Okay, let's set things straight about encryption/decryption/signing:
NCCH files (CXI/CFA): The contents of NCCH files (ExeFS, RomFS and the ExHeader) are encrypted with AES-CTR. The file is signed by encrypting the SHA-256 hash of the header with RSA-2048. Encryption/decryption of the NCCH contents uses the same key.
NCSD files (CCI/CSU, aka game ROMs): These are NCCH file containers, so they will only contain CXI and CFA files in plain text (this means that the NCCH file is plain text, but the contents of the NCCH files are still encrypted). Again, like NCCH files, NCSD files are signed by encrypting the SHA-256 hash of the NCSD header with RSA-2048.
3DS downloadable titles: This is a bit more complicated. The files which comprise 3DS downloads are:
- a TMD (which includes certificates); this includes file hashes of the content and is signed. (This is obtained via a SOAP request.)
- a Ticket, also signed; this holds, among other things, the encrypted title key for the content. (This is obtained via a SOAP request.)
- encrypted NCCH files (where the entire file is encrypted, on top of the AES-CTR encryption of the NCCH contents)
Decrypting downloadable 3DS titles (from entirely encrypted to readable) requires the common key and the encrypted title key from the ticket. Using the title ID of the title padded with zeros as the IV, decrypt the title key using AES-CBC. Then, with the same IV as before and the decrypted title key, decrypt the application content with AES-CBC.
HOWEVER, the ticket (which holds the encrypted title key) is only accessible on Nintendo's CDN for System titles. The 'cetk' file does not exist for eShop downloads on Nintendo's CDN. So if one managed to obtain the common key, they would only be able to decrypt System Titles to readable form.
For those theories relating to the SD Card for exploits/game sharing, read here.
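The two-step AES-CBC decryption described above for downloadable titles (unwrap the title key with the common key, then decrypt the content with the title key), as an added example that is not part of the original post. It carries its own AES-128 decryptor so it needs only the standard library; the function names are hypothetical, the 8-byte big-endian title ID layout is an assumption, and no real keys or IDs are included.

```python
from functools import reduce
from operator import xor

def gmul(a, b):                      # multiply in GF(2^8), AES polynomial 0x11B
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = (a << 1) ^ (0x11B if a & 0x80 else 0), b >> 1
    return r

def _sbox(a):                        # field inverse (a^254), then the affine map
    b = reduce(gmul, [a] * 254, 1)
    rot = lambda n: ((b << n) | (b >> (8 - n))) & 0xFF
    return b ^ rot(1) ^ rot(2) ^ rot(3) ^ rot(4) ^ 0x63

SBOX = [_sbox(a) for a in range(256)]
INV = [SBOX.index(v) for v in range(256)]
_xor = lambda a, b: [x ^ y for x, y in zip(a, b)]

def expand_key(key):                 # AES-128: 11 round keys of 16 bytes each
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = [SBOX[x] for x in t[1:] + t[:1]]
            t[0], rcon = t[0] ^ rcon, gmul(rcon, 2)
        w.append(_xor(w[i - 4], t))
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def decrypt_block(rks, blk):         # FIPS-197 InvCipher on one 16-byte block
    unshift = lambda s: [INV[s[4 * ((c - r) % 4) + r]] for c in range(4) for r in range(4)]
    unmix = lambda s: [reduce(xor, (gmul(s[c + j], (14, 11, 13, 9)[(j - r) % 4]) for j in range(4)))
                       for c in (0, 4, 8, 12) for r in range(4)]
    s = _xor(blk, rks[10])
    for rk in rks[9:0:-1]:
        s = unmix(_xor(unshift(s), rk))
    return _xor(unshift(s), rks[0])

def cbc_decrypt(key, iv, data):      # each block is XORed with the previous ciphertext block
    rks, blocks = expand_key(key), [data[i:i + 16] for i in range(0, len(data), 16)]
    return b"".join(bytes(_xor(decrypt_block(rks, c), p)) for c, p in zip(blocks, [iv] + blocks))

def title_iv(title_id):              # assumption: 8-byte big-endian ID + 8 zero bytes
    return title_id.to_bytes(8, "big") + bytes(8)
def unwrap_title_key(common_key, enc_title_key, title_id):
    return cbc_decrypt(common_key, title_iv(title_id), enc_title_key)
def decrypt_content(common_key, enc_title_key, title_id, content):
    title_key = unwrap_title_key(common_key, enc_title_key, title_id)
    return cbc_decrypt(title_key, title_iv(title_id), content)  # same IV, as the post states
```

Because the IV is just the zero-padded title ID, the unwrapped title key is the raw AES decryption of the ticket field XORed with that ID, so the same ticket bytes under a different title ID give a different key.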