LOGBOOK

HELP

Quiz Entry - updated: 2026.05.31

What is Perfect Forward Secrecy (PFS), and how does TLS 1.3 guarantee it?

PFS = even if an attacker later steals a server's long-term private key, they cannot decrypt past recorded TLS sessions. TLS 1.3 enforces it by requiring ephemeral Diffie-Hellman (ECDHE) for every connection.

The threat being defended against:

2025: attacker records encrypted TLS traffic, can't decrypt it.
2030: attacker compromises the server, steals its private key.
2030: without PFS, attacker decrypts the 2025 traffic.
       with PFS, the 2025 traffic is still unrecoverable.

How PFS works in TLS:

  • The server's long-term key is used only to sign the ephemeral DH parameters, not to encrypt anything.
  • A fresh, random DH key pair is generated for each session and discarded after.
  • The session key is derived from the ephemeral DH shared secret — stealing the long-term key gives the attacker no way to recover it.

Cipher-suite history:

  • TLS 1.2 offered both PFS suites (ECDHE-…) and non-PFS suites (RSA-…, plain key transport). Many old servers still used the latter.
  • TLS 1.3 removed all non-PFS suites — every TLS 1.3 connection has PFS by construction.

Tip: Even in 2024, plenty of legacy SSL/TLS configurations still allow non-PFS suites. Use testssl.sh or Qualys SSL Labs to confirm every cipher suite a server offers has ECDHE in it.

From Quiz: ISF / Cryptographic Protocols & Requirements | Updated: May 31, 2026