RU2752844C1 - Key generation and distribution system and method for distributed key generation using quantum key distribution (options) - Google Patents

Abstract

FIELD: information protection.

SUBSTANCE: invention relates to key generation systems using quantum key distribution (hereinafter – QKD) technology for cryptographic information protection tools. A classic user key is generated in the first and last node of the QKD network of the reserved quantum route in the modules for generating user keys using preliminary keys according to the selected order of generating the classical user key. In the modules for generating user keys of the first and last nodes of the QKD network of the reserved quantum route, a user key is generated using the quantum user key and the classical user key according to the selected order of combining the quantum user key and the classical user key. The generated user key is transmitted from the module for generating user keys of the first and last nodes of the QKD network of the reserved quantum route to the modules for managing user keys of the first and last nodes of the QKD network of the reserved quantum route. The received user key is stored in the user key storage of the module for managing user keys of the QKD network node. The user key is transmitted from the user key storage of the module for managing user keys of the QKD network node to the user’s encoder that requested the user key.

EFFECT: technical result is an increase in the fault tolerance of the system due to the decentralized processing of user key requests and the calculation of quantum routes.

10 cl, 2 tbl, 2 dwg

Description

The technical field to which the invention relates

The proposed invention relates to the field of cryptographic information security, and, in particular, to systems for generating keys using quantum key distribution (QKD) technology for cryptographic information security tools.

State of the art

QKD technology allows obtaining identical keys simultaneously on two devices connected by a quantum channel. Moreover, for any known QKD protocol, there is a limiting quantum channel length, that is, a limiting distance from each other of two devices between which a quantum key is generated. To increase the maximum length between two devices on which it is necessary to obtain an identical key, an approach is used based on the construction of QKD networks with trusted nodes. Such nodes are connected in series by quantum channels used to generate or transmit a key between edge devices.

The known QKD system, method and device based on trusted transmitters (US patent No. 10348493, priority from 06/01/2016). The system consists of several routing devices used to transmit keys, a QKD device connected to the routing devices and configured to build two or more routes to another QKD device in order to negotiate a quantum key and obtain a shared key. Two or more different routes between QKD devices can include one or more routing devices. Devices of the QKD system can also combine agreed quantum keys obtained from different routes to create a new shared key. The QKD devices of the system can also send information about the selected route to the routing devices prior to the start of the quantum key negotiation process. The system can also have quantum gateway devices through which QKD devices are connected to data transmission devices. Quantum gateway devices can encrypt and decrypt data from data transmission devices using quantum keys received from QKD devices.

In this system, the QKD method is implemented, which consists of choosing two or more routes between two quantum key distribution devices. Each route includes one or more routing devices. After choosing a route, the quantum keys are negotiated on the selected routes.

The known system, device and method have several disadvantages.

Thus, a strict division of devices into two types is used, which does not allow the use of QKD devices as intermediate devices of the selected route.

For the organization of QKD networks, in which many data transmission devices are assumed, in the known system, areas with a redundant set of devices may appear. System performance and resiliency depend on the number of routing devices and the connections between them. At the same time, the system does not imply the use of QKD devices as routing devices. In this regard, a situation may arise in which at one specific point in the network (route) it will be necessary to place devices of both types with duplication of quantum channels. This situation arises if at a certain place in the network it is necessary to connect consumers to the QKD device, and the same place in the network is optimal for building routes through it, i.e. optimal for the placement of the routing device.

Also, this system uses only the agreement of quantum keys when generating a common key, as a result of which the strength of the common key is based only on the strength of the methods for generating quantum keys. Moreover, the strength of the final key obtained by combining quantum keys from several routes when these routes intersect does not exceed the strength of the key from one of the routes, i.e. using multiple overlapping routes is unnecessary.

Also, this system lacks a key store, both quantum and general. The pre-shared key request rate can change over time and can significantly exceed the system's ability to generate pre-shared keys during peak periods, resulting in long waiting times for new pre-shared keys.

A centralized monitoring and control network and a method for transmitting a quantum key in a network are known (US application No. 20190260581, priority dated 03/05/2019).

The centralized network contains

• centralized controller,

• N service nodes configured to communicate with each other,

• M key nodes configured to provide quantum keys to N serving nodes,

wherein

• each of the N serving nodes corresponds to one of the M key nodes, and both N and M are integers greater than or equal to 2.

