Encrypted reads are only possible on Data zone slots that have the access policies set for an encrypted read. Data in the Configuration zone and OTP zone can never be encrypted. All encrypted reads must be 32 bytes in length. Prior to doing the encrypted read an encryption key must be generated. This key can be unique every time an encrypted read is done on a given slot. Note that in order to read all of the contents of a slot, multiple reads may be required. A unique session key will need to be generated for each encrypted read.
For the ATECC608A-TNGLoRaWAN device, Slots 2-7 and 11-12 require an encrypted read.
1. Nonce command. It is recommended that this be done in Random mode, 32 bytes. Output the value to TempKey.
2. GenDig command. The Slot # of the Encryption key must be included in the GenDig Input parameters, as well as the output of the Nonce command which is stored in TempKey.
3. Read command.
Opcode | Mode | Address | Description |
---|---|---|---|
0x02 | 0x82 | See Section Address Encoding | 32-byte Data zone read |
Name | Size | Description |
---|---|---|
Data Contents | 32 bytes | 32 bytes of encrypted data [0:31] |
The host system must also calculate the Encryption/Decryption key based on the output of the Nonce command and the SHA256 calculation used in the GenDig command. This allows for the host system to decrypt the data being sent.
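The host-side calculation described above, as an added example that is not code from this page or from the vendor. The Nonce and GenDig message layouts and the XOR with TempKey are taken from the full ATECC608A datasheet as an assumption to verify against your device's documentation; the key, serial number, nonce values and slot number are constructed.

```python
import hashlib

NONCE_OPCODE, GENDIG_OPCODE = 0x16, 0x15
ZONE_DATA = 0x02  # GenDig zone parameter selecting a Data zone slot

def nonce_tempkey(rand_out: bytes, num_in: bytes, mode: int = 0x00) -> bytes:
    """TempKey after Nonce (Random mode): SHA256(RandOut | NumIn | opcode | mode | 0)."""
    if len(rand_out) != 32 or len(num_in) != 20:
        raise ValueError("RandOut must be 32 bytes and NumIn 20 bytes")
    return hashlib.sha256(rand_out + num_in + bytes([NONCE_OPCODE, mode, 0])).digest()

def gendig_tempkey(enc_key: bytes, key_slot: int, tempkey: bytes, sn: bytes) -> bytes:
    """TempKey after GenDig: the encryption key mixed with the Nonce result."""
    if len(enc_key) != 32 or len(tempkey) != 32 or len(sn) != 9:
        raise ValueError("expected 32-byte key, 32-byte TempKey, 9-byte serial")
    msg = (enc_key + bytes([GENDIG_OPCODE, ZONE_DATA]) + key_slot.to_bytes(2, "little")
           + sn[8:9] + sn[0:2] + bytes(25) + tempkey)
    return hashlib.sha256(msg).digest()

def session_key(enc_key, key_slot, rand_out, num_in, sn) -> bytes:
    """Key the host must derive again before each encrypted read."""
    return gendig_tempkey(enc_key, key_slot, nonce_tempkey(rand_out, num_in), sn)

def xor32(block: bytes, key: bytes) -> bytes:
    """XOR a 32-byte block with the session key (same operation both directions)."""
    if len(block) != 32 or len(key) != 32:
        raise ValueError("encrypted reads are exactly 32 bytes")
    return bytes(a ^ b for a, b in zip(block, key))

if __name__ == "__main__":
    # All values below are constructed for illustration, not real device data.
    enc_key = bytes(range(32))                       # encryption key known to the host
    sn = bytes.fromhex("0123aabbccddeeff01")         # 9-byte serial number, constructed
    rand_out = hashlib.sha256(b"device RandOut").digest()  # stands in for the Nonce output
    num_in = bytes(20)                               # host NumIn; use fresh random bytes
    key = session_key(enc_key, 6, rand_out, num_in, sn)    # slot 6 is a placeholder
    ciphertext = xor32(b"constructed 32-byte slot content", key)  # stands in for Read output
    print(xor32(ciphertext, key))
```

Because the Nonce output changes on every run, a session key derived for one read does not decrypt the next one.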