Security

SDM (Secure Dynamic Messaging)

<\/script>\n
'; }, get iframeSnippet() { const domain = '{ SITE_DOMAIN }'; const type = '{ embed_type }'; const slug = '{ embed_slug }'; return ''; }, get activeSnippet() { return this.method === 'script' ? this.scriptSnippet : this.iframeSnippet; }, copySnippet() { navigator.clipboard.writeText(this.activeSnippet).then(() => { this.copied = true; setTimeout(() => { this.copied = false; }, 2000); }); } }" @keydown.escape.window="open = false" @click.outside="open = false">

Embed This Widget

Theme


      
    


    
    

      Widget powered by
      .
      Free, no account required.
    

  





    
    

      
A feature in NFC chips (NTAG 413/424 DNA) that dynamically generates authentication data embedded in NDEF messages. The tag's URL changes with every tap, carrying encrypted or CMAC-signed chip state for backend verification.

    


    
    
    

      별칭:
      
      SDM
      
      Secure Dynamic Messaging
      
    

    
  


  




  
  

    
What Is SDM?


SDM (Secure Dynamic Messaging) is a firmware-level feature in NXP's NTAG 413 DNA and NTAG 424 DNA chip families that dynamically injects authenticated data into NDEF messages at the moment of each tap. Unlike traditional static NDEF storage, SDM-enabled tags modify their output on every read, embedding encrypted chip state, UID, counter values, and AES-CMAC authentication codes directly into the URL payload.


How SDM Works Internally


When a reader issues an NDEF read command, the tag's hardware AES engine performs real-time cryptographic operations:


    

  1. Template URL: The tag stores a base URL with placeholder offsets for dynamic data fields.
    2. 

  2. PICC data injection: At the configured offset, the chip inserts its encrypted UID and current NFC read counter using a configured AES key.
    3. 

  3. CMAC computation: The chip calculates an AES-CMAC over the entire NDEF payload using a second AES key and inserts it at the CMAC offset.
    4. 

  4. Counter increment: The internal read counter advances monotonically, ensuring no two taps produce the same output.
    5. 



SDM Configuration Parameters






Parameter
Description






SDM File Number
Which file triggers SDM (typically file 02)




PICC Data Offset
Byte position for encrypted UID+counter




CMAC Offset
Byte position for the authentication MAC




Meta Read Key
AES key number for PICC data encryption




File Read Key
AES key number for CMAC generation






Backend Verification Flow


When a user taps an SDM-enabled tag, the phone opens the dynamically generated URL. The backend server parses the PICC data and CMAC, decrypts the PICC data to extract the UID and counter, recomputes the CMAC, and verifies the counter is strictly greater than the last recorded value. If all checks pass, the tag is authenticated as genuine and not replayed.


SDM vs Password Protection


Password protection in NTAG 21x uses a static 32-bit password transmitted in plaintext. SDM provides cryptographically stronger security: 128-bit AES keys, encrypted data, per-tap uniqueness, and counter-based replay prevention.


Practical Considerations


    

  • Key provisioning: Each tag must be individually provisioned with unique or diversified AES keys during manufacturing.
    • 

  • Server infrastructure: SDM requires a verification backend capable of AES decryption and CMAC validation.
    • 

  • URL length: Dynamic fields add approximately 50-80 characters. Ensure the tag has sufficient user memory.
    • 



SDM is the foundation of NXP's SUN (Secure Unique NFC) authentication ecosystem and the current state of the art in NFC tag security.

  

  

  
  
  




  
  
Related Terms

  

  

    
    AES Encryption
    
    SUN (Secure Unique NFC)
    
    NTAG DNA (Technology)
    
  





  

  
  

  
  

  
  
  

    
Related Content

    

      
      
        

          
          
NFC Chips Compared

          
          Getting Started
          
        

        
        
        
…lock-bits . NTAG DNA and NTAG 424 add aes-encryption and sdm (Secure Dynamic Messaging). MIFARE Classic (NXP) — The…

        
      
      
      
        

          
          
NFC vs RFID: Detailed Comparison

          
          Getting Started
          
        

        
        
        
…(ISO 15693 / nfc-v ) Anti-counterfeiting NFC (NTAG 424 DNA sdm ) Smart poster / URL launch NFC ( ndef-uri ) Frequency…

        
      
      
      
        

          
          
NFC Security Deep Dive

          
          Security
          
        

        
        
        
…password-protection Replay attack Application Moderate SDM counters, nonces Side-channel Hardware Very high Secure IC…

        
      
      
      
        

          
          
NFC Anti-Counterfeiting Guide

          
          Security
          
        

        
        
        
…AES challenge-response with backend Very low Moderate 4 — SDM + backend Encrypted URL params + server verify Extremely…

        
      
      
      
        

          
          
MIFARE Classic to DESFire Migration

          
          Security
          
        

        
        
        
…UID randomization No Optional (random UID) Optional SUN / SDM No No Yes (EV3 only) Typical memory 1 KB / 4 KB 2–32 KB…

        
      
      
      
        

          
          
MIFARE Classic Security Analysis

          
          Security
          
        

        
        
        
…transaction MAC NTAG 424 DNA ISO 14443-3A aes-encryption , sdm , originality-signature For a structured migration guide…

        
      
      
      
        

          
          
NFC in Retail

          
          Industry
          
        

        
        
        
…cryptographic signature High — requires NXP private key SDM / SUN message Tag generates AES-encrypted mirror data on…

        
      
      
      
        

          
          
NFC in Logistics and Supply Chain

          
          Industry
          
        

        
        
        
…BOM snapshot in quality management system NTAG DNA with SDM links finished VIN to assembly record — tamper-evident…

        
      
      
    

  

  

  
  




  
자주 묻는 질문


  

    
    

      
      

        
The NFC glossary is a comprehensive reference of technical terms, acronyms, and concepts used in Near Field Communication technology. It is designed for developers, product managers, and engineers who work with NFC and need clear definitions of terms like NDEF, APDU, anti-collision, and ISO 14443.

      

    

    
    

      
      

        
Each glossary term is cross-referenced with related NFC chips, standards, and other terms. For example, the term 'AES-128' links to chips that support AES encryption (NTAG 424 DNA, DESFire EV2/EV3), and the term 'ISO 14443' links to all chips compliant with that standard.

      

    

    
    

      
      

        
Yes. NFCFYI provides glossary definitions in 15 languages including English, Korean, Japanese, Chinese, Spanish, Portuguese, Hindi, Arabic, French, Russian, German, Turkish, Vietnamese, Indonesian, and Thai. Use the language selector in the header to switch languages.