I am a little bit confused about the LoRaWAN security mechanism.
The NwkSKey is used by both the network server and the end-device to calculate and verify the MIC (message integrity code) of all data messages to ensure data integrity.
The AppSKey is an application session key specific for the end-device. It is used by both the application server and the end-device to encrypt and decrypt the payload field of application-specific data messages.
So technically the Network server does not know the AppSKey. What I dont understand is that in the OTAA procedure, the network server responds with a Join-accept that is encrypted using the AppKey. So if the network server has already the AppKey, it can generate the AppSKey using this formula:
AppSKey = aes128_encrypt(AppKey, 0x02 | AppNonce | NetID | DevNonce | pad16)
In that case the network server if he would like to it can decrypt the message destinated to the application.
Is my analysis correct or I am missing something?
Thanks and best regards!