The centralized controller contains

• processor,

• a memory block configured to store programs and commands,

• transceiver.

Each key node contains

• transceiver,

• a key store configured to store quantum keys,

• key relay processor.

The transceiver is configured with the ability

• reporting information about the topology of the key node to the centralized controller,

• receiving the key relay command delivered by the centralized controller.

The key relay processor is configured to perform quantum key relay based on the key relay command delivered by the centralized controller.

The way is that

• receive, by the centralized controller of the centralized management and control network, Z requests for service, each of which requests the transfer of a service to be performed between two service nodes, where Z is an integer greater than or equal to 1;

• determine by the centralized controller, based on each of Z service requests, the source service node and the target service node corresponding to each service request, and the quantum key consumption parameter of the corresponding service request, while the source service node corresponds to the source key node in M key nodes , and the target serving node corresponds to the target key node in M key nodes;

• the centralized controller determines the key relay commands corresponding to service requests G in service requests Z, based on

идентификатора исходного узла обслуживания и идентификатора целевого узла обслуживания, соответствующего каждому из Z запросов на обслуживание,

the source service node identifier and the target service node identifier corresponding to each of the Z service requests,

параметра потребления квантового ключа каждого из Z запросов на обслуживание, и

the quantum key consumption parameter of each of the Z service requests, and

топологической информации М ключевых узлов в централизованной сети управления и контроля, где G является целым числом, меньшим или равным Z и большим или равным 1, и при этом каждая команда ретрансляции ключа задает путь для ретрансляции квантового ключа между исходным ключевым узлом и целевому ключевому узлом соответствующего запроса на обслуживание;

topological information of M key nodes in a centralized command and control network, where G is an integer less than or equal to Z and greater than or equal to 1, and each key relay command specifies a path for relaying a quantum key between the source key node and the target key node of the corresponding service request;

• the centralized controller delivers the key relay commands corresponding to the service requests G to the key nodes corresponding to the key relay commands, so that the key nodes perform the relay quantum keys based on the key relay commands to generate the corresponding shared quantum keys between the corresponding originating service node and target key nodes. Topological information of M key nodes in a centralized command and control network may contain:

• identifier of each key node,

• the state of the quantum link between each key node and one or more other key nodes, and

• the weight of an edge connecting two adjacent key nodes on each path from the source key node to the destination key node of the corresponding service request.

The known method and device have several disadvantages.

Thus, the centralized controller is the point of failure of the entire network and the bottleneck in the calculation of instructions for transferring the key in the presence of a large number of service requests.

The presence of a single key store in each key node, when an attacker gains access to it, can lead to the compromise of both quantum keys used to protect the transfer of keys according to the instructions of the centralized controller, and quantum keys transferred according to the instructions.

Key relaying in the method involves the transmission of one generated quantum key to the target key node. Thus, the strength of the final quantum key is based only on the strength of the QKD protocol, and the attacker has some, albeit small, information about the quantum key itself, obtained during the QKD protocol execution.

Service requests are processed in a centralized controller, which will not allow simultaneous processing of requests received at different network nodes, but will require each request to wait for its own queue in a centralized controller.

The known method and device are selected as a prototype for the first version of the system and method.

To expand the capabilities of systems with QKD, optical switches are used to optimize the use of quantum communication lines in the construction of systems.

For example, a quantum communication network is known (US application No. 2019/03794636, priority dated 06.06.2019), consisting of network nodes, each of which is equipped with an optical switch having n inputs and m outputs, and each network node contains both a device with source of single photons, and a device with receivers of single photons. In this communication network, a method of network management is implemented, which consists in connecting two network nodes using optical switches with quantum communication lines, including those passing through other network nodes.

The known method and network have several disadvantages.

Each node in the network has redundant equipment to ensure the ability to connect any node to any - each node has both a single photon source and a receiver. Placing only one of the devices with a slight increase in the complexity of the switches will reduce the cost per node.

The network nodes at both ends of the quantum channel have an optical switch. Coordinated operation of two switches without a single control center is not a trivial task. Two switches must switch to the correct position to connect two network nodes and at the same time not break the resulting quantum line due to attempts to organize other quantum lines through these switches or attempts to start generating a quantum key with one of these two nodes. Taking into account the possibility of organizing transit quantum lines, the number of switches that must work consistently and not interrupt the quantum communication line during the generation of quantum keys increases.

The proposed network makes it possible to connect many pairs of nodes at the same time, but at the same time the problem of the maximum length of the quantum channel remains, i.e. the fundamental problem of the maximum distance between network nodes, between which it is possible to generate a quantum key, remains. The method does not allow generating a common key between nodes, the distance between which exceeds the maximum length of the quantum channel.

Also known is a secure communication system and a channel control method (US patent No. 8041039, priority dated April 19, 2007), comprising a central node and a plurality of remote nodes connected to the central quantum communication lines through an optical switch and data transmission channels through another optical switch.

The secure communication system contains

• central hub;

• many remote nodes, each of which is connected to the central node via an optical transmission line;

moreover, a plurality of channels are installed between the central site and each remote site;

while the set of channels includes

• the first channel used to transmit a quantum signal,

• the second channel used for data transmission,

• where the central node contains

первый коммутатор для переключения первого канала для соединения с выбранным одним из удаленных узлов;

a first switch for switching the first channel to connect to a selected one of the remote nodes;

второй коммутатор для переключения второго канала для соединения с выбранным одним из удаленных узлов;

a second switch for switching a second channel to connect to a selected one of the remote nodes;

контроллер для независимого управления первым коммутатором и вторым коммутатором таким образом, что они соединены с различными удаленными узлами, выбранными из множества удаленных узлов, для осуществления

a controller for independently controlling the first switch and the second switch so that they are connected to different remote sites, selected from a plurality of remote sites, to implement

передачи квантового сигнала,

transmission of a quantum signal,

формирования общего случайного числа через второй канал на основе данных, полученных путем обнаружения квантового сигнала через первый канал и/или криптографической связи с использованием криптографического ключа, извлеченного из общего случайного числа.

generating a common random number through the second channel based on data obtained by detecting a quantum signal through the first channel and / or cryptographic communication using a cryptographic key derived from the common random number.

A channel control method is used for a secure communication device connected to each of a plurality of remote nodes via an optical transmission line,

moreover, a plurality of channels are established with each remote node, while the plurality of channels includes

• the first channel used to transmit a quantum signal, and

• the second channel used for data transmission, and the secure communication device includes:

• the first switch to switch the first channel to connect to the selected one of the remote nodes, and

• the second switch for switching the second channel for connection with the selected one of the remote nodes, and the channel control method contains:

• independently manage the first switch and the second switch so that they connect to different remote sites selected from a set of remote sites

для выполнения передачи квантового сигнала,

to perform transmission of a quantum signal,

для формирования общего случайного числа через второй канал на основе данных, полученных путем обнаружения квантового сигнала через первый канал и/или {из канала} криптографической связи с использованием криптографического ключа, извлеченного из общего случайного числа. В способе реализуется синхронное включение канала передачи данных и квантовой линии связи. Переключение каналов производится в зависимости от скорости выработки квантовых ключей на каждой линии.

to generate a common random number through the second channel based on data obtained by detecting a quantum signal through the first channel and / or {from a cryptographic communication channel} using a cryptographic key derived from the common random number. The method implements the synchronous activation of the data transmission channel and the quantum communication line. Channel switching is performed depending on the rate of generation of quantum keys on each line.

Also, the method proposes to generate a common key for all nodes in the network by transferring one quantum key from the central node to all remote nodes with transmission protection using encryption such as a one-time cipher pad.

The known system and method are taken as prototypes for the second version of the system and method.

However, the known system and method have the following disadvantages.

The use of two independent switches for switching a quantum signal and transmitted data together with the application of one physical channel to each node (optical fiber) creates an increased risk of errors in switching and transmission; moreover, the transmission of a quantum signal requires dark fiber, i.e. it is necessary to interrupt data transmission when transmitting a quantum signal in the same fiber.

Also, the problem of the maximum length of the quantum channel is not solved. The maximum distance between the central and remote sites does not exceed the length of the quantum channel, the distance between two remote sites does not exceed two maximum lengths of the quantum channel, and key generation strictly between a pair of remote sites turns out to be impossible.

The creation of a single key for the interaction of all nodes is controversial from a security point of view, since it allows a third node to gain access to the information transmitted between two nodes.

Channel hopping control is not optimal and does not account for the need for quantum keys between the remote and central site.

