
Use initialization vectors once


The system should use initialization vectors, nonces and other single-use numbers only once with a given encryption key.


The system’s cryptographic keys are essential for maintaining the confidentiality and integrity of transactions and communications. Some encryption mechanisms use initialization vectors to reduce the chances that a message will be decrypted by someone who does not hold the key. These vectors should be generated using cryptographically secure random number generators and should be used only once with a given encryption key.
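One way to enforce and audit this requirement, as an added example that is not part of the original page: a nonce issuer that draws from the operating system's CSPRNG and refuses any nonce already used with the same key, plus an audit function for stored (key, nonce) pairs. The names `NonceIssuer`, `find_reuse`, the key identifiers and the sample records are assumptions made for illustration.

```python
import secrets
from collections import defaultdict

NONCE_LEN = 12  # 96 bits, the standard nonce size for AES-GCM and ChaCha20-Poly1305


class NonceReuseError(Exception):
    """Raised when a nonce would be used twice with the same key."""


class NonceIssuer:
    """Issues CSPRNG nonces and remembers every (key_id, nonce) pair it has seen."""

    def __init__(self):
        self._seen = defaultdict(set)  # key_id -> nonces already used with that key

    def issue(self, key_id):
        """Return a fresh random nonce for key_id and register it as used."""
        nonce = secrets.token_bytes(NONCE_LEN)
        self.register(key_id, nonce)
        return nonce

    def register(self, key_id, nonce):
        """Record a nonce for key_id; refuse it if it was already used with that key."""
        if len(nonce) != NONCE_LEN:
            raise ValueError("unexpected nonce length")
        if nonce in self._seen[key_id]:
            raise NonceReuseError(f"nonce {nonce.hex()} already used with key {key_id!r}")
        self._seen[key_id].add(nonce)


def find_reuse(records):
    """Audit (key_id, nonce_hex) pairs, e.g. read from stored ciphertext headers.

    Returns {(key_id, nonce_hex): count} for every pair that appears more than once.
    """
    counts = defaultdict(int)
    for key_id, nonce_hex in records:
        counts[(key_id, nonce_hex.lower())] += 1
    return {pair: n for pair, n in counts.items() if n > 1}


# Constructed sample records (hypothetical key ids), two of which share key and nonce.
SAMPLE_RECORDS = [
    ("key-A", "000000000000000000000001"),
    ("key-B", "000000000000000000000001"),  # same nonce, different key: allowed
    ("key-A", "000000000000000000000001"),  # same nonce, same key: violation
]
```

With random 96-bit nonces, NIST SP 800-38D limits a GCM key to 2^32 encryptions, so rotate the key well before that count is reached.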


  • CWE-326: Inadequate Encryption Strength: The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

  • CWE-330: Use of Insufficiently Random Values: The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

  • OWASP-ASVS v4.0.1 V6.2 Algorithms.(6.2.6): Verify that nonces, initialization vectors, and other single use numbers must not be used more than once with a given encryption key. The method of generation must be appropriate for the algorithm being used.

  • OWASP-ASVS v4.0.1 V6.3 Random Values.(6.3.1): Verify that all random numbers, random file names, random GUIDs and random strings are generated using the cryptographic module’s approved cryptographically secure random number generator when these random values are intended to be not guessable by an attacker.