224 – Use secure cryptographic mechanisms

Summary

The system must use the most secure cryptographic mechanism provided by the platform (e.g., java.security.SecureRandom) for random number generation used in critical processes (e.g., ID generation, code mapping, cryptographic keys).

Description

The system's cryptographic keys are essential for maintaining the confidentiality and integrity of transactions and communications. Some of these keys and other critical elements are generated using random numbers. In these cases, the random numbers themselves must be generated using secure mechanisms, which have often already been implemented by the platform.

Supported In

Essential: True

Advanced: True

References

• CAPEC-20. Encryption brute forcing
• CAPEC-94. Adversary in the middle (AiTM)
• CAPEC-117. Interception
• CAPEC-151. Identity spoofing
• CAPEC-216. Communication channel manipulation
• CAPEC-272. Protocol manipulation
• CAPEC-594. Traffic injection
• CIS-3_10. Encrypt sensitive data in transit
• CWE-321. Use of hard-coded cryptographic key
• CWE-326. Inadequate encryption strength
• CWE-327. Use of a broken or risky cryptographic algorithm
• CWE-331. Insufficient entropy
• CWE-340. Generation of predictable numbers or identifiers
• NIST80053-IA-7. Cryptographic module authentication
• OWASP10-A4. Insecure design
• OWASPM10-M3. Insecure communication threat agents
• OWASPM10-M5. Insufficient cryptography
• BIZEC-APP-05. Directory traversal
• NYDFS-500_15. Encryption of nonpublic information
• MITRE-M1025. Privileged process integrity
• PADSS-2_5_1. Generation of strong cryptographic keys
• PADSS-5_2_3. Insecure cryptographic storage
• SANS25-18. Use of hard-coded credentials
• CMMC-MP_L2-3_8_6. Portable storage encryption
• CMMC-SC_L1-3_13_1. Boundary protection
• CMMC-SC_L2-3_13_8. Data in transit
• HITRUST-01_y. Teleworking
• HITRUST-06_f. Regulation of cryptographic controls
• HITRUST-09_m. Network controls
• HITRUST-09_s. Information exchange policies and procedures
• HITRUST-09_y. On-line transactions
• HITRUST-10_d. Message integrity
• HITRUST-10_f. Policy on the use of cryptographic controls
• FEDRAMP-CM-3_6. Baseline configuration - Cryptography management
• FEDRAMP-SC-8_1. Cryptographic or alternate physical protection
• FEDRAMP-SC-13. Cryptographic protection
• ISO27002-8_24. Use of cryptography
• IEC62443-SI-3_1. Communication integrity
• OSSTMM3-10_7_2. Telecommunications security (controls verification) - Confidentiality
• OSSTMM3-11_7_2. Data networks security (controls verification) - Confidentiality
• OSSTMM3-11_7_4. Data networks security (controls verification) - Integrity
• NISTSSDF-PS_2_1. Provide a mechanism for verifying software release integrity
• PTES-7_7. Post Exploitation - Persistence
• OWASPRISKS-P2. Operator-sided data leakage
• MVSP-2_8. Application design controls - Encryption
• OWASPSCP-6. Cryptographic practices
• BSAFSS-SM_3-2. Supply chain data is protected
• BSAFSS-EN_2-5. Avoid weak encryption
• NIST800171-1_13. Employ cryptographic mechanisms to protect the confidentiality of remote access sessions
• SWIFTCSC-2_1. Internal data flow security
• ASVS-1_9_1. Communications architecture
• ASVS-2_6_2. Look-up secret verifier
• ASVS-2_9_3. Cryptographic verifier
• ASVS-3_2_4. Session binding
• ASVS-6_3_3. Random values
• C2M2-9_5_d. Implement data security for cybersecurity architecture
• PCI-3_7_1. Generation of strong cryptographic keys
• PCI-4_2_2. Strong cryptography to protect data
• SIGLITE-SL_30. Are encryption tools managed and maintained for Scoped Data?
• SIG-D_6_1. Asset and information management
• SIG-D_6_11_1. Asset and information management
• ASVS-3_2_2. Session binding
• ASVS-6_2_8. Algorithms
• ASVS-6_3_2. Random values
• ISO27001-8_24. Use of cryptography
• CASA-1_9_1. Communications Architecture
• CASA-2_9_3. Cryptographic Verifier
• CASA-6_2_8. Algorithms
• CASA-6_3_2. Random Values
• CASA-6_3_3. Random Values
• RESOLSB-Art_26_11_h. Information Security
• RESOLSB-Art_27_8. Security in Electronic Channels
• RESOLSB-Art_28_1. Security in Electronic Channels - ATMs
• FISMA-IA-7. Cryptographic module authentication
• OWASPMASVS-CRYPTO-1. The app employs current strong cryptography and uses it according to industry best practices
• OWASPMASVS-NETWORK-1. The app secures all network traffic according to the current best practices
• CWE25-798. Use of hard-coded credentials
• OWASPLLM-LLM02:2025. Sensitive Information Disclosure
• OWASPLLM-LLM07:2025. System Prompt Leakage
• OWASPLLM-LLM08:2025. Vector and Embedding Weaknesses

Weaknesses

• 395 – Insecure generation of random numbers - Static IV
• 411 – Insecure encryption algorithm - Default encryption
• 034 – Insecure generation of random numbers
• 078 – Insecurely generated token

Last updated

2025/06/17