PFS or Perfect Forward Secrecy offers an additional security measure for encrypted communication. VPN services may use PFS to increase data communication security between VPN clients and servers.
Table of Contents
What is Perfect Forward Secrecy (PFS)?
Perfect forward secrecy is a feature of Internet communication protocols that ensures the security of data exchanged between a client and a server.
What is a session?
The time a user spends from initiating the connection with the server to the end is called a session. As an example, a user starts uploading a file to a particular server and disconnects the connection once it is finished. That time period can be identified as a session.
Along with that file some other technical data, which helps server to contact users, are also exchanged, like IP address, metadata and connection type. With the use of secure connection protocols like SFTP or TLS, these exchange data are encrypted and hence only the client, and the server knows the incoming and outgoing data. There is an encryption key, a shared secret code known only by communication parties, to decrypt the data. Therefore, when a hacker steals data, he will get some useless scrambled data.
Perfect forward secrecy is more than just encryption
Perfect forward secrecy is a step forward security measure than regular encryption.
PFS is encryption with a temporary private key which is produced in VPN client and the VPN server.
A unique session key should be used for each session to protect the transmission of data, and that key exchanged must not be used to derive any additional keys. Also if that key is derived from any other keying material, then that material should not permit to derive any more keys. Since there is a unique session key for each user session, even the compromise of a single session key will not affect any past or future data other than exchanged in the specific session protected by the particular key.
How does PFS work
In general encryption, a master key, the same private key, is used to encrypt and decrypt all session data initiated by a user between client-server sessions. But if the master key is compromised, all client-server data is also compromised.
However, in PFS, a unique key is provided for each session, and it disappears once the session is over. Therefore, although it is compromised, other session data will be safe. As an extended security feature, within a single communication session, PFC encryption keys can be refreshed. So it limits the amount of data that can be stolen by the cybercriminals if the key is compromised.
The below list shows the key agreement protocols that can be used by PFC encryption.
PFS & VPN
VPN services create secure connections over the public networks and home networks by encrypting user data and routing them through specified servers. It is worth to note that PFS is not enabled by default in VPN, so if a user is looking for PFS VPN it should be clarified that the chosen provider uses PFS encryption by default on certain protocols. The below list shows the specific VPN protocols which use PFS.
- OpenVPN
- SoftEther
- L2TP/IPSec
- IKEv2/IPSec
- SSTP
- Wireguard
PFS in VPN client-server communication works similar to the regular PFS, but both VPN client and server should have PFC enabled interfaces.
Once a user makes a VPN connection with the servers (tunneling process) and the client-server authentication is verified, it develops a unique encryption key via key-exchange (simply at handshaking stage). In case termination of the connection, the VPN re-generate dynamic encryption keys. In this way, every VPN connection has a unique key that prevents any other to steal data even if the server has been hacked.
Drawbacks of using PFS in VPN
PFS enabled VPN needs a stronger encryption layer to hide data of each session separately. So it requires more processing power, and hence it will make a potential delay in a VPN connection. If the user devices do not have more processing power, there will be a potential delay in the VPN connection, and it will slow down the internet speed. But some VPN service providers have overcome this issue by using high-end technologies.
Why is PFS important
It is true that regular encryption can protect user data, but having a single master key is vulnerable. Because once it is compromised, a hacker can access all session data. As an example, the USA national security agency (NSA) has used this vulnerability to gather data before.
PFS is an additional security measure that adds an extra layer of protection which ensures that user data is more secure on the internet and the possibility of compromising data is lower than conventional encryption methods.
Heartbleed vulnerability – this is a vulnerability found in some implementations of OpenSSL which allows an attacker to read up to 64 kilobytes of memory per attack on any connected client or server including encrypted content, usernames, passwords, and private keys. PFS is the best way to avoid using data from Heartbleed vulnerability.
Summary
PFS is an additional security measure than traditional encryption methods. It uses a temporary private key for each session to encrypt and decrypt data, and hence it assures the security of past and future data although a private key is compromised. Not all VPN services are PFS enabled, but PFS enabled VPN services can increase the data communication security furthermore.
Due to the required more processing power, users may experience a little delay in internet connection.