5.1.10.2 Data Zone - Encrypted Write

Writes to the Data zone may be encrypted if the slots have been so configured. Only data written to the Data zone may be encrypted. For the ATECC608A-TNGLoRaWAN device, Slot 13 can be written as encrypted text.

All encrypted writes must be done as 32-byte blocks. If a partial block at the end of the zone needs to be encrypted 32 bytes of input, data must still be sent and used as part of the MAC calculation. The address of the write is an actual memory location address and is not a Data slot number.

Table 5-35. Input Parameters - Encrypted Write

Opcode
(1 Byte)

Mode
(1 Byte)

Address
(2 Bytes)

Input Data
(32 Bytes)

MAC
(32 Bytes)

Description
0x120x82See Section Address Encoding32 bytes of encrypted input data32 bytes of MAC32-byte encrypted write
Table 5-36. Output Response - Encrypted Write
NameSizeDescription
Response1 byteIf successful, it will return a value of 0x00. If unsuccessful, then an error code will be returned.

Data Encryption

Data must be encrypted by the host system prior to writing the data to the slot. The encryption algorithm simply XOR’s the clear text data with the value stored in the TempKey. TempKey must be a result of a GenDig command. The host system will need to calculate this value that will be used in parallel with what the ATECC608A-TNGLoRaWAN calculates. The GenDig command can be used one or more times when calculating the XOR value. The final value will be the actual XOR value used for the encryption. Once the data are encrypted and written, the ATECC608A-TNGLoRaWAN decrypts the value with the value stored in TempKey. The encrypted write must occur before any other commands that can affect the TempKey value or before a time-out occurs. In order to validate the encrypted write, a 32-byte MAC value must also be sent with the command.

Input MAC Generation

The required Input MAC is generated by a SHA256 Hash over 96 bytes. This is calculated by the host system and sent as part of the encrypted Write command.

32 bytes
1 byte
1 byte
2 bytes
1 byte
2 bytes
25 bytes
32 bytes

TempKey
OpCode = 0x12
Mode
Address (LSB, MSB)
SN[8] = Varies by vendor
SN[0:1]=0x01 0x23
Zeros
Plain Text Data