ISM-0994 (policy control, ASD Information Security Manual)

Use ECDH for Secure Key Exchanges

ECDH is preferred over DH for secure data exchanges.

Plain language

This control means using a type of secure digital handshake called Elliptic Curve Diffie-Hellman (ECDH) instead of an older version called Diffie-Hellman (DH) for exchanging sensitive data. It's important because ECDH is more secure, making it harder for hackers to intercept and steal information, helping to protect your business or organisation from data breaches.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

ECDH is used in preference to DH.
Why it matters

If ECDH is not used in preference to DH, key exchange may be weaker or misconfigured, increasing the risk of session key compromise and data exposure.

Operational notes

Confirm that TLS and VPN profiles negotiate ECDHE (not DHE) and disable DH cipher suites and finite-field DH groups; periodically scan configurations and endpoints to detect regression.
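A small configuration audit, as an added example (not part of the ISM or this page): it classifies cipher suite names (OpenSSL or IANA spelling) and named groups by key exchange family and reports anything that still relies on finite-field DH. The two profiles are constructed samples, not taken from any real system.

```python
"""Audit a TLS profile (cipher suites plus named groups) for finite-field DH
key exchange that should be replaced with ECDH/ECDHE."""

# TLS 1.3 suites carry no key exchange; the negotiated group decides it instead.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}

def suite_key_exchange(name):
    """Map an OpenSSL or IANA cipher suite name to its key exchange family."""
    n = name.upper().replace("-", "_")
    if n in TLS13_SUITES:
        return "TLS1.3"
    if n.startswith("TLS_"):
        n = n[4:]
    # Longer prefixes first so ECDHE is not mistaken for ECDH, nor DHE for DH.
    for prefix, family in (("ECDHE_", "ECDHE"), ("ECDH_", "ECDH"),
                           ("DHE_", "DHE"), ("EDH_", "DHE"), ("DH_", "DH")):
        if n.startswith(prefix):
            return family
    return "RSA"  # OpenSSL names with no kx prefix use RSA key transport

def group_key_exchange(group):
    """ffdhe* groups (RFC 7919) are finite-field DH; the rest here are EC curves."""
    return "DH" if group.lower().startswith("ffdhe") else "ECDH"

def audit_profile(profile):
    """Return one finding per DH/DHE suite or ffdhe group; empty list means clean."""
    findings = []
    for suite in profile.get("ciphers", []):
        kx = suite_key_exchange(suite)
        if kx in ("DHE", "DH"):
            findings.append(f"cipher suite {suite} uses finite-field {kx}; replace with ECDHE")
    for group in profile.get("groups", []):
        if group_key_exchange(group) == "DH":
            findings.append(f"named group {group} is finite-field DH; remove it or list it after the EC groups")
    return findings

# Constructed sample profiles: one with DH remnants, one hardened.
WEAK_PROFILE = {
    "ciphers": ["ECDHE-ECDSA-AES256-GCM-SHA384", "DHE-RSA-AES256-GCM-SHA384",
                "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "AES128-GCM-SHA256"],
    "groups": ["X25519", "ffdhe2048", "P-256"],
}
HARDENED_PROFILE = {
    "ciphers": ["TLS_AES_256_GCM_SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384",
                "ECDHE-RSA-AES128-GCM-SHA256"],
    "groups": ["X25519", "P-256", "P-384"],
}

if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit_profile(profile) or "no finite-field DH found")
```

Feed it the cipher and group lists pulled from each server or VPN profile on a schedule to catch the regression the note above warns about.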

Implementation tips

  • The IT team should ensure that all new systems or services use ECDH for secure data exchanges. They can do this by updating or configuring the encryption settings to use ECDH instead of older methods like DH.
  • Procurement should work with IT to make sure any new software or hardware includes ECDH support. This involves checking product specifications and confirming with vendors before purchase.
  • The IT manager should organise training sessions for staff handling encryption to explain why ECDH is preferred and how to properly implement it. Use real-life scenarios to demonstrate the benefits of using ECDH.
  • System administrators should review existing systems to identify where DH is currently used. Create a plan to migrate those systems to ECDH, prioritising sensitive areas like financial transactions or personal data.
  • Compliance officers should keep up-to-date with Australian Cyber Security Centre (ACSC) guidelines. They should regularly check that ECDH remains part of the organisation's approved cryptography practices, meeting required standards.
Audit / evidence tips

  • Ask: The list of systems and applications using ECDH. Request documentation from the IT department showing which systems have implemented ECDH. Good evidence: A clear list showing ECDH has been applied, with recent update logs.
  • Ask: Vendor product specifications. Ensure procurement has vendor documentation confirming ECDH support in new purchases; check specifications for security features. Good evidence: Documents explicitly stating ECDH compatibility as a security measure.
  • Ask: Training records. Request attendance records and materials from ECDH training sessions. Good evidence: Records showing relevant staff attended and understood the importance and implementation of ECDH.
  • Ask: Migration plans. Check migration documents showing the shift from DH to ECDH. Good evidence: Detailed plans demonstrating progress and outlining future steps.
  • Ask: To see policy and procedure documents. Verify that ECDH use is outlined in security policies; check for references to ACSC guidelines and internal audits. Good evidence: Policies clearly integrating ECDH as a preferred cryptographic method.
Cross-framework mappings

How ISM-0994 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control: ISO/IEC 27001 Annex A 8.24
Mapping: Partially meets (1)
Notes: ISM-0994 requires organisations to use ECDH in preference to classical DH for secure key exchange.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
