5.1.6.2 Encrypted Read
Encrypted reads are only possible on Data zone slots that have the access policies set for an encrypted read. Data in the Configuration zone and OTP zone can never be encrypted. All encrypted reads must be 32 bytes in length. Prior to doing the encrypted read an encryption key must be generated. This key can be unique every time an encrypted read is done on a given slot. Note that in order to read all of the contents of a slot, multiple reads may be required. A unique session key will need to be generated for each encrypted read.
For the ATECC608A-TNGLoRaWAN device, Slots 2-7 and 11-12 require an encrypted read.
Procedure for an Encrypted Read
- Run the
Nonce
command. It is recommended that this be done in Random mode, 32 bytes. Output the value to TempKey. - Run the
GenDig
command. The Slot # of the Encryption key must be included in the GenDig Input parameters, as well as the output of theNonce
command which is stored in TempKey.Note: The output of these two commands is the encryption key and is stored in TempKey. - Issue the
Read
command.- The contents of the Data zone slot will be encrypted by XOR’ing the data with the generated value stored in TempKey. This value in TempKey is the session key that was previously generated.
- The output of the command will be the encrypted data.
Opcode |
Mode |
Address | Description |
---|---|---|---|
0x02 | 0x82 | See Section Address Encoding | 32-byte Data zone read |
Name | Size | Description |
---|---|---|
Data Contents | 32 bytes | 32 bytes of encrypted data [0:31] |
The host system must also calculate the Encryption/Decryption key based
on the output of the Nonce
command and the SHA256 calculation used
in the GenDig
command. This allows for the host system to decrypt
the data being sent.