Ensure Strong Encryption with Diffie-Hellman
Use a minimum 3072-bit modulus for secure Diffie-Hellman key exchanges.
Plain language
This control is about using strong encryption to keep our private information safe when it's being shared online. Imagine you're sending a secret message in a locked box; this is like ensuring the lock on that box is really difficult to pick. If we don't use strong enough encryption, it's like using a weak lock, and someone could intercept and read our message, exposing sensitive data or personal information.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cryptographyTopic
Using Diffie-hellmanOfficial control statement
When using DH for agreeing on encryption session keys, a modulus of at least 3072 bits is used, preferably 3072 bits.
Why it matters
Using weak Diffie-Hellman keys invites attackers to decrypt sensitive communications, risking data breaches and loss of confidential information.
Operational notes
Regularly verify DH groups use a minimum 3072-bit modulus in TLS/VPN configs, and update cryptographic libraries when standards change.
Implementation tips
- IT team should ensure that all systems using Diffie-Hellman for key exchanges have a minimum 3072-bit modulus. This is done by configuring the encryption settings in your system's security protocols to use the specific 3072-bit standard. It's like setting a password; just make sure it meets the minimum strength requirement.
- The IT manager should review current encryption policies to include instructions on using at least 3072-bit Diffie-Hellman moduli. Check existing documentation and update if necessary, ensuring all staff are aware and trained on these standards. This involves coordinating an information session or a training workshop for the relevant staff.
- Procurement teams should verify that all new software and services purchased adhere to this minimum encryption standard. When negotiating with vendors, request specifications that show adherence to the 3072-bit minimum requirement. This prevents introducing weak points through new software acquisitions.
- System administrators should conduct regular checks and updates on the system’s cryptographic settings to ensure compliance. This involves using tools to audit the strength of encryption methods in use and applying updates as required. Schedule these audits quarterly to maintain security integrity.
- Audit teams should include checks for this strong encryption standard in their routine security audits. Develop a checklist that specifically identifies if the 3072-bit modulus is being used where needed. This ensures ongoing compliance and quick identification of vulnerabilities.
Audit / evidence tips
-
Askthe encryption policy document: Request the official policy that outlines encryption standards used within the organisation
Goodincludes a clear policy that states 3072-bit modulus as a minimum for Diffie-Hellman exchanges
-
Asksystem configuration reports: Request reports that show current cryptographic settings for systems using Diffie-Hellman
Goodis a report that clearly shows a 3072-bit minimum and has recent verification dates
-
Askvendor compliance records: Request the records or contracts from vendors confirming their adherence to the 3072-bit modulus standard
Goodcontains explicit mentions of using at least 3072-bit Diffie-Hellman exchanges
-
Askinternal audit results: Request the most recent internal audit documentation related to encryption standards
Goodshows completed audits with no major findings or resolutions for any issues found
-
AskIT security training records: Request records of training sessions conducted on encryption standards
Goodincludes recent training sessions covering the importance and procedures for implementing at least 3072-bit security
Cross-framework mappings
How ISM-1759 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.24 | ISM-1759 requires that when Diffie-Hellman is used to agree encryption session keys, a modulus of at least 3072 bits is used | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.