What Is Perfect Forward Secrecy and How to Enable It

If you plan on using TLS/SSL connections, ensuring the security of session keys is crucial, even if the private key becomes compromised.

Perfect Forward Secrecy (PFS) comes to the rescue by allowing control over the encryption keys, preventing attackers from accessing previous messages.

Read on to understand perfect forward secrecy (PFS) and how to enable it to your advantage.

Enabling Perfect Forward Secrecy

Perfect Forward Secrecy (PFS) is an encryption scheme that changes the keys to encrypt and decrypt information. 

It also prohibits hackers from decrypting data from previous or future sessions, even if they steal at some point the private keys used in an individual session.

As a result, hackers cannot access the session key through decryption without first interacting with the key negotiation and exchange process. This requires significantly more work than other cyber attack methods.

All major web browsers support PFS. Google has been using it for years with Gmail, and Apple made it within iOS a requirement on the App Store in 2017. 

As more companies force customer adoption, the growth of PFS is expected to continue. Understanding how perfect forward secrecy works can help you secure past and future communications.

Understanding How Perfect Forward Secrecy Works

Implementing perfect forward secrecy is one technique to reduce the risks of a stolen server's private key. 

It overcame its vulnerabilities using a key exchange algorithm called Ephemeral Diffie-Hellman (DHE) or the Ephemeral Elliptic Curve Diffie-Hellman (ECDHE).

If the client wants to communicate with the server, they generate a pre-primary secret and encrypt it with the server's special key. The rest of the conversation is encrypted with this pre-primary secret key by both users.

The only people who can decrypt what the client and server discussed are those who know the original key of the server. 

When malicious actors try to attack, they can only read data related to a certain exchange if they recover the private keys for that exchange. 

Due to the intricacy of the mathematical calculations involved in producing a single session key, even a brute-force attack to hack the key cannot be performed efficiently.

Without PFS, malicious actors can spy on the server's communication without being detected. The reason is that the server uses the same key to encrypt each pre-primary secret with each client.

One of the benefits of Perfect Forward Secrecy is that it gives significantly superior protection by generating unique session keys for each transaction. 

Even if a hacker obtains a private key for a transaction, they can only view that exchange's data.

PFS decreases the amount of information vulnerable if a hack is successful, reducing the likelihood of hackers attempting to access secure data on the server. 

If the hackers successfully crack the private key, the work required may be insufficient for the limited data they can access. 

However, while there is no guarantee that no one will try to obtain unauthorized access to your servers, it makes you a less attractive target.

NGINX Configuration

NGINX is open-source software that you can use for the following:

• web serving, 
• reverse proxying,
• caching, 
• media streaming, and 
• load balancing, among others. 

It began as a web server intended for maximum stability and performance.

Your web server and SSL/TLS library should support Elliptic Curve cryptography (ECC) before configuring your NGINX server for Forward Secrecy. 

It is a technique used to secure applications and can reduce their computational impact.

The ECC is a smaller key that can provide security for devices with low computational resources and memory.

Here is how you enable PFS through NGINX:

Step 1: Locate your SSL configuration, assuming that /etc/nginx is the base directory.

• The command will project the available Server Blocks.
• Open the Server Block for which Forward Secrecy is enabled.

Step 2: Add these lines to the configuration.

Step 3: Set the SSL cipher depending on your browser's compatibility. You have plenty to choose from, but the cipher currently recommended is:

Step 4: Using this, restart Nginx:

Step 5: Use Discovery to test your configuration to ensure that Forward Secrecy is enabled.

Step 6: After this, you have now successfully set Forward Secrecy.

Compared to other web servers, NGINX is more secure and has a smaller codebase. A web server and a reverse proxy server can be used with NGINX.

Apache Configuration

Apache is the web server that handles HTTP requests and serves online assets and information. 

It is frequently used with the following:

• MySQL database engine, 
• the PHP scripting language, and 
• other popular scripting languages like Python and Perl.

Here is how you enable PFS through Apache:

Step 1: Locate your SSL protocol configuration using this

• The command will project the available Virtual Hosts.
• Open the Virtual Host for which Forward Secrecy is enabled.

Step 2: Add these lines to the configuration.

Step 3: Set the SSL cipher:

Step 4: Using this, restart Apache:

Step 5: Use Discovery to test your configuration to ensure that Forward Secrecy is enabled.

Step 6: After this, you have now successfully set Forward Secrecy.

Your server must prioritize certain security methods for them to work. If the server prioritizes another form of security, that's the one that will be used. 

If you adopt perfect forward secrecy, you should disable all other security methods. This is due to an SSL/TLS vulnerability known as the FREAK Attack.

Attackers can exploit the vulnerability to intercept HTTPS connections between susceptible clients and servers and force them to utilize 'export-grade' cryptography, which can then be decrypted or manipulated.

It is also important to disable lengthy duration session IDs or session tickets. These retain session-related information for extended periods after the user's session. 

Sometimes, session tickets may remain in a server's memory until the system is rebooted.

The PFS offers security so one's right to private correspondence is not violated.

The Importance of Perfect Forward Secrecy

In an ideal world where every organization or person follows secure key management best practices, PFS is unnecessary, and forward secrecy would have been fine. 

However, since cyber criminals are on the hunt to find more sophisticated ways to get people's private keys to decrypt data from previously intercepted sessions, then it means that the server's private keys are susceptible to compromise.

Perfect forward secrecy protects future compromises of secret keys or passwords from previous sessions.

It also ensures that previously recorded and encrypted sessions and communications cannot be accessed and decrypted in the future by an attacker who compromises long-term secret keys.

This is why decrypting PFS is only through installing an agent on the server or routing traffic through a set of TLS inspection devices.

Bottomline

Before, implementation complexity was a barrier to establishing perfect forward secrecy. Implementing modern load balancers and other packaged solutions is easier than ever.

With an ECC certificate to negotiate fast SSL/TLS encryption with PFS and an RSA certificate as a backup for compatibility with older browsers, it can optimally implement PFS.

Using PFS will help secure past and future sessions. Not only will it secure current sessions, but it also secures the past and the future.