Perfect forward secrecy, what is it?


Viewed 1,563 times


I was reading a story. It mentioned PFS, so I went to search; Wikipedia is weak on this. What is it? How is it done? Please, I'm a layman and I like examples. Thank you in advance.

1 answer


In encrypted communication (for example, via HTTPS) the client and server share a secret - called a "session key" - which is responsible for ensuring the confidentiality of the communication. Anyone who intercepts this communication but does not know this secret cannot decipher the intercepted data. He can, however, keep this data for the future, in the hope that one day he will be able to interpret it (either via cryptanalysis or through other means).

The way this session key is created has an impact on the viability of these "other means". Let's say a master key (for example, the server certificate's private key) is used to derive session keys each time a client connects. Every session has its own key, but they all came from this master key. At a certain point in the future, the attacker manages to hack into the server and retrieve the master key. Then he just repeats the derivation process that produced the session keys, and uses the results to decrypt the data he saved.

On the other hand, if session keys are not directly derived from anything - they are created by random processes, which cannot be redone in the future - then it is of no use for the attacker to break into the server, steal all its secrets, etc.: the traces of past communications between it and the clients remain confidential (as long as they are not stored on the server, of course), since the session keys have already been thrown away and there is no way to recreate them.

Perfect Forward Secrecy ("perfect" secrecy going "forward" in time) is this property, in which a present communication is confidential, and is expected to remain confidential in the future even if the permanent keys of either party (the server certificate, or the client's certificate or user/password) are compromised. Alternatively, if a single communication is compromised (say the session key "leaked"), this does not compromise the confidentiality of all the communications prior to it.

It is difficult to set up an example with confidence, because I do not have enough knowledge of cryptographic protocols, so I will reproduce here the graphic example from the Wikipedia article on Diffie-Hellman. Note that the actual protocol is a little more complicated than that (because the original DH did not guarantee the authenticity of the communication, and therefore was vulnerable to Man-in-the-Middle attacks).

[Image: Diffie-Hellman paint-mixing illustration from Wikipedia]

Let's say that Alice and Bob want to communicate with each other, and both agree on a common parameter (the "yellow paint"). Each of them randomly chooses another secret/key (the "red and blue inks") and combines it with the common parameter in an irreversible way (the "first mixture of inks"). Each sends the other the result of this operation, which in turn is combined with its own secret (the "second mixture of inks") so as to produce a common secret (the "brown ink"). This common secret can then be used as an encryption key to ensure the confidentiality of the messages exchanged until the end of that session. At the end of the session, all the secrets involved are thrown away (this is the key point of PFS).

Someone who is "listening" to the communication knows what the common parameter is, and the intermediate results of each computation, but on the basis of this alone cannot discover either the individual secrets of Alice and Bob or the final secret that is shared between them. And since all the secrets were discarded, even though all the encrypted data is stored by the attacker, there is no hope of him recovering those secrets in the future, so the communication can be considered "perfectly safe forever".

(That is, until the cryptographic algorithm itself is broken - allowing the messages to be deciphered without the keys - or the speed of computers grows so much that a brute-force break becomes possible... However, this is considered the least likely hypothesis, provided a good cryptographic algorithm has been used.)

  • Wow, you explain it well! I didn't know there was a first formula for D-H that was flawed. I fully understood what you proposed, and I would like to confirm. Suppose that A and B have established a connection and exchanged keys through DH, and each message sent to each other is encrypted using the D-H key + a random parameter that will be passed over the network so that the message can be decrypted by doing the derivation together with the D-H key; can we say that PFS was established in this case?

  • @Gabrielhenrique The key point is to use "disposable" keys - not all DH provides PFS, only the implementations that generate the key on the fly and then discard it (called "Diffie-Hellman Ephemeral" - EDH or DHE, depending on the suite).

  • Disposable keys, i.e. unique keys for each message, correct?

  • Not necessarily unique by message, but unique by session. Of course, all session messages form a single set, with the same level of protection, but each set is isolated from all others (the compromise of one does not compromise the others).
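An added example, not part of the answer or the comments above: a small Python model of the two schemes the answer contrasts, the "master key derives every session key" scheme (no PFS) and ephemeral Diffie-Hellman (DHE), where each session draws fresh secrets and throws them away. The group parameters, the toy KDF and the function names are constructed for illustration; real deployments use large standard groups or elliptic curves.

```python
import hashlib
import secrets

# Constructed toy parameters so the arithmetic stays readable; real deployments
# use 2048-bit+ finite-field groups (RFC 7919) or elliptic curves (X25519).
P = 2**127 - 1          # a prime modulus (Mersenne prime M127), toy size only
G = 3                   # the shared public parameter, the "yellow paint"


def kdf(material: bytes) -> bytes:
    """Turn raw key material into a fixed-size session key (toy KDF)."""
    return hashlib.sha256(material).digest()


def ephemeral_session():
    """DHE as described in the answer: fresh random secrets per session.

    Returns (session_key, transcript); the transcript (A, B) is everything an
    eavesdropper on the wire can record.
    """
    a = secrets.randbelow(P - 2) + 1        # Alice's secret ("red ink")
    b = secrets.randbelow(P - 2) + 1        # Bob's secret ("blue ink")
    A, B = pow(G, a, P), pow(G, b, P)       # first mixture, sent in the clear
    shared_alice = pow(B, a, P)             # second mixture on each side...
    shared_bob = pow(A, b, P)
    assert shared_alice == shared_bob       # ...yields the same "brown ink"
    key = kdf(shared_alice.to_bytes(16, "big"))
    del a, b, shared_alice, shared_bob      # thrown away: nothing to steal later
    return key, (A, B)


def static_session(master_key: bytes, client_nonce: bytes) -> bytes:
    """The non-PFS scheme from the answer: every session key is derived from
    one long-term master key plus a value that travels on the wire."""
    return kdf(master_key + client_nonce)


def attacker_after_master_compromise(recorded_nonce: bytes, stolen_master: bytes) -> bytes:
    """Once the master key leaks, the attacker repeats the derivation over the
    nonce he recorded earlier and gets the old session key back."""
    return kdf(stolen_master + recorded_nonce)


def demo():
    master, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    k_static = static_session(master, nonce)
    # Static derivation: recorded traffic falls once the master key is stolen.
    recovered = attacker_after_master_compromise(nonce, master) == k_static
    # Ephemeral: two sessions share nothing, so a leak of one session's key
    # (or of every long-term secret on the server) gives no handle on the other.
    (k1, t1), (k2, t2) = ephemeral_session(), ephemeral_session()
    return recovered, (k1 != k2 and t1 != t2)
```

`demo()` returns `(True, True)`: the static scheme's old key is recovered from the stolen master key, while the two ephemeral sessions are independent of each other.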
