perfect forward secrecy, what is it?

5

I was once reading about a subject that mentioned PFS, and then I went to search; Wikipedia is weak on information about this. What is it? Is it like doing it? Please, I am a layman and I like examples. Thank you in advance.

    
asked by anonymous 15.02.2015 / 21:23

1 answer

6

In an encrypted communication (for example, via HTTPS) the client and the server share a secret - called a "session key" - that is responsible for ensuring communication confidentiality. Anyone who intercepts this communication, but does not know this secret, cannot decipher the intercepted data. He can keep these data for the future, however, hoping that one day he will be able to interpret them (either via cryptanalysis, or through other means).

How this session key is created has an impact on the viability of these "other means". Let's say a master key (for example, the private key of the server's certificate) is used to derive session keys each time a client connects. Each session has its key, but all came from that master key. At some future point, the attacker manages to invade the server and retrieve the master key. Then he will repeat the derivation process that originated the session keys, and use the results to decipher the data he has stored.

On the other hand, if session keys are not directly derived from anything - they are created by random processes, which cannot be redone in the future - there is no point in attacking the server, stealing all your secrets, etc.: past communications between it and clients remain confidential (as long as they are not stored on the server, of course) because session keys have already been thrown away and there is no way to re-create them. Perfect Forward Secrecy is this property, in which a present communication is confidential, and is expected to remain confidential in the future even if the keys (the server's certificate, certificate, or client's user / password) are compromised. Alternatively, if a single communication is compromised (say the session key has "leaked") this does not compromise the confidentiality of all communications prior to it.

It's hard to give an example with confidence because I do not have enough knowledge of cryptographic protocols, so I'll reproduce here the graphic example from the article on Diffie-Hellman on Wikipedia. Note that the actual protocol is a little more complicated than this (since the original DH did not ensure the authenticity of the communication, and therefore was vulnerable to man-in-the-middle attacks).

Let's say Alice and Bob want to communicate with each other, and both agree on a common parameter (the "yellow ink"). Each of them randomly chooses another secret / key (the "red and blue inks") and combines it with the common parameter in an irreversible way (the "first ink blend"). Each sends to the other the result of this operation, which in turn is combined with its own secret (the "second ink mixture") in order to produce a common secret (the "brown ink"). This common secret can then be used as an encryption key to ensure the confidentiality of the messages exchanged until the end of that session. At the end of the session, all the secrets involved are thrown away (this is the key point of PFS).

Someone who is "listening" to the communication knows what the common parameter is, and the intermediate results of each computation, but on the basis of this alone cannot discover either the individual secrets of Alice and Bob or the final secret that is shared between both. And since all the secrets have been discarded, even if all the encrypted data is stored by the attacker, there is no hope of recovering those secrets in the future, so the communication can be considered "perfectly safe forever."

(That is, until the cryptographic algorithm itself is broken - allowing the decryption of the messages without the need for the keys - or the speed of computers grows to the point where it is possible to break it through brute force... However, these hypotheses are less likely as long as a good cryptographic algorithm has been used.)

    
15.02.2015 / 22:23
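The two designs described in the answer above, side by side, as an added example that is not part of the original answer: session keys derived from a long-term master key, and session keys agreed through a Diffie-Hellman exchange whose secrets are discarded. All function names are hypothetical, and the group (prime `2**255 - 19`, generator 2) is a toy parameter choice assumed for illustration; real deployments rely on a vetted TLS library and standardized groups or curves.

```python
import hashlib
import hmac
import secrets

# Toy group parameters (assumption, illustration only).
P = 2**255 - 19   # a well-known prime
G = 2             # the public common parameter ("yellow ink")

def derived_session_key(master_key, client_nonce, server_nonce):
    """Design without PFS: session key = HMAC(master key, public nonces)."""
    return hmac.new(master_key, client_nonce + server_nonce, hashlib.sha256).digest()

def dh_keypair():
    """Fresh random secret plus the public value sent over the wire."""
    secret = secrets.randbelow(P - 3) + 2          # in the range 2 .. P-2
    return secret, pow(G, secret, P)               # the "first ink blend"

def dh_session_key(my_secret, peer_public):
    """Combine the peer's public value with our own secret ("brown ink")."""
    shared = pow(peer_public, my_secret, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def demo():
    master = secrets.token_bytes(32)               # long-term server secret

    # Design 1: nonces travel in the clear, so the eavesdropper records them.
    client_nonce, server_nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    session_key = derived_session_key(master, client_nonce, server_nonce)
    # Later the master key leaks: the recorded nonces are enough to redo
    # the derivation and obtain the old session key.
    recovered = derived_session_key(master, client_nonce, server_nonce)

    # Design 2: ephemeral Diffie-Hellman. Only A and B cross the wire.
    a, A = dh_keypair()
    b, B = dh_keypair()
    k_alice = dh_session_key(a, B)
    k_bob = dh_session_key(b, A)
    del a, b                                       # end of session: secrets discarded
    # The master key was never an input to this key, so running the recorded
    # transcript through the old derivation produces an unrelated value.
    guess = derived_session_key(master, A.to_bytes(32, "big"), B.to_bytes(32, "big"))

    return {
        "master_key_design_recovered": recovered == session_key,
        "dh_keys_agree": k_alice == k_bob,
        "dh_recovered_with_master": guess == k_alice,
    }

if __name__ == "__main__":
    print(demo())
```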