Disclosure of invention

The technical result is

1) increasing the fault tolerance of the system due to the decentralized processing of requests for user keys and the calculation of quantum routes,

2) increasing the security of the system due to two independent key storages at each node,

3) improving performance due to parallel processing of requests for custom keys,

4) increasing the strength of user keys by combining a quantum user key and a classic user key,

5) elimination of restrictions on the maximum distance of two system nodes, between which a common key is generated.

For this, according to the first option, a system for generating and distributing keys is proposed, including

• a set of network nodes for the generation and quantum distribution of keys (nodes of the QKD network), and

узлы сети КРК соединены квантовыми линиями связи так, что граф, отображающий связи квантовыми линиями, является связным;

the nodes of the QKD network are connected by quantum communication lines so that the graph displaying the connections by quantum lines is connected;

узлы сети КРК соединены классической линией связи с цифровой сетью передачи данных; причем к каждому узлу сети КРК присоединено, по крайней мере, две квантовые линии связи;

KKK network nodes are connected by a classical communication line with a digital data transmission network; moreover, at least two quantum communication lines are connected to each node of the QKD network;

at the same time, each node of the QKD network includes

• module for generating custom keys,

• module for managing user keys,

• at least two modules for generating quantum keys; moreover

• each module for generating quantum keys is connected to the module for generating user keys by a local digital data transmission line;

• the module for generating user keys is connected to the module for managing user keys by a local digital data transmission line;

in this case, each module for generating quantum keys is configured to

• generate quantum keys together with another module for generating quantum keys connected to this quantum communication line;

• generate random numbers;

• receive requests for generating a quantum key from the user key generation module;

• transfer the generated quantum keys to the modules for generating user keys;

• transmit / receive service data of the QKD protocol from the module for generating user keys;

in this case, the module for generating user keys is configured to

• create requests for generating a quantum key to the modules for generating quantum keys;

• receive quantum keys from the modules for generating quantum keys according to the transmitted requests;

• store quantum keys in a quantum key store;

• encrypt data;

• decrypt data;

• authenticate data;

• check data authentication;

• determine the topology of the QKD network;

• define a quantum route for generating user keys;

• generate user keys together with modules for generating user keys of other nodes of the QKD network on the quantum route;

• receive requests to generate custom keys from custom key management modules;

• transfer custom keys to custom key management modules;

while the user key management module is configured to

• connect user encryptors using a digital data transmission network;

• store user keys in the user key store;

• determine, together with the modules for managing user keys of other nodes of the QKD network, the correspondence of the QKD network node and the user encoders connected to them;

• form a common database of connected user encryptors, containing the correspondence between the QKD network nodes and the connected user encryptors;

• generate requests for generating a user key into the modules for generating user keys;

• receive custom keys from custom key generation modules according to the transmitted requests.

For the operation of the system, a method is proposed for generating and distributing user keys in the system, which consists in the following:

• select the order of generating the quantum user key;

• choose the order of generation of the classic user key;

• choose the order of combining the quantum user key and the classical user key;

• pre-keys are loaded into the modules for generating user keys of the QKD network nodes, and N-1 key is loaded into each module for generating user keys, where N is the number of nodes in the QKD network;

• loading into the module for generating user keys of each QKD network node identification information for communication with other QKD network nodes, which are connected by a quantum communication line with this QKD network node;

• loading into each user key management module the identification information of the user encryptors connected to them;

• transfer from the user key management module of each QKD network node to the user key management modules of all other QKD network nodes data on the connected user encryptors;

• receive the transmitted information about the connected user encryptors in the user key management module of each QKD network node and record it into the common database of connected user encryptors;

• transmitting from the module for generating user keys of each node of the QKD network to the modules for generating user keys of the remaining nodes of the QKD network, the identification information of all neighboring nodes of the QKD network,

• receive in the module for generating user keys of each node of the QKD network the identification information of the neighboring nodes transmitted to it and, on its basis, form the topology of the QKD network,

• receive a request for a user key from a user encryptor connected to the user key management module of a QKD network node, and the request includes the identification information of the user encryptor, for communication with which the user key is required;

• determine from the common database of connected user encryptors the QKD network node to which the user encryptor is connected, for communication with which a user key is required;

• form in the module for managing user keys of the QKD network node a request for a user key indicating the identification information of the current QKD network node and the QKD network node, determined from the common database of connected user encryptors;

