Identifying potential countermeasures?


#1

Hello! I’m trying to perform a side channel attack against the AES portion of MILENAGE authentication in a SIM card. I’ve modified a card reader to capture (what I think are) reasonably good power traces (low-pass filtered, unfortunately the raw power trace looks like a kid’s crayon drawing), and I’ve written some fun and games to align the traces:

Unfortunately, what should be simple CPA refuses to work. Based on the “doubled” key scheduling operation, as well as an unusual number of rounds (14, when AES-128 should be 10?), I think this is an intentional countermeasure, as opposed to poor captures or noise. Other SIM cards I’ve tested look wildly different.

Is there a way to identify whether this is a countermeasure, what general approach I can take against it (if any), or some kind of gallery showing what different countermeasures look like and I’ve just missed it?

If anyone else has done some work in this area: have you seen similar results?


#2

Hi, nice traces! I don’t have any experience with MILENAGE, but others have and have written papers about it, e.g. this one.

Have you tried different leakage models? The updated Jupyter tutorials talk a bit more about this, for example here.

Jean-Pierre