In cryptography, symmetric encryption, there are 2 ways to handle the session key. One is static key cipher, and another is Perfect Forward Secrecy (or simply Forward Secrecy).
Forward secrecy, is a feature key management that ensures session key will not be compromised if the long-term secrets (private signing key) used in the session key exchange are compromised. This means by compromise a single session key, it will not affect any data other than that exchanged in the specific session protected by the key.
Thus, FS can protects past sessions against future compromises of keys. But static key cipher is the other way. By using static key cipher, compromise of single session key (in the future) will lead to compromise of all the past encrypted session.
During the cipher suite negotiation, the client sends a handshake message with a list of cipher suites it will accept. The server chooses from the list and sends a handshake message back indicating which cipher suite it will accept. Although the client may order the list with the strongest cipher suites listed first, the server may choose any of the cipher suites proposed by the client. (The client may even send those cipher suite with weakness to server) Therefore there is no guarantee that the negotiation will settle on the strongest suite in common. If no cipher suites are in common the connection is aborted.
Cipher suites using ephemeral DH and ephemeral ECDH (i.e., those with DHE or ECDHE in the mnemonic) provide perfect forward secrecy, ensuring long-term confidentiality of the session.
Note that by restricting to TLS 1.2 cipher suite doesn't guarantee forward secrecy is always been used. For example, below are a list of TLS 1.2 approved ciphers, and those highlighted are still using static key cipher.
- Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
- Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
- Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
- Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
- Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
- Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
- Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
- Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
- Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
- Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
- Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
- Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
- Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
- Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
- Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
- Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
- Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
- Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
- Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Note that FS is designed to prevent the compromise of a long-term secret key from affecting the confidentiality of past conversations. But, FS cannot defend against a successful cryptanalysis of the underlying ciphers being used. This is because, FS only protects keys (not the ciphers). If a cryptanalysis found a way to decrypt an encrypted message without the key, then FS cannot help here.