Start networking and exchanging professional insights

Register now or log in to join your professional community.

Follow

What is PFS (Perfect Forward Secrecy) in IPSec?

user-image
Question added by Faseeh Mohd koya , IT SUPPORT ENGINEER [L2] , Ministry of Sports and Youth
Date Posted: 2016/04/23
Sajjad Nalupurapad Peedikayil
by Sajjad Nalupurapad Peedikayil , IT Technical Support Assistant , Al Nahda National School

In cryptography, forward secrecy (also known as perfect forward secrecy or PFS) is a property of key-agreement protocols ensuring that a session key derived from a set of long-term keys cannot be compromised if one of the long-term keys is compromised in the future. The key used to protect transmission of data must not be used to derive any additional keys, and if the key used to protect transmission of data is derived from some other keying material, then that material must not be used to derive any more keys.    In this way, compromise of a single key permits access only to data protected by that single key.

Vimal Kumar
by Vimal Kumar , IT Systems Administrator , PRECISE Trading LLC

PFS will ensure the same key will not be generated again, so forcing a new diffie-hellman key exchange. This would ensure if a hacker\\criminal was to compromise a private key, they would only be able to access data in transit protected by that key and not any future data, as future data would not be associated with that compromised key.

Ali Hallal
by Ali Hallal , IT Consultant , Information Systems

Let's look at how key exchange works in the common non-ephemeral case. Instead of giving a practical example using, say, Diffie-Hellman, I'll give a generalized example where the math is simple:

Alice (client) wants to talk to Bob (server).

Bob has a private key X and a public key Y. X is secret, Y is public.

Alice generates a large, random integer M.

Alice encrypts M using Y and sends Y(M) to Bob.

Bob decrypts Y(M) using X, yielding M.

Both Alice and Bob now have M and use it as the key to whatever cipher they agreed to use for the SSL session—for example, AES.

Pretty simple, right? The problem, of course, is that if anyone ever finds out X, every single communication is compromised: X lets an attacker decrypt Y(M), yielding M. Let's look at the PFS version of this scenario:

Alice (client) wants to talk to Bob (server).

Bob generates a new set of public and private keys, Y' and X'.

Bob sends Y' to Alice.

Alice generates a large, random integer M.

Alice encrypts M using Y' and sends Y'(M) to Bob.

Bob decrypts Y'(M) using X', yielding M.

Both Alice and Bob now have M and use it as the key to whatever cipher they agreed to use for the SSL session—for example, AES.

(X and Y are still used to validate identity; I'm leaving that out.)

In this second example, X isn't used to create the shared secret, so even if X becomes compromised, M is undiscoverable. But you've just pushed the problem to X', you might say. What if X' becomes known? But that's the genius, I say. Assuming X' is never reused and never stored, the only way to obtain X' is if the adversary has access to the host's memory at the time of the communication. If your adversary has such physical access, then encryption of any sort isn't going to do you any good. Moreover, even if X' were somehow compromised, it would only reveal this particular communication.

That's PFS.

More Questions Like This