Active attack

Passive attack involving underdeposit corrosion tends to involve large system surface areas and, hence, accounts for the greatest amount of metal loss, by weight, in cooling water systems. Active attack tends to produce intense localized corrosion and, as such, a greater incidence of perforations. 

Active attack is commonly caused by microorganisms. Four factors must be present for a diagnosis of microbiologically influenced corrosion ... 

Access of air and water will also affect the corrosion rate. Metal inserts in corrosive plastics are most actively attacked at the plastic/metal/air interfaces with certain metals, notably aluminium titaniumand stainless steel, crevice effects (oxygen shielding and entrapment of water) frequently accelerate attack. Acceleration of corrosion by bimetallic couples between carbon-fibre-reinforced plastics and metals presents a problem in the use of these composites. 

No plane of symmetry, Optically active. Attack but has twofold axis at either ring carbon of symmetry gives this product... 

Natural compounds offer a vast array of chemical structural diversity associated with evolved biological activities attacking many different molecular... 

Despite the good performance characteristics of HMTD, it had several significant faults. As mentioned earlier, the peroxide bond is very reactive. This made HMTD incompatible with most metals. It actively attacked aluminum, tin, zinc, brass, copper, iron, and lead. HMTD was also very unstable when stored, exhibiting tremendous weight loss over short periods of time. In the end, it was judged both too reactive and too thermally unstable for any practical usage. It fell into obscurity in the explosives community in the early 1950s. 

Reactions whose rate is not greatly affected by coordination. Here the reactive site of the ligand is usually quite distant from the coordination center, though a very active attacking reagent can lead to much the same result if it is sufficiently unselective. 

In the above example, the enzyme accepted the drug as a bona fide visitor, only to find that it gained an awkward squatter impossible to move. Other apparently harmless visitors can turn into lethal assassins which actively attack the enzyme. Once again, it is the enzyme mechanism itself which causes the transformation. One example of this is provided by the irreversible inhibition of the enzyme alanine transaminase by trifluoroalanine (Fig. 4.23). 

In the most general type of active attack, the attacker can choose those messages at any time. This is called an adaptive chosen-message attack. For technical reasons, weaker forms were considered where the attacker must choose all the messages before the signer publishes her public key or at least before the signer issues the first signature. 

Selective forgery The attacker has forged the signature on a message that he could select independently of the public key and before a possible active attack. 

By the way, the situation with the ElGamal scheme is similar to that with RSA, although that scheme is not directly constructed from trap-door one-way permutations Existential forgery is possible with a key-only attack. However, no method for selective forgery with an active attack is known. 

A second step was to formalize security not only as the infeasibility of computing the inverse of a function. Instead, the definition must comprise an active attack and exclude existential forgery. 

Related decisions are where one represents security parameters (see Section 5.2.4, Initialization ), how active attacks on honest users are modeled (Section 5.4.2), and the formalization of availability of service (Section 5.2.7). 

The formal reason for modeling the honest users is that one cannot define runs of the system without them One needs some source for the user inputs. A more intuitive reason for modeling the honest users is that this is where the active attacks described in Section 2.5 come in One must decide to what extent the behaviour of honest users might be influenced by the attackers. 

In the following, two formal models of essentially the same idea are presented. Some discussions of their relative merits follow. The section concludes with discussions of how conventional definitions of active attacks fit into these models. Actually, the general model with interfaces seems to simplify the treatment of active attacks in definitions considerably. 

Essentially, one obtains the best degree of security if one universally quantifies over the behaviour of the honest users No matter what the honest users do, the requirements are fulfilled. Such a model automatically covers all conceivable active attacks, because behaviours resulting from an influence by an attacker are just behaviours, too. It is rather a natural model, too — for instance, how could one know anything about how an honest user selects the messages she authenticates (This is in contrast to the behaviour of correct entities, which act according to programs.)... 

Figure 5.15. Model of an active attack on two honest users, version with direct access.

