SUN (Secure Unique NFC)
NXP's authentication technology that generates a unique, cryptographically signed URL with every tap. Each scan produces a different message, making replay attacks impossible. Used in NTAG 223/224/424 DNA chips.
What Is a SUN Message?
SUN (Secure Unique NFC) is an authentication technology developed by NXP Semiconductors that generates a cryptographically unique URL every time an NFC tag is tapped. Unlike static NDEF payloads, a SUN-enabled tag produces a different message each time, making replay attacks mathematically impossible. SUN is implemented on NTAG 223 DNA, NTAG 224 DNA, and NTAG 424 DNA chip families.
How SUN Works
SUN leverages the chip's hardware AES-128 cryptographic engine combined with an internal read counter:
- Counter increment: The tag's internal NFC counter increments by one. This counter is monotonic and cannot be reset.
- CMAC generation: The chip computes an AES-CMAC over the current counter value, UID, and optionally additional data using a secret key stored in protected memory.
- URL assembly: The CMAC and counter are encoded into the NDEF URI payload as query parameters (e.g., https://verify.example.com/tag?uid=04A1...&ctr=000042&cmac=A7F3...).
- Backend verification: The server retrieves the tag's secret key, computes the expected CMAC for the received counter value, and compares it.
Because the counter increases with every tap and the CMAC depends on a secret key that never leaves the chip, an attacker cannot predict future valid URLs.
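The backend verification step above, sketched as an added example (not code from NXP or from this site). It assumes the simplified model described here: a 7-byte UID, the MAC being AES-CMAC over UID followed by the 3-byte counter as they appear in the URL, sent untruncated; the exact MAC input and truncation on a real tag come from NXP's chip documentation. `verifyTap`, `keyFor`, `tagMac` and the demo values are hypothetical names and constructed data, and the "counter must exceed the last accepted value" rule is the assumed server-side check behind counter-based replay and clone detection.

```javascript
const { createCipheriv, timingSafeEqual } = require('crypto');
const aesBlock = (key, b) => createCipheriv('aes-128-ecb', key, null).setAutoPadding(false).update(b);

// Doubling in GF(2^128): the RFC 4493 step that derives subkeys K1 and K2.
function dbl(b) {
  const out = Buffer.alloc(16);
  for (let i = 0; i < 16; i++) out[i] = ((b[i] << 1) | (i < 15 ? b[i + 1] >> 7 : 0)) & 0xff;
  if (b[0] & 0x80) out[15] ^= 0x87;
  return out;
}

// AES-CMAC (RFC 4493): CBC-MAC with K1 or K2 mixed into the final block.
function cmac(key, msg) {
  let k = dbl(aesBlock(key, Buffer.alloc(16))); // K1: final block is complete
  let m = Buffer.from(msg);
  if (m.length === 0 || m.length % 16 !== 0) {
    k = dbl(k); // K2: final block is padded with 0x80 00...
    m = Buffer.concat([m, Buffer.from([0x80]), Buffer.alloc(15 - (m.length % 16))]);
  }
  for (let j = 0; j < 16; j++) m[m.length - 16 + j] ^= k[j];
  const cbc = createCipheriv('aes-128-cbc', key, Buffer.alloc(16)).setAutoPadding(false);
  return cbc.update(m).subarray(-16);
}

// Assumption (simplified model): MAC input is UID || counter, exactly as hex-encoded in the URL.
const tagMac = (key, uidHex, ctrHex) => cmac(key, Buffer.from(uidHex + ctrHex, 'hex'));

const lastCtr = new Map(); // highest counter accepted per UID (stand-in for a database)

// verifyTap checks one tapped URL; keyFor(uid) is a hypothetical per-tag key lookup.
function verifyTap(url, keyFor) {
  const q = new URL(url).searchParams;
  const [uid, ctr, mac] = ['uid', 'ctr', 'cmac'].map((p) => (q.get(p) || '').toUpperCase());
  const hex = (s, n) => new RegExp(`^[0-9A-F]{${n}}$`).test(s);
  if (!hex(uid, 14) || !hex(ctr, 6) || !hex(mac, 32)) return 'malformed';
  const key = keyFor(uid);
  if (!key) return 'unknown tag';
  const n = parseInt(ctr, 16);
  if (!timingSafeEqual(tagMac(key, uid, ctr), Buffer.from(mac, 'hex'))) return 'bad cmac';
  if (n <= (lastCtr.get(uid) || 0)) return 'replay or clone'; // counter must move forward
  lastCtr.set(uid, n);
  return 'ok';
}

// Constructed demo: key and UID are made up, and tagMac stands in for the tag.
const demoKey = Buffer.alloc(16, 0x11);
const demoMac = tagMac(demoKey, '04A1B2C3D4E5F6', '000042').toString('hex');
const demoUrl = `https://verify.example.com/tag?uid=04A1B2C3D4E5F6&ctr=000042&cmac=${demoMac}`;
console.log(verifyTap(demoUrl, () => demoKey), verifyTap(demoUrl, () => demoKey));
```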
SUN vs Static Authentication
| Feature | Static NDEF | SUN Message |
|---|---|---|
| URL per tap | Same every time | Unique every time |
| Replay resistance | None | Full (counter-based) |
| Clone detection | Not possible | Detected via counter mismatch |
| Backend required | No | Yes (verification server) |
| Chip support | Any NDEF tag | NTAG 223/224/424 DNA only |
Relationship to SDM
SUN and SDM (Secure Dynamic Messaging) are closely related. SDM is the underlying chip firmware mechanism enabling dynamic content injection into NDEF messages. SUN is the application-layer term for the authentication use case built on top of SDM. Configuring a tag for SUN involves setting SDM parameters: PICC data offset, CMAC offset, and cryptographic key slot.
Use Cases
- Brand protection: Luxury goods and pharmaceuticals use SUN for per-tap verification that a product is genuine.
- Warranty validation: Each tap creates a unique event, building an immutable interaction history.
- Event ticketing: SUN-enabled wristbands generate a unique token per gate entry, preventing ticket sharing.
- Supply chain tracking: Counter values reveal how many times a tag was read, detecting unauthorized handling.