Browse Definitions :
Definition

perfect forward secrecy (PFS)

Perfect Forward Secrecy (PFS), also known as Forward Secrecy, is an encryption style known for producing temporary private key exchanges between clients and servers. For every individual session initiated by a user, a unique session key is generated. If one of these session keys is compromised, data from any other session will not be affected. Therefore, past sessions and the information within them are protected from any future attacks.

Without perfect forward secrecy, a user initiates a communication session with a client and the entire conversation is encrypted based on the client’s special key. However, the client uses the same special key to generate encryption for all of its sessions, and if it becomes compromised, so does all of the information contained within each conversation.

With perfect forward secrecy, every communication session generates a unique encryption key that is separate from the special key, private, and only lasts for the duration of the session. If an attacker were to compromise one of the user’s special key, the conversations would stay encrypted and secure. Similarly, if an attacker were to compromise the unique encryption key, only that specific conversation would be leaked.

Protecting data on the transport layer of a network, perfect forward secrecy has become a security standard for developers to implement into messaging services or websites that are dedicated to user privacy. Tools applying this feature can change encryption keys as frequently as every text message, phone call, or page refresh. Recently, the Internet Engineering Task Force has published the Transport Layer Security Standard to mandate perfect forward secrecy for all TLS sessions.

Heartbleed and Perfect Forward Secrecy

Perfect forward secrecy became more of an interest after the introduction of the Heartbleed bug to OpenSSL in 2012. The vulnerability is a result of an insufficient input validation in the utilization of the Transport Layer Security protocol heartbeat extension. Heartbleed is known as a buffer over-read vulnerability and would allow the user to read more data than allowed, leaking an entire chain of information up to 64 kilobytes.

While Heartbleed has been publicly disclosed since 2014, it proved the simplicity of an OpenSSL attack and sparked the conversation around temporary methods of key exchange. Thus, perfect forward secrecy became a viable solution for protecting users from similar code defects.

Perfect Forward Secrecy in Use

Perfect forward secrecy has become widely adopted by information providers since its inception and is known as a crucial security feature. Signal, a messaging protocol for end-to-end encryption found in WhatsApp, Google Allo messenger, and Facebook conversations, popularized perfect forward secrecy. Known as the “double ratchet” system, Signal creates a new encryption key with every single message. Most recently, it also introduced a feature that enables messages to self-destruct.

In 2011, Google provided Gmail, Google Docs, and encrypted search users with perfect forward secrecy by default. Twitter has offered perfect forward secrecy to all users since 2013. Apple announced in 2016 a new, mandatory protocol for all iOS apps requiring the use of App Transport Security, a security feature that utilizes perfect forward secrecy.

This was last updated in September 2018

Continue Reading About perfect forward secrecy (PFS)

Networking
Security
  • security posture

    Security posture refers to an organization's overall cybersecurity strength and how well it can predict, prevent and respond to ...

  • ISO 31000 Risk Management

    The ISO 31000 Risk Management framework is an international standard that provides organizations with guidelines and principles ...

  • voice squatting

    Voice squatting is an attack vector for voice user interfaces, or VUIs, that exploits homonyms -- words that sound the same, but ...

CIO
  • Whistleblower Protection Act

    The Whistleblower Protection Act of 1989 is a law that protects federal government employees in the United States from ...

  • skunkworks project (Skunk Works)

    A skunkworks project, also known as Skunk Works, is an innovative undertaking, involving a small group of people, that is outside...

  • digital innovation

    Digital innovation is the adoption of modern digital technologies by a business.

HRSoftware
  • talent network

    A talent network is a group of interconnected people with similar professional skills.

  • employee onboarding and offboarding

    Employee onboarding involves all the steps needed to get a new employee successfully deployed and productive, while offboarding ...

  • skill-based learning

    Skill-based learning develops students through hands-on practice and real-world application.

Customer Experience
  • virtual assistant (AI assistant)

    A virtual assistant, also called an AI assistant or digital assistant, is an application program that understands natural ...

  • Microsoft Dynamics 365

    Dynamics 365 is a cloud-based portfolio of business applications from Microsoft that are designed to help organizations improve ...

  • Salesforce Commerce Cloud

    Salesforce Commerce Cloud is a cloud-based suite of products that enable e-commerce businesses to set up e-commerce sites, drive ...

Close