Forgot your password?
typodupeerror
Wii Encryption Security

Wii Uses Elliptic Curve Cryptography For Saves 183

Posted by Zonk
from the advanced-tech dept.
An anonymous reader writes "A user at the Nintendo-Scene forums just posted a lengthy post about his discovery that the Wii savegame files are signed and encrypted with NIST B 233 bit elliptic curve cryptography. Could this be the first step for a Wii softmod the homebrew community have waited for? From the post: 'It appears a Wii savegame file ends with a certificate chain. The certificates contains a public keypair (the one that is being "certified") and a signature (another number pair) from the signing entity. The number pairs are stored as a compound 60 bit data (first 30 bytes for the first number, and the next 30 bytes for the second). Hence, the first and middle byte is always 00 or 01 for keys, and 00 for signatures. One can check that the keys are indeed NIST B 233 keys using openssls EC_KEY_check_key function (code forthcoming).'"
This discussion has been archived. No new comments can be posted.

Wii Uses Elliptic Curve Cryptography For Saves

Comments Filter:
  • by underpenguin (1094689) on Sunday September 16, 2007 @03:32AM (#20623181)
    Well, I'll just dig out my uplink disk....I think I have an elliptic code breaker in there somewhere
    • by creimer (824291)
      I think I still have an elliptic code breaker written in logo from my Apple ][ days. :P
  • WTF? (Score:5, Interesting)

    by Anonymous Coward on Sunday September 16, 2007 @03:42AM (#20623229)
    Why is it that we live in a world where our console gamesaves are protected more aggressively than our bank accounts and our identities combined?
    • Re:WTF? (Score:5, Funny)

      by creimer (824291) on Sunday September 16, 2007 @03:59AM (#20623309) Homepage
      Without encrypted gamesaves, the global economy will collapse and basement gamers will be out on the streets panhandling for money.
    • Re:WTF? (Score:5, Insightful)

      by Yvanhoe (564877) on Sunday September 16, 2007 @05:09AM (#20623621) Journal
      Or our votes....
    • Re: (Score:2, Interesting)

      by noidentity (188756)
      The governments of the world don't need easy access to your game saves, apparently.
    • by suv4x4 (956391)
      Why is it that we live in a world where our console gamesaves are protected more aggressively than our bank accounts and our identities combined?

      Reason 1:

      Because the manufacturer of a hardware/software product has more expertize in data protection and encryption than a bank owner does.

      Reason 2:

      In the first case, the vendor tries to protect itself and his assets. The incentive is strong.
      In the second case, the vendor is supposed to protect their customers. The incentive is weaker.

      ---------

      That said, I want t
      • by sqldr (838964)
        Reason 3:

        If the game save is encrypted, then the computer can check it's not been tampered with, and thus protect itself from buffer overflows in the data. Most of the copyright cracks on PS2 and Xbox were carried out by loading up bogus saved games.

        They're protecting themselves.
    • by Xenographic (557057) on Sunday September 16, 2007 @01:54PM (#20626991) Homepage Journal
      Clearly, the people who make our video games are far more competent than those protecting those other things like votes, money, identity, etc.

      Actually, it makes a sort of perverse sense. It's pretty easy to write bog-standard business applications that do CRUD (in both the database & other sense), but it's not so easy to program a game that has to run at acceptable frame rates.
    • Re:WTF? (Score:5, Funny)

      by harlows_monkeys (106428) on Sunday September 16, 2007 @02:22PM (#20627249) Homepage
      Because if someone steals from your bank account, that is a crime, and there is a mechanism to punish them.

      If, however, someone cheats with a gamesave, there is no official mechanism to deal with them, and so people would have to turn to vigilante justice to track down and deal with cheaters. That would be bad. Very bad. First, it would start out with roving gangs of gamers, seeking out and punishing the transgressors. Some might see them as heroes, but it would not last. Disagreements would arise over what is cheating, and what is acceptable modding.

      This would finally lead to civil war, as the gaming world splits into two (or more!) factions fighting it out. As the gaming world goes, so goes civilization itself, and the new dark ages would be upon us.

      Until the government gets off its ass and outlaws fiddling with gamesaves, all we have standing between us and the apocalypse are the game companies, and their gamesave cryptography.

    • If a gamesave is not protected, a multinational corporation might fall one cent short on its earnings next quarter. If a bank account or identity is not protected, a person might spend the rest of their life trying to set things straight while their ability to get credit, rent an apartment, get a job, get health insurance, or buy a home is destroyed.

