Services on Demand
Journal
Article
Indicators
- Cited by SciELO
- Access statistics
Related links
- Similars in SciELO
Share
Computación y Sistemas
On-line version ISSN 2007-9737Print version ISSN 1405-5546
Abstract
RIVERA ZAMARRIPA, Luis et al. Security Analysis of the Mexican Fiscal Digital Certificate System. Comp. y Sist. [online]. 2019, vol.23, n.2, pp.477-490. Epub Mar 10, 2021. ISSN 2007-9737. https://doi.org/10.13053/cys-23-2-2994.
In 2005 the Mexican National tributary system (SAT) started an ambitious public key infrastructure project with the aim of providing to each Mexican citizen a public/private key pair along with a digital certificate that was issued by SAT itself. As of March 2016, approximately a total of 17 million certificates have been issued. This e-government system permits Mexican citizens to exercise a series of digital on-line services such as: tax declaration, official receipt issuing/verification, contract signing, etc. In particular, all Mexican official invoices became digital by January 2016, effectively going paperless for this service. In this paper, we carefully analyze the Mexican PKI system showing that it has several weak points that can be attacked by malicious adversaries. We report experimental evidence showing that one can launch a simple dictionary attack on SAT's password-based authentication system. We also argue that due to the fact that the hash function SHA-1 has been recently completely broken, an attacker can produce the same signature for two different documents that will verify correctly when using any old FIEL certificate that has the RSA-1204/SHA-1 signature suite.
Keywords : Information security; Mexican public key infrastructure system; digital certificates; RSA.