Perfect Forward Secrecy makes encryption safer

ExpressVPN uses Perfect Forward Secrecy to make VPN connections resistant to hacks, even if they occur far in the future.

Hi, I'm Lexie! I write about information security, Bitcoin, and privacy.

Encryption protocols keep you safe and your communications private. A secure chat app will encrypt conversations, and HTTPS secures websites (indicated by a green lock in your browser bar). A VPN service wraps an extra layer of encryption around all the bits and bytes.

Encryption uses mathematics to ensure that only the intended recipient can decode a big chunk of gibberish into readable data. The most heavily guarded secrets of any encrypted channel are the encryption keys, which encrypt or decrypt the data.

Perfect Forward Secrecy ensures that compromised or stolen encryption keys do not affect the security of past or future communications. Without Perfect Forward Secrecy, any momentary system compromise—e.g., a malware infection or targeted hack—could expose all data transferred by the user, both past and future.

ExpressVPN uses Perfect Forward Secrecy by default.

Static encryption keys

In simpler encryption systems, keys are generated and reused over time for storage and communications.

When information such as an email or a file needs to be retrieved after it has been communicated, it’s preferable that the key used to encrypt it is still available.

Popular encryption tools like PGP (or GnuPG) use static encryption keys to encrypt files and emails or to sign computer programs. Notably, Facebook uses them to send you encrypted email notifications.

The big downside of static encryption keys is that unless you change keys regularly, a hacker only needs to compromise a single key on your computer to compromise all your encrypted files and emails. Even if you were to change keys regularly, you would still likely keep the previous keys in case you needed to access old emails or files.

ExpressVPN uses dynamic encryption keys for Perfect Forward Secrecy

Not all data requires future accessibility. When you open an HTTPS-encrypted website, the browser doesn’t need to store the encrypted data for long. After all, you are always able to re-request the same page or keep a copy of it locally.

VPN connections are very similar in that there is no need to store or re-access transmitted information. And while there is no guarantee that intermediaries such as internet service providers (ISPs) or governments won’t keep a copy of the encrypted transmitted data, Perfect Forward Secrecy makes the information as useless as possible.

Every time you connect to ExpressVPN servers, the security certificate’s authenticity is verified. Once authenticated, a unique encryption key is negotiated through a key exchange such as Diffie–Hellman.

Each ExpressVPN connection uses a different key, so in the unlikely event someone hacked your device or an ExpressVPN server and had already recorded encrypted raw data transmitted by you, they still wouldn’t be able to decipher the information. Dynamic encryption keys are purged or regenerated after a connection is terminated, or every 60 minutes to protect long-lived connections.
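The difference between static and dynamic keys can be shown in a few lines of Python. This is an added example, not ExpressVPN's code: the function names are hypothetical, the Diffie–Hellman group is a demonstration parameter rather than a vetted one, and an HMAC stands in for the certificate signature.

```python
import hashlib, hmac, secrets

# Demonstration group only: 2**521 - 1 is prime, but this is not a vetted DH
# group. Real VPN/TLS stacks use standardized groups or elliptic curves.
P, G, NBYTES = 2**521 - 1, 3, 66

def kdf(secret: bytes, context: bytes) -> bytes:
    return hmac.new(secret, context, hashlib.sha256).digest()

def static_connect(long_term: bytes):
    """Static design: session key depends only on the long-term key + public nonces."""
    transcript = secrets.token_bytes(16) + secrets.token_bytes(16)  # sent in clear
    return kdf(long_term, transcript), transcript

def ephemeral_connect(long_term: bytes):
    """Ephemeral DH: the long-term key only authenticates, it never feeds the KDF."""
    c_priv = secrets.randbelow(P - 3) + 2  # fresh secret exponents in [2, P-2]
    s_priv = secrets.randbelow(P - 3) + 2
    c_pub, s_pub = pow(G, c_priv, P), pow(G, s_priv, P)
    transcript = c_pub.to_bytes(NBYTES, "big") + s_pub.to_bytes(NBYTES, "big")
    auth_tag = kdf(long_term, transcript)  # stand-in for the certificate signature
    client_key = kdf(pow(s_pub, c_priv, P).to_bytes(NBYTES, "big"), transcript)
    server_key = kdf(pow(c_pub, s_priv, P).to_bytes(NBYTES, "big"), transcript)
    del c_priv, s_priv  # purge ephemeral secrets when the connection ends
    return client_key, server_key, transcript + auth_tag

def attacker_guess(stolen_long_term: bytes, recorded: bytes) -> bytes:
    """Uses everything a later attacker holds: recorded traffic and the stolen key."""
    return kdf(stolen_long_term, recorded)

def demo():
    long_term = secrets.token_bytes(32)  # constructed sample key
    s_key, s_rec = static_connect(long_term)
    c_key, srv_key, e_rec = ephemeral_connect(long_term)
    return {
        "static_recovered": attacker_guess(long_term, s_rec) == s_key,
        "ephemeral_keys_agree": c_key == srv_key,
        "ephemeral_recovered": attacker_guess(long_term, e_rec) == c_key,
        "fresh_key_per_connection": ephemeral_connect(long_term)[0] != c_key,
    }

if __name__ == "__main__":
    print(demo())
```

In the static design the recorded nonces plus the stolen long-term key reproduce the session key. In the ephemeral design the recording holds only public values, and the session key depends on exponents that were deleted when the connection ended.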

Lexie is the blog's resident tech expert and gets excited about empowerment through technology, space travel, and pancakes with blueberries.