What is Perfect Forward Secrecy (PFS), and how does TLS 1.3 achieve it?
PFS = even if an attacker later compromises the server's long-term private key, they cannot decrypt past recorded sessions. TLS 1.3 achieves it by mandating ephemeral Diffie-Hellman (DHE or ECDHE) — the actual session key is derived from random per-session DH values that are never stored.
Why PFS matters: without it, an adversary (e.g. a nation-state) can record encrypted traffic today and decrypt it later when they finally compromise or coerce the private key. With PFS, that long-term key never unlocks the recorded sessions.
How TLS 1.2 without PFS works (old):
- Client generates a random pre-master.
- Client encrypts it with the server's RSA public key.
- Server decrypts with RSA private key.
- Both derive session key from pre-master + nonces.
The private key directly unlocks every session. Steal it → decrypt every recording.
How TLS 1.2 / 1.3 with PFS works:
- Server generates an ephemeral DH private value
b(per session, never stored). - Server signs
g^bwith its long-term key. - Client generates ephemeral
a, sendsg^a. - Both derive session key from
g^(ab). - Ephemeral
aandbare discarded after the handshake.
The long-term signing key was used only to authenticate the DH exchange. It never appeared in the key derivation — so stealing it doesn't help decrypt past traffic.
TLS 1.3 makes PFS mandatory:
- Removed RSA key exchange entirely.
- Only DHE / ECDHE allowed.
- The 5 standard cipher suites all use AEAD ciphers with PFS by design.
Tip: PFS protects against the "harvest now, decrypt later" threat — increasingly important as quantum computers get closer (a quantum attacker could break the RSA cert key in the future, but ephemeral DH values are gone forever from the wire).