Attacks above and below the interface. One formal definition of an active attack might be that it is any attack where the attacker lets his entities deviate from their prescribed programs. The behaviour of the honest users and the influence of the attackers on them has nothing to do with active attacks in this sense, because no programs for users exist. Instead, this type of active attack was considered in Section 5.4.1, where the access of attackers to parts below the interface was considered. 

Notion from the GMR deflnition. The notion of an active attack in the GMR definition corresponds to the one in this section (although no notion of interface exists, of course) In an adaptive chosen-message attack, the attacker can, for a... 

Generalization. Both models presented above consider active attacks on all types of access points, i.e., not only on signers, but also on recipients and courts. 

Finally, note that an active attacker may not only influence the inputs of the honest users, but also see the outputs. For example, the poor recipient who was made to test lots of junk signatures might tell everybody around him Have you also had such troubles with e-mail this morning I received 105 authenticated messages and only 2 were correct. The attacker might even answer No, I haven t let me see if I can help , to find out which were the two that passed the test. 

Signature schemes with information-theoretic security are easy to classify Only one scheme exists so far ([ChRo91] with improvements and extensions in [PfWa92, Waid91]). With the conventions from Chapter 5, it is not even quite a signature scheme In contrast to all other schemes, it does not withstand arbitrary active attacks (see Section 5.4.2). It offers the following service ... 

The special problem with the degree of security is due to the fact that the entities of recipients and courts have secret information and divulge some of it in authentication and disputes, in contrast to all other existing signature schemes. Hence not only the signer, but also recipients and courts are vulnerable to active attacks, as described at the end of Section 5.4.2. This seems to be a more difficult problem than active attacks on signers, because each signature is issued only once, whereas it may be tested very often. ... 

This restriction is needed to prove that certain complicated active attacks need not be considered with the fail-back requirement of the signer on disputes see Section 7.1.3. 

Moreover, active attacks have to be considered, i.e., the attacker may induce the signer and the court to perform an arbitrary number of authentications and disputes. However, only a restricted active attack has been considered formally in previous conventional definitions The attacker only initiates authentications before the one dispute where he tries to achieve the result acc = TRUE. It is now shown that this restriction is in fact without loss of generality for standard fail-stop signature schemes. However, the restriction restr is used, which was not made explicitly in previous definitions. 

Lemma 7.5. If a standard fail-stop signature scheme guarantees the fall-back requirement of the signer on disputes against attackers that only initiate authentications and then one dispute, it also guarantees this requirement against general active attacks. ... 

Thus the conventional definition of the security for the signer, Definitions 7.12 to 7.14, will only consider the restricted active attacks. 

In previous definitions, this requirement has been considered almost without active attacks, i.e., the attacker only takes part in one initialization (where he may try to cheat, of course) and then immediately tries to compute a valid proof of forgery. It is now shown that this is without loss of generality in standard fail-stop signature schemes. 

Proof sketch. The correct entities are those of the court that applies verify and, if special risk bearers are considered, one risk bearer. By the assumed structure of standard fail-stop signature schemes, the court s entity only applies the deterministic algorithms res, test, and verify to information that is known to the attacker. Hence an attacker can simulate all the actions of the court s entity on his own and does not need active attacks on it. (More formally, this could be written as a reduction, as in the previous proof sketch.) The risk bearer s entity only carries out initializations. By the precondition about correct use of initialization, cheating does not count if it involves more than one initialization for the same signer s identity id. Initializations for other identities are completely independent, hence an attacker can simulate them on his own. ... 

In previous definitions, the only active attacks were that the attacker makes the signer s entity sign messages. 

Proof sketch. Active attacks on the recipient can be omitted, because the attacker can simulate the actions of the recipient s entity on his own It applies the algorithms res and test to values known to the attacker, and in disputes, it sends a previously received signature. The risk bearer s entity can be treated as in the proof sketch of Lemma 7.6. 

---