A look at perfect forward secrecy in SSL with TLS 1.3

If you’re here because you want to understand what “forward secrecy SSL” or “SSL perfect forward secrecy” means, then you’ve come to the right place. Perfect forward secrecy is a now-mandatory component of SSL/TLS. Starting in TLS 1.3, all key exchange methods must be ephemeral Diffie-Hellman families — not RSA, which doesn’t support perfect forward secrecy.

What is Forward Secrecy in SSL / TLS and How Does It Work?

So, what is perfect forward secrecy? First, let’s talk about key exchange. Historically, key exchange has been performed using RSA asymmetric encryption. This method had a number of problems — hence its removal in TLS 1.3 — including Oracle padding attacks and something called Bleichenbacher’s CAT (don’t ask). The biggest may be its lack of ephemerality, though.

An ephemeral key exchange is one that allows for the regular rotation of the session keys. This is necessary for perfect forward secrecy and is impossible with RSA. That’s owed to the fact that RSA uses massive keys and transacts in huge prime numbers that are expensive to compute. The toll it takes on a website’s servers make ephemeral RSA schemes impractical at best (also, impossible).

Diffie-Hellman key exchange, specifically its elliptic curve-based variants, is much easier to compute and allows for regular key rotation. It also facilitates SSL perfect forward secrecy, which is incumbent upon regular key rotation and ensures that even if the private key associated with that site’s SSL certificate — and the private key plays a role in the generation of those session keys — is ever compromised, the session keys cannot be deciphered.

Normally, when your private key is compromised, it means that everything is compromised. The attacker will have no problem deriving keys from previous sessions and decrypting the information. SSL/TLS perfect forward secrecy prevents that, adding an additional layer of security to each session key beyond the computational hardness provided by the private key.

When Does SSL Perfect Forward Secrecy Become Effective?

Starting TLS 1.3, all SSL/TLS implementations will use perfect forward secrecy. It’s also advised that you stop using RSA key exchange and switch to an ephemeral Diffie-Hellman family in TLS 1.2 to enable forward secrecy there, too. If you’re running on a server that doesn’t currently support it, try updating your SSL/TLS software library to see if that helps. If not, it may be time to change servers.