Changes

It uses AES CCM to encrypt a maximum of 0x20000 bytes of data per time, and extends it with a 32 byte trail block at the end.

It uses AES CCM to encrypt a maximum of 0x20000 bytes of data per time, and extends it with a 32 byte trail block at the end.

The last 16 bytes of trail block itself is encrypted with AES CTR, and contains the nonce for decryption and size of the ES block:

A part of the last 16 bytes of trail block itself is encrypted with AES CTR, and contains the nonce for decryption and size of the ES block:

  0000000: qq qq qq qq qq qq qq qq qq qq qq qq qq qq qq qq

  0000000: qq qq qq qq qq qq qq qq qq qq qq qq qq qq qq qq

  0000010: xx nn nn nn nn nn nn nn nn nn nn nn nn yy yy yy

  0000010: xx nn nn nn nn nn nn nn nn nn nn nn nn yy yy yy

  00 nn nn nn nn nn nn nn nn nn nn nn nn 00 00 00

  00 nn nn nn nn nn nn nn nn nn nn nn nn 00 00 00

After decrypting the trailblock, xx is always 0x3A, and yy is the size of the ES block (excluding the trail block). It is assumed that qq is a MAC (Message Authentication Code), used to verify the contents of the ES block after decryption, but this has not been verified yet.

After decrypting the trailblock, xx is always 0x3A, and yy is the size of the ES block (excluding the trail block). The nonce after decryption is not used. It is assumed that qq is a MAC (Message Authentication Code), used to verify the contents of the ES block after decryption, but this has not been verified yet.

The same 12-byte nonce from the trailblock is again used to decrypt the whole ES block itself.

The same 12-byte nonce from the trailblock is again used to decrypt the whole ES block itself.