• the generated user key request is transmitted from the user key management module to the user key generation module of the QKD network node;

• receive in the module for generating user keys a request for a user key from the module for managing user keys;

• determine the sequence of QKD network nodes (quantum route) and the number k of nodes in the quantum route from the QKD network node that received the user key request to the QKD network node specified in the user key request using the QKD network topology;

• reserve the quantum route, transmitting from the module for generating user keys of the QKD network node, which received the user key request, to the modules for generating user keys of the network nodes of the QKD, with identifiers corresponding to the remaining identifiers of the QKD network nodes in the quantum route, messages on the reservation of the quantum route;

• calculate i = 1;

• (A) sending a quantum key generation request from the user key generation unit to the quantum key generation unit of the ith node of the reserved quantum route and from the user key generation unit to the quantum key generation unit of the (i + 1) th node of the reserved quantum route, and

если i-й узел сети КРК имеет несколько модулей выработки квантового ключа, то посылают запрос в модуль выработки квантовых ключей, соединенный квантовой линией связи с (i+1)-м узлом сети КРК;

if the i-th node of the QKD network has several modules for generating a quantum key, then sending a request to the module for generating quantum keys connected by a quantum communication line with the (i + 1) th node of the QKD network;

если (i+1)-й узел сети КРК имеет несколько модулей выработки квантового ключа, то посылают запрос в модуль выработки квантовых ключей, соединенный квантовой линией связи с i-м узлом сети КРК;

if the (i + 1) th node of the QKD network has several modules for generating a quantum key, then sending a request to the module for generating quantum keys connected by a quantum communication line with the i-th node of the QKD network;

• generate a quantum key in the modules for generating a quantum key of the i-th and (i + 1) -th nodes of the QKD network;

• the received quantum key is transmitted from the quantum key generation module to the user key generation module at the i-th and (i + 1) -th node of the QKD network;

• place the obtained quantum key in the storage of quantum keys of the modules for generating user keys of the i-th and (i + 1) -th nodes of the QKD network;

• if i <k-1, then

вычисляют i=i+1;

calculate i = i + 1;

переходят к этапу А;

go to stage A;

• requesting a random number in the module for generating user keys from the module for generating quantum keys of the QKD network node with an identifier corresponding to the first QKD network node of the reserved quantum route;

• generate the requested random number using the random number generator of the module for generating quantum keys;

• the generated random number is transmitted from the quantum key generation module to the user key generation module of the QKD network node with the identifier corresponding to the first node of the reserved quantum route;

• generate a quantum user key at the first and last node of the QKD network of the reserved quantum route using a random number in the module for generating user keys of the first node of the QKD network and quantum keys in the quantum key stores of the nodes of the QKD network included in the reserved quantum route, according to the selected order of generation of the quantum custom key;

• generate a classic user key in the first and last node of the QKD network of the reserved quantum route in the modules for generating user keys using pre-key keys according to the selected order of generation of the classic user key;

• a user key is generated in the modules for generating user keys of the first and last nodes of the QKD network of the reserved quantum route using the quantum user key and the classical user key according to the selected order of combining the quantum user key and the classical user key;

• the generated user key is transmitted from the user key generation module of the first and last nodes of the QKD network of the reserved quantum route to the modules for managing the user keys of the first and last nodes of the QKD network of the reserved quantum route;

• save the received user key in the user key storage of the user key management module of the QKD network node;

• transfer the user key from the user key storage of the user key management module of the QKD network node to the user encryptor that requested the user key.

In the proposed method, it can be provided that

• the topological metrics of the QKD network, which complement the topology of the QKD network, are determined in the modules for generating user keys and transmitted to other modules for generating user keys, and the topological metrics include

количество квантовых ключей в хранилище квантовых ключей;

the number of quantum keys in the quantum key store;

скорость выработки квантовых ключей с соседними узлами сети КРК;

the rate of generation of quantum keys with neighboring nodes of the QKD network;

скорость расходования и количество квантовых ключей на зарезервированных квантовых маршрутах;

the rate of expenditure and the number of quantum keys on the reserved quantum routes;

• when determining the quantum route, the modules for generating user keys take into account topological metrics, which are added to the topology of the QKD network;

• when a quantum route is reserved, the reservation message is supplemented with information about the number of required quantum keys for the reservation.

