Perfect forward secrecy

Perfect Forward Secrecy (PFS) is an IPsec key-exchange property that ensures derived session keys are not compromised even if one of the long-term private keys is compromised in the future.

To prevent a third party from discovering a usable key value, IPsec uses Perfect Forward Secrecy (PFS). PFS periodically creates a new key value based on fresh values supplied by both parties in the exchange. Because each party contributes a new random value known only to itself, every newly generated key is independent of previously created keys.

Using PFS means that even if a third party manages to intercept a symmetric key, that party can only use the intercepted key for a short time. Additionally, because the newly created key is not derived from the previously intercepted key, the third party must begin a new brute-force calculation to guess the new key value. With PFS enabled in IPsec, creating a new key takes longer than without PFS, because each rekey requires a fresh exchange of values between the peers. However, using PFS helps prevent intercepted data from being decoded by a third party.
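The mechanism the two paragraphs above describe, as an added example that is not part of the original page: a small Python simulation (standard library only) of repeated rekeying with and without PFS, followed by what a passive eavesdropper can reconstruct after later stealing the long-lived secret. The long-lived IKE-style secret `sk_d`, the `prf_plus` expansion, the `Peer` class and the three-rekey scenario are assumptions for illustration; the modular group is the 1024-bit MODP group from RFC 2409 (IKE Group 2) and the derivation shapes are simplified from IKEv2, not a protocol implementation.

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP group from RFC 2409 (IKE "Group 2"); generator is 2.
# Hex copied from the RFC; the bit-length check guards against a copy error.
P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF"
)
P = int(P_HEX, 16)
G = 2
assert P.bit_length() == 1024


def prf_plus(key: bytes, seed: bytes, length: int = 32) -> bytes:
    """HMAC-SHA256 key expansion in the style of IKEv2's prf+ (simplified, assumed)."""
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(key, t + seed + bytes([i]), hashlib.sha256).digest()
        out += t
        i += 1
    return out[:length]


class Peer:
    """One peer's per-rekey material: a fresh nonce and an ephemeral DH key pair."""

    def __init__(self) -> None:
        self.nonce = secrets.token_bytes(32)          # random value, sent in the clear
        self._x = 2 + secrets.randbelow(P - 3)        # ephemeral private exponent, never sent
        self.public = pow(G, self._x, P)              # g^x mod p, sent in the clear

    def shared_secret(self, other_public: int) -> bytes:
        # g^xy mod p: computable only by someone holding one of the private exponents
        return pow(other_public, self._x, P).to_bytes(128, "big")


def child_key(sk_d: bytes, ni: bytes, nr: bytes, dh_secret: bytes = b"") -> bytes:
    """Session key for one rekey. Without PFS the inputs are only the long-lived
    secret sk_d and the two nonces; with PFS a fresh DH shared secret is mixed in."""
    return prf_plus(sk_d, dh_secret + ni + nr)


def run_rekeys(pfs: bool, rekeys: int = 3):
    """Simulate `rekeys` rekey exchanges (constructed scenario).

    Returns (sk_d, transcript, session_keys): sk_d is the long-lived secret an
    attacker may steal later, transcript is exactly what a passive eavesdropper
    records (nonces and DH public values), session_keys are the keys in use."""
    sk_d = secrets.token_bytes(32)
    transcript, session_keys = [], []
    for _ in range(rekeys):
        initiator, responder = Peer(), Peer()
        dh = b""
        if pfs:
            dh = initiator.shared_secret(responder.public)
            assert dh == responder.shared_secret(initiator.public)
        session_keys.append(child_key(sk_d, initiator.nonce, responder.nonce, dh))
        transcript.append((initiator.nonce, responder.nonce, initiator.public, responder.public))
    return sk_d, transcript, session_keys


def eavesdropper_recovers(sk_d: bytes, transcript) -> list:
    """Keys an attacker can compute after recording the transcript and later stealing sk_d.
    The public DH values yield no g^xy without a discarded private exponent, so the
    only derivation available to the attacker is the no-PFS one."""
    return [child_key(sk_d, ni, nr) for ni, nr, _pub_i, _pub_r in transcript]


def demo(pfs: bool) -> dict:
    """Compare the peers' real keys with what the eavesdropper reconstructs."""
    sk_d, transcript, real_keys = run_rekeys(pfs)
    recovered = eavesdropper_recovers(sk_d, transcript)
    return {
        "keys_all_distinct": len(set(real_keys)) == len(real_keys),
        "attacker_recovers_every_key": recovered == real_keys,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("PFS" if mode else "no PFS", demo(mode))
```

Without PFS, stealing `sk_d` after the fact lets the eavesdropper derive every recorded session key from the captured nonces; with PFS the same theft yields nothing, because each key also depends on a DH secret whose private exponents were never transmitted and were discarded after the rekey. The extra modular exponentiations per rekey are the added cost the text refers to when it says key creation takes longer with PFS.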