What is forward secrecy, and why does it matter?

4 minintermediateforward-secrecyecdhesecurity

Quick Answer

Forward secrecy means that even if a server's long-term private key is stolen in the future, past encrypted sessions cannot be decrypted retroactively. It's achieved by using a fresh, temporary key for each session's key exchange, instead of reusing the server's permanent private key. TLS 1.3 makes this mandatory for every connection.

Detailed Answer

Imagine an attacker records all of a company's encrypted traffic for a year, without being able to read any of it. Then, a year later, the server's private key gets stolen or leaked.

Without forward secrecy (e.g. RSA key exchange):
   stolen private key + recorded traffic --> attacker can decrypt everything, retroactively

With forward secrecy (e.g. ECDHE):
   stolen private key + recorded traffic --> attacker still can't decrypt past sessions
   (each session used its own temporary, now-deleted key)

Without forward secrecy, that leaked key can decrypt every recorded session from the past, because they all depended on that one long-term key. This is sometimes called "harvest now, decrypt later" — an attacker collects encrypted traffic today, hoping to crack it open later.

With forward secrecy, each session's actual encryption key is derived from a temporary key pair, generated fresh and discarded right after that one session ends. The server's long-term private key is only used to sign the exchange, proving its identity — never to directly produce the session's secret. So even a stolen long-term key can't unlock old traffic, because the temporary keys that mattered are already gone.

This is why forward secrecy is considered essential for modern TLS, and exactly why TLS 1.3 no longer allows RSA key exchange, only (EC)DHE-based methods that provide it by default.

Related Resources