Cryptography
At a high level, SmartGlass uses:
- ECDH over prime256/384/521v1 with a salted SHA-512 KDF for key exchange
- AES-128-CBC for message encryption
- HMAC-SHA-256 for message authentication
Key Exchange
In detail, key exchange works like this:
- On discovery, the console responds with a Discovery Response that includes a certificate; this certificate holds the console's public key.
- The client randomly generates an elliptic curve public/private keypair and uses ECDH with the console's public key to derive the shared secret.
- The shared secret is salted using static salts (see KDF Salts).
- The salted shared secret is hashed using SHA-512.
- The salted & hashed shared secret is split into the following individual keys:
  - bytes 0-16: Encryption key (AES-128-CBC)
  - bytes 16-32: Initialization Vector key (AES-128-CBC)
  - bytes 32-64: Hashing key (HMAC-SHA-256)
- The client's public key is sent to the console inside the Connect Request message.
KDF Salts
- Prepend: D6 37 F1 AA E2 F0 41 8C
- Append: A8 F8 1A 57 4E 22 8A B7
IV Generation
Connect Request
The IV is randomly generated and transmitted inside the unprotected payload section of the Connect Request packet.
Messages
The IV is generated by encrypting the first 16 bytes of the packet header with AES-128-CBC and a null IV.
Protected Payload Length
The protected payload length inside the header indicates the data length without padding.
Padding
Protected payloads are padded using a PKCS#7 variant that deviates from the specification, to match the alignment needed for encryption.
How it differs from the specification: the plaintext needs to be aligned to 16 bytes. If the plaintext is already 16-byte aligned, NO PADDING is used.
NOTE: By specification, a whole padding block (16 bytes) would be appended to the plaintext in that case.
Example
Plaintext (12 bytes)
DE AD BE EF DE AD BE EF DE AD BE EF
Padded (12+4 bytes)
DE AD BE EF DE AD BE EF DE AD BE EF 04 04 04 04
As you can see, each padding byte holds the number of padding bytes added:
2 byte padding: 02 02
3 byte padding: 03 03 03
6 byte padding: 06 06 06 06 06 06
Message Authentication
All encrypted packets are authenticated using HMAC-SHA-256.
The produced hash has a length of 32 bytes (0x20).
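The key split, the non-standard padding and the 32-byte HMAC described above, as an added Python example using only the standard library (not code from the original page or the SmartGlass project). The ECDH and AES steps are left out; the shared secret is a constructed stand-in, and the function names and the use of the protected payload length to strip padding are assumptions.

```python
import hashlib
import hmac

# Static salts from the "KDF Salts" section.
SALT_PREPEND = bytes.fromhex("D637F1AAE2F0418C")
SALT_APPEND = bytes.fromhex("A8F81A574E228AB7")
BLOCK = 16  # AES block size in bytes


def derive_keys(shared_secret: bytes) -> tuple[bytes, bytes, bytes]:
    """SHA-512 over prepend || secret || append, split into enc key, IV key, hash key."""
    digest = hashlib.sha512(SALT_PREPEND + shared_secret + SALT_APPEND).digest()
    return digest[0:16], digest[16:32], digest[32:64]


def pad(plaintext: bytes) -> bytes:
    """PKCS#7 variant from the page: already aligned input gets NO padding block."""
    missing = -len(plaintext) % BLOCK
    return plaintext + bytes([missing]) * missing


def unpad(padded: bytes, protected_len: int) -> bytes:
    # Assumption: the receiver truncates to the header's protected payload length,
    # since an aligned plaintext that happens to end in 01 would be ambiguous.
    if len(padded) % BLOCK or not 0 <= protected_len <= len(padded):
        raise ValueError("bad length")
    if len(padded) - protected_len >= BLOCK:
        raise ValueError("more than one block of padding")
    return padded[:protected_len]


def tag(hash_key: bytes, data: bytes) -> bytes:
    """32-byte HMAC-SHA-256; which packet bytes are covered is not stated on the page."""
    return hmac.new(hash_key, data, hashlib.sha256).digest()


def verify(hash_key: bytes, data: bytes, received: bytes) -> bool:
    """Constant-time comparison of the expected and received tags."""
    return hmac.compare_digest(tag(hash_key, data), received)


if __name__ == "__main__":
    secret = bytes(range(32))  # constructed stand-in for an ECDH shared secret
    enc_key, iv_key, hash_key = derive_keys(secret)
    msg = bytes.fromhex("DEADBEEF" * 3)  # 12-byte plaintext from the page
    padded = pad(msg)
    print(padded.hex(" "), unpad(padded, len(msg)) == msg)
    print(verify(hash_key, padded, tag(hash_key, padded)))
```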
Auxiliary Stream encryption
Cryptography parameters for the Title channel (aka Auxiliary Stream) are transmitted via the Auxiliary Stream message.
The host sets all the crypto parameters and informs the client about them.
The client then uses the received AES key, HMAC key and Client/Server IV to set up the crypto context.