ISM-0477 | Policy | ASD Information Security Manual (ISM)

Separate RSA Key Pairs for Different Functions

Use separate RSA key pairs for signing and key transportation to enhance security.


Plain language

This guideline is about using different sets of RSA keys for different tasks, such as signing messages and exchanging encryption keys. It matters because using the same key for multiple purposes can make a system vulnerable to attacks in which someone forges messages or gains improper access to protected information.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2024

Control Stack last updated

18 May 2026

E8 maturity levels

N/A

Official control statement

When using RSA for digital signatures, and for transporting encryption session keys (and similar keys), a different key pair is used for digital signatures and transporting encryption session keys.

Why it matters

Using the same RSA keys for multiple functions increases the risk of key compromise, allowing attackers to forge signatures or decrypt sensitive communications.


Operational notes

Audit RSA key usage to ensure separate key pairs are dedicated to signing vs key transport; label keys by purpose and prevent reuse across functions.


Implementation tips

  • The IT team should assign different RSA key pairs for signing and key transportation. Ensure that the two tasks never share a key, so that no overlapping use can lead to a security breach.
  • System administrators need to review key management policies. They should update documentation to state clearly which keys are used for which task and ensure that these keys are stored and accessed separately.
  • Cybersecurity leads should conduct training sessions. These sessions educate relevant staff on the importance of using separate RSA keys and on how mishandling keys can lead to security vulnerabilities.
  • The IT team should implement software checks. Use software that verifies whether keys are being used only for their designated function and raises an alert when a key is misapplied.
  • Regular audits should be conducted by the IT security officer. Schedule these checks periodically to confirm that keys are used according to the guidelines and policies set forth.

Audit / evidence tips

  • Ask: Documentation of RSA key assignments. Request listings showing which keys are used for signing and which are used for key transportation. Good: includes distinct keys being used for separate functions.
  • Good: includes up-to-date policies reflecting these practices.
  • Ask: Training session records. Request documentation or logs of training sessions held for staff on RSA key usage, and check whether these sessions covered key separation and proper usage. Good: dated training material that covers key separation.
  • Ask: Reports or logs that show how keys are being utilised in practice. Good: logs showing no misused keys.
  • Ask: Outcomes of recent key usage audits. Request audit reports concerning RSA key management. Good: no unresolved discrepancies or recommendations regarding this control.
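One way to implement the software check from the implementation tips and the "logs showing no misused keys" evidence above, as an added example that is not the ISM's or the Control Stack page's own code. It assumes a key register that records one declared purpose per RSA key pair and an operation log in a constructed line format (timestamp, key id, operation); the inventory, the log lines and the key ids are made-up sample data.

```python
"""Audit RSA key usage against each key's declared purpose.

Added example, not part of the ISM or the Control Stack page. The log line
format (ISO timestamp, key=<id>, op=<name>) and the inventory are assumed;
a real deployment would read key attributes from the KMS/HSM or key register
and operations from its audit trail.
"""
import re
from collections import defaultdict

# Constructed inventory: key id -> single declared purpose.
KEY_INVENTORY = {
    "rsa-sign-01": "signing",
    "rsa-kt-01": "key_transport",
    "rsa-shared-07": "signing",  # declared for signing, but also unwraps keys below
}

# Constructed operation log in the hypothetical format described above.
SAMPLE_LOG = """\
2026-05-18T09:00:01Z key=rsa-sign-01 op=sign subject=release-manifest
2026-05-18T09:00:05Z key=rsa-kt-01 op=wrap subject=aes-session-key
2026-05-18T09:01:10Z key=rsa-shared-07 op=sign subject=invoice-batch
2026-05-18T09:01:12Z key=rsa-shared-07 op=unwrap subject=aes-session-key
2026-05-18T09:02:00Z key=rsa-unknown-99 op=sign subject=test
"""

# Map each logged operation to the purpose it belongs to.
OP_TO_PURPOSE = {
    "sign": "signing",
    "verify": "signing",
    "wrap": "key_transport",    # RSA encryption of a session key
    "unwrap": "key_transport",  # RSA decryption of a session key
}

LINE_RE = re.compile(r"^(?P<ts>\S+) key=(?P<key>\S+) op=(?P<op>\S+)")


def parse_log(text):
    """Yield (timestamp, key_id, op) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("key"), m.group("op")


def audit_key_usage(inventory, log_text):
    """Return a sorted list of findings from the log.

    Finding shapes:
      ("purpose_mismatch", key, op)  key used for an op outside its declared purpose
      ("dual_use", key)              key seen in both signing and key-transport ops
      ("unregistered_key", key)      key appears in the log but not in the inventory
    """
    findings = set()
    purposes_seen = defaultdict(set)
    for _ts, key, op in parse_log(log_text):
        purpose = OP_TO_PURPOSE.get(op)
        if purpose is None:
            continue  # operations outside sign/verify/wrap/unwrap are out of scope
        purposes_seen[key].add(purpose)
        declared = inventory.get(key)
        if declared is None:
            findings.add(("unregistered_key", key))
        elif declared != purpose:
            findings.add(("purpose_mismatch", key, op))
    for key, seen in purposes_seen.items():
        if {"signing", "key_transport"} <= seen:
            findings.add(("dual_use", key))
    return sorted(findings)


def check_inventory(inventory):
    """Return key ids whose declared purpose is not exactly one allowed purpose."""
    allowed = {"signing", "key_transport"}
    return sorted(k for k, p in inventory.items() if p not in allowed)


if __name__ == "__main__":
    for finding in check_inventory(KEY_INVENTORY):
        print("bad_declared_purpose", finding)
    for finding in audit_key_usage(KEY_INVENTORY, SAMPLE_LOG):
        print(*finding)
```

Run against the sample data, the audit flags rsa-shared-07 twice (a purpose mismatch on the unwrap operation, and dual use across both functions) and rsa-unknown-99 as a key that is in use but not in the register; a clean log, which is what the evidence tip asks for, returns an empty list. The dual-use check is kept separate from the mismatch check so that a key whose declared purpose is wrong in the register is still caught when the log alone shows it doing both jobs.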

Cross-framework mappings

How ISM-0477 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control: Annex A 8.24
Notes: Partially meets (1)
Details: ISM-0477 requires organisations to use separate RSA key pairs for different cryptographic functions (digital signatures versus transporti...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
