Controller Based WLANs

What is Perfect Forward Secrecy (PFS)?

by on ‎07-09-2014 11:45 AM

Product and Software: This article applies to all Aruba controllers and ArubaOS 3.x. 

Perfect Forward Secrecy (PFS) 

The keys created by peers during IKE phase II and used for IPsec are based on a sequence of random binary digits exchanged between peers, and on the DH key computed during IKE phase I. 

The DH key is computed once, then it is used a number of times during IKE phase II. The keys used during IKE phase II are based on the DH key computed during IKE phase I, so there exists a mathematical relationship between them. For this reason, the use of a single DH key may weaken the strength of subsequent keys. If one key is compromised, subsequent keys can be compromised with less effort. 

In cryptography, Perfect Forward Secrecy (PFS) refers to the condition in which the compromise of a current session key or long-term private key does not cause the compromise of earlier or subsequent keys. VPN meets this requirement with a PFS mode. When PFS is enabled, a fresh DH key is generated during IKE phase II, and it is renewed for each key exchange. 

However, because a new DH key is generated during each IKE phase I, no dependency exists between these keys and those produced in subsequent IKE phase I. 

Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.