Breaking Real-World COTS USIM Cards with Unknown Side-Channel Countermeasures

Abstract In this paper, we examine the question of how to perform an efficient side-channel analysis (SCA) of real-world crypto products with proprietary side-channel countermeasures. Concretely, answering this question requires a suitable selection of side-channel analysis methods and various steps to instantiate it to break various side-channel countermeasures. We take the analysis of a protected prototype system as an example, to discuss how to efficiently use traditional SCA methods and Deep-Learning based SCA methods in the context of analyzing current side-channel countermeasures. Then, we extend the analysis research on a real-world commercial off-the-shelf (COTS) 4G Universal Subscriber Identity Module (USIM) card, showing how to reverse-engineer the embedded side-channel countermeasures by using side-channel information only. The experiment results show that the secret key and other operator-related parameters can be fully recovered without prior knowledge of side-channel countermeasures. This research allows us to provide a living case study of the physical security analysis of real-world crypto products, which might be worthy of more in-depth investigations.