ISM-0472 (policy): ASD Information Security Manual (ISM)

Using Proper Modulus Size for Diffie-Hellman Keys

Ensure Diffie-Hellman key agreement uses a modulus of at least 2048 bits so that session keys are established securely.


Plain language

When using Diffie-Hellman, a tool that helps computers agree on secret information to stay safe online, you need to make sure it uses a big enough key, at least 2048 bits, to keep communications secure. If the key is too small, hackers could potentially crack the code, leading to stolen data and compromised security.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P

ISM last updated

Nov 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

When using DH for agreeing on encryption session keys, a modulus of at least 2048 bits is used, preferably 3072 bits.

Why it matters

Using DH with a weak modulus increases the chance an attacker can derive session keys and decrypt or tamper with traffic, exposing sensitive data.


Operational notes

Regularly verify DH parameters use ≥2048-bit modulus (prefer 3072-bit). Use scanners/policy checks to detect and remediate weaker cipher suite settings.


Implementation tips

  • The IT team should review the current Diffie-Hellman settings to ensure that all keys used in encryption are at least 2048 bits long. They can check this by accessing the encryption settings in their telecommunication or web server software, ensuring compliance with this standard.
  • Managers should organise regular training sessions for their IT staff, focusing on the importance of encryption standards and the specific requirements for Diffie-Hellman key sizes. This can be done by inviting a security expert to speak or using online courses that delve into cryptographic best practices.
  • Procurement officers need to ensure that any new software or systems purchased can support a Diffie-Hellman modulus of at least 2048 bits. This involves checking product specifications and confirming compliance with vendors before any purchase is made.
  • IT security administrators should configure system logging to monitor the use of Diffie-Hellman, ensuring that all instances adhere to the key size requirement. They can do this by setting up alerts in their security information and event management (SIEM) tools for any key usage below 2048 bits.
  • System owners are responsible for maintaining an inventory of systems that use Diffie-Hellman encryption. They should verify compliance by running regular audits and documenting their findings, ensuring all systems use keys that meet or exceed the 2048-bit minimum.
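The verification step from the operational notes and the first implementation tip, as an added example that is not part of this page or of any Control Stack tooling: a Python script that reads a PKCS#3 "DH PARAMETERS" PEM file (the dhparam format used by web servers), decodes the DER SEQUENCE to find the prime, and grades its bit length against the 2048-bit minimum and the 3072-bit preference. The constructed_pem helper fabricates sample files of a chosen size for testing; its values are constructed, not real safe primes.

```python
import base64
import re

MIN_BITS = 2048        # ISM-0472 minimum modulus size
PREFERRED_BITS = 3072  # ISM-0472 preferred modulus size

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: 0x8N then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dh_modulus_bits(pem: str) -> int:
    """Bit length of the prime in a 'DH PARAMETERS' PEM block (SEQUENCE { p INTEGER, g INTEGER })."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE at top level")
    tag, prime, _ = _read_tlv(seq, 0)       # first element is the modulus p
    if tag != 0x02:
        raise ValueError("expected INTEGER for the prime")
    return int.from_bytes(prime, "big").bit_length()

def assess(pem: str) -> str:
    """Classify a parameter file against the ISM-0472 thresholds."""
    bits = dh_modulus_bits(pem)
    if bits < MIN_BITS:
        return f"FAIL: {bits}-bit modulus is below the {MIN_BITS}-bit minimum"
    if bits < PREFERRED_BITS:
        return f"PASS: {bits}-bit modulus meets the minimum ({PREFERRED_BITS} bits preferred)"
    return f"PASS: {bits}-bit modulus meets the preferred size"

def constructed_pem(bits: int) -> str:
    """Constructed sample file with a modulus of the requested bit length (not a real safe prime)."""
    def der_len(n: int) -> bytes:           # short form below 128, else 0x8N + N big-endian bytes
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    def der_int(v: int) -> bytes:
        b = v.to_bytes((v.bit_length() + 8) // 8, "big")   # spare byte keeps the sign bit clear
        return b"\x02" + der_len(len(b)) + b
    body = der_int((1 << (bits - 1)) | 1) + der_int(2)       # p with exactly `bits` bits, g = 2
    b64 = base64.b64encode(b"\x30" + der_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"
```

Run assess() over each server's configured dhparam file during the audits described above; any FAIL result is the condition the SIEM alert in the fourth tip should raise.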

Audit / evidence tips

  • Ask for: configuration files or policy settings from the IT department to review the key sizes used in Diffie-Hellman encryption. Good evidence: documentation showing all relevant systems are set to use keys of 2048 bits or more.
  • Good evidence: training logs showing sessions were completed and staff attendance.
  • Ask for: evidence of a procurement checklist used for evaluating new software purchases. Good evidence: a detailed checklist demonstrating this requirement is considered before procurement decisions.
  • Good evidence: a report detailing checks conducted on all systems and their compliance status.
  • Ask for: alert configurations from the IT security team that monitor the key size used in Diffie-Hellman encryption. Good evidence: a SIEM alert system confirming active monitoring and responses to any compliance deviations.

Cross-framework mappings

How ISM-0472 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control: Annex A 8.24
Notes: Partially meets (1)
Details: ISM-0472 requires that when Diffie-Hellman (DH) is used for session key agreement, the DH modulus is at least 2048 bits (preferably 3072 ...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
