NTAG 424 DNA Personalization

1,652 Views
ulrik1
Contributor I

Hi,

We are considering the NTAG 424 DNA tags for a system we're building and really like the built-in AES encryption (even though an asymmetric algorithm would have been even more useful).

My question relates to the personalization and the private key of the AES encryption of the tags:

Is it considered good practice to use the same private key for all tags in the system? Or is it possible to use different keys for each tag or batches of tags?

Having a single private key for 1.000s of tags makes that single private key extremely valuable and is effectively the single most important thing in the system.

Thanks in advance,

Ulrik

0 Kudos
5 Replies

1,497 Views
Kan_Li
NXP TechSupport

Hi Ulrik,

It depends on how high a level of security you want to achieve. Having a different key for each tag would be best.

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

1,497 Views
ulrik1
Contributor I

Hi Kan,

Thanks for your reply.

If using different keys for each tag, how will you determine which key to use when validating/decrypting data from the tag? I.e. when a URL containing the SUN is requested from the validation server.

Best,

Ulrik

0 Kudos

1,497 Views
Kan_Li
NXP TechSupport

Hi Ulrik,

NXP suggests using a master key which is securely stored (e.g. in an NXP MIFARE SAM secure module). This master key is then UID-diversified to get a unique key for each UID/tag. We have a “key diversification” application note, as well as an application note on how to use the SAM as key storage, with the SAM also performing key diversification.

Please kindly refer to the following links for details.

https://www.nxp.com/docs/en/application-note/AN10922.pdf 

https://www.nxp.com/docs/en/application-note/AN10969.pdf 

https://www.nxp.com/docs/en/application-note/AN10975.pdf 

Hope that helps,

Have a great day,
Kan

0 Kudos

1,497 Views
ulrik1
Contributor I

Hi again Kan,

Thanks for providing details for UID diversification. That is very useful.

With NTAG 424 DNA, is it possible to include the tag UID unencrypted in the URL using mirroring? This will be needed in order to derive the tag-specific key from the master key on the backend.

0 Kudos

1,497 Views
Kan_Li
NXP TechSupport

Hi Ulrik,

Do you mean something like the following example?

pastedImage_1.png

If yes, it is possible. Please kindly refer to https://www.nxp.com/docs/en/application-note/AN12196.pdf  for more details.

Hope that helps,

Have a great day,
Kan

0 Kudos
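
The backend step discussed in this thread, as an added example (not code from the thread or from NXP): read the UID mirrored in plain text in the URL and derive that tag's AES-128 key from the master key with the CMAC-based diversification described in AN10922. The master key, UID, AID and system identifier are sample values following that note's AES-128 example; the URL, the `uid` parameter name and the function names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
	"net/url"
)

// dbl doubles a 16-byte value in GF(2^128) (CMAC subkey step).
func dbl(in []byte) []byte {
	out := make([]byte, 16)
	for i := 0; i < 15; i++ {
		out[i] = in[i]<<1 | in[i+1]>>7
	}
	if out[15] = in[15] << 1; in[0]&0x80 != 0 {
		out[15] ^= 0x87
	}
	return out
}

// TagKey derives a tag's key as CMAC-style AES(master, 0x01 || UID || ctx).
func TagKey(master []byte, uidHex string, ctx []byte) ([]byte, error) {
	uid, err := hex.DecodeString(uidHex)
	if err != nil || len(uid) != 7 || len(master) != 16 || len(ctx) > 24 {
		return nil, fmt.Errorf("need 7-byte hex UID, 16-byte key, ctx <= 24 bytes")
	}
	blk, _ := aes.NewCipher(master) // cannot fail: length checked above
	sub, d := make([]byte, 16), make([]byte, 32)
	blk.Encrypt(sub, sub) // AES_K(0^16)
	sub = dbl(sub)        // K1, used when the 32-byte block is full
	d[0] = 0x01
	if n := 1 + copy(d[1:], append(uid, ctx...)); n < 32 {
		d[n], sub = 0x80, dbl(sub) // pad with 0x80 00.. and switch to K2
	}
	for i := range sub {
		d[16+i] ^= sub[i]
	}
	cipher.NewCBCEncrypter(blk, make([]byte, 16)).CryptBlocks(d, d)
	return d[16:], nil
}

func main() { // sample inputs; URL and "uid" parameter name are assumed
	mk, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF")
	u, _ := url.Parse("https://example.com/t?uid=04782E21801D80&ctr=000001")
	k, err := TagKey(mk, u.Query().Get("uid"), []byte("\x30\x42\xF5NXP Abu"))
	fmt.Printf("%X %v\n", k, err)
}
```

In a deployment that follows the reply above, the master key stays inside the SAM or an equivalent secure module and the derivation runs there rather than in application code.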