LOGBOOK

HELP

Quiz Entry - updated: 2026.05.31

What is Perfect Forward Secrecy (PFS), and how does TLS 1.3 achieve it?

PFS = even if an attacker later compromises the server's long-term private key, they cannot decrypt past recorded sessions. TLS 1.3 achieves it by mandating ephemeral Diffie-Hellman (DHE or ECDHE) — the actual session key is derived from random per-session DH values that are never stored.

Why PFS matters: without it, an adversary (e.g. a nation-state) can record encrypted traffic today and decrypt it later when they finally compromise or coerce the private key. With PFS, that long-term key never unlocks the recorded sessions.

How TLS 1.2 without PFS works (old):

  1. Client generates a random pre-master.
  2. Client encrypts it with the server's RSA public key.
  3. Server decrypts with RSA private key.
  4. Both derive session key from pre-master + nonces.

The private key directly unlocks every session. Steal it → decrypt every recording.

How TLS 1.2 / 1.3 with PFS works:

  1. Server generates an ephemeral DH private value b (per session, never stored).
  2. Server signs g^b with its long-term key.
  3. Client generates ephemeral a, sends g^a.
  4. Both derive session key from g^(ab).
  5. Ephemeral a and b are discarded after the handshake.

The long-term signing key was used only to authenticate the DH exchange. It never appeared in the key derivation — so stealing it doesn't help decrypt past traffic.

TLS 1.3 makes PFS mandatory:

  • Removed RSA key exchange entirely.
  • Only DHE / ECDHE allowed.
  • The 5 standard cipher suites all use AEAD ciphers with PFS by design.

Tip: PFS protects against the "harvest now, decrypt later" threat — increasingly important as quantum computers get closer (a quantum attacker could break the RSA cert key in the future, but ephemeral DH values are gone forever from the wire).

From Quiz: ISF / Asymmetric Cryptography | Updated: May 31, 2026