Home/ Glossary/ Perfect Forward Secrecy

Perfect Forward Secrecy (PFS)

Security Glossary - SSL/TLS

Definition: Perfect Forward Secrecy (PFS) is a property of key exchange protocols that generates a unique session key for each connection. With PFS, even if the server's long-term private key is later compromised, past recorded sessions cannot be decrypted because the session keys were ephemeral and never stored.

Summary

  • Each session uses unique ephemeral keys
  • Past sessions cannot be decrypted even if the server's private key is later compromised
  • Requires ECDHE or DHE key exchange algorithms
  • Mandatory in TLS 1.3, optional in TLS 1.2
  • Critical for protecting long-lived data against future key compromise

The Importance of PFS

Without forward secrecy, an attacker who records encrypted traffic and later obtains the server's private key can decrypt all past communications. This is a realistic threat: intelligence agencies are known to record encrypted traffic at scale for potential future decryption, and private keys can be obtained through server compromise, legal compulsion, or cryptographic breakthroughs.

PFS is achieved by using ephemeral Diffie-Hellman (DHE) or ephemeral Elliptic Curve Diffie-Hellman (ECDHE) key exchange instead of static RSA key exchange. With ECDHE, each connection generates a unique key pair that is discarded after the session ends. Even with the server's private key, there is no way to derive these ephemeral session keys.

TLS 1.3 mandates forward secrecy by only allowing ECDHE-based key exchange, eliminating static RSA entirely. For TLS 1.2, you must configure your server to prefer ECDHE cipher suites and disable static RSA key exchange to get PFS. All modern browsers support ECDHE, so there is no compatibility cost.

How to Check

An SSL checker reports whether your server's cipher suites provide forward secrecy. Look for cipher suites containing "ECDHE" or "DHE" in their names. Suites with just "RSA" for key exchange do not provide forward secrecy and should be disabled.

See how your site handles PFS

Check SSL Certificate

PFS FAQ

What is the difference between DHE and ECDHE?
Both provide forward secrecy, but ECDHE uses elliptic curve cryptography which is faster and uses smaller keys for equivalent security. ECDHE is preferred and is the only forward-secret key exchange in TLS 1.3. DHE is slower and requires careful parameter selection.
Does forward secrecy impact performance?
ECDHE key exchange adds negligible overhead compared to static RSA. The computation is fast on modern hardware and the security benefit far outweighs any performance cost. TLS 1.3 makes this even faster with optimized handshake flows.

Related Concepts

Cipher Suite TLS 1.3 TLS 1.2 SSL/TLS Handshake Man-in-the-Middle Attack
Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.