AES Encryption


Advanced Encryption Standard (AES) with 128-bit keys, as used in modern NFC chips (NTAG 424 DNA, DESFire EV3, ICODE DNA) for strong cryptographic security. It provides mutual authentication and encrypted data exchange.

Aliases: AES, AES-128, AES encryption

AES (Advanced Encryption Standard) with 128-bit keys is the primary cryptographic mechanism used in modern NFC chips for secure authentication, encrypted data exchange, and anti-counterfeiting. AES-128 provides strong symmetric encryption that is considered computationally infeasible to break with current or foreseeable technology, making it the foundation for security-sensitive NFC applications.

AES in NFC Chips

Several NFC chip families implement hardware AES acceleration:

| Chip | AES Variant | Key Slots | Use Case |
|---|---|---|---|
| NTAG 424 DNA | AES-128 | 5 keys | SUN / SDM authentication |
| MIFARE DESFire EV3 | AES-128 | Up to 28 keys per app | Multi-application secure storage |
| MIFARE Ultralight AES | AES-128 | 2 keys | Lightweight authenticated access |
| ICODE DNA | AES-128 | 4 keys | Supply chain authentication |
| ST25TA | AES-128 | Configurable | ISO 7816-4 secure messaging |

The AES engine runs on a dedicated hardware co-processor within the NFC chip, completing encryption and decryption operations without exposing key material to the external interface. Keys are stored in protected memory areas that cannot be read back — only used for cryptographic operations.

Mutual Authentication Flow

AES enables mutual authentication between reader and tag, ensuring both parties verify each other's identity before exchanging sensitive data:

  1. Reader challenge: The reader sends a random number (RndA) to the tag.
  2. Tag response: The tag generates its own random number (RndB), encrypts both RndA and RndB with the shared AES key, and returns the ciphertext.
  3. Reader verification: The reader decrypts the response using its copy of the AES key, verifies that the returned RndA matches what it sent, and sends encrypted RndB back to the tag.
  4. Tag verification: The tag verifies the returned RndB matches its original value.
  5. Session keys: Both parties derive session keys from the exchanged random numbers for encrypting subsequent data transfer.

Advantages over Password Protection

| Feature | Password Protection | AES Encryption |
|---|---|---|
| Key length | 32 bits | 128 bits |
| Transmission | Plaintext | Encrypted |
| Session encryption | No | Yes (derived session keys) |
| Replay resistance | No | Yes (random challenge-response) |
| Mutual verification | No (reader verifies tag only via PACK) | Yes (both parties verify) |
| Brute-force difficulty | ~4.3 billion attempts | ~3.4 x 10^38 attempts |

Application: Secure Dynamic Messaging (SDM)

In NTAG 424 DNA, AES encryption powers the SDM feature. The tag generates a unique AES-CMAC (Cipher-based Message Authentication Code) on every tap, embedded in the NDEF URL as query parameters. The backend server verifies this CMAC using the shared key, confirming both tag authenticity and tap uniqueness. This makes cloning and replay attacks practically impossible.

Frequently Asked Questions

The NFC glossary is a comprehensive reference of technical terms, acronyms, and concepts used in Near Field Communication technology. It is designed for developers, product managers, and engineers who work with NFC and need clear definitions of terms like NDEF, APDU, anti-collision, and ISO 14443.

Each glossary term is cross-referenced with related NFC chips, standards, and other terms. For example, the term 'AES-128' links to chips that support AES encryption (NTAG 424 DNA, DESFire EV2/EV3), and the term 'ISO 14443' links to all chips compliant with that standard.

Yes. NFCFYI provides glossary definitions in 15 languages including English, Korean, Japanese, Chinese, Spanish, Portuguese, Hindi, Arabic, French, Russian, German, Turkish, Vietnamese, Indonesian, and Thai. Use the language selector in the header to switch languages.