In the proposed method, it can also be provided that the request for a quantum key to the quantum key generation module contains the characteristics of the requested quantum key: length, maximum availability time of the quantum key, key generation mode.

In addition, the proposed method may provide that the request for a user key to the user key management module contains the characteristics of the requested quantum key: length, maximum readiness time of the user key, the need to use the classic user key when calculating the user key.

It is also proposed, according to the second option, a system for generating and distributing keys, including

• a set of network nodes for the generation and quantum distribution of keys (nodes of the QKD network), and

узлы сети КРК соединены квантовыми линиями связи, так, что граф, отображающий связи квантовыми линиями, является связным;

the nodes of the QKD network are connected by quantum communication lines, so that the graph displaying the connections by quantum lines is connected;

узлы сети КРК соединены классической цифровой сетью передачи данных;

QKD network nodes are connected by a classic digital data transmission network;

moreover, at least two quantum communication lines are connected to each node of the QKD network;

at the same time, the QKD network node includes

• module for generating custom keys,

• module for managing user keys,

• at least two modules for generating quantum keys;

moreover, the connection with the quantum communication lines of the QKD network nodes can be performed both directly and through an optical switch; moreover

• the number of optical switches does not exceed the number of QKD network nodes;

• each optical switch has one optical input and tons of optical outputs that allow connecting up to tons of quantum communication lines to one node of the QKD network;

• each optical switch is connected by a local digital data transmission line to a user key generation module connected by a quantum communication line to the optical input of the optical switch;

wherein each module for managing user keys is connected to the module for generating user keys by a local digital data transmission line and configured to

• receive and transmit data to user encryptors through a digital data transmission network;

• store user keys in the user key store;

• determine, together with the modules for managing user keys of other nodes of the QKD network, the correspondence of the QKD network node and the user encoders connected to them;

• form a common database of connected user encryptors, containing the correspondence between the QKD network nodes and the connected user encryptors;

• create requests for generating a custom key to the modules for generating custom keys;

• receive user keys from modules for generating user keys according to the transmitted requests;

wherein each module for generating quantum keys is associated with the module for generating user keys by a local digital data transmission line and is configured to

• generate quantum keys together with another module for generating quantum keys connected by a quantum communication line;

• generate random numbers;

• receive requests for generating a quantum key from the user key generation module;

• transfer the generated quantum keys to the modules for generating user keys;

• transmit and receive service data of the QKD protocol from the module for generating user keys;

in this case, the module for generating user keys is configured to

• create requests for generating a quantum key to the modules for generating quantum keys;

• receive quantum keys from the modules for generating quantum keys according to the transmitted requests;

• store quantum keys in a quantum key store;

• encrypt data;

• decrypt data;

• carry out data authentication;

• check data authentication;

• determine the topology of the QKD network;

• define a quantum route for generating user keys;

• manage channel switching inside the optical switch;

• generate user keys together with modules for generating user keys of other nodes of the QKD network on a quantum route,

• receive requests to generate custom keys from custom key management modules;

• transfer custom keys to custom key management modules.

For the operation of the system, according to the second version, a method for generating and distributing user keys in the system is proposed, which consists in the fact that

• select the order of generating the quantum user key;

• choose the order of generation of the classic user key;

• choose the order of combining the quantum user key and the classical user key;

• pre-keys are loaded into the modules for generating user keys of the QKD network nodes, and N-1 key is loaded into each module for generating user keys, where N is the number of nodes in the QKD network;

• loading into the module for generating user keys of each node of the QKD network identification information for communication with other nodes of the QKD network, which are connected by a quantum communication line with this node of the QKR network;

• loading into each user key management module the identification information of the user encryptors connected to them;

• transfer from the user key management module of each QKD network node to the user key management modules of all other QKD network nodes data on the connected user encryptors;

• receive the transmitted information about the connected user encryptors in the user key management module of each QKD network node and collect it into a common database of connected user encryptors;

• transmitting from the module for generating user keys of each node of the QKD network to the modules for generating user keys of all other nodes of the QKD network, identification information of all neighboring nodes of the QKD network;

• receive in the module for generating user keys of each node of the QKD network the transmitted identification information of the neighboring nodes and, on its basis, form the topology of the QKD network;

• receive a request for a user key from a user encryptor connected to the user key management module of a QKD network node, and the request includes the identification information of the user encryptor, for communication with which the user key is required;

