Perfect Forward Secrecy

The security of communications transmitted across the Internet can be improved by using public key cryptography. However if the public and private keys used in those communications are compromised it can reveal the data exchanged in that session as well as the data exchanged in previous sessions.

The concept of Perfect Forward Secrecy (PFS) is the property that ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of the (long-term) private keys is compromised in the future. Online systems such as IPSEC can negotiate new keys for every communication and if a key is compromised only the specific session it protected will be revealed.

For Perfect Forward Secrecy to exist the key used to protect transmission of data must not be used to derive any additional keys, and if the key used to protect transmission of data was derived from some other keying material, that material must not be used to derive any more keys.


Cisco offers Perfect Foward Secrecy as a parameter for VPN and LAN-to-LAN tunnel sessions. The Internet Key Exchange (IKE) Policy settings can use Diffie-Hellman Group algorithms. Virtru uses the AES-256 algorithm to encrypt messages with perfect forward secrecy before it leaves a device.

Perfect Forward Secrecy (PFS) refers to the notion that compromise of a single key will permit access to only data protected by a single key.

Forward Secrecy has been used as a synonym for Perfect Forward Secrecy but there is a subtle difference between the two. Perfect Forward Secrecy has the additional property that an agreed key will not be compromised even if agreed keys derived from the same long-term keying material in a subsequent run are compromised.

In April 2014, a news article by the Electronic Frontier Foundation (EFF) was posted in reponse to the OpenSSL Heartbleed bug. Why the Web Needs Perfect Forward Secrecy More Than Ever… “At this moment, forward secrecy is more crucial than ever before.”

The FHMQV-C protocol (Fully Hashed MQV plus C for ‘key confirmation’) uses perfect forward secrecy. The compromise of a static private key does not compromise any of the session keys, and this can be demonstrated through analysis of FHMQV with session key expiration.

This article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia article "Perfect forward secrecy".