Difference between revisions of "ES block encryption"

From DSiBrew
Line 1: Line 1:
 
ES block encryption, for lack of a better name, is a commonly used data encryption method on DSi by Nintendo.
 
ES block encryption, for lack of a better name, is a commonly used data encryption method on DSi by Nintendo.
  
It uses AES CCM to encrypt a maximum of 0x20000 bytes of data per time, and extends it with a 32 byte trail block at the end.
+
It uses AES CCM to encrypt a maximum of 0x20000 bytes of data per time, and extends it with a 32 byte metablock at the end.
  
A part of the last 16 bytes of trail block itself is encrypted with AES CTR, and contains the nonce for decryption and size of the ES block:
+
A part of the last 16 bytes of metablock itself is encrypted with AES CTR, and contains the nonce for decryption and size of the ES block:
 
  0000000: qq qq qq qq qq qq qq qq qq qq qq qq qq qq qq qq
 
  0000000: qq qq qq qq qq qq qq qq qq qq qq qq qq qq qq qq
 
  0000010: xx nn nn nn nn nn nn nn nn nn nn nn nn yy yy yy
 
  0000010: xx nn nn nn nn nn nn nn nn nn nn nn nn yy yy yy
  
The counter used for decrypting the trail block is the last 16 bytes of the trailblock, with the first, 14th, 15th and 16th byte set to 0:
+
The counter used for decrypting the last 16 bytes of the metablock is the last 16 bytes of the metablock itself, with the first, 14th, 15th and 16th byte set to 0:
 
  00 nn nn nn nn nn nn nn nn nn nn nn nn 00 00 00
 
  00 nn nn nn nn nn nn nn nn nn nn nn nn 00 00 00
  
After decrypting the trailblock, xx is always 0x3A, and yy is the size of the ES block (excluding the trail block). The nonce after decryption is not used. It is assumed that qq is a MAC (Message Authentication Code), used to verify the contents of the ES block after decryption, but this has not been verified yet.
+
After decrypting the metablock, xx is always 0x3A, and yy is the size of the ES block (excluding the metablock). The nonce after decryption is not used. The 16-byte block qq is a MAC (Message Authentication Code) calculated via AES CBC-MAC, used to verify the contents of the ES block after decryption.
  
The same 12-byte nonce from the trailblock is again used to decrypt the whole ES block itself.
+
The same 12-byte nonce from the metablock is again used to decrypt the whole ES block itself.
  
Data larger than 0x20000 bytes is split into multiple ES blocks, each with their own trailblock.
+
Data larger than 0x20000 bytes is split into multiple ES blocks, each with their own metablock.
 +
 
 +
A couple of tools to work with DSi AES CTR/CCM binaries can be found [http://github.com/neimod/dsi here].
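Review bot: in the rewritten MAC paragraph, the caveat "but this has not been verified yet" is replaced by a flat statement that qq is "calculated via AES CBC-MAC", with nothing in the change saying how that was confirmed or which bytes the MAC covers. If the tools linked in the new last line are the evidence, say so in that paragraph and state what input is MACed, so readers can reproduce the check. The byte order of the three yy size bytes is also still unstated and is worth adding while this paragraph is being touched.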

Revision as of 19:03, 29 September 2010

ES block encryption, for lack of a better name, is a data encryption method that Nintendo commonly uses on the DSi.

It uses AES CCM to encrypt a maximum of 0x20000 bytes of data at a time, and appends a 32-byte metablock at the end.

Part of the last 16 bytes of the metablock is itself encrypted with AES CTR; these 16 bytes contain the nonce for decryption and the size of the ES block:

 0000000: qq qq qq qq qq qq qq qq qq qq qq qq qq qq qq qq
 0000010: xx nn nn nn nn nn nn nn nn nn nn nn nn yy yy yy

The counter used for decrypting the last 16 bytes of the metablock is those same 16 bytes as stored, with the first, 14th, 15th and 16th bytes set to 0:

 00 nn nn nn nn nn nn nn nn nn nn nn nn 00 00 00

After decrypting the metablock, xx is always 0x3A, and yy is the size of the ES block (excluding the metablock). The nonce after decryption is not used. The 16-byte block qq is a MAC (Message Authentication Code) calculated via AES CBC-MAC, used to verify the contents of the ES block after decryption.

The same 12-byte nonce from the metablock is again used to decrypt the whole ES block itself.

Data larger than 0x20000 bytes is split into multiple ES blocks, each with its own metablock.
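The metablock handling described above, as an added example (not code from DSiBrew or from the linked tools). The names `parse_metablock`, `build_info` and `toy_block` are hypothetical, the byte order of yy is an assumption because the page does not state it, and `toy_block` is a constructed SHA-256 stand-in for the keyed AES block encryption so that the example runs offline.

```python
import hashlib
from typing import Callable, NamedTuple

METABLOCK_SIZE = 0x20   # 16-byte MAC (qq) followed by the 16-byte info block
MAX_ES_DATA = 0x20000   # maximum payload of one ES block

class MetaBlock(NamedTuple):
    mac: bytes    # qq: CBC-MAC over the ES block contents
    nonce: bytes  # nn: 12-byte nonce, stored in the clear
    size: int     # yy: payload size, excluding the metablock

def info_counter(info: bytes) -> bytes:
    """Counter block: the stored info block with bytes 1, 14, 15, 16 zeroed."""
    return b"\x00" + info[1:13] + b"\x00\x00\x00"

def parse_metablock(meta: bytes, encrypt_block: Callable[[bytes], bytes],
                    byteorder: str = "big") -> MetaBlock:
    """encrypt_block is the keyed block encryption E_K (assumed plain CTR use)."""
    if len(meta) != METABLOCK_SIZE:
        raise ValueError("metablock must be exactly 32 bytes")
    mac, info = meta[:16], meta[16:]
    # Single CTR block: plaintext = ciphertext XOR E_K(counter).
    keystream = encrypt_block(info_counter(info))
    plain = bytes(c ^ k for c, k in zip(info, keystream))
    # 0x3A is only a one-byte sanity check; the MAC is the real integrity check.
    if plain[0] != 0x3A:
        raise ValueError("bad marker byte: wrong key or corrupt metablock")
    size = int.from_bytes(plain[13:16], byteorder)  # byte order is an assumption
    if size > MAX_ES_DATA:
        raise ValueError(f"ES block size {size:#x} exceeds 0x20000")
    return MetaBlock(mac, info[1:13], size)

def build_info(nonce: bytes, size: int, encrypt_block, byteorder="big") -> bytes:
    """Inverse of the parse step, used only to construct sample input."""
    plain = b"\x3a" + nonce + size.to_bytes(3, byteorder)
    keystream = encrypt_block(info_counter(plain))
    enc = bytes(p ^ k for p, k in zip(plain, keystream))
    # Only xx and yy are stored encrypted; the nonce stays readable.
    return enc[:1] + nonce + enc[13:]

def toy_block(counter: bytes) -> bytes:
    """Constructed stand-in for keyed AES block encryption. NOT AES."""
    return hashlib.sha256(b"constructed-demo-key" + counter).digest()[:16]

if __name__ == "__main__":
    meta = bytes(16) + build_info(bytes(range(1, 13)), 0x1F000, toy_block)
    print(parse_metablock(meta, toy_block))
```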

A couple of tools to work with DSi AES CTR/CCM binaries can be found [http://github.com/neimod/dsi here].