      Clearly, our society has spoken as to which of these things is more important to prevent.
  • It seems to me... (Score:5, Informative)

    by PipianJ (574459) on Sunday September 16, 2007 @03:49AM (#20623275)

    That this likely means the exact opposite. Elliptic Curve Cryptography [wikipedia.org] is relatively difficult to crack (not unlike RSA). More to the point, it's also not liable to factorization attacks like RSA is. Furthermore, the best crack of elliptic curve technology is of a 109-bit key, and still took 3,600 [certicom.com] or 15,000 [certicom.com] computer-years (whether it's a binary or prime field case, respectively).

    Nintendo's not stupid. They've used RSA encryption to keep the average hacker out of DS-wireless homebrew, and this is most likely a mandated response to the Splinter Cell hack that allowed soft modding on the Xbox. It won't stop hacking through security holes in the internet protocols (a-la PSO+BBA), but they're certainly making efforts to prevent corrupted data from opening up softmod paths.

    • Re:It seems to me... (Score:5, Informative)

      by Anonymous Coward on Sunday September 16, 2007 @04:12AM (#20623379)
      I'm not sure what you're getting at when you say ECC isn't liable to factorization attacks. Its certainly more difficult to compute discrete logs in an elliptic curve group than it is to factor an RSA modulus. That's why it takes a 2048 bit RSA key to have roughly the same security strength as a 233 bit ECC key.

      But, particularly because of the recent confusion regarding ECC's resistance to quantum computing (that is, that it has none), I want to make sure people realize ECC isn't any stronger than RSA. Sure, you get shorter keys and faster computations with ECC versus RSA, but for all practical purposes if/when RSA falls, ECC will go down with it. Factorization algorithms usually lead to discrete log algorithms, and vice versa. That's certainly the case with Shor's algorithm, which probably should have been made clear when the quantum computing article was posted.
    • Re: (Score:2, Insightful)

      by tpwch (748980)
      Yes, but they don't have to break it, they just have to find the public key. It must be stored somewhere on the wii, so it can do the encryption of the saves. They were able to find the keys for blu-ray and hd-dvd, so why not here?
    • It is still liable to disassembly attack. If elliptic curve used is sect233r1, as poster assume, that could be useful information for disassembly. If wii use OpenSSL that fact could be even more useful.
    • I found the PSO exploit when I was cheating the Dreamcast version of the game. PSO "version 2" added a new packet, known as RcvProgramPatch, that downloaded code to the system. Sega used that packet to download assembly code to the client that checked for some of the cheats we made. The packet stayed in the game through the GameCube version, at which point someone else found it and made the BBA homebrew exploit.

      Of course, Sega didn't sign that downloaded code, which is why it worked.

      Regarding this savega
  • by Neuticle (255200) on Sunday September 16, 2007 @04:09AM (#20623359) Homepage
    (Assuming that this discovery allows people to write new, arbitrary yet signed data into a save file on a SD card that the Wii will recognize as a "valid" save)

    The next step will be to search for an exploit in the console or in a game that allows execution of that data. The final step is to figure out how to get that newly loaded code to do something useful. I know this has been done before, but I'm under the impression that the exploit (in a 007 game) was found by chance. After that lucky break, the code-something-useful part came very fast.

    Is there any way to search for such an exploit other than brute force testing of games? Are there things to look for that normal players might see, or do you have to just try to execute code over and over and over in various situations, hoping to find a hole? In short, how can I, a non-programmer, help?

    I have hundreds of SNES and NES carts. I would love to be able to run those games on the Wii without having to buy them a second time or wait for N to trickle them out. Now if I can just hack together some Wii wireless SNES and NES pads, I'll be in heaven.
    • by Neuticle (255200)
      I know I made a big assumption* in the parent post, but I wanted to ask the question about the second step, if we ever get there.

      It's just too bad that there isn't some way to compromise to allow a Wii "sandbox" to play around and develop in without allowing full fledged piracy. Maybe a modified (i.e. slightly crippled to prevent full piracy) Wii dev-kit open to all for a reasonable cost?

      Just throwing the idea out there

      *I know getting past the encryption will be no easy task, and may not be feasible at all
      • by tepples (727027)

        It's just too bad that there isn't some way to compromise to allow a Wii "sandbox" to play around and develop in without allowing full fledged piracy.
        It's called a PC with a Bluetooth adapter.
    • by Bert64 (520050)
      I have a compilation DVD that runs on a modded gamecube or wii, it includes an emulator and a whole heap of NES/SNES (and sega consoles) rom files... I believe there's an xbox version of this DVD too. You could use that, and if you really feel bad about piracy just play the games where you also posess the physical cart.
      • by gl4ss (559668)
        a new mod is needed for the new wii consoles that are in shops now, as they use a newer version of the drive chip that is what was the attack route before with wii modchips(no chip works on gc2-d2c chip, as apparently the legs are not connected inside the chip, so the currently thought of workaround is afaik to replace the entire chip, which takes a little more of soldering experience than normal modding).

