ISM-1759 ASD Information Security Manual (ISM)

Ensure Strong Encryption with Diffie-Hellman

Use a minimum 3072-bit modulus for secure Diffie-Hellman key exchanges.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

S, TS

🗓️ ISM last updated

Feb 2022

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
When using DH for agreeing on encryption session keys, a modulus of at least 3072 bits is used, preferably 3072 bits.

Source: ASD Information Security Manual (ISM)

Plain language

This control is about using strong encryption to keep our private information safe when it's being shared online. Imagine you're sending a secret message in a locked box; this is like ensuring the lock on that box is really difficult to pick. If we don't use strong enough encryption, it's like using a weak lock, and someone could intercept and read our message, exposing sensitive data or personal information.

Why it matters

Using weak Diffie-Hellman keys invites attackers to decrypt sensitive communications, risking data breaches and loss of confidential information.

Operational notes

Regularly verify DH groups use a minimum 3072-bit modulus in TLS/VPN configs, and update cryptographic libraries when standards change.

Implementation tips

  • IT team should ensure that all systems using Diffie-Hellman for key exchanges have a minimum 3072-bit modulus. This is done by configuring the encryption settings in your system's security protocols to use the specific 3072-bit standard. It's like setting a password; just make sure it meets the minimum strength requirement.
  • The IT manager should review current encryption policies to include instructions on using at least 3072-bit Diffie-Hellman moduli. Check existing documentation and update if necessary, ensuring all staff are aware and trained on these standards. This involves coordinating an information session or a training workshop for the relevant staff.
  • Procurement teams should verify that all new software and services purchased adhere to this minimum encryption standard. When negotiating with vendors, request specifications that show adherence to the 3072-bit minimum requirement. This prevents introducing weak points through new software acquisitions.
  • System administrators should conduct regular checks and updates on the system’s cryptographic settings to ensure compliance. This involves using tools to audit the strength of encryption methods in use and applying updates as required. Schedule these audits quarterly to maintain security integrity.
  • Audit teams should include checks for this strong encryption standard in their routine security audits. Develop a checklist that specifically identifies if the 3072-bit modulus is being used where needed. This ensures ongoing compliance and quick identification of vulnerabilities.

Audit / evidence tips

  • Ask for: the encryption policy document. Request the official policy that outlines the encryption standards used within the organisation.

    Good evidence: a clear policy that states a 3072-bit modulus as the minimum for Diffie-Hellman exchanges.

  • Ask for: system configuration reports. Request reports that show the current cryptographic settings of systems using Diffie-Hellman.

    Good evidence: a report that clearly shows a 3072-bit minimum and carries recent verification dates.

  • Ask for: vendor compliance records. Request the records or contracts from vendors confirming their adherence to the 3072-bit modulus standard.

    Good evidence: explicit mentions of using at least 3072-bit Diffie-Hellman exchanges.

  • Ask for: internal audit results. Request the most recent internal audit documentation related to encryption standards.

    Good evidence: completed audits with no major findings, or with documented resolutions for any issues found.

  • Ask for: IT security training records. Request records of training sessions conducted on encryption standards.

    Good evidence: recent training sessions covering the importance of, and procedures for, implementing at least 3072-bit Diffie-Hellman moduli.

Cross-framework mappings

How ISM-1759 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (1)

Control: Annex A 8.24
Notes: ISM-1759 requires that when Diffie-Hellman is used to agree encryption session keys, a modulus of at least 3072 bits is used.
