What is Perfect Forward Secrecy (PFS)?
D5 ยท Crypto ยท CompTIA Security+ SY0-701Perfect Forward Secrecy (PFS) is a property of key exchange protocols that ensures each session uses a unique, ephemeral (temporary) session key. If a long-term private key is later compromised, past encrypted sessions cannot be decrypted.
Achieved with: DHE (Diffie-Hellman Ephemeral) or ECDHE (Elliptic Curve DHE).
Without PFS: Attacker records encrypted traffic โ later steals server key โ decrypts all past traffic.
With PFS: Each session key is unique and discarded โ past traffic stays safe.
Achieved with: DHE (Diffie-Hellman Ephemeral) or ECDHE (Elliptic Curve DHE).
Without PFS: Attacker records encrypted traffic โ later steals server key โ decrypts all past traffic.
With PFS: Each session key is unique and discarded โ past traffic stays safe.
TLS 1.3 mandates PFS โ it only supports ECDHE cipher suites. Look for "ephemeral" in cipher suite names (e.g., ECDHE-RSA-AES256-GCM). PFS protects against "record now, decrypt later" attacks.