        with older wii's you can use very cheap modchips(wiikey clones are under ten bucks a piece)..

        so a softm
    • Re: (Score:3, Interesting)

      Regarding the part about the wireless SNES controller:

      Have you seen Nintendo's "Classic controller" that they offer (primarily for the virtual console games)? It looks a little odd, but after you start using it, you'll realize that it's really an SNES controller with some analog sticks thrown on at the bottom (and two extra "shoulder" buttons). Also, it plugs into the wii-remote, so I consider it semi-wireless.

      Anyways, definately my favourite controller ever, so you should give it a try, if you haven't ye

      • by Neuticle (255200)
        I've tried it, and it's pretty darn good, but I like my classic games on the period controllers they were designed for. I've maintained a stable of NES, SNES, Genesis and 64 controllers, and repaired more than a few rather than buy some 3rd party replacement. Anything broken beyond easy fix would be a perfect fit to turn into a Bluetooth wireless.

        As an extra bonus, they could also be used on a PC with emulators (if I'm remembering correctly)

        I know the NES, SNES and Genesis controllers were done, but do you
  • What will all the hacker and code breaker types do with their time if all companies stop encrypting stuff?
  • by Tim Browse (9263) on Sunday September 16, 2007 @06:02AM (#20623875)

    ...where the police are looking for a violent killer, and then their surveillance locates him, and they all breathe a sigh of relief, as they assume that's the hard part done - all they have to do now is arrest him.

    I can't help thinking that there's a wee bit more work to do than just find out what encryption method is being used.

    Then again, maybe your average slashdotter thinks that 'breaking encryption' is as easy as 'guessing the algorithm used' :-).

    • I don't know about the average slashdotter, but this editor probably seems to be "oh, it's just encryption; I'll reverse it and be home for lunch" school of thought.
    • by forkazoo (138186)

      ...where the police are looking for a violent killer, and then their surveillance locates him, and they all breathe a sigh of relief, as they assume that's the hard part done - all they have to do now is arrest him.

      I can't help thinking that there's a wee bit more work to do than just find out what encryption method is being used.

      Then again, maybe your average slashdotter thinks that 'breaking encryption' is as easy as 'guessing the algorithm used' :-).

      Well, sure, it'll be none trivial to get a key. OTOH,

      • by Tim Browse (9263) on Sunday September 16, 2007 @04:50PM (#20628461)

        . OTOH, there are a lot of Wii owners with an interest in finding it, so it might not be infeasible to imagine a distributed computing project with many thousands of nodes cranking away for a year.

        I don't want to worry you, but there's a possibility that cryptographers have thought of that.

        For example: [purselipsquarejaw.org]

        the Xbox uses a 2048-bit encryption key - and that will be really hard to crack, even if it is theoretically possible to derive the private key from the public key. Via New Scientist: "Brian Gladman, an independent cryptography expert based in the UK, says the length of the key means there is an incredibly slim chance of finding it via brute force computing. According to RSA company, it would take a million Pentium 500MHz computers 100 billion years to run through all the possible solutions of a 1640-bit key. A 2048 bit key would be exponentially harder to crack.
    • Re: (Score:3, Insightful)

      by Eivind (15695)
      True, if the encryption/signing is implemented correctly, there's little hope that it'll be cracked anytime soon.

      But there's another avenue for attack. Given that a wii-game is capable of creating, verifying and signing its own savefiles, this means that the encryption-keys are also stored either in the wii-console or in the game-software.

      So, it's just a matter of extracting them.

      Once you know *both* the method of encryption and signing, *AND* are in posession of the relevant keys, the rest really is a walk
  • FTFS
    The number pairs are stored as a compound 60 bit data (first 30 bytes for the first number, and the next 30 bytes for the second).

    Interesting that they can store 60 bytes of data in 60 bits! I think someone made a typo...
  • "Enough of your borax, poindexter! We need action!" - Chief Wiggum
  • The number pairs are stored as a compound 60 bit data (first 30 bytes for the first number, and the next 30 bytes for the second)

    That math does not seem to work out.
    60 b = 30 B + 30 B (huh?)

    So which is it, bits or bytes? Oh well, I guess I will go read the article to find out.
    • by strstrep (879828)
      I'm guessing bytes. A 30-bit keyspace is pretty small, definitely within the realm of brute forcing.

Stupidity, like virtue, is its own reward.

Working...