# Security Model

TAGBASE is designed from the ground up with a zero-trust mindset. It assumes all links, devices, and clients may be compromised — and anchors security to the only element that can't be faked: the physical tag’s cryptographic chip.

***

### Core Principles

* **Hardware-based security**: Built on NTAG 424 DNA, a secure NFC chip from NXP with AES-128 encryption.
* **Delta-based verification**: A two-step process ensures that validation is not just based on the tag content, but on a session-specific change between two interactions.
* **No shared secrets in clients**: All sensitive logic is handled server-side — clients are treated as untrusted.
* **Stateless server design**: Reduces attack surface and makes the system resilient to request flooding and token replay.
* **Time-bound session linking**: Prevents link harvesting, sharing, and replay attacks.

***

### Verification Logic

Each verification flow consists of two taps:

1. **First Tap**:
   * Generates a CMAC-signed URL.
   * Initiates a short-lived session with metadata: tag UID, counter value, timestamp.
2. **Second Tap**:
   * Must occur within a short time window.
   * The backend compares the second request’s tag state (counter, UID) with the first.
   * If the delta is valid → the tag is authenticated.
   * If the delta is invalid → the tag or interaction is flagged as suspicious.
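As an added example (not TAGBASE's own code), the two-tap flow above written out as a backend check in Go. It assumes the URL has already been CMAC-verified and decoded into a `TapEvent` (a hypothetical struct), keeps sessions in a process-local map, identifies a session by a random id the client carries back on the second tap, and treats a "valid delta" as the same UID with a strictly higher counter inside the window; the error names are assumptions. The per-UID counter floor is the backend side of the link-replay mitigation: a harvested or shared first-tap link carries a counter the server has already accepted and is refused even though its MAC is genuine.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// TapEvent is the tag state the backend extracts from a decoded, MAC-verified URL
// (hypothetical struct; the real TAGBASE request format is not shown on the page).
type TapEvent struct {
	UID     string    // chip UID, hex-encoded
	Counter uint32    // 24-bit NFC read counter reported by the tag
	At      time.Time // time the backend received the request
}

var (
	ErrReplay        = errors.New("counter not above the last value accepted for this UID")
	ErrNoSession     = errors.New("no open session for this id")
	ErrWindowExpired = errors.New("second tap outside the session window")
	ErrUIDMismatch   = errors.New("second tap came from a different tag")
	ErrBadDelta      = errors.New("counter did not advance between taps")
)

// Verifier holds open first-tap sessions. In-memory here; a deployment would use a
// shared cache with a TTL so any backend instance can close a session.
type Verifier struct {
	mu       sync.Mutex
	window   time.Duration
	sessions map[string]TapEvent // session id -> first tap
	lastCtr  map[string]uint32   // highest counter accepted per UID (replay floor)
}

func NewVerifier(window time.Duration) *Verifier {
	return &Verifier{window: window, sessions: map[string]TapEvent{}, lastCtr: map[string]uint32{}}
}

// acceptCounter enforces a monotonic counter per UID: a harvested link replays a
// counter the backend has already seen and is refused even though its MAC is valid.
// Caller holds v.mu.
func (v *Verifier) acceptCounter(e TapEvent) error {
	if last, seen := v.lastCtr[e.UID]; seen && e.Counter <= last {
		return ErrReplay
	}
	v.lastCtr[e.UID] = e.Counter
	return nil
}

// FirstTap records the tag state and opens a session, returning the id the client
// must present on the second tap (for example in a cookie).
func (v *Verifier) FirstTap(e TapEvent) (string, error) {
	v.mu.Lock()
	defer v.mu.Unlock()
	if err := v.acceptCounter(e); err != nil {
		return "", err
	}
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	id := hex.EncodeToString(b[:])
	v.sessions[id] = e
	return id, nil
}

// SecondTap consumes the session and decides whether the delta between the two
// taps is valid: same UID, counter strictly higher, inside the window.
func (v *Verifier) SecondTap(id string, e TapEvent) error {
	v.mu.Lock()
	defer v.mu.Unlock()
	first, ok := v.sessions[id]
	if !ok {
		return ErrNoSession
	}
	delete(v.sessions, id) // one attempt per session, whatever the outcome
	if e.At.Before(first.At) || e.At.Sub(first.At) > v.window {
		return ErrWindowExpired
	}
	if e.UID != first.UID {
		return ErrUIDMismatch
	}
	if e.Counter <= first.Counter {
		return ErrBadDelta
	}
	return v.acceptCounter(e)
}

func main() {
	v := NewVerifier(30 * time.Second)
	now := time.Now()
	uid := "04a1b2c3d4e5f6" // constructed UID
	id, err := v.FirstTap(TapEvent{UID: uid, Counter: 41, At: now})
	fmt.Println("first tap opened session:", err == nil)
	fmt.Println("second tap:", v.SecondTap(id, TapEvent{UID: uid, Counter: 42, At: now.Add(5 * time.Second)}))
	_, err = v.FirstTap(TapEvent{UID: uid, Counter: 41, At: now.Add(10 * time.Second)})
	fmt.Println("replayed first-tap link:", err)
}
```

Running the block prints the outcome of a genuine two-tap pair followed by a replay of the first link. The session is deleted on the first attempt to close it, so a second request with the same id cannot retry with a better counter; in a multi-instance deployment both maps belong in a shared store with a TTL equal to the window, otherwise the second tap can land on an instance that never saw the first.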

***

### Tag-Level Security

| Feature             | Description                                                         |
| ------------------- | ------------------------------------------------------------------- |
| **UID Locking**     | Each chip has a unique, immutable identifier.                       |
| **CMAC Generation** | Server validates the tag-generated cryptographic MAC using AES-128. |
| **Read Counter**    | Increments with each tap — used in delta comparison.                |
| **URL Obfuscation** | Signed parameters are encoded — raw URLs are meaningless if copied. |
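Illustrating the CMAC Generation and URL Obfuscation rows: an added Go example, not code from the TAGBASE project, in which a stand-in for the tag signs a URL and the backend verifies it. The MAC is AES-128 CMAC per RFC 4493. The query parameter names (`uid`, `ctr`, `cmac`), the `verify.example` endpoint, the MAC input UID || counter and the truncation to the first 8 bytes are assumptions for this example; they do not reproduce the NTAG 424 DNA SDM session-key derivation and MAC layout, which the chip documentation defines.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"strconv"
)

// ErrBadMAC is returned when the URL's cmac parameter does not verify.
var ErrBadMAC = errors.New("cmac verification failed")

// dbl doubles a 16-byte block in GF(2^128): the RFC 4493 subkey step.
func dbl(in []byte) []byte {
	out := make([]byte, 16)
	for i := range out {
		out[i] = in[i] << 1
		if i < 15 {
			out[i] |= in[i+1] >> 7
		}
	}
	if in[0]&0x80 != 0 {
		out[15] ^= 0x87
	}
	return out
}

// aesCMAC computes AES-CMAC (RFC 4493) over msg under a 16-byte key.
// The key is a server-held constant, so a wrong key length is a programming error.
func aesCMAC(key, msg []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic("aesCMAC: " + err.Error())
	}
	l := make([]byte, 16)
	c.Encrypt(l, make([]byte, 16))
	k1, k2 := dbl(l), dbl(dbl(l)) // K1: complete last block; K2: padded last block
	n := (len(msg) + 15) / 16
	if n == 0 {
		n = 1 // the empty message is one padded block
	}
	rem := msg[(n-1)*16:]
	last, sub := make([]byte, 16), k1
	copy(last, rem)
	if len(rem) != 16 {
		last[len(rem)] = 0x80 // 10..0 padding
		sub = k2
	}
	x, buf := make([]byte, 16), make([]byte, 16)
	for i := 0; i < n; i++ {
		for j := range buf {
			if i == n-1 {
				buf[j] = x[j] ^ last[j] ^ sub[j]
			} else {
				buf[j] = x[j] ^ msg[i*16+j]
			}
		}
		c.Encrypt(x, buf)
	}
	return x
}

// macInput is UID || counter (3 bytes, big-endian): the fields the MAC binds together.
func macInput(uid []byte, ctr uint32) []byte {
	return append(append([]byte{}, uid...), byte(ctr>>16), byte(ctr>>8), byte(ctr))
}

// SignTagURL stands in for the chip: each read emits a URL carrying the UID, the
// incremented counter and an 8-byte truncated CMAC. Parameter names are hypothetical.
func SignTagURL(key, uid []byte, ctr uint32) string {
	mac := aesCMAC(key, macInput(uid, ctr))
	q := url.Values{}
	q.Set("uid", hex.EncodeToString(uid))
	q.Set("ctr", fmt.Sprintf("%06x", ctr))
	q.Set("cmac", hex.EncodeToString(mac[:8]))
	return "https://verify.example/t?" + q.Encode() // hypothetical endpoint
}

// VerifyTagURL is the backend side: parse the parameters, recompute the MAC under
// the per-tag key the server holds, and compare in constant time. Returns the UID
// and counter; any edit to uid, ctr or cmac in a copied link fails here.
func VerifyTagURL(key []byte, raw string) ([]byte, uint32, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, 0, err
	}
	q := u.Query()
	uid, uidErr := hex.DecodeString(q.Get("uid"))
	ctr, ctrErr := strconv.ParseUint(q.Get("ctr"), 16, 32)
	if uidErr != nil || ctrErr != nil || len(uid) != 7 || ctr > 0xFFFFFF {
		return nil, 0, errors.New("malformed uid or ctr")
	}
	got, macErr := hex.DecodeString(q.Get("cmac"))
	want := aesCMAC(key, macInput(uid, uint32(ctr)))
	if macErr != nil || subtle.ConstantTimeCompare(got, want[:8]) != 1 {
		return nil, 0, ErrBadMAC
	}
	return uid, uint32(ctr), nil
}
```

The verifier recomputes the MAC from the link's own `uid` and `ctr`, so changing either one invalidates the `cmac` that was copied with it, and a link copied verbatim can only ever present the counter value it was minted with, which is what the delta check and the per-UID counter floor act on. `subtle.ConstantTimeCompare` keeps the comparison from leaking how many MAC bytes matched.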

***

### Attack Vectors & Mitigations

| Threat                  | Mitigation                                                            |
| ----------------------- | --------------------------------------------------------------------- |
| **Cloned Tag**          | Cannot replicate the secure chip’s CMAC logic or counter state.       |
| **Link Replay**         | Links expire and require valid delta transitions.                     |
| **Reverse Engineering** | Core cryptographic logic runs only on the secure tag and the backend. |

***

### Optional Enhancements

* **Geo + device fingerprinting**: flag unexpected tap locations or device patterns.
* **Blockchain immutability**: for products requiring proof of ownership.
* **Audit trail**: detailed per-tag verification logs for forensics or compliance.

***

### Summary

TAGBASE security is rooted in the physical world — not in obscurity or client-side logic. By requiring a real chip with secure hardware to complete the validation, and combining this with cryptographically signed, time-bound interactions, TAGBASE delivers an **unclonable, app-free product verification** system.

