R224. Use secure cryptographic mechanisms
Requirement
The system must use the most secure cryptographic mechanism provided by the platform (e.g java.security.SecureRandom) for random number generation used in critical processes (e.g ID generation, code mapping, cryptographic keys).
Descriptions
System cryptographic keys are essential for maintaining the confidentiality and integrity of transactions and communications. Some of these keys and other critical elements are generated using random numbers. In these cases, the random numbers themselves must be generated using secure mechanisms, which have often already been implemented by the platform.
References

CWE330: Use of Insufficiently Random Values The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

CWE331: Insufficient Entropy The software uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

CWE332: Insufficient Entropy in PRNG The lack of entropy available for, or used by, a PseudoRandom Number Generator (PRNG) can be a stability and security threat.

CWE333: Improper Handling of Insufficient Entropy in TRNG True random number generators (TRNG) generally have a limited source of entropy and therefore can fail or block.

CWE334: Small Space of Random Values The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks.

CWE335: Incorrect Usage of Seeds in PseudoRandom Number Generator (PRNG) The software uses a PseudoRandom Number Generator (PRNG) that does not correctly manage seeds.

CWE338: Use of Cryptographically Weak PseudoRandom Number Generator (PRNG) The product uses a PseudoRandom Number Generator (PRNG) in a security context, but the PRNG’s algorithm is not cryptographically strong.

CWE340: Generation of Predictable Numbers or Identifiers The product uses a scheme that generates numbers or identifiers that are more predictable than required.

NIST 80053 IA7 Cryptographic module authentication: The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

OWASPASVS v3.17.6 Verify that all random numbers, random file names, random GUIDs, and random strings are generated using the cryptographic module’s approved random number generator when these random values are intended to be not guessable by an attacker.

OWASPASVS v3.17.15 Verify that random numbers are created with proper entropy even when the application is under heavy load, or that the application degrades gracefully in such circumstances.

OWASPASVS v4.0.1 V1.6 Cryptographic Architectural Requirements.(1.6.1) Verify that there is an explicit policy for management of cryptographic keys and that a cryptographic key lifecycle follows a key management standard such as NIST SP 80057.