NTAG^® 413 DNA Secure Unique NFC Message for Direct Access to Web Services ARCHIVED

• Fully compliant to the ISO/IEC 14443, all parts 1 to 4
• Fully compliant to the ISO/IEC 7816-4 file selection and APDU handling
• Fully compliant passive target compliant to ISO/IEC18092
• Features 7-byte UID according to ISO/IEC14443 – 3

• Fully compliant to the NFC Forum Tag 4 Type technical specification
• Fully compliant to NDEF data structure configurations

• One 32-byte standard data file, formatted as Capability Container (CC)
• One 128-byte standard data file for NDEF file
• Flexible mirroring offset for UID, NFC counter, and CMAC
• Flexible separators position and length

• Secure Unique NFC Message (SUN)
• Three AES 128-bit application keys featuring key versions
• Incremental NFC taps Counter
• AES-based dynamic CMAC as part of the NDEF data
• Three-pass mutual authentication (optional)
• Optional three-pass mutual authentication
• Plain, CMACed, and encrypted communication (configurable)
• Secure retrievals of NFC tap counter (optional)
• ECC-based NXP originality signature

NTAG 413 DNA offers the personalization of NFC tag with a different type of NDEF records and a flexible setting of the NDEF file to define the mirrored parameters and CMAC input offset. At personalization of the tag, the individual application keys and different access to NDEF file with those keys can be set independently.

NTAG 413 DNA’s core crypto function is compliant to FIPS PUB 197 (FIPS 197) Advanced Encryption Standard (AES). CMAC is calculated according to NIST Special Publication 800-38B and uses only 8 even bytes from last encrypted block.

A cryptographically method, which is generating unique secure NDEF data in each tap based on Secure Dynamic Messaging, explained in.

Mirroring items (UID, NFC tap counter, CMAC), separators position, and length as well as can be defined for the NDEF data. Upon the first read command within a session, the file content is generated according to the predefined settings and will be available therefrom. A variable offset allows selecting the data to be included for the CMAC calculation.

The NFC tap counter is incremented on each tap and the unique response data will be generated along with a CMAC. For connecting directly to a web-service without any dedicated application on an NFC device, the NDEF data needs to be formatted to a URI record.

7-byte fixed UID is programmed in the chip and can be mirrored within the NDEF message.

A 3-byte up counter is incremented only once per each session when the NDEF file is read. This counter value can be optionally mirrored in plain into the NDEF message. The encrypted counter value can be read out after authentication by using the assigned application key.

The 8-byte CMAC can be optionally mirrored into the NDEF message. CMAC is calculated on the message length defined. It is possible to consider only the UID and/or the NFC Counter for CMAC calculation.

NTAG 413 DNA offers 3-pass mutual authentication based on challenge-response protocol identical with the application key. This mutual authentication enables the authentication of the tag and terminal (only who knows the keys) simultaneously.

NTAG 413 DNA offers a static ECC signature calculated on the UID of the chip. This ECC signature can be used to verify the tag's genuineness using the public key provided by NXP.

NTAG 413 DNA features can be integrated to design robust product authentication. Concatenating of the multiple features, e.g., ECC signature, history-based UID tracking, SUN, and 3-pass mutual authentication to design enhanced reliability in product authentication.

NXP offers commercially the customization of the chip content (securely key injection known as trust provisioning, personalization of NDEF message and file settings).