
what is PFS?

ribin.jones
Level 1

Could someone explain to me the basic concept of PFS (Perfect Forward Secrecy)?

I do have some VPNs configured in my router with no PFS. What is the extra security feature that PFS provides?

Thanks in advance,

Ribin

1 Accepted Solution

Accepted Solutions

Patrick0711
Level 3

During the initial IKE Phase 1 negotiation, public DH key values are exchanged to derive the shared secret DH value. These public and private DH values are used to generate the session key used to encrypt the 5th and 6th main mode exchanges. If you do not specify PFS, the same public and private DH values derived in Phase 1 are used to generate the subsequent keying material that protects IPSEC traffic.

When PFS is used, there is an additional DH key exchange performed in IKE Phase 2. These new public/private DH values are then used to generate the keying material for the encrypted IPSEC traffic.

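The difference Patrick describes can be made concrete with a small simulation. This is an added example, not code from the thread or from Cisco: two gateways keep a long-lived Phase 1 DH pair, then rekey the IPsec SA several times either by reusing that Phase 1 secret (no PFS) or by running a fresh ephemeral DH per Quick Mode (PFS). The `keymat` function is a constructed stand-in for IKE's PRF-based KEYMAT derivation, not the RFC's exact formula, and the group is the 1024-bit MODP group 2 from RFC 2409 (any DH group works for the demonstration). The `recover_with_phase1_key` function models what someone holding a gateway's Phase 1 private DH value plus a recording of the traffic could recompute afterwards, which is exactly what PFS is meant to prevent.

```python
import hashlib
import secrets

# 1024-bit MODP group (IKE DH group 2, RFC 2409), generator 2. Chosen only because
# it is small; the demonstration does not depend on this particular group.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def dh_keypair():
    """Return (private, public) DH values: a random x and g^x mod p."""
    priv = secrets.randbits(256)
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Shared secret: peer_pub^priv mod p (identical on both sides)."""
    return pow(peer_pub, priv, P)


def keymat(shared, nonce):
    """Constructed stand-in for IKE's PRF-based KEYMAT derivation (not the RFC formula)."""
    return hashlib.sha256(b"KEYMAT" + shared.to_bytes(128, "big") + nonce).digest()


class Gateway:
    """One IPsec peer. Its Phase 1 DH pair lives as long as the IKE SA does."""

    def __init__(self):
        self.p1_priv, self.p1_pub = dh_keypair()


def rekey(a, b, nonce, pfs):
    """One Quick Mode exchange producing the IPsec SA key on both sides.

    Returns (key_a, key_b, transcript), where transcript is what a passive
    observer of the wire would have recorded for this exchange.
    """
    if not pfs:
        # No PFS: both sides reuse the Phase 1 DH secret; only the nonce changes.
        key_a = keymat(dh_shared(a.p1_priv, b.p1_pub), nonce)
        key_b = keymat(dh_shared(b.p1_priv, a.p1_pub), nonce)
        return key_a, key_b, {"nonce": nonce}

    # PFS: a fresh ephemeral DH exchange inside Phase 2.
    ea_priv, ea_pub = dh_keypair()
    eb_priv, eb_pub = dh_keypair()
    key_a = keymat(dh_shared(ea_priv, eb_pub), nonce)
    key_b = keymat(dh_shared(eb_priv, ea_pub), nonce)
    # The ephemeral private values are discarded here; nothing long-lived on
    # either gateway can rebuild this SA's secret once the exchange is over.
    return key_a, key_b, {"nonce": nonce, "ea_pub": ea_pub, "eb_pub": eb_pub}


def recover_with_phase1_key(a_p1_priv, b_p1_pub, transcript):
    """Best attempt at the SA key given A's Phase 1 private value and the recorded traffic."""
    return keymat(dh_shared(a_p1_priv, b_p1_pub), transcript["nonce"])


def simulate(rekeys=3):
    """For each mode, report per rekey whether the Phase 1 private value reveals the SA key."""
    a, b = Gateway(), Gateway()
    results = {}
    for pfs in (False, True):
        recovered = []
        for _ in range(rekeys):
            nonce = secrets.token_bytes(16)
            key_a, key_b, transcript = rekey(a, b, nonce, pfs)
            assert key_a == key_b, "both peers must derive the same SA key"
            guess = recover_with_phase1_key(a.p1_priv, b.p1_pub, transcript)
            recovered.append(guess == key_a)
        results["pfs" if pfs else "no_pfs"] = recovered
    return results


if __name__ == "__main__":
    for mode, flags in simulate().items():
        print(f"{mode:7s} SA keys recoverable from Phase 1 private value: {flags}")
```

Without PFS every rekey's result is `True`: the SA keys differ per nonce, but all of them fall out of the one Phase 1 secret. With PFS every result is `False`, because each SA depends on an ephemeral secret that existed only for that exchange.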

9 Replies

andrew.prince
Level 10

I did read that link. Any simple/easily understandable explanation is appreciated.

Regards,

Ribin

Do you know what the Diffie-Hellman key exchange is?

OK - so PFS does NOT use any of the information from the previously negotiated key.

They negotiate and generate a completely new key for the session when the previous key expires.

OK. So, during the configuration, we need to specify a key once (which will be used for the first negotiation only) and thereafter both the peers will use another key generated using Diffie-Hellman?

No - you need to read the Wikipedia article on Diffie-Hellman again.

http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange

Once you understand that - you will understand PFS.

ribin.jones
Level 1

Thanks Patrick for being more specific on the explanation.

- Ribin
