NTAG 424 SUN uses a Cmd Counter to allow replay attack protection, but what if max is reached?


815 Views
piejanssens
Contributor II

I read in the data sheet that the counter is stored in a 16-bit unsigned integer. This means the max value the counter could hold is 65,535. I read that both PCD and PICC increase the counter. So each tap results in +2? If that assumption is correct, that would mean the tag can be tapped 32,767 times before reaching the max.
After this I think the data sheet describes that the counter is reset to 0, right?

If an application is using the counter to prevent replay attacks, then this could be an issue. I wanted to keep track of the last validated counter on the server side and require new signature validations to contain a higher CmdCount than previously stored. This is, however, not a good enough solution because it will reset to 0 after reaching the maximum.

Is there any other way to implement a counter check against replay attacks that can cope with the counter reset?

0 Kudos
2 Replies

797 Views
fangfang
NXP TechSupport

Hello @piejanssens 

About resetting to 0, please kindly refer to the below:

The CmdCtr is reset to 0000h at PCD and PICC after a successful AuthenticateEV2First authentication and it is maintained as long as the PICC remains authenticated.

And if it reaches the max value: If the CmdCtr holds the value FFFFh and a command maintaining the active authentication arrives at the PICC, this leads to an error response and the command is handled like the MAC was wrong.

Have a nice day.

0 Kudos

790 Views
piejanssens
Contributor II

Does this mean that:

1) CmdCtr never resets to 0000h by reaching FFFFh+1, instead it will produce an error. 

2) Once FFFFh is reached, you would need to perform AuthenticateEV2First to reset it to 0000h. This is usually done when unlocking the tag for reprogramming?

0 Kudos
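
Added example, not part of the thread and not NXP code: a toy Python model of the counter behaviour quoted in the TechSupport reply (reset to 0000h on AuthenticateEV2First, error instead of wrap at FFFFh) next to the server-side "last validated counter" check described in the question. All class and method names are hypothetical, one increment per command is a simplification, and MAC verification is assumed to happen elsewhere and is passed in as `mac_ok`.

```python
from dataclasses import dataclass, field

CMD_CTR_MAX = 0xFFFF  # 16-bit counter, per the data sheet figure quoted in the thread


class CounterExhausted(Exception):
    """Counter is at FFFFh; per the reply, the tag answers with an error here."""


@dataclass
class TagCounterModel:
    """Toy model of the tag-side behaviour quoted in the reply (assumption)."""
    ctr: int = 0

    def authenticate_first(self) -> None:
        self.ctr = 0  # reset to 0000h after a successful AuthenticateEV2First

    def command(self) -> int:
        if self.ctr == CMD_CTR_MAX:
            # No silent wrap to 0000h: the command fails instead.
            raise CounterExhausted("re-authentication needed")
        self.ctr += 1  # simplification: one step per command
        return self.ctr


@dataclass
class ReplayGuard:
    """Server-side 'last validated counter' store, one entry per tag id."""
    last_seen: dict = field(default_factory=dict)

    def on_reauthenticated(self, tag_id: str) -> None:
        # Only legitimate reset: a fresh authentication the server took part in.
        self.last_seen.pop(tag_id, None)

    def accept(self, tag_id: str, ctr: int, mac_ok: bool) -> bool:
        if not mac_ok:                 # counter from an unverified message is untrusted
            return False
        if not 0 <= ctr <= CMD_CTR_MAX:
            return False               # outside the 16-bit range
        if ctr <= self.last_seen.get(tag_id, -1):
            return False               # replayed or stale value
        self.last_seen[tag_id] = ctr   # advance only after every check passed
        return True
```

Because the modelled counter stops at FFFFh rather than wrapping, the strictly-greater check never sees a legitimate lower value unless a re-authentication has been recorded first.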