Browse Definitions :
Definition

perfect forward secrecy (PFS)

Perfect Forward Secrecy (PFS), also known as Forward Secrecy, is an encryption style known for producing temporary private key exchanges between clients and servers. For every individual session initiated by a user, a unique session key is generated. If one of these session keys is compromised, data from any other session will not be affected. Therefore, past sessions and the information within them are protected from any future attacks.

Without perfect forward secrecy, a user initiates a communication session with a client and the entire conversation is encrypted based on the client’s special key. However, the client uses the same special key to generate encryption for all of its sessions, and if it becomes compromised, so does all of the information contained within each conversation.

With perfect forward secrecy, every communication session generates a unique encryption key that is separate from the special key, private, and only lasts for the duration of the session. If an attacker were to compromise one of the user’s special key, the conversations would stay encrypted and secure. Similarly, if an attacker were to compromise the unique encryption key, only that specific conversation would be leaked.

Protecting data on the transport layer of a network, perfect forward secrecy has become a security standard for developers to implement into messaging services or websites that are dedicated to user privacy. Tools applying this feature can change encryption keys as frequently as every text message, phone call, or page refresh. Recently, the Internet Engineering Task Force has published the Transport Layer Security Standard to mandate perfect forward secrecy for all TLS sessions.

Heartbleed and Perfect Forward Secrecy

Perfect forward secrecy became more of an interest after the introduction of the Heartbleed bug to OpenSSL in 2012. The vulnerability is a result of an insufficient input validation in the utilization of the Transport Layer Security protocol heartbeat extension. Heartbleed is known as a buffer over-read vulnerability and would allow the user to read more data than allowed, leaking an entire chain of information up to 64 kilobytes.

While Heartbleed has been publicly disclosed since 2014, it proved the simplicity of an OpenSSL attack and sparked the conversation around temporary methods of key exchange. Thus, perfect forward secrecy became a viable solution for protecting users from similar code defects.

Perfect Forward Secrecy in Use

Perfect forward secrecy has become widely adopted by information providers since its inception and is known as a crucial security feature. Signal, a messaging protocol for end-to-end encryption found in WhatsApp, Google Allo messenger, and Facebook conversations, popularized perfect forward secrecy. Known as the “double ratchet” system, Signal creates a new encryption key with every single message. Most recently, it also introduced a feature that enables messages to self-destruct.

In 2011, Google provided Gmail, Google Docs, and encrypted search users with perfect forward secrecy by default. Twitter has offered perfect forward secrecy to all users since 2013. Apple announced in 2016 a new, mandatory protocol for all iOS apps requiring the use of App Transport Security, a security feature that utilizes perfect forward secrecy.

This was last updated in September 2018

Continue Reading About perfect forward secrecy (PFS)

SearchNetworking
SearchSecurity
  • man in the browser (MitB)

    Man in the browser (MitB) is a security attack where the perpetrator installs a Trojan horse on the victim's computer that is ...

  • Patch Tuesday

    Patch Tuesday is the unofficial name of Microsoft's monthly scheduled release of security fixes for the Windows operating system ...

  • parameter tampering

    Parameter tampering is a type of web-based cyber attack in which certain parameters in a URL are changed without a user's ...

SearchCIO
  • chief procurement officer (CPO)

    The chief procurement officer, or CPO, leads an organization's procurement department and oversees the acquisitions of goods and ...

  • Lean Six Sigma

    Lean Six Sigma is a data-driven approach to improving efficiency, customer satisfaction and profits.

  • change management

    Change management is a systematic approach to dealing with the transition or transformation of an organization's goals, processes...

SearchHRSoftware
SearchCustomerExperience
  • clickstream data (clickstream analytics)

    Clickstream data and clickstream analytics are the processes involved in collecting, analyzing and reporting aggregate data about...

  • neuromarketing

    Neuromarketing is the study of how people's brains respond to advertising and other brand-related messages by scientifically ...

  • contextual marketing

    Contextual marketing is an online marketing strategy model in which people are served with targeted advertising based on their ...

Close