Hacking And the signing bug is...

dasfteg

Well-Known Member
OP
Newcomer
Joined
Mar 23, 2008
Messages
83
Trophies
0
Location
Bikini island
XP
147
Country
United States
http://wiibrew.org/index.php?title=Signing_bug

QUOTE said:
struct rsa_cert {
    u32 key_id;
    char rsa_signature[1024];
    char metadata[32];
    char content_hash[20];
};

int verify_cert (struct rsa_cert cert) {
    char *cert_hash=SHA1(cert.metadata + cert.content_hash);
    /* only the hash from the decrypted block is used; the padding is not checked */
    char *sig_hash=rsa_decrypt(cert.rsa_signature, cert.key_id);

    /* the bug: strncmp is a string compare and stops at the first null byte */
    if (strncmp(cert_hash, sig_hash, SHA1_LENGTH) == 0) {
        return CERT_OK;
    } else {
        return CERT_BAD;
    }
}

int is_a_valid_disc(struct rsa_cert cert, char *disc_hash) {
    if(memcmp(disc_hash, cert.content_hash, SHA1_LENGTH) != 0) {
        return DISC_BAD;
    }

    if(verify_cert (cert) == CERT_BAD) {
        return DISC_BAD;
    } else {
        return DISC_OK;
    }
}
 

dasfteg

bennydigital said:
and this means
http://debugmo.de/?p=61
QUOTE
Basically, Nintendo screwed up the RSA signature verification badly. RSA is a well-known algorithm, hasn’t been broken yet, and basically there is just one thing you can do wrong: Not comparing the complete result (after an RSA public decrypt). And Nintendo did both things wrong. They screwed this up so hard that you need to count it twice. Here is the deal: Of the 4k or 2k result of the RSA decrypted hash block, they don’t check the padding at all. They just compare the SHA1-hash. Now, C is a hard language, especially when dealing with strings and blocks of memory, and there are so many functions with different names, so it’s almost impossible to not get confused. (This was a joke, if you haven’t got it.) Even more a joke is to compare binary blocks of data using a string compare (namely strncmp) instead of a binary compare (like memcmp). Yes, you have read correctly: For verifying the hash (which is the only thing they verify in the signature), they have chosen to use a function which stops on the first null byte - with a positive result. Out of the 160 bits of the SHA1-hash, up to 152 bits are thrown away. Hooray.
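The comparison flaw described in the two quotes above, as an added example that is not part of the original thread or of the quoted wiibrew and debugmo.de text: it runs the string compare from verify_cert() beside a binary compare and a full-length compare with no early exit on the same pair of values. The two 20-byte arrays are constructed placeholders rather than real SHA-1 digests, and the function names and the constant-time variant are assumptions added here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SHA1_LENGTH 20

/* Constructed 20-byte values standing in for SHA-1 digests (not real hashes). */
static const unsigned char EXPECTED[SHA1_LENGTH] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99,
    0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x01, 0x02, 0x03, 0x04 };
/* Shares only the leading 0x00 byte with EXPECTED. */
static const unsigned char OTHER[SHA1_LENGTH] = {
    0x00, 0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef, 0xde,
    0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe };

/* Comparison as in the quoted verify_cert(): digests treated as C strings. */
int equal_strncmp(const unsigned char *a, const unsigned char *b) {
    return strncmp((const char *)a, (const char *)b, SHA1_LENGTH) == 0;
}

/* Binary comparison over all 20 bytes, null bytes included. */
int equal_memcmp(const unsigned char *a, const unsigned char *b) {
    return memcmp(a, b, SHA1_LENGTH) == 0;
}

/* Full-length comparison with no early exit (hardened variant, added here). */
int equal_constant_time(const unsigned char *a, const unsigned char *b) {
    unsigned char diff = 0;
    for (size_t i = 0; i < SHA1_LENGTH; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Number of bytes strncmp looks at before returning for this pair. */
size_t bytes_examined_by_strncmp(const unsigned char *a, const unsigned char *b) {
    for (size_t i = 0; i < SHA1_LENGTH; i++)
        if (a[i] != b[i] || a[i] == 0)
            return i + 1;
    return SHA1_LENGTH;
}

int main(void) {
    printf("strncmp equal: %d (examined %zu of %d bytes)\n",
           equal_strncmp(EXPECTED, OTHER),
           bytes_examined_by_strncmp(EXPECTED, OTHER), SHA1_LENGTH);
    printf("memcmp equal: %d\n", equal_memcmp(EXPECTED, OTHER));
    printf("constant-time equal: %d\n", equal_constant_time(EXPECTED, OTHER));
    return 0;
}
```

A regression test for any digest or MAC comparison routine should include a pair like this one, where the values agree only up to a null byte.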
 
