Use NIST Curves for ECDH Encryption
Use specific NIST curves for secure encryption key exchanges, with P-384 preferred.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
S
🗓️ ISM last updated
Feb 2022
✏️ Control Stack last updated
19 Mar 2026
🎯 E8 maturity levels
N/A
Guideline
Guidelines for cryptography
When using ECDH for agreeing on encryption session keys, NIST P-256, P-384 or P-521 curves are used, preferably the NIST P-384 curve.
Source: ASD Information Security Manual (ISM)
Plain language
When we talk about securing sensitive communications online, it's a bit like making sure your personal diary is under lock and key. This control recommends using specific mathematical techniques (NIST curves) for protecting data exchanges, with a preference for one type called P-384. If these techniques are not used, there’s a heightened risk that hackers could intercept and understand sensitive information intended to be private.
Why it matters
Using non-NIST curves for ECDH can weaken key agreement, enabling attackers to derive session keys and decrypt sensitive traffic.
Operational notes
Audit TLS/ECDH configurations so only NIST P-256, P-384 or P-521 curves are enabled; prefer P-384 and remove all others.
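The configuration audit described in the operational note, as an added example that is not from Control Stack or the ISM: a standard-library Python check (hypothetical helper) of the nginx `ssl_ecdh_curve` directive, using OpenSSL's curve aliases (prime256v1/secp256r1 = P-256, secp384r1 = P-384, secp521r1 = P-521) and constructed sample configs.

```python
import re

# OpenSSL/nginx group names for the curves ISM-1761 permits, keyed lowercase.
NIST_CURVES = {
    "prime256v1": "P-256", "secp256r1": "P-256", "p-256": "P-256",
    "secp384r1": "P-384", "p-384": "P-384",
    "secp521r1": "P-521", "p-521": "P-521",
}
PREFERRED = "P-384"

# Matches an uncommented nginx `ssl_ecdh_curve <list>;` directive.
DIRECTIVE = re.compile(r"^\s*ssl_ecdh_curve\s+([^;]+);", re.MULTILINE)


def audit_ecdh_curves(config_text):
    """Check every ssl_ecdh_curve directive in an nginx config against ISM-1761.

    Returns (compliant, findings). Compliant only when a directive is present,
    every listed group is a NIST P-curve, and P-384 is first in preference order.
    """
    findings = []
    directives = DIRECTIVE.findall(config_text)
    if not directives:
        return False, ["no ssl_ecdh_curve directive: OpenSSL default group list applies"]
    compliant = True
    for value in directives:
        curves = [c.strip() for c in value.split(":") if c.strip()]
        if not curves or curves == ["auto"]:
            # 'auto' delegates the group list to OpenSSL rather than pinning it.
            findings.append("ssl_ecdh_curve missing or auto: group list not pinned to NIST curves")
            compliant = False
            continue
        not_listed = [c for c in curves if c.lower() not in NIST_CURVES]
        findings.extend(f"curve not on the ISM-1761 list: {c}" for c in not_listed)
        first = NIST_CURVES.get(curves[0].lower())
        if first != PREFERRED:
            findings.append(f"first preference is {first or curves[0]}, expected {PREFERRED}")
        compliant = compliant and not not_listed and first == PREFERRED
    return compliant, findings


# Constructed sample configs (not from any real deployment).
WEAK_CONFIG = """\
server {
    listen 443 ssl;
    ssl_ecdh_curve X25519:prime256v1:secp384r1;
}
"""
HARDENED_CONFIG = WEAK_CONFIG.replace(
    "X25519:prime256v1:secp384r1", "secp384r1:secp521r1:prime256v1")
```

Run `audit_ecdh_curves(open("/etc/nginx/nginx.conf").read())` against each server block's config to produce the evidence the audit tips ask for.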
Implementation tips
- The IT team should ensure that their encryption software is configured to use the NIST P-384 curve when setting up secure communications. They can do this by checking the settings in their encryption tools or consulting with their software vendors to confirm that these settings are available and enabled.
- System owners should collaborate with their IT providers to ensure that any new systems they procure include support for NIST curves, particularly P-384, for encrypting data. This involves having detailed discussions before purchase and verifying the encryption capabilities with the vendor.
- Managers should oversee staff training sessions about secure communications and why using specific encryption settings, like NIST P-384, can protect against data breaches. This can be achieved through a one-hour interactive workshop using simple, relatable analogies to explain complex concepts.
- The procurement team should update their purchasing checklists to require that any encryption product supports NIST P-384 or higher. They can implement this by creating a new section on the checklist specifically for technical compliance and ticking it off during vendor evaluations.
- Executives should set a policy that mandates the use of recommended NIST curves across all levels of the organisation where sensitive information is being communicated. This can be done by formalising it in the organisation's cybersecurity policy documents and ensuring everyone, from managers to employees, adheres to it.
Audit / evidence tips
- Ask: encryption product documentation. Request manuals or specification sheets for the encryption tools in use. Good: shows clear support for P-384 and others.
- Good: includes specific mention of P-384 as a standard requirement.
- Ask: system configuration reports. Request a report or demonstration of how encryption settings are configured. Good: a printout or screen capture showing P-384 active.
- Ask: training materials or attendance records from sessions on secure communications. Good: includes a training schedule and materials referencing P-384.
- Ask: to see the procurement checklists used for evaluating new encryption tools. Good: a checklist showing this requirement ticked off.
Cross-framework mappings
How ISM-1761 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | ||
| Annex A 8.24 | ISM-1761 requires that when ECDH is used to agree encryption session keys, organisations use specific NIST curves (P-256, P-384 or P-521)... | |