Cryptanalytic attacks

Overview

Cryptanalytic attacks exploit flaws in the cryptographic mechanisms used to protect websites. In the event of a complete exploit of the mechanism, it will be as though the mechanism was not in place to begin with

What makes a site vulnerable?

A site may be vulnerable to cryptanalytic attacks if it uses poorly designed or implemented cryptographic mechanisms for security. This can include the use of hash functions to protect passwords, encryption to protect data, etc.

Impact of the attack

At worst, cryptanalytic attacks may entirely defeat any security mechanisms based on weak cryptography. That is, it will be as though they were not there. The use of bad cryptography may even be worse than not having used it at all, since it may have encouraged a false sense of security resulting in users entrusting more private data, etc., to the site than they would if they believed no security mechanisms where in place.

Preventing the attack

While it is not generally possible to get a complete guarantee that any cryptographic mechanism you use is secure, there are ways to get a degree of confidence. The use of well-studied (and still unbroken) cryptographic algorithms will usually be a better choice than the use of algorithms invented by non-cryptography experts or algorithms which have not undergone much study. Similarly with implementations, well-studied implementations will be better than those which have not undergone and withstood as much analysis.

The attack in the Real World

Weak encryption is cited as a major factor in a breach of TJX's security which resulted in the theft of 45 million credit and debit card records, costing the company approximately $128 million. The information was being encrypted using the flawed WEP protocol (which can now be exploited in under a minute).