The question forward secrecy answers

Imagine an attacker records your encrypted traffic today and stores it. Months later they obtain the server's long-term private key, perhaps through a breach or a court order. Can they now go back and decrypt the traffic they captured?

If the answer is no, the connection had forward secrecy, sometimes called perfect forward secrecy. If the answer is yes, it did not. The difference comes down entirely to the key exchange named in the cipher suite, which is why it is one of the first things the decoder reports.

Static RSA: convenient and fragile

In the old static RSA key exchange, the client picks the secret that will protect the session, encrypts it with the server's public key from its certificate, and sends it over. Only the server's private key can decrypt it, so the session is private from eavesdroppers at the time.

The fatal property is that the session secret was protected by the server's long-term key. If that key ever leaks, every past session that used it can be unwrapped from a recording, because the encrypted secret is sitting right there in the captured handshake. One key compromise retroactively breaks every conversation it ever protected. Suites that start with TLS_RSA_WITH_ work this way, and the decoder flags them as lacking forward secrecy.

Ephemeral Diffie-Hellman: the fix

Ephemeral Diffie-Hellman breaks the link between the session secret and any long-term key. For each connection, the two sides generate fresh, throwaway Diffie-Hellman key pairs, exchange the public halves, and each combines its own private half with the other's public half to arrive at the same shared secret. The private halves never leave their machines and are discarded when the connection ends.

Because the shared secret was never encrypted under the server's long-term key, and the ephemeral private keys no longer exist, a later compromise of the long-term key reveals nothing about past sessions. There is simply nothing in the recording to unwrap.
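To make the difference concrete, here is a small Python model of the two handshakes from the recorder's point of view. It is an added illustration written for this article, not real TLS and not the decoder's code: the RSA key uses tiny textbook primes and the Diffie-Hellman group is a toy Mersenne-prime group, both constructed here so the example runs offline. Each handshake returns what an eavesdropper records plus the session key the peers derived; `attacker_replay` then models the later moment when the server's long-term private exponent `D` has leaked and asks what the recording alone gives up.

```python
"""Static RSA key transport vs. ephemeral Diffie-Hellman, seen by an attacker
who records the handshake now and obtains the long-term key later.

Constructed toy parameters (insecure sizes); illustrative only, not real TLS.
"""
import hashlib
import secrets

# --- Server's long-term RSA key (textbook RSA, toy primes; constructed) ----
P, Q = 1009, 1013            # real keys use 2048-bit or larger moduli
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: the "long-term key"


def rsa_encrypt(m, n=N, e=E):
    return pow(m, e, n)


def rsa_decrypt(c, n=N, d=D):
    return pow(c, d, n)


def rsa_sign(msg, n=N, d=D):
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
    return pow(h, d, n)


def rsa_verify(msg, sig, n=N, e=E):
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
    return pow(sig, e, n) == h


# --- Toy finite-field Diffie-Hellman group (constructed; far too small) ----
DH_P = 2**127 - 1            # Mersenne prime
DH_G = 3


def session_key(shared_secret):
    """Derive a short session key from the shared secret (toy KDF)."""
    return hashlib.sha256(str(shared_secret).encode()).hexdigest()[:16]


def static_rsa_handshake():
    """TLS_RSA_WITH_*: the client picks the secret and encrypts it to the
    server's long-term public key. Returns (recording, session_key)."""
    premaster = secrets.randbelow(N - 2) + 2
    recording = {"encrypted_premaster": rsa_encrypt(premaster)}
    # Server side: only the long-term private key can unwrap it.
    assert rsa_decrypt(recording["encrypted_premaster"]) == premaster
    return recording, session_key(premaster)


def dhe_rsa_handshake():
    """TLS_DHE_RSA_WITH_*: fresh throwaway DH pairs per connection; the
    long-term RSA key only signs the server's public half (authentication).
    Returns (recording, session_key)."""
    a = secrets.randbelow(DH_P - 2) + 1      # client ephemeral private half
    b = secrets.randbelow(DH_P - 2) + 1      # server ephemeral private half
    A = pow(DH_G, a, DH_P)                   # public halves go on the wire
    B = pow(DH_G, b, DH_P)
    sig = rsa_sign(str(B).encode())          # proves the server holds the key
    assert rsa_verify(str(B).encode(), sig)  # client checks identity
    recording = {"client_public": A, "server_public": B, "server_signature": sig}
    key = session_key(pow(B, a, DH_P))       # client computes g^ab
    assert key == session_key(pow(A, b, DH_P))   # server gets the same g^ab
    del a, b   # private halves never leave the machines and are discarded
    return recording, key


def attacker_replay(recording, leaked_d):
    """Later: the attacker holds the recording and the leaked long-term
    private exponent. Returns the session key if the recording yields it,
    otherwise None."""
    if "encrypted_premaster" in recording:
        # The wrapped secret is sitting in the capture; the leaked key opens it.
        return session_key(rsa_decrypt(recording["encrypted_premaster"], d=leaked_d))
    # Ephemeral DH: the capture holds only g^a, g^b and a signature. The
    # leaked key can verify (or from now on forge) signatures, but nothing in
    # the recording can be decrypted with it, and a and b no longer exist.
    return None


if __name__ == "__main__":
    for name, handshake in (("static RSA", static_rsa_handshake),
                            ("DHE_RSA", dhe_rsa_handshake)):
        recording, key = handshake()
        recovered = attacker_replay(recording, D)
        print(f"{name:10} recorded fields: {sorted(recording)}; "
              f"session key recovered after key leak: {recovered == key}")
```

The two recordings are the whole story: the static RSA capture contains the wrapped session secret, so a later leak of `D` unwraps every past session; the DHE capture contains only public values and a signature, so the same leak reveals nothing about sessions already closed.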

You will see this as ECDHE, ephemeral elliptic-curve Diffie-Hellman, or DHE, the older finite-field variant. ECDHE is faster and is the modern default; DHE is being phased out, which is why even a strong DHE-AEAD suite like TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 now carries an IANA discouraged flag. The static, non-ephemeral cousins ECDH and DH, without the trailing E, do not provide forward secrecy.

Authentication is a separate job

A common confusion is to think that removing static RSA means removing RSA. It does not. Key exchange and authentication are two different jobs, and a suite name lists them separately.

In TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, the ECDHE does the key exchange and the RSA does authentication: the server signs the ephemeral handshake values with the private key behind its RSA certificate, proving it is the legitimate holder. The session secret comes from the ephemeral Diffie-Hellman exchange, so forward secrecy holds, while the certificate still proves identity. The article on certificate anatomy covers how that identity binding works.

Why TLS 1.3 made it mandatory

TLS 1.3 settled the matter by removing static RSA key transport entirely. Every TLS 1.3 key exchange is ephemeral, so forward secrecy is no longer something you have to choose by picking the right suite; it is guaranteed by the protocol. RSA and ECDSA remain only as signature algorithms for authentication. This is also why a TLS 1.3 suite name has no key-exchange token at all: there is no longer a non-forward-secret option to name.
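The naming rules above (key exchange and authentication listed separately before `_WITH_`, ephemeral variants carrying a trailing `E`, TLS 1.3 names with no key-exchange token at all) are mechanical enough to put into a few lines of code. The following is an added Python example written for this article, not the decoder tool it refers to; it reports the key exchange, the authentication method and the forward-secrecy verdict for a suite name, and the `note` field for DHE is this example's own wording.

```python
"""Minimal cipher-suite name decoder for the forward-secrecy question.
Illustrative example; not the article's decoder tool."""

EPHEMERAL = {"ECDHE", "DHE"}        # fresh key pair per connection: forward secret
STATIC = {"RSA", "ECDH", "DH"}      # long-term key protects the secret: not forward secret


def decode_suite(name):
    """Return key exchange, authentication and forward-secrecy verdict for
    an IANA-style suite name such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not a TLS cipher suite name: {name}")

    if "_WITH_" not in name:
        # TLS 1.3 names (e.g. TLS_AES_128_GCM_SHA256) carry no key-exchange
        # token: every TLS 1.3 exchange is ephemeral, so forward secrecy is
        # guaranteed by the protocol rather than chosen by suite.
        return {
            "version": "1.3",
            "key_exchange": "ephemeral (mandated by protocol)",
            "authentication": "certificate signature, negotiated separately",
            "forward_secrecy": True,
        }

    # Everything between TLS_ and _WITH_ names the key exchange and the
    # authentication method; the rest of the name is cipher and hash.
    tokens = name[len("TLS_"):name.index("_WITH_")].split("_")
    if len(tokens) == 1:
        kx = auth = tokens[0]          # TLS_RSA_WITH_*: RSA does both jobs
    elif len(tokens) == 2:
        kx, auth = tokens              # e.g. ECDHE + RSA, DHE + DSS, ECDH + ECDSA
    else:
        raise ValueError(f"unrecognised key-exchange/auth prefix in {name}")

    if kx in EPHEMERAL:
        forward_secrecy = True
    elif kx in STATIC:
        forward_secrecy = False
    else:
        forward_secrecy = None         # e.g. plain PSK variants: not decided here

    result = {
        "version": "<=1.2",
        "key_exchange": kx,
        "authentication": auth,
        "forward_secrecy": forward_secrecy,
    }
    if kx == "DHE":
        result["note"] = "finite-field DHE is being phased out in favour of ECDHE"
    return result


if __name__ == "__main__":
    for suite in ("TLS_RSA_WITH_AES_128_CBC_SHA",
                  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                  "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
                  "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
                  "TLS_AES_128_GCM_SHA256"):
        print(f"{suite:45} {decode_suite(suite)}")
```

Note that `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` and `TLS_RSA_WITH_AES_128_GCM_SHA256` both list RSA, yet only the first is forward secret: the decoder looks at the key-exchange token, not at whether RSA appears anywhere in the name.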

Harvest now, decrypt later

Forward secrecy protects against a key compromise that happens after the fact, but it assumes the underlying Diffie-Hellman math stays hard. The looming concern is a future quantum computer that could break today's elliptic-curve key exchanges, which gives recorded traffic a long shelf life for an attacker willing to wait. This is the harvest-now-decrypt-later threat, and it is driving the move to hybrid post-quantum key exchanges that run a classical and a quantum-resistant exchange together. Forward secrecy remains necessary; it is just no longer assumed to be sufficient forever.