The paper http://members.aol.com/jpeschel3/report.pdf is a nice introduction to the ideas behind linear and differential cryptanalysis. Here we just sketch the basic idea behind these approaches.
Differential cryptanalysis is credited to Biham and Shamir, though it is now clear that someone involved with the design of DES (read NSA) knew about the technique. The basic idea of differential cryptanalysis is to look for plaintext differences that produce biased ciphertext differences. If such a bias depends on the key, then an attacker can gain information about the key and, perhaps with sufficient data, even recover the key.
Linear cryptanalysis is, in the open literature, due to Matsui. The idea here is to approximate some nonlinear part of a cipher by a linear function. For example, the nonlinear function f(x, y) = x + xy (with x and y bits and arithmetic modulo 2) can be approximated by the linear function g(x, y) = x, with the approximation holding with probability 3/4. If such a linear approximation is biased, it might yield information about the key. In an iterated block cipher, it is sensible to look for linear approximators to the round function. Such a linear approximator could be a function of plaintext and/or ciphertext and/or key bits.
Differential cryptanalysis requires chosen plaintext, while linear cryptanalysis "only" requires known plaintext. However, it should be noted that sufficient quantities of known plaintext imply that some lesser amount of chosen plaintext is available.
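The linear approximation of f(x, y) = x + xy described above, worked through as an added example that is not part of the original page. It goes slightly beyond the text by checking all four linear functions of x and y, and then shows how the 3/4 bias leaks a key bit from known plaintext. The one-bit toy cipher (toy_encrypt), the sample generator and the majority-vote recovery are constructed assumptions for illustration, not a real cipher.

```python
import random
from itertools import product

def f(x, y):
    """The page's nonlinear function on bits: x + xy (mod 2)."""
    return (x + x * y) % 2

def agreement(mask_x, mask_y):
    """Fraction of the 4 inputs where f equals the linear function
    mask_x*x + mask_y*y (mod 2)."""
    hits = sum(f(x, y) == ((mask_x & x) ^ (mask_y & y))
               for x, y in product((0, 1), repeat=2))
    return hits / 4

def toy_encrypt(p1, p2, k1, k2):
    """Constructed toy cipher (assumption): XOR in two key bits, apply f."""
    return f(p1 ^ k1, p2 ^ k2)

def known_plaintext(k1, k2, n, seed=0):
    """n constructed (plaintext, ciphertext) pairs under a fixed key."""
    rng = random.Random(seed)
    pairs = []
    for _ in range(n):
        p1, p2 = rng.randint(0, 1), rng.randint(0, 1)
        pairs.append(((p1, p2), toy_encrypt(p1, p2, k1, k2)))
    return pairs

def recover_k1(pairs):
    """f(x, y) ~ x gives c ~ p1 ^ k1, so c ^ p1 equals k1 three times in
    four. A majority vote over the known plaintexts estimates k1."""
    votes = sum(c ^ p1 for (p1, _), c in pairs)
    return int(2 * votes > len(pairs))

if __name__ == "__main__":
    for mx, my in product((0, 1), repeat=2):
        print(f"g = {mx}*x + {my}*y agrees with f on {agreement(mx, my):.2f} of inputs")
    for k1, k2 in product((0, 1), repeat=2):
        guess = recover_k1(known_plaintext(k1, k2, n=400))
        print(f"key=({k1},{k2})  recovered k1={guess}")
```

The approximation g = y agrees only 1/4 of the time, which is just as biased as 3/4: its complement 1 + y holds with probability 3/4.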