Brand Protection with Secure NFC Tags


Enterprise feature in beta

This feature is only available to our Enterprise customers and is currently in beta. If you are interested in using this feature, please contact us.
This is a beta capability; we may make significant changes before the final version.

Cryptographically secure NFC tags are a new generation of NFC tags that are very difficult to counterfeit but still work with existing NFC readers, such as most modern smartphones.

In this tutorial, you'll learn how to use and manage cryptographically secure NFC tags with the EVRYTHNG Product Cloud. What makes these tags special is that they generate a unique signature for every scan. Cryptographically secure tags provisioned for the EVRYTHNG Product Cloud contain the unique signature as query string parameters of a GS1 Digital Link. The EVRYTHNG Secure NFC Gateway allows brand owners to write redirection rules based on the result of decrypting a tag's signature, so that users can be redirected to different experiences depending on the result.

How the URL of a Secure NFC Tag Protects Against Counterfeits

We currently support two secure NFC tag providers, NXP and EM Microelectronic. Both tags, NXP's NTAG 424 DNA and EM Microelectronic's em|echo-V tags, contain a secret AES-128 symmetric key that is stored in a secured memory space. Each time a tag is scanned, the tag increases its counter by one, then generates a cryptographically secure signature by encrypting the UID (or EPC) and counter together. It then adds the signature to its Digital Link and returns the entire URL to the reader.

NFC tag providers use slightly different approaches in the way they manage tag security and format URLs, which is why the EVRYTHNG Secure NFC Gateway uses a plugin architecture to accommodate these differences. Without going into details, consider the different URL templates. Both tags use the GS1 Digital Link standard, but the query string parameters differ:

For the NTAG 424 DNA, the enc parameter contains the encrypted UID and counter.

Scan once:

Scan again and notice how enc changed:

For the em|echo-V tag, the signature is contained in the aes parameter. It is the encrypted combination of the EPC and counter.

Scan once:

Scan again and notice how aes changed:


EVRYTHNG Secure NFC Gateway architecture

The EVRYTHNG Secure NFC Gateway adds support for cryptographically secure NFC tags to the EVRYTHNG Redirector. The architecture shows an NFC tag with a secret AES-128 key, a tag-specific UID (or EPC), a counter and a Digital Link. The Digital Link maps to a Thng; the other components secure the tag. As previously mentioned, the tag generates a new URL every time it is scanned.

Unlike redirections triggered by scanning a QR code or regular NFC tag, the URL of a cryptographically secure NFC tag goes through the EVRYTHNG Secure NFC Tags Gateway before reaching the EVRYTHNG Redirector. The gateway uses provider-specific modules to decrypt and authenticate each request. AES-128 is a symmetric cipher, so the tag and the gateway use the same key to encrypt and decrypt. The gateway also keeps track of the scan counter by storing it as a Thng Property. Comparing the decrypted counter with the Thng's counter detects URLs that are used more than once.

Note that a secure NFC tag can only prevent a tag from being copied. A counterfeiter could still store a redirection URL on an NFC tag. To prevent a redirection from being reused, the gateway generates a new one-time password for every redirection, which the gateway encrypts with its private key. The Web client obtains the corresponding public key from the domain's EVRYTHNG app. If the one-time password has expired, the client knows the redirection is invalid.

Implicit Scan action for an authentic tag

The gateway creates an Implicit Scan Action with the authentication result from the provider-specific module as custom fields. These values can be used in a redirection rule header and body. The action above shows the tag being authentic.

Use case: Barry The Bear Endorses the EVRYTHNG Secure NFC Gateway

Spot the secure Barry

We asked Barry the Bear, the infamous GS1 Digital Link mascot, to try the EM Microelectronic em|echo-V tag. The em|echo-V tag is a dual frequency tag that supports both NFC and RFID.

Barry the Bear Web experience

To test the EVRYTHNG Secure NFC Gateway, hold your smart phone close to the label of Barry the Bear. Your phone will read the NFC tag and open the Digital Link in the browser. If the tag is authentic, you will be redirected to the default Barry the Bear Web experience.

What happens if a Barry the Bear impostor tries to copy and reuse a signed URL? After all, the signature is authentic and the EVRYTHNG Secure NFC Gateway will be able to authenticate the signature.

Try scanning this QR code to find out.

Simulate a replay attack

Behind the scenes, three redirection rules map the authentication outcome to different URLs.

Redirection for authentic tags

If the tag is authentic, the user is redirected to the Barry the Bear Web experience.

Redirection for counterfeit tags. The URL was used twice

If the signature can be decrypted but the URL was used twice (the URL counter is lower than or equal to the Thng's counter), the user is redirected to a site indicating the URL was replayed. This is how a Barry the Bear impostor will be detected.

Redirection for counterfeit tags that could not be authenticated

And if the signature could not be decrypted, either because the signature is wrong or entirely missing, the user is also redirected to a site to warn the user of that fact.

Adding new tags to the EVRYTHNG Product Cloud

You might have asked yourself how the EVRYTHNG Secure NFC Gateway knows which provider and security credentials to use and how to access Thngs. It does this through the domain name used in the tag's URL. A cryptographically secure tag belongs to one redirection domain. A redirection domain consists of a domain name, a Trusted App API key, a provider and security credentials required by the provider and a set of tags of the same type.

Let's go step by step through the process of adding a new set of secure NFC tags.

Create a new project and EVRYTHNG Application

This EVRYTHNG Application provides access for the EVRYTHNG Secure NFC Gateway to Thngs. It must also contain at least one redirection rule related to tag authentication.

Obtain a domain name which you own and create valid GS1 Digital Links for Thngs

Your tags must contain valid Digital Link URLs. Because all requests must go through the EVRYTHNG Secure NFC Gateway, you need to configure a domain name to point to the EVRYTHNG Secure NFC Gateway's host name. Optionally, the parameter validFor can be specified in seconds to set the timeout for the one-time password that can be used to secure the redirection URL.

When a new domain is registered, the EVRYTHNG Secure NFC Gateway generates a private/public key pair to secure the redirection. The EVRYTHNG Secure NFC Gateway stores the public key as a custom field of its EVRYTHNG application. A user experience can secure the redirection by including a one-time password. The gateway generates a one-time password for every request. It can be added to the redirection as a query string parameter: otp={action.customFields.otp}. In addition to the query string parameter otp, the Web client also requires an EVRYTHNG App API key and the ID of the Thng that maps to the secure NFC tag.

The Web client decrypts the one-time password and raises an alert if the redirection is expired. To flag expired one-time passwords, we recommend creating an alert in the dashboard by creating an _InvalidClientRedirections action. The gateway provides a redirection validation endpoint that performs all the aforementioned steps.


Note that the App API key is also a query parameter to avoid Cross-Origin Resource Sharing (CORS) errors. The gateway returns HTTP status code 200 if the redirection is valid and HTTP status code 498 if the redirection expired.
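
A minimal model of the one-time password described above, showing why a stored redirection URL stops working once validFor has elapsed. This is an added example, not the gateway's code: the OTP format (a JSON payload with an RSA-SHA256 signature standing in for "encrypts with its private key"), the function names and the sample values are assumptions.

```javascript
// Added example: the OTP format here is an assumption, not the gateway's own.
const nodeCrypto = require('crypto');

// Gateway side: bind the OTP to a Thng and an expiry validFor seconds ahead,
// then sign it with the domain's private key.
function issueOtp(privateKey, thngId, validFor, nowMs) {
  const payload = Buffer.from(JSON.stringify({ thng: thngId, exp: nowMs + validFor * 1000 }));
  const sig = nodeCrypto.sign('sha256', payload, privateKey);
  return `${payload.toString('base64url')}.${sig.toString('base64url')}`;
}

// Validation side, using the public key published for the domain.
// 'valid' and 'expired' correspond to the 200 and 498 responses on this page.
function validateOtp(publicKey, otp, thngId, nowMs) {
  const [p, s] = String(otp).split('.');
  if (!p || !s) return 'invalid';
  const payload = Buffer.from(p, 'base64url');
  const ok = nodeCrypto.verify('sha256', payload, publicKey, Buffer.from(s, 'base64url'));
  if (!ok) return 'invalid'; // never parse or trust an unverified payload
  const { thng, exp } = JSON.parse(payload.toString('utf8'));
  if (thng !== thngId) return 'invalid'; // OTP was issued for another Thng
  return nowMs <= exp ? 'valid' : 'expired';
}

// Constructed sample run: validFor is 5 seconds, as in the domain example.
function otpDemo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const thngId = 'THNG_ID_PLACEHOLDER';
  const t0 = 1700000000000; // constructed timestamp in milliseconds
  const otp = issueOtp(privateKey, thngId, 5, t0);
  // Same signature, but a payload rewritten to expire an hour later.
  const later = Buffer.from(JSON.stringify({ thng: thngId, exp: t0 + 3600000 }));
  const extended = `${later.toString('base64url')}.${otp.split('.')[1]}`;
  return {
    fresh: validateOtp(publicKey, otp, thngId, t0 + 1000),
    stored: validateOtp(publicKey, otp, thngId, t0 + 60000),
    extended: validateOtp(publicKey, extended, thngId, t0 + 60000),
  };
}

console.log(otpDemo());
```
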

If you'd like to test the redirection validation feature in your Web client, this code will get you started:

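async function validateRedirection() {
  // Read the parameters the Redirector appended to this page's URL.
  const url = new URLSearchParams(window.location.search);
  const otp = url.get('otp');
  if (otp === null)
    throw new Error("No one-time password found (query string parameter 'otp' is missing). Add the one-time password in the Redirector as follows: otp={action.customFields.otp}");
  const apiKey = url.get('apiKey') || url.get('app');
  if (apiKey === null)
    throw new Error('EVRYTHNG App API key is missing');
  const thngId = url.get('thng');
  if (thngId === null)
    throw new Error('thng Id is missing');
  // Placeholder: the base URL of the validation endpoint is not shown on this page.
  const endpointBase = 'VALIDATION_ENDPOINT_BASE_URL/';
  // URLSearchParams.get() returns decoded values, so re-encode them for the request URL.
  const request = new Request(`${endpointBase}${encodeURIComponent(thngId)}/validateRedirection?otp=${encodeURIComponent(otp)}&apiKey=${encodeURIComponent(apiKey)}`);
  const response = await fetch(request);
  if (response.status !== 200) {
    if (response.status === 498) {
      alert('Invalid redirection'); // the one-time password expired
    } else {
      alert('Something went wrong');
    }
  }
}

validateRedirection().catch(console.error);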

Create a new redirection domain

When registering a new redirection domain, the EVRYTHNG Secure NFC Gateway generates a unique AES-128 key (returned in secretKey) to encrypt and decrypt security-relevant information. It also creates a private/public key pair to authenticate redirections.

{
    "validFor": 5,
    "secretKey": "652c8...95a76",
    "otpPublicKey": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvPCcIrPxdFppmqjWk1fk\nswoc8zBhZmi31Ikym+ECsTBkuXDtKZ98C4+LOi27MvleJ9RYrvt2hML1lKmAript\nsLr+YN2ISAi8jWblPywL+fgEQyPhJZUzdMiSxsDj8jg5cG0+ZpjOz4YHeCL2PJ2R\nfgpMV4CfBjvGPEGfGeweOT/Zky+VRA9OSXWhEDUdsIW4jru4DY/G/4dvwUwNJoqa\nrx7yPwTyvHe15t2lSk/8rtdVfGo39ipArUCcGiWM4UumZoyIGfSyxtFdPVv7z6td\nhC5AnOtXD0/Em8gH5y7Q52jFR+ddeMJRBqa+51HU9+tXvGH68b39qFqlNZjvcoVJ\ntQIDAQAB\n-----END PUBLIC KEY-----\n",
    "trustedAppApiKey": "EU9Sw...KeOvD"
}

Setup tag credentials

Next, configure the authentication mechanism by specifying the provider as well as provider-specific security information.

Configuring a domain for NXP NTAG 424 DNA

NXP NTAG 424 DNA tags can be verified either with NXP's remote service, the Authenticator v2 API, or by verifying the URL locally using the tag's symmetric key. To use the NXP Authenticator v2 API, the configuration requires provider==nxp, keyIdMetaRead, keyIdFileAccess and nTagApiKey:

{
    "keyIdFileAccess": "13",
    "keyIdMetaRead": "12",
    "nTagApiKey": "64b8cb...949efe",
    "provider": "nxp"
}

To verify NXP NTAG 424 DNA tags locally, use provider==nxp-local and the parameter symmetricTagKey, which contains the same symmetric key that is stored on the tags:

{
    "provider": "nxp-local",
    "symmetricTagKey": "FFAE0...01C6"
}

Configuring a domain for em | echo-V tags

EM Microelectronic only requires otp, the AES-128 OTP Crypto Key:

{
    "otp": "F0..00",
    "provider": "em"
}

Add redirection rules to the Redirector

You'll need redirection rules that respond to the state of a tag, as shown at the beginning of the tutorial. The EVRYTHNG Secure NFC Gateway will send the following Action custom fields to the Redirector (e.g., action.customFields.replay):

  • validSecret: true if the signature was successfully verified. false, if the signature is missing or could not be decrypted.

  • replay: true means the signature was successfully verified but the URL was already used. It's a counterfeit tag, even though validSecret is true.

  • matchUidAndTag: true means the signature does not match the tag. The signature is valid but it belongs to a different tag.

  • validTag is a summary feature of the verification process. validTag is true if validSecret is true, replay is false and matchUidAndTag is also true.
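
The gateway check from the architecture section and the custom fields listed above can be modelled as follows. This is an added example, not EVRYTHNG's or a tag vendor's code: the 16-byte plaintext layout, the names tagSign and verifyScan and all sample values are assumptions, and matchUidAndTag is taken to be true when the decrypted UID matches the Thng, as the validTag definition requires.

```javascript
// Added example: simplified model, not EVRYTHNG or vendor code.
const nodeCrypto = require('crypto');

// Assumed plaintext block (constructed layout, not a vendor format):
// bytes 0-6 UID, bytes 7-9 scan counter (big-endian), bytes 10-15 zero.
function tagSign(key, uidHex, counter) {
  const block = Buffer.alloc(16);
  Buffer.from(uidHex, 'hex').copy(block, 0);
  block.writeUIntBE(counter, 7, 3);
  const c = nodeCrypto.createCipheriv('aes-128-ecb', key, null);
  c.setAutoPadding(false); // exactly one AES block, no padding
  return Buffer.concat([c.update(block), c.final()]).toString('hex');
}

// Gateway side: thng = { uid, counter } holds the last counter stored for the Thng.
function verifyScan(key, thng, encHex) {
  const r = { validSecret: false, replay: false, matchUidAndTag: false, validTag: false };
  if (!/^[0-9a-f]{32}$/i.test(encHex || '')) return r; // missing or malformed
  const d = nodeCrypto.createDecipheriv('aes-128-ecb', key, null);
  d.setAutoPadding(false);
  const block = Buffer.concat([d.update(Buffer.from(encHex, 'hex')), d.final()]);
  // A value made without the key decrypts to noise, so the zero bytes are wrong.
  r.validSecret = block.subarray(10).every((b) => b === 0);
  if (!r.validSecret) return r;
  const counter = block.readUIntBE(7, 3);
  r.matchUidAndTag = block.subarray(0, 7).toString('hex') === thng.uid;
  r.replay = counter <= thng.counter; // URL counter lower than or equal to the Thng's
  r.validTag = r.validSecret && !r.replay && r.matchUidAndTag;
  if (r.validTag) thng.counter = counter; // store the new counter on the Thng
  return r;
}

// Constructed sample data: one Thng, a fresh scan, then the same URL again.
function scanDemo() {
  const key = Buffer.from('000102030405060708090a0b0c0d0e0f', 'hex');
  const thng = { uid: '04a1b2c3d4e5f6', counter: 41 };
  const enc = tagSign(key, thng.uid, 42);
  return {
    first: verifyScan(key, thng, enc),
    replayed: verifyScan(key, thng, enc),
    otherTag: verifyScan(key, thng, tagSign(key, '04ffffffffffff', 99)),
    wrongKey: verifyScan(key, thng, tagSign(Buffer.alloc(16, 7), thng.uid, 50)),
    missing: verifyScan(key, thng, undefined),
  };
}

console.log(scanDemo());
```
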

Furthermore, each Thng must be assigned to a Product and both need a valid GS1 identifier. The Product needs the identifier gs1:01 and the Thng needs the identifier gs1:21.