Bluetooth data transmission encryption method based on intelligent terminal

By combining the generation of a temporary session key with the root key of the access hardware security module, a session encryption key is generated and an integrity check code is calculated, which solves the problems of key leakage and data tampering in Bluetooth data transmission and achieves higher security and flexibility.

CN121568100BActive Publication Date: 2026-06-23深圳市乾海芯联科技有限公司 +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
深圳市乾海芯联科技有限公司
Filing Date
2026-01-23
Publication Date
2026-06-23

AI Technical Summary

Technical Problem

Existing Bluetooth data transmission schemes suffer from session key leakage when the terminal operating system is compromised by malware, and the encryption algorithms lack forward security and flexibility, making data susceptible to interception and tampering in Bluetooth transmission environments.

Method used

A temporary session key is generated and the root key is obtained by accessing the hardware security module built into the smart terminal. A session encryption key is generated through the key derivation function, and the data is encrypted using a symmetric encryption algorithm. At the same time, an integrity check code is calculated based on a hash function, thus separating the encryption and integrity check processes.

Benefits of technology

It effectively isolates the risk of software-level key leakage, prevents session encryption keys from being cracked, reduces the computing requirements of receiving devices, expands the application potential of IoT devices, and provides a clear integrity verification mechanism.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN121568100B_ABST
    Figure CN121568100B_ABST
Patent Text Reader

Abstract

The application relates to the field of Bluetooth data transmission security technology and discloses a Bluetooth data transmission encryption method based on an intelligent terminal. After the intelligent terminal and a receiving device establish a Bluetooth connection, a temporary session key is generated. A built-in hardware security module of the terminal is accessed to obtain a pre-stored root key. The root key and the temporary session key are used as inputs to generate a session encryption key with higher strength through a key derivation function. The session encryption key is used to encrypt data to be transmitted by using a symmetric encryption algorithm. The hash value of the original transmission data is independently calculated based on a hash function and used as an integrity check code of the data. The encrypted data and the integrity check code are encapsulated and sent to the receiving device through a Bluetooth protocol stack. The application strengthens the security of the key by combining hardware security and dynamic negotiation, and improves the anti-attack ability and reliability of Bluetooth data transmission by adopting an independent integrity check mechanism.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of Bluetooth data transmission security technology, specifically to a Bluetooth data transmission encryption method based on a smart terminal. Background Technology

[0002] In the field of Bluetooth communication based on smart terminals, ensuring the confidentiality and integrity of data transmission is a core technical requirement. Current common solutions primarily rely on software-level dynamic key negotiation protocols, such as ECDH key exchange. This approach generates a temporary session key through negotiation between the communicating parties and directly uses this key to perform symmetric encryption on the transmitted data. Another approach is to directly use a pre-installed fixed key within the smart terminal's hardware security environment for encryption, thereby enhancing the security level of the key itself.

[0003] Existing schemes relying on purely software-based dynamic key negotiation are vulnerable to having their generated session keys stolen from memory when the terminal operating system is compromised by malware. Once this session key is leaked, the corresponding communication session content can be completely decrypted. While schemes using fixed keys in hardware improve key storage security, they lack forward security. If the encrypted data of a single session is cracked, or the fixed key is leaked due to physical attacks, all historical and future communications using that key are at risk of being decrypted. Regarding data integrity verification, existing technologies often employ an integrated encryption and authentication approach. This approach deeply couples integrity verification with the encryption process, and its flexibility is limited by the choice of specific algorithms.

[0004] The Bluetooth transmission environment is inherently open, making data vulnerable to interception and tampering. A method is needed to effectively address the risk of key leakage after the terminal software layer is compromised, and to solve the problem of reliable integrity verification between different encryption devices. This requires that the key generation process not only remain at the software level but also introduce higher-level security elements; the data integrity protection mechanism should have stronger adaptability and explicit verification logic. Summary of the Invention

[0005] The purpose of this invention is to provide a Bluetooth data transmission encryption method based on smart terminals to solve the problems mentioned in the background art.

[0006] To achieve the above objectives, the present invention provides a Bluetooth data transmission encryption method based on a smart terminal, the method comprising:

[0007] After the smart terminal and the receiving device establish a Bluetooth connection, a temporary session key is generated;

[0008] Access the hardware security module built into the smart terminal to obtain the pre-stored root key;

[0009] The root key and the temporary session key are taken as input and processed by the key derivation function to generate the session encryption key;

[0010] Using the session encryption key, a symmetric encryption algorithm is employed to encrypt the data to be transmitted;

[0011] The hash value of the transmitted data is calculated based on the hash function, and the hash value is used as the data integrity check code;

[0012] The encrypted data is encapsulated together with the integrity check code and sent to the receiving device via the Bluetooth protocol stack.

[0013] Preferably, the operation of generating a temporary session key includes the following detailed steps:

[0014] Call the random number generator service provided by the smart terminal operating system to generate a cryptographically secure random number;

[0015] Read the system clock of the smart terminal to obtain the current timestamp accurate to milliseconds;

[0016] Obtain the unique device identifier of the smart terminal;

[0017] The random number, the timestamp, and the device's unique identifier are concatenated and combined.

[0018] The concatenated data is processed using a hash function, and the fixed-length output is used as the temporary session key for this Bluetooth session.

[0019] Preferably, the process of accessing the hardware security module built into the smart terminal to obtain the pre-stored root key includes the following detailed steps:

[0020] Applications on smart terminals call the secure application programming interface provided by the hardware security module;

[0021] The hardware security module verifies the digital signature of the calling application to ensure that it is a trusted application;

[0022] After successful verification, the hardware security module reads the pre-stored root key from its protected storage area;

[0023] The root key is injected into the hardware security module through a secure process during the manufacturing stage of the smart terminal. The hardware security module is a trusted execution environment or a secure element. The access and use of the root key are always protected by the hardware security module and will not be exposed to the ordinary execution environment.

[0024] Preferably, the process of generating the session encryption key through the key derivation function includes the following detailed steps:

[0025] Use the root key as the master key input for the key derivation function;

[0026] Use the temporary session key as the salt value input for the key derivation function;

[0027] Set the iteration count parameter of the key derivation function, which is dynamically determined according to the security level of the smart terminal;

[0028] Execute the key derivation function's operation flow to generate output data of a specified length;

[0029] Extract the desired byte sequence from the output data to serve as the final session encryption key.

[0030] Preferably, the step of using the session encryption key and employing a symmetric encryption algorithm to encrypt the data to be transmitted includes the following detailed steps:

[0031] The Advanced Encryption Standard (AES) algorithm was selected as the symmetric encryption algorithm, and the cryptographic block chain mode was determined as the operating mode.

[0032] The initial vector required for the cryptographic block chain pattern is derived from the temporary session key;

[0033] The data to be transmitted is padded according to the block size of the encryption algorithm to meet the block alignment requirements;

[0034] Using the session encryption key and the initial vector, the padded data block is iteratively encrypted according to the rules of the cryptographic block chain pattern;

[0035] All encrypted data blocks are combined sequentially to form the final encrypted data.

[0036] Preferably, the step of calculating the hash value of the transmitted data based on the hash function and using the hash value as the data integrity check code includes the following steps:

[0037] Select a specific version of the secure hash algorithm family as the hash function, and input the original data to be transmitted into the hash function for calculation;

[0038] The hash function is iteratively compressed to process the data through multiple rounds of transformation, generating a fixed-length hash value of 256 bits. This hash value is then used as an integrity check code and associated with the encrypted data for storage.

[0039] Preferably, the step of encapsulating the encrypted data together with the integrity check code and sending it to the receiving device via the Bluetooth protocol stack includes the following steps:

[0040] Encapsulate the encrypted data and integrity check code according to the format defined by the Bluetooth Low Energy attribute protocol;

[0041] Add the necessary header information to the data packet, including the service identifier, feature handle, and data packet sequence number;

[0042] Submit the encapsulated data packet to the data link layer of the Bluetooth protocol stack;

[0043] The data link layer segments data packets into data frames that conform to the Bluetooth core specification size;

[0044] Data frames are sent to the receiving device via the Bluetooth physical channel.

[0045] Preferably, the step of calling the random number generator service provided by the smart terminal operating system to generate a cryptographically secure random number includes the following detailed steps:

[0046] Applications on smart terminals trigger random number generation requests through system call interfaces;

[0047] The operating system kernel accesses the hardware random number generator to collect raw random data from physical entropy sources, including temperature sensor noise or system clock jitter.

[0048] The collected raw random data is preprocessed, and the bias is eliminated by a debiasing algorithm to generate entropy pool data;

[0049] Input the entropy pool data into the pseudo-random number generator, perform multiple rounds of permutation and obfuscation operations, and output a random number sequence that meets cryptographic security standards.

[0050] Preferably, the step of setting the iteration count parameter of the key derivation function, wherein the iteration count parameter is dynamically determined according to the security level of the smart terminal, includes the following detailed steps:

[0051] Query the security policy configuration file of the smart terminal and read the current security level identifier;

[0052] The basic iteration count value is obtained by retrieving the preset iteration count mapping table based on the security level identifier;

[0053] Monitor the real-time system resource status of smart terminals, including CPU utilization and memory usage, and computing resource adjustment factors;

[0054] Multiply the base iteration count by the resource adjustment factor to obtain the dynamic iteration count parameter, and then pass it to the key derivation function.

[0055] Preferably, submitting the encapsulated data packet to the data link layer of the Bluetooth protocol stack includes the following detailed steps:

[0056] The data link layer parses the packet header information and extracts the service identifier and feature handle;

[0057] Add a link-layer frame header to the data packet, including the destination address and source address fields;

[0058] Calculate the frame check sequence of the data packet and generate error detection codes using the cyclic redundancy check algorithm;

[0059] The data packet is divided into multiple data frames that conform to the Bluetooth Low Energy Protocol Maximum Transmission Unit Size, and a sequence number is assigned to each data frame.

[0060] Compared with the prior art, the beneficial effects of the present invention are:

[0061] By accessing the hardware security module built into the smart terminal, a root key that is completely isolated from the ephemeral session key dynamically negotiated at the software level is obtained. Both are then input into a key derivation function to generate the final session encryption key. This design ensures that the generation of the session encryption key must simultaneously meet two conditions: a ephemeral key negotiated through the normal Bluetooth protocol and secure access to the hardware security module. Even if the application layer or operating system layer of the smart terminal is compromised by malware, leading to the leakage of the ephemeral session key, the attacker cannot deduce the true session encryption key because they cannot access the protected root key in the hardware security module. Conversely, even if the root key of the hardware security module is theoretically leaked due to an extreme physical attack, because the ephemeral key for each communication session is independent and dynamically changing, the attacker cannot use the root key to deduce the encryption key for any other session, thus effectively limiting the scope of the security incident.

[0062] Independent of the encryption process, the hash value of the original data to be transmitted is calculated based on a hash function as the integrity check code, and this code is encapsulated and transmitted along with the encrypted data. This method separates data integrity verification from the data encryption and decryption process. After receiving the data, the receiving device can first decrypt the encrypted data, then calculate the hash value of the decrypted plaintext data, and compare it with the transmitted integrity check code. This separate processing mechanism allows the system to use lightweight symmetric encryption algorithms without built-in authentication functions, reducing the computational requirements of the receiving device and broadening the application potential of the solution on resource-constrained IoT devices. The integrity check code directly corresponds to the plaintext data, providing a clear and independent verification step. In the event of communication anomalies or during security audits, it helps to quickly locate whether the problem occurred during the data encryption stage or the transmission tampering stage. Attached Figure Description

[0063] Figure 1 This is a schematic diagram illustrating the working principle of the Bluetooth data transmission encryption method based on a smart terminal according to the present invention.

[0064] Figure 2 A flowchart for generating a temporary session key;

[0065] Figure 3 A flowchart for generating session encryption keys;

[0066] Figure 4 Analysis diagram for dynamically adjusting the number of key derivation iterations;

[0067] Figure 5 This diagram illustrates the data encryption processing and integrity verification analysis. Detailed Implementation

[0068] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0069] Please see Figure 1 This invention provides a Bluetooth data transmission encryption method based on a smart terminal. The method includes: after the smart terminal establishes a Bluetooth connection with a receiving device, generating a temporary session key; the method calls the random number generator service provided by the smart terminal's operating system to generate a cryptographically secure random number; the smart terminal's application triggers a random number generation request through a system call interface; the operating system kernel accesses the hardware random number generator to collect raw random data from physical entropy sources, including temperature sensor noise or system clock jitter; the collected raw random data is preprocessed, and bias is eliminated through a debiasing algorithm to generate entropy pool data; the entropy pool data is input into a pseudo-random number generator to perform multiple rounds of permutation and obfuscation operations, outputting a random number sequence that conforms to cryptographic security standards; the smart terminal's system clock is read to obtain a timestamp accurate to milliseconds; the smart terminal's unique device identifier is obtained; the random number, the timestamp, and the unique device identifier are concatenated; a hash function is applied to the concatenated data; and the fixed-length output result obtained is used as the temporary session key for this Bluetooth session.

[0070] The application on the smart terminal accesses the hardware security module built into it to obtain the pre-stored root key. The application on the smart terminal calls the secure application interface provided by the hardware security module. The hardware security module verifies the digital signature of the calling application to ensure that it is a trusted application. After successful verification, the hardware security module reads the pre-stored root key from its protected storage area. The root key is injected into the hardware security module through a secure process during the manufacturing stage of the smart terminal. The hardware security module is a trusted execution environment or secure element. The access and use of the root key are always protected by the hardware security module and will not be exposed to the ordinary execution environment.

[0071] The root key and the temporary session key are used as inputs and processed by a key derivation function to generate a session encryption key. The root key is used as the master key input to the key derivation function, and the temporary session key is used as the salt value input. The iteration number parameter of the key derivation function is set. The iteration number parameter is dynamically determined according to the security level of the smart terminal. The security policy configuration file of the smart terminal is queried to read the current security level identifier. The preset iteration number mapping table is retrieved according to the security level identifier to obtain the basic iteration number value. The real-time system resource status of the smart terminal, including the CPU utilization and memory usage, is monitored to calculate the resource adjustment factor. The basic iteration number value is multiplied by the resource adjustment factor to obtain the dynamic iteration number parameter, which is passed to the key derivation function. The operation flow of the key derivation function is executed to generate output data of a specified length. The required length of byte sequence is extracted from the output data as the final session encryption key.

[0072] Using the session encryption key, a symmetric encryption algorithm is employed to encrypt the data to be transmitted. The Advanced Encryption Standard (AES) algorithm is selected as the symmetric encryption algorithm, and the cryptographic block chaining mode is determined as the operating mode. The initial vector required for the cryptographic block chaining mode is derived based on the temporary session key. The data to be transmitted is padded according to the block size of the encryption algorithm to meet the block alignment requirements. Using the session encryption key and the initial vector, the padded data blocks are iteratively encrypted according to the rules of the cryptographic block chaining mode. All encrypted data blocks are combined sequentially to form the final encrypted data.

[0073] The hash value of the transmitted data is calculated based on the hash function. This hash value is used as the data integrity check code. A specific version of the secure hash algorithm family is selected as the hash function. The original data to be transmitted is input into the hash function for calculation. The compression function of the hash function is executed iteratively to transform the data in multiple rounds, generating a hash value with a fixed length of 256 bits. This hash value is used as the integrity check code and stored in association with the encrypted data.

[0074] The encrypted data and the integrity check code are encapsulated together and sent to the receiving device through the Bluetooth protocol stack. The encrypted data and integrity check code are encapsulated according to the format defined by the Bluetooth Low Energy Attribute Protocol. Necessary header information, including service identifier, feature handle, and data packet sequence number, is added to the data packet. The encapsulated data packet is submitted to the data link layer of the Bluetooth protocol stack. The data link layer parses the header information of the data packet, extracts the service identifier and feature handle, adds a link layer frame header to the data packet, including destination address and source address fields, calculates the frame check sequence of the data packet, generates an error detection code using the Cyclic Redundancy Check (CRC) algorithm, divides the data packet into multiple data frames conforming to the maximum transmission unit size of the Bluetooth Low Energy Protocol, assigns a sequence number to each data frame, and sends the data frames to the receiving device through the Bluetooth physical channel.

[0075] Example 1: See Figure 2 In specific implementation, the operation of generating a temporary session key calls the random number generator service provided by the smart terminal's operating system to generate a cryptographically secure random number. The smart terminal's application initiates a random number generation request to the operating system kernel through a system call interface. After responding to the request, the operating system kernel accesses the hardware random number generator. The hardware random number generator collects raw random data from physical entropy sources, including temperature sensor noise and system clock jitter. It preprocesses the collected raw random data, eliminates data bias through a debiasing algorithm, and generates entropy pool data. The entropy pool data is input into a pseudo-random number generator, which performs multiple rounds of permutation and obfuscation operations, outputting a random number sequence that conforms to cryptographic security standards. In some embodiments, the system clock register of the smart terminal is read to obtain the current timestamp value accurate to milliseconds. The device information storage area of ​​the smart terminal is read to obtain the unique device identifier of the smart terminal. The random number sequence, the timestamp value, and the unique device identifier are concatenated to form a combined data block. A hash function is applied to the concatenated combined data block for processing. The hash function operation process is represented by the following formula:

[0076]

[0077] in: Indicates a temporary session key. Represents a hash function. Represents cryptographically secure random numbers. Represents a timestamp accurate to milliseconds. A unique device identifier representing a smart terminal. This indicates a bitwise XOR operation. It can be understood that the hash function uses the SHA-256 algorithm from the secure hash algorithm family. In specific implementations, the random number generator service provided by the smart terminal operating system is implemented based on a dedicated hardware module. This dedicated hardware module continuously collects random data from physical entropy sources, including temperature sensor noise and system clock jitter. It performs a bias removal algorithm on the collected raw random data to remove data bias and generate entropy pool data. The entropy pool data is input into a pseudo-random number generator for multiple rounds of permutation and obfuscation operations, outputting a cryptographically secure random number sequence. In some embodiments, the smart terminal's system clock provides a timestamp accurate to milliseconds. The smart terminal's unique device identifier is read from the device hardware information. The random number sequence, timestamp value, and unique device identifier are bitwise XORed. The XOR result is input into the hash function for calculation, and the hash function outputs a fixed-length temporary session key. Optionally, the hash function operation includes multiple rounds of compression function iteration, performing transformation processing on the input data to generate a fixed-length hash value output. It is understandable that the temporary session key generation process involves XOR and hash operations on random numbers, timestamps, and device identifiers. The temporary session key is used in the subsequent Bluetooth data transmission encryption process. In specific implementation, the smart terminal application accesses the random number generation function of the operating system kernel through the system call interface. The operating system kernel calls the hardware random number generator driver to collect raw random data from the physical entropy source. The raw random data is preprocessed by a bias reduction algorithm and then stored in the entropy pool. The entropy pool data serves as the input to the pseudo-random number generator. The pseudo-random number generator performs multiple rounds of permutation and obfuscation operations to generate a cryptographically secure random number sequence for temporary session key calculation.

[0078] Example 2: In specific implementation, accessing the hardware security module built into the smart terminal and obtaining the pre-stored root key involves the smart terminal's application calling the secure application interface provided by the hardware security module. The hardware security module verifies the digital signature of the calling application to ensure it is a trusted application. After successful verification, the hardware security module reads the pre-stored root key from its protected storage area. The digital signature verification process is represented by the following formula:

[0079]

[0080] in: This indicates the verification result. This represents the verification function. This represents the digital signature of the application. This indicates the public key stored in the hardware security module. This represents the hash value of the application code. In some embodiments, the application of the smart terminal accesses the secure application interface of the hardware security module through a system call. The secure application interface provides a standardized function interface for root key acquisition operations. After receiving the call request, the hardware security module executes a digital signature verification process to verify the matching of the digital signature of the calling application with the pre-stored certificate. After confirming that the application is a trusted application, access to the protected storage area is allowed. Optionally, the root key is injected into the hardware security module through a secure process during the smart terminal manufacturing stage. The secure process includes writing the root key into the protected storage area of ​​the hardware security module in a controlled environment. The protected storage area is a physically isolated secure storage space. It can be understood that the hardware security module is a trusted execution environment or a secure element. A trusted execution environment provides an isolated execution environment, while a secure element provides an independent hardware security area. In a specific implementation, when the hardware security module verifies the digital signature of the calling application, it uses the stored public key to decrypt the digital signature and compares the decryption result with the hash value of the application code. If the comparison result matches, the verification is successful. In some embodiments, the hardware security module reads a pre-stored root key from its protected storage area, which is a read-only memory or an encrypted partition in flash memory. The root key is stored in ciphertext and decrypted internally during reading. Optionally, access to and use of the root key are always protected by the hardware security module, which restricts root key read operations through access control policies based on application identity and digital signature verification results.

[0081] Example 3: See Figure 3 In specific implementation, the key derivation function is used to generate the session encryption key. This includes using the root key as the master key input and the temporary session key as the salt input. The iteration count parameter of the key derivation function is set, dynamically determined based on the security level of the smart terminal. The smart terminal's security policy configuration file is queried, the current security level identifier is read, and a preset iteration count mapping table is retrieved based on the security level identifier to obtain the basic iteration count value. The real-time system resource status of the smart terminal, including CPU utilization and memory usage, is monitored, a resource adjustment factor is calculated, and the basic iteration count value is multiplied by the resource adjustment factor to obtain the dynamic iteration count parameter, which is then passed to the key derivation function. The key derivation function's operation flow is executed, generating output data of a specified length. A byte sequence of the required length is extracted from the output data as the final session encryption key. In some embodiments, the key derivation function employs a cryptographic-based key derivation function algorithm. The operation flow of the key derivation function includes multiple rounds of hash iteration operations, where the input data is repeatedly processed using a hash function during the iteration process. Optionally, the dynamic determination process of the iteration count parameter is expressed by the following formula:

[0082]

[0083] in: This represents the number of dynamic iterations. This represents the basic iteration count. This refers to the resource adjustment factor. It can be understood that the resource adjustment factor is calculated based on CPU utilization and memory usage. In specific implementations, querying the security policy configuration file of the smart terminal includes accessing the system security policy storage area, reading the security level identifier (which represents the current security policy level), and retrieving a preset iteration number mapping table based on the security level identifier. The iteration number mapping table stores the correspondence between security levels and basic iteration numbers. In some embodiments, monitoring the real-time system resource status of the smart terminal includes obtaining the CPU utilization percentage and memory usage percentage through the system interface, and calculating the resource adjustment factor using a linear function. When monitoring the real-time system resource status of the smart terminal, the linear function used to calculate the resource adjustment factor by obtaining the CPU utilization and memory usage values ​​through the system interface is specifically implemented as a weighted average of these two indicators. The linear function combines CPU utilization and memory usage through preset weight coefficients, which are dynamically adjusted according to the security level of the smart terminal to ensure that the resource adjustment factor accurately reflects the current system resource status. The implementation of this linear function relies on the security policy configuration of the smart terminal. The weighting coefficients are read from the security policy configuration file and calculated in conjunction with real-time system resource data to dynamically optimize the iteration number parameter of the key derivation process. Optionally, the resource adjustment factor is calculated based on a weighted average of CPU utilization and memory usage.

[0084] See Figure 4This paper demonstrates the dynamic adjustment mechanism of the number of iterations during key derivation in a Bluetooth data transmission encryption system. The chart clearly shows the changing patterns of the number of iterations under different security levels and system resource conditions through a time series. The chart uses a scatter plot to display the actual iteration values ​​at each time point, and different colors distinguish between low, medium, and high security level configurations. The blue trend line visually reflects the overall trend of the number of iterations. The chart data fully demonstrates the system's intelligent mechanism of dynamically adjusting the number of key derivation iterations based on real-time resource conditions such as CPU utilization and memory usage. This adaptive adjustment ensures both encryption strength and system performance optimization. The chart shows that the number of iterations adjusts accordingly when system resources are strained, while maintaining a higher number of iterations under high security requirements to ensure encryption security. The dynamic adjustment process shown in the chart fully follows the design principles of the key derivation function, achieving intelligent configuration of iteration parameters through the product of the basic number of iterations and the resource adjustment factor, providing flexible and robust security for Bluetooth data transmission.

[0085] Example 4: In specific implementation, the data to be transmitted is encrypted using a symmetric encryption algorithm with a session encryption key. This includes selecting an Advanced Encryption Standard (AES) algorithm as the symmetric encryption algorithm and determining the cryptographic block chain mode as the operating mode. The initial vector required for the cryptographic block chain mode is derived based on the temporary session key. The data to be transmitted is padded according to the block size of the encryption algorithm to meet the block alignment requirements. The padded data blocks are iteratively encrypted using the session encryption key and the initial vector according to the rules of the cryptographic block chain mode. The encryption process of the cryptographic block chain mode is represented by the following formula:

[0086]

[0087] in: This represents the i-th ciphertext block. This indicates the encryption function using the session encryption key K. This represents the i-th plaintext block. This indicates the previous ciphertext block; for the first data block... The initial vector is equal to the number of encrypted data blocks that are combined sequentially to form the final encrypted data. The hash value of the transmitted data is calculated based on the hash function and used as the integrity check code of the data. This includes selecting a specific version of the secure hash algorithm family as the hash function, inputting the original data to be transmitted into the hash function for calculation, executing the compression function of the hash function, iterative processing, performing multiple rounds of transformation on the data to generate a fixed-length 256-bit hash value, and outputting the hash value as the integrity check code associated with the encrypted data and stored. In some embodiments, see Table 1. The data padding operation follows the block size requirements of the Advanced Encryption Standard (AES) algorithm. The AES algorithm uses a fixed 128-bit block size to group the data to be transmitted. The padding process ensures that the data length is an integer multiple of the block size.

[0088] Table 1: Data Population Rules Table

[0089] Remaining data length (bytes) padding byte values Number of padding bytes 0 16 16 1 15 15 2 14 14 ... ... ... 15 1 1

[0090] Optionally, the initialization vector is derived from the temporary session key. The derivation process uses a hash function to process the temporary session key and random numbers. It is understood that the cryptographic block chain mode provides chain-dependent data encryption to enhance security. In specific implementations, the hash function calculation uses a 256-bit version of the secure hash algorithm to perform multiple rounds of compression function iterations on the input data. The compression function includes bitwise operations and logical operations to generate a fixed-length hash value output. In some embodiments, the session encryption key and initialization vector are used in the encryption process. The encryption function executes the Advanced Encryption Standard (AES) algorithm, which includes multiple rounds of byte substitution and row shift operations. Optionally, the integrity check code is associated with the encrypted data and stored by appending it to the end of the data packet. It is understood that the hash value calculation covers the entire original data to ensure data integrity verification.

[0091] See Figure 5This chart details the entire process of data block encryption and integrity verification during Bluetooth data transmission encryption. The chart uses a multi-axis composite display. The main axis uses bar charts to compare the numerical changes of plaintext and corresponding ciphertext data blocks, intuitively demonstrating the transformation effect of the encryption algorithm on the data. The line chart in the secondary axis shows the time consumption required for each data block encryption process, reflecting the computational complexity of the encryption process. The third axis shows the cumulative calculation process of the integrity check code, demonstrating the working principle of the data integrity verification mechanism through the gradual accumulation of hash values. The entire chart clearly reveals the chain-like dependencies between data blocks in the cryptographic block chaining encryption process, as well as the collaborative working mechanism of encryption processing and integrity verification. The data in the chart fully demonstrates the working characteristics of the Advanced Encryption Standard (AES) algorithm in the cryptographic block chaining mode, including data block padding, iterative encryption, and the establishment of chain-like dependencies. Simultaneously, the integrity check code generation process also verifies the effectiveness of secure hash algorithms in data integrity protection, providing a comprehensive visual analysis for understanding the complete Bluetooth data encryption transmission process.

