AN12196 NTAG 424 DNA and NTAG 424 DNA TagTamper features and hints Rev. 1.8 — 17 November 2020 Application note 507218 COMPANY PUBLIC Document information Information Content Keywords NTAG 424 DNA, NTAG 424 DNA TagTamper, Configuration, Personalization Abstract Guidelines for personalization, configuring and backend calculations of NTAG 424 DNA
59
Embed
NTAG 424 DNA and NTAG 424 DNA TagTamper features and hints … · 2020. 11. 17. · SDM Secure Dynamic Messaging SSM Standard Secure Messaging SUN Secure Unique NFC Messaging UID
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
AN12196NTAG 424 DNA and NTAG 424 DNA TagTamper features andhintsRev. 1.8 — 17 November 2020 Application note507218 COMPANY PUBLIC
Document informationInformation Content
Keywords NTAG 424 DNA, NTAG 424 DNA TagTamper, Configuration, Personalization
Abstract Guidelines for personalization, configuring and backend calculations of NTAG424 DNA
NXP Semiconductors AN12196NTAG 424 DNA and NTAG 424 DNA TagTamper features and hints
Revision history
Rev Date Description
v 1.8 20201117 Typo corrected in [Table 19]
v 1.7 20201112 Typo corrected in [Table 19]
v 1.6 20201022 Typo corrected in [Table 17], [Table 18]. Details added for [Section 7.4]
v 1.5 20190730 Editorial changes
v 1.4 20190612 More details added on Asymmetric Originality Check procedure
v 1.3 20190322 Typos corrected in chapters Section 4.4.2 and Section 7.2
v 1.2 20190211 Personalization steps updated, Originality Signature check added
v 1.1 20190129 Security status changed into "Company Public"
Application note Rev. 1.8 — 17 November 2020COMPANY PUBLIC 507218 3 / 59
NXP Semiconductors AN12196NTAG 424 DNA and NTAG 424 DNA TagTamper features and hints
2 Introduction
NTAG 424 DNA introduces a feature called Secure Dynamic Messaging (SDM), whichreturns a unique secure dynamic response at each tap. NFC forum devices, which havebuilt-in NFC hardware (e.g. NFC mobile phones, tablets), open the link without anydedicated application installed in the device. The "tap unique" NDEF message offers tothe backend system (e.g. cloud) a unique tag identifying.
2.1 About this documentThis document addresses developers who are developing application based on NTAG424 DNA.
This application note is a supplementary document for implementations using the NTAG424 DNA. This document shall be used in addition to NTAG 424 DNA data sheet [1].The best use of this application note is achieved by reading the mentioned data sheet inadvance.
Note: This application note does not replace any of the relevant functionalspecifications, data sheets, or design guides.
2.2 Key benefits using NTAG 424 DNA• More advanced security, through cryptographic authentication and unique
authentication data mirror with each tap• Stronger protection of goods and documents, with tap-to-check content originality,
integrity, authenticity• Enhanced user engagement, with unique content experiences served in real time (e.g.
cloud)• Easy user adoption, through automatic tag connection to web services –no dedicated
app needed
2.3 Target applicationsNTAG 424 DNA is attractive for many applications. To name few in the list below:
• Advanced anti-counterfeitingVerify authenticity of physical goods and identify sales outside authorized markets.
• Secured exclusive user experiencesReward customers with truly exclusive and personalized content, offers, and privileges.
• Secured sensitive data applicationsProtect sensitive product and user data, or trigger an action upon a verifiedincidencee.g. payment.
• Document AuthenticationAuthenticate originality and track provenance of documents that bear credentials.
• Protected monetary offersConfer trust to proximity transactions such as coupons, promotions, or loyalty points.
• Secure authentication and configuration of closed loop devicesAuthenticate consumables and parts, and enable automated transfer of device settings.
• Verified physical visitor presenceEnable secure visitor authentication, with proof of live presence and service records.
Application note Rev. 1.8 — 17 November 2020COMPANY PUBLIC 507218 4 / 59
NXP Semiconductors AN12196NTAG 424 DNA and NTAG 424 DNA TagTamper features and hints
• Secure log-in credentialsProtect web services using two-factor authentication logons to sensitive content sites.
2.4 Standards compliancy
2.4.1 ISO 14443
NTAG 424 DNA is fully compliant to all layers (1, 2, 3, 4) of ISO/IEC 14443 [3].
2.4.2 ISO 7816-4
NTAG 424 DNA is fully compliant to ISO/IEC 7816-4 [6].
2.4.3 NFC Forum compliancy
NFC tag is a contactless tag capable of storing NDEF data, which interoperates withISO 14443 infrastructure (or other) and NFC devices as defined by the NFC Forumspecifications. NFC Forum defines logical data structure for storing NDEF message on aTag.
