SUN (Secure Unique NFC)
NXP's authentication technology that generates a unique, cryptographically signed URL with every tap. Each scan produces a different message, making replay attacks impossible. Used in NTAG 223/224/424 DNA chips.
What Is a SUN Message?
SUN (Secure Unique NFC) is an authentication technology developed by NXP Semiconductors that generates a cryptographically unique URL every time an NFC tag is tapped. Unlike static NDEF payloads, a SUN-enabled tag produces a different message each time, making replay attacks mathematically impossible. SUN is implemented on NTAG 223 DNA, NTAG 224 DNA, and NTAG 424 DNA chip families.
How SUN Works
SUN leverages the chip's hardware AES-128 cryptographic engine combined with an internal read counter:
- Counter increment: The tag's internal NFC counter increments by one. This counter is monotonic and cannot be reset.
- CMAC generation: The chip computes an AES-CMAC over the current counter value, UID, and optionally additional data using a secret key stored in protected memory.
- URL assembly: The CMAC and counter are encoded into the NDEF URI payload as query parameters (e.g., https://verify.example.com/tag?uid=04A1...&ctr=000042&cmac=A7F3...).
- Backend verification: The server retrieves the tag's secret key, computes the expected CMAC for the received counter value, and compares it.
Because the counter increases with every tap and the CMAC depends on a secret key that never leaves the chip, an attacker cannot predict future valid URLs.
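The backend verification step described above, as an added example (not NXP's or this page's own code): it recomputes the AES-CMAC over UID and counter under the per-tag key, compares in constant time, and accepts a tap only if its counter is strictly higher than the last one accepted. The MAC input layout, the untruncated 16-byte CMAC, the constructed tag record and the names `tapUrl` and `verifyTap` are assumptions for illustration; real NTAG DNA chips follow the input format and key handling in NXP's documentation.

```javascript
const crypto = require("crypto");
// AES-CMAC (RFC 4493) on top of Node's AES-128 block cipher.
function aesBlock(key, block) {
  const c = crypto.createCipheriv("aes-128-ecb", key, null);
  c.setAutoPadding(false);
  return Buffer.concat([c.update(block), c.final()]);
}
function dbl(b) { // doubling in GF(2^128), used for the CMAC subkeys
  const out = Buffer.alloc(16);
  for (let i = 0; i < 16; i++) out[i] = ((b[i] << 1) | (i < 15 ? b[i + 1] >> 7 : 0)) & 0xff;
  if (b[0] & 0x80) out[15] ^= 0x87;
  return out;
}
function aesCmac(key, msg) {
  const k1 = dbl(aesBlock(key, Buffer.alloc(16)));
  const n = Math.max(1, Math.ceil(msg.length / 16));
  const full = msg.length > 0 && msg.length % 16 === 0;
  const last = Buffer.alloc(16);
  msg.copy(last, 0, (n - 1) * 16);
  if (!full) last[msg.length - (n - 1) * 16] = 0x80; // pad an incomplete final block
  const sub = full ? k1 : dbl(k1);
  let x = Buffer.alloc(16);
  for (let i = 0; i < n; i++) {
    const blk = i === n - 1 ? last.map((v, j) => v ^ sub[j]) : msg.subarray(i * 16, i * 16 + 16);
    x = aesBlock(key, x.map((v, j) => v ^ blk[j]));
  }
  return x;
}

// Constructed tag record; a real backend stores key and last counter per UID.
const tags = new Map([["04112233445566",
  { key: Buffer.from("000102030405060708090a0b0c0d0e0f", "hex"), lastCtr: 0x41 }]]);
// Stand-in for the tag. Assumed MAC input: UID bytes, then the 3-byte counter.
const tapUrl = (uid, key, ctr) => `https://verify.example.com/tag?uid=${uid}&ctr=${ctr}` +
  `&cmac=${aesCmac(key, Buffer.from(uid + ctr, "hex")).toString("hex").toUpperCase()}`;

function verifyTap(url) {
  const q = new URL(url).searchParams;
  const [uid, ctr, mac] = ["uid", "ctr", "cmac"].map((k) => (q.get(k) || "").toUpperCase());
  if (!/^[0-9A-F]{14}$/.test(uid) || !/^[0-9A-F]{6}$/.test(ctr) || !/^[0-9A-F]{32}$/.test(mac)) return "malformed";
  const tag = tags.get(uid);
  if (!tag) return "unknown-tag";
  const expected = aesCmac(tag.key, Buffer.from(uid + ctr, "hex"));
  if (!crypto.timingSafeEqual(expected, Buffer.from(mac, "hex"))) return "bad-cmac";
  if (parseInt(ctr, 16) <= tag.lastCtr) return "stale-counter"; // valid MAC, replayed or cloned URL
  tag.lastCtr = parseInt(ctr, 16); // advance only after the MAC checks out
  return "ok";
}
```

The replay resistance comes from the stored `lastCtr`: a server that checks only the CMAC would accept the same captured URL again. In a real database the compare-and-update of the counter has to be atomic.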
SUN vs Static Authentication
| Feature | Static NDEF | SUN Message |
|---|---|---|
| URL per tap | Same every time | Unique every time |
| Replay resistance | None | Full (counter-based) |
| Clone detection | Not possible | Detected via counter mismatch |
| Backend required | No | Yes (verification server) |
| Chip support | Any NDEF tag | NTAG 223/224/424 DNA only |
Relationship to SDM
SUN and SDM (Secure Dynamic Messaging) are closely related. SDM is the underlying chip firmware mechanism enabling dynamic content injection into NDEF messages. SUN is the application-layer term for the authentication use case built on top of SDM. Configuring a tag for SUN involves setting SDM parameters: PICC data offset, CMAC offset, and cryptographic key slot.
Use Cases
- Brand protection: Luxury goods and pharmaceuticals use SUN for per-tap verification that a product is genuine.
- Warranty validation: Each tap creates a unique event, building an immutable interaction history.
- Event ticketing: SUN-enabled wristbands generate a unique token per gate entry, preventing ticket sharing.
- Supply chain tracking: Counter values reveal how many times a tag was read, detecting unauthorized handling.