
IT Interview Questions: What is PFS (Perfect Forward Secrecy) in IPSec?

Information Technology (IT) Interview Questions and Answers




With PFS disabled, the initial keying material is created during the key exchange in phase-1 of the IKE negotiation. In phase-2 of the IKE negotiation, the encryption and authentication session keys are derived from this initial keying material. With PFS (Perfect Forward Secrecy) enabled, completely new keying material is always created on re-key, so should one key be compromised, no other key can be derived from it.

PFS can be used in two modes. The first is PFS on keys, where a new key exchange is performed in every phase-2 negotiation. The other is PFS on identities, where the identities are also protected: the phase-1 SA is deleted every time a phase-2 negotiation has finished, ensuring that no more than one phase-2 negotiation is encrypted using the same key.
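The three keying behaviours just described (PFS off, PFS on keys, PFS on identities), modelled as an added example in Python. This is not the page's own code and not a real IKE implementation: it assumes a constructed toy Diffie-Hellman group (p = 2**127 - 1, g = 5) chosen for readability, uses HMAC-SHA256 in place of IKE's prf/prf+, and models an attacker who records every message on the wire and later obtains SK_d from the first phase-1 SA. The names `phase1`, `phase2_keys` and `run` are illustrative, not IKE API names.

```python
"""Toy model of IKE keying material with and without PFS (added example).

Constructed assumptions: toy DH group (p = 2**127 - 1, g = 5), HMAC-SHA256
standing in for IKE's prf/prf+, and simplified flows that keep only the
values relevant to key derivation.  Not a real IKE implementation.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy modulus (a Mersenne prime); real IKE uses 2048-bit+ MODP or EC groups
G = 5
NBYTES = (P.bit_length() + 7) // 8


def dh_keypair():
    """Return (private exponent, public value) for the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared_secret(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes(NBYTES, "big")


def prf(key, data):
    """Stand-in for IKE's prf: HMAC-SHA256."""
    return hmac.new(key, data, hashlib.sha256).digest()


def phase1(initiator, responder, nonces):
    """Phase-1 (IKE SA): one DH exchange yields the initial keying material.
    Returns SK_d, the secret from which phase-2 session keys are derived."""
    (a, ga), (b, gb) = initiator, responder
    shared = dh_shared_secret(a, gb)
    assert shared == dh_shared_secret(b, ga)   # both peers agree on g^ab
    skeyseed = prf(nonces, shared)
    return prf(skeyseed, b"SK_d")


def phase2_keys(sk_d, nonces, spi, pfs_secret=b""):
    """Phase-2 (child SA) session keys.  Without PFS the input is SK_d plus
    the public nonces/SPI only; with PFS on keys a fresh DH secret is mixed
    in, so the child keys cannot be recomputed from phase-1 material alone."""
    keymat = prf(sk_d, pfs_secret + nonces + spi)
    return {"encr": keymat[:16], "auth": keymat[16:32]}


def run(mode, rekeys=3):
    """Negotiate `rekeys` child SAs in one of the modes the text describes:
    "off", "keys" (new DH exchange in every phase-2) or "identities"
    (phase-1 SA deleted after every phase-2, so each child gets a fresh phase-1).
    Returns (phase-1 exchanges performed, child SAs whose keys the modelled
    attacker recovers).  The attacker has recorded all wire messages and has
    later obtained SK_d of the FIRST phase-1 SA only."""
    if mode not in ("off", "keys", "identities"):
        raise ValueError("mode must be 'off', 'keys' or 'identities'")
    sk_d = None
    compromised_sk_d = None
    phase1_count = 0
    recoverable = 0
    for i in range(1, rekeys + 1):
        if sk_d is None:
            sk_d = phase1(dh_keypair(), dh_keypair(), secrets.token_bytes(32))
            phase1_count += 1
            if compromised_sk_d is None:
                compromised_sk_d = sk_d          # attacker learns only the first SK_d
        nonces, spi = secrets.token_bytes(32), i.to_bytes(4, "big")
        secret = b""
        if mode == "keys":
            (a, _), (_, gb) = dh_keypair(), dh_keypair()
            secret = dh_shared_secret(a, gb)     # private exponents never leave the peers
        keys = phase2_keys(sk_d, nonces, spi, secret)
        # Attacker's best attempt: the compromised SK_d plus everything seen on the wire.
        if phase2_keys(compromised_sk_d, nonces, spi, b"") == keys:
            recoverable += 1
        if mode == "identities":
            sk_d = None                          # delete the phase-1 SA after this phase-2
    return phase1_count, recoverable


if __name__ == "__main__":
    for m in ("off", "keys", "identities"):
        p1, rec = run(m)
        print(f"PFS {m:10s}: phase-1 exchanges={p1}, child keys recoverable={rec}/3")
```

With PFS off, one leaked SK_d lets the observer recompute every child SA's keys from recorded public values. With PFS on keys the same leak recovers nothing, because each child SA depends on a DH secret the observer never held. With PFS on identities, each phase-2 is preceded by its own phase-1, so a leaked SK_d exposes at most the one child SA that used it, which is the "no more than one phase-2 negotiation per key" property the text describes.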

PFS is generally not needed, since it is very unlikely that any encryption or authentication keys will be compromised.

