On its own, the strongest commercially available VPN encryption nowadays is pretty tough to crack. In fact, it would take one of the fastest supercomputers in the world 3.67×10^55 years to break the encryption through a brute-force attack. Perfect forward secrecy (PFS) is a safety net in case your VPN gets hacked through other means.
Of course, its uses extend beyond VPNs. What is it, and how does it protect you? Read on for the answers to those questions and more.
- What Is Perfect Forward Secrecy?
- What Are the Benefits of a PFS VPN?
- VPN Providers with Perfect Forward Secrecy
- Perfect Forward Secrecy – The Bottom Line
What Is Perfect Forward Secrecy?
As mentioned, the chances of brute-forcing VPN encryption are astronomically low. Hackers are more likely to rely on exploits to get their hands on the cryptographic key required to “unlock” your network communications. If they have already recorded a large amount of encrypted data from the target, a single exploit that yields that key could compromise the info the target transmits on a daily basis.
This is where perfect forward secrecy comes into play. Instead of just having the one “master key” that can expose everything you do online, PFS also uses temporary session keys to secure smaller chunks of network data.
Think of a hacker as a pirate and the “master key” as the key to a treasure chest. Once the pirate excitedly opens it, he finds that each gold coin is locked within another, smaller chest – each with its unique key.
Treasure hunting aside, what counts as a “session”? Well, every time you log in to your VPN, a new session is started. A key is created at the start of the session and expires when you turn off the VPN. Alternatively, some providers change the key every set interval for longer sessions (e.g., ExpressVPN does so every hour).
How Are Session Keys Created for PFS?
Let’s consider a connection between a client device and a server. Say, your smartphone and a website that uses HTTPS. These connections are secured with the Transport Layer Security (TLS) protocol, which often uses the Diffie-Hellman (DH) key exchange algorithm.
Without getting too technical, algorithms like DH allow two devices to share a secret over a communication channel that may have unwanted eavesdroppers. If you’re interested in the complexities of it all, you can find a neat explanation of the DH exchange here.
Now, for TLS connections, the Diffie-Hellman algorithm may come in two variants:
- Static Diffie-Hellman (DH)
- Ephemeral Diffie-Hellman (DHE)
The problem with static DH? Well, if a hacker manages to find out one of the parameters used in the exchange formula – which is kept secret by each side of the conversation – then they may use the same parameter to calculate future session keys. Not an ideal situation.
Fortunately, DHE ensures that those secret parameters are ephemeral (temporary) and cannot be used to calculate exchange keys for other sessions. This additional safety net is what creates perfect forward secrecy.
PFS works pretty much the same in the context of VPN client-server communications and occurs during the handshake process. In other words, when your device and the VPN server negotiate the details and parameters of the connection.
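The static versus ephemeral difference described above can be shown with a small simulation. This is an added example, not code from any VPN provider or TLS library; the 127-bit toy group, the SHA-256 key derivation and all function names are assumptions made for illustration, and the signature that authenticates a real DHE handshake is left out.

```python
import hashlib
import secrets

# Toy group for illustration only: 2**127 - 1 is prime but far too small for real use.
P, G = 2**127 - 1, 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def derive(priv, peer_pub, nonce):
    """Session key = SHA-256(DH shared secret || public per-session nonce)."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big") + nonce).digest()

def run_sessions(n, ephemeral):
    """Simulate n handshakes; return (long-term secret, wiretap transcripts, true keys)."""
    long_term_priv, long_term_pub = keypair()
    transcripts, keys = [], []
    for _ in range(n):
        # DHE: a fresh server exponent per session, thrown away afterwards.
        # Static DH: the same long-term exponent is reused for every session.
        srv_priv, srv_pub = keypair() if ephemeral else (long_term_priv, long_term_pub)
        cli_priv, cli_pub = keypair()
        nonce = secrets.token_bytes(16)            # sent in the clear
        key = derive(cli_priv, srv_pub, nonce)     # client side
        if key != derive(srv_priv, cli_pub, nonce):  # server side must agree
            raise RuntimeError("handshake mismatch")
        keys.append(key)
        transcripts.append((cli_pub, srv_pub, nonce))  # all an eavesdropper records
    return long_term_priv, transcripts, keys

def recoverable(leaked_priv, transcripts, keys):
    """Count recorded sessions whose key the leaked long-term secret reproduces."""
    return sum(derive(leaked_priv, cli_pub, nonce) == key
               for (cli_pub, _srv_pub, nonce), key in zip(transcripts, keys))

def compare(n=5):
    """Return (sessions exposed with static DH, sessions exposed with DHE)."""
    static = recoverable(*run_sessions(n, ephemeral=False))
    dhe = recoverable(*run_sessions(n, ephemeral=True))
    return static, dhe

if __name__ == "__main__":
    print(compare())
```

With static DH every recorded session falls to the one leaked secret; with DHE the leaked long-term secret reproduces none of them, because the exponents that produced those keys no longer exist.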
What Are the Benefits of a PFS VPN?
There are several reasons why using a PFS VPN is a good idea. Here they are:
#1 Websites Don’t Always Use PFS
We’ve mentioned that HTTPS websites may use Diffie-Hellman for key exchanges, but this isn’t always the case. Another popular key exchange algorithm is RSA – and while it’s pretty secure, it doesn’t support PFS. In fact, RSA is often paired up with DHE or its faster, Elliptic Curve variant (ECDHE) for this very reason.
In any case, you can’t really tell whether a website uses PFS at first glance. If it uses HTTPS, then it’s more likely that it does – but it’s not a guarantee. The website’s privacy policy might mention perfect forward secrecy, but let’s be honest here: does anyone waste their time with privacy policies nowadays?
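One way to check instead of guessing is to look at the cipher suite a TLS connection actually negotiated. The following is an added example, not something from the original article; the function names and the sample list are constructed for illustration, and the classification relies only on the DHE/ECDHE naming convention mentioned above.

```python
import socket
import ssl

EPHEMERAL = ("ECDHE-", "DHE-", "EDH-")   # fresh DH values for every handshake
STATIC = ("ECDH-", "DH-")                # fixed DH key taken from the certificate

def forward_secrecy(suite, protocol):
    """Classify a negotiated suite name (OpenSSL or IANA style) by key exchange."""
    if protocol == "TLSv1.3":
        return "ephemeral"       # TLS 1.3 removed RSA and static DH key exchange
    name = suite.upper().replace("_", "-")
    if name.startswith("TLS-"):
        name = name[4:]
    if "ANON" in name or name.startswith(("ADH-", "AECDH-")):
        return "anonymous"       # unauthenticated DH, should never be accepted
    if name.startswith(EPHEMERAL):
        return "ephemeral"
    if name.startswith(STATIC):
        return "static"
    return "none"                # no (EC)DHE in the name, e.g. RSA key transport

def check_host(host, port=443, timeout=5.0):
    """Connect to host and return (suite, protocol, classification). Needs network."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            suite, protocol, _bits = tls.cipher()
    return suite, protocol, forward_secrecy(suite, protocol)

# Constructed sample of (suite, protocol) pairs as a client might report them.
SAMPLES = [
    ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2"),
    ("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLSv1.2"),
    ("TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", "TLSv1.2"),
    ("AES256-GCM-SHA384", "TLSv1.2"),
    ("TLS_AES_256_GCM_SHA384", "TLSv1.3"),
]

def classify_samples():
    return {suite: forward_secrecy(suite, proto) for suite, proto in SAMPLES}

if __name__ == "__main__":
    for suite, verdict in classify_samples().items():
        print(f"{verdict:10} {suite}")
```

Only the "ephemeral" result corresponds to PFS; the result reflects what your client and that server agreed on for one connection, so a different client may negotiate something else.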
#2 Damage Control in Case of a Breach
As you may have gathered from the unlucky pirate’s tale, PFS offers a great deal of security in the event of a breach. It’s already difficult enough to obtain the “master key” to a system without running into more locks. Even if a hacker gets their hands on a session key as well, only a very small portion of your data is exposed.
Moreover, cyber criminals usually go for easier targets. The amount of work they’d have to put in for such a job probably wouldn’t be worth the payout.
#3 Great Against Mass Surveillance
It’s also a great deterrent against mass surveillance if each mini session needs to be decrypted before the NSA and co. gain access to your communications.
Although to be fair, spy agencies can collect, store, and process data at ridiculous levels. They’re just waiting for an exploit like Heartbleed to come along and deal with PFS encryption more easily.
Naturally, this shouldn’t dissuade anybody from using PFS. It’s like not locking the door to your house because lock-picks exist.
VPN Providers with Perfect Forward Secrecy
Quite a few providers offer PFS. If a VPN is configured with one of the following encryption protocols, then it’s quite likely to have PFS (but again – not a guarantee):
- OpenVPN
- SoftEther
- IKEv2/ IPSec
- L2TP/ IPSec
- SSTP
- WireGuard
The provider’s FAQ should mention whether they implement the feature. Look for mentions of Diffie-Hellman, perfect forward secrecy, or acronyms like DH, DHE, ECDHE. Alternatively, you can ask a VPN customer support rep. In fact, it may be a good idea to do so in case they offer PFS, but it isn’t enabled in their app by default.
Otherwise, here are a few of them that stand out.
#1 ExpressVPN
An industry titan with over a decade of experience under their belt and a consistent list-topper due to the sheer amount of features they implement in their software. Unsurprisingly, their app features PFS. According to one of their blog posts:
Each ExpressVPN connection uses a different key […] Dynamic encryption keys are purged or regenerated after a connection is terminated or every 60 minutes to protect long-lived connections.
Read our full review for the full ExpressVPN specs – including an in-depth look at their terms of service and privacy policy, features, data collection, speed tests, and more.
#2 NordVPN
The usual runner-up on top VPN lists, NordVPN, offers a more in-depth look at their encryption protocols in the support section on their website. Here’s the gist of it, so you don’t get lost in the acronym soup:
- OpenVPN – uses 4096-bit DH for key exchange. It’s unclear from their support page whether they use ephemeral DH or not. We’ve reached out to one of their support reps and will update with new info as soon as it’s available.
- IKEv2/ IPSec – features perfect forward secrecy using 3072-bit Diffie-Hellman keys.
- WireGuard (NordLynx) – once again, neither the support page nor their full blog post about NordLynx mentions anything about PFS, so we asked the NordVPN support reps for details and will update accordingly. More details below.
WireGuard is a relatively new protocol that supports PFS. According to an MIT security analysis of WireGuard, the protocol’s handshake “essentially run[s] two instances of the Elliptic Curve Diffie-Hellman key exchange,” with each session lasting three minutes at most.
As such, it’s highly likely that NordLynx integrates PFS as well. After all, why go through the effort of using a cutting-edge encryption protocol if you don’t make use of all its features?
#3 Private Internet Access (PIA)
A decent VPN provider that has had its no-logging policy tested in court – not once, but twice. As such, you can be sure your data won’t fall into the wrong hands with their service.
But how do they fare on the PFS end? Well, according to their website, their handshake encryption settings use:
- Ephemeral Diffie-Hellman key exchanges with RSA encryption
- Ephemeral Elliptic Curve DH key exchanges with ECC encryption (also used by Bitcoin)
So yes, PIA implements PFS – they even mention that they use TLS 1.2 to establish the handshake if there were any doubts. See our full PIA review for more.
#4 IPVanish
We couldn’t find any specific mention of their handshake encryption settings on their website. However, buried in their Tomato router setup guide, we’ve found that the default configuration uses the DHE-RSA (2048-bit, in this case) combo we’ve seen before.
Overall a decent provider, though a few mishaps (which we’ve discussed in our review) may leave some users questioning their no-logs policy.
#5 SaferVPN
According to a blog post, SaferVPN also rotates encryption keys every sixty minutes – just like ExpressVPN. Perfect forward secrecy is enabled by default on their IKEv2/ IPSec and OpenVPN configs (the latter of which uses 2048-bit TLS for key exchanges).
While SaferVPN in itself isn’t outstanding (read our review for more info), the creators have gone on to create Perimeter81, which topped our list of the best VPNs for small businesses. If you’re looking for a way to secure your team’s communications for remote work during the pandemic, that should be your first stop.
Perfect Forward Secrecy – The Bottom Line
As you’ve seen, PFS is the way forward when it comes to both website and VPN security. The new WireGuard protocol, in particular – although still considered experimental – promises to be a nightmare for hackers and spy agencies.
Of course, current protocols aren’t exactly pushovers when it comes to securing key exchanges and protecting your data. Just research your provider beforehand to make sure you’re getting that protection in the first place.