What is Perfect Forward Secrecy?

If you’re familiar with VPN protocols, you probably know a thing or two about encryption. For those who don’t, here’s a quick explanation: to keep your data private, VPN protocols transform it into a unique coded language, indecipherable to anyone who does not know the set of rules that were used to scramble it.

The rules are known as the key. And as you may have guessed, it represents a weak spot in this process. If hackers somehow manage to figure out the key, they can not only intercept, decrypt and record your activities going forward but also use it to decipher any and all previous communications and data.

Enter Perfect Forward Secrecy

Using Perfect Forward Secrecy means that the key used to encrypt and decrypt information changes frequently. In this scenario, if a key is compromised, only a small portion of the user’s data can be stolen. The damage is determined by how much data was sent using the cracked key; messages sent before and after it, under other keys, remain safe.

Two Conditions Must Be Met for PFS to Work

  • New and unique encryption keys must be generated at relatively short intervals to minimize the potential for compromise.
  • The keys cannot be derived from each other. If they could, a hacker who has already cracked one key could work out the rest by analyzing patterns in how the keys change.

For maximum security, Perfect Forward Secrecy can be set up to switch keys as frequently as every message in a conversation, every voice call, or every time a user loads a page on their browser.

Security experts also add that for a maximum level of security, decrypted messages (what you see on the screen) must be deleted or moved to a more secure device.

When using PFS, a VPN connection has to go through two steps

  • The handshake: When a session begins, you and the VPN server need to exchange keys to encrypt and decrypt your communications. The exchange follows a method known as the Diffie-Hellman key exchange, which we explain in another article.
  • The tunnel: After exchanging an encryption key, the server and your machine can send and receive data safely.
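
The two conditions and the handshake step above, as an added example that is not part of the original article: every session runs a fresh Diffie-Hellman exchange, and a hash-chained key rotation is shown for contrast as a scheme that fails the second condition. The RFC 3526 2048-bit group and all function names are assumptions chosen for illustration; the article names no group or implementation.

```python
import hashlib
import secrets

# RFC 3526 group 14: 2048-bit MODP safe prime, generator 2 (assumed group).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2

def ephemeral_keypair():
    """Fresh private exponent and public value; the private half is never stored."""
    priv = secrets.randbelow(P - 3) + 2          # 2 <= priv <= P - 2
    return priv, pow(G, priv, P)

def session_key(my_priv, peer_pub):
    """Hash the DH shared secret down to a 256-bit tunnel key."""
    if not 1 < peer_pub < P - 1:                 # reject degenerate public values
        raise ValueError("invalid peer public value")
    shared = pow(peer_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(256, "big")).digest()

def handshake():
    """One session: only c_pub and s_pub cross the wire; private exponents are dropped."""
    c_priv, c_pub = ephemeral_keypair()
    s_priv, s_pub = ephemeral_keypair()
    return session_key(c_priv, s_pub), session_key(s_priv, c_pub), (c_pub, s_pub)

def chained_keys(first_key, count):
    """Counter-example: each key is the hash of the previous one (fails condition 2)."""
    keys = [first_key]
    for _ in range(count - 1):
        keys.append(hashlib.sha256(keys[-1]).digest())
    return keys

if __name__ == "__main__":
    k1, _, _ = handshake()
    k2, _, _ = handshake()
    print("independent session keys differ:", k1 != k2)
    chain = chained_keys(k1, 3)
    print("chained key 2 recomputed from key 1:", hashlib.sha256(chain[0]).digest() == chain[1])
```

With the chained rotation, whoever holds one key can compute every later key; with per-session exchanges, a leaked session key says nothing about the keys of other sessions.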

VPN Protocols with Perfect Forward Secrecy

While several VPN protocols are PFS capable, that doesn’t necessarily mean the method is on by default; implementing it requires specific configuration rules on the VPN provider’s end.

The vast majority of VPNs that support OpenVPN connections use forward secrecy by default. With L2TP, on the other hand, it is less common. L2TP is PFS capable thanks to IKE and IKEv2, which make a Diffie-Hellman exchange possible.