Attack 1 - Naïve
How It Works
These two attacks are anticipated in the context of the Anti-Counterfeiting Protocol only. Until the system is widely used and consumers are familiar with its protective mechanisms, the first naïve attack will probably consist simply of putting any similar-looking ID on the fake products. These will fail at the first hurdle (they're not on the database) as soon as any consumer tries to authenticate the product, but there will be a period during the early adoption of the system in which we can anticipate this simple attack. The primary defence against it will be publicity. Brand owners will need - and no doubt wish - to publicise the new protection they have against counterfeit, or at least to publicise the criminal prosecution of those caught as a result of using the Codel system.

It is conceivable that an attacker might attempt to obtain valid VRs by writing a program to automate the consumer logon procedure, entering random VRs of their own and noting those which don't "fail". This rates as a naïve attack in its own right, as it clearly fails to appreciate the scale of the task. If there were, for instance, 10 billion unregistered legitimate VRs on the database, then, given that the potential number of VRs is a massive 10^31, each such attempt at finding a match would have an approximate chance of 1 in 10^21 of success. Ignoring the delays inherent in web transactions, let's assume that the attacker can attempt 1 million VRs per second. On average it would still take around 15 million years to find a single match!