{
  "url": "https://proudtek.com/guides/ntag424-dna-sun-cmac-authentication/",
  "sourceUrl": "https://proudtek.com/guides/ntag424-dna-sun-cmac-authentication/",
  "title": "NTAG424 DNA SUN + CMAC Authentication",
  "description": "NTAG424 DNA (NT4H2421Gx / NT4H2421Tx) is NXP's flagship authentication NFC chip, combining ISO/IEC 14443-4 compliance, AES-128 cryptography and the...",
  "kind": "article",
  "imageUrl": "https://proudtek.com/landing-images/ntag424-dna-tamper-evident-tag.jpg",
  "imageAlt": "NTAG424 DNA chip with SUN + CMAC authentication flow diagram",
  "imageGallery": [
    {
      "url": "https://proudtek.com/landing-images/ntag424-dna-tamper-evident-tag.jpg",
      "alt": "NTAG424 DNA chip with SUN + CMAC authentication flow diagram"
    }
  ],
  "breadcrumbs": [
    {
      "name": "Home",
      "url": "https://proudtek.com/"
    },
    {
      "name": "Guides",
      "url": "https://proudtek.com/guides/"
    },
    {
      "name": "NTAG424 DNA SUN + CMAC Authentication",
      "url": "https://proudtek.com/guides/ntag424-dna-sun-cmac-authentication/"
    }
  ],
  "summary": [
    "NTAG424 DNA (NT4H2421Gx / NT4H2421Tx) is NXP's flagship authentication NFC chip, combining ISO/IEC 14443-4 compliance, AES-128 cryptography and the..."
  ],
  "faq": [
    {
      "question": "Can I verify the SUN MAC without a server?",
      "answer": "Technically yes (a mobile app can embed the diversification master key and verify locally) but this defeats the security model because the master key is now on thousands of user devices. Production deployments always verify server-side against a key management system (HSM, AWS KMS, HashiCorp Vault). The tag's URL lands on your verification endpoint, which returns authenticated (200) or counterfeit (403) as an HTTP response."
    },
    {
      "question": "Does NTAG424 DNA work on iPhones without an app?",
      "answer": "Yes. iOS 11+ supports background NDEF tag reading in the Core NFC framework. Tapping an NTAG424 DNA tag with a valid URL opens that URL in Safari automatically, no app install needed. The only requirement is that the URL uses HTTPS (which your verification endpoint should be doing anyway). Android 4.4+ has the same behavior via the NFC Foreground Dispatch system."
    },
    {
      "question": "What prevents a counterfeiter from cloning the tag UID?",
      "answer": "The UID alone is not sensitive; it is public. What prevents cloning is the CMAC, which is a symmetric message authentication code rather than a public-key signature. Without the per-tag SDMMACKey (derived from the brand's master key and held only in the HSM), an attacker cannot compute a valid MAC for any given UID+CTR pair. Even if an attacker reads a legitimate tag's current URL and tries to replay it, the server rejects any CTR less than or equal to the last-seen value for that UID. This replay check works only if the server stores the last-seen CTR per UID and updates it after each successful MAC verification."
    },
    {
      "question": "What happens when the 24-bit read counter wraps?",
      "answer": "After 16,777,215 reads the counter wraps to zero. This only matters in automation scenarios. Consumer-facing authentication tags will never reach this limit in their lifetime. For high-read-volume deployments (ticketing, industrial), the server can detect wrap and reset its per-UID last-seen CTR, or the deployment can use NTAG424 DNA in a mode where counter wrap triggers tag re-issuance."
    },
    {
      "question": "Can NTAG424 DNA be pre-encoded at the factory?",
      "answer": "Yes. Proud Tek pre-encodes per-customer. We need your master key (delivered via encrypted channel or generated inside our Thales/Utimaco HSM with shared custody), the URL template and the per-tag UID/CTR mirroring configuration. Every shipment includes a CSV manifest mapping each UID to its per-tag SDMMACKey and, when File 03 encryption is enabled, its SDMEncKey. Because the manifest contains per-tag keys, it is key material: transfer and store it encrypted, with access restricted to the verification backend."
    },
    {
      "question": "Is NTAG424 DNA the right choice for EU Digital Product Passport?",
      "answer": "For high-value textiles and electronics where counterfeit risk or tamper risk is material — yes. The ESPR implementing acts recommend but do not mandate cryptographic authentication; NTAG213 or NTAG216 can satisfy the data-carrier requirement at lower cost for categories where authentication is not required. For batteries under Regulation 2023/1542 the tamper-evidence clause makes NTAG424 DNA TT the natural choice."
    },
    {
      "question": "Why choose NTAG424 DNA over MIFARE DESFire EV3?",
      "answer": "Different problems. NTAG424 DNA is designed for public, consumer-smartphone authentication. One URL per tap, no app, AES-protected. MIFARE DESFire EV3 is designed for enterprise multi-application smart cards (access control, cashless payment, transit) where a proprietary reader with a SAM performs authenticated transactions. Use NTAG424 DNA for brand-facing tags that consumers tap with their phone; use DESFire EV3 for employee badges, transit cards and physical access."
    }
  ],
  "procurementFields": [],
  "collectionGuidanceFields": [],
  "coreGuidanceFields": [],
  "articleGuidanceFields": [
    {
      "label": "Best for",
      "value": "NTAG424 DNA SUN + CMAC Authentication supports RFID and NFC evaluation, comparison, and sourcing decisions."
    },
    {
      "label": "Compare first",
      "value": "Compare NTAG424 DNA SUN + CMAC Authentication against reader compatibility, chip family, material, and deployment environment."
    },
    {
      "label": "What to confirm",
      "value": "Confirm target application, compatibility requirements, customization needs, quantity, and sample expectations before quoting NTAG424 DNA SUN + CMAC Authentication."
    }
  ],
  "sourceLinks": [],
  "related": [],
  "productSpecs": [],
  "machineJsonUrl": "https://proudtek.com/machine/guides/ntag424-dna-sun-cmac-authentication.json",
  "machineTextUrl": "https://proudtek.com/machine/guides/ntag424-dna-sun-cmac-authentication.txt",
  "author": {
    "name": "Proud Tek Editorial Team",
    "title": "RFID & NFC Technical Content Team",
    "expertise": [
      "RFID manufacturing",
      "NFC technology",
      "Access control systems",
      "Smart card engineering"
    ]
  },
  "publisher": "Proud Tek Co., Limited",
  "datePublished": "2026-04-18",
  "dateModified": "2026-06-10T18:00:00Z",
  "lastReviewedDate": "2026-06-10T18:00:00Z",
  "credentials": [
    "ISO 9001:2015",
    "ISO 14001:2015",
    "RoHS Compliant",
    "CE Marking",
    "REACH Compliant"
  ],
  "generatedAt": "2026-03-16T01:42:30.697Z"
}