Slashdot Mirror

← Back to Stories (view on slashdot.org)

Wii Uses Elliptic Curve Cryptography For Saves

Posted by Zonk on from the advanced-tech dept.

An anonymous reader writes "A user at the Nintendo-Scene forums just posted a lengthy post about his discovery that the Wii savegame files are signed and encrypted with NIST B 233 bit elliptic curve cryptography. Could this be the first step for a Wii softmod the homebrew community have waited for? From the post: 'It appears a Wii savegame file ends with a certificate chain. The certificates contains a public keypair (the one that is being "certified") and a signature (another number pair) from the signing entity. The number pairs are stored as a compound 60 bit data (first 30 bytes for the first number, and the next 30 bytes for the second). Hence, the first and middle byte is always 00 or 01 for keys, and 00 for signatures. One can check that the keys are indeed NIST B 233 keys using openssls EC_KEY_check_key function (code forthcoming).'"

2 of 183 comments (clear)

  1. It seems to me... by PipianJ · · Score: 5, Informative

    That this likely means the exact opposite. Elliptic Curve Cryptography is relatively difficult to crack (not unlike RSA). More to the point, it's also not liable to factorization attacks like RSA is. Furthermore, the best crack of elliptic curve technology is of a 109-bit key, and still took 3,600 or 15,000 computer-years (whether it's a binary or prime field case, respectively).

    Nintendo's not stupid. They've used RSA encryption to keep the average hacker out of DS-wireless homebrew, and this is most likely a mandated response to the Splinter Cell hack that allowed soft modding on the Xbox. It won't stop hacking through security holes in the internet protocols (a-la PSO+BBA), but they're certainly making efforts to prevent corrupted data from opening up softmod paths.

    1. Re:It seems to me... by Anonymous Coward · · Score: 5, Informative

      I'm not sure what you're getting at when you say ECC isn't liable to factorization attacks. Its certainly more difficult to compute discrete logs in an elliptic curve group than it is to factor an RSA modulus. That's why it takes a 2048 bit RSA key to have roughly the same security strength as a 233 bit ECC key.

      But, particularly because of the recent confusion regarding ECC's resistance to quantum computing (that is, that it has none), I want to make sure people realize ECC isn't any stronger than RSA. Sure, you get shorter keys and faster computations with ECC versus RSA, but for all practical purposes if/when RSA falls, ECC will go down with it. Factorization algorithms usually lead to discrete log algorithms, and vice versa. That's certainly the case with Shor's algorithm, which probably should have been made clear when the quantum computing article was posted.