Perfect Forward Secrecy 6.1 Flashcards
Traditional Web Server Encryption
SSL/TLS uses encryption keys to protect web server communication. Traditionally, this has been based on a private key stored on the web server. If you have a copy of the web server’s private key and you’ve captured all the data, you can rebuild all of the conversations in decrypted form. This is a single point of failure for all of your website encryption.
Perfect Forward Secrecy (PFS)
To protect the key exchange, you change the method of the key exchange. You don’t use the server’s RSA key. (Don’t worry about the RSA acronym.) Instead, you create keys on the fly, using elliptic curve or Diffie-Hellman ephemeral keys. This means that if someone captures all the data, they still cannot decrypt it, because they would not have the private key. PFS requires more computing power, so not all servers will use PFS. The browser must also support PFS; most modern browsers do.