CAPEC-97 - Cryptanalysis

Cryptanalysis is the process of finding weaknesses in cryptographic algorithms and using these weaknesses to decipher the ciphertext without knowing the secret key (instance deduction). Sometimes what makes cryptanalysis successful is a weakness not in the cryptographic algorithm itself, but in how it is applied. An attacker may have other goals as well, such as:

The goal of the attacker performing cryptanalysis will depend on the specific needs of the attacker in a given attack context. In most cases, if cryptanalysis is successful at all, an attacker will not be able to go past being able to deduce some information about the plaintext (goal 3). However, that may be sufficient for an attacker, depending on the context.

Severity

Likelihood

Confidentiality

Integrity

Availability

  • Attack Methods (2)
      • Analysis
      • Brute Force
  • Purposes (1)
      • Reconnaissance
  • Scopes (3)
      • Read application data
          • Confidentiality
      • Modify application data
          • Integrity
      • Gain privileges / assume identity
          • Authorization
          • Access_Control
          • Confidentiality

High level: Cryptanalysis generally requires a very significant level of understanding of mathematics and computation.

The target software utilizes some sort of cryptographic algorithm.

An underlying weakness exists either in the cryptographic algorithm used or in the way that it was applied to a particular chunk of plaintext.

The encryption algorithm is known to the attacker.

An attacker has access to the ciphertext.

Computing resource requirements will vary based on the complexity of a given cryptanalysis technique. Access to the encryption/decryption routines of the algorithm is also required.

Step 1 -

An attacker discovers a weakness in the cryptographic algorithm or a weakness in how it was applied to a particular chunk of plaintext.


Step 1 -

An attacker leverages the discovered weakness to decrypt, partially decrypt or infer some information about the contents of the encrypted message. All of that is done without knowing the secret key.
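An added illustration (not part of the CAPEC entry) of a weakness in how an algorithm is applied rather than in the algorithm itself: reusing a nonce with a stream-style cipher reveals where two plaintexts differ without the key, shown beside the fresh-nonce form and a reuse check a defender can run. The HMAC-SHA256 counter-mode keystream, the function names and the sample messages are all constructed for this example.

```python
import hashlib
import hmac
import os

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a constructed stand-in for a stream cipher."""
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))

def differing_positions(c1: bytes, c2: bytes) -> list:
    """Indexes where two ciphertexts differ. Under a reused keystream these
    are exactly the indexes where the plaintexts differ (c1^c2 == p1^p2)."""
    return [i for i, (a, b) in enumerate(zip(c1, c2)) if a != b]

def find_reused_nonces(messages) -> set:
    """Defender's check: nonces seen more than once under the same key."""
    seen, reused = set(), set()
    for nonce, _ciphertext in messages:
        if nonce in seen:
            reused.add(nonce)
        seen.add(nonce)
    return reused

# Constructed sample data (equal-length messages under one key).
KEY = os.urandom(32)
P1 = b"transfer 0100 to account A"
P2 = b"transfer 9999 to account B"

def demo() -> dict:
    fixed = b"\x00" * 12                      # misuse: one nonce for every message
    weak = [(fixed, encrypt(KEY, fixed, P1)), (fixed, encrypt(KEY, fixed, P2))]
    n1, n2 = os.urandom(12), os.urandom(12)   # proper use: fresh nonce per message
    good = [(n1, encrypt(KEY, n1, P1)), (n2, encrypt(KEY, n2, P2))]
    return {
        "weak_diff": differing_positions(weak[0][1], weak[1][1]),
        "good_diff": differing_positions(good[0][1], good[1][1]),
        "weak_reused": find_reused_nonces(weak),
        "good_reused": find_reused_nonces(good),
    }

if __name__ == "__main__":
    print(demo())
```

With the fixed nonce, the differing positions line up with the amount and account fields of the sample messages. With fresh nonces the differences are spread across the whole message and carry no such structure.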


Use proven cryptographic algorithms with recommended key sizes.

Ensure that the algorithms are used properly. That means: