You are on page 1of 5

D.-S. Kim et al.

: On the Design of an Embedded Biometric Smart Card Reader

573

On the Design of an Embedded Biometric Smart Card Reader


Dong-Sun Kim, Member, IEEE, Seung-Yerl Lee, Member, IEEE, Byung-Soo Kim, Member, IEEE, Sung-Chul Lee and Duck-Jin Chung, Member, IEEE
Abstract In this paper, a highly reliable embedded biometric smart card system with cryptography engine is proposed. We explain the system architecture of portable embedded biometric smart card reader to strengthen security for various consumer applications such as mobile cash card. Proposed biometric smart card system is embedded with 75 MHz 32-bit RISC, 6 channel smart card controller and advanced encryption system (AES) cryptography accelerator. It is devised to communicate with smart card with encrypted biometric data using international standard ISO-7816 and provides system peripherals such as LCD display controller and USB host interface. The proposed implementation shows a 70% performance improvement for decryption of protected biometric data compared to the software based smartcard chipset and it is verified using 0.35um CMOS process1. Index Terms Biometric smartcard, cryptography, advanced encryption system, embedded system.

smart card chip for smart card reader and it is suitable for prepayment and identification applications. The proposed system-on-a-chip (SoC) embeds a 32-bit RISC core to support operating systems and standardized smart card interface function with an AES cryptography hardware module for fast security operation. The rest of the paper is organized as follows. Section 2 explains the architecture and components of the smart card chipset. Section 3 shows the verification result and conclusions are explained in section 4.

I. INTRODUCTION Recently, many different kinds of applications such as electronic money, wallet and fingerprint identification are combined with smart card with the rapid developments of smart card technology. Moreover, the application of ecommerce and automatic identification are proved to be a great success and the electronic cash system will be merged with smart card, cellular phones and personal digital assistants [1], [2]. Carrying a wallet or a purse with cash or credit cards will no longer be necessary, smart card technology making payment more convenient. In addition, smart card can be successfully applied to personal identification systems and several governments of united state (US) are switching to smart cards for driver's licenses. One primary reason is that driver's licenses are becoming an important form of identification for individuals [3]. However, smart card system needs a protection methodology for being lost or stolen. In this reason, smart card systems based on cryptography algorithm are developed to solve these problems [4]. As shown in Fig. 1, smart card systems embedded with biometric data such as fingerprint have enabled more reliable applications such as home entertainment, personal identification and prepayment service. In this paper, we propose an embedded biometric

Fig. 1. Biometric smart card application

II. ARCHITECTURE OF AN BIOMETRIC SMART CARD SYSTEM-ON-A-CHIP The smart card controller consists of a 32bit RISC processor, a display control block, a memory block for biometric data, 6 channel smartcard interface block, a power management block, and an AES block as shown in Fig. 2. A. Processor and Power Management Block For a real-time operating system (RTOS), 32-bit RISC with built-in memory management unit (MMU), cache and write buffers is used. An 8K unified cache is directly linked to the CPU core and a 512lines4words size 4-way set associative cache type is used. The MMU, which possesses memory control capability, can change imaginary addresses to actual physical addresses, and has a 64 entry translation look aside buffer (TLB).

1 Dong-Sun Kim is with the Advanced Mobile Technology Research Center, Korea Electronics Technology Institute, Korea (e-mail: dskim@ keti.re.kr). Sung-Chul Lee is with the SoC Center, Korea Electronics Technology Institute, Korea. Seung-Yerl Lee, Byung-Soo Kim and Duck-Jin Chung are with the Department of Information Technology and Telecommunications, Inha University, Incheon, Korea. Contributed Paper Manuscript received April 16, 2008 0098 3063/08/$20.00 2008 IEEE

574

IEEE Transactions on Consumer Electronics, Vol. 54, No. 2, MAY 2008

exchange, card inactivation, and order of exclusion. All data processing is done by the interrupt and its associated interrupt service routine. The smart card Interface (ICCIF) consists of a digital back-end and an analog front as shown in Fig. 3. In the case of the smart card clock, the duty cycle must be between 45% and 55% during normal operation, as stated in the standard. The frequency should be in the range of 1 MHz to 5 MHz, and there must be no more than 1% change in frequency during card use. Analog driver block is consists of DC-DC converter and Fault Monitoring and card detection circuit. As shown in Fig. 4, DC-DC converter consists of a controller based on pulse frequency modulation (PFM), a voltage divider, a comparator, and an internal 500 KHz oscillator. When the VFB falls below VREF, the square-wave oscillator affects the switching operation of M1 to increase VCC. Storing energy in the Lext and transferring it to the Cext results from the rapid switching operation of M1. When the VFB is higher than VREF, the M1 is OFF and keep the VCC from increasing. This is the principle of PFM. To boost up the output voltage above the input, the following equation (1) was adopted. The relation between duty-ratio D and voltagetransfer ratio GV is
Vo 1 GV = = Vi (1 D )

Fig. 2. Block diagram of biometric smartcard chipset

The built-in power management block is implemented to reduce the overall power consumption. It switches the chip from normal operation mode to power save mode when there is no computing operation. In the idle mode, the operation of all blocks except the real-time clock is suspended. During idle mode, the SDAM switches to self-refresh mode in order to prevent data loss. In order to come out of the idle mode, the RTC wake-up signal or the UART ring-indicate input is used. The suspension mode and the slow mode reduce the power consumption by halting the processor and by slowing down the operating speed. The occurrence of a peripheral interrupt will make the system come out of these modes. B. Display and Memory Control Block Display block controls a 4 or 8 gray level mono STN LCD in single panel form that has a screen size of 320240. The signals to control the display are exchanged using advanced peripheral bus (APB) for low-speed peripherals. The memory control block consists of a dynamic RAM control block and a static RAM control block. The Dynamic RAM control block can control the SDRAM with a maximum of 128 Mbytes and 4 banks of SDRAMs can be connected. The Static RAM control block controls the SRAM, flash ROM and ROM. C. Smart Card Interface Block Six Smart card interface blocks are available for various card terminal applications. Communication with the card is mainly done through the hardware interrupt. One reader can manage all kinds of IC-Card regardless of the operating voltage, while conventional reader was needed interface ICs for 3.3V and for 5V IC-Card respectively. Four UARTs and GPIOs are designed for peripheral interface. The built-in USB enables high-speed data transfer of various application programs associated with the Smart card and facilitates OS upgrade. The Smart card interface supports T = 0, T = 1 asynchronous protocol from ISO 78133. Smart card (ICC) data processing is achieved in full hardware without any software intervention. The steps of the card operation process are as follows: card insertion and activation, information

(1)

That is, when D is 0, GV has the smallest value, 1, and when D is 1, GV is infinite. Therefore, through the control of D from 0 to 1, the output voltage could be programmed above input supply voltage.

Fig. 3. Smartcard interface block diagram


VCC

LDRV Lext M1

VLXLimiter

VFB

Divider

Driver PFM Controller

+ VREF Voltage Divider

Cext

PGND

500KHz Oscillator

VDD

PD

PG

GND

Fig. 4. Block diagram of the embedded DC-DC converter

D.-S. Kim et al.: On the Design of an Embedded Biometric Smart Card Reader

575

A fault detection circuit has been adopted to monitor Vbatlow (battery under voltage detection), Voutlow (IC-Card supply under voltage detection) and Icclim (IC-Card over current detection). In order to monitor these states, we designed the comparator with the characteristic of hysteresis. Due to the variation of the external load, the decrement of battery power, the occurrence of short current when a card is inserted and the generated voltage from DC-DC converter is hard to maintain a regular point. Therefore, it is required to design a comparator which is independent of the variation of the generated power supply. We design the circuit to generate the power-good (PG) and the power-down (PD) signals from a card detector. These signals are independent of the power supply variation within a 0.25V. A card detection circuit monitors the insertion or removal of the card and has a 40s de-bouncing delay. When a card is inserted in a coupler, the card detector activates start-up signal and starts the converter. When a card is removed, the card detector activates powerdown mode and stops the converter. A bi-directional level shifter circuit adapts the signal voltage levels of the I/Os. Using this circuit, I/O signal lines could be controlled between the MCU and the IC-Card. The internal clock circuit has been implemented using a schmitt-trigger and a voltage controlled oscillator (VCO). The maximum clock frequency was programmed to 500 KHz for DC-DC converter. A digital controller of the customer part designed in the ICcard interface is illustrated in Fig. 5. It is made up of the block in charge of interfacing to the host, the block controlling activation/deactivation of IC-Cards, IC-Card protocol extractor, and the serial data transceiver to an IC-Card. The block in charge of interfacing to the host is for advanced micro-controller bus architecture (AMBA) compliant systemon-a-chip peripheral that is adapted in this work, considering design reuse. The block handling activation/deactivation of an IC-Card makes decision whether the insertion signal applied from the analog driver is correct, as an IC-Card is inserted. And then it activates the IC-Card, that powers up the inserted card in an ordered manner. The activation sequence has been divided into several equal phases, timed by the value programmed in the activation time register. If the activation sequence is successfully complete, the operation proceeds to the ATR stage. If an abnormal execution occurs during the activation sequence, the digital controller instantly senses the movement of the IC-Card relative to the IC-Card interface, and deactivates all signals of IC-Card interface. The protocol handler of an IC-Card plays an important role in transferring received information to MCU, controlling timing of the ATR receiving from the IC-Card and reading the protocol in the ATR. In the case of receiving an abnormal ATR, such as inappropriate timing for receiving an ATR and an incorrect ATR, digital controller immediately takes action in either deactivating IC-Card or warm-resetting by the request of the protocol handler. If ATR is correctly received, MCU reads information of the ATR and selects the relevant IC-Card interface for merchant before it takes actions on authentication.

Fig. 5. Detailed digital controller of the customer block

D. AES Cryptography Module We designed the AES encryption module based on Rijindael algorithm that has been accepted as a standard. The module supports 128, 192, and 256-bit differential key length. The AES encryption algorithm is a block encryption method that supports 128, 192, and 256-bit block size. Encryption and decryption are progressed according to 10, 12, and 14 round forms depending on the block and key length, with each round receiving a different key from the key control block. The AES cryptography module is divided as shown in Fig. 6: the key addition block, the shift row block, the mix column block, and the substitution block. The key addition block is byte-unit XOR arithmetic between the round key and the encryption data. The shift row and substitution blocks consist of internal registers and look-up table. Finally, the mix column block consists of GF (28) multiplication and XOR arithmetic. In this way, the key control block generates the next sub-round key, using the relationship between the present key and the previous key. Each blocks block diagram and its operation principles are described in the following sections. The substitution block divides the 256-bit data into 32 8-bit units and transforms them into a new 256-bit data by using each bit as the address of the S-box. 32 S-boxes are stored in the internal registers to perform parallel arithmetic. The shift row block divides the 256-bit data into 2 128-bit units. Each 128bit unit runs the shift arithmetic in units of bytes. By doing so, the entire data becomes evenly reordered.

Fig. 6. AES cryptography module

576

IEEE Transactions on Consumer Electronics, Vol. 54, No. 2, MAY 2008

s'0 s'1 s'2 s'3

s'4 s'5 s'6 s'7

s'8 s'9 s'10 s'11

s'12 s'13 s'14 s'15

02 03 01 01 01 02 03 01 = 01 01 02 03 03 01 01 02 (a) Equation of Mix Column

s0 s1 s2 s3

s4 s5 s6 s7

s8 s9 s10 s11

s12 s13 s14 s15

TABLE II PERFORMANCE OF AES CRYPTOGRAPHY MODULE CPU 50MIPS RISC 100MIPS RISC Full H/W Efficiency Feature Gladman AES ANSI-C DES Gladman AES ANSI-C DES OSC & USB

Key Schedule Encryption Decryption 449 333 5 89.8/66.6 1641 430 1374 387 25 2763 870 2439 675 27

' s0, c s ' 0e 0b 0d 09 0, c s1, c 09 0e 0b 0d s1, c ' = s2,c 0d 09 0e 0b s2,c ' 0b 0d 09 0e s3, c s3, c (b) Reverse transform of Mix Column

65.64/54.96 102.33/90.33

IC Card Interface

Fig. 7. Mix column and inverse mix column

PMU

The values for the mix column block are obtained by coefficient value of shift row data and matrix arithmetic as shown in Fig. 7 (a). If the matrix multiplication is expanded, it is divided into multiplication and addition arithmetic within GF (28). In order to do the reverse transform of the mix column, only the coefficient values need to be changed as shown in Fig. 7 (b). Therefore, the same hardware can be used in both encryption and decryption by selecting and using the coefficient values through the MUX. The last key addition block does bitwise XOR operation on the 256-bit data and the 256-bit key from application software. IV. EXPERIMENTAL RESULTS Table 1 summarizes the specification of the proposed biometric smartcard chipset manufactured in this work and Fig. 8 shows the layout of the full chip and prototype evaluation board. IC-Card interface block which is in the middle of upper side. The manufactured IC, with full size is 7890m 7890 m, was packaged in a 352-pin plastic ball grid array (PBGA). The number of the total gates is about 400,000, not including internal memory. The range of operating clock frequency is 40MHz up to 75MHz at 3.3V. And two on-chip DC-DC converters are designed and embedded to supply IC-Card with the clock as well as both 3.3V and 5V to accommodate all types of IC-Card. The total current consumption is about 300mA at 5V operation and 190mA at 3.3V operation.
TABLE I SPECIFICATIONS Supply Voltage Clock Frequency Current Consumption @ 5V Card Operation Current Consumption @ 3.3V Card Operation Number of Gates Full CMOS Chip Area Number of Pins OSC, DC/DC Converter, Memory 3.3 V 40 MHz ~ 75 MHz 300mA 190mA 400,000 7890 m 7890 m 352 On-Chip

Digital

32-bit RISC Core

Dual Port RAM

(a) Full layout diagram


JTAG/Debug Port Power unit RS232 Biometric smart card chip Smart Media 128M SDRAM Ethernet port

(b) Evaluation board Fig. 8. Layout diagram and prototype evaluation board

Table 2 shows the simulation results on Gladmans AES C code and DES C code using embedded development tool, assuming zero wait memory access. Results show that the hardware implementation is on average 60 times faster when encrypting and 100 times faster when decrypting compared to other alternatives. This increase in performance implies that the hardware based AES module can be effectively applied to real-time electronic commerce systems. In addition, by reducing the computational load of the microcontroller, the hardware based AES can contribute in creating various new services, as well as bringing cost reduction. In addition, ICCard interface performs serial data communication defined by the ISO7816 specification to exchange data. This serial data transceiver adopted FIFO architecture to adjust the rate of communication speed flexibly. Data transfer that is processed as bytes is converted to a serial stream. The format of serial data specified by ISO7816 specification is made up of one start bit, eight individual bits, one parity bit, and two stop bits.

D.-S. Kim et al.: On the Design of an Embedded Biometric Smart Card Reader

577

V. CONCLUSION In this paper, we show a biometric smart card interface IC for electric commercial applications. It mainly embeds a 32-bit RISC microcontroller, AES cryptography module, smart card interface controller and two DC-DC converters for 3.3V and 5V compatible IC-Card operation. Using biometric smartcard controller, one reader can obtain biometric user data from all kinds of IC-Card regardless of the operating voltage while conventional reader is needed IC-Card interface for 3.3V and for 5V IC-Card respectively. And for stable operation, the fault monitoring circuit is designed. Proposed biometric smartcard chipset is implemented on a standard 0.35um triple-metal double-poly CMOS process and it can be used for portable authenticator in electronic cash system that needs highly reliable personal authentication. REFERENCES
[1] David D. Hwang, and Ingrid Verbauwhede, Design of Portable Biometric Authenticators Energy, performance, and Security Tradeoffs, IEEE Transactions on Consumer Electronics, vol. 50, no. 4, pp. 1222-1231, Nov. 2004. Afzel Noore, Highly Robust Biometric Smart Card Design, IEEE Transactions on Consumer Electronics, vol. 46, no. 4, pp. 4-8, Nov. 2000. http://www.isaca.org/Template.cfm?Section=Home&CONTENTID=167 27&TEMPLATE=/ContentManagement/ContentDisplay.cfm Y. S. Moon, H. C. Ho, and K. L. Ng, A Secure System with Biometric Capability, Proceedings of the 1999 IEEE Canadian Conference on Electrical and Computer Engineering, vol. 1, pp.261-266, May 1999. F. L. Luo, Six Self-Lift DC-DC Converters, Voltage Lift Technique, IEEE Transactions on Ind. Electrons, vol. 48, pp.1268-1271, Dec. 2001. Bruno Struif, and Dirk Scheuermann, Smartcards with Biometric User Verification, Proceedings of the 2002 IEEE International Conference on Multimedia and Expo, vol. 2, pp. 589-592, Aug. 2002. Raul Sanchez-Reillo, Smart Card Information and Operations using Biometrics, IEEE Aerospace and Electronic Systems Magazine, vol. 16, no. 4, pp. 3-6, April 2001. E. Biham, New types of cryptanalytic attacks using related keys, LNCS 765, pp. 398-409, 1993. Willem Jonker and Jean-Paul Linnartz, Digital Rights Management in Consumer Electronics Products, IEEE Signal Processing Magazine, pp. 81-91, March 2004.

Dong-Sun Kim (M99) was born in Incheon, Korea in 1972. He received B.S and M.S degrees in the School of Electronics and Electrical Engineering in 1997 and 1999, respectively, from INHA University, Incheon, Korea. In 2005, he received a Ph.D. degree from the School of Information and Telecommunication Engineering of INHA University, Incheon, Korea. Since 1999, he has been with the Korea Electronics Technology Institute (KETI), Gyeonggi-do, Korea and working on R&D at the Advanced Mobile Technology Research Center, where he currently is a senior researcher and team leader. He is a member of IEEE. His research interests are in the areas of wireless/wired communication systems, wireless sensor networks, VLSI & SoC design, multimedia codec design, computer architecture, and embedded system design. Seung-Yerl Lee received B.S. and M.S degrees in the School of Information and Telecommunication Engineering from INHA University, Korea in 2003 and 2005, respectively. He is currently a Ph.D. candidate in the School of Information and Telecommunication Engineering in INHA University. His research interests include wireless communication hardware design, WPAN, WLAN, and VLSI & SoC design. Byung-Soo Kim was born in Seoul, South Korea in 1984. He received the B.S. degree from the school of Information and Telecommunication Engineering from the INHA University, South Korea in 2006. He is currently pursuing the M.S. degree in Information and Communication Engineering at INHA University, South Korea. His research interests are wireless communication hardware design, JPEG2000, Genetic Algorithm and VLSI & SoC design. Sung-Chul Lee was born in Korea on 1969. He received a B.S and M.S degree in the school of Information and Telecommunication Engineering from Chonbuk University, Korea in 1993 and 1995, respectively. Since 1995, he has been with the Korea Electronics Technology Institute (KETI), Gyeonggido, Korea and working on R&B at the SoC Center. His research interests are in the areas of VLSI & SoC design and mixed signal design. Duck-Jin Chung was born in Korea on Feb. 8, 1948. He received a B.S degree in electrical engineering from Seoul National University,Korea in 1970, and a M.S. degree from Utah State University in 1984. In 1988, he received a Ph.D. degree from the University of Utah. He is currently a professor at the Sschool of Information and Communication Engineering of INHA University, Incheon, Korea. He is a member of IEEE. His research interests are VLSI & SoC design, computer architecture, and embedded system design.

[2] [3] [4] [5] [6] [7] [8] [9]