Browse Definitions :
Definition

perfect forward secrecy (PFS)

Perfect Forward Secrecy (PFS), also known as Forward Secrecy, is an encryption style known for producing temporary private key exchanges between clients and servers. For every individual session initiated by a user, a unique session key is generated. If one of these session keys is compromised, data from any other session will not be affected. Therefore, past sessions and the information within them are protected from any future attacks.

Without perfect forward secrecy, a user initiates a communication session with a client and the entire conversation is encrypted based on the client’s special key. However, the client uses the same special key to generate encryption for all of its sessions, and if it becomes compromised, so does all of the information contained within each conversation.

With perfect forward secrecy, every communication session generates a unique encryption key that is separate from the special key, private, and only lasts for the duration of the session. If an attacker were to compromise one of the user’s special key, the conversations would stay encrypted and secure. Similarly, if an attacker were to compromise the unique encryption key, only that specific conversation would be leaked.

Protecting data on the transport layer of a network, perfect forward secrecy has become a security standard for developers to implement into messaging services or websites that are dedicated to user privacy. Tools applying this feature can change encryption keys as frequently as every text message, phone call, or page refresh. Recently, the Internet Engineering Task Force has published the Transport Layer Security Standard to mandate perfect forward secrecy for all TLS sessions.

Heartbleed and Perfect Forward Secrecy

Perfect forward secrecy became more of an interest after the introduction of the Heartbleed bug to OpenSSL in 2012. The vulnerability is a result of an insufficient input validation in the utilization of the Transport Layer Security protocol heartbeat extension. Heartbleed is known as a buffer over-read vulnerability and would allow the user to read more data than allowed, leaking an entire chain of information up to 64 kilobytes.

While Heartbleed has been publicly disclosed since 2014, it proved the simplicity of an OpenSSL attack and sparked the conversation around temporary methods of key exchange. Thus, perfect forward secrecy became a viable solution for protecting users from similar code defects.

Perfect Forward Secrecy in Use

Perfect forward secrecy has become widely adopted by information providers since its inception and is known as a crucial security feature. Signal, a messaging protocol for end-to-end encryption found in WhatsApp, Google Allo messenger, and Facebook conversations, popularized perfect forward secrecy. Known as the “double ratchet” system, Signal creates a new encryption key with every single message. Most recently, it also introduced a feature that enables messages to self-destruct.

In 2011, Google provided Gmail, Google Docs, and encrypted search users with perfect forward secrecy by default. Twitter has offered perfect forward secrecy to all users since 2013. Apple announced in 2016 a new, mandatory protocol for all iOS apps requiring the use of App Transport Security, a security feature that utilizes perfect forward secrecy.

This was last updated in September 2018

Continue Reading About perfect forward secrecy (PFS)

Networking
  • network traffic

    Network traffic is the amount of data that moves across a network during any given time.

  • dynamic and static

    In general, dynamic means 'energetic, capable of action and/or change, or forceful,' while static means 'stationary or fixed.'

  • MAC address (media access control address)

    A MAC address (media access control address) is a 12-digit hexadecimal number assigned to each device connected to the network.

Security
  • Evil Corp

    Evil Corp is an international cybercrime network that uses malicious software to steal money from victims' bank accounts and to ...

  • Trojan horse

    In computing, a Trojan horse is a program downloaded and installed on a computer that appears harmless, but is, in fact, ...

  • quantum key distribution (QKD)

    Quantum key distribution (QKD) is a secure communication method for exchanging encryption keys only known between shared parties.

CIO
  • green IT (green information technology)

    Green IT (green information technology) is the practice of creating and using environmentally sustainable computing.

  • benchmark

    A benchmark is a standard or point of reference people can use to measure something else.

  • spatial computing

    Spatial computing broadly characterizes the processes and tools used to capture, process and interact with 3D data.

HRSoftware
  • learning experience platform (LXP)

    A learning experience platform (LXP) is an AI-driven peer learning experience platform delivered using software as a service (...

  • talent acquisition

    Talent acquisition is the strategic process employers use to analyze their long-term talent needs in the context of business ...

  • employee retention

    Employee retention is the organizational goal of keeping productive and talented workers and reducing turnover by fostering a ...

Customer Experience
  • BOPIS (buy online, pick up in-store)

    BOPIS (buy online, pick up in-store) is a business model that allows consumers to shop and place orders online and then pick up ...

  • real-time analytics

    Real-time analytics is the use of data and related resources for analysis as soon as it enters the system.

  • database marketing

    Database marketing is a systematic approach to the gathering, consolidation and processing of consumer data.

Close