Hello! I’m trying to perform a side channel attack against the AES portion of MILENAGE authentication in a SIM card. I’ve modified a card reader to capture (what I think are) reasonably good power traces (low-pass filtered, unfortunately the raw power trace looks like a kid’s crayon drawing), and I’ve written some fun and games to align the traces:
Unfortunately, what should be simple CPA refuses to work. Based on the “doubled” key scheduling operation, as well as an unusual number of rounds (14, when AES-128 should be 10?), I think this is an intentional countermeasure, as opposed to poor captures or noise. Other SIM cards I’ve tested look wildly different.
Is there a way to identify whether this is a countermeasure, what general approach I can take against it (if any), or some kind of gallery showing what different countermeasures look like and I’ve just missed it?
If anyone else has done some work in this area: have you seen similar results?