From these facts alone, it can probably be concluded that statistical analysis is easier to accomplish than brute force. This is generally true; however there are several techniques that are used to mitigate the effect of statistical analysis. Two of these techniques, seeding and salting are very common.
Seeds are numbers that are used to ensure randomness when generating keys. There have been many cases where knowledge of a random number generation algorithm has resulted in attackers determining the random numbers, and subsequently the keys. A seed is a variable that is introduced to the random number generation system such that even detailed knowledge of the algorithm will not be sufficient to determine the random values, without knowledge of the seed value.
Salts are applied to data cyphertext. Salting involves transforming the cyphertext one more time and is a very inexpensive operation, usually an XOR or AND operation. This operation obscures obvious patterns in the cyphertext making statistical analysis impossible until the salt function has been reversed. If an attacker has no knowledge that a salt is occurring, which pieces of cyphertext have been salted, and the salt value, then attacking the cyphertext becomes more difficult.
In all cases, when decryption has been completed, a logical decision is required to complete the process. It is important to note that decryption will never fail. That is f(x) = y will always succeed mathematically. The relative success of decryption is based on the value of y once f(x) has been performed. To illustrate this, consider an example. An attacker is attempting to decrypt a phone number. How will the attacker know if the decryption has succeeded in determining the phone number? There are a few simple tests that can be performed. First of all, if the value of y does not look like a phone number, that is, it does not pass a character inspection (14 characters, 2 parenthesis, 10 digits, no alphabetic symbols, etc….) then the decryption has probably failed and we move to the next key. Finally, once we have tried all possible keys, we probably have a list of character sets that look like phone numbers, but until we try each set we will never know which one is correct. Cryptanalysis systems often employ a very complex logical pattern matching system that attempts to guess when decryption has been successful by using knowledge of what the plaintext should look like. If an attempt is made to decrypt HTTPS data, then we know the plaintext should look like HTTP, so anything that does not resemble HTTP can be eliminated. As you can see, without some specific knowledge of what we are looking for, decryption of data is a very difficult task.
Finally, we can further complicate the process of decryption by introducing the idea of lifetime. In the previous example a phone number was decrypted. What if the process of decrypting the phone number took 4 weeks to complete, but by the time we determined the secret phone number the number was disconnected or changed? Our decryption attempts have failed because we failed to determine the secret data before the data became invalid. In reality a system may only have a matter of seconds or minutes to determine the secret data or key as many implementations will regenerate secret keys after a time period has expired or a specific amount of data has been transferred. To further complicate maters, new keys can be exchanged using a separate encryption key than the data. These characteristics of encryption systems make the life of an attacker exponentially more difficult.
To help put breaking encryption into perspective, we can look at a challenge that was put fourth by RSA in the late 1990’s. Details of the DESCHALL can be found on www.rsa.com/rsalabs. By chaining together 10’s of thousands of computers all over the world in 1998, an engineer was able to decrypt a message encrypted using 40 bit DES in 39 days.