Chip vs Chip

NTAG 424 DNA vs MIFARE DESFire Light

NTAG 424 DNA offers 256 bytes of memory with AES-128 + SUN authentication security, making it ideal for product authentication, anti-counterfeiting, and secure access. MIFARE DESFire Light provides 640 bytes with AES-128 + LRP security, suited for transit tickets, loyalty, and micro-payment tokens.

NTAG 424 DNA and MIFARE DESFire Light are both AES-capable single-application chips at relatively accessible price points. Their differences reveal how similar security foundations serve radically different application domains — one optimized for consumer-facing authentication, the other for transit gate throughput in controlled infrastructure.


Overview

MIFARE DESFire Light is NXP's cost-reduced DESFire variant, offering 640 bytes of EEPROM across a single-application file system secured by AES-128 with the LRP (Leakage Resilient Primitive) cipher option. It targets disposable transit tickets and low-value micropayment tokens where full DESFire EV3 cost is difficult to justify but Crypto-1 weakness cannot be tolerated. Unlike full DESFire, it supports only one application and up to three data files within that application. Its ISO 14443-4 (T=CL) compliance at up to 424 kbps enables the fast authenticated transactions required at transit gates during peak commuter hours.

NTAG 424 DNA also targets a single application, but in the anti-counterfeiting domain rather than transit. Its 256 bytes and SDM engine generate per-tap SUN MACs verifiable by any web server via standard HTTPS — no reader infrastructure required beyond the consumer's own smartphone. The SUN URL changes on every tap through an AES-128 MAC, making tag cloning cryptographically futile without knowledge of the secret key.
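The server-side check behind such a SUN URL, as an added example that is not code from this page or from NXP: it recomputes the truncated AES-CMAC from the mirrored UID and tap counter and also rejects a counter it has already accepted, which is what defeats a copied URL. Assumptions: a plain UID + counter mirror with empty MAC input, the session-key prefix and odd-byte truncation as commonly described for NXP's SDM scheme (confirm against the data sheet), and hypothetical names `sunMac`, `verifyTap` and `lastSeen`.

```javascript
const crypto = require('crypto');

// One AES-128 block, ECB, no padding: the primitive AES-CMAC is built on.
function aesBlock(key, block) {
  const c = crypto.createCipheriv('aes-128-ecb', key, null);
  c.setAutoPadding(false);
  return Buffer.concat([c.update(block), c.final()]);
}
const xor = (a, b) => Buffer.from(a.map((v, i) => v ^ b[i]));
// Doubling in GF(2^128), used to derive the CMAC subkeys (RFC 4493).
function dbl(b) {
  const out = Buffer.alloc(16);
  for (let i = 0; i < 16; i++) out[i] = ((b[i] << 1) | (i < 15 ? b[i + 1] >> 7 : 0)) & 0xff;
  if (b[0] & 0x80) out[15] ^= 0x87;
  return out;
}
// AES-CMAC (RFC 4493) over a message of any length, including empty.
function aesCmac(key, msg) {
  const n = Math.max(1, Math.ceil(msg.length / 16));
  const complete = msg.length > 0 && msg.length % 16 === 0;
  const last = Buffer.alloc(16);
  msg.copy(last, 0, (n - 1) * 16);
  if (!complete) last[msg.length - (n - 1) * 16] = 0x80; // 10* padding
  const k1 = dbl(aesBlock(key, Buffer.alloc(16)));
  let x = Buffer.alloc(16);
  for (let i = 0; i < n - 1; i++) x = aesBlock(key, xor(x, msg.subarray(i * 16, i * 16 + 16)));
  return aesBlock(key, xor(xor(x, last), complete ? k1 : dbl(k1)));
}
// Truncated SUN MAC for a 7-byte UID and 3-byte counter (layout is an assumption, see above).
function sunMac(key, uidHex, ctrHex) {
  const ctrLsb = Buffer.from(ctrHex, 'hex').reverse(); // URL shows MSB first, derivation uses LSB first
  const sv2 = Buffer.concat([Buffer.from('3cc300010080', 'hex'), Buffer.from(uidHex, 'hex'), ctrLsb]);
  const full = aesCmac(aesCmac(key, sv2), Buffer.alloc(0)); // session key, then MAC over empty input
  return Buffer.from(full.filter((_, i) => i % 2 === 1)); // keep 8 of the 16 bytes
}
// Hypothetical backend check: the MAC must match AND the counter must advance.
const lastSeen = new Map(); // uid -> highest counter accepted (in-memory stand-in for a database)
function verifyTap(key, uidHex, ctrHex, macHex) {
  const hex = (s, n) => new RegExp(`^[0-9a-fA-F]{${n}}$`).test(s);
  if (!hex(uidHex, 14) || !hex(ctrHex, 6) || !hex(macHex, 16)) return 'malformed';
  const ok = crypto.timingSafeEqual(sunMac(key, uidHex, ctrHex), Buffer.from(macHex, 'hex'));
  if (!ok) return 'bad-mac';
  const ctr = parseInt(ctrHex, 16), uid = uidHex.toLowerCase();
  if (ctr <= (lastSeen.get(uid) ?? -1)) return 'replay';
  lastSeen.set(uid, ctr);
  return 'ok';
}
```

A URL copied from a genuine tap still carries a valid MAC, so it is the counter comparison, not the MAC alone, that makes the second presentation return `replay`.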


Key Differences

  • SDM capability: NTAG 424 DNA has SDM — the ability to embed a changing AES-128 MAC into a URL on every tap for server-side verification. DESFire Light does not have SDM. Authentication on DESFire Light is reader-initiated mutual AES, requiring a custom reader application.
  • Memory: DESFire Light offers 640 bytes organized into up to three files within one application. NTAG 424 DNA offers 256 bytes organized as three AES-protected files.
  • LRP cipher: DESFire Light supports the LRP (Leakage Resilient Primitive) cipher option in addition to AES-128 — providing additional resistance to side-channel attacks. NTAG 424 DNA does not implement LRP.
  • Transaction speed: DESFire Light at 424 kbps with LRP completes transit gate transactions in under 100 ms — a hard operational requirement for high-throughput transit gates. NTAG 424 DNA operates at 106 kbps, adequate for product tap interactions.
  • Consumer UX: NTAG 424 DNA SDM works on any NFC phone without an app — the tap returns a URL that a standard browser opens and the backend validates. DESFire Light requires a dedicated reader application to perform AES mutual authentication.
  • Cost: DESFire Light at $0.30–$0.70 is slightly more expensive than NTAG 424 DNA at $0.25–$0.60 at comparable volumes, reflecting the additional file system and LRP cipher implementation.

Technical Comparison

| Parameter | NTAG 424 DNA | MIFARE DESFire Light |
|---|---|---|
| NFC Tag Type | Type 4 (ISO 14443-4) | Type 4 (ISO 14443-4) |
| User memory | 256 bytes | 640 bytes |
| Security | AES-128 + SDM | AES-128 + LRP |
| SDM / SUN authentication | Yes | No |
| LRP cipher support | No | Yes |
| Applications | 1 | 1 |
| Files per application | 3 | Up to 3 |
| Data rate | 106 kbps | 106 / 212 / 424 kbps |
| Transit gate suitability | No (106 kbps) | Yes (424 kbps with LRP) |
| Consumer app-free verification | Yes | No |
| Write endurance | 500,000 writes | 200,000 writes |
| Data retention | 10 years | 10 years |
| Unit cost (volume) | $0.25–$0.60 | $0.30–$0.70 |

Use Cases

Where NTAG 424 DNA Excels

  • Consumer-facing product authentication: Any tap by a consumer's NFC smartphone returns a server-verifiable URL. Ideal for luxury goods, pharmaceuticals, and electronics accessories where the verification happens in a browser without an app.
  • Anti-counterfeiting at volume: Millions of unique tags can be deployed with per-tap AES-128 MAC verification — no reader infrastructure required on the consumer side.
  • Open-world deployments: NTAG 424 DNA's SDM works whenever a consumer brings their phone to the tag. DESFire Light's AES requires the operator to control the reader.

Where MIFARE DESFire Light Excels

  • Limited-use transit tickets: Weekly or multi-day passes where AES-protected stored value must be decremented at gate readers without Crypto-1's well-known vulnerabilities.
  • Closed-loop micropayment tokens: Vending machines, laundry, and parking systems where the operator controls both the card stock and the readers.
  • Transit operator migration from Classic: Transit agencies replacing Crypto-1 Classic cards with AES-protected stock at minimum additional cost per card.

Verdict

DESFire Light is the cost-minimized AES transit token — choose it for single-application transit and micropayment deployments in controlled reader environments where 424 kbps transaction speed and LRP cipher matter. NTAG 424 DNA is the anti-counterfeiting label chip — choose it when consumer smartphone verification via SDM SUN is the goal and reader infrastructure is a consumer's own phone. They serve adjacent security tiers in completely different deployment environments with no meaningful overlap in practice.

Recommendation

Choose NTAG 424 DNA when you need dynamic URL authentication without an app; choose MIFARE DESFire Light when you need DESFire security in a cost-optimized package.