CN106487761B - Message transmission method and network equipment - Google Patents

Publication number
CN106487761B
Authority
CN
China
Prior art keywords
terminal
message
user group
terminals
network device
Legal status
Active
Application number
CN201510543931.0A
Other languages
Chinese (zh)
Other versions
CN106487761A (en)
Inventor
倪龙宇
Current Assignee
Huawei Device Co Ltd
Original Assignee
Huawei Device Co Ltd
Events
Application filed by Huawei Device Co Ltd
Priority to CN201510543931.0A
Publication of CN106487761A
Application granted
Publication of CN106487761B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Abstract

The embodiment of the invention relates to the technical field of communication, in particular to a message transmission method and network equipment, which are used for improving the security of information transmission among the terminals in a user group. In the embodiment of the invention, the network device decrypts the first message using its own decryption key to obtain the original message, determines the N second terminals and the encryption key of each second terminal from the first user group to which the first terminal belongs, encrypts the original message with the encryption key of each second terminal, and sends each encrypted copy to the corresponding second terminal. At least two second terminals in the first user group correspond to different encryption keys. Therefore, even if one second terminal reveals its decryption key, a counterfeiter cannot decrypt the messages of the other terminals from the revealed key, and the security of information transmission is improved.

Description

Message transmission method and network equipment
Technical Field
The embodiment of the invention relates to the technical field of communication, in particular to a message transmission method and network equipment.
Background
With the continuous development of communication technology, the modern society has already stepped into the information-oriented era, more and more information is transmitted and shared through the network, and the information security problem comes with it. In order to solve this problem, asymmetric encryption is generally used in the prior art to improve the security of information transmission.
In peer-to-peer communication, for example when short messages or instant messages are sent between two terminals, the sending end generally encrypts the original message using the public key of the receiving end and sends the encrypted message to the receiving end, and the receiving end decrypts the received message using its private key to obtain the original message. In this process the public key of the receiving end can be disclosed so that other terminals can use it for encryption, while the private key is stored only on the receiving end and is used to decrypt received information encrypted with the public key, which improves the security of the transmission.
In order to further realize convenience of information sharing, user groups can be established among the terminals, one user group can comprise the terminals, and any terminal in the user group can share information to all terminals in the user group. In the prior art, in order to improve the security of information transmission between terminals of a user group, only one set of public key and private key is set for all terminals in the user group, the public key is used for encryption when information is transmitted between the terminals in the user group, and other terminals in the user group can use the private key to decrypt received information.
In the above scheme, only one pair of public key and private key is set for all terminals in the user group, so every terminal in the group decrypts received information with the same private key. Once the private key of any one terminal in the group is leaked, a counterfeiter can receive and decrypt the information of the user group under the identity of any terminal in the group, so the security of information transmission is low.
Disclosure of Invention
The embodiment of the invention provides a message transmission method and network equipment, which are used for improving the security of information transmission among the terminals in a user group.
In a first aspect, a message transmission method is provided, including:
the network equipment receives a first message sent by a first terminal, wherein the first message is obtained by encrypting an original message by the first terminal by using an encryption key of the network equipment;
the network equipment decrypts the first message by using the decryption key of the network equipment to obtain an original message;
the network equipment determines N second terminals to receive the first message, wherein the first terminal and the N second terminals belong to a first user group, and at least two second terminals in the N second terminals respectively correspond to different encryption keys;
the network equipment acquires N encryption keys respectively corresponding to N second terminals in a first user group;
the network equipment encrypts the original message by using the acquired N encryption keys respectively to obtain N second messages;
the network equipment respectively sends the N second messages to the corresponding N second terminals;
N is greater than or equal to 2.
With reference to the first aspect, in a first possible implementation manner of the first aspect, the determining, by the network device, N second terminals to receive the first message specifically includes:
the network equipment determines a first user group to which the first terminal belongs according to the identifier of the first user group to which the first terminal belongs, wherein the identifier is carried in the first message;
the network equipment determines other terminals except the first terminal in all the terminals included in the determined first user group as N second terminals to receive the first message sent by the first terminal.
With reference to the first aspect, in a second possible implementation manner of the first aspect, the determining, by the network device, N second terminals to receive the first message specifically includes:
the network equipment determines a first user group to which the first terminal belongs according to the identifier of the first user group to which the first terminal belongs, wherein the identifier is carried in the first message;
and the network equipment determines, from the determined first user group, the N second terminals respectively corresponding to N terminal identifiers carried in the first message, the N terminal identifiers identifying the terminals that are to receive the first message.
With reference to the second possible implementation manner of the first aspect, in a third possible implementation manner of the first aspect, the method further includes:
the network equipment determines a third terminal in the first user group; the third terminal is other terminals except the first terminal and the N second terminals in the first user group; the network device encrypts the obtained original message by using an encryption key different from an encryption key corresponding to the third terminal to obtain a third message, and sends the third message to the third terminal.
With reference to any one possible implementation manner of the first aspect to the third possible implementation manner of the first aspect, in a fourth possible implementation manner of the first aspect, the acquiring, by the network device, N encryption keys respectively corresponding to N second terminals in the first user group includes:
the network equipment generates an encryption key corresponding to each second terminal in the first user group according to the identifier of each second terminal;
before the network device sends the N second messages to the corresponding N second terminals, the method further includes:
the network equipment generates a decryption key corresponding to each second terminal according to the identifier of each second terminal, and
and respectively sending the generated decryption keys to the corresponding second terminals.
With reference to any one possible implementation manner of the first aspect to the fourth possible implementation manner of the first aspect, in a fifth possible implementation manner of the first aspect, before the network device receives the first message sent by the first terminal, the method further includes:
the network equipment acquires an encryption key of the network equipment and a decryption key of the network equipment;
the network device sends the encryption key of the network device to the first terminal, and the encryption key is used for the first terminal to encrypt the original message to obtain a first message.
With reference to any one of the possible implementation manners of the first aspect to the fifth possible implementation manner of the first aspect, in a sixth possible implementation manner of the first aspect, the first user group includes a fourth terminal, the fourth terminal further belongs to the second user group, and an encryption key of the fourth terminal in the first user group is the same as an encryption key of the fourth terminal in the second user group;
the fourth terminal is any one of all terminals included in the first user group.
In a second aspect, a network device is provided, including:
a receiving unit, configured to receive a first message sent by a first terminal, where the first message is obtained by the first terminal encrypting an original message using an encryption key of a network device;
the decryption unit is used for decrypting the first message by using a decryption key of the network equipment to obtain an original message;
a determining unit, configured to determine N second terminals to receive the first message; the first terminal and the N second terminals belong to a first user group, and at least two second terminals in the N second terminals respectively correspond to different encryption keys; N is greater than or equal to 2;
the processing unit is used for acquiring N encryption keys respectively corresponding to N second terminals in the first user group, and encrypting the original message by using the acquired N encryption keys respectively to obtain N second messages;
and the sending unit is used for sending the N second messages to the corresponding N second terminals respectively.
With reference to the second aspect, in a first possible implementation manner of the second aspect, when determining N second terminals to receive the first message, the determining unit is specifically configured to:
determining a first user group to which the first terminal belongs according to the identifier of the first user group to which the first terminal belongs, wherein the identifier is carried in the first message;
and determining other terminals except the first terminal in all the terminals included in the determined first user group as N second terminals to receive the first message sent by the first terminal.
With reference to the second aspect, in a second possible implementation manner of the second aspect, when determining N second terminals to receive the first message, the determining unit is specifically configured to:
determining a first user group to which the first terminal belongs according to the identifier of the first user group to which the first terminal belongs, wherein the identifier is carried in the first message;
and determining, from the determined first user group, the N second terminals respectively corresponding to N terminal identifiers carried in the first message, the N terminal identifiers identifying the terminals that are to receive the first message.
With reference to the second possible implementation manner of the second aspect, in a third possible implementation manner of the second aspect, the determining unit is further configured to:
determining a third terminal in the first user group; the third terminal is other terminals except the first terminal and the N second terminals in the first user group;
a processing unit further to:
encrypting the obtained original message by using an encryption key different from an encryption key corresponding to the third terminal to obtain a third message;
a sending unit, further configured to:
and sending the third message to the third terminal.
With reference to any one possible implementation manner of the second aspect to the third possible implementation manner of the second aspect, in a fourth possible implementation manner of the second aspect, when the processing unit acquires N encryption keys respectively corresponding to the N second terminals in the first user group, the processing unit is specifically configured to:
generating an encryption key corresponding to each second terminal in the first user group according to the identifier of each second terminal;
generating a decryption key corresponding to each second terminal according to the identifier of each second terminal;
a sending unit, further configured to:
and respectively sending the generated decryption keys to the corresponding second terminals.
With reference to any one possible implementation manner of the second aspect to the fourth possible implementation manner of the second aspect, in a fifth possible implementation manner of the second aspect, the processing unit is further configured to:
before the receiving unit receives a first message sent by a first terminal, acquiring an encryption key of network equipment and a decryption key of the network equipment;
a sending unit, further configured to:
and sending the encryption key of the network equipment to the first terminal, wherein the encryption key is used for encrypting the original message by the first terminal to obtain a first message.
With reference to any one of the second aspect to the fifth possible implementation manner of the second aspect, in a sixth possible implementation manner of the second aspect, the first user group includes a fourth terminal, the fourth terminal further belongs to the second user group, and an encryption key of the fourth terminal in the first user group is the same as an encryption key of the fourth terminal in the second user group;
the fourth terminal is any one of all terminals included in the first user group.
In a third aspect, a network device is provided, including:
the receiver is used for receiving a first message sent by a first terminal, wherein the first message is obtained by encrypting an original message by the first terminal by using an encryption key of network equipment;
the processor is used for decrypting the first message by using a decryption key of the network equipment to obtain an original message, determining N second terminals to receive the first message, obtaining N encryption keys corresponding to the N second terminals in the first user group respectively, and encrypting the original message by using the obtained N encryption keys to obtain N second messages; the first terminal and the N second terminals belong to a first user group, and at least two second terminals in the N second terminals respectively correspond to different encryption keys; N is greater than or equal to 2;
and the transmitter is used for respectively transmitting the N second messages to the corresponding N second terminals.
With reference to the third aspect, in a first possible implementation manner of the third aspect, when determining N second terminals to receive the first message, the processor is specifically configured to:
determining a first user group to which the first terminal belongs according to the identifier of the first user group to which the first terminal belongs, wherein the identifier is carried in the first message;
and determining other terminals except the first terminal in all the terminals included in the determined first user group as N second terminals to receive the first message sent by the first terminal.
With reference to the third aspect, in a second possible implementation manner of the third aspect, when determining N second terminals to receive the first message, the processor is specifically configured to:
determining a first user group to which the first terminal belongs according to the identifier of the first user group to which the first terminal belongs, wherein the identifier is carried in the first message;
and determining, from the determined first user group, the N second terminals respectively corresponding to N terminal identifiers carried in the first message, the N terminal identifiers identifying the terminals that are to receive the first message.
With reference to the second possible implementation manner of the third aspect, in a third possible implementation manner of the third aspect, the processor is further configured to:
determining a third terminal in the first user group; the third terminal is other terminals except the first terminal and the N second terminals in the first user group;
encrypting the obtained original message by using an encryption key different from an encryption key corresponding to the third terminal to obtain a third message;
a transmitter, further configured to:
and sending the third message to the third terminal.
With reference to any one of the third aspect to the third possible implementation manner of the third aspect, in a fourth possible implementation manner of the third aspect, when the processor acquires N encryption keys respectively corresponding to the N second terminals in the first user group, the processor is specifically configured to:
generating an encryption key corresponding to each second terminal in the first user group according to the identifier of each second terminal;
generating a decryption key corresponding to each second terminal according to the identifier of each second terminal;
a transmitter, further configured to:
and respectively sending the generated decryption keys to the corresponding second terminals.
With reference to any one possible implementation manner of the third aspect to the fourth possible implementation manner of the third aspect, in a fifth possible implementation manner of the third aspect, the processor is further configured to:
before the receiver receives a first message sent by a first terminal, acquiring an encryption key of network equipment and a decryption key of the network equipment;
a transmitter, further configured to:
and sending the encryption key of the network equipment to the first terminal, wherein the encryption key is used for encrypting the original message by the first terminal to obtain a first message.
With reference to any one of the third to fifth possible implementation manners of the third aspect, in a sixth possible implementation manner of the third aspect, the first user group includes a fourth terminal, the fourth terminal also belongs to the second user group, and an encryption key of the fourth terminal in the first user group is the same as an encryption key of the fourth terminal in the second user group; wherein the fourth terminal is any one of all terminals included in the first user group.
In the embodiment of the present invention, the network device decrypts the first message using its own decryption key to obtain the original message, determines the N second terminals and the encryption key of each second terminal from the first user group to which the first terminal belongs, encrypts the original message using the encryption key of each second terminal, and sends each encrypted copy to the corresponding second terminal, which decrypts it using its own decryption key. Because the encryption keys corresponding to at least two second terminals in the first user group are different, the decryption keys corresponding to those second terminals are also different. Therefore, even if one second terminal reveals its decryption key, a counterfeiter cannot decrypt the messages of the other terminals from the revealed key, and the security of information transmission is improved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained based on these drawings without inventive efforts.
Fig. 1 is a schematic diagram of a system architecture for message transmission according to an embodiment of the present invention;
fig. 2a is a schematic diagram of a method for transmitting a message implemented by a network device according to an embodiment of the present invention;
fig. 2b is a schematic diagram of another message transmission method implemented by the network device side according to the embodiment of the present invention;
fig. 3 is a schematic structural diagram of a network device according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of another network device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more clearly apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
As shown in fig. 1, a system architecture diagram applicable to the embodiment of the present invention is shown. The system architecture includes a network device 101, and the network device 101 is connected to a plurality of terminals through a network 109. The system architecture further comprises at least one user group, each user group may comprise at least two terminals. Each terminal may belong to a number of different user groups. For example, as shown in fig. 1, a system architecture applicable to the embodiment of the present invention includes a first user group 102 and a second user group 103, where the first user group 102 includes a terminal 104, a terminal 105, and a terminal 106, and the second user group 103 includes a terminal 104, a terminal 105, a terminal 107, and a terminal 108. The terminal 104 and the terminal 105 belong to both the first user group 102 and the second user group 103.
The network device stores the correspondence between user groups and terminal identifiers. From this correspondence, the network device can determine the user group to which any terminal belongs and can also determine all terminals included in any user group. Any terminal can share information with any user group to which it belongs, that is, it can send the information to all other terminals included in that user group, or to a part of them, which speeds up information sharing.
The user group may be created in a variety of ways. For example, a creator of a user group may send a request for creating the user group to the network device, where the request for creating carries an identifier of each terminal in the user group, and the network device may create the user group according to the request for creating the user group. Later maintenance of the user group and increase and decrease of terminals in the user group belong to the prior art, and are not described herein.
The terminals such as the terminal 104, the terminal 105, the terminal 106, the terminal 107, and the terminal 108 may be communication terminals such as a mobile phone terminal, a PC terminal, and a tablet terminal.
Based on the system architecture shown in fig. 1, fig. 2a shows a message transmission method implemented by a network device side according to an embodiment of the present invention, which includes the following steps:
step 201, a network device receives a first message sent by a first terminal, where the first message is obtained after the first terminal encrypts an original message by using an encryption key of the network device; the original message is the unencrypted message that the first terminal has obtained and needs to send, and may include the specific communication content between the first terminal and other terminals, such as short message content and instant message content;
step 202, the network device decrypts the first message by using the decryption key of the network device to obtain the original message;
step 203, the network device determines N second terminals to receive the first message, where the first terminal and the N second terminals belong to a first user group, and at least two of the N second terminals have different encryption keys corresponding to the respective second terminals; n is greater than or equal to 2;
step 204, the network device obtains N encryption keys respectively corresponding to the N second terminals in the first user group;
step 205, the network device encrypts the original message by using the obtained N encryption keys, respectively, to obtain N second messages;
in step 206, the network device sends the N second messages to the corresponding N second terminals, respectively.
To describe the above flow more clearly, fig. 2b shows a schematic flow chart of a message transmission method implemented by the network device side according to an embodiment of the present invention, and as shown in fig. 2b, the first user group 302 includes a first terminal 303, and N second terminals, which are a second terminal 304, second terminals 305, …, and a second terminal 306, respectively. The first terminal 303 obtains an original message, encrypts the original message by using an encryption key of the network device to obtain a first message, and the first terminal 303 sends the first message to the network device 301.
The network device 301 receives the first message sent by the first terminal 303, where the first message carries an identifier of the first user group to which the first terminal belongs; the network device decrypts the first message by using its decryption key to obtain the original message, and determines the first user group to which the first terminal belongs according to the identifier of the first user group. The network device 301 determines the N second terminals to receive the first message from all terminals included in the first user group, where the first terminal and the N second terminals belong to the first user group, and at least two second terminals in the first user group have different corresponding encryption keys. As shown in fig. 2b, among the second terminal 304, the second terminal 305, …, and the second terminal 306, the encryption key of the second terminal 304 is different from the encryption key of the second terminal 305. In a preferred embodiment, the encryption keys of any two terminals in the first user group are different, so as to improve the security of information transmission.
The network device 301 obtains the N encryption keys corresponding to the N second terminals in the first user group, encrypts the original message using each of the obtained N encryption keys to obtain N second messages, and sends the N second messages to the corresponding N second terminals. Specifically, the network device 301 obtains the encryption key of the second terminal 304, the encryption key of the second terminal 305, …, and the encryption key of the second terminal 306 in the first user group. It encrypts the original message using the encryption key of the second terminal 304 to obtain the second message 1 and sends it to the second terminal 304, which decrypts the second message 1 using its own decryption key to obtain the original message. It encrypts the original message using the encryption key of the second terminal 305 to obtain the second message 2 and sends it to the second terminal 305, which decrypts the second message 2 using its own decryption key to obtain the original message. It encrypts the original message using the encryption key of the second terminal 306 to obtain the second message N and sends it to the second terminal 306, which decrypts the second message N using its own decryption key to obtain the original message.
Because the encryption keys corresponding to at least two second terminals in the first user group are different, the decryption keys corresponding to those second terminals are also different. Therefore, even if one second terminal reveals its decryption key, a counterfeiter cannot decrypt the messages of other terminals from the revealed key, and the security of information transmission is improved.
The embodiment of the invention is suitable for the first terminal in the first user group to send the message to one or more second terminals included in the first user group, and the information sharing speed between the terminals in the first user group is improved.
The terms first terminal, second terminal, and third terminal in the embodiment of the present invention are used only to distinguish different terminals in the first user group. The first terminal may be any terminal in the first user group; the second terminal may be any terminal, other than the first terminal, in the first user group to which the first terminal belongs; and the third terminal may be any terminal in the first user group other than the first terminal and the second terminals. The first user group in the embodiment of the present invention includes a fourth terminal, which is any one of the terminals included in the first user group; for example, the fourth terminal may be the first terminal or the second terminal.
Preferably, the fourth terminal in the embodiment also belongs to a second user group; in particular, it may belong to one second user group or to several. In a specific implementation, each user group to which the fourth terminal belongs corresponds to one encryption key and one decryption key of the fourth terminal, and when the encryption keys of the fourth terminal in different user groups differ, its decryption keys in those user groups differ as well. One implementation is that the encryption keys of the fourth terminal in any two of the user groups to which it belongs (the first user group and all of its second user groups) are different. To make the keys easier to manage and to reduce their number, the encryption key of the fourth terminal in the first user group may instead be the same as its encryption key in at least one second user group; alternatively, in a preferred implementation, the encryption key of the fourth terminal in the first user group is the same as its encryption key in every second user group. The trade-off is that a key shared across user groups, if leaked, exposes the fourth terminal's messages in every user group that shares it, whereas keys that differ per user group confine the damage to one group.
For example, the fourth terminal belongs to user group A, user group B and user group C at the same time. In one case, the encryption keys of the fourth terminal in user group A, in user group B and in user group C are pairwise different, and then its decryption keys in user group A, user group B and user group C are pairwise different as well. In another case, the encryption key of the fourth terminal in user group A is the same as its encryption key in user group B but different from its encryption key in user group C; accordingly, its decryption key in user group A is the same as its decryption key in user group B but different from its decryption key in user group C. In the preferred case, the encryption keys of the fourth terminal in user group A, user group B and user group C are all the same, and then its decryption keys in the three user groups are all the same.
In the embodiment of the present invention, the keys of the network device, the first terminal or the second terminal may be asymmetric keys, symmetric keys, or keys of another form.
When the keys are asymmetric, the encryption key of the network device and of any terminal in the user group is a public key, and the corresponding decryption key is a private key. In this form the encryption key does not need to be kept secret and can be distributed openly; only the holder of the private key can decrypt, so even if the information is intercepted by a third party during transmission, the risk of its content leaking is very low, and the security level is higher.
When the keys are symmetric, the encryption key and the decryption key of the network device are the same key, and the encryption key and the decryption key of any terminal in the user group are likewise the same key. This form also meets the basic privacy requirement for information transmission within the user group, but the single key must itself be delivered confidentially to the party that encrypts, so if that key is intercepted by a third party during distribution the content of the information can be read; the risk of leakage is therefore higher and the security level lower.
Before the first terminal encrypts the original message with the encryption key of the network device in step 201, the first terminal may obtain that encryption key in several ways; the embodiment of the present invention provides the optional implementations way a1, way a2, way a3 and way a4:
Way a1: the network device and the first terminal establish the encryption key and decryption key of the network device by negotiation before the session. The first terminal then stores the encryption key of the network device in its storage device and, when it needs to encrypt the original message, retrieves the pre-stored encryption key from there. The network device stores its decryption key in its own storage device and, on receiving the first message, retrieves that decryption key to decrypt it.
Way a2: the network device assigns itself an encryption key and a decryption key. After obtaining them, the network device stores its decryption key in its storage device so that it can decrypt the received first message. It sends its encryption key to the first terminal in advance as a notification, or sends it in response to a request message from the first terminal, so that the first terminal can encrypt the original message to obtain the first message.
Way a3: a key generation device allocates an encryption key and a decryption key to the network device. The key generation device sends the decryption key to the network device, either unprompted or after receiving a request message from the network device, so that the network device can decrypt the received first message. It sends the encryption key of the network device to the first terminal in advance as a notification, or after receiving a request message from the first terminal, so that the first terminal can encrypt the original message to obtain the first message.
Way a4: the network device or another key generation device generates the decryption key of the network device from the identifier of the network device according to a preset algorithm rule, and the network device, another key generation device or the first terminal generates the encryption key of the network device from the same identifier according to a preset algorithm rule. The preset algorithm rule may be defined freely, provided that different network device identifiers yield different encryption keys and different decryption keys. The key generation device or the network device may generate the encryption key and decryption key of the network device from its identifier in advance, store the decryption key in the network device and send the encryption key to the first terminal, which stores it. When the first terminal needs to encrypt the original message, it either retrieves the pre-stored encryption key of the network device from its storage device or generates it from the identifier of the network device according to the preset algorithm rule at the time it sends the first message.
In step 204, the network device may obtain the encryption key corresponding to each second terminal in several ways; the embodiment of the present invention provides the optional implementations way b1, way b2, way b3, way b4 and way b5:
Way b1: the network device establishes the encryption key and decryption key of each second terminal with that terminal by negotiation before the session. The network device may then store the encryption key of each second terminal in its storage device so that it can encrypt the original message with that key, and each second terminal pre-stores its own decryption key so that it can decrypt the second message it receives.
Way b2: the network device assigns an encryption key and a decryption key to each second terminal. The network device may store the encryption key of each second terminal in its storage device so that it can encrypt the original message with that key. It may send each second terminal its decryption key in advance as a notification, or send the decryption key together with the second message; or the second terminal may request its decryption key from the network device, before or after receiving the second message, so that it can decrypt the second message.
Way b3: a key generation device assigns an encryption key and a decryption key to each second terminal. The key generation device may send the encryption key of each second terminal to the network device in advance as a notification, or the network device may request it from the key generation device; the network device then stores the encryption key of each second terminal so that it can encrypt the original message with it. The key generation device may send each second terminal its decryption key in advance as a notification, or the second terminal may request its decryption key from the key generation device, before or after receiving the second message, so that it can decrypt the second message.
Way b4: the network device generates the encryption key of each second terminal from the identifier of that terminal according to a preset algorithm rule, and the network device or the second terminal generates the decryption key of the second terminal from the same identifier according to a preset algorithm rule. The preset algorithm rule may be defined freely, provided that different second terminal identifiers yield different encryption keys and different decryption keys. Specifically, the network device may generate and store the encryption key of each second terminal in advance, or generate it from the identifier only after it has determined the N second terminals that are to receive the first message, and then encrypt the original message with it. For the decryption keys, the network device generates the decryption key of each second terminal from its identifier and sends it to that terminal, or the second terminal requests from the network device, before or after receiving the second message, the decryption key that the network device generated from the terminal's identifier, so that the second terminal can decrypt the second message.
Another implementation is that the second terminal itself generates its decryption key from its identifier, before or after receiving the second message, and uses it to decrypt the second message. Since an identifier is public, a derivation that a second terminal can run on its own must incorporate a secret held by that terminal (or performed on its behalf by a trusted key generation device); otherwise any party that knows the identifier could compute the decryption key.
Way b5: a key generation device generates the encryption key and decryption key of each second terminal from the identifier of that terminal according to a preset algorithm rule. Specifically, the key generation device may generate the encryption key of each second terminal in advance and send it to the network device as a notification, which the network device stores, or the network device may request the encryption key of each second terminal from the key generation device; the network device then encrypts the original message with it. For the decryption keys, the key generation device generates the decryption key of each second terminal from its identifier and sends it to that terminal, or the second terminal requests its decryption key, generated by the key generation device from the terminal's identifier, from the key generation device before or after receiving the second message, so that it can decrypt the second message.
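Ways a4, b4 and b5 derive keys from identifiers with a "preset algorithm rule" that the patent leaves open, and the discussion of the fourth terminal leaves open whether one terminal's key is scoped to a single user group or shared across groups. The following is an added example, not the patent's own rule and not Huawei code, of one concrete rule for the symmetric case: HMAC-SHA256 keyed with a master secret that stays inside the key generation device, with the group identifier folded in (group-scoped key) or left out (one key shared across groups). `KeyDeriver`, `TerminalKey`, `SharedKey`, `DeviceKey` and `AllDistinct` are hypothetical names, and the master secret in `main` is a constructed string.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// KeyDeriver stands in for the key generation device (or network device) of
// ways a4, b4 and b5: it keeps one master secret and derives every key from
// it, so nothing per terminal has to be stored, only the identifiers. The
// master secret must stay inside that device; a terminal that could run this
// derivation itself could derive every other terminal's key as well.
type KeyDeriver struct{ master []byte }

// derive is the "preset algorithm rule" assumed here: HMAC-SHA256 keyed with
// the master secret over length-prefixed parts. The length prefix keeps
// ("00", "3B") and ("003", "B") from producing the same input bytes.
func (d KeyDeriver) derive(parts ...string) []byte {
	mac := hmac.New(sha256.New, d.master)
	for _, p := range parts {
		if len(p) > 255 {
			panic("identifier longer than 255 bytes")
		}
		mac.Write([]byte{byte(len(p))})
		mac.Write([]byte(p))
	}
	return mac.Sum(nil) // 32 bytes, usable directly as an AES-256 key
}

// TerminalKey is the key of terminal terminalID inside group groupID. Because
// the group identifier is part of the input, the same terminal gets a
// different key in each of its groups (the first option for the fourth terminal).
func (d KeyDeriver) TerminalKey(groupID, terminalID string) []byte {
	return d.derive("terminal-key", groupID, terminalID)
}

// SharedKey is the alternative where one key of a terminal is reused in all of
// its groups (the "preferred" manageability option): the group is left out, so
// a leak of this key exposes the terminal's messages in every group.
func (d KeyDeriver) SharedKey(terminalID string) []byte {
	return d.derive("shared-terminal-key", terminalID)
}

// DeviceKey is the symmetric key of the network device itself (way a4).
func (d KeyDeriver) DeviceKey(deviceID string) []byte {
	return d.derive("device-key", deviceID)
}

// AllDistinct reports whether no two of the given keys are equal.
func AllDistinct(keys ...[]byte) bool {
	for i := range keys {
		for j := i + 1; j < len(keys); j++ {
			if bytes.Equal(keys[i], keys[j]) {
				return false
			}
		}
	}
	return true
}

func main() {
	// Constructed master secret for the demo; in practice use 32 random bytes.
	kg := KeyDeriver{master: []byte("constructed master secret, demo only")}
	for _, t := range []string{"A", "B", "C", "D"} {
		fmt.Printf("group 003, terminal %s: %s\n", t, hex.EncodeToString(kg.TerminalKey("003", t)))
	}
	fmt.Println("B's keys in groups 003 and 004 differ:", AllDistinct(kg.TerminalKey("003", "B"), kg.TerminalKey("004", "B")))
	fmt.Println("B's shared key:", hex.EncodeToString(kg.SharedKey("B")))
}
```

The labels ("terminal-key", "device-key") are domain separation, so a terminal identifier that happens to equal a device identifier still yields an unrelated key. The example deliberately gives terminals no way to derive their own keys: for symmetric keys the variant of way b4 in which the second terminal computes its own decryption key would require the master secret on the terminal, which is exactly what must not leave the key generation device. The usual way to let a terminal hold only its own key while keys are still tied to identifiers is an asymmetric identity-based scheme, which this example does not implement.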
Further, in the embodiment, when the first terminal encrypts the original message with the encryption key of the network device to obtain the first message, the first message carries encryption indication information from which the network device determines that the message is encrypted, so that it decrypts the received first message with its decryption key. Similarly, when the network device encrypts the original message with the encryption key of a second terminal to obtain the second message, the second message carries encryption indication information from which the second terminal determines that the message is encrypted, so that it decrypts the received second message with its decryption key.
In another implementation, the encryption indication information also indicates the user group to which the encryption key used for the second message belongs. For example, when the second terminal belongs to both the first user group and a second user group and its encryption key in the first user group differs from its encryption key in the second user group, the encryption indication information in the second message indicates that the network device encrypted the original message with the encryption key of the second terminal in the first user group, so that the second terminal decrypts with its decryption key for the first user group.
The encryption indication information may take many forms, of which only a few are named here: an encryption identification header added to the message, an integrity check identifier for the encrypted content added to the message, a marker that the payload is ciphertext, or another type of identifier added to the message. Because this indication travels in the clear, it should be covered by the integrity check of the message, so that a third party cannot alter which group's key the receiver selects.
In the embodiment, the first terminal may share the original message with all other terminals in the first user group or with only some of them; a specific implementation may be any of the following ways c1 to c3:
Way c1: the first terminal shares the original message with all terminals in the first user group other than itself, that is, every terminal in the first user group except the first terminal is a second terminal, and each second terminal receives a second message and correctly decrypts the original message from it.
Specifically, the first message carries the identifier of the first user group to which the first terminal belongs; the network device determines the first user group from that identifier and treats all terminals in that group other than the first terminal as the N second terminals that are to receive the first message. In this case the first user group consists of one first terminal and N second terminals. The network device further determines the encryption key corresponding to each of the N second terminals.
The network device decrypts the first message to obtain the original message, encrypts the original message with the encryption key of each second terminal and sends each encrypted message to the corresponding second terminal, and each second terminal decrypts it with its own decryption key to obtain the original message. Each second terminal stores its decryption key independently, and the encryption keys of at least two second terminals in the first user group are different. Therefore, even if one second terminal leaks its decryption key, an attacker holding that key cannot decrypt the messages sent to the other terminals, and the security of message transmission is improved.
An optional implementation is that the encryption keys of any two terminals in the first user group are different. As those skilled in the art will appreciate, when the encryption keys of different second terminals differ, their decryption keys differ as well.
Way c2: the first terminal shares the original message with only some of the second terminals in the first user group. The first message carries the identifier of the first user group to which the first terminal belongs and the identifiers of the N terminals that are to receive it. The network device determines the first user group from the group identifier carried in the first message, and determines the N second terminals corresponding to the N terminal identifiers carried in the first message from within that group.
Specifically, the first user group consists of a first terminal and M second terminals, where M is a positive integer greater than N. The network device determines, from the M second terminals of the first user group, the N second terminals corresponding to the N terminal identifiers carried in the first message. It decrypts the first message to obtain the original message, encrypts the original message with the encryption key of each of the N second terminals to obtain the second messages, and sends each second message to the corresponding second terminal, which decrypts it with its own decryption key to obtain the original message. In this way the first terminal shares the original message with only part of the terminals in the first user group. The network device should check that each of the N identifiers names a member of the first user group other than the first terminal, and reject any identifier that does not.
Way c3: as in way c2, the first user group includes M second terminals, the first message carries N terminal identifiers, and the network device determines the N second terminals corresponding to those identifiers among the M second terminals; the first user group then also contains (M-N) third terminals, that is, the terminals in the first user group other than the first terminal and the N second terminals. The network device determines the third terminals in the first user group, encrypts the original message with an encryption key different from the encryption key corresponding to the third terminal to obtain a third message, and sends the third message to the third terminal. The third message is such that the third terminal cannot successfully decrypt it with its own decryption key to obtain the original message. That is, when the first terminal shares the original message with only some terminals of the first user group (the second terminals), a third terminal in the first user group may receive a message but cannot correctly decrypt it and so cannot obtain the original message. Specifically, the encryption key different from that of the third terminal may be the encryption key of another terminal, for example the encryption key of any second terminal, or a special encryption key that has not been allocated and is not in use. An unallocated key that is never distributed is the simplest choice, since no terminal can ever decrypt a message sealed under it.
The following description will be made in detail with reference to a specific example:
the identifier of the first user group is 003, and the first user group includes four terminals, namely a terminal a, a terminal B, a terminal C and a terminal D.
Scene one
Terminal A acts as the first terminal and needs to share one original message with all other terminals in the first user group, that is, with terminal B, terminal C and terminal D, which act as the second terminals. Terminal A encrypts the original message with the encryption key of the network device to obtain a first message carrying the first user group identifier 003 and sends it to the network device. The network device receives the first message, decrypts it with its own decryption key to obtain the original message, and determines the other terminals B, C and D corresponding to the first user group identifier 003 together with the encryption keys of terminal B, terminal C and terminal D.
The network device encrypts the original message with the encryption key of terminal B to obtain a second message B and sends it to terminal B, which decrypts it with its own decryption key and obtains the original message; it encrypts the original message with the encryption key of terminal C to obtain a second message C and sends it to terminal C, which decrypts it with its own decryption key and obtains the original message; and it encrypts the original message with the encryption key of terminal D to obtain a second message D and sends it to terminal D, which decrypts it with its own decryption key and obtains the original message.
Scene two
Terminal A acts as the first terminal and needs to share an original message with the second terminals B and C in the first user group. Terminal A encrypts the original message with the encryption key of the network device to obtain a first message carrying the first user group identifier 003, the identifier of terminal B and the identifier of terminal C, and sends it to the network device. The network device receives the first message and decrypts it with its own decryption key to obtain the original message. From the first user group corresponding to the identifier 003 it determines terminal B and terminal C as the second terminals, together with their encryption keys. The network device encrypts the original message with the encryption key of terminal B to obtain a second message B and sends it to terminal B, which decrypts it with its own decryption key and obtains the original message; it encrypts the original message with the encryption key of terminal C to obtain a second message C and sends it to terminal C, which decrypts it with its own decryption key and obtains the original message. The network device sends no message to terminal D.
Scene three
Terminal A acts as the first terminal and needs to share an original message with the second terminals B and C in the first user group. Terminal A encrypts the original message with the encryption key of the network device to obtain a first message carrying the first user group identifier 003, the identifier of terminal B and the identifier of terminal C, and sends it to the network device. The network device receives the first message and decrypts it with its own decryption key to obtain the original message. From the first user group corresponding to the identifier 003 it determines terminal B and terminal C as the second terminals, together with their encryption keys. The network device encrypts the original message with the encryption key of terminal B to obtain a second message B and sends it to terminal B, which decrypts it with its own decryption key and obtains the original message; it encrypts the original message with the encryption key of terminal C to obtain a second message C and sends it to terminal C, which decrypts it with its own decryption key and obtains the original message.
The network device further determines terminal D, the terminal in the first user group 003 other than terminal A, terminal B and terminal C, as the third terminal. It obtains the encryption key of terminal D, encrypts the original message with an encryption key different from that of terminal D to obtain a third message, and sends the third message to terminal D. When terminal D tries to decrypt the received third message with its decryption key, it cannot recover the original message; terminal D thus receives a message but cannot read its content, and in the end the information is presented only to terminal B and terminal C.
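The three scenes above, worked through as an added example that is not part of the patent or Huawei's implementation. The patent fixes no cipher, message format or API, so this code assumes symmetric per-terminal keys with AES-256-GCM, a constructed group 003 of terminals A to D with random keys, and the hypothetical functions `seal`, `open`, `relay` and `runScene`. The encryption indication information (group identifier, sender, receivers) rides in the clear and is bound into the ciphertext as GCM additional data, which is the integrity check the text calls for:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strings"
)

// Message is a first, second or third message: an AES-GCM ciphertext plus the
// encryption indication information (group, sender, receivers) in the clear, bound
// in as GCM additional data so that altering any of them breaks decryption.
type Message struct {
	GroupID, Sender   string
	Receivers         []string // first message: the N receivers; empty = whole group (way c1)
	Nonce, Ciphertext []byte
}

func (m *Message) aad() []byte {
	return []byte(m.GroupID + "|" + m.Sender + "|" + strings.Join(m.Receivers, ","))
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcmFor(key []byte) cipher.AEAD { // keys are 32 bytes here, so AES-256-GCM
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length reaches this
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal encrypts plaintext into m under key with a fresh random nonce.
func seal(key []byte, m *Message, plaintext []byte) {
	g := gcmFor(key)
	m.Nonce = randomBytes(g.NonceSize())
	m.Ciphertext = g.Seal(nil, m.Nonce, plaintext, m.aad())
}

// open fails if key is wrong or any field of m was altered after sealing.
func open(key []byte, m *Message) ([]byte, error) {
	return gcmFor(key).Open(nil, m.Nonce, m.Ciphertext, m.aad())
}

// relay is the network device's part: decrypt the first message, pick the N second
// terminals (all other members for way c1, the listed ones for way c2) and re-encrypt
// the original message once per second terminal. With notifyThird (way c3) each
// remaining member gets a third message sealed under a fresh key nobody holds.
// groupKeys maps terminal id -> its key in this group. The device sees the plaintext,
// so it must be trusted; distinct per-terminal keys only limit what one leak exposes.
func relay(deviceKey []byte, groupKeys map[string][]byte, first Message, notifyThird bool) (map[string]Message, error) {
	plain, err := open(deviceKey, &first)
	if _, member := groupKeys[first.Sender]; err != nil || !member {
		return nil, fmt.Errorf("first message from %q rejected: wrong key or not a member (%v)", first.Sender, err)
	}
	second := map[string]bool{}
	for _, t := range first.Receivers {
		if _, ok := groupKeys[t]; !ok || t == first.Sender {
			return nil, fmt.Errorf("%q is not a valid second terminal", t)
		}
		second[t] = true
	}
	out := map[string]Message{}
	for t, key := range groupKeys {
		third := len(first.Receivers) > 0 && !second[t] // a member that must not read it
		if t == first.Sender || (third && !notifyThird) {
			continue
		}
		if third {
			key = randomBytes(32) // any key but t's own would do; a fresh one is simplest
		}
		m := Message{GroupID: first.GroupID, Sender: first.Sender, Receivers: []string{t}}
		seal(key, &m, plain)
		out[t] = m
	}
	return out, nil
}

// runScene builds group 003 (terminals A-D, distinct keys), lets A send "hello" to
// receivers (nil = whole group) and returns what each terminal recovers with its own
// key; a terminal that received a message it cannot decrypt maps to "".
func runScene(receivers []string, notifyThird bool) (map[string]string, error) {
	deviceKey := randomBytes(32)
	groupKeys := map[string][]byte{"A": randomBytes(32), "B": randomBytes(32), "C": randomBytes(32), "D": randomBytes(32)}
	first := Message{GroupID: "003", Sender: "A", Receivers: receivers}
	seal(deviceKey, &first, []byte("hello"))
	delivered, err := relay(deviceKey, groupKeys, first, notifyThird)
	got := map[string]string{}
	for t, m := range delivered {
		p, _ := open(groupKeys[t], &m) // nil, hence "", when t's key is not the one used
		got[t] = string(p)
	}
	return got, err
}

func main() {
	fmt.Println(runScene([]string{"B", "C"}, true)) // scene three: B and C read "hello", D gets ""
}
```

Two things the patent text does not spell out show up directly in the code. First, the network device necessarily holds the plaintext between the two encryptions, so the scheme protects the two hops, not the relay itself. Second, the membership check on `first.Sender` is not authentication: anyone holding the network device's encryption key (a public key in the asymmetric variant) can submit a first message in terminal A's name, so a deployment needs a separate sender-authentication step before the relay trusts the sender field.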
From the above it can be seen that the network device decrypts the first message with its own decryption key to obtain the original message, determines the N second terminals and the encryption key of each of them from the first user group to which the first terminal belongs, encrypts the original message with the encryption key of each second terminal and sends the result to that second terminal, so that each second terminal can decrypt the received message with its own decryption key. Because the encryption keys of at least two second terminals in the first user group are different, the decryption keys of those second terminals are also different. Therefore, even if one second terminal leaks its decryption key, an attacker holding that key cannot decrypt the messages sent to the other terminals, and the security of message transmission is improved.
Fig. 3 illustrates a schematic diagram of a network device structure.
Based on the same concept, an embodiment of the present invention provides a schematic structural diagram of a network device configured to execute the flow described above; as shown in fig. 3, the network device includes a receiving unit 401, a decryption unit 402, a determining unit 403, a processing unit 404 and a sending unit 405:
a receiving unit 401, configured to receive a first message sent by a first terminal, where the first message is obtained by the first terminal encrypting an original message using an encryption key of a network device;
a decryption unit 402, configured to decrypt the first message using a decryption key of the network device to obtain an original message;
a determining unit 403, configured to determine N second terminals to receive the first message; the first terminal and the N second terminals belong to a first user group, and at least two second terminals in the N second terminals respectively correspond to different encryption keys; n is greater than or equal to 2;
a processing unit 404, configured to obtain N encryption keys corresponding to the N second terminals in the first user group, and encrypt the original message using the obtained N encryption keys, respectively, to obtain N second messages;
a sending unit 405, configured to send the N second messages to the corresponding N second terminals respectively.
Preferably, when determining the N second terminals to receive the first message, the determining unit 403 is specifically configured to:
determining a first user group to which the first terminal belongs according to the identifier of the first user group to which the first terminal belongs, wherein the identifier is carried in the first message;
and determining other terminals except the first terminal in all the terminals included in the determined first user group as N second terminals to receive the first message sent by the first terminal.
Preferably, when determining the N second terminals to receive the first message, the determining unit 403 is specifically configured to:
determining a first user group to which the first terminal belongs according to the identifier of the first user group to which the first terminal belongs, wherein the identifier is carried in the first message;
and determining, from the determined first user group, the N second terminals respectively corresponding to N terminal identifiers carried in the first message, the N terminal identifiers identifying the terminals that are to receive the first message.
Preferably, the determining unit 403 is further configured to:
determining a third terminal in the first user group; the third terminal is other terminals except the first terminal and the N second terminals in the first user group;
the processing unit 404 is further configured to:
encrypting the obtained original message by using an encryption key different from an encryption key corresponding to the third terminal to obtain a third message;
the sending unit 405 is further configured to:
and sending the third message to the third terminal.
Preferably, when acquiring N encryption keys respectively corresponding to the N second terminals in the first user group, the processing unit 404 is specifically configured to:
generating an encryption key corresponding to each second terminal in the first user group according to the identifier of each second terminal;
generating a decryption key corresponding to each second terminal according to the identifier of each second terminal;
the sending unit 405 is further configured to:
and respectively sending the generated decryption keys to the corresponding second terminals.
Preferably, the processing unit 404 is further configured to:
before the receiving unit receives a first message sent by a first terminal, acquire an encryption key of the network device and a decryption key of the network device;
the sending unit 405 is further configured to:
send the encryption key of the network device to the first terminal, the encryption key being used by the first terminal to encrypt the original message to obtain the first message.
Preferably, the first user group includes a fourth terminal, the fourth terminal also belongs to the second user group, and the encryption key of the fourth terminal in the first user group is the same as the encryption key of the fourth terminal in the second user group;
the fourth terminal is any one of all terminals included in the first user group.
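The relay flow summarized above and broken out by unit for Fig. 3 (and restated in the claims), as an added example that is not part of the patent: a Python model of the network device that decrypts the first message under its own key, looks up the first user group from the identifier carried in the message, selects the N second terminals (the whole group minus the sender, or the terminal identifiers listed in the message), re-encrypts the original message under a key generated from each recipient's identifier, and sends a third terminal a copy under a key that is not its own. The patent names neither a cipher nor a key-generation function; this example substitutes a symmetric stand-in (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, keys derived with HKDF), so each terminal's encryption key and decryption key are the same value and the device's own key is a secret shared with the terminals, which is weaker than the public-key reading of the text. The group table, terminal identifiers, message contents and all function names are constructed for the example. The one check added beyond the page is that the group and recipient identifiers carried in the clear in the first message are bound into its authentication tag, so a relay cannot be redirected to another group by editing that header.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def hkdf(secret: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 (RFC 5869) with a fixed salt; every key below is derived with it."""
    prk = hmac.new(b"relay-hub-salt", secret, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out, counter = out + block, counter + 1
    return out[:length]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for a real cipher, not a recommendation."""
    stream, counter = b"", 0
    while len(stream) < n:
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return stream[:n]


def encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC; `aad` is authenticated but not encrypted. Returns nonce||ct||tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(hkdf(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(hkdf(key, b"mac"), len(aad).to_bytes(4, "big") + aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes, aad: bytes = b""):
    """Plaintext, or None when the tag does not verify under `key` and `aad`."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(hkdf(key, b"mac"), len(aad).to_bytes(4, "big") + aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(hkdf(key, b"enc"), nonce, len(ct))))


def header(group: str, sender: str, to=None) -> bytes:
    """The identifiers the first message carries in the clear; bound into its tag."""
    return f"{group}|{sender}|{','.join(to) if to else ''}".encode()


class NetworkDevice:
    """The relaying network device: one key per terminal, one re-encryption per recipient."""

    def __init__(self, groups: dict):
        self.groups = groups              # group id -> member terminal ids (constructed table)
        self.master = os.urandom(32)      # root secret behind identifier-based key generation
        self.device_key = os.urandom(32)  # the device's own key, provisioned to every terminal

    def terminal_key(self, terminal_id: str) -> bytes:
        # Generated from the identifier alone: unique per terminal, and identical in every
        # group the terminal belongs to (the page's "fourth terminal").
        return hkdf(self.master, b"terminal|" + terminal_id.encode())

    def provision(self, terminal_id: str) -> dict:
        """What the device sends a terminal: its decryption key plus the device's key."""
        return {"dec_key": self.terminal_key(terminal_id), "device_key": self.device_key}

    def second_terminals(self, group: str, sender: str, to=None) -> list:
        """The N second terminals: the whole group minus the sender, or the listed ids."""
        members = self.groups[group]
        if sender not in members:
            raise ValueError("sender is not a member of the named group")
        pool = members if to is None else [t for t in to if t in members]
        chosen = [t for t in pool if t != sender]
        if len(chosen) < 2:               # the page requires N >= 2
            raise ValueError("fewer than two second terminals")
        return chosen

    def relay(self, first_message: dict) -> dict:
        """Decrypt the first message, then emit one second message per recipient."""
        group, sender, to = first_message["group"], first_message["sender"], first_message.get("to")
        original = decrypt(self.device_key, first_message["payload"], header(group, sender, to))
        if original is None:
            raise ValueError("first message failed authentication")
        out = {t: encrypt(self.terminal_key(t), original) for t in self.second_terminals(group, sender, to)}
        # Third terminals (members that are neither sender nor recipient) still receive a
        # copy, but under a fresh key that is not theirs, so they cannot read it.
        for t in self.groups[group]:
            if t != sender and t not in out:
                out[t] = encrypt(os.urandom(32), original)
        return out


def make_first_message(device_key: bytes, group: str, sender: str, original: bytes, to=None) -> dict:
    """First-terminal side: encrypt the original message under the network device's key."""
    msg = {"group": group, "sender": sender, "payload": encrypt(device_key, original, header(group, sender, to))}
    if to is not None:
        msg["to"] = list(to)
    return msg


def terminal_receive(dec_key: bytes, second_message: bytes):
    """Second-terminal side: None means the copy was not encrypted for this key."""
    return decrypt(dec_key, second_message)
```

With a group g1 = A, B, C, D and A addressing only B and C, `relay` returns three second messages: B and C decrypt theirs, D (the third terminal) gets a copy it cannot open, and B's key does not open C's copy. Because the per-terminal key depends only on the identifier, D decrypts with the same key when addressed in a second group, which is the fourth-terminal property the page describes.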
Fig. 4 illustrates another network device architecture.
Based on the same concept, an embodiment of the present invention provides another schematic diagram of a network device structure configured to execute the above method flow. As shown in fig. 4, the network device includes:
a receiver 501, configured to receive, under the control of the processor 504, a first message sent by a first terminal, where the first message is obtained after the first terminal encrypts an original message using an encryption key of a network device;
a processor 504, configured to decrypt the first message using a decryption key of the network device to obtain an original message, determine N second terminals to receive the first message, obtain N encryption keys corresponding to the N second terminals in the first user group, and encrypt the original message using the obtained N encryption keys to obtain N second messages; the first terminal and the N second terminals belong to a first user group, and at least two second terminals in the N second terminals respectively correspond to different encryption keys; n is greater than or equal to 2;
a transmitter 506, configured to send the N second messages to the corresponding N second terminals, respectively, under the control of the processor 504;
a memory 505 for storing information and data.
Preferably, when determining N second terminals to receive the first message, the processor 504 is specifically configured to:
determining a first user group to which the first terminal belongs according to the identifier of the first user group to which the first terminal belongs, wherein the identifier is carried in the first message;
and determining other terminals except the first terminal in all the terminals included in the determined first user group as N second terminals to receive the first message sent by the first terminal.
Preferably, when determining N second terminals to receive the first message, the processor 504 is specifically configured to:
determining a first user group to which the first terminal belongs according to the identifier of the first user group to which the first terminal belongs, wherein the identifier is carried in the first message;
and determining, from the determined first user group, the N second terminals respectively corresponding to N terminal identifiers carried in the first message, the N terminal identifiers identifying the terminals that are to receive the first message.
Preferably, the processor 504 is further configured to:
determining a third terminal in the first user group; the third terminal is other terminals except the first terminal and the N second terminals in the first user group;
encrypting the obtained original message by using an encryption key different from an encryption key corresponding to the third terminal to obtain a third message;
the transmitter 506 is further configured to:
and sending the third message to the third terminal.
Preferably, when acquiring N encryption keys respectively corresponding to the N second terminals in the first user group, the processor 504 is specifically configured to:
generating an encryption key corresponding to each second terminal in the first user group according to the identifier of each second terminal;
generating a decryption key corresponding to each second terminal according to the identifier of each second terminal;
the transmitter 506 is further configured to:
and respectively sending the generated decryption keys to the corresponding second terminals.
Preferably, the processor 504 is further configured to:
before the receiver receives a first message sent by a first terminal, acquire an encryption key of the network device and a decryption key of the network device;
the transmitter 506 is further configured to:
send the encryption key of the network device to the first terminal, the encryption key being used by the first terminal to encrypt the original message to obtain the first message.
Preferably, the first user group includes a fourth terminal, the fourth terminal also belongs to the second user group, and the encryption key of the fourth terminal in the first user group is the same as the encryption key of the fourth terminal in the second user group;
the fourth terminal is any one of all terminals included in the first user group.
In FIG. 4, the bus architecture is represented by bus 500. Bus 500 may include any number of interconnected buses and bridges, and links together various circuits including one or more processors, represented by processor 504, and memory, represented by memory 505. The bus 500 may also link together various other circuits such as peripherals, voltage regulators, and power management circuits, which are well known in the art and therefore are not described further here. A bus interface 503 provides an interface between the bus 500 and the receiver 501 and transmitter 506. The receiver 501 and the transmitter 506 may be a single element or multiple elements, such as multiple receivers and transmitters, providing a means for communicating with various other devices over a transmission medium. Data processed by processor 504 is transmitted over a wireless medium via antenna 502; antenna 502 also receives data and passes it to processor 504.
The processor 504 is responsible for managing the bus 500 and general processing, and may also provide various functions including timing, peripheral interfaces, voltage regulation, power management, and other control functions. And memory 505 may be used to store data used by processor 504 in performing operations.
Alternatively, the processor 504 may be a CPU (central processing unit), an ASIC (Application specific integrated Circuit), an FPGA (Field Programmable Gate Array), or a CPLD (Complex Programmable Logic Device).
It should be apparent to those skilled in the art that embodiments of the present invention may be provided as a method, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (21)

1. A method for message transmission, comprising:
a network device receives a first message sent by a first terminal, wherein the first message is obtained after the first terminal encrypts an original message by using an encryption key of the network device;
the network device decrypts the first message by using a decryption key of the network device to obtain the original message;
the network device determines N second terminals to receive the first message, wherein the first terminal and the N second terminals belong to a first user group, and at least two of the N second terminals respectively correspond to different encryption keys;
the network device acquires N encryption keys respectively corresponding to the N second terminals in the first user group;
the network device encrypts the original message respectively by using the N obtained encryption keys to obtain N second messages;
the network device respectively sends the N second messages to the corresponding N second terminals;
wherein N is greater than or equal to 2.
2. The method of claim 1, wherein the determining, by the network device, N second terminals to receive the first message specifically includes:
the network device determines the first user group to which the first terminal belongs according to the identifier of the first user group to which the first terminal belongs, wherein the identifier of the first user group is carried in the first message;
and the network device determines the terminals other than the first terminal among all the terminals included in the first user group as the N second terminals to receive the first message sent by the first terminal.
3. The method of claim 1, wherein the determining, by the network device, N second terminals to receive the first message specifically includes:
the network device determines the first user group to which the first terminal belongs according to the identifier of the first user group to which the first terminal belongs, wherein the identifier of the first user group is carried in the first message;
and the network device determines, from the determined first user group, the N second terminals respectively corresponding to N terminal identifiers carried in the first message, the N terminal identifiers identifying the terminals that are to receive the first message.
4. The method of claim 3, further comprising:
the network device determines a third terminal in the first user group, the third terminal being a terminal in the first user group other than the first terminal and the N second terminals; and the network device encrypts the obtained original message by using an encryption key different from the encryption key corresponding to the third terminal to obtain a third message, and sends the third message to the third terminal.
5. The method according to any one of claims 1 to 4, wherein the acquiring, by the network device, N encryption keys respectively corresponding to the N second terminals in the first user group includes:
the network device generates an encryption key corresponding to each second terminal in the first user group according to the identifier of each second terminal;
and before the network device sends the N second messages to the corresponding N second terminals, the method further includes:
the network device generates a decryption key corresponding to each second terminal according to the identifier of each second terminal, and respectively sends the generated decryption keys to the corresponding second terminals.
6. The method of any one of claims 1 to 4, wherein before the network device receives the first message sent by the first terminal, the method further comprises:
the network device acquires an encryption key of the network device and a decryption key of the network device;
and the network device sends the encryption key of the network device to the first terminal, so that the first terminal encrypts the original message to obtain the first message.
7. The method according to any of claims 1 to 4, wherein the first user group comprises a fourth terminal, the fourth terminal further belonging to a second user group, and the encryption key of the fourth terminal in the first user group being the same as the encryption key of the fourth terminal in the second user group;
wherein the fourth terminal is any one of all terminals included in the first user group.
8. A network device, comprising:
a receiving unit, configured to receive a first message sent by a first terminal, where the first message is obtained by the first terminal after encrypting an original message using an encryption key of the network device;
the decryption unit is used for decrypting the first message by using a decryption key of the network equipment to obtain the original message;
a determining unit, configured to determine N second terminals to receive the first message; the first terminal and the N second terminals belong to a first user group, and at least two of the N second terminals respectively correspond to different encryption keys; said N is greater than or equal to 2;
a processing unit, configured to obtain N encryption keys corresponding to the N second terminals in a first user group, and encrypt the original message using the obtained N encryption keys, respectively, to obtain N second messages;
and the sending unit is used for respectively sending the N second messages to the corresponding N second terminals.
9. The network device of claim 8, wherein, when determining the N second terminals that are to receive the first message, the determining unit is specifically configured to:
determining the first user group to which the first terminal belongs according to the identifier of the first user group to which the first terminal belongs, which is carried in the first message;
determining other terminals except the first terminal in all the terminals included in the first user group as the N second terminals to receive the first message sent by the first terminal.
10. The network device of claim 8, wherein, when determining the N second terminals that are to receive the first message, the determining unit is specifically configured to:
determining the first user group to which the first terminal belongs according to the identifier of the first user group to which the first terminal belongs, which is carried in the first message;
and determining, from the determined first user group, the N second terminals respectively corresponding to N terminal identifiers carried in the first message, the N terminal identifiers identifying the terminals that are to receive the first message.
11. The network device of claim 10, wherein the determining unit is further configured to:
determining a third terminal in the first user group; the third terminal is other terminals except the first terminal and the N second terminals in the first user group;
the processing unit is further configured to: encrypting the obtained original message by using an encryption key different from an encryption key corresponding to the third terminal to obtain a third message;
the sending unit is further configured to: and sending the third message to the third terminal.
12. The network device of any of claims 8 to 11,
the processing unit, when acquiring N encryption keys respectively corresponding to the N second terminals in the first user group, is specifically configured to: generating an encryption key corresponding to each second terminal in the first user group according to the identifier of each second terminal; generating a decryption key corresponding to each second terminal according to the identifier of each second terminal;
the sending unit is further configured to: and respectively sending the generated decryption keys to the corresponding second terminals.
13. The network device of any of claims 8 to 11,
the processing unit is further configured to: before the receiving unit receives a first message sent by a first terminal, acquiring an encryption key of the network equipment and a decryption key of the network equipment;
the sending unit is further configured to: and sending the encryption key of the network equipment to the first terminal, so that the first terminal encrypts the original message to obtain the first message.
14. The network device according to any of claims 8 to 11, wherein the first user group comprises a fourth terminal, the fourth terminal further belonging to a second user group, the encryption key of the fourth terminal in the first user group being the same as the encryption key of the fourth terminal in the second user group;
wherein the fourth terminal is any one of all terminals included in the first user group.
15. A network device, comprising:
a receiver, configured to receive a first message sent by a first terminal, where the first message is obtained after the first terminal encrypts an original message using an encryption key of the network device;
a processor, configured to decrypt the first message using a decryption key of the network device to obtain the original message, determine N second terminals to receive the first message, obtain N encryption keys corresponding to the N second terminals in a first user group, and encrypt the original message using the obtained N encryption keys to obtain N second messages; the first terminal and the N second terminals belong to the first user group, and at least two of the N second terminals respectively correspond to different encryption keys; said N is greater than or equal to 2;
and the transmitter is used for respectively transmitting the N second messages to the corresponding N second terminals.
16. The network device of claim 15, wherein the processor, when determining N second terminals to receive the first message, is specifically configured to:
determining the first user group to which the first terminal belongs according to the identifier of the first user group to which the first terminal belongs, which is carried in the first message;
determining other terminals except the first terminal in all the terminals included in the first user group as the N second terminals to receive the first message sent by the first terminal.
17. The network device of claim 15, wherein the processor, when determining N second terminals to receive the first message, is specifically configured to:
determining the first user group to which the first terminal belongs according to the identifier of the first user group to which the first terminal belongs, which is carried in the first message;
and determining, from the determined first user group, the N second terminals respectively corresponding to N terminal identifiers carried in the first message, the N terminal identifiers identifying the terminals that are to receive the first message.
18. The network device of claim 17,
the processor is further configured to: determining a third terminal in the first user group; the third terminal is other terminals except the first terminal and the N second terminals in the first user group; encrypting the obtained original message by using an encryption key different from an encryption key corresponding to the third terminal to obtain a third message;
the transmitter is further configured to: and sending the third message to the third terminal.
19. The network device of any of claims 15 to 18,
the processor, when acquiring N encryption keys respectively corresponding to the N second terminals in the first user group, is specifically configured to: generating an encryption key corresponding to each second terminal in the first user group according to the identifier of each second terminal; generating a decryption key corresponding to each second terminal according to the identifier of each second terminal;
the transmitter is further configured to: and respectively sending the generated decryption keys to the corresponding second terminals.
20. The network device of any of claims 15 to 18,
the processor is further configured to: before the receiver receives a first message sent by a first terminal, acquiring an encryption key of the network equipment and a decryption key of the network equipment;
the transmitter is further configured to: and sending the encryption key of the network equipment to the first terminal, so that the first terminal encrypts the original message to obtain the first message.
21. The network device according to any of claims 15 to 18, wherein the first user group comprises a fourth terminal, the fourth terminal further belonging to a second user group, the encryption key of the fourth terminal in the first user group being the same as the encryption key of the fourth terminal in the second user group;
wherein the fourth terminal is any one of all terminals included in the first user group.
CN201510543931.0A 2015-08-28 2015-08-28 Message transmission method and network equipment Active CN106487761B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510543931.0A CN106487761B (en) 2015-08-28 2015-08-28 Message transmission method and network equipment

Publications (2)

Publication Number Publication Date
CN106487761A CN106487761A (en) 2017-03-08
CN106487761B true CN106487761B (en) 2020-03-10

Family

ID=58235350

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510543931.0A Active CN106487761B (en) 2015-08-28 2015-08-28 Message transmission method and network equipment

Country Status (1)

Country Link
CN (1) CN106487761B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109525612B (en) * 2019-01-15 2021-06-04 北京云中融信网络科技有限公司 Multi-terminal message encryption transmission method and system
CN112235331B (en) * 2019-07-15 2023-05-09 中国移动通信有限公司研究院 Data transmission processing method and device
CN110198523B (en) * 2019-07-18 2022-04-15 中国联合网络通信集团有限公司 Method and system for distributing message encryption keys in group

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101022333A (en) * 2007-02-01 2007-08-22 华为技术有限公司 Distributing system, method and device for group key control message

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6978367B1 (en) * 1999-10-21 2005-12-20 International Business Machines Corporation Selective data encryption using style sheet processing for decryption by a client proxy
AU1451001A (en) * 1999-11-01 2001-05-14 Mangosoft Corporation Internet-based shared file service with native pc client access and semantics and distributed version control
US7162451B2 (en) * 2001-11-30 2007-01-09 International Business Machines Corporation Information content distribution based on privacy and/or personal information
CN101938481A (en) * 2010-09-06 2011-01-05 华南理工大学 File encryption and distribution method based on digital certificate
CN102420821B (en) * 2011-11-28 2015-05-27 飞天诚信科技股份有限公司 Method and system for improving transmission security of file
CN104168320B (en) * 2014-08-19 2018-01-26 三星电子(中国)研发中心 The method and system that a kind of user data is shared

Also Published As

Publication number Publication date
CN106487761A (en) 2017-03-08

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
    Address after: 523808 Southern Factory Building (Phase I) Project B2 Production Plant-5, New Town Avenue, Songshan Lake High-tech Industrial Development Zone, Dongguan City, Guangdong Province
    Applicant after: Huawei Device Co., Ltd.
    Address before: 523808 Southern Factory Building (Phase I) Project B2 Production Plant-5, New Town Avenue, Songshan Lake High-tech Industrial Development Zone, Dongguan City, Guangdong Province
    Applicant before: HUAWEI terminal (Dongguan) Co., Ltd.
GR01 Patent grant