ISM-0474 policy ASD Information Security Manual (ISM)

Using Secure Elliptic Curve Diffie-Hellman Encryption

Use ECDH with a base point order and key size of at least 224 bits, preferably NIST P-384, for secure key agreements.


Plain language

This control is about Elliptic Curve Diffie-Hellman (ECDH), the method two parties use to agree on a shared secret key over a channel that an attacker can watch; that key is then used to encrypt the session. Imagine two people who need a shared password before they can exchange secret messages: ECDH lets them both arrive at the same password without ever sending it. The size of the curve they use (the control's 224-bit floor, with NIST P-384 preferred) sets how much work an eavesdropper needs to recover that password from what they observed. If the curve is too small, sensitive information could be exposed to unauthorised people, which might lead to data breaches or financial losses.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P

ISM last updated

Nov 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

When using ECDH for agreeing on encryption session keys, a base point order and key size of at least 224 bits is used, preferably the NIST P-384 curve.

Why it matters

ECDH's security rests on the discrete logarithm problem in the group generated by the base point, and the best generic attack (Pollard's rho) costs roughly the square root of the base point order. A 224-bit order therefore gives about 112 bits of security and P-384 about 192 bits, whereas a curve with a short base point order, or a peer public key that is not on the curve and so lands in a small group, can let an attacker recover the private scalar. With the scalar, the attacker derives the session key, decrypts the traffic and compromises the session, leading to data breaches and financial loss.


Operational notes

Verify that every place ECDH is used (TLS, SSH, IPsec, application-level crypto libraries) is configured with a base point order and key size of at least 224 bits, preferring NIST P-384. Review the curve allow-lists in crypto libraries and product configurations, and test what is actually negotiated on the wire rather than what the documentation says is supported: a server can support P-384 and still accept a smaller curve it was never told to disable, so offer only a weak curve to the server and confirm the handshake fails. Also confirm that implementations validate peer public keys (reject points that are not on the curve) before computing the shared secret.
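To make the terms in the control statement and the "Why it matters" section concrete, the following is an added example written for this page; it is not code from the ISM, from Control Stack, or from any cryptographic library. It performs a textbook ECDH key agreement over NIST P-384 in pure Python, using the published P-384 domain parameters, and shows a check that a candidate curve's base point order and key size meet the 224-bit floor. The function names (`shared_secret`, `curve_meets_ism_0474` and so on) are this example's own, the test scalars are constructed, and the affine double-and-add scalar multiplication is not constant-time, so the code illustrates the control rather than serving as a production implementation.

```python
# Added example for this page (not ISM or Control Stack material): minimal
# ECDH over NIST P-384 to show what "base point order" and "key size" mean.
# WARNING: affine double-and-add leaks the private scalar through timing;
# use a vetted library (e.g. the `cryptography` package or OpenSSL) in practice.
import secrets

# NIST P-384 domain parameters (FIPS 186-4): y^2 = x^3 + A*x + B over GF(P),
# base point G of prime order N, cofactor 1.
P = 2**384 - 2**128 - 2**96 + 2**32 - 1
A = P - 3
B = 0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef
GX = 0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7
GY = 0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f
N = 0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973
G = (GX, GY)
INF = None  # point at infinity (group identity)
KEY_SIZE_BITS = P.bit_length()  # "key size" in the control: the field size, 384 here


def on_curve(pt):
    """Public-key validation: True only for finite points satisfying the curve equation."""
    if pt is INF:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine addition (handles doubling and inverse points)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:  # p2 == -p1
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """k * pt by double-and-add (NOT constant-time; illustration only)."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def generate_keypair():
    """Private scalar d in [1, N-1] and public point d*G."""
    d = secrets.randbelow(N - 1) + 1
    return d, scalar_mult(d, G)


def shared_secret(d, peer_pub):
    """ECDH: reject invalid peer points, then return the x-coordinate of d*peer_pub.

    Because P-384 has cofactor 1 and prime order N, any point on the curve has
    order N, so the on-curve check alone rules out small-subgroup inputs."""
    if not on_curve(peer_pub):
        raise ValueError("peer public key is not a point on P-384")
    s = scalar_mult(d, peer_pub)
    if s is INF:
        raise ValueError("degenerate shared secret")
    return s[0].to_bytes(48, "big")


def curve_meets_ism_0474(order, key_bits):
    """ISM-0474 floor: base point order AND key size of at least 224 bits."""
    return order.bit_length() >= 224 and key_bits >= 224


if __name__ == "__main__":
    d_a, pub_a = generate_keypair()
    d_b, pub_b = generate_keypair()
    assert shared_secret(d_a, pub_b) == shared_secret(d_b, pub_a)
    print("P-384 order bits:", N.bit_length(), "meets ISM-0474:",
          curve_meets_ism_0474(N, KEY_SIZE_BITS))
```

The on-curve check in `shared_secret` is the caveat worth carrying into any audit: a compliant curve selection does not help if an implementation multiplies its private scalar by an unvalidated peer point, since an attacker can then supply points from a weak curve of their choosing.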


Implementation tips

  • The IT manager should have the curve choice made by someone with cryptography expertise and record the decision: a base point order and key size of at least 224 bits, with NIST P-384 preferred because it gives a much larger security margin than the 224-bit minimum.
  • System administrators should configure encryption software to support and prefer NIST P-384, and remove any curve below 224 bits from the allowed list (for example the supported-groups setting of a TLS server). Supporting P-384 alone is not enough if a weaker curve can still be negotiated.
  • The IT team should test existing communication systems to confirm that P-384 is negotiated and that weaker curves are refused. This can be done with a TLS scanner, with a client that offers only a specific curve (for instance the -groups option of openssl s_client), and by checking the software's documentation for how curve selection is controlled.
  • Procurement should ensure that any new software purchased supports the recommended elliptic curve sizes and allows weaker curves to be disabled. This should be a specific requirement in the tender documents and contracts with vendors.
  • Cybersecurity awareness training sessions conducted by the IT department should include information on why strong key agreement such as ECDH with NIST P-384 matters. This helps to ensure everyone understands its role in protecting the organisation's data.

Audit / evidence tips

  • Ask: The configuration documentation of encryption systems; request written proof of the encryption settings used by the organisation. Good evidence: A dated document showing these specific settings have been applied and verified.
  • Ask: Vendor agreements regarding encryption capabilities; review those agreements to ensure they stipulate support for ECDH with NIST P-384. Good evidence: Specific contract clauses or vendor assurances that these encryption measures are supported.
  • Ask: Evidence of system testing; request test reports or logs that show systems were tested for compatibility with NIST P-384. Good evidence: A test report with successful results clearly documented.
  • Ask: The organisation's cybersecurity training material. Good evidence: A presentation or document with sections covering ECDH and its importance.
  • Ask: To see the IT team's meeting notes where encryption standards are discussed. Good evidence: A recent meeting record discussing these encryption settings.

Cross-framework mappings

How ISM-0474 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control: ISO 27001 Annex A 8.24. Notes: Partially meets (1). Details: ISM-0474 requires organisations to use ECDH with a minimum 224-bit base point order/key size (preferably NIST P-384) when agreeing encryp...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
