• Blog
  • Tools
  • Login
  • Sign Up
    •
    Request for Comments: 17651

    Perfect Forward Secrecy Made Your Private Keys Boring

    Abstract

    For twenty years, a stolen private key was a disaster.

    It meant total compromise. Every encrypted conversation, password transmitted, API call ever made was readable.

    Traffic was being recorded all the time, “just in case” your private key leaked out. The NSA even had a name for it: “harvest now, decrypt later.” Record all the encrypted traffic today. Steal the private keys tomorrow. Decrypt everything retroactively.

    Not a conspiracy theory, it was actual operational doctrine from the Snowden documents.

    This is why we used to treat private keys like plutonium. Hardware security modules. Rotations with change advisory boards. Full incident response when someone with access left the company. The idea of letting a vendor hold your private keys was unthinkable.

    Then Perfect Forward Secrecy came along, and made everything safer.

    The old RSA key exchange

    Most folks think SSL/TLS encryption still works like the old RSA key exchange.

    In RSA, the client generates a random pre-master secret, encrypts it with the server’s public key, and sends it. The server decrypts with its private key, and both sides derive session keys from this shared secret. The trouble is that the encrypted pre-master secret travels over the network, where anyone can record it. If the private key is ever compromised, that record can be decrypted to reveal the pre-master secret and derive all the session keys.

    That’s exactly what the NSA did! As Matthew Green from Johns Hopkins put it: “If the recording entity is powerful enough, they may simply steal the keys — or demand them under court order.”

    Using RSA key exchange, one key compromise unravels years of secrets.

    What is Perfect Forward Secrecy?

    With RSA, the server certificate acted as both authentication (you are who you say you are) and authorization (you are allowed to read this data). Perfect Forward Secrecy (PFS) splits these apart and only uses certificates to authenticate that you are who you say you are.

    In PFS, each connection gets its own encryption keys that exist only for that session. This happens during the TLS handshake through ephemeral Diffie-Hellman key exchange.

    The client and server each generate and exchange random numbers:

    1. Client generates random number a and sends server g^a mod p, where g and p are standard parameters defined by the cipher.
    2. Server generates random number b and sends client g^b mod p.
    3. Using their random number and the results from the other, both sides can compute g^ab mod p, which becomes the shared session secret.

    An attacker watching this exchange sees the public values but can’t derive the session key. That’s the Diffie-Hellman problem and nobody’s solved it in nearly 50 years of trying.

    The server certificate signs this initial exchange to prevent man-in-the-middle attacks, but the real session info is encrypted using the derived session key.

    Using Perfect Forward Secrecy, a compromised private key could be used to impersonate you, but all previous traffic remains safely encrypted.

    How to enable Perfect Forward Secrecy on your servers

    Good news: If you’re running TLS 1.3, you already have Perfect Forward Secrecy. It’s mandatory, you can’t turn it off.

    RFC 8446 states: “All handshakes in TLS 1.3 provide forward secrecy.” No options. No configurations. Just PFS by default.

    But if you’re still on TLS 1.2, you need to configure it properly.

    TLS supports two variants: DHE (traditional Diffie-Hellman Ephemeral) and ECDHE (Elliptic Curve Diffie-Hellman Ephemeral). ECDHE is better because its faster and uses smaller keys for equivalent security. Look for cipher suites with DHE or ECDHE in the name. Those provide forward secrecy.

    For Nginx:

    ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
ssl_ecdh_curve X25519:secp384r1;

    For Apache:

    SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder off

    For IIS, you need to mess with the registry or use IIS Crypto. Because Windows.

    Test your configuration, change www.example.com to your domain

    echo | openssl s_client -connect www.example.com:443 -tls1_2 2>/dev/null | grep "Cipher"

    See “ECDHE” in there? You’re good.

    SSL Labs will give you a detailed report. Search for “Forward Secrecy” in the results page. Should say “Yes (with most browsers)”.

    Why your certificates are safe to automate

    Without PFS, certificate automation is scary. Your private keys lived on disk. In memory. In backups. Every automated system that touched certificates became a potential catastrophic breach vector.

    With PFS, that entire threat model disappears.

    A compromised private key can’t decrypt past traffic. Can’t even decrypt current traffic from sessions that already completed their handshake. The blast radius shrinks from “all of history” to “new connections if the attacker can man-in-the-middle, but only until we notice and revoke the certificate.”

    This is why Google turned on PFS in 2011. Not for the marginal security improvement. For the operational freedom.

    We can sleep better knowing that the private keys we have on our servers, if compromised, can’t be used to decrypt past sessions.

    When Heartbleed hit in 2014, sites with PFS had dramatically different breach notifications. Without PFS: “All traffic from the past two years may be compromised.” With PFS: “Traffic after March 2014 may be at risk until you patched.”

    That’s a $100 million difference in breach costs according to Ponemon Institute data.

    The risks of private key compromise from Certificate automation becomes reasonable with PFS.

    Perfect forward secrecy and quantum computing

    Quantum computers will eventually break Perfect Forward Secrecy.

    Shor’s algorithm can solve both the discrete logarithm problem (breaks Diffie-Hellman) and integer factorization (breaks RSA) when we have big enough quantum computers.

    The NSA is probably recording traffic now to decrypt later with quantum computers. They’re betting on having the capability within 10-20 years.

    So even if you’ve frantically deployed ECDHE certificates everywhere, you’ll need to update them with newer, quantum-safe ciphers again soon. When post-quantum becomes mandatory (and it will), you’ll need to reissue every certificate with new cipher suites.

    With proper certificate management? It’s a config update. Change your cipher preferences. Click reissue. CertKit handles the rest. Every cert gets the new algorithms on its next renewal cycle. No special migration project. No weekend work. No explaining to the CEO why you need six months to “upgrade cryptography.”

    Turn on PFS this week

    Perfect Forward Secrecy has been available since 1999. TLS 1.3 made it mandatory in 2018. If you’re not using it, you’re running decades-old cryptography.

    Check your servers:

    echo | openssl s_client -connect www.example.com:443 -tls1_2 2>/dev/null | grep "Cipher"

    Fix the ones using RSA key exchange. Update your load balancers. Configure your CDN. Test with actual browsers.

    Once you’ve got PFS, your private keys are a lot safer. You can automate them, or trust a vendor like CertKit to manage them for you.

    Turn it on. This week. Before you’re explaining to the board why last year’s traffic just got decrypted.

    CertKit manages certificates in the PFS world. Where keys aren’t scary and 47-day rotation isn’t insane.

    Comments