Perfect Forward Secrecy
A security property that protects past communications if private keys are compromised
Perfect Forward Secrecy (PFS), also known as Forward Secrecy, is a security property that ensures session keys are not compromised even if the server's private key is later compromised. In traditional RSA key exchange, if an attacker records encrypted traffic and later obtains the server's private key, they can decrypt all previously recorded sessions. PFS prevents this by using ephemeral (temporary) keys for each session that are derived independently of the server's long-term private key.
This is typically achieved through key exchange algorithms like Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) or DHE (Diffie-Hellman Ephemeral). With PFS, each TLS session generates a unique session key through a process that cannot be reversed even with knowledge of the server's private key. The ephemeral keys are discarded after each session, making it cryptographically impossible to decrypt past communications.
PFS has become a standard security requirement for many organizations and is mandatory for certain compliance frameworks. Modern web servers and browsers support PFS by default, and it's considered a critical security feature for protecting against both current and future attacks on recorded traffic.
Where You'll See This Term
This term commonly appears in:
- SSL certificate details pages
- Certificate Authority validation processes
- SSL configuration documentation
- Security audit reports
- Certificate management interfaces