
How to verify the CMAC myself?

Question asked by Manuel Mertl on Jun 15, 2020
Latest reply on Jul 23, 2020 by Jonathan Iglesias

Intro/Goal:

Hi, my name is Manuel and I am a software engineer. Recently I bought some of your NTAG 424 DNA, which I want to use for a product authenticity solution.

Documents/Material:

I read through some documents but mainly the following two:
https://www.nxp.com/docs/en/data-sheet/NT4H2421Gx.pdf 

https://www.nxp.com/docs/en/application-note/AN12196.pdf

Hardware:

I bought an Identiv u Trust 3700 F CL reader that is connected to my MacBook Pro and I am running the NXP TagXplorer.

Configuration:

Using this as an example URL, where I have 3 custom params at the end, "n", "t", "p":

my-test-for-tags.com/scan?uid=00000000000000&ctr=000000&cmac=0000000000000000&n=2&t=1&p=3

I activated "ADD TAG UID", "ADD INTERACTION COUNTER" and "ENABLE SUN MESSAGE". I also set the calculated offset index at 33, which is right after the question mark in the URL (I hope this is correct?!)

After writing this information to the tag I am going to the NTAG 424 DNA Security settings, where I hit "Authenticate First".

(For this first try I don't want to change any of the default keys on the chip; that would be my next step once I get this simple example working.)

After being successfully authenticated

I am going to the "File Management" options and set the following data:

Problem:

When I now go to NDEF Operations and click on the READ NDEF button, it will give me for example this URI here:

https://my-test-for-tags.com/scan?uid=044B6A4A4E6880&ctr=000021&cmac=3E12626CBBFB3FB9&n=002&t=1&p=3

If I click the Read from Tag button again it gives me:
https://my-test-for-tags.com/scan?uid=044B6A4A4E6880&ctr=000022&cmac=211167FD30F03BEA&n=002&t=1&p=3

This gives me the same uid, but an incremented counter and a new cmac, which I guess is correct.

This data is now being sent to the backend, but how can I now recalculate the cmac (3E12626CBBFB3FB9) given in the URI from the two params uid (044B6A4A4E6880) and ctr (000021) in my backend?

I guess I also need to know the key that was used to encrypt it also on the backend, correct?

I guess in this default case the key is just 16 bits of zero like this 0000000000000000, correct?

But how exactly would this calculation now work? I can't figure it out with the two documents above.

Can you please give me a step by step example for this cmac calculation on my backend with my values given here?

Thanks for your help in advance.
