Security Analysis of the Mexican Fiscal Digital Certificate System
Abstract
In 2005 the Mexican National tributary system (SAT) started an ambitious public key infrastructure project with the aim of providing to each Mexican citizen a public/private key pair along with a digital certificate that was issued by SAT itself. As of March 2016, approximately a total of 17 million certificates have been issued. This e-government system permits Mexican citizens to exercise a series of digital on-line services such as: tax declaration, official receipt issuing/verification, contract signing, etc. In particular, all Mexican official invoices became digital by January 2016, efectively going paperless for this service. In this paper, we carefully analyze the Mexican PKI system showing that it has several weak points that can be attacked by malicious adversaries. We report experimental evidence showing that one can launch a simple dictionary attack on SAT’s password-based authentication system. We also argue that due to the fact that the hash function SHA-1 has been recently completely broken, an attacker can produce the same signature for two different documents that will verify correctly when using any old FIEL certificate that has the RSA- 1204/SHA-1 signature suite.