The Wii has four basic ways of communicating with the environment -- games on DVDs, savegames on SD card, channels/VCs on SD card and updates downloaded from Internet. All of them need to be protected, for the Wii security model to hold up integrity. Different solutions are in place for all of the ways, even if there are similarities between them.
- Encryption: Technology used to prevent unauthorized parties from viewing data. The Wii uses AES-128-CBC.
- Symmetric Encryption: The same key is used for both encryption and decryption. AES is a symmetric cipher.
- Hashing: Technology used to detect modification of data. The Wii uses both SHA-1 and MD5.
- Signing: Technology used to prevent unauthorized parties from modifying (changing, editing) data. (Generally, this is a combination of encryption and hashing.) For the purposes of signing, the Wii uses RSA and ECC. Signing is an asymmetric algorithm: a signature can be verified by a party without sufficient information to produce a signature.
- Title: In Wii terminology, a "title" is a self-contained set of code and data. Every game is a title; a channel is a title, etc.
- Content: In Wii terminology, a "content" is piece of code or data. Discs contain one "content" per partition; channels usually contain several "contents" per title.
The rest of this page will assume you know the difference between symmetric and asymmetric cryptography.
Game discs are encrypted to avoid analysis, and signed to avoid modifications.
The encryption is a symmetric cipher, 128 bit AES-CBC. Each disc usually contains two or more partitions. Each partition has its own AES key, referred to as a "title key". This key is stored on the disc, inside of a "ticket", but it is encrypted with the master AES key. So, with the master AES key you can decrypt the title keys, and with the title keys you can decrypt the partitions. Lucky for us, the master AES key was extracted by the Tweezer hack.
The disc is signed by building SHA-1 hashes of small parts of the disc, then aggregating these hashes into a hierarchical structure, which is finally signed with an asymmetric crypto. This solution is chosen for efficiency, since asymmetric cryptos are extremely slow.
For more details, see Partition Data info on the Wiidisc page.
Typically, the first partition contains system updates, in the form of WAD files. The data content of the WAD files themselves are encrypted and signed, as well. It is encrypted by 128 bit AES-CBC, by a title key. The title key is encrypted with the master AES key, and is stored in the WAD.
Savegames on SD cards
When you copy a savegame from your Wii system memory to an SD card (in "Data Management"), it encrypts it with an AES key known to all consoles (SD-key). This serves only to keep prying eyes from reading a savegame file. In crypto terminology, the SD-key is a "shared secret".
Your Wii then signs the file on the SD card with its private (ECC) key. This is to prevent anyone from modifying the save file while it is on the SD card.
If I then give you a copy of my savefile, your Wii can decrypt it because it knows the SD-key. However, it has no way of checking your Wii's signature, because it doesn't know my console's public key. To solve this problem, the savegame also contains a copy of my Wii's public key -- the one that matches the private key it used to sign the savefile. (This copy of my Wii's public key is called a 'certificate'.)
Now your Wii can verify that my Wii signed the file, but it has no way of knowing whether it was really a real Wii that signed it, or if I just made up a new random ECC key to try to fool it. To solve this problem, the certificate stored inside of the savegame is then signed with Nintendo's private key. All Wiis have Nintendo's public key stored in their firmware; your Wii can use that key to verify the signature on the certificate. If the certificate is valid, it can verify the signature on the savegame against my Wii's signature.
We solved the chicken-and-egg problem with our original memory-dumping hack. We extracted a private ECC key from one console. Since any Wii can read any savefile, we only need to have one key -- it doesn't need to be re-encrypted / re-signed every time.
Channels on SD cards
(Need to add text here)
(Need to add text here)