The file structure on NTAG 424 DNA complies to NFC Forum Tag 4 Type [5]. There aretwo (2) required files:
• CC file is 32 bytes large, generally used for defining NDEF structure, info on accessrights for NFC device, optionally presence of Proprietary Files. It is pre-personalized asNFC Forum Tag 4 Type, NDEF V2.0.
• NDEF file is 256 bytes large. On delivery, it is empty and all type of NDEF messages/records can be programmed.
Application note Rev. 1.8 — 17 November 2020COMPANY PUBLIC 507218 7 / 59
NXP Semiconductors AN12196NTAG 424 DNA and NTAG 424 DNA TagTamper features and hints
4 Secure Dynamic Messaging (SDM)
Allows for confidential and integrity protected data exchange, without requiring apreceding authentication.
Secure Unique NFC message (SUN) enables user experience in a secure andconvenient way. It applies to NDEF file only. Configured static or dynamic values aremirrored as text (ASCII encoded) into the NDEF message (e.g. URL) on each NFC tap[Section 4.2].
NTAG 424 creates the SUN at power-up procedure, within ISO/IEC 14443 time and HMINlimits.
4.1 Mirroring commons1. Content is mirrored within the NDEF, only in non-authenticated state2. Mirrored content (dynamic data) overlays below "place holding" content (static data)3. Independently configurable what to mirror (UID, Counter, Part of static data, Tag
Tamper status, CMAC)4. Independently configurable where to mirror5. ASCII encoded (to represent 1 byte – 2 characters are needed)6. Any separator of any length between mirrors can be set7. For each mirror following has to be defined:
• starting offset• length
8. Mirror starting position (offset) + mirror length must not overlap with any otherenabled mirror
Few mirroring examples:
Figure 1. UID, NFCCounter (PICCData) and CMAC mirror
Application note Rev. 1.8 — 17 November 2020COMPANY PUBLIC 507218 8 / 59
NXP Semiconductors AN12196NTAG 424 DNA and NTAG 424 DNA TagTamper features and hints
Figure 3. E(PICCData), E(TagTamper status) and CMAC mirror
Figure 4. E(PICCData), E(Static File Data) and CMAC mirror
4.2 SUN generation procedure
For detailed NFC Activity procedure, refer to [10]. A high-level description of SUNgeneration:
1. On the non-locked Home screen, an NFC device (aka Reader/Writer) turns on NFCreader IC
2. NFC reader does the polling cycle for NFC technologies Figure 53. NTAG is tapped. During NFC field present, NTAG boots up4. Reader/Writer does Tag detection, ISO-14443 anti-collision, device activation [10]5. NTAG prepares all the mirrors (generates session keys, does encryption, does
mirroring, CMAC etc.) which are configured6. Reader/Writer reads the NDEF with ISOReadBinary command. NFC counter is
increased by one (1), any subsequent read within the same session does not increasethe counter
Application note Rev. 1.8 — 17 November 2020COMPANY PUBLIC 507218 9 / 59
NXP Semiconductors AN12196NTAG 424 DNA and NTAG 424 DNA TagTamper features and hints
4.3 SDM Session Key GenerationPseudo random function as per CMAC algorithm according to NIST SP 800-38B [2].These keys are used only for Secure Dynamic NDEF Messaging - SUN.
Note: These are not the same session keys as Secure Standard Messaging ones, whichare generated during AuthenticateFirst or AuthenticateNonFirst [Section 5.1].
[1] In case of encrypting file data - PICCENCData, mirroring of UID and SDMReadCtr is mandatory. Therefore, both arealways included in SV1 calculation.
4.4 SUN Mirroring
4.4.1 PICCData mirror
PICCData consists of UID and SMDCounter. UID, SDMCounter and CMAC are alwaysco-existing, meaning that by enabling/disabling PICCData mirror, all are mirrored or not.Their mirror offsets within NDEF can be individually chosen for UID and SDMCounter.CMAC shall be appended to the end of NDEF.
How to verify the CMAC of the SUN is described in chapter [Section 4.4.4.2] - differentdata is used for computation.
4.4.2 PICCData Encrypted mirror
Note: With encryption of PICCData, we encrypt UID and NFCCounter. Thereforeverification side does not have immediate info on UID, which is usually used as input forkey derivation function. In this case, KSDMMetaRead key shall not be UID diversified andhigh attention on secure storage on system level of this key is required.
4.4.2.1 Encryption of PICCData
Prerequisites: SDMMetaReadKey set to App.KeyX (0x0 - 0x4)
(1) - Random padding generated by the PICC to make the input 16 bytes long. It is onlyrelevant if SDMReadCtr is not mirrored, as SDMReadCtr adds uniqueness already.