• determine from the common database of connected user encryptors the QKD network node to which the user encryptor is connected, for communication with which a user key is required;

• form a request for a user key in the user key management module of the QKD network node, indicating the identification information of the QKD network node that received the request for the user key, and the QKD network node, determined from the common database of connected user encryptors;

• the generated user key request is transmitted from the user key management module to the user key generation module of the QKD network node;

• receive in the module for generating user keys a request for a user key from the module for managing user keys;

• determine the sequence of QKD network nodes (quantum route) and the number k of nodes in the quantum route from the QKD network node that received the user key request to the QKD network node specified in the user key request using the QKD network topology;

• reserve a quantum route, transmitting from the module for generating user keys of the QKD network node, which received the request for the user key, to the modules for generating user keys of the network nodes of the QKD, with identifiers corresponding to the remaining identifiers of the QKD network nodes in the reserved quantum route of the message on the reservation of the quantum route;

• calculate i = 1;

• (A) sending a quantum key generation request from the user key generation unit to the quantum key generation unit of the ith node of the reserved quantum route and from the user key generation unit to the quantum key generation unit of the (i + 1) th node of the reserved quantum route, and

если i-й узел сети КРК имеет несколько модулей выработки квантового ключа, то посылают запрос в модуль выработки квантовых ключей, соединенный квантовой линией связи с (i+1)-M узлом сети КРК;

if the i-th node of the QKD network has several modules for generating a quantum key, then sending a request to the module for generating quantum keys connected by a quantum communication line with the (i + 1) -M node of the QKD network;

если (i+1)-й узел сети КРК имеет несколько модулей выработки квантового ключа, то посылают запрос в модуль выработки квантовых ключей, соединенный квантовой линией связи с i-м узлом сети КРК;

if the (i + 1) th node of the QKD network has several modules for generating a quantum key, then sending a request to the module for generating quantum keys connected by a quantum communication line with the i-th node of the QKD network;

• if the modules for generating quantum keys of the i-th and (i + 1) -th nodes of the QKD network are connected by a quantum communication channel through an optical switch, then

если модуль выработки квантовых ключей (i+1)-го узла сети КРК подключен к j-му выходу оптического коммутатора, то задают коммутацию квантовых каналов в оптическом коммутаторе из модуля выработки пользовательских ключей i-го узла сети КРК со входа оптического коммутатора на j-й выход;

if the module for generating quantum keys of the (i + 1) th node of the QKD network is connected to the j-th output of the optical switch, then switching of quantum channels in the optical switch is set from the module for generating user keys of the i-th node of the QKK network from the input of the optical switch to j- th exit;

если модуль выработки квантовых ключей i-го узла сети КРК подключен к j-му выходу оптического коммутатора, то задают коммутацию квантовых каналов в оптическом коммутатор из модуля выработки пользовательских ключей (i+1)-го узла сети КРК со входа оптического коммутатора на j-й выход;

if the module for generating quantum keys of the i-th node of the QKD network is connected to the j-th output of the optical switch, then switching of quantum channels is set in the optical switch from the module for generating user keys of the (i + 1) -th node of the QKD network from the input of the optical switch to j- th exit;

• generate a quantum key in the modules for generating a quantum key of the i-th and (i + 1) -th nodes of the QKD network;

• the received quantum key is transmitted from the quantum key generation module to the user key generation module at the i-th and (i + 1) -th node of the QKD network;

• place the obtained quantum key in the storage of quantum keys of the modules for generating user keys of the i-th and (i + 1) -th nodes of the QKD network;

• if i <k-1, then

вычисляют i=i+1;

calculate i = i + 1;

переходят к этапу А;

go to stage A;

• requesting a random number in the module for generating user keys from the module for generating quantum keys of the QKD network node with an identifier corresponding to the first node of the reserved quantum route;

• generate the requested random number using the random number generator of the module for generating quantum keys;

• the generated random number is transmitted from the quantum key generation module to the user key generation module of the QKD network node with the identifier corresponding to the first node of the reserved quantum route;

• generate a quantum user key at the first and last nodes of the QKD network of the reserved quantum route using a random number in the module for generating user keys of the first node of the QKD network and quantum keys in the quantum key stores of the nodes of the QKD network of the reserved quantum route, according to the selected order of generation of the quantum user key;

