The Secure Dynamic Messaging (SDM) feature allows NXP’s MIFARE DESFire EV3 IC to be programmed to store NDEF messages as defined in the NFC Forum Tag Type 4 specification. A unique, IC-individual NDEF message is generated on each tap, and a backend server evaluates the data that the IC generated.
EXTERNAL
CONFIDENTIAL AND INTEGRITY PROTECTED DATA EXCHANGE USING NDEF READING
VIA SECURE DYNAMIC MESSAGING (SDM) FEATURE
• MIFARE DESFire EV3 IC can be programmed to store NDEF messages as defined in the NFC Forum Tag Type 4 specification
• A unique IC individual message is generated on each tap, e.g. an NDEF message holding a URL linking to a website
• The SDM feature allows security to be added to the NDEF message
− By attaching confidentiality- and integrity-protected metadata to the URI (e.g. UID, SDM counter, CMAC)
− Reading works with standard NDEF readers (standard NFC enabled mobile devices); no specific mobile app is needed
• It allows confidential and integrity protected data exchange without requiring a preceding authentication
• SDM is compatible with, and already known from, NTAG® 424 DNA
• Unique IC individual NDEF message is generated on each tap
• Communication works with standard NFC data exchange format (NDEF) – no special app or hardware is needed
• Backend server can evaluate the confidential data that was generated by the IC
CONFIDENTIAL AND INTEGRITY PROTECTED DATA EXCHANGE USING NDEF READING
VIA SECURE DYNAMIC MESSAGING (SDM) FEATURE
[Diagram: card holding the SDM Key produces an NDEF Message with SDM protection; a Browser / App forwards it to the Backend, which holds the same SDM Key and answers OK for a Unique Message]
1) MIFARE DESFire EV3 IC contains NDEF message and SDM configuration
2) Tapping the MIFARE DESFire EV3 product-based card against an NFC Forum compliant reading device (e.g. mobile phone)
3) Card calculates SDM authentication code (CMAC, SDM counter increase, data encryption, etc.) upon each tap
4) Device reads tap-unique URL with SDM authentication code and sends information to the server backend
5) Server backend verifies SDM data and authentication code
6) Based on the verification result, server backend sends information back to the device
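Steps 3 to 5 worked through in code, as an added example that is not NXP's code and not taken from the slides: a simulated card builds the tap-unique URL, and a backend recomputes the CMAC (integrity) and rejects any counter that does not increase for that UID (replay). The URL parameter names, the sample UID and the all-zero key are constructed for the example. The session-key constant 3CC300010080, the LSB-first counter inside SV2 and the odd-byte truncation of the MAC follow the publicly documented NTAG 424 DNA SDM scheme, which the earlier slide says EV3's SDM is compatible with; that they apply unchanged to EV3 is an assumption to confirm against the DS4489 datasheet listed on the last slide. Plaintext mirroring of UID and counter is assumed, so the final MAC input is empty and the UID and counter are authenticated through the session key alone.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"net/url"
)

// xor16 returns a XOR b over the first 16 bytes.
func xor16(a, b []byte) []byte {
	out := make([]byte, 16)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// dbl multiplies a 128-bit block by x in GF(2^128): shift left, reduce with 0x87.
func dbl(b []byte) []byte {
	hi, lo := binary.BigEndian.Uint64(b), binary.BigEndian.Uint64(b[8:])
	out := make([]byte, 16)
	binary.BigEndian.PutUint64(out, hi<<1|lo>>63)
	binary.BigEndian.PutUint64(out[8:], lo<<1^0x87*(hi>>63))
	return out
}

// aesCMAC is AES-128 CMAC per RFC 4493; Go's standard library has no CMAC.
func aesCMAC(key, msg []byte) []byte {
	blk, _ := aes.NewCipher(key) // errors only for a wrong key length; keys here are 16 bytes
	l := make([]byte, 16)        // L = AES_K(0^128); subkeys K1 = dbl(L), K2 = dbl(K1)
	blk.Encrypt(l, l)
	k1, k2 := dbl(l), dbl(dbl(l))
	n := 1 + (len(msg)-1)/16 // block count; an empty message still has one block
	last := make([]byte, 16)
	copy(last, msg[(n-1)*16:])
	if len(msg) == n*16 { // complete final block: mask with K1
		last = xor16(last, k1)
	} else { // short or empty final block: 10* padding, mask with K2
		last[len(msg)-(n-1)*16] = 0x80
		last = xor16(last, k2)
	}
	x := make([]byte, 16)
	for i := 0; i < n-1; i++ {
		blk.Encrypt(x, xor16(x, msg[i*16:]))
	}
	blk.Encrypt(x, xor16(x, last))
	return x
}

// sdmMAC returns the 8-byte truncated CMAC the card appends to the URL:
// session key = CMAC(SDMKey, 3CC300010080 || UID || counter LSB-first), then
// CMAC over an empty input, keeping the odd-indexed bytes. Constants follow the
// public NTAG 424 DNA scheme and are assumed to match EV3 (confirm in DS4489).
func sdmMAC(sdmKey, uid []byte, ctr uint32) []byte {
	sv2 := append([]byte{0x3C, 0xC3, 0x00, 0x01, 0x00, 0x80}, uid...)
	sv2 = append(sv2, byte(ctr), byte(ctr>>8), byte(ctr>>16))
	full := aesCMAC(aesCMAC(sdmKey, sv2), nil)
	out := make([]byte, 8)
	for i := range out {
		out[i] = full[2*i+1]
	}
	return out
}

// cardTap simulates steps 3 and 4: the IC fills the URL with UID, counter and
// CMAC (constructed wire format with hypothetical parameter names).
func cardTap(base string, sdmKey, uid []byte, ctr uint32) string {
	return fmt.Sprintf("%s?uid=%X&ctr=%06X&cmac=%X", base, uid, ctr, sdmMAC(sdmKey, uid, ctr))
}

// Backend performs step 5 and remembers the last accepted counter per UID.
type Backend struct {
	sdmKey  []byte
	lastCtr map[string]uint32
}

// Verify accepts a tap URL only if the CMAC is authentic and the counter is fresh.
func (b *Backend) Verify(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	q := u.Query()
	uid, e1 := hex.DecodeString(q.Get("uid"))
	ctrB, e2 := hex.DecodeString(q.Get("ctr"))
	mac, e3 := hex.DecodeString(q.Get("cmac"))
	if e1 != nil || e2 != nil || e3 != nil || len(uid) != 7 || len(ctrB) != 3 || len(mac) != 8 {
		return fmt.Errorf("malformed SDM parameters")
	}
	ctr := binary.BigEndian.Uint32(append([]byte{0}, ctrB...))
	if !hmac.Equal(mac, sdmMAC(b.sdmKey, uid, ctr)) { // integrity, constant-time compare
		return fmt.Errorf("CMAC mismatch: URL altered or wrong key")
	}
	if last, seen := b.lastCtr[q.Get("uid")]; seen && ctr <= last { // freshness: replay check
		return fmt.Errorf("replay: counter %d not above %d", ctr, last)
	}
	b.lastCtr[q.Get("uid")] = ctr
	return nil
}

func main() {
	be := &Backend{make([]byte, 16), map[string]uint32{}} // constructed all-zero demo key
	tap := cardTap("https://www.nxp.com/", be.sdmKey, []byte{0x04, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66}, 1)
	fmt.Println(tap, "\nfirst read:", be.Verify(tap), "\nreplayed read:", be.Verify(tap))
}
```

The order of the two checks matters: the MAC is verified before the counter state is touched, so an unauthenticated URL can never advance the stored counter. In the encrypted variant of the same scheme, where the URL carries an encrypted UID/counter block instead of plaintext values, the backend first decrypts that block with the meta-read key and then runs the same two checks.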
TECHNICAL DETAILS: HOW TO ENABLE THE SDM FEATURE ON THE CARD
On MIFARE DESFire EV3
• Can be enabled for an application that is NDEF formatted (contains a CC File and an NDEF File including an appropriate NDEF message)
• The SDM feature enablement is done during the creation of the NDEF File, a Standard Data File inside the MIFARE DESFire application
• SDM specific settings and configurations for the NDEF File can afterwards be done using the ChangeFileSettings command
− Here it is defined which data shall be attached to the NDEF message (to the URL) and how that data shall be protected (encrypted or MACed)
− Example data that can be attached to the NDEF message include the SDM counter, UID, some encrypted data, a secure checksum (CMAC), etc.
• Once enabled, the specified data is automatically generated and attached to the NDEF message upon a new card tap
[Illustration: https://www.nxp.com/ followed by the attached Encrypted UID, Encrypted Data and CMAC]
MORE INFORMATION ABOUT THE SECURE DYNAMIC MESSAGING FEATURE
Item                                                                                  Number   Availability
Datasheet - MIFARE DESFire EV3                                                        DS4489   NXP DocStore (confidential)
Application Note - MIFARE DESFire EV3 Quick-Start Guide                               AN5755   NXP website (public)
Application Note - MIFARE DESFire EV3 Features and Hints                              AN5881   NXP DocStore (confidential)
Application Note - Feature and Functionality Comparison between MIFARE DESFire EV2
  and MIFARE DESFire EV3                                                              AN5756   NXP website (public)
RFID Discover Software                                                                SW1866   NXP DocStore (confidential)
NXP Reader Library (Windows based)                                                    SW1717   NXP DocStore (confidential)