4.4.2.2 Decryption of PICCData
Verification side (e.g. backend, RF reader, NFC Mobile application, etc.) needs to knowfollowing parameters:
Application note Rev. 1.8 — 17 November 2020COMPANY PUBLIC 507218 15 / 59
NXP Semiconductors AN12196NTAG 424 DNA and NTAG 424 DNA TagTamper features and hints
int cmacSize = 16; BlockCipher cipher = new AESFastEngine(); Mac cmac = new CMac(cipher, cmacSize * 8); KeyParameter keyParameter = new KeyParameter(key); cmac.init(keyParameter); cmac.update(valueToMAC, 0, valueToMAC.length); byte[] CMAC = new byte[cmacSize]; cmac.doFinal(CMAC, 0); byte[] MFCMAC = new byte[cmacSize / 2]; int j = 0; for (int i = 0; i < CMAC.length; i++) { if (i % 2 != 0) { MFCMAC[j] = CMAC[i]; j += 1; } } return MFCMAC; } catch (Exception ex) { ex.printStackTrace(); } return null;
} }
Modern libraries have "zero length" MAC-ing implemented. In case of manualimplementation, below reference pseudo-code may be used. CMAC in detailed steps asper NIST Special Publication 800-38B [2].
Application note Rev. 1.8 — 17 November 2020COMPANY PUBLIC 507218 18 / 59
NXP Semiconductors AN12196NTAG 424 DNA and NTAG 424 DNA TagTamper features and hints
5 Standard Secure Messaging (SSM)
Standard Secure messaging is the most up-to-date secure messaging mode, withfollowing properties:
• plain/maced/encrypted channel of communication established between PCD and PICC
CommunicationMode
BitRepresentation
Explanation
CommMode.Plain X0 Plain communication: No encryption is used at all.
CommMode.MAC 01 MACed communication: The data is transferred inplain, but a 4 bytes or 8 bytes MAC is added to themessage.
CommMode.Full 11 Encrypted communication: Full protection forintegrity, authenticity, and confidentiality.
Table 7. Communication modes in SSM
• Confidentiality and integrity are protected by using two session keys (generated on
both sides - PCD and PICC)• Standard Secure messaging is established by successful Cmd.AuthenticateEV2First
and Cmd.AuthenticateEV2NonFirst - allows cryptographically binding of all messageswithin one transaction by using a transaction identifier (TI) and a command counter(CmdCtr)
Application note Rev. 1.8 — 17 November 2020COMPANY PUBLIC 507218 19 / 59
NXP Semiconductors AN12196NTAG 424 DNA and NTAG 424 DNA TagTamper features and hints
The LRP mode can be permanently enabled using the SetConfiguration command.After this switch, it is not possible to revert to AES mode. More details on LRP canbe found in [11] and [12].
5.1 SSM Session Keys generation
As a result of successful authentication, KSesSDMFileReadMAC andKSesSDMFileReadENC keys are generated on PCD and PICC sides, using the samealgorithm.
Figure 7. SSM Session Key generation after successful Authentication
• CMAC computation:– CMAC-ing key (KSDMFileRead) which is used to generate session key
KSesSDMFileReadMAC: 0x01– SDMMACOffset: 0x43
• empty payload for CMAC input (SDMMACInputOffset == SDMMACOffset)• GetCounterValue command protected by key 0x01• No NFCCounter limit• no mirroring and no encryption of SDMFileData - SDMENCFileData
Steps:
1. ISO14443-4 PICC Activation [Section 6.1]2. Originality signature verification [Section 6.2]3. ISO SELECT NDEF application using DF Name [Section 6.3]4. Get File Settings [Section 6.4]5. GetVersion [Section 6.5]6. AuthenticateFirst with ApplicationKey 0x00 [Section 6.6]7. Prepare NDEF data [Section 6.7]8. Write data to 0xE104 (NDEF File) [Section 6.8]9. Change File Settings of 0xE104 [Section 6.9]10.AuthenticateEV2First with ApplicationKey 0x03 [Section 6.10]11. ISO SELECT Proprietary File 0xE105 [Section 6.11]12.Write data to 0xE105 (Proprietary File) [Section 6.12]13.ISO SELECT Capability Container file 0xE103 [Section 6.13]14.AuthenticateAESNonFirst with ApplicationKey 0x00 [Section 6.14]15.Write data to 0xE103 (CC file) - READ-ONLY [Section 6.15]16.Change Key - ApplicationKey 0x02 (Using AES-128 Key diversification)
(1) Higher data transfer can be set in this step (downlink and uplink). Example shown in
6.2 Originality signature verificationThe Symmetric Originality Check is possible only in LRP mode. The asymmetric checkcan be done prior personalization to asure that it will be done on the NXP delivered IC.
Procedure is described in [Section 8.2].
