Encrypted Read

Encrypted reads are only possible on Data zone slots that have the access policies set for an encrypted read. Data in the Configuration zone and OTP zone can never be encrypted. All encrypted reads must be 32 bytes in length. Prior to doing the encrypted read an encryption key must be generated. This key can be unique every time an encrypted read is done on a given slot. Note that in order to read all of the contents of a slot, multiple reads may be required. A unique session key will need to be generated for each encrypted read.

For the ATECC608A-TNGLoRaWAN device, Slots 2-7 and 11-12 require an encrypted read.

Procedure for an Encrypted Read

The following steps are required for each encrypted read:

1.Run the Nonce command. It is recommended that this be done in Random mode, 32 bytes. Output the value to TempKey.
2.Run the GenDig command. The Slot # of the Encryption key must be included in the GenDig Input parameters, as well as the output of the Nonce command which is stored in TempKey.
Note: The output of these two commands is the encryption key and is stored in TempKey.
3.Issue the Read command.
- The contents of the Data zone slot will be encrypted by XOR’ing the data with the generated value stored in TempKey. This value in TempKey is the session key that was previously generated.
- The output of the command will be the encrypted data.

Table 1. Input Parameters - Encrypted Read
Opcode (1 Byte)	Mode (1 Byte)	Address (2 Byte)	Description
0x02	0x82	See Section Address Encoding	32-byte Data zone read

Table 2. Output Response - Encrypted Read
Name	Size	Description
Data Contents	32 bytes	32 bytes of encrypted data [0:31]

The host system must also calculate the Encryption/Decryption key based on the output of the Nonce command and the SHA256 calculation used in the GenDig command. This allows for the host system to decrypt the data being sent.