ISM-1372 ASD Information Security Manual (ISM)

Secure Key Establishment Using DH or ECDH in TLS

Use DH or ECDH methods to securely establish keys for encrypted internet connections.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Feb 2022

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
DH or ECDH is used for key establishment of TLS connections.

Source: ASD Information Security Manual (ISM)

Plain language

This control is about using special techniques, like DH (Diffie-Hellman) or ECDH (Elliptic Curve Diffie-Hellman), to safely set up secret keys when you're establishing a secure internet connection over TLS (Transport Layer Security). It's important because if this isn't done right, hackers could potentially intercept sensitive information that you thought was secure, like passwords or personal details.

Why it matters

If TLS does not use DH/ECDH key exchange, attackers can more easily compromise sessions and decrypt intercepted traffic.

Operational notes

Confirm TLS cipher suites enforce (EC)DHE for key exchange, and disable static RSA or weak DH groups during hardening.

Implementation tips

  • System owners should ensure that their IT team understands the importance of secure key establishment. They can do this by organising tutorials or short workshops that explain how DH and ECDH work, using simple analogies and examples to make the concepts clear.
  • The IT team should configure all internet-facing servers to use DH or ECDH methods for secure key establishment. This involves ensuring that software and server settings are updated to support these techniques, often by selecting these options in the server's security settings.
  • Managers should support their IT teams by providing the necessary resources and tools to implement secure key methods. This could involve subscribing to security services or software that already have DH or ECDH capabilities built in, reducing the need for in-house development.
  • Procurement teams should choose software and systems that have been independently verified to support secure key exchange standards, like DH or ECDH. They can do this by checking software certifications or asking vendors directly about their security features.
  • IT security consultants, when hired, should audit the organisation’s current TLS configuration to ensure it uses DH or ECDH for secure connections. This involves checking technical settings and making recommendations based on the latest best practices.
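The operational note above says to confirm that cipher suites enforce (EC)DHE and that static RSA and weak DH groups are disabled; the implementation tips ask the IT team to configure servers accordingly. The script below is an added example (not code from Control Stack or the ASD) that audits an OpenSSL-style cipher list string of the kind found in web-server configuration, classifying each named suite by the key exchange its name implies and flagging anything that is not ephemeral DH or ECDH. The sample "weak" and "hardened" cipher strings are constructed for illustration, and the 2048-bit DH floor is an assumption (the page names no size).

```python
"""Audit an OpenSSL-style cipher list for the ISM-1372 requirement that TLS
key establishment use (EC)DHE rather than static RSA or static (EC)DH.

Added example, not Control Stack or ASD code. Classification follows the
OpenSSL cipher-suite naming convention; the sample server settings below
are constructed for illustration.
"""
import re

# TLS 1.3 suites always negotiate ephemeral (EC)DH, so their names carry
# no key-exchange prefix.
TLS13_SUITES = {
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256",
}

# Assumption: the page names no minimum DH group size; 2048 bits is used
# here as the floor below which a finite-field DH group is reported as weak.
MIN_DH_BITS = 2048


def key_exchange_of(suite: str) -> str:
    """Return the key-exchange family implied by an OpenSSL cipher-suite name."""
    if suite in TLS13_SUITES:
        return "ECDHE"                # TLS 1.3: ephemeral (EC)DH is mandatory
    head = suite.split("-")[0]
    if head in ("ECDHE", "DHE", "EDH"):
        return "DHE" if head == "EDH" else head
    if head in ("ECDH", "DH"):
        return "static-" + head       # static (EC)DH: no forward secrecy
    if head in ("PSK", "SRP", "ADH", "AECDH"):
        return head                   # anonymous or pre-shared: not (EC)DHE
    return "static-RSA"               # no prefix = RSA key transport, e.g. AES256-GCM-SHA384


def expand_cipher_list(cipher_list: str) -> list:
    """Split an OpenSSL cipher string into literal suite names.

    Keywords such as HIGH, !aNULL, !kRSA or @STRENGTH are skipped: expanding
    them needs the OpenSSL library, and only named suites are audited here.
    """
    names = []
    for token in re.split(r"[:, ]+", cipher_list.strip()):
        if not token or token[0] in "!-+@":
            continue
        if (token.isupper() and "-" in token) or token in TLS13_SUITES:
            names.append(token)
    return names


def audit_cipher_list(cipher_list: str) -> dict:
    """Partition named suites into (EC)DHE suites and non-compliant ones.

    Returns {"ephemeral": [suite, ...], "non_compliant": [(suite, kex), ...]}.
    """
    result = {"ephemeral": [], "non_compliant": []}
    for suite in expand_cipher_list(cipher_list):
        kex = key_exchange_of(suite)
        if kex in ("ECDHE", "DHE"):
            result["ephemeral"].append(suite)
        else:
            result["non_compliant"].append((suite, kex))
    return result


def dh_group_ok(bits: int) -> bool:
    """True when a finite-field DH group (e.g. an ssl_dhparam file) meets the floor."""
    return bits >= MIN_DH_BITS


# Constructed sample: a weak server cipher setting beside a hardened replacement.
WEAK_CIPHERS = "AES256-GCM-SHA384:ECDH-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ADH-AES128-SHA"
HARDENED_CIPHERS = (
    "TLS_AES_256_GCM_SHA384:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES256-GCM-SHA384:!aNULL:!kRSA:@STRENGTH"
)

if __name__ == "__main__":
    for label, ciphers in (("weak", WEAK_CIPHERS), ("hardened", HARDENED_CIPHERS)):
        report = audit_cipher_list(ciphers)
        print(f"{label}: (EC)DHE suites = {report['ephemeral']}")
        for suite, kex in report["non_compliant"]:
            print(f"  FAIL {suite}: key exchange is {kex}, not (EC)DHE")
    print("1024-bit dhparam acceptable?", dh_group_ok(1024))
    print("2048-bit dhparam acceptable?", dh_group_ok(2048))
```

Run against a server's configured cipher string, a non-empty `non_compliant` list is the finding to record as audit evidence; the hardened string also shows the usual shape of the fix, listing only (EC)DHE suites and excluding static RSA key exchange with `!kRSA`.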

Audit / evidence tips

  • Ask for: server configuration files or settings reports showing the TLS setup. Request to see how TLS connections are established on key systems handling sensitive data.

    Good evidence: clear documentation showing DH or ECDH selected as the key exchange method.

  • Ask for: security training records for IT staff. Request any materials or logs showing that IT staff have been trained in implementing DH or ECDH.

    Good evidence: a record of recent training sessions focusing on these secure key exchanges.

  • Ask for: procurement guidelines or checklists. Request documentation that outlines how the organisation selects secure software systems, and look for criteria specifically stating the need for DH/ECDH support.

    Good evidence: a checklist or policy document clearly mandating these methods.

  • Ask for: recent IT project reviews or audits. Request reports from any audits or reviews assessing TLS implementation.

    Good evidence: DH or ECDH positively noted, with suggestions for future enhancements if needed.

  • Ask for: incident response plans or logs. Request to see whether there is a documented process for dealing with potential breaches related to TLS.

    Good evidence: specific references to addressing weak key establishment and its potential remediation steps.

Cross-framework mappings

How ISM-1372 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (1)

Control: Annex A 8.24
Notes: ISM-1372 requires that TLS connections use DH or ECDH for key establishment during the TLS handshake.
