[ HOW IT WORKS — 04 ]
ENCRYPTION, IN DEPTH
The overview at /encryption tells you what the system guarantees. This page shows more of the machinery — down to where operational security starts. That line is marked at the bottom.
01 /
THE CHIP
The patch carries a secure element in NXP’s NTAG 424 DNA family. Keys go in once, at encoding, and the silicon has no instruction for reading them back out — extraction means destroying the die, and the key with it.
It computes AES-128 on board and implements SUN — Secure Unique NFC — which is the chip’s way of never saying the same thing twice. No battery; it runs on the phone’s field for the duration of the tap.
02 /
THE MESSAGE
A tap hands your phone exactly one thing: a URL. Everything the server needs to judge the piece rides in it.
The uuid says which piece — it is public and identical in every link that garment ever issues. e is the encrypted payload: chip identity and tap counter, AES-128 in CBC mode. m is a CMAC over the payload, per RFC 4493 / NIST SP 800-38B. A new counter makes a new e and a new m, every tap.
03 /
THE CHECK
Server-side, in order: decrypt e with the piece’s key — keys live with us, never in the page. Verify m with a constant-time comparison. Require the counter to have moved strictly forward. Require the identity to match the uuid. Only then pull the record and render the verdict.
Miss any step and you get the failure page — the same one, whatever failed. Traffic is rate-limited; the thresholds are not published.
[ WHY UNIFORM FAILURE ]
A verifier that explains its rejections is teaching. Ours declines the job: pass, or the flat failure page. The distance between "wrong signature" and "stale counter" is information we keep.
04 /
THE STANDARDS
AES-128 (FIPS 197). CMAC (RFC 4493 / NIST SP 800-38B). SHA-256 (FIPS 180-4) for the provenance chain, whose linkage is drawn on The Chain page.
Nothing here is house-rolled cryptography. The primitives are the boring, audited ones. The engineering is in how they are keyed, sequenced, and refused.
05 /
WHAT WE DON’T PUBLISH, AND WHY
Key derivation and storage. The encoding-station procedure. Service internals. Exact rate thresholds.
Publishing them would not make the system stronger for you — it would only make rehearsing an attack cheaper. The sections above are the parts that protect your piece. The unpublished parts protect the sections above.