Use Ephemeral DH or ECDH for TLS Key Establishment
Use temporary DH or ECDH keys for secure TLS connections.
Plain language
This control is about using temporary keys to secure information when you connect to a website. It's like using a new, unique lock each time you mail a package so even if someone gets hold of one lock, they can't open future packages. If you skip this step, the data you send could be intercepted and misused by eavesdroppers, putting confidential information at risk.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cryptography
Section
Transport Layer Security
Official control statement
When using DH or ECDH for key establishment of TLS connections, the ephemeral variant is used.
Why it matters
Without ephemeral DH/ECDH, loss of forward secrecy means stolen TLS keys can decrypt captured traffic, exposing sensitive data and harming trust.
Operational notes
Enforce DHE/ECDHE-only TLS cipher suites and disable static DH/ECDH; periodically scan services/configs to confirm ephemeral key exchange is negotiated.
Implementation tips
- IT team should ensure the use of ephemeral keys for securing internet communications. They can do this by configuring the website's server settings to use temporary (ephemeral) Diffie-Hellman or Elliptic-curve Diffie-Hellman keys, which offer stronger security.
- System owners need to confirm that their secure website connections use ephemeral keys. They can do this by asking their IT team for a status update or report on key security configurations.
- Procurement should include requirements for ephemeral key usage in their technology purchase agreements. They can ensure any new software or services include these settings by specifying these in vendor contracts.
- Managers should organise regular training for IT staff on the importance and implementation of ephemeral keys. This can be done by scheduling annual workshops or webinars with cybersecurity experts.
- Policy makers within the organisation should update the cybersecurity policy to include mandates for using ephemeral keys in all secure communications. The policy should clearly outline the reasons and benefits of this approach.
Audit / evidence tips
- Ask: a technical report on key configuration. Request a document showing which key exchanges are active on the server.
  Good: will list these keys as active and effective for TLS connections.
- Ask: training records. Request evidence of training events conducted about ephemeral keys for the IT staff.
  Good: record shows recent training sessions with clear content on how to implement and monitor these secure keys.
- Ask: procurement specifications. Request a copy of any recent technology purchase agreements.
  Good: contract specifies the use of ephemeral keys as a mandatory feature.
- Ask: the cybersecurity policy document. Request the current cybersecurity policy or guidelines.
  Good: policy will specify ephemeral key usage as a standard practice.
- Ask: web server logs. Request logs that show key exchanges during a sample period.
  Good: log will predominantly show ephemeral key usage in secure communications.
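The checks described under Operational notes (enforce DHE/ECDHE-only cipher suites, then scan to confirm that ephemeral key exchange is actually negotiated) and the web-server-log evidence tip above, as an added Python example that is not part of the ISM or of Control Stack's material. It classifies TLS cipher-suite names by key-exchange family (OpenSSL and IANA spellings, TLS 1.2 and 1.3), flags non-ephemeral suites in an OpenSSL-style cipher list of the kind nginx's ssl_ciphers or Apache's SSLCipherSuite takes, and audits access-log lines. The weak and hardened cipher lists, the log lines, and the log layout (protocol and cipher quoted at the end of each line) are constructed assumptions for the example; real logs need the ssl_protocol and ssl_cipher variables added to the log format first.

```python
"""Forward-secrecy checks for TLS key exchange (example code, not from the ISM)."""
import re
from collections import Counter

# TLS 1.3 suites (IANA names) always negotiate an ephemeral (EC)DHE share.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}
# OpenSSL names with no key-exchange prefix use RSA key transport (no forward secrecy).
RSA_KT_CIPHERS = {"AES128", "AES256", "CAMELLIA128", "CAMELLIA256",
                  "DES", "RC4", "SEED", "IDEA", "NULL"}


def key_exchange(suite: str) -> str:
    """Key-exchange family of a suite name (OpenSSL or IANA spelling):
    'ECDHE', 'DHE', 'ECDH', 'DH', 'RSA', 'PSK', 'ANON' or 'OTHER'."""
    name = suite.strip().upper()
    if name in TLS13_SUITES:
        return "ECDHE"
    if name.startswith("TLS_"):           # IANA spelling: TLS_<kex>_<auth>_WITH_...
        name = name[4:]
    tokens = name.replace("_", "-").split("-")
    first = tokens[0]
    if first in ("ECDHE", "DHE", "EDH"):  # EDH is OpenSSL's older spelling of DHE
        return "DHE" if first == "EDH" else first
    if first in ("ECDH", "DH"):           # static (EC)DH: long-lived key share
        return first
    if first in ("ADH", "AECDH"):         # anonymous DH: ephemeral but unauthenticated
        return "ANON"
    if "PSK" in tokens:
        return "PSK"
    if first == "RSA" or first in RSA_KT_CIPHERS:
        return "RSA"
    return "OTHER"


def has_forward_secrecy(suite: str) -> bool:
    """True only for authenticated ephemeral (EC)DH, which ISM-1448 requires."""
    return key_exchange(suite) in ("ECDHE", "DHE")


def check_cipher_list(cipher_string: str) -> list:
    """Explicitly named suites in an OpenSSL-style cipher list that lack
    forward secrecy. Exclusions (!aNULL) and keyword groups (HIGH, kECDHE)
    are skipped, not expanded; expand them with 'openssl ciphers -v' if needed."""
    bad = []
    for tok in cipher_string.split(":"):
        tok = tok.strip()
        if not tok or tok[0] in "!-+@" or not any(c in tok for c in "-_"):
            continue
        if not has_forward_secrecy(tok):
            bad.append((tok, key_exchange(tok)))
    return bad


# Constructed nginx-style access lines with "$ssl_protocol" "$ssl_cipher" appended.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Mar/2026:10:00:01 +1100] "GET / HTTP/1.1" 200 512 "TLSv1.3" "TLS_AES_256_GCM_SHA384"
10.0.0.6 - - [19/Mar/2026:10:00:02 +1100] "GET /api HTTP/1.1" 200 128 "TLSv1.2" "ECDHE-RSA-AES128-GCM-SHA256"
10.0.0.7 - - [19/Mar/2026:10:00:03 +1100] "GET /legacy HTTP/1.1" 200 64 "TLSv1.2" "AES256-GCM-SHA384"
10.0.0.8 - - [19/Mar/2026:10:00:04 +1100] "GET /old HTTP/1.1" 200 64 "TLSv1.2" "ECDH-RSA-AES128-SHA"
10.0.0.9 - - [19/Mar/2026:10:00:05 +1100] "GET / HTTP/1.1" 200 512 "TLSv1.2" "DHE-RSA-AES256-GCM-SHA384"
"""
LOG_RE = re.compile(r'"(?P<proto>TLSv[0-9.]+)" "(?P<cipher>[A-Za-z0-9_-]+)"\s*$')


def audit_log(text: str) -> dict:
    """Count handshakes per key-exchange family and list those without forward secrecy."""
    by_kex = Counter()
    offenders = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        kex = key_exchange(m["cipher"])
        by_kex[kex] += 1
        if not has_forward_secrecy(m["cipher"]):
            offenders.append((lineno, m["proto"], m["cipher"], kex))
    return {
        "total": sum(by_kex.values()),
        "ephemeral": by_kex["ECDHE"] + by_kex["DHE"],
        "by_kex": dict(by_kex),
        "offenders": offenders,
    }


# Weak list (constructed): mixes RSA key transport and static ECDH with ECDHE.
WEAK_CIPHERS = "AES256-GCM-SHA384:ECDH-RSA-AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256"
# Hardened list (constructed): ephemeral suites only, static/RSA exchange excluded.
HARDENED_CIPHERS = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
                    "DHE-RSA-AES256-GCM-SHA384:!aNULL:!kRSA:!kECDH:!kDH")

if __name__ == "__main__":
    print("weak list offenders:", check_cipher_list(WEAK_CIPHERS))
    print("hardened list offenders:", check_cipher_list(HARDENED_CIPHERS))
    report = audit_log(SAMPLE_LOG)
    print(f"{report['ephemeral']}/{report['total']} handshakes used ephemeral (EC)DH")
    for lineno, proto, cipher, kex in report["offenders"]:
        print(f"  line {lineno}: {proto} {cipher} ({kex}, no forward secrecy)")
```

Anonymous (ADH/AECDH) suites are deliberately reported as non-compliant even though their DH share is ephemeral: they do not authenticate the server, so the control's intent is not met. Running the log audit over a sample period gives the "predominantly ephemeral" figure the evidence tip asks for, and any offender lines point directly at the clients or endpoints still negotiating static exchange.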
Cross-framework mappings
How ISM-1448 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Annex A 8.24 | ISM-1448 requires that when DH or ECDH is used for TLS key establishment, the ephemeral variant (DHE/ECDHE) is used to provide forward se... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.