What is NTAG 424 DNA?
The NTAG 424 DNA tag, designed by NXP, offers a cost-effective solution for product authentication with its unique SUN (Secure Unique NDEF) feature. Every time a phone taps one of these tags, a different URL is generated. This dynamic URL includes newly encrypted information and additional cryptographic data with each read, ensuring enhanced security and authenticity.
Verifying Authenticity of SUN messages
The SUN feature in NTAG 424 DNA tags allows for the generation of unique URLs with each tap. These URLs are encrypted with a secret key, and the tag's counter value is incremented to track the number of taps. To verify the authenticity of a URL, the counter value carried in that URL is compared with the highest counter value already stored for the tag. If the URL's counter value is greater than the stored value, the URL is considered authentic; if it is less than or equal to the stored value, the URL is treated as outdated.
Expiring URLs
As previously noted, the encrypted counter tracks the number of times a tag has been tapped since it was programmed, and this count cannot be altered by the end user. By storing the highest counter value in our database, we can compare it to the counter value a user provides during authentication. For instance, if Certenticat records that a tag has been tapped 7 times, and a user attempts to authenticate with a counter value of 6, we can identify that they are using an outdated URL.
Examining the table, we see that the 4 PM visit is flagged as unauthentic because, knowing the tag has been tapped 7 times, a URL with a counter value of 6 is considered outdated.
| Time | Counter | Authentic |
|---|---|---|
| 2PM | 6 | Yes |
| 3PM | 7 | Yes |
| 4PM | 6 | No |
| 5PM | 8 | Yes |
Offline Storage Attack
Counter-based expiration in Certenticat requires knowing how many times a tag has been tapped to determine when to expire the associated URLs. If an attacker taps the tag and stores the generated URL, they could potentially use this URL for authentication later. This vulnerability exists because the counter does not increment unless another legitimate user taps the tag, meaning the stored URL remains valid. If no one else interacts with the tag, the attacker can access the URL without the counter reaching the threshold for expiration.
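The counter check from the "Expiring URLs" table and the offline storage limitation described above, as an added example that is not Certenticat's or NXP's code. It assumes a hypothetical URL layout in which the tag UID and read counter arrive as hex query parameters named `uid` and `ctr` (the real NDEF layout is configured per tag), and it assumes the CMAC/encrypted PICC data in the URL have already been verified before the counter is compared, so only the counter logic is shown. The base URL and UID are constructed sample values.

```python
"""Counter-based expiry check for SUN-style tap URLs (illustrative, stdlib only).

Assumes a hypothetical URL layout with "uid" and "ctr" hex query parameters and
that the URL's cryptographic data (CMAC/encrypted PICC data) was verified earlier.
"""
from urllib.parse import parse_qs, urlparse

BASE_URL = "https://example.invalid/t"   # constructed base URL
TAG_UID = "04112233445566"               # constructed 7-byte UID
COUNTER_MAX = 2**24                      # SDMReadCtr is a 3-byte counter


def make_url(counter: int) -> str:
    """Build the URL a tap would produce for a given read counter (hypothetical layout)."""
    return f"{BASE_URL}?uid={TAG_UID}&ctr={counter:06X}"


def parse_tap(url: str) -> tuple[str, int]:
    """Extract (uid, counter) from a tap URL, rejecting malformed values."""
    query = parse_qs(urlparse(url).query)
    try:
        uid = query["uid"][0].upper()
        counter = int(query["ctr"][0], 16)
    except (KeyError, IndexError, ValueError) as exc:
        raise ValueError(f"malformed tap URL: {url}") from exc
    if not 0 <= counter < COUNTER_MAX:
        raise ValueError(f"counter out of range: {counter}")
    return uid, counter


class CounterStore:
    """Highest counter accepted per tag UID; stands in for the database."""

    def __init__(self) -> None:
        self._highest: dict[str, int] = {}

    def authenticate(self, url: str) -> bool:
        """Accept a URL only if its counter exceeds every counter already accepted for that tag."""
        uid, counter = parse_tap(url)
        if counter <= self._highest.get(uid, -1):   # -1: no tap recorded yet
            return False                            # same or older counter: outdated URL
        self._highest[uid] = counter
        return True


def replay_table() -> list[tuple[str, int, bool]]:
    """Replay the visits from the table and return each verdict."""
    store = CounterStore()
    visits = [("2PM", 6), ("3PM", 7), ("4PM", 6), ("5PM", 8)]
    return [(t, c, store.authenticate(make_url(c))) for t, c in visits]


def offline_storage_scenario() -> dict[str, bool]:
    """Show when a URL that was generated but held back is still accepted later.

    Counter 9 is produced by a tap whose URL is stored instead of being submitted.
    """
    held_back = make_url(9)

    # Nobody else taps the tag: the held URL is still newer than anything stored.
    quiet = CounterStore()
    for c in (6, 7, 8):
        quiet.authenticate(make_url(c))
    without_other_taps = quiet.authenticate(held_back)

    # Another visitor taps (counter 10) and submits first: the held URL is now outdated.
    busy = CounterStore()
    for c in (6, 7, 8, 10):
        busy.authenticate(make_url(c))
    after_another_tap = busy.authenticate(held_back)

    return {"without_other_taps": without_other_taps,
            "after_another_tap": after_another_tap}


if __name__ == "__main__":
    for time, counter, ok in replay_table():
        print(f"{time}: counter {counter} -> {'Yes' if ok else 'No'}")
    print(offline_storage_scenario())
```

Running the script reproduces the table's verdicts (the 4 PM visit with counter 6 is rejected once 7 has been stored) and then shows the limitation from this section: the held-back counter-9 URL is accepted when no later tap has been submitted, and only becomes outdated after another visitor's tap (counter 10) is recorded.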