
I would say the key exchange part, because PFS is used only during the key exchange of server and client.

Am I right or have I overlooked something?

schroeder
ItSec
  • Did you mean to tag this with RSA and not DH? – schroeder Nov 08 '19 at 12:39
  • I was not sure about it – ItSec Nov 08 '19 at 12:44
  • The point is _erasing all key material that enables decrypting the conversation_. This can't happen only at the handshake—the handshake, after all, serves to _establish_ the key that the peers can use to decrypt the conversation they're _about to have_; in addition to erasing any secrets that figured into the handshake, they also have to erase that key when the conversation is over. You might find [an answer over at crypto.SE](https://crypto.stackexchange.com/a/75025) helpful. – Squeamish Ossifrage Nov 08 '19 at 17:50
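
The erasure requirement described in the last comment, as an added example that is not part of the original thread. It assumes toy finite-field Diffie-Hellman parameters and a constructed SHA-256 keystream in place of a real record cipher; `Peer`, `run_session` and `recoverable_from_state` are hypothetical names.

```python
import hashlib
import secrets

# Toy finite-field DH parameters (assumption made for brevity, not a vetted
# group); real deployments use standardized (EC)DHE groups.
P, G = 2**255 - 19, 2
SAMPLE = b"constructed sample message"

def kdf(shared: int) -> bytes:
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def xor_stream(key: bytes, data: bytes) -> bytes:
    # Constructed SHA-256 counter keystream standing in for the record cipher.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

class Peer:
    def __init__(self):
        self.eph_secret = secrets.randbelow(P - 2) + 1  # per-session exponent
        self.eph_public = pow(G, self.eph_secret, P)
        self.session_key = None

    def finish_handshake(self, peer_public: int) -> None:
        self.session_key = kdf(pow(peer_public, self.eph_secret, P))
        # Erasure 1: drop the handshake secret (real code zeroizes the buffer).
        self.eph_secret = None

    def close(self) -> None:
        # Erasure 2: the traffic key goes when the conversation ends.
        self.session_key = None

def recoverable_from_state(peer: Peer, peer_public: int, ciphertext: bytes):
    """Plaintext that leftover endpoint state still yields for a recorded session."""
    if peer.session_key is not None:
        return xor_stream(peer.session_key, ciphertext)
    if peer.eph_secret is not None:
        return xor_stream(kdf(pow(peer_public, peer.eph_secret, P)), ciphertext)
    return None

def run_session(erase_on_close: bool):
    client, server = Peer(), Peer()
    client.finish_handshake(server.eph_public)
    server.finish_handshake(client.eph_public)
    ciphertext = xor_stream(client.session_key, SAMPLE)
    if erase_on_close:
        server.close()
    return recoverable_from_state(server, client.eph_public, ciphertext)
```

`run_session(False)` returns the sample message because the session key is still held after the handshake secret was dropped; `run_session(True)` returns `None`.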

0 Answers