6.3 ISO SELECT NDEF application using DF Name
Step Command Data Message
1 ISO7816 AID – DF ApplicationName = D2760000850101
2 CLA = 00
3 INS = A4
4 P1 = 04 (select by DF name)
5 P2 = 0C
6 Lc = 07
7 Command header = 00A4040C07
8 Command data (ISO7816 AID –DF Name) = D2760000850101
9 Le = 00
10 Cmd.Select C-APDU > 00A4040C07D276000085010100
Table 11. Select NDEF Application using Cmd.ISOSelect
Application note Rev. 1.8 — 17 November 2020COMPANY PUBLIC 507218 25 / 59
NXP Semiconductors AN12196NTAG 424 DNA and NTAG 424 DNA TagTamper features and hints
Step Command Data Message
11 R-APDU < 9000
Table 11. Select NDEF Application using Cmd.ISOSelect...continued
6.4 Get File SettingsThis step does not reflect default delivered NTAG 424 DNA configuration of NDEF filesettings (0000E0EE00010026000CA). Purpose of the example is to show meaning ofbytes in response APDU.
Step is optional and may be left out. It is just to identify CommMode: Plain, MACed orFULL and adopt secure messaging of commands in later steps.
8 UID Offset (in Bytes) =20 (49d) (NDEF Length + NDEF header Length +NDEF File Content Length, including “=” sign in “?e=”)
10 CMAC Input Offset (in Bytes) =43 (67d) - Fully configurable. Verification side (e.g.backend) needs to know this value in order tocheck validity of received CMAC.
11 CMAC Offset (in Bytes) = 43 (67d) - including “=” sign in “&c=”)
Table 15. NDEF Message Creation
6.7.1 NDEF
NDEF is NFC Forum defined data exchange format. The NDEF specification definesa message encapsulation format to exchange information between an NFC forumdevice and another NFC forum device or an NFC forum Tag. NDEF is a lightweight,binary message format that can be used to encapsulate one or more application-definedpayloads of arbitrary type and size into a single construct called NDEF message.
An application-defined payload is encapsulated inside one single NDEF record, orchunked into two or more NDEF records.
8 UID Offset (in Bytes) =20 (49d) (NDEF Length + NDEF header Length +NDEF File Content Length, including “=” sign in “?e=”)
10 CMAC Input Offset (in Bytes) =43 (67d) - Fully configurable. Verification side (e.g.backend) needs to know this value in order tocheck validity of received CMAC.
11 CMAC Offset (in Bytes) = 43 (67d) - including “=” sign in “&c=”)
Table 16. NDEF Message Creation
6.8 Write NDEF fileWriting of the data to the NDEF file may be performed either by Update Binary(Cmd.UpdateBinary) or Write Data (Cmd.WriteData ) commands.
Table 17. Write NDEF File - using Cmd.ISOUpdateBinary
6.8.2 Write NDEF File - using Cmd.WriteData, CommMode.FULL
Usually there is no need to write NDEF data over encrypted channel, as NDEF Filecontains end consumer readable data. This chapter is for demonstrating encrypted datachannel exchange - CommMode.FULL.
Table 20. Cmd.AuthenticateEV2First using Key No 0x03...continued
6.11 ISO SELECT Proprietary file by EF NameThis step is not needed, if for Writing of the data to the file is done by Cmd.WriteData(and not Cmd.ISOUpdateBinary).
Step Command Data Message
1 ISO7816 AID – DF ApplicationName = D2760000850101
2 CLA = 00
3 INS = A4
4 P1 = 00 (Select MF, DF or EF, by file identifier)
5 P2 = 0C
6 Lc = 02
7 Command header = 00A4000C02
Table 21. Select Proprietary Application using Cmd.ISOSelectFile
Table 24. Cmd.AuthenticateEV2NonFirst using Key No 0x00...continued
6.15 Write to CC - using Cmd.WriteData, CommMode.PLAINThis step is needed to switch the lifecycle from INITIALIZED to READ-ONLY as per NFCForum T4T spec.
Table 25. Write CC File (0xE103) - using Cmd.WriteData
6.16 Changing the KeyOnly changing of keys nr. 0x2 and 0x0 are shown in the following step. It is highlyrecommended to configure all the Application Keys during personalization procedure.
6.16.1 KeyNo to be changed does not equal AuthKey
Case 1: Key number to be changed ≠ Key number for currently authenticated session
KeyNo 0x02 will be changed, while currently authenticated with KeyNo 0x00. AES-128Master Key key diversification is used in the following example. Keys can be diversifiedusing NXP suggested diversification method described in [13].
Step Command Data Message
1 KSesAuthMAC = 5529860B2FC5FB6154B7F28361D30BF9
2 KSesAuthENC = 4CF3CB41A22583A61E89B158D252FC53
3 Old Key (KeyNo 0x02) = 00000000000000000000000000000000
Application note Rev. 1.8 — 17 November 2020COMPANY PUBLIC 507218 42 / 59
NXP Semiconductors AN12196NTAG 424 DNA and NTAG 424 DNA TagTamper features and hints
7 Special functionalities
7.1 Configuration of NDEF application and PICC attributesSpecial command: SetConfiguration
Authentication with key AppMasterKey is needed
CommMode.Full needed
It is possible to configure:
• Enable RandomID• Disable chaining with WriteData• Enable LRP mode (irreversible)• Failed authentication counter configuration• Enable Strong back modulation
7.2 Random ID - RIDThis feature is used to retain end consumer privacy, avoid tracking and to meet latestGDPR regulations. In the combination with PICCData encryption, the real NTAG 424'sUID cannot be revealed, the PICC responds with random ID (4 bytes) during ISO14443-3anticollision.
