NFC Chip Originality Signature
An originality signature is a feature of some NFC chips that cryptographically verifies the chip’s manufacturer. Knowing and subsequently trusting the NFC chip manufacturer is the first foundational step in using an NFC tag for secure applications that require a unique and non-cloned NFC UID. An originality signature applies explicitly to the manufacturer of the NFC chip; it does not prove the authenticity or origin of the item to which the NFC tag is attached.
Example of an NTAG213 Originality Signature
541282798340391163927CF2679A9A068CD403258C9B5345C593575F0FACF81D
Trust
Trust is the foundation of all security systems. The originality signature allows users to verify the manufacturer of the NFC chip. If you trust the manufacturer of the NFC chip, then you can trust the UID. On the other hand, if the manufacturer of the NFC chip is not trusted or known, then the UID cannot be trusted. If the originality signature is absent, the NFC UID of NFC chips cannot be trusted. Consequently, the lack of the originality signature also indicates that chip features such as locking cannot be trusted.
Almost all properly designed secure NFC applications use the NFC chip UID. The NFC chip UID is often used as a unique key in an allow-list database for valid NFC tags, and the NFC chip UID is frequently part of a per-tag, application-level data encryption scheme. It is critical to the security of these systems that the UID can be trusted, and the originality signature is the path to trusting the UID.
Design
Originality signatures are based on industry-standard public/private key cryptography. The algorithms behind these systems are cryptographically secure and cannot be broken with current computing resources.
Originality Signature Creation
The manufacturer of the NFC chip creates a public/private key pair and publishes the public key while keeping the private key secret. When each NFC chip is manufactured, the private key is used along with the NFC chip’s UID to create the originality signature, which is written to each NFC chip. Each NFC chip will have a unique originality signature, although it is not intended to be used as a unique identifier.
originality_signature = sign(private_key, uid)
Originality Signature Verification
In general, the originality signature of an NFC chip is verified using the process outlined below. Each manufacturer has a slightly different implementation, so the exact process is described in the technical specification for the NFC chip.
- Read the originality signature from the NFC chip. Each chip model has a different command for this. Since a chip-specific command is used to read the originality signature, the software must be able to call chip-specific commands, which requires third-party software. Software that can only read the NDEF data, such as iOS Background NFC Tag Reading, cannot read the originality signature.
- Obtain the appropriate public key and algorithm for the specific NFC chip. Some manufacturers require non-disclosure agreements, so this information has not been published here.
- Use the manufacturer’s public key with the UID, the originality signature value read from the chip and the stated algorithm to verify the signature.
verified = verify(public_key, originality_signature, uid)
Supported NFC Chips
The following manufacturers support the originality signature in these models of their NFC chips. For additional information, see the public NFC chip technical specifications.
NXP
NXP’s ICODE, MIFARE, NTAG and Ultralight series of NFC chips support originality signatures with an Elliptic Curve Cryptography (ECC) algorithm.
- ICODE SLIX2
- NTAG210
- NTAG212
- NTAG213
- NTAG215
- NTAG216
- NTAG224
- NTAG424
- MIFARE DESFire EV2
- MIFARE DESFire Light
- MIFARE Plus
- Ultralight EV1
ST
STMicroelectronics supports originality signatures in their TruST25 series of NFC chips with an Elliptic Curve Cryptography (ECC) algorithm.
- ST25TA521B
- ST25TA02KB
- ST25TV512
- ST25TV02K
- ST25DV02K
Counterfeit NFC Chips
Counterfeit NFC chips exist on the market, often masquerading as the supported NFC chips listed above. The originality signature can be used to identify these counterfeit chips if their originality signature is invalid. While it is currently impossible for anyone outside of NXP to manufacture an NFC chip with a new and valid signature, it is important to note that some highly configurable NFC chips may support UID and signature manipulation. A chip with those features would allow an exact copy of an existing valid NXP tag to be made, and the copy would be undetectable.
The GoToTags Desktop App can validate the originality signature of NFC chips that support the feature.