[0092] Example 5: In a specific implementation, the encrypted data and integrity check code are encapsulated together and sent to the receiving device via the Bluetooth protocol stack. This includes encapsulating the encrypted data and integrity check code according to the format defined by the Bluetooth Low Energy attribute protocol, adding necessary header information to the data packet (including service identifier, feature handle, and data packet sequence number), submitting the encapsulated data packet to the data link layer of the Bluetooth protocol stack, parsing the header information of the data packet, extracting the service identifier and feature handle, adding a link layer frame header to the data packet (including destination address and source address fields), calculating the frame check sequence of the data packet, and generating an error detection code using a cyclic redundancy check algorithm. The frame check sequence calculation is expressed by the following formula:

[0093]

[0094] in: Represents the frame check sequence. This represents the Cyclic Redundancy Check (CRBC) algorithm. The data packet content is represented by a segmentation process that divides the data packet into multiple data frames conforming to the Bluetooth Low Energy (BLE) Maximum Transmission Unit (MTU) size. Each data frame is assigned a sequence number and transmitted to the receiving device via the Bluetooth physical channel. In some embodiments, the data packet encapsulation process follows the Bluetooth Low Energy Attribute Protocol (BLE) format. Encrypted data and integrity check codes are organized into Attribute Protocol Data Units (APUs). Each APU contains an attribute opcode and an attribute value field. When adding necessary header information to the data packet, the service identifier identifies the Bluetooth service type, the feature handle specifies the data feature location, and the data packet sequence number identifies the data packet order. Optionally, when adding a link layer frame header at the data link layer, the destination address field specifies the Bluetooth address of the receiving device, and the source address field specifies the Bluetooth address of the sending device. It can be understood that the data packet segmentation operation is based on the BLE maximum transmission unit size, which defines the maximum payload length of a single data frame. In specific implementations, when the data link layer processes and encapsulates data packets, it parses the packet header information to extract the service identifier and feature handle. The service identifier is used to match the Bluetooth service configuration, and the feature handle is used to locate data attributes. A link layer frame header is added to the data packet, containing a destination address field and a source address field. The destination address field is written with the 48-bit Bluetooth address of the receiving device, and the source address field is written with the 48-bit Bluetooth address of the sending device. The frame check sequence of the data packet is calculated, and the cyclic redundancy check (CRC) algorithm is used to process the data packet content. The CRC algorithm uses polynomial division to generate error detection codes. In some embodiments, the data packet segmentation process is performed according to the data frame size defined in the Bluetooth core specification. The data frame size is determined by the Bluetooth Low Energy Protocol's maximum transmission unit (MTU) parameter. A sequence number is assigned to each data frame, which is used for data frame reassembly and sequence verification. Optionally, the frame check sequence is appended to the end of the data packet to form a complete transmission unit.

[0095] It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such process, method, article, or apparatus.

[0096] Although embodiments of the invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made to these embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the appended claims and their equivalents.

Claims

1. A Bluetooth data transmission encryption method based on a smart terminal, characterized in that, Secure communication is achieved through dynamic key negotiation and encryption algorithms. The method includes the following operations: After the smart terminal and the receiving device establish a Bluetooth connection, a temporary session key is generated; Access the hardware security module built into the smart terminal to obtain the pre-stored root key; The root key and the temporary session key are taken as input and processed by the key derivation function to generate the session encryption key; Using the session encryption key, a symmetric encryption algorithm is employed to encrypt the data to be transmitted; The hash value of the transmitted data is calculated based on the hash function, and the hash value is used as the data integrity check code; The encrypted data is encapsulated together with the integrity check code and sent to the receiving device via the Bluetooth protocol stack. The process of generating a temporary session key includes the following detailed steps: Call the random number generator service provided by the smart terminal operating system to generate a cryptographically secure random number; Read the system clock of the smart terminal to obtain the current timestamp accurate to milliseconds; Obtain the unique device identifier of the smart terminal; The random number, the timestamp, and the unique device identifier are concatenated and combined. The concatenated data is processed using a hash function, and the fixed-length output is used as the temporary session key for this Bluetooth session.

