Use RSA with 3072-bit Modulus for Security
Ensure RSA uses at least a 3072-bit size for secure digital signatures and key transport.
Plain language
This rule says that if you use RSA encryption, you need to make sure the keys are long enough, specifically at least 3072 bits. It matters because shorter keys can be broken by hackers, which means your sensitive information, like digital signatures and data transfers, could be exposed or tampered with.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
S, TS
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cryptography
Official control statement
When using RSA for digital signatures, and transporting encryption session keys (and similar keys), a modulus of at least 3072 bits is used, preferably 3072 bits.
Why it matters
Using RSA keys under 3072 bits weakens signatures and session-key transport, increasing risk of forgery or key recovery and loss of trust.
Operational notes
Audit certificates and configs to ensure RSA keys are ≥3072 bits for signatures and key transport; block weaker keys and track crypto library defaults.
Implementation tips
- IT team: Implement RSA keys of 3072 bits or more. Use your security software settings to configure the key length to no less than 3072 bits when generating new encryption keys for systems managing sensitive data.
- Procurement team: Ensure software purchases support larger RSA key sizes. Verify with vendors that their products can handle RSA keys of at least 3072 bits to maintain compatibility with your security requirements.
- System administrator: Regularly check systems for compliance with RSA key length requirements. Review security configurations on each system to confirm that at least 3072-bit RSA keys are being used for digital signatures and encryption.
- Training coordinator: Educate staff about the importance of secure key sizes. Develop a brief training session explaining why longer key lengths are needed and how staff can check that their systems comply.
- Security team: Monitor for weak encryption practices. Use tools that can audit systems and alert you if RSA keys below 3072 bits are found, ensuring immediate corrective action.
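As an added illustration of the audit described in the operational notes and in the security-team tip above (this is not code from Control Stack or the ISM), the script below parses the DER structure of a PEM public key and reports whether its RSA modulus meets the 3072-bit minimum. The `sample_spki_pem` builder is a constructed stand-in that wraps an arbitrary odd number of the requested size, so it yields a parseable key but not a usable one.

```python
import base64

MIN_RSA_BITS = 3072  # minimum RSA modulus size required by ISM-1765
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def _read_tlv(buf, pos=0, want=None):
    """Read one DER tag-length-value at pos; return (value, next_pos); check the tag."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if want is not None and tag != want:
        raise ValueError(f"expected DER tag 0x{want:02x}, got 0x{tag:02x}")
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def rsa_modulus_bits(pem):
    """Modulus size in bits of a PEM 'PUBLIC KEY' (SubjectPublicKeyInfo) or
    'RSA PUBLIC KEY' (PKCS#1) block; raises ValueError on non-RSA input."""
    der = base64.b64decode("".join(l.strip() for l in pem.splitlines() if not l.startswith("-----")))
    body, _ = _read_tlv(der, want=0x30)
    if "-----BEGIN PUBLIC KEY-----" in pem:
        # SPKI ::= SEQUENCE { AlgorithmIdentifier, BIT STRING wrapping RSAPublicKey }
        alg, pos = _read_tlv(body, want=0x30)
        if _read_tlv(alg, want=0x06)[0] != RSA_OID:
            raise ValueError("not an rsaEncryption key")
        bitstr, _ = _read_tlv(body, pos, want=0x03)
        body, _ = _read_tlv(bitstr[1:], want=0x30)  # bitstr[0] is the unused-bits byte
    # RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    modulus, _ = _read_tlv(body, want=0x02)
    return int.from_bytes(modulus, "big").bit_length()

def audit_rsa_keys(labelled_pems, minimum=MIN_RSA_BITS):
    """Map label -> (bits, compliant) so undersized keys can be alerted on or blocked."""
    sizes = {label: rsa_modulus_bits(pem) for label, pem in labelled_pems}
    return {label: (bits, bits >= minimum) for label, bits in sizes.items()}

def _der(tag, value):  # minimal DER encoder, used only to construct sample keys
    n = len(value)
    nb = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + value

def sample_spki_pem(bits, exponent=65537):
    """Constructed sample: a well-formed SPKI PEM around an arbitrary odd modulus (not a real key)."""
    enc_int = lambda i: _der(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))
    rsa_key = _der(0x30, enc_int((1 << (bits - 1)) | 1) + enc_int(exponent))
    alg = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    b64 = base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + rsa_key))).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{wrapped}\n-----END PUBLIC KEY-----\n"
```

On real systems the same `rsa_modulus_bits` call can be run over public keys exported from certificates and key stores, with any `False` entry in the audit result treated as a finding.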
Audit / evidence tips
- Ask: the key management policy document. Request documentation that describes how encryption keys are generated and managed.
  Good: the document will clearly state the use of 3072-bit keys or longer for RSA encryption.
- Ask: the IT team to simulate creating a new encryption key on a system. Observe that the interface defaults to or enforces a minimum of 3072 bits for RSA keys.
  Good: the demonstration shows the process resulting in a properly sized key.
- Ask: a recent security audit report. Request the most recent report that includes an encryption key management review.
  Good: the report will indicate that all systems reviewed comply with the 3072-bit key requirement.
Cross-framework mappings
How ISM-1765 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.24 | ISM-1765 requires that when RSA is used for digital signatures and for transporting encryption session keys, organisations use an RSA mod... |
| Supports | Annex A 5.14 | ISM-1765 requires the use of RSA with at least a 3072-bit modulus for signatures and key transport to maintain cryptographic strength |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.