SDM (Secure Dynamic Messaging)

A feature in NFC chips (NTAG 413/424 DNA) that dynamically generates authentication data embedded in NDEF messages. The tag's URL changes with every tap, carrying encrypted or CMAC-signed chip state for backend verification.

Also known as: SDM Secure Dynamic Messaging

What Is SDM?

SDM (Secure Dynamic Messaging) is a firmware-level feature in NXP's NTAG 413 DNA and NTAG 424 DNA chip families that dynamically injects authenticated data into NDEF messages at the moment of each tap. Unlike traditional static NDEF storage, SDM-enabled tags modify their output on every read, embedding encrypted chip state, UID, counter values, and AES-CMAC authentication codes directly into the URL payload.

How SDM Works Internally

When a reader issues an NDEF read command, the tag's hardware AES engine performs real-time cryptographic operations:

  1. Template URL: The tag stores a base URL with placeholder offsets for dynamic data fields.
  2. PICC data injection: At the configured offset, the chip inserts its encrypted UID and current NFC read counter using a configured AES key.
  3. CMAC computation: The chip calculates an AES-CMAC over the entire NDEF payload using a second AES key and inserts it at the CMAC offset.
  4. Counter increment: The internal read counter advances monotonically, ensuring no two taps produce the same output.

SDM Configuration Parameters

Parameter          Description
-----------------  ---------------------------------------------------
SDM File Number    Which file triggers SDM (typically file 02)
PICC Data Offset   Byte position for the encrypted UID and counter
CMAC Offset        Byte position for the authentication MAC
Meta Read Key      AES key number used for PICC data encryption
File Read Key      AES key number used for CMAC generation

Backend Verification Flow

When a user taps an SDM-enabled tag, the phone opens the dynamically generated URL. The backend server parses the PICC data and CMAC, decrypts the PICC data to extract the UID and counter, recomputes the CMAC, and verifies the counter is strictly greater than the last recorded value. If all checks pass, the tag is authenticated as genuine and not replayed.

SDM vs Password Protection

Password protection in NTAG 21x uses a static 32-bit password transmitted in plaintext. SDM provides cryptographically stronger security: 128-bit AES keys, encrypted data, per-tap uniqueness, and counter-based replay prevention.

Practical Considerations

  • Key provisioning: Each tag must be individually provisioned with unique or diversified AES keys during manufacturing.
  • Server infrastructure: SDM requires a verification backend capable of AES decryption and CMAC validation.
  • URL length: Dynamic fields add approximately 50-80 characters. Ensure the tag has sufficient user memory.

SDM is the foundation of NXP's SUN (Secure Unique NFC) authentication ecosystem and the current state of the art in NFC tag security.

Frequently Asked Questions

The NFC glossary is a comprehensive reference of technical terms, acronyms, and concepts used in Near Field Communication technology. It is designed for developers, product managers, and engineers who work with NFC and need clear definitions of terms like NDEF, APDU, anti-collision, and ISO 14443.

Each glossary term is cross-referenced with related NFC chips, standards, and other terms. For example, the term 'AES-128' links to chips that support AES encryption (NTAG 424 DNA, DESFire EV2/EV3), and the term 'ISO 14443' links to all chips compliant with that standard.

Yes. NFCFYI provides glossary definitions in 15 languages including English, Korean, Japanese, Chinese, Spanish, Portuguese, Hindi, Arabic, French, Russian, German, Turkish, Vietnamese, Indonesian, and Thai. Use the language selector in the header to switch languages.