Select Correct Modulus for Diffie-Hellman Encryption
Use NIST guidelines to choose secure parameters for Diffie-Hellman encryption to safely agree on session keys.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
Nov 2021
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
N/A
Guideline
Guidelines for cryptographyTopic
Using Diffie-hellmanWhen using DH for agreeing on encryption session keys, a modulus and associated parameters are selected according to NIST SP 800-56A Rev. 3.
Source: ASD Information Security Manual (ISM)
Plain language
When it comes to discussing using Diffie-Hellman encryption, we're talking about a method to securely agree on a secret code or "key" to keep digital communications safe. Choosing the right numbers—known as a modulus and other parameters—is like making sure you have a safe with a strong lock. If you choose poorly, it's easier for someone to open that lock without a key and see your secrets.
Why it matters
Incorrect modulus selection in Diffie-Hellman can enable weak-key attacks, allowing decryption of sessions and exposure of sensitive data and communications.
Operational notes
Verify DH modulus size and domain parameters match NIST SP 800-56A Rev. 3 approved groups; restrict configs to those groups and record periodic checks and any changes.
Implementation tips
- The IT team should consult the NIST (National Institute of Standards and Technology) guidelines to select the appropriate modulus and other parameters for Diffie-Hellman encryption. This involves using their published standards, which offer parameters proven to be secure against current threats. It’s like following a reliable recipe to ensure the security 'soup' you make is safe to consume.
- The IT manager should set up a procedure where these security parameters are reviewed annually. This can be done by scheduling a yearly technology audit where these parameters are checked against the latest guidelines, ensuring they still offer optimal security.
- Organisations should keep detailed records of the chosen parameters and the decision process. The IT team should document why these specific choices were made and store these documents in a secure but accessible place, like a dedicated folder that is regularly backed up.
- The IT team should train staff in understanding the basics of why these parameters matter. Make a short, simple training session or video explaining the importance in everyday language, thereby building a culture of compliance and security awareness.
- The organisation should benchmark their parameters against those used in peer organisations. This can involve liaising with other businesses or industry groups to compare notes in a way that doesn’t compromise security.
Audit / evidence tips
-
Ask: the documentation of selected Diffie-Hellman parameters
-
Ask: the training materials used to educate staff about Diffie-Hellman security. Check if the materials simplify the concept while effectively communicating its importance. Good training content will be easy to understand and focused on the specific control requirements
Cross-framework mappings
How ISM-1629 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | ||
| Annex A 8.24 | ISM-1629 requires that when Diffie-Hellman (DH) is used to agree encryption session keys, the modulus and associated parameters are selec... | |