Note:
• If Random ID feature is enabled, the ATQA value is changed to 0x0304 (default is0x0344).
• Enabling Random ID feature is irreversible process - meaning that it cannot be disabledonce it is enabled.
Prerequisites: Active Authentication with the AppMasterKey (AppKey00)
CommMode: FULL
Step Command Data
1 Cmd = 5C
2 KSesAuthMAC = FE4EDBF46536557E304682F33E63A84F
3 KSesAuthENC = 7951A705F47F3C29B596454DC1490383
4 CmdHeader - Option (Commandoption)
= 00
5 CmdCtr = 0000
6 TI = D779B1D0
8 CmdData = 02 (enable Random ID)
9 IVc = E(KSesAuthENC, A55A || TI ||CmdCtr || 0000000000000000)
14 MAC(KSesAuthMAC, Status ||Cmd || CmdCounter + 1 || TI ||(E(KSesAuthENC, ResponseData) )
= F4593D5FAB671F225798C4EA894195B7
15 Compare R-APDU's MACt andcalculated MACt from step 14
= true - Integrity of message received from the PICCverified
16 ResponseCode || (E(KSesAuthENC,ResponseData)
= 70756055688505B52A5E26E59E329CD6
17 CmdCtr = 0100 (increased by one on the PICC side)
18 IVr for Encryption =E(KSesAuthENC, 5AA5 || TI ||CmdCtr || 0000000000000000)
= 7F6BB0B278EA054CBD238C5D9E9E342B
19 D(KSesAuthENC, IV, ResponseData || Padding)
= 04958CAA5C5E80800000000000000000
20 UID = 04958CAA5C5E80
Table 29. Get NTAG 424 DNA's UID
7.4 Failed Authentications CounterThis feature improves countermeasures for potential side channel attacks, especially inAES mode. In LRP mode, side channel attack resistance is done by protocol itself, but itcan be enabled for LRP mode as well.
Note: Originality keys do not support the failed authentication counter feature. AnyhowOrig.keys (LRP) have SCA resistance by protocol itself.
Every KeyID.AppKeys has its own instance of counter set:
Application note Rev. 1.8 — 17 November 2020COMPANY PUBLIC 507218 45 / 59
NXP Semiconductors AN12196NTAG 424 DNA and NTAG 424 DNA TagTamper features and hints
• TotFailCtr (2 bytes)– Increases by 1 on each unsuccessful authentication– Decreases by value defined with TotFailCtrDecr– when TotFailCtrLimit is reached, related key cannot be used for Authentication
anymore• SeqFailCtr (1 byte)
– Increases by 1 on each consecutive failed authentication– If value 50d reached, subsequent authentication attempts are delayed - gradually on
all next 50d. Until 255d.– successful Authentication resets counter to 0
• SpentTimeCtr (2 bytes)– Counts the time "spent" after defined FWT, caused by delayed response of Failed
Authentications Counter feature– Increased by SpentTimeUnit, which depends on FWT
When changing an KeyID.AppKey with Cmd.ChangeKey, the related instance set ofthese three counters is reset to their default values at delivery.
Each failed authentication will increase targeted Key's counter of TotFailCtr by 1. Ona successful Authentication, TotFailCtr it is decreased by TotFailCtrDecr value (default10), to cope with false - positives. By default after 50 consecutive failed authenticationattempts NTAG 424 DNA starts to introduce a delay into its response (SW code responseof 91AD).
Application note Rev. 1.8 — 17 November 2020COMPANY PUBLIC 507218 47 / 59
NXP Semiconductors AN12196NTAG 424 DNA and NTAG 424 DNA TagTamper features and hints
Figure 12. Failed authentication counter processing during the second part of theAuthentication
7.5 TagTamperNTAG 424 DNA TagTamper offers an NFC Forum-compliant solution to reflect, if thesealing of a product is opened. This works without a dedicated app on the NFC reader/writer device. It only requires the capability of reading out NFC Forum Type 4 Tag [5].NTAG 424 DNA TagTamper has four pads. Two pads are used for antenna connectionand the other two used to connect a detection wire. At start-up, the IC checks thatthe tag tamper wire. If opened, this will be recorded as permanent status in NVM(TTPermStatus). The result can be mirrored in the NDEF message.
Measurement is done automatically during the boot-up of the NTAG 424 NDA. It willbe only done during processing of the first ISO/IEC 14443-4 command after completeactivation, if the current TTPermStatus is still set to Close. It does not have any influenceon any ISO standard time constraints. If PICC detects open tamper loop, TTPermStatusis updated. Measurement on the boot will not be triggered anymore.
