ATECC608A-TNGLoRaWAN Detailed Slot Access Policies

The following tables provide a more detailed description of each slot key and slot configuration information along with what commands and command modes can be run using this slot.

Table 1. Slot 0 Configuration Information
Slot	Configuration Value	Description of Enabled Features
0	Key:	NwkKey/AppKey^(1,2) 128-bit AES diversified network parent key 128-bit AES diversified application parent key Writes by KDF command are not permitted
	Slot:	Derive key allowed with authorizing MAC Key stored in Slot 13 used for key derivation Contents of the slot are secret and cannot be read.
	Valid commands	`DeriveKey`command `KDF` AES command source key for generating other derived keys

Table 2. Slot 1 Configuration Information
Slot	Configuration Value	Description of Enabled Features
1	Key:	Device Private Key Slot contains the P256 NIST ECC private key A public version the of key can always be generated
	Slot:	Key generation is never permitted Contents of this slot are secret ECDH operations are permitted External signature of arbitrary messages is enabled
	Valid commands	GenKey - Public Key Generation GenKey - PublicKey Digest Generation Sign - External Message

Table 3. Slot 2 Configuration Information
Slot	Configuration Value	Description of Enabled Features
2	Key:	Application Session Key 128-bit AES session key Writes by KDF command are permitted
	Slot:	Writes are always permitted Contents of this slot are secret Reads from this slot are encrypted using the key stored in Slot 14
	Valid commands	Clear Text Write `KDF`Write Encrypted Read

Table 4. Slot 3 Configuration Information
Slot	Configuration Value	Description of Enabled Features
3	Key:	Network Session Encryption Key 128-bit AES session key Writes by KDF command are permitted
	Slot:	Writes are always permitted Contents of this slot are secret Reads from this slot are encrypted using the key stored in Slot 14
	Valid commands	Clear Text Write `KDF`Write Encrypted Read

Table 5. Slot 4 Configuration Information
Slot	Configuration Value	Description of Enabled Features
4	Key:	Serving Network Session Integrity Key 128-bit AES session key Writes by KDF command are permitted
	Slot:	Writes are always permitted Contents of this slot are secret Reads from this slot are encrypted using the key stored in Slot 14
	Valid commands	Clear Text Write `KDF`Write Encrypted Read

Table 6. Slot 5 Configuration Information
Slot	Configuration Value	Description of Enabled Features
5	Key:	Forwarding Network Session Integrity Key 128-bit AES session key Writes by KDF command are permitted
	Slot:	Writes are always permitted Contents of this slot are secret Reads from this slot are encrypted using the key stored in Slot 14
	Valid commands	Clear Text Write `KDF`Write Encrypted Read

Table 7. Slot 6 Configuration Information
Slot	Configuration Value	Description of Enabled Features
6	Key:	Join Server Integrity Key 128-bit AES session key Writes by KDF command are permitted
	Slot:	Writes are always permitted Contents of this slot are secret Reads from this slot are encrypted using the key stored in Slot 14
	Valid commands	Clear Text Write `KDF`Write Encrypted Read

Table 8. Slot 7 Configuration Information
Slot	Configuration Value	Description of Enabled Features
7	Key:	Join Server Encryption Key 128-bit AES session key Writes by KDF command are permitted
	Slot:	Writes are always permitted Contents of this slot are secret Reads from this slot are encrypted using the key stored in Slot 14
	Valid commands	Clear Text Write `KDF`Write Encrypted Read

Table 9. Slot 8 Configuration Information
Slot	Configuration Value	Description of Enabled Features
8	Key:	Certificate Data Slot contains ECC public key and certificate data Slot is lockable
	Slot:	Writes are always permitted Reads are always permitted
	Valid commands	Write - Clear Text Read - Clear Text Lock - SlotLock mode Verify - Stored Public Key Mode

Table 10. Slot 9 Configuration Information
Slot	Configuration Value	Description of Enabled Features
9	Key:	JoinEUI⁽³⁾/DevNonce Slot contains other data Data are used in derive key calculation
	Slot:	Writes are always permitted Reads are always permitted
	Valid commands	Write - Clear Text Read - Clear Text

Table 11. Slot 10 Configuration Information
Slot	Configuration Value	Description of Enabled Features
10	Key:	DevEUI⁽⁴⁾ Slot contains other data (manually assigned Device EUI) Data is used to derive the session keys Slot is lockable
	Slot:	Writes are always permitted Reads are always permitted
	Valid commands	Write - Clear Text Read - Clear Text Lock - SlotLock mode

Table 12. Slot 11 Configuration Information
Slot	Configuration Value	Description of Enabled Features
11	Key:	Multicast Application Session Key Slot contains 128-bit AES session key Writes by KDF command are permitted
	Slot:	Writes are always permitted Contents of this slot are secret Reads from this slot are encrypted using the key stored in Slot 14
	Valid commands	Write - Clear Text `KDF`- AES Mode Encrypted Read AES

Table 13. Slot 12 Configuration Information
Slot	Configuration Value	Description of Enabled Features
12	Key:	Multicast Network Session Key Slot contains 128-bit AES session key Writes by KDF command are permitted
	Slot:	Writes are always permitted Contents of this slot are secret Reads from this slot are encrypted using the key stored in Slot 14
	Valid commands	Write - Clear Text `KDF`- AES Mode Encrypted Read AES

Table 14. Slot 13 Configuration Information
Slot	Configuration Value	Description of Enabled Features
13	Key:	Repersonalization Key Slot contains a SHA256 key
	Slot:	Slot may be written with an encrypted write back to itself Data stored in slot is secret and reads are prohibited Key cannot be used with the `MAC` command.
	Valid commands	Encrypted Write CheckMac GenDig

Table 15. Slot 14 Configuration Information
Slot	Configuration Value	Description of Enabled Features
14	Key:	IO Protection Key Slot contains a SHA-256 key A random nonce is required when using this key This slot is lockable
	Slot	Slot is always writable Data in slot is secret and reads are prohibited
	Valid commands	Write - Clear Text CheckMac GenDig Lock - SlotLock mode

Notes:

1.Each Major LoRa Network provider will have their own Unique parent key which is used to generate the diversified keys stored in the ATECC608A-TNGLoRaWAN device.
2.For the ATECC608A-TNGLoRaWAN Diversified Parent Keys are generated based on TTI, or Actility.
3.The JoinEUI value is associated with a particular network provider. For the ATECC608A-TNGLoRaWAN this value will be associated with either TTI or Actility.
4.The DevEUI is an IEEE Extended Unique Identifier. Each device will have its own value. For the ATECC608A-TNGLoRaWAN the DevEUI will be assigned by Mircrochip.