
This is an awesome project! For anyone building physical Bitcoin projects with NFC tags, utilizing NTAG424 DNA tags is a massive upgrade over generic NTAG213/215 tags.

NTAG424 DNA supports SUN (Secure Unique NDEF). It generates a new AES-128 cryptographic signature (CMAC) on every single scan, which is dynamically appended to the URL query string.

This gives you two critical security properties:

  1. Anti-Cloning: An attacker cannot simply read the NDEF data and clone the tag to another blank tag, because the signature changes on every tap.
  2. Server-side Verification: The verifying server decrypts and validates the CMAC signature to confirm the scan is fresh and authentic, without the tag ever having to reveal its root key.

If you pair NTAG424 DNA SUN with a FOSS server, you get a highly secure physical Casascius coin where the key is safely encrypted, and tap verification is completely secure against replay attacks. Very cool implementation!
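
The server-side check described in the comment above, as an added example (not part of the comment and not the project's code): recompute the per-tap MAC and reject any counter that does not advance. The query parameter names `uid`, `ctr` and `cmac`, the single shared `fileKey`, and the in-memory `lastSeen` map are assumptions; the session-key derivation and MAC truncation are modelled on NXP's published SUN scheme for a plaintext UID and counter mirror with empty MAC input, and should be checked against the tag's actual SDM configuration.

```javascript
const crypto = require('node:crypto');
// One raw AES-128 block encryption (ECB, no padding): the primitive CMAC is built on.
function aesBlock(key, block) {
  const c = crypto.createCipheriv('aes-128-ecb', key, null).setAutoPadding(false);
  return Buffer.concat([c.update(block), c.final()]);
}
// CMAC subkey step: shift left one bit; XOR 0x87 into the last byte if the top bit fell out.
function dbl(b) {
  const out = Buffer.alloc(16);
  for (let i = 0; i < 16; i++) out[i] = ((b[i] << 1) | (i < 15 ? b[i + 1] >> 7 : 0)) & 0xff;
  if (b[0] & 0x80) out[15] ^= 0x87;
  return out;
}
// AES-CMAC per RFC 4493.
function aesCmac(key, msg) {
  const k1 = dbl(aesBlock(key, Buffer.alloc(16)));
  const n = Math.max(1, Math.ceil(msg.length / 16));
  const complete = msg.length > 0 && msg.length % 16 === 0;
  const last = Buffer.alloc(16);
  msg.copy(last, 0, (n - 1) * 16);
  if (!complete) last[msg.length - (n - 1) * 16] = 0x80;
  const sub = complete ? k1 : dbl(k1);
  for (let i = 0; i < 16; i++) last[i] ^= sub[i];
  let x = Buffer.alloc(16);
  for (let b = 0; b < n; b++) {
    const blk = b === n - 1 ? last : msg.subarray(b * 16, b * 16 + 16);
    for (let i = 0; i < 16; i++) x[i] ^= blk[i];
    x = aesBlock(key, x);
  }
  return x;
}
// Expected 8-byte SUN MAC (assumed layout: plaintext UID and counter mirror, empty MAC input).
function sunMac(fileKey, uidHex, ctr) {
  const ctrLE = Buffer.from([ctr & 0xff, (ctr >> 8) & 0xff, (ctr >> 16) & 0xff]);
  const sv2 = Buffer.concat([Buffer.from('3cc300010080', 'hex'), Buffer.from(uidHex, 'hex'), ctrLE]);
  const full = aesCmac(aesCmac(fileKey, sv2), Buffer.alloc(0)); // per-tap session key, then MAC
  return Buffer.from(full.filter((_, i) => i % 2 === 1)); // keep bytes 1,3,...,15
}
// lastSeen: Map of uid -> highest counter accepted (constructed stand-in for a database).
function verifyTap(url, fileKey, lastSeen) {
  const q = new URL(url).searchParams;
  const [uid, ctrHex, macHex] = ['uid', 'ctr', 'cmac'].map(k => (q.get(k) || '').toLowerCase());
  if (!/^[0-9a-f]{14}:[0-9a-f]{6}:[0-9a-f]{16}$/.test(`${uid}:${ctrHex}:${macHex}`)) return 'malformed';
  const ctr = parseInt(ctrHex, 16);
  if (!crypto.timingSafeEqual(sunMac(fileKey, uid, ctr), Buffer.from(macHex, 'hex'))) return 'bad-mac';
  if (ctr <= (lastSeen.get(uid) ?? -1)) return 'replay';
  lastSeen.set(uid, ctr);
  return 'ok';
}
```

The counter comparison is what defeats a copied URL: a captured tap carries a valid MAC, but its counter is no longer greater than the stored one.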