2. The Bluetooth data transmission encryption method based on a smart terminal according to claim 1, characterized in that, Accessing the hardware security module built into the smart terminal to obtain the pre-stored root key includes the following detailed steps: Applications on smart terminals call the secure application programming interface provided by the hardware security module; The hardware security module verifies the digital signature of the calling application to ensure that it is a trusted application; After successful verification, the hardware security module reads the pre-stored root key from its protected storage area; The root key is injected into the hardware security module through a secure process during the manufacturing stage of the smart terminal. The hardware security module is a trusted execution environment or a secure element. The access and use of the root key are always protected by the hardware security module and will not be exposed to the ordinary execution environment.

3. The Bluetooth data transmission encryption method based on a smart terminal according to claim 1, characterized in that, The process of generating the session encryption key through the key derivation function includes the following detailed steps: Use the root key as the master key input for the key derivation function; Use the temporary session key as the salt value input for the key derivation function; Set the iteration count parameter of the key derivation function, which is dynamically determined according to the security level of the smart terminal; Execute the key derivation function's operation flow to generate output data of a specified length; Extract the desired byte sequence from the output data to serve as the final session encryption key.

4. The Bluetooth data transmission encryption method based on a smart terminal according to claim 1, characterized in that, The process of encrypting the data to be transmitted using the session encryption key and a symmetric encryption algorithm includes the following detailed steps: The Advanced Encryption Standard (AES) algorithm was selected as the symmetric encryption algorithm, and the cryptographic block chain mode was determined as the operating mode. The initial vector required for the cryptographic block chain pattern is derived from the temporary session key; The data to be transmitted is padded according to the block size of the encryption algorithm to meet the block alignment requirements; Using the session encryption key and the initial vector, the padded data block is iteratively encrypted according to the rules of the cryptographic block chain pattern; All encrypted data blocks are combined sequentially to form the final encrypted data.

5. The Bluetooth data transmission encryption method based on a smart terminal according to claim 1, characterized in that, The step of calculating the hash value of the transmitted data based on the hash function and using the hash value as the data integrity check code includes the following steps: Select a specific version of the secure hash algorithm family as the hash function, and input the original data to be transmitted into the hash function for calculation; The hash function is iteratively compressed to process the data through multiple rounds of transformation, generating a fixed-length hash value of 256 bits. This hash value is then used as an integrity check code and associated with the encrypted data for storage.

6. The Bluetooth data transmission encryption method based on a smart terminal according to claim 1, characterized in that, The step of encapsulating the encrypted data together with the integrity check code and sending it to the receiving device via the Bluetooth protocol stack includes the following steps: Encapsulate the encrypted data and integrity check code according to the format defined by the Bluetooth Low Energy attribute protocol; Add the necessary header information to the data packet, including the service identifier, feature handle, and data packet sequence number; Submit the encapsulated data packet to the data link layer of the Bluetooth protocol stack; The data link layer segments data packets into data frames that conform to the Bluetooth core specification size; Data frames are sent to the receiving device via the Bluetooth physical channel.

7. The Bluetooth data transmission encryption method based on a smart terminal according to claim 1, characterized in that, The process of calling the random number generator service provided by the smart terminal operating system to generate a cryptographically secure random number includes the following detailed steps: Applications on smart terminals trigger random number generation requests through system call interfaces; The operating system kernel accesses the hardware random number generator to collect raw random data from physical entropy sources, including temperature sensor noise or system clock jitter. The collected raw random data is preprocessed, and the bias is eliminated by a debiasing algorithm to generate entropy pool data; Input the entropy pool data into the pseudo-random number generator, perform multiple rounds of permutation and obfuscation operations, and output a random number sequence that meets cryptographic security standards.

8. The Bluetooth data transmission encryption method based on a smart terminal according to claim 3, characterized in that, Setting the iteration count parameter of the key derivation function, which is dynamically determined based on the security level of the smart terminal, includes the following detailed steps: Query the security policy configuration file of the smart terminal and read the current security level identifier; The basic iteration count value is obtained by retrieving the preset iteration count mapping table based on the security level identifier; Monitor the real-time system resource status of smart terminals, including CPU utilization and memory usage, and computing resource adjustment factors; Multiply the base iteration count by the resource adjustment factor to obtain the dynamic iteration count parameter, and then pass it to the key derivation function.

9. The Bluetooth data transmission encryption method based on a smart terminal according to claim 6, characterized in that, Submitting the encapsulated data packet to the data link layer of the Bluetooth protocol stack includes the following detailed steps: The data link layer parses the packet header information and extracts the service identifier and feature handle; Add a link-layer frame header to the data packet, including the destination address and source address fields; Calculate the frame check sequence of the data packet and generate error detection codes using the cyclic redundancy check algorithm; The data packet is divided into multiple data frames that conform to the Bluetooth Low Energy Protocol Maximum Transmission Unit Size, and a sequence number is assigned to each data frame.