Fluid Attacks logo
Contact Us
Young hacker smiling
Zero false positives

Expert intelligence + effective automation

Contact logo Contact Us

R224. Use secure cryptographic mechanisms

This document contains the details of the security requirements related to the definition and management of random numbers in the organization. This requirement establishes the importance of using secure cryptographic mechanisms to generate the random numbers used in data encryption.


The system must use the most secure cryptographic mechanism provided by the platform (e.g java.security.SecureRandom) for random number generation used in critical processes (e.g ID generation, code mapping, cryptographic keys).


System cryptographic keys are essential for maintaining the confidentiality and integrity of transactions and communications. Some of these keys and other critical elements are generated using random numbers. In these cases, the random numbers themselves must be generated using secure mechanisms, which have often already been implemented by the platform.


  1. CWE-330: Use of Insufficiently Random Values The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

  2. CWE-331: Insufficient Entropy The software uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

  3. CWE-332: Insufficient Entropy in PRNG The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat.

  4. CWE-333: Improper Handling of Insufficient Entropy in TRNG True random number generators (TRNG) generally have a limited source of entropy and therefore can fail or block.

  5. CWE-334: Small Space of Random Values The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks.

  6. CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) The software uses a Pseudo-Random Number Generator (PRNG) that does not correctly manage seeds.

  7. CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG’s algorithm is not cryptographically strong.

  8. CWE-340: Generation of Predictable Numbers or Identifiers The product uses a scheme that generates numbers or identifiers that are more predictable than required.

  9. NIST 800-53 IA-7 Cryptographic module authentication: The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

  10. OWASP-ASVS v3.1-7.6 Verify that all random numbers, random file names, random GUIDs, and random strings are generated using the cryptographic module’s approved random number generator when these random values are intended to be not guessable by an attacker.

  11. OWASP-ASVS v3.1-7.15 Verify that random numbers are created with proper entropy even when the application is under heavy load, or that the application degrades gracefully in such circumstances.

  12. OWASP-ASVS v4.0.1 V1.6 Cryptographic Architectural Requirements.(1.6.1) Verify that there is an explicit policy for management of cryptographic keys and that a cryptographic key lifecycle follows a key management standard such as NIST SP 800-57.

Service status - Terms of Use