Use DH or ECDH for Secure Key Establishment
For IPsec connections, use DH/ECDH methods to securely establish keys with specific group sizes for better security.
Plain language
When you're connecting computers over the internet using IPsec, which is just a way to make sure the data stays private and secure, it's crucial to use specific methods called Diffie-Hellman (DH) or Elliptic Curve Diffie-Hellman (ECDH). These methods help set up a secure key to lock your data. It's important because, without the right protection, your sensitive information could be intercepted by someone else while it's being transmitted.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cryptography
Section
Internet Protocol Security
Topic
Diffie-Hellman groups
Official control statement
DH or ECDH is used for key establishment of IPsec connections, preferably 384-bit random ECP group, 3072-bit MODP Group or 4096-bit MODP Group.
Why it matters
Weak or non-recommended DH/ECDH groups in IPsec key exchange can enable man-in-the-middle or decryption attacks, exposing sensitive traffic.
Operational notes
Regularly confirm that IPsec uses approved DH/ECDH groups (e.g., 384-bit ECP, 3072/4096-bit MODP), especially after configuration changes or upgrades, which can silently reintroduce weaker fallback groups.
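A way to automate that confirmation, as an added example rather than anything from the ISM or Control Stack: the script below audits IKE/ESP proposal strings against the groups the control statement prefers. The proposal strings are constructed in strongSwan swanctl syntax (e.g. "aes256-sha384-ecp384"), the numeric group ids follow the IANA IKEv2 Diffie-Hellman group registry (Cisco-style "group 20"), and the PREFERRED set is taken from the control statement above.

```python
import re

# IANA IKEv2 DH group ids -> strongSwan-style names (subset, constructed here)
GROUP_BY_ID = {2: "modp1024", 5: "modp1536", 14: "modp2048", 15: "modp3072",
               16: "modp4096", 17: "modp6144", 18: "modp8192",
               19: "ecp256", 20: "ecp384", 21: "ecp521", 31: "curve25519"}
# ISM-0999 preference: 384-bit random ECP, 3072-bit MODP or 4096-bit MODP
PREFERRED = {"ecp384", "modp3072", "modp4096"}
GROUP_TOKEN = re.compile(r"(?:modp|ecp|curve)\d+[a-z0-9]*|x25519")

def group_name(group):
    """Normalise a DH group given as an IANA id (20, 'group 20') or a
    strongSwan-style name ('ECP384') to the name form; None if unknown."""
    if isinstance(group, int):
        return GROUP_BY_ID.get(group)
    g = group.strip().lower()
    m = re.fullmatch(r"(?:group\s*)?(\d+)", g)
    if m:
        return GROUP_BY_ID.get(int(m.group(1)))
    return g if GROUP_TOKEN.fullmatch(g) else None

def proposal_groups(proposal):
    """DH groups offered by one proposal string; a proposal may list several."""
    return [t for t in proposal.lower().split("-") if GROUP_TOKEN.fullmatch(t)]

def audit(proposals):
    """One (proposal, groups, verdict) per proposal. The verdict is 'ok' only
    when every group offered is preferred: a peer may pick any advertised
    group, so a weak fallback undermines a strong first choice."""
    findings = []
    for p in proposals:
        groups = proposal_groups(p)
        if not groups:
            findings.append((p, groups, "no DH group offered"))
            continue
        weak = [g for g in groups if g not in PREFERRED]
        verdict = "ok" if not weak else "non-preferred group(s): " + ",".join(weak)
        findings.append((p, groups, verdict))
    return findings

SAMPLE_PROPOSALS = [                     # constructed sample configuration
    "aes256gcm16-prfsha384-ecp384",      # preferred ECP group only
    "aes256-sha256-modp2048",            # 2048-bit MODP is below the preferred sizes
    "aes256-sha384-ecp384-modp1024",     # strong first choice, weak fallback
    "aes128-sha1",                       # no DH group at all
]

if __name__ == "__main__":
    for p, groups, verdict in audit(SAMPLE_PROPOSALS):
        print(f"{p:36} {verdict}")
```

Feed it the proposals from your own swanctl.conf or the equivalent vendor output; only proposals whose every advertised group is preferred pass.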
Implementation tips
- IT team: Use appropriate methods for securing IP connections by selecting Diffie-Hellman (DH) or Elliptic Curve Diffie-Hellman (ECDH). To implement, configure your systems to use strong group sizes like a 384-bit random elliptic curve or a 3072/4096-bit modular group to make sure the data is secure against potential attacks.
- System administrators: Regularly update the configurations of IPsec protocols to ensure they're using the latest security standards. You can do this by reviewing the current setup and upgrading to the recommended group sizes for DH or ECDH, which helps to secure data effectively.
- IT security managers: Train your IT staff on the importance of using DH or ECDH methods for key establishment. Hold regular training sessions that cover why specific group sizes matter and provide step-by-step guides on setting up these protocols correctly.
- Procurement officers: When acquiring new network equipment or software, ensure they support DH and ECDH for secure key establishment. Check product specifications or ask vendors directly if their solutions are compliant with the recommended 384-bit or 3072/4096-bit group sizes.
- Management: Allocate budget and resources to ensure your IT infrastructure supports these secure configurations. Discuss with your IT and finance teams about the costs involved in upgrading systems and maintaining these security standards.
Audit / evidence tips
- Ask: the configuration files of IPsec connections. Request to see the configuration details set up for secure key establishment.
  Good: It should show compliance with 384-bit ECP or 3072/4096-bit MODP groups.
- Ask: a report on network security protocols. Request documentation that outlines the current security protocols your organisation uses for IPsec.
  Good: Clear integration of recommended group sizes and regular review dates should be included.
- Ask: evidence of staff training on secure protocols. Request records or agendas of training sessions that cover IPsec security updates.
  Good: Evidence of regular training programs that specifically include DH and ECDH methods.
- Ask: vendor compliance documentation. Request proof from vendors that their equipment supports the security requirements.
  Good: Documentation explicitly stating support for 384-bit and 3072/4096-bit groups.
- Ask: network equipment specifications. Request the technical specifications of currently used network devices.
  Good: Specifications should reflect compatibility with the specified secure key establishment methods.
Cross-framework mappings
How ISM-0999 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Annex A 8.24 | Partially meets | ISM-0999 requires organisations to use DH or ECDH for IPsec key establishment, with a preference for specific strong parameter groups (e.g |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.