The full ticket must be sent, it must be signed and match the title id of content.
Encrypt ticket with a random 128bit key and iv and AES CBC 128, then take the used key and iv concated respectively together, and encrypt them RSA CDN Modulus with PKCS#1 v1.5, Block type 1 to match 3ds's work (not Block type 2, modules seem to use this always, I've tried to make this tool in python originally but I didn't bother too much with RSA, didn't find seem to find one that let me set block type or I was blind, I've not tested server response to Block type 2 but, 3ds uses type 1, so sending with type 2 would indicate something's up if they perform checks).
Take both encrypted results, and convert them to base64.
The final result has to be sent every time access to the content or tmd is made as http headers.
"X-Authentication-Key" shall contain the base64 encrypted key and iv used for ticket.
"X-Authentication-Data" shall contain the base64 encrypted ticket.
It's recommended to use a new randomized key and iv per new session, as NIM would get a random one as well per AM request of a wrapped ticket.
