You’re on the beach with your metal detector and you come across a locked treasure chest. Even though you can’t open it, you decide to keep it anyway. Why?
Because you might find the key later.
The same principle applies to encryption. Even if an attacker can’t read your encrypted messages now, they might record them anyway in the hopes of one day finding a key.
How do we defend against this kind of “wait-and-see” attack? With a principle called perfect forward secrecy.
What is perfect forward secrecy?
Perfect forward secrecy (PFS) protects encrypted messages from future attacks by regularly changing keys. The new keys are randomly generated in such a way that even if one key is compromised, it cannot be used to decrypt any past or future messages.
In the treasure chest analogy above, PFS means you’d never find a whole chest full of treasure. You’d find thousands of tiny locked chests, each containing at most one coin. If at any point you found a key, you’d have no way of knowing which chest it unlocks, and even if you eventually found it, you’d only have one coin.
You can see how this would be discouraging for an aspiring beachcomber—or cybercriminal.
How does perfect forward secrecy work?
In real-life encrypted communications, PFS usually means that a new key is generated for every message, as is the case with the Signal messaging protocol.
But how do you get two sides of a conversation to agree on a new key? It isn’t as simple as sharing the key in the conversation, because then anyone with the old key could use it to determine the new key, and every key after that.
Signal and other protocols use something called the Diffie-Hellman key exchange (DH) to generate new secret keys without sharing them over the internet. It sounds impossible, but DH takes advantage of clever mathematics involving prime numbers and one-way functions: operations that are easy to perform but very difficult to reverse, similar to hashing.
Where else is perfect forward secrecy used?
PFS is a feature of many modern communication methods, including one of the most important protocols on the internet: TLS (Transport Layer Security), formerly SSL (Secure Sockets Layer).
Because TLS/SSL is the encryption protocol that enables HTTPS (Hypertext Transfer Protocol Secure), brand new encryption keys are generated every time you load a page on a website that uses HTTPS. In other words, even if someone is recording your encrypted web traffic right now, a key they obtain later will not let them decrypt it. Web server software like Apache, Nginx, and IIS can also be configured to use PFS through TLS/SSL.
ExpressVPN uses dynamic encryption keys for perfect forward secrecy
Every time you connect to ExpressVPN servers, including with our innovative Lightway protocol, the security certificate’s authenticity is verified.
Once authenticated, a unique encryption key is negotiated through the Elliptic-Curve Diffie-Hellman (ECDH) key exchange. Through this negotiation, the server and client are able to derive an encryption key without risk of interference from a third party.
Each ExpressVPN connection uses a different key, so in the unlikely event that someone hacked your device or an ExpressVPN server at some point and recorded the encrypted raw data you transmitted, they still wouldn’t be able to decipher the information.
Dynamic encryption keys are purged or regenerated after a connection is terminated, or every 15 minutes, to protect long-lived connections. The key is also renegotiated every time your device changes networks, for example between mobile data and Wi-Fi.
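The key agreement described above (the Diffie-Hellman exchange in the "How does perfect forward secrecy work?" section and the ECDH negotiation in this one), as an added example that is not ExpressVPN's, Signal's or any library's code: each session draws a fresh exponent, both sides derive the same key, the peer's public value is validated before use, and the exponents are gone once the function returns, so a recorded transcript (the two public values) cannot be turned back into the key later. It uses the finite-field form over a constructed 64-bit group generated at import time (real deployments use 2048-bit+ RFC 7919 groups or elliptic curves such as X25519); ECDH is the same exchange over an elliptic-curve group.

```python
import hashlib
import hmac
import secrets

# Added example, not ExpressVPN's or Signal's code. Toy 64-bit group, demo-quality
# primality test and an HMAC-based key derivation; none of this is production code.

def is_probable_prime(n, rounds=40):  # Miller-Rabin; n >= 5 assumed
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits):  # p = 2q + 1 with q prime and p = 7 (mod 8), so g = 2 has order q
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if q % 4 == 3 and is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1

P = safe_prime(64)          # constructed toy modulus, regenerated on every import
Q = (P - 1) // 2            # prime order of the subgroup generated by G
G = 2

def ephemeral_keypair():
    priv = secrets.randbelow(Q - 1) + 1   # fresh per session, never stored anywhere
    return priv, pow(G, priv, P)          # (private exponent, public value)

def session_key(own_priv, peer_pub):
    # Reject 1, p-1 and values outside the order-q subgroup (small-subgroup attack).
    if not 1 < peer_pub < P - 1 or pow(peer_pub, Q, P) != 1:
        raise ValueError("invalid peer public value")
    shared = pow(peer_pub, own_priv, P).to_bytes(8, "big")
    return hmac.new(b"pfs-demo-kdf", shared, hashlib.sha256).digest()

def run_session():
    # One connection: both sides agree on the key; the exponents then go out of scope.
    a_priv, a_pub = ephemeral_keypair()
    b_priv, b_pub = ephemeral_keypair()
    key_a, key_b = session_key(a_priv, b_pub), session_key(b_priv, a_pub)
    assert key_a == key_b
    return key_a, (a_pub, b_pub)   # the key, plus the transcript an eavesdropper could record
```

Calling `run_session()` twice yields two unrelated 256-bit keys from two unrelated transcripts; knowing one session's key says nothing about the other.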
Perfect forward secrecy makes strong security future-proof
Good security is not only about making systems difficult to attack. It’s also about minimizing the damage in the event of an attack.
Perfect forward secrecy is just one of the principles we use to achieve that goal, but it’s a powerful one. It keeps your traffic private not just from current attacks, but future ones as well.