8.3 Enabling Perfect Forward Secrecy

When an SSL handshake is performed, the browser/client and the server exchange and validate information about their SSL capabilities. An SSL session key that meets both the client’s and the server’s criteria is then established. After the session key is established, all subsequent communication between the client and the site is encrypted and thus secured.

The most common method for negotiating the session key is the RSA public-key cryptosystem. With the RSA approach, the client creates the session key parameters and encrypts them with the server’s public key before sending them to the server; the server decrypts this handshake with its corresponding private key. If an attacker ever steals the server’s private key, they can decrypt your SSL session and any saved SSL sessions. This is why tools such as Wireshark or ssldump can decrypt saved SSL communication when given the exported server certificate and its private key.

Perfect Forward Secrecy (PFS) removes this shortcoming of the RSA approach. When PFS is enabled, the session key is neither protected by nor derived from the server’s private key. If an attacker ever gains access to your server’s private key, the attacker cannot use it to decrypt any of your archived sessions.
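As an added illustration (not part of the Access Manager documentation), the toy script below replays the two scenarios described above: a recorded RSA key-transport handshake gives up its session key once the server’s private key leaks, while a recorded ephemeral Diffie-Hellman handshake (the key exchange behind PFS in TLS) does not. All key material is constructed and deliberately tiny; it demonstrates the structure of the two handshakes, not real cryptography.

```python
"""Replay a recorded handshake after the server's long-term key leaks (PFS demo).
Toy, constructed parameters (NOT secure); runs offline on the standard library and
mirrors RSA key transport vs. ephemeral DH in TLS."""
import hashlib
import secrets

RSA_N, RSA_E, RSA_D = 3233, 17, 2753   # constructed textbook RSA key (p=61, q=53)
DH_P, DH_G = 2**127 - 1, 5             # constructed small DH group, demo only

def derive_session_key(secret: int) -> bytes:
    """Both peers derive the session key from the shared secret the same way."""
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()

def toy_digest(value: int) -> int:
    return int.from_bytes(hashlib.sha256(value.to_bytes(16, "big")).digest(), "big") % RSA_N

def rsa_handshake() -> tuple:
    """RSA key transport: the client encrypts the pre-master secret to the server's public key."""
    pms = secrets.randbelow(RSA_N - 2) + 2
    transcript = {"encrypted_pms": pow(pms, RSA_E, RSA_N)}       # what a sniffer records
    assert pow(transcript["encrypted_pms"], RSA_D, RSA_N) == pms  # server decrypts with private key
    return transcript, derive_session_key(pms)

def rsa_attacker(transcript: dict, leaked_d: int) -> bytes:
    """Later the private key leaks: every recorded RSA handshake decrypts."""
    return derive_session_key(pow(transcript["encrypted_pms"], leaked_d, RSA_N))

def dh_handshake() -> tuple:
    """Ephemeral DH: the long-term RSA key only signs; fresh exponents are discarded after use."""
    x = secrets.randbelow(DH_P - 2) + 2                 # server ephemeral secret, never stored
    y = secrets.randbelow(DH_P - 2) + 2                 # client ephemeral secret, never stored
    server_pub, client_pub = pow(DH_G, x, DH_P), pow(DH_G, y, DH_P)
    transcript = {"server_pub": server_pub, "client_pub": client_pub,
                  "signature": pow(toy_digest(server_pub), RSA_D, RSA_N)}  # public values only
    shared = pow(client_pub, x, DH_P)
    assert shared == pow(server_pub, y, DH_P)           # client reaches the same secret
    return transcript, derive_session_key(shared)

def dh_attacker(transcript: dict, leaked_d: int) -> dict:
    """Signature checks need only the public key; the leaked private key (leaked_d) adds
    nothing, because the transcript holds no value it can turn into the shared secret."""
    sig_ok = pow(transcript["signature"], RSA_E, RSA_N) == toy_digest(transcript["server_pub"])
    return {"signature_valid": sig_ok, "session_key": None}

if __name__ == "__main__":
    t, key = rsa_handshake()
    print("RSA session recovered with leaked key:", rsa_attacker(t, RSA_D) == key)   # True
    t, key = dh_handshake()
    print("PFS session recovered with leaked key:", dh_attacker(t, RSA_D)["session_key"] == key)  # False
```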

In Access Manager 4.3, PFS is enabled by default for Administration Console and Identity Server. For information about how to enable PFS in Access Gateway, see Section 4.6, Enabling Perfect Forward Secrecy.