NTAG 424 DNA Tamper-Evident Tags
Quick answer
NTAG 424 DNA is NXP's flagship NFC sticker chip for product authentication: AES-128 mutual authentication plus Secure Dynamic Messaging (SDM) generates a cryptographically unique URL on every tap, making cloning mathematically infeasible without the secret key. The TagTamper variant adds a bridge-antenna loop that irreversibly registers a tamper event in the chip's CTTES register when the sticker is peeled. Standard sizes are Ø22 / Ø25 / Ø30 / Ø38 mm and a 30×45 mm label. The chip is an NFC Forum Type 4 Tag, so iPhone 7+ and all NFC Android phones verify it natively with no app required. It is the general-purpose flagship product behind our application-specific NFC tags for spirits, cosmetics, olive oil, sneakers, luxury handbags, pharmaceuticals, batteries and Digital Product Passports.
- AES-128 Secure Dynamic Messaging (SDM): every tap generates a unique, signed URL parameter (PICCData + CMAC) that cannot be replayed without the secret key — cloning is mathematically infeasible.
- Tamper-evident bridge-antenna loop (TagTamper variant): the antenna connection irreversibly breaks on peel and the chip permanently records 'tampered' in its CTTES register — reported on every subsequent tap.
- NFC Forum Type 4 Tag — native read on iPhone 7+ and all NFC Android. Consumers verify authenticity with a standard phone tap, no app required.
At a glance
Chip silicon
- NXP NTAG 424 DNA (NT4H2421Gx) — AES-128 mutual authentication + SDM
- NXP NTAG 424 DNA TagTamper (NT4H2421Tx) — adds tamper-loop CTTES register
Memory architecture
- 416 bytes user memory across 3 standard NDEF data files (file 1 / file 2 / file 3)
- 5-key role-based access architecture: app master + 4 application keys
Cryptographic security
- AES-128 mutual authentication per ISO/IEC 14443-4 + ISO/IEC 9798
- SDM Secure Dynamic Messaging — single-use authentication code per tap
- SUN URL: PICCData (encrypted UID + counter) + optional encrypted file mirror + CMAC signature
- Per-tag diversified key via CMAC-AES (NXP AN10922) from buyer master secret
RF + protocol
- 13.56 MHz HF carrier, ISO/IEC 14443-4 Type A transmission protocol
- NFC Forum Type 4 Tag operation — native phone read, no app required
- Read distance 20-40 mm with consumer phone antennas (chip class 6)
- Apple Core NFC framework (iOS 14+) + Android NFC API ready
Tamper-evidence mechanism
- Bridge-antenna loop routes RF coil through breakable trace at sticker edge
- Peeling severs trace — chip detects open circuit, sets CTTES register
- CTTES is one-way write-only — cannot be reset or forged
- Tamper status surfaced in SUN payload on every tap forever after
Form factors + sizes
- Ø22 mm (compact bottle-cap / cosmetics seal)
- Ø25 mm (standard balanced size)
- Ø30 mm (extended read range)
- Ø38 mm (luxury packaging / wine capsule)
- 30×45 mm rectangular label format
- Custom shapes from MOQ 5,000 (rectangle / oval / void-pattern die-cuts)
Substrate + adhesive
- PET face stock (75 µm transparent or matte white) — standard
- Paper (FSC-certified, 80 gsm) — wine-label / pharmacy-box variant
- Acrylic permanent adhesive (3M 467MP / 9472LE) — surface-energy ≥30 mN/m
- Optional clear-on-clear (transparent face + transparent adhesive) for premium glass
- Anti-metal variant: ferrite spacer for metal substrate compatibility
Personalisation + encoding
- AES-128 per-tag diversified key provisioning at our secure encoding line
- SDM URL template encoded per buyer (verify.brand.com?picc=...&cmac=...)
- Variable digital print on face — UID / serial / QR / brand artwork
- Encrypted UID-to-key CSV delivered for backend integration
Application verticals
- Wine + spirits anti-counterfeit (under-cap or capsule placement)
- Pharmaceutical anti-tamper (sits ON TOP of mandated GS1 DataMatrix)
- Luxury cosmetics and fragrance refill prevention
- Luxury fashion and leather-goods authentication (handbags / sneakers)
- EU Digital Product Passport carrier (textile / electronics / battery)
Backend integration patterns
- SDM signature verification: open-source Python / Node / Go reference libraries
- Counter-anomaly anti-cloning: detect non-monotonic / geographic-impossibility taps
- Tamper-state surfacing: CTTES decoded into 'Authentic / Tampered / Cloned' result
- REST API integration with brand DTC apps + e-commerce verification widgets
Standards + compliance
- ISO/IEC 14443-4 Type A transmission protocol
- ISO/IEC 7816-4 file structure (NDEF over Type 4 Tag)
- FIPS PUB 197 (AES) + NIST SP 800-38B (CMAC) cryptographic primitives
- NFC Forum Type 4 Tag Operation Specification
- EU ESPR 2024/1781 + EU FMD 2011/62/EU + US FDA DSCSA framework support
Procurement
- MOQ 1,000 pieces (provisioned), 50-100 non-provisioned engineering samples
- Lead time 15-20 business days (chip lot dependent)
- Encrypted key CSV delivered separately from physical inventory
- RoHS / REACH compliant materials, FDA 21 CFR 175.105 indirect-food-contact PSA option
Why brands deploy NTAG 424 DNA over NTAG213 / 216
- Static NFC URL is trivially clonable. A brand deploys NTAG213 stickers encoding their authentication URL; a counterfeiter reads the URL from any authentic product, duplicates it onto thousands of blank NTAG213 stickers and applies them to fake products; consumers scanning any fake sticker see the same 'Authentic' page as the original.
- Tamper evidence destroyed without NFC detection. A pharmaceutical company using holographic void labels for tamper evidence discovers that a sophisticated counterfeiter can remove the hologram with a heat gun and reapply it to a refilled package without activating the hologram's void pattern; no digital record of the opening event exists.
- Backend authentication server required but not maintained. A luxury brand deploys NFC authentication requiring consumers to hit a backend API to verify the tag signature; 18 months after launch, the API service is discontinued and all existing tags in the market become unverifiable.
- Key management complexity prevents adoption. A beverage brand's security team understands that cryptographic NFC authentication requires key provisioning and management; without a clear path to AES key diversification, key rotation and secure key delivery to the encoding facility, the project stalls in procurement.
- Consumer friction from app requirement. A cosmetics brand's initial NFC authentication deployment requires consumers to download a dedicated brand app; app store reviews cite the download requirement as a barrier, and active user rates are under 3%.
How Proud Tek solves NFC authentication sourcing problems
Hologram / NTAG213 sticker / static QR
- Static URL: identical bytes on every tap — counterfeiter clones authentic URL onto 10,000 blank chips
- Hologram void-pattern can be lifted with heat gun and reapplied to refilled packaging
- Static QR has no cryptographic tie to physical tag — screenshot and reprint defeats it
- No tamper digital record — consumer cannot tell genuine-but-opened from genuine-sealed
- Brand-app download barrier crushes consumer engagement to 3% range
NTAG 424 DNA SUN + bridge-antenna tamper loop (this page)
- AES-128 SDM: every tap is a single-use cryptographic code; cloning requires secret key extraction (chip-level write-only key)
- Bridge-antenna severs on peel; CTTES register permanent — tamper status surfaces forever after
- Counter-anomaly detection: non-monotonic or geographically-impossible taps flag suspected clones
- Native phone NFC, no app: raises consumer engagement rate from 3% to 14-18% in observed deployments
- 5-key role-based access lets recyclers / regulators / service-providers read distinct file slots without master key
- SDM as the anti-cloning mechanism: NTAG 424 DNA with SDM generates a unique authentication code on every tap by encrypting the UID, a read counter and a file data mirror with the AES-128 session key; even if a counterfeiter reads 10,000 authentic taps, each SDM code is single-use and cryptographically tied to the tag's internal key. Mathematically infeasible to replicate without the secret key.
- Tamper-evident loop permanently records opening: Proud Tek's TagTamper NTAG 424 DNA tags route the antenna connection through a breakable bridge at the sticker edge; when the sticker is peeled, the bridge breaks and the chip permanently registers the event in its CTTES (Counter Tamper Tamper Event Status) register. Reported on every subsequent tap.
- SDM URL self-verification architecture: Proud Tek implements SDM so that your verification URL contains all cryptographic data needed for offline verification. Your backend decrypts the code locally without an always-on API; the authentication works even if your verification server is temporarily unavailable.
- AES key provisioning as a managed service: Proud Tek handles AES master key generation, diversification per-tag using CMAC-AES (NXP AN10922) or customer-supplied algorithm, and secure delivery of the key mapping CSV; buyers do not need in-house key management infrastructure.
- App-free verification standard: NTAG 424 DNA SDM opens a standard HTTPS URL on any NFC smartphone. No app download required; the consumer sees your branded verification page in their standard mobile browser.
Per-tap data published from a Proud Tek NTAG 424 DNA tag
- PICCData = AES-128(UID + read counter, master-derived diversified key) — per-tag and per-tap unique.
- Optional file data mirror = AES-128(file 2 contents + tamper status, session key) — surfaces customer-defined data conditionally.
- CMAC = AES-128 truncated MAC over the entire SUN URL — 8-byte signature appended as &cmac= parameter.
- Read counter monotonically increments per successful authentication — non-monotonic counter sequence flags suspected clone.
- Backend libraries (Python / Node / Go) reference-implement the AN12196 verification algorithm in 200-300 lines.
How NTAG 424 DNA Secure Dynamic Messaging works step by step
SDM is the core cryptographic protocol that makes NTAG 424 DNA tags impossible to clone in practice. The mechanism splits into provisioning, tap-time computation and backend verification.
- At provisioning: Proud Tek generates a master secret K_master and derives a per-tag diversified key K_diversified = CMAC-AES(K_master, UID) per NXP AN10922. K_diversified is written into the NTAG 424 DNA application key slot — chip-internal, write-only, never readable.
- At each tap: the chip increments its 32-bit read counter, encrypts {UID || read_counter} with K_diversified to form PICCData, computes CMAC = AES-128(K_diversified, URL_template_bytes), and appends both as URL parameters (e.g., verify.brand.com?picc=AABBCCDDEEFF...&cmac=11223344).
- At verification: the consumer's phone opens the URL via native NFC and the backend recovers UID + counter by decrypting PICCData with K_master-derived key, validates CMAC, checks counter monotonicity against last-recorded counter, reads CTTES tamper bit, and renders 'Authentic + Sealed' / 'Authentic but Tampered' / 'Suspected Clone'.
- Tamper status: the CTTES register is read during authentication; once set by a bridge-antenna break, it remains '1' permanently and is surfaced in the SDM payload and verification page until the SKU is destroyed.
- Counter anomaly defense: backend logs counter + IP + timestamp; sequential taps from geographically impossible locations or counters that decrement / repeat are auto-flagged as suspected cloning attempts and surfaced to brand-protection investigators.
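The verification-time decisions from the last three steps, as an added example that is not Proud Tek's or NXP's code. It assumes PICCData has already been decrypted and the CMAC validated by an SDM library; the `Tap` fields, the two thresholds and the sample taps are constructed for illustration.

```python
from math import asin, cos, radians, sin, sqrt
from typing import NamedTuple

MAX_SPEED_KMH = 1000.0  # assumed ceiling for one physical item moving between taps
MIN_KM = 100.0          # assumed IP-geolocation error margin; shorter hops are ignored

class Tap(NamedTuple):
    uid: str         # UID recovered from decrypted PICCData
    counter: int     # read counter recovered from decrypted PICCData
    tampered: bool   # tamper status decoded from the SUN payload
    ts: float        # server receive time, seconds since epoch
    lat: float       # coarse client location (assumed: derived from the IP)
    lon: float

def km_between(a, b):
    """Great-circle (haversine) distance between two taps, in km."""
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

class TapLedger:
    def __init__(self):
        self.last = {}         # uid -> tap with the highest counter accepted so far
        self.tampered = set()  # uids that have ever reported a tamper event
        self.flags = []        # (uid, counter, reason) rows for investigators

    def check(self, tap):
        prev = self.last.get(tap.uid)
        # A repeated or lower counter means a captured URL is being replayed.
        if prev is not None and tap.counter <= prev.counter:
            return self._flag(tap, "counter repeated or decremented")
        self.last[tap.uid] = tap  # advance the baseline even if a later check flags
        was_tampered = tap.uid in self.tampered
        if tap.tampered:
            self.tampered.add(tap.uid)
        if prev is not None:
            km = km_between(prev, tap)
            hours = max(tap.ts - prev.ts, 1.0) / 3600.0
            if km > MIN_KM and km / hours > MAX_SPEED_KMH:
                return self._flag(tap, "geographically impossible travel")
        # The page describes the tamper state as permanent, so a revert is an anomaly.
        if was_tampered and not tap.tampered:
            return self._flag(tap, "tamper status reverted")
        return "Authentic but Tampered" if tap.tampered else "Authentic + Sealed"

    def _flag(self, tap, reason):
        self.flags.append((tap.uid, tap.counter, reason))
        return "Suspected Clone"

def demo():
    """Replay a constructed tap history for one constructed UID."""
    uid, paris, nyc = "04A1B2C3D4E5F6", (48.86, 2.35), (40.71, -74.01)
    history = [
        Tap(uid, 5, False, 0, *paris),
        Tap(uid, 6, False, 3600, *paris),
        Tap(uid, 6, False, 3700, *paris),   # same URL replayed
        Tap(uid, 7, True, 7200, *paris),    # seal broken
        Tap(uid, 8, False, 7300, *paris),   # tamper state went backwards
        Tap(uid, 9, True, 9100, *nyc),      # 30 minutes later, another continent
    ]
    ledger = TapLedger()
    return [ledger.check(t) for t in history], ledger.flags

if __name__ == "__main__":
    verdicts, flags = demo()
    for line in verdicts + ["FLAG %s counter=%d: %s" % f for f in flags]:
        print(line)
```

The baseline counter advances before the travel and tamper checks run, so a URL that was flagged on geography cannot be replayed later as if it were fresh.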
NTAG 424 DNA vs standard NFC chips for authentication
| Feature | NTAG213 / NTAG216 | NTAG 424 DNA |
|---|---|---|
| Anti-cloning | None: static UID and URL trivially copied | AES-128 SDM — cryptographically infeasible to clone |
| Authentication method | None (read-only URL) | Mutual AES-128 + SDM per-tap unique code |
| Tamper evidence | None | CTTES register: irreversible permanent digital record (TagTamper variant) |
| Verification | Static URL: cannot distinguish genuine from clone | Dynamic per-tap URL — mathematically unique |
| App required | No (NDEF URL) | No (SDM URL opens in mobile browser) |
| Cost vs NTAG213 | Lower | Higher: justified for authentication / DPP / regulated-product use cases |
| Role-based access | Single password (PWD_AUTH) | 5-key role architecture (master + 4 application keys) |
Provisioning and backend integration
- AES key provisioning: Proud Tek generates a unique diversified AES-128 key per tag using CMAC-AES (NXP AN10922) and delivers the UID-to-key mapping in an encrypted CSV for import into your verification backend.
- SDM configuration: we configure the SUN message format (PICC data encryption, CMAC inclusion, file data mirror) to match your backend verification API requirements.
- Read counter baseline: the initial tap counter value and expected increment range are included in the key mapping CSV for anomaly detection implementation.
- Verification backend reference implementation: Proud Tek provides Python / Node.js reference implementations of the NTAG 424 DNA SDM verification algorithm (AN12196) for integration into your backend.
- Tamper status API field: the CTTES tamper status is included in the decrypted PICC data; your backend maps this to a consumer-facing 'Tampered / Not Tampered' status on the verification page.
- Key rotation: re-use the same master key across production batches (zero backend change) or rotate to a new master key for new SKU generations with a separate key set.
NTAG 424 DNA timeline — from chip launch to flagship anti-counterfeit standard
- 2001 — NFC Forum founded
NXP, Sony and Nokia found the NFC Forum to standardise short-range (13.56 MHz) tag-based interaction; ISO/IEC 14443 Type A becomes the dominant transmission protocol for NFC tag chips.
- 2007-2013 — NTAG21x family establishes static-URL NFC
NXP launches NTAG203 → NTAG213 → NTAG216, addressing the consumer-NFC URL-encode-and-tap use case; static UID + NDEF URL provides convenience but offers no anti-cloning protection.
- 2014 — iPhone 6 + Apple Pay normalise NFC handsets
Apple ships iPhone 6 with NFC; combined with widespread Android NFC support, every consumer smartphone now ships with native NFC reading capability — but iOS Core NFC URL-launch is restricted to NDEF URI records until 2018.
- 2018 — iOS 12 background NFC + NTAG 424 DNA launch
Apple iOS 12 enables background NDEF reading on iPhone XS/XR — tag-tap-to-URL works without an app for the first time. NXP launches NTAG 424 DNA (NT4H2421Gx): AES-128 mutual authentication + Secure Dynamic Messaging — the first commodity NFC sticker chip with cryptographically unique per-tap output.
- 2019-2020 — TagTamper variant + early luxury adopters
NXP releases NTAG 424 DNA TagTamper (NT4H2421Tx) adding the bridge-antenna CTTES register; early-adopter premium spirits, wine, cosmetics, fashion and pharmaceutical brands deploy NTAG 424 DNA SUN authentication on flagship lines.
- 2021-2023 — DPP + Battery Passport regulatory tailwind
Aura Blockchain Consortium (LVMH / Prada / Cartier) publishes NTAG 424 DNA + ledger reference architecture; EU Battery Regulation 2023/1542 mandates Battery Passport from 18 Feb 2027; EU Ecodesign for Sustainable Products Regulation 2024/1781 establishes Digital Product Passport framework.
- 2024 — Cross-industry DPP standardisation
GS1 Digital Link 1.3 publication + CIRPASS interoperability work make NTAG 424 DNA + GS1 Digital Link the de-facto reference architecture for DPP carrier hardware across textile, electronics, battery and pharmaceutical verticals.
- 2026 — Today: flagship general-purpose tamper-evident NFC SKU
Operating notes from high-value-pharma-bottle, premium-spirits-cap, luxury-cosmetics-seal, regulated-document-envelope and art-provenance-cert programmes converge on NTAG 424 DNA TagTamper as the chip-family anchor product, with Proud Tek's application-specific tags (wine, spirits, cosmetics, olive oil, sneakers, handbags, pharmaceutical, battery, DPP) all built on this same NTAG 424 DNA platform.
FAQ
What makes NTAG 424 DNA impossible to clone?
NTAG 424 DNA uses AES-128 Secure Dynamic Messaging (SDM). Every tap generates a cryptographically unique URL parameter derived from the tag's secret AES key, UID and a monotonically incrementing read counter. A counterfeiter copying the URL from one tap cannot reuse it (it is single-use), cannot predict the next one (AES-128 is computationally infeasible to break), and cannot extract the key from the chip (the key is write-only). Cloning is mathematically infeasible without the secret key.
Does the consumer need to download an app to verify the tag?
No. NTAG 424 DNA SDM works with any NFC-enabled smartphone's native NFC reading function. The tag opens a standard HTTPS URL in the consumer's mobile browser. No app download required. The SDM authentication code is passed as a URL parameter and validated on your backend server transparently. The consumer sees your branded verification page.
What happens when the tamper-evident loop breaks?
When the sticker is peeled from its surface, the tamper loop antenna bridge breaks and the chip permanently records this event in its CTTES (Counter Tamper Tamper Event Status) register. This register is read-only and cannot be reset. Even if the sticker is re-adhered or the physical antenna bridge is somehow reconnected, the digital tamper flag remains permanently set and is reported on every subsequent authentication tap.
How do you handle AES key management for large deployments?
Proud Tek generates a unique diversified AES-128 key for each tag using a master secret and the tag's UID per NXP AN10922 CMAC-AES. The master key never leaves Proud Tek's secure encoding facility. You receive an encrypted CSV mapping each UID to its diversified key for import into your verification backend. For ongoing production, we support re-use of the same master key (so new production batches integrate with your existing backend without changes) or rotation to a new master key with a separate key set.
What is the minimum order for NTAG 424 DNA tamper-evident tags?
1,000 pieces. This MOQ reflects the AES key provisioning setup cost and tamper-loop production requirements. For evaluation, we can provide 50-100 non-provisioned NTAG 424 DNA samples for development and testing. Contact us for pricing on sample sets.
Can NTAG 424 DNA tags be used on metal surfaces?
Standard NTAG 424 DNA stickers are designed for non-metal surfaces. For metal surface applications requiring NTAG 424 DNA authentication, we offer an anti-metal NTAG 424 DNA variant with a ferrite spacer layer between the antenna and the metal substrate. Contact us for availability and pricing as this is a custom product.
How does NTAG 424 DNA support the EU Digital Product Passport?
NTAG 424 DNA's 5-key role-based access architecture maps directly to the DPP stakeholder model: master key (Proud Tek encoder), application key 1 (consumer-readable public file), key 2 (brand-owner-only file), key 3 (service-provider repair-history file), key 4 (recycler end-of-life file). Each stakeholder reads only the files their role authorises. The chip carries the GS1 Digital Link 1.3 + ISO/IEC 15459 unique identifier per the EU ESPR 2024/1781 framework.
Sources & references
Primary standards, OEM datasheets and regulatory documents cited by this article. All URLs were verified on the access date shown below.
- NXP NTAG 424 DNA — NFC Forum Type 4 Tag compliant IC with 416 bytes user memory, AES-128 cryptography, SUN/SDM messaging (product page + NT4H2421Gx data sheet)
Primary chip silicon datasheet — NT4H2421Gx (DNA) and NT4H2421Tx (DNA TagTamper) feature matrix.
- NXP AN12196 — NTAG 424 DNA and NTAG 424 DNA TagTamper features and hints (SDM / SUN message configuration)
Reference application note — SDM URL template configuration, PICCData encryption, CMAC computation, tamper-status surfacing.
- NXP AN10922 — Symmetric key diversifications (CMAC-AES key derivation reference)
Per-tag AES-128 diversification algorithm — deriving K_diversified from K_master + UID via CMAC-AES.
- FIPS PUB 197 — Advanced Encryption Standard (AES)
Federal Information Processing Standard for the AES block cipher used as the SDM cryptographic primitive.
- NIST SP 800-38B — Recommendation for Block Cipher Modes of Operation: the CMAC Mode for Authentication
CMAC algorithm specification used by NTAG 424 DNA for SUN URL signature.
- ISO/IEC 14443-4 — Identification cards — Contactless ICs — Proximity cards — Part 4: Transmission protocol
RF transmission protocol stack underlying NFC Forum Type 4 Tag operation.
- NFC Forum Type 4 Tag Operation Specification
Native phone-readable NDEF-over-Type-4-Tag specification — basis for app-free consumer authentication.
- FDA Drug Supply Chain Security Act (DSCSA) — unit-level serialization and traceability requirements
U.S. pharmaceutical serialisation framework — NFC sits ON TOP of mandated GS1 DataMatrix, not in place of it.
- EU Falsified Medicines Directive 2011/62/EU + Delegated Regulation 2016/161 — unique identifier and anti-tampering device for prescription medicines
EU pharma anti-tamper Article 3 + 5 requirements — NTAG 424 DNA TagTamper provides electronic ATD layer beyond mandated DataMatrix.
- EU Ecodesign for Sustainable Products Regulation (ESPR) 2024/1781 — framework for the Digital Product Passport
DPP framework — NTAG 424 DNA 5-key role-based access architecture supports stakeholder-segregated DPP file slots (consumer / brand / service-provider / recycler).
Proud Tek is a Shenzhen-based RFID & NFC manufacturer supplying hotel chains, transit operators, event venues and retail brands worldwide. Every order includes free samples, RF testing and dedicated project support.
