How perfect forward secrecy makes VPN encryption safer

Encryption protocols keep you safe and your communications private. A secure chat app will encrypt conversations, and HTTPS secures websites (indicated by a green lock in your browser bar). A VPN service wraps an extra layer of encryption around all the bits and bytes.

The technique of encryption uses mathematics to ensure that only the intended recipient can decode a big chunk of gibberish into readable data. The most heavily guarded secret of any encrypted channel is the encryption keys, which encrypt or decrypt the data.

Encryption also ensures that information cannot be altered while in transit, and that we have a way of verifying whether data originates from where we believe it originates. Modern encryption protocols make use of dozens of different mechanisms and algorithms to function, with many of the same cornerstones shared among them. Their weakest link: The encryption key.

In symmetric encryption, the encryption key is shared by the participants and used to both encrypt and decrypt data. When this key falls into the hands of an attacker, they can read and alter all communications encrypted with it.

Perfect forward secrecy (PFS) ensures that compromised or stolen encryption keys do not affect the security of past or future communications. Without perfect forward secrecy, any momentary system compromise—e.g., a malware infection or targeted hack—could expose all data the user has ever transferred, past and future, assuming it was recorded somewhere along the line, such as by your ISP.

PFS might also help protect against a future compromise of the encryption algorithm itself: if, for example, it ever becomes feasible to brute-force the encryption keys, that effort would have to be repeated for every key there is to crack.

ExpressVPN uses perfect forward secrecy by default

In simpler encryption systems, keys are generated and reused over time for storage and communications.

When information needs to be retrieved after it has been communicated, such as through an email or a file, it’s preferable that the encryption key used to encrypt the information is still available.

Popular encryption tools like PGP (or GnuPG) use static encryption keys to encrypt files and emails or to sign computer programs. Notably, you can configure your Facebook account to send you PGP-encrypted email notifications.

The big downside of static encryption keys is that unless you change keys regularly, a hacker only needs to compromise a single key on your computer to compromise all your encrypted files and emails. Even if you were to change keys regularly, you would likely still keep the previous keys in case you needed to access old emails or files.

ExpressVPN uses dynamic encryption keys for perfect forward secrecy

Not all data requires future accessibility. When you open an HTTPS-encrypted website, the browser doesn’t need to store the encrypted data for long. After all, you are always able to re-request the same page or keep a copy of it locally.

VPN connections are very similar in that there is no need to store or re-access transmitted information. And while there is no guarantee that intermediaries such as internet service providers (ISPs) or governments won’t keep a copy of the encrypted transmitted data, perfect forward secrecy makes the information as useless as possible.

Every time you connect to ExpressVPN servers, including with our innovative Lightway protocol, the security certificate’s authenticity is verified. Once authenticated, a unique encryption key is negotiated through the Elliptic-Curve Diffie-Hellman (ECDH) key exchange. Through this negotiation, the server and client are able to derive an encryption key without risk of interference from a third party.

Read more: Learn how your ExpressVPN app verifies it’s talking to the right server

Each ExpressVPN connection uses a different key, so in the unlikely event that someone once hacked your device or an ExpressVPN server and recorded encrypted raw data transmitted by you, they still wouldn’t be able to decipher the information. Dynamic encryption keys are purged or regenerated after a connection is terminated, or every 15 minutes, to protect long-lived connections. The key is also renegotiated every time your device changes networks, for example between mobile data and Wi-Fi.
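The per-connection key negotiation described above, as an added example that is not ExpressVPN's or Lightway's code: two simulated connections each run a fresh X25519 ECDH handshake (the curve choice and the SHA-256 key derivation are this example's assumptions, standing in for the real protocol's KDF), and a record sealed under the first connection's key cannot be opened with the second's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// Handshake models one connection: each side makes a fresh X25519 key pair,
// swaps public keys and derives the same session key, then discards its key.
func Handshake() (clientKey, serverKey []byte) {
	curve := ecdh.X25519()
	clientPriv := must(curve.GenerateKey(rand.Reader))
	serverPriv := must(curve.GenerateKey(rand.Reader))
	// own private key + peer's public key -> the same secret on both sides
	cs := must(clientPriv.ECDH(serverPriv.PublicKey()))
	ss := must(serverPriv.ECDH(clientPriv.PublicKey()))
	return kdf(cs), kdf(ss)
}

// kdf stands in for HKDF: hash the shared secret into a 32-byte AES-256 key.
func kdf(secret []byte) []byte {
	sum := sha256.Sum256(append([]byte("pfs-demo session key:"), secret...))
	return sum[:]
}

// Seal protects one record with AES-256-GCM under a random nonce and returns
// nonce || ciphertext; Open reverses it and fails under any other key.
func Seal(key, plaintext []byte) []byte {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	return aead.Seal(nonce, nonce, plaintext, nil)
}

func Open(key, record []byte) ([]byte, error) {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	n := aead.NonceSize()
	return aead.Open(nil, record[:n], record[n:], nil)
}

// must keeps the demo short: rand or cipher setup failures are fatal here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
```

Open expects a record produced by Seal, so it is at least one nonce long; an eavesdropper who captured such a record and later obtained another connection's key gets only an authentication failure.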

Perfect forward secrecy protects your chats

In encrypted chat systems, PFS has been used for a long time. In OTR, for example, encryption keys are regularly cycled. OTR, presented in 2004, was the pioneer in putting the idea of PFS into practice. Short for “Off-the-Record Messaging,” it was specifically created to facilitate conversations that were private and temporary. The main encryption technique used by the masses at the time was PGP, using public/private key pairs to encrypt and sign transactions.

If a private key were to be compromised, for example after a device is stolen, the thief would be able to decipher all previously recorded messages. In court, the cryptographic signatures could be used to attribute beyond doubt who had sent which messages, even if all parties had deleted them.

In OTR, new encryption keys are negotiated by the communication parties each time a conversation is initiated. The key is discarded as the connection is cut and users can choose not to keep a copy locally.

One big disadvantage of perfect forward secrecy is the need for both participants to be online at the same time. This is a reasonable assumption for VPN protocols and HTTPS, but can be tricky for chats. In OTR, for instance, both chat participants need to be online at the same time to negotiate the key, meaning a message cannot be sent beforehand.

The encrypted messaging app Signal solves this problem differently. To achieve “asynchronous perfect forward secrecy,” the app begins its half of the key exchange 100 times and pushes it to a server. The other party can then complete the key exchange and send encrypted messages without needing to wait for the first party to come back online.

From niche concept to growing standard

The idea of PFS, like many other encryption techniques, dates back to the 1990s, yet hadn’t been used much until a decade later through OTR by an admittedly small audience. The larger public has only been reaping the benefits since the early 2010s, when Google began making it the default. Wikipedia began using PFS in 2014, and only in 2018 did all HTTPS begin to make use of PFS.

Some other major protocols in use, such as the popular WPA and WPA2 standards for Wi-Fi encryption, still do not use PFS. WPA3, however, ships with PFS.

Read more: How to back up your files and encrypt them