what is PFS?

Answered Question
Nov 17th, 2009

Could someone explain to me the basic concept of PFS (Perfect Forward Secrecy)?

I do have some VPNs configured in my router with no PFS. What is the extra security feature that PFS provides?

Thanks in advance,

Ribin

Correct Answer by Patrick0711 about 7 years 3 months ago

During the initial IKE Phase 1 negotiation, public DH key values are exchanged to derive the shared secret DH value. These public and private DH values are used to generate the session key used to encrypt the 5th and 6th main mode exchanges. If you do not specify PFS, the same public and private DH values derived in Phase 1 are used to generate the subsequent keying material that protects IPSEC traffic.

When PFS is used, there is an additional DH key exchange performed in IKE Phase 2. These new public/private DH values are then used to generate the keying material for the encrypted IPSEC traffic.
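As an added illustration (not part of the thread and not Cisco's implementation), the Python model below follows the two derivations Patrick describes: without PFS the Phase 2 keying material is a function of the Phase 1 DH result alone, so anyone who later obtains one peer's Phase 1 private value plus the recorded public values rebuilds it; with PFS a fresh Phase 2 DH secret is mixed in that the same knowledge does not yield. The DH group, the `kdf` function and the attacker model are assumptions made for the demo, not IKE's real MODP groups or SKEYID steps.

```python
import hashlib
import secrets

# Toy DH group for illustration only: 2**127 - 1 is prime, but it is not an IKE MODP group.
P = 2**127 - 1
G = 3


def dh_keypair():
    """Return (private, public) for one DH participant."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P)


def kdf(label, *dh_secrets):
    """Stand-in for IKE's PRF-based key derivation (assumed shape, not the real SKEYID steps)."""
    h = hashlib.sha256(label.encode())
    for s in dh_secrets:
        h.update(s.to_bytes(16, "big"))
    return h.hexdigest()


def compromised_view(a, recorded, pfs):
    """What someone holding the initiator's Phase 1 private value 'a' and a capture of
    the public values can derive. Returns the IPsec keying material, or None if a
    required secret is missing."""
    phase1_secret = dh_shared(a, recorded["B"])
    if not pfs:
        return kdf("phase2", phase1_secret)      # fully determined by Phase 1 material
    return None                                  # needs a2 or b2, which never hit the wire


def run_ike(pfs):
    """Simulate Phase 1, then Phase 2 with or without PFS.
    Returns (legitimate_keymat, keymat_recoverable_from_phase1_compromise)."""
    a, A = dh_keypair()                          # initiator's Phase 1 DH values
    b, B = dh_keypair()                          # responder's Phase 1 DH values
    phase1_secret = dh_shared(a, B)
    assert phase1_secret == dh_shared(b, A)      # both sides agree on the Phase 1 secret
    recorded = {"A": A, "B": B}
    if not pfs:
        keymat = kdf("phase2", phase1_secret)    # reuses Phase 1 DH result only
    else:
        a2, A2 = dh_keypair()                    # second DH exchange in Phase 2
        b2, B2 = dh_keypair()
        recorded.update({"A2": A2, "B2": B2})
        keymat = kdf("phase2", phase1_secret, dh_shared(a2, B2))
    return keymat, compromised_view(a, recorded, pfs)
```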

ribin.jones Tue, 11/17/2009 - 05:20

I did read that link. Any simple/easily understanding explanation is appreciated.

Regards,

Ribin

andrew.prince@m... Tue, 11/17/2009 - 05:38

OK - so PFS does NOT use any of the information from the previously negotiated key.

They negotiate and generate a completely new key for the session when the previous key expires.

ribin.jones Tue, 11/17/2009 - 05:45

OK. So, during the configuration, we need to specify a key once (which will be used for the first negotiation only) and thereafter both the peers will use another key generated using Diffie-Hellman?

