|Name ||Cryptanalysis |
|Summary ||Cryptanalysis is a process of finding weaknesses in cryptographic algorithms and using these weaknesses to decipher the ciphertext without knowing the secret key (instance deduction). Sometimes the weakness is not in the cryptographic algorithm itself, but rather in how it is applied that makes cryptanalysis successful. An attacker may have other goals as well, such as:
1. Total Break - Finding the secret key
2. Global Deduction - Finding a functionally equivalent algorithm for encryption and decryption that does not require knowledge of the secret key.
3. Information Deduction - Gaining some information about plaintexts or ciphertexts that was not previously known
4. Distinguishing Algorithm - The attacker has the ability to distinguish the output of the encryption (ciphertext) from a random permutation of bits
The goal of the attacker performing cryptanalysis will depend on the specific needs of the attacker in a given attack context. In most cases, if cryptanalysis is successful at all, an attacker will not be able to go past being able to deduce some information about the plaintext (goal 3). However, that may be sufficient for an attacker, depending on the context. |
|Prerequisites ||The target software utilizes some sort of cryptographic algorithm.
An underlying weaknesses exists either in the cryptographic algorithm used or in the way that it was applied to a particular chunk of plaintext.
The encryption algorithm is known to the attacker.
An attacker has access to the ciphertext. |
|Solutions ||Use proven cryptographic algorithms with recommended key sizes.
5. Picking the most appropriate cryptographic algorithm for your usage context and data |
|CWE ID ||Description |
|CWE-327 ||Use of a Broken or Risky Cryptographic Algorithm |
|CWE-693 ||Protection Mechanism Failure |
|CWE-719 ||OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage |