Select Correct Modulus for Diffie-Hellman Encryption
Use NIST guidelines to choose secure parameters for Diffie-Hellman encryption to safely agree on session keys.
Plain language
When it comes to discussing using Diffie-Hellman encryption, we're talking about a method to securely agree on a secret code or "key" to keep digital communications safe. Choosing the right numbers—known as a modulus and other parameters—is like making sure you have a safe with a strong lock. If you choose poorly, it's easier for someone to open that lock without a key and see your secrets.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cryptographyTopic
Using Diffie-hellmanOfficial control statement
When using DH for agreeing on encryption session keys, a modulus and associated parameters are selected according to NIST SP 800-56A Rev. 3.
Why it matters
Incorrect modulus selection in Diffie-Hellman can enable weak-key attacks, allowing decryption of sessions and exposure of sensitive data and communications.
Operational notes
Verify DH modulus size and domain parameters match NIST SP 800-56A Rev. 3 approved groups; restrict configs to those groups and record periodic checks and any changes.
Implementation tips
- The IT team should consult the NIST (National Institute of Standards and Technology) guidelines to select the appropriate modulus and other parameters for Diffie-Hellman encryption. This involves using their published standards, which offer parameters proven to be secure against current threats. It’s like following a reliable recipe to ensure the security 'soup' you make is safe to consume.
- The IT manager should set up a procedure where these security parameters are reviewed annually. This can be done by scheduling a yearly technology audit where these parameters are checked against the latest guidelines, ensuring they still offer optimal security.
- Organisations should keep detailed records of the chosen parameters and the decision process. The IT team should document why these specific choices were made and store these documents in a secure but accessible place, like a dedicated folder that is regularly backed up.
- The IT team should train staff in understanding the basics of why these parameters matter. Make a short, simple training session or video explaining the importance in everyday language, thereby building a culture of compliance and security awareness.
- The organisation should benchmark their parameters against those used in peer organisations. This can involve liaising with other businesses or industry groups to compare notes in a way that doesn’t compromise security.
Audit / evidence tips
-
Askthe documentation of selected Diffie-Hellman parameters
-
Askthe training materials used to educate staff about Diffie-Hellman security. Check if the materials simplify the concept while effectively communicating its importance. Good training content will be easy to understand and focused on the specific control requirements
Cross-framework mappings
How ISM-1629 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.24 | ISM-1629 requires that when Diffie-Hellman (DH) is used to agree encryption session keys, the modulus and associated parameters are selec... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.