In addition, a specific command (Cmd.GetTTStatus) triggers tamper loop measurementand the Tag returns both the permanent (TTPermStatus) and current status(TTCurrStatus) of the tamper loop connection. NTAG 424 DNA is a passive tag poweredby an RF field, therefore it cannot trigger measurement by itself. Physical design of afinal tag application with counter measures should be used to mitigate fraudulent use - asopening and fixing the tamper loop / seal in between measurements.
Application note Rev. 1.8 — 17 November 2020COMPANY PUBLIC 507218 48 / 59
NXP Semiconductors AN12196NTAG 424 DNA and NTAG 424 DNA TagTamper features and hints
7.6 SDMReadCtr LimitThe SDMReadCtrLimit can be enabled by setting a customized value withCmd.ChangeFileSettings. It can be retrieved with Cmd.GetFileSettings. This way readingof the NDEF file can be limited after SDMReadCtr reaches SDMReadCtrLimit. WhenSDMReadCtrLimit is reached, no reading with Cmd.ReadData or Cmd.ISOReadBinarycan be executed. This feature can be a potential risk for DoS attacks.
Main use cases:
• To limit usage/tap number of a single PICC• To limit conditions for Secure Dynamic Messaging side channel attacks
Feature can be disabled by Cmd.ChangeFileSettings, or by setting the SDMReadCtrLimitvalue to FFFFFF.
Application note Rev. 1.8 — 17 November 2020COMPANY PUBLIC 507218 49 / 59
NXP Semiconductors AN12196NTAG 424 DNA and NTAG 424 DNA TagTamper features and hints
8 Originality Signature Verification
8.1 Symmetric checkFour (4) secret originality keys (also named as PICC Keys) are present on eachindividual NTAG 424 DNA, type of AES-128:
• Are written on the IC at the production in the NXP factory• Keys are created in NXP Fabs HSM and never leave secure environment• Cannot be changed after the IC leaves the NXP factory• Originality Check is done by executing a successful LRP Authentication (not AES!)
with one of the Originality keys. LRP mode needs to be enabled with commandCmd.SetConfiguration.
• These keys are shared only towards NXP's licenseesSharing procedure of these keys is written in the data sheet [1].
8.2 Asymmetric checkNTAG 424 DNA contains the NXP Originality Signature:
• It is computed according to Elliptic Curve DSA (ECDSA) based on the UID• Key pair created in NXP Fabs HSM. Private key stored in high secure HSM in NXP
premises• Signature is 56 bytes long and according to SEC standard the secp224r1 curve is
taken
Asymmetric procedure consists of:
• retrieve Originality Signature (56 bytes) from the PICC with Cmd.Read_Sig command(NTAG 424 needs to be in ISO14443 - Layer 4 level).
• public key is required by the verifier - available for public below• ECDSA signature verifying operation needs to be applied - procedure and sample code
(C#, Java, C) can be found in Application Note [9]
NTAG public key:048A9B380AF2EE1B98DC417FECC263F8449C7625CECE82D9B916C992DA209D68
Application note Rev. 1.8 — 17 November 2020COMPANY PUBLIC 507218 51 / 59
NXP Semiconductors AN12196NTAG 424 DNA and NTAG 424 DNA TagTamper features and hints
9 System implementation concepts
Most common system used with NTAG 424 DNA is pictured below.
Figure 13. NFC and cloud integration
9.1 Online systemThis kind of system is possible with NFC device broadband connectivity (data transfer)and robust backend system - usually cloud based service. By this approach, no keysneed to be stored on NFC device, thus no secure element is used on NFC device. It isused only for relaying messages between cloud and the NTAG. It is advisable that all thekeys (or master key) are securely stored on backend's HSM.
Application note Rev. 1.8 — 17 November 2020COMPANY PUBLIC 507218 52 / 59
NXP Semiconductors AN12196NTAG 424 DNA and NTAG 424 DNA TagTamper features and hints
9.2 Offline systemOffline systems usually target closed loop, offline authentication applications. Applicationprovides a proof of authenticity of the Tag or the product to which the Tag is applied to.
For optimal secure solution, host side needs to have:
NXP Semiconductors AN12196NTAG 424 DNA and NTAG 424 DNA TagTamper features and hints
11 References
[1] Data sheet — NTAG 424 Product data sheet, doc.no. 4654**[1]
[2] NIST SpecialPublication800-38B
— National Institute of Standards and Technology (NIST) – Recommendation for Block CipherModes of Operation: The CMAC Mode for Authentication, May 2005.
Application note Rev. 1.8 — 17 November 2020COMPANY PUBLIC 507218 55 / 59
NXP Semiconductors AN12196NTAG 424 DNA and NTAG 424 DNA TagTamper features and hints
12 Legal information
12.1 DefinitionsDraft — A draft status on a document indicates that the content is stillunder internal review and subject to formal approval, which may resultin modifications or additions. NXP Semiconductors does not give anyrepresentations or warranties as to the accuracy or completeness ofinformation included in a draft version of a document and shall have noliability for the consequences of use of such information.
