ISM-0475: ASD Information Security Manual (ISM)

Use P-384 Curve for Secure Digital Signatures

Ensure stronger digital signature security by using ECDSA with a key size of at least 224 bits, ideally the P-384 curve.


Plain language

This control is about using a specific method for signing digital documents to ensure they are authentic and haven't been altered. It's important because if digital signatures aren't strong, someone could fake documents, leading to security breaches and potential fraud.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P

ISM last updated

Nov 2024

Control Stack last updated

18 May 2026

E8 maturity levels

N/A

Official control statement

When using ECDSA for digital signatures, a base point order and key size of at least 224 bits is used, preferably the P-384 curve.

Why it matters

Using ECDSA with too-small keys or weaker curves can enable signature forgery, undermining integrity and trust in signed data and documents.


Operational notes

Regularly verify that ECDSA uses at least a 224-bit key, aiming for P-384, to maintain signature strength and stay compliant.
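
One way to automate that check, as an added example that is not part of the ISM or of this page: it reads the named-curve OID from a PEM public key (SubjectPublicKeyInfo) and classifies it against the 224-bit minimum and the P-384 preference. The function names and verdict strings are hypothetical, and the sample keys are constructed with dummy points so the script runs offline.

```python
import base64

# Named-curve OID content bytes -> (name, base point order in bits).
CURVES = {
    bytes.fromhex("2a8648ce3d030101"): ("P-192", 192),
    bytes.fromhex("2b81040021"): ("P-224", 224),
    bytes.fromhex("2a8648ce3d030107"): ("P-256", 256),
    bytes.fromhex("2b81040022"): ("P-384", 384),
    bytes.fromhex("2b81040023"): ("P-521", 521),
}
EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # id-ecPublicKey

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def classify_ec_key(pem):
    """Classify a PEM SubjectPublicKeyInfo against ISM-0475 (hypothetical helper)."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    der = base64.b64decode(body)
    tag, spki, _ = read_tlv(der, 0)
    tag2, alg, _ = read_tlv(spki, 0)  # AlgorithmIdentifier
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo")
    t_alg, alg_oid, nxt = read_tlv(alg, 0)
    if t_alg != 0x06 or alg_oid != EC_PUBLIC_KEY:
        return "not-ec"
    t_par, curve_oid, _ = read_tlv(alg, nxt)
    if t_par != 0x06 or curve_oid not in CURVES:
        return "review: unknown or explicit curve parameters"
    name, bits = CURVES[curve_oid]
    if bits < 224:
        return f"fail: {name}"
    return f"preferred: {name}" if name == "P-384" else f"meets minimum: {name}"

def sample_pem(curve_oid_hex, point_len):
    """Constructed SPKI with an all-zero (invalid) point; curves up to P-384 only."""
    oid = bytes.fromhex(curve_oid_hex)
    alg = b"\x06\x07" + EC_PUBLIC_KEY + bytes([0x06, len(oid)]) + oid
    bits = b"\x00\x04" + bytes(2 * point_len)
    spki = bytes([0x30, len(alg)]) + alg + bytes([0x03, len(bits)]) + bits
    der = bytes([0x30, len(spki)]) + spki
    return "-----BEGIN PUBLIC KEY-----\n" + base64.b64encode(der).decode() + "\n-----END PUBLIC KEY-----"
```

This inspects only the curve declared in the key; which signature algorithm a system actually negotiates or applies still has to be confirmed in its configuration.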


Implementation tips

  • IT managers should ensure that their systems use the P-384 curve for digital signatures. Do this by reviewing the system settings or consulting with a trusted IT provider to confirm that this curve is used and correctly configured.
  • System administrators should regularly update their cryptographic libraries to ensure they support the P-384 curve. This can involve downloading the latest updates from your software provider or checking with the vendor for upgrade instructions.
  • IT security consultants should conduct an annual audit of the company's digital signature processes to verify the use of the P-384 curve. This involves examining software settings and configurations in use across all systems.
  • Training coordinators should conduct training for relevant staff on why using secure digital signatures is crucial. Create materials explaining the risks of not using the P-384 curve, and demonstrate how to check if systems are compliant.

Audit / evidence tips

  • Ask: System configuration files that specify digital signature algorithms. Good: Will show settings explicitly mentioning the P-384 curve being applied.
  • Good: Includes documentation from the vendor detailing compliance with the P-384 curve requirement.
  • Ask: To see records of security audits conducted on digital signature processes. Good: Will include an audit report stating that the P-384 curve is in use and adequately implemented.
  • Good: Will have records showing regular updates supporting P-384 curve compliance.
  • Ask: Training records for staff involved in the digital signature process. Good: Is a training schedule or completion certificates for staff showing they understand the importance of using the P-384 curve.

Cross-framework mappings

How ISM-0475 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Relationship: Partially meets (1)
Control: Annex A 8.24
Notes: ISM-0475 requires organisations to use sufficiently strong ECDSA parameters for digital signatures (at least 224-bit order/key size, pref...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
