Security Analysis of the Mexican Fiscal Digital Certificate System
DOI:
https://doi.org/10.13053/cys-23-2-2994
Keywords:
Information security, Mexican public key infrastructure system, digital certificates, RSA
Abstract
In 2005 the Mexican National tributary system (SAT) started an ambitious public key infrastructure project with the aim of providing each Mexican citizen with a public/private key pair along with a digital certificate issued by SAT itself. As of March 2016, approximately a total of 17 million certificates have been issued. This e-government system permits Mexican citizens to use a series of digital on-line services such as: tax declaration, official receipt issuing/verification, contract signing, etc. In particular, all Mexican official invoices became digital by January 2016, effectively going paperless for this service. In this paper, we carefully analyze the Mexican PKI system, showing that it has several weak points that can be attacked by malicious adversaries. We report experimental evidence showing that one can launch a simple dictionary attack on SAT’s password-based authentication system. We also argue that, because the hash function SHA-1 has recently been completely broken, an attacker can produce the same signature for two different documents that will verify correctly when using any old FIEL certificate that has the RSA-1204/SHA-1 signature suite.
Published
2019-06-27
Section
Articles
License
Hereby I transfer exclusively to the Journal "Computación y Sistemas", published by the Computing Research Center (CIC-IPN), the Copyright of the aforementioned paper. I also accept that these rights will not be transferred to any other publication, in any other format, language or other existing means of developing.
I certify that the paper has not been previously disclosed or simultaneously submitted to any other publication, and that it does not contain material whose publication would violate the Copyright or other proprietary rights of any person, company or institution. I certify that I have the permission from the institution or company where I work or study to publish this work.
The representative author accepts the responsibility for the publication of this paper on behalf of each and every one of the authors.
This transfer is subject to the following conditions:
- The authors retain all ownership rights (such as patent rights) of this work, except for the publishing rights transferred to the CIC, through this document.
- Authors retain the right to publish the work in whole or in part in any book they are the authors or publishers. They can also make use of this work in conferences, courses, personal web pages, and so on.
- Authors may include the work as part of their thesis, for non-profit distribution only.