12.2 DisclaimersLimited warranty and liability — Information in this document is believedto be accurate and reliable. However, NXP Semiconductors does notgive any representations or warranties, expressed or implied, as to theaccuracy or completeness of such information and shall have no liabilityfor the consequences of use of such information. NXP Semiconductorstakes no responsibility for the content in this document if provided by aninformation source outside of NXP Semiconductors. In no event shall NXPSemiconductors be liable for any indirect, incidental, punitive, special orconsequential damages (including - without limitation - lost profits, lostsavings, business interruption, costs related to the removal or replacementof any products or rework charges) whether or not such damages are basedon tort (including negligence), warranty, breach of contract or any otherlegal theory. Notwithstanding any damages that customer might incur forany reason whatsoever, NXP Semiconductors’ aggregate and cumulativeliability towards customer for the products described herein shall be limitedin accordance with the Terms and conditions of commercial sale of NXPSemiconductors.
Right to make changes — NXP Semiconductors reserves the right tomake changes to information published in this document, including withoutlimitation specifications and product descriptions, at any time and withoutnotice. This document supersedes and replaces all information supplied priorto the publication hereof.
Suitability for use — NXP Semiconductors products are not designed,authorized or warranted to be suitable for use in life support, life-critical orsafety-critical systems or equipment, nor in applications where failure ormalfunction of an NXP Semiconductors product can reasonably be expectedto result in personal injury, death or severe property or environmentaldamage. NXP Semiconductors and its suppliers accept no liability forinclusion and/or use of NXP Semiconductors products in such equipment orapplications and therefore such inclusion and/or use is at the customer’s ownrisk.
Applications — Applications that are described herein for any of theseproducts are for illustrative purposes only. NXP Semiconductors makesno representation or warranty that such applications will be suitablefor the specified use without further testing or modification. Customersare responsible for the design and operation of their applications andproducts using NXP Semiconductors products, and NXP Semiconductorsaccepts no liability for any assistance with applications or customer productdesign. It is customer’s sole responsibility to determine whether the NXPSemiconductors product is suitable and fit for the customer’s applicationsand products planned, as well as for the planned application and use ofcustomer’s third party customer(s). Customers should provide appropriatedesign and operating safeguards to minimize the risks associated withtheir applications and products. NXP Semiconductors does not accept anyliability related to any default, damage, costs or problem which is basedon any weakness or default in the customer’s applications or products, orthe application or use by customer’s third party customer(s). Customer isresponsible for doing all necessary testing for the customer’s applicationsand products using NXP Semiconductors products in order to avoid adefault of the applications and the products or of the application or use bycustomer’s third party customer(s). NXP does not accept any liability in thisrespect.
Export control — This document as well as the item(s) described hereinmay be subject to export control regulations. Export might require a priorauthorization from competent authorities.
Evaluation products — This product is provided on an “as is” and “with allfaults” basis for evaluation purposes only. NXP Semiconductors, its affiliatesand their suppliers expressly disclaim all warranties, whether express,implied or statutory, including but not limited to the implied warranties ofnon-infringement, merchantability and fitness for a particular purpose. Theentire risk as to the quality, or arising out of the use or performance, of thisproduct remains with customer. In no event shall NXP Semiconductors, itsaffiliates or their suppliers be liable to customer for any special, indirect,consequential, punitive or incidental damages (including without limitationdamages for loss of business, business interruption, loss of use, loss ofdata or information, and the like) arising out the use of or inability to usethe product, whether or not based on tort (including negligence), strictliability, breach of contract, breach of warranty or any other theory, even ifadvised of the possibility of such damages. Notwithstanding any damagesthat customer might incur for any reason whatsoever (including withoutlimitation, all damages referenced above and all direct or general damages),the entire liability of NXP Semiconductors, its affiliates and their suppliersand customer’s exclusive remedy for all of the foregoing shall be limited toactual damages incurred by customer based on reasonable reliance up tothe greater of the amount actually paid by customer for the product or fivedollars (US$5.00). The foregoing limitations, exclusions and disclaimers shallapply to the maximum extent permitted by applicable law, even if any remedyfails of its essential purpose.
Translations — A non-English (translated) version of a document is forreference only. The English version shall prevail in case of any discrepancybetween the translated and English versions.
Security — Customer understands that all NXP products may be subjectto unidentified or documented vulnerabilities. Customer is responsiblefor the design and operation of its applications and products throughouttheir lifecycles to reduce the effect of these vulnerabilities on customer’sapplications and products. Customer’s responsibility also extends to otheropen and/or proprietary technologies supported by NXP products for usein customer’s applications. NXP accepts no liability for any vulnerability.Customer should regularly check security updates from NXP and follow upappropriately. Customer shall select products with security features that bestmeet rules, regulations, and standards of the intended application and makethe ultimate design decisions regarding its products and is solely responsiblefor compliance with all legal, regulatory, and security related requirementsconcerning its products, regardless of any information or support that maybe provided by NXP. NXP has a Product Security Incident Response Team(PSIRT) (reachable at [email protected]) that manages the investigation,reporting, and solution release to security vulnerabilities of NXP products.
12.3 Licenses
Purchase of NXP ICs with NFC technology
Purchase of an NXP Semiconductors IC that complies with one of theNear Field Communication (NFC) standards ISO/IEC 18092 and ISO/IEC 21481 does not convey an implied license under any patent rightinfringed by implementation of any of those standards. Purchase of NXPSemiconductors IC does not include a license to any NXP patent (or otherIP right) covering combinations of those products with other products,whether hardware or software.
12.4 TrademarksNotice: All referenced brands, product names, service names andtrademarks are the property of their respective owners.
NTAG — is a trademark of NXP B.V.NXP — wordmark and logo are trademarks of NXP B.V.
Application note Rev. 1.8 — 17 November 2020COMPANY PUBLIC 507218 56 / 59
NXP Semiconductors AN12196NTAG 424 DNA and NTAG 424 DNA TagTamper features and hints
TablesTab. 1. Abbreviations .....................................................3Tab. 2. SDM Session Key Generation ........................ 10Tab. 3. Decryption of PICCData ..................................12Tab. 4. Decryption of PICCData ..................................13Tab. 5. CMAC calculation when CMACInputOffset
== CMACOffset ...............................................15Tab. 6. CMAC calculation when CMACInputOffset !
= CMACOffset ................................................. 17Tab. 7. Communication modes in SSM .......................19Tab. 8. Example of CommMode.MAC on
Cmd.GetFileSettings command .......................21Tab. 9. Example of CommMode.FULL on
Cmd.Write to File No 0x02 ..............................22Tab. 10. ISO14443-4 PICC Activation ...........................24Tab. 11. Select NDEF Application using
Cmd.ISOSelect ................................................25Tab. 12. Get file settings of NDEF File ..........................26Tab. 13. Get Version ..................................................... 27Tab. 14. Cmd.AuthenticateEV2First using Key No
Tab. 18. Write NDEF File - using Cmd.WriteData ......... 32Tab. 19. Change NDEF file settings using
Cmd.ChangeFileSettings .................................34Tab. 20. Cmd.AuthenticateEV2First using Key No
0x03 .................................................................35Tab. 21. Select Proprietary Application using
Cmd.ISOSelectFile .......................................... 36Tab. 22. Write Proprietary File (0xE105) - using
Cmd.WriteData ................................................ 37Tab. 23. Select NDEF Application using Cmd.Select .... 38Tab. 24. Cmd.AuthenticateEV2NonFirst using Key
No 0x00 ...........................................................39Tab. 25. Write CC File (0xE103) - using
Cmd.WriteData ................................................ 40Tab. 26. Example for Cmd.ChangeKey in Secure
Messaging using Case 1 .................................40Tab. 27. Example for Cmd.ChangeKey in Secure
Messaging using Case 2 .................................41Tab. 28. Enabling Random ID - RID ............................. 43Tab. 29. Get NTAG 424 DNA's UID .............................. 45Tab. 30. Asymmetric Originality Signature
Fig. 8. Plain communication in SSM .......................... 20Fig. 9. MACed communication in SSM ...................... 21Fig. 10. Fully enciphered communication in SSM ........ 22Fig. 11. Failed authentication counter processing
during the first part of the Authentication .........47Fig. 12. Failed authentication counter processing
during the second part of theAuthentication ..................................................48
Fig. 13. NFC and cloud integration .............................. 52Fig. 14. Main use case system concept .......................52Fig. 15. Offline system concept using SE and
6.11 ISO SELECT Proprietary file by EF Name .......366.12 Write to Proprietary File - using
Cmd.WriteData, CommMode.FULL ................. 376.13 ISO SELECT CC file by EF Name ...................386.14 AuthenticateAESNonFirst with key 0x00 ......... 396.15 Write to CC - using Cmd.WriteData,
CommMode.PLAIN .......................................... 406.16 Changing the Key ............................................406.16.1 KeyNo to be changed does not equal
AuthKey ........................................................... 406.16.2 KeyNo to be changed equals AuthKey ............ 417 Special functionalities ...................................... 437.1 Configuration of NDEF application and
PICC attributes ................................................ 437.2 Random ID - RID .............................................437.3 Get UID ............................................................447.4 Failed Authentications Counter ........................457.5 TagTamper ....................................................... 487.6 SDMReadCtr Limit ...........................................498 Originality Signature Verification .....................508.1 Symmetric check ............................................. 508.2 Asymmetric check ............................................509 System implementation concepts ................... 529.1 Online system ..................................................529.2 Offline system ..................................................5310 Supporting tools ............................................... 5410.1 Software ...........................................................5411 References ......................................................... 5512 Legal information ..............................................56
Please be aware that important notices concerning this document and the product(s)described herein, have been included in section 'Legal information'.