ISM-1448 ASD Information Security Manual (ISM)

Use Ephemeral DH or ECDH for TLS Key Establishment

Use temporary DH or ECDH keys for secure TLS connections.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Feb 2022

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
When using DH or ECDH for key establishment of TLS connections, the ephemeral variant is used.

Source: ASD Information Security Manual (ISM)

Plain language

This control is about using a fresh, temporary key to protect each secure connection to a website, rather than relying on one long-term key. It is like using a new, unique lock each time you mail a package: even if someone later gets hold of one lock, they cannot open the other packages. Without this step, an eavesdropper who has recorded your traffic could decrypt it later if the long-term key is ever compromised, putting confidential information at risk.

Why it matters

Without ephemeral DH/ECDH there is no forward secrecy: if the server's long-term TLS private key is later stolen, it can be used to decrypt previously captured traffic, exposing sensitive data and harming trust.

Operational notes

Enforce DHE/ECDHE-only TLS cipher suites and disable static DH/ECDH (TLS 1.3 suites always use an ephemeral key exchange, so the distinction matters for TLS 1.2 and earlier); periodically scan services and configurations to confirm that an ephemeral key exchange is actually negotiated, not merely configured.

Implementation tips

  • The IT team should ensure that internet communications are secured with ephemeral keys. They can do this by configuring the web server's TLS settings to use ephemeral Diffie-Hellman (DHE) or ephemeral Elliptic-curve Diffie-Hellman (ECDHE) key exchange, which provides forward secrecy.
  • System owners need to confirm that their secure website connections use ephemeral keys. They can do this by asking their IT team for a status update or report on key security configurations.
  • Procurement should include requirements for ephemeral key usage in their technology purchase agreements. They can ensure any new software or services include these settings by specifying these in vendor contracts.
  • Managers should organise regular training for IT staff on the importance and implementation of ephemeral keys. This can be done by scheduling annual workshops or webinars with cybersecurity experts.
  • Policy makers within the organisation should update the cybersecurity policy to include mandates for using ephemeral keys in all secure communications. The policy should clearly outline the reasons and benefits of this approach.

Audit / evidence tips

  • Ask for a technical report on key configuration: request a document showing which key exchange methods are active on the server.

    Good: the report lists ephemeral key exchange (DHE/ECDHE) as active and in effect for TLS connections.

  • Ask for training records: request evidence of training events conducted about ephemeral keys for IT staff.

    Good: the records show recent training sessions with clear content on how to implement and monitor ephemeral key exchange.

  • Ask for procurement specifications: request a copy of any recent technology purchase agreements.

    Good: the contract specifies the use of ephemeral keys as a mandatory feature.

  • Ask for the cybersecurity policy document: request the current cybersecurity policy or guidelines.

    Good: the policy specifies ephemeral key usage as standard practice.

  • Ask for web server logs: request logs that show key exchanges during a sample period.

    Good: the logs predominantly show ephemeral key exchange in secure communications.
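The operational check in this control (only DHE/ECDHE suites enabled, and an ephemeral exchange actually negotiated) and the "key configuration report" and "web server logs" evidence items above can all be produced with a small script. The following Python is an added example and is not part of Control Stack's or ASD's material. It classifies OpenSSL-style cipher-suite names by key-exchange method, audits a server cipher list (the weak and corrected values are constructed samples in the style of an nginx `ssl_ciphers` setting, with `expand_cipher_string` using the local OpenSSL build to resolve keyword-based strings), and parses the `Server Temp Key:` line that `openssl s_client` prints only when the server supplied a temporary (EC)DH key. The two handshake transcripts embedded below are constructed, not captured from a real host.

```python
import re
import ssl

# Classify an OpenSSL-style cipher-suite name by its key-exchange method.
# Relies on OpenSSL's naming conventions (see `openssl ciphers -v`):
#   TLS_*              TLS 1.3 suites: (EC)DHE key exchange is mandatory (RFC 8446)
#   ECDHE-/DHE-/EDH-   ephemeral (EC)DH: provides forward secrecy
#   ECDH-/DH-          static (EC)DH: the variant ISM-1448 forbids
#   ADH-/AECDH-        anonymous (EC)DH: ephemeral but unauthenticated
#   PSK-/RSA-PSK-      pre-shared key without (EC)DH: no forward secrecy
#   (no prefix)        RSA key transport, e.g. AES128-GCM-SHA256: no forward secrecy
def key_exchange(suite: str) -> str:
    s = suite.upper()
    if s.startswith("TLS_"):
        return "ephemeral"
    if s.startswith(("ADH-", "AECDH-")):
        return "anonymous"
    if s.startswith(("ECDHE-", "DHE-", "EDH-")):
        return "ephemeral"
    if s.startswith(("ECDH-", "DH-")):
        return "static"
    if s.startswith(("PSK-", "RSA-PSK-")):
        return "psk"
    return "rsa"


def audit_suites(suites):
    """Return (suite, key-exchange class) for every suite that is not ephemeral.
    An empty list means the list satisfies the ephemeral-only rule."""
    return [(s, key_exchange(s)) for s in suites if key_exchange(s) != "ephemeral"]


def expand_cipher_string(cipher_string: str):
    """Expand an OpenSSL cipher string (the form used by nginx `ssl_ciphers` and
    Apache `SSLCipherSuite`, keywords such as HIGH or !aNULL included) into the
    concrete suite names the local OpenSSL build would offer, ready for
    audit_suites(). Raises ssl.SSLError when nothing matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


# `openssl s_client` prints a 'Server Temp Key:' line only when the server sent
# a temporary (EC)DH key, i.e. when an ephemeral key exchange was negotiated.
TEMP_KEY_RE = re.compile(r"^Server Temp Key:\s*(?P<desc>.+?),\s*(?P<bits>\d+) bits", re.M)
CIPHER_RE = re.compile(r"^New, (?P<proto>TLSv[0-9.]+), Cipher is (?P<suite>\S+)", re.M)


def negotiated_ephemeral(s_client_output: str) -> dict:
    """Summarise one `openssl s_client -connect host:443` transcript: which
    protocol and suite were negotiated and whether a temporary key was used."""
    suite = CIPHER_RE.search(s_client_output)
    temp = TEMP_KEY_RE.search(s_client_output)
    return {
        "protocol": suite.group("proto") if suite else None,
        "suite": suite.group("suite") if suite else None,
        "temp_key": temp.group("desc") if temp else None,
        "ephemeral": temp is not None,
    }


# Constructed sample values (not taken from any real server).
WEAK_CIPHERS = "ECDHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:ECDH-RSA-AES128-SHA"
GOOD_CIPHERS = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
                "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
                "DHE-RSA-AES256-GCM-SHA384")

GOOD_HANDSHAKE = """\
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4635 bytes and written 391 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
"""

STATIC_HANDSHAKE = """\
---
SSL handshake has read 3310 bytes and written 455 bytes
Verification: OK
---
New, TLSv1.2, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
"""

if __name__ == "__main__":
    for label, value in (("weak", WEAK_CIPHERS), ("good", GOOD_CIPHERS)):
        print(f"{label} cipher list, non-ephemeral suites:", audit_suites(value.split(":")))
    try:  # keyword-based strings need the local OpenSSL to expand them
        print("expanded policy, non-ephemeral suites:",
              audit_suites(expand_cipher_string("ECDHE+AESGCM:DHE+AESGCM:!aNULL:!kRSA")))
    except ssl.SSLError as exc:
        print("cipher string rejected by local OpenSSL:", exc)
    for label, transcript in (("good", GOOD_HANDSHAKE), ("static", STATIC_HANDSHAKE)):
        print(f"{label} handshake:", negotiated_ephemeral(transcript))
```

The audit deliberately treats RSA key transport (suites with no key-exchange prefix) as a finding as well as static DH/ECDH: the control statement only addresses the DH/ECDH case, but RSA key transport has the same forward-secrecy weakness, so a report that passes only ephemeral suites is the stronger evidence for the first and last audit items above. Running the transcript parser over saved `openssl s_client` output from a sample of hosts gives the "logs show ephemeral key exchange" evidence without touching the web server's own logs, which rarely record the key-exchange method.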

Cross-framework mappings

How ISM-1448 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Related (1)

Control: ISO/IEC 27001 Annex A 8.24
Notes: ISM-1448 requires that when DH or ECDH is used for TLS key establishment, the ephemeral variant (DHE/ECDHE) is used to provide forward se...