• generate a classic user key at the first and last node of the QKD network of the reserved quantum route in the modules for generating user keys using pre-key keys according to the selected order of generation of the classic user key;

• a user key is generated in the modules for generating user keys of the first and last nodes of the QKD network of the reserved quantum route using the quantum user key and the classical user key according to the selected order of combining the quantum user key and the classical user key;

• the generated user key is transmitted from the user key generation module of the first and last nodes of the QKD network of the reserved quantum route to the modules for managing the user keys of the first and last nodes of the QKD network of the reserved quantum route;

• save the received user key in the user key storage of the user key management module of the QKD network node;

• transfer the user key from the user key storage of the user key management module of the QKD network node to the user encryptor that requested the user key.

In the proposed method, it can be provided that

• the topological metrics of the QKD network, which complement the topology of the QKD network, are determined in the modules for generating user keys and transmitted to other modules for generating user keys, and the topological metrics include

количество квантовых ключей в хранилище квантовых ключей;

the number of quantum keys in the quantum key store;

скорость выработки квантовых ключей с соседними узлами сети КРК;

the rate of generation of quantum keys with neighboring nodes of the QKD network;

скорость расходования и количество квантовых ключей на зарезервированных квантовых маршрутах;

the rate of expenditure and the number of quantum keys on the reserved quantum routes;

• take into account topological metrics when determining the quantum route in the module for generating user keys;

• when reserving a quantum route, the reservation message is supplemented with information about the number of required quantum keys for reservation.

In the proposed method, it can also be provided that the request for a quantum key to the quantum key generation module contains the characteristics of the requested quantum key: length, maximum availability time of the quantum key, key generation mode.

In addition, the proposed method may provide that the request for a user key to the user key management module contains the characteristics of the requested quantum key: length, maximum readiness time of the user key, the need to use the classic user key when calculating the user key.

The proposed system (hereinafter referred to as the QKD network) is generally designed to generate and distribute keys between any pair of nodes included in it. The generated keys can be used both by the nodes of the system itself and transmitted to external devices connected to the nodes. The method for generating and distributing keys is implemented in the first version of the node (QKD network node). The system allows generating keys, the strength of which is based on the strength of both quantum keys obtained using QKD protocols with proven secrecy, and classical keys. Combining two keys of a different nature allows you to obtain a strong key even if one of the composite keys is successfully attacked. Thus, an increase in the strength of user keys is achieved.

The QKD network nodes are connected by quantum communication lines. Moreover, for each quantum communication line in the QKD network node, a separate module for generating quantum keys is allocated. Due to this, a high speed of generation of quantum keys on the QKD network segments is achieved, i.e. on a pair of modules for generating quantum keys connected by quantum communication lines. A set of modules for generating quantum keys in one QKD network node allows you to build QKD networks of arbitrary topology. In this case, parallel generation of quantum keys can be carried out on all segments of the QKD network, which includes a given QKD network node, increasing the final rate of generation of user keys.

Note that the modules for generating quantum keys in the general case are of two types: some contain a source of single photons, others - a receiver of single photons. The QKD network node can contain modules for generating quantum keys of one or another type. The only requirement imposed on these modules is that from one end of the quantum communication line there must be a source of single photons, and from the other end of the same quantum communication line there must be a receiver of single photons.

To connect external devices that need to transfer a user key, for example, encryptors, the QKD network node is equipped with a user key management module.

This module serves three purposes.

The first is the unification of the identification information of the QKD network nodes, by translating the requests of the user key with the indication of the identification information of the encryptors into the requests of the user key inside the QKD network with the indication of the identification information of the nodes of the QKD network. Thus, the identification information of pairs of scramblers can have different forms.

The second is storing user keys in a dedicated key store. Thus, the likelihood of accidental or deliberate use of the generated user key after transmission to the user key management modules is reduced. Also, due to this storage, a deferred issuance of a user key to an external device is possible if it was not connected at the time the user key was generated.

The third is the impossibility at the physical level to connect an external device to a node from which it is not supposed to issue user keys.

Note that the connected user encryptors (or other external devices designed to obtain a user key from the QKD network) initiate a method for generating and distributing user keys by transmitting a user key request to the user key management module. For the correct processing of requests for a user key on the QKD network node, it is necessary that each QKD network node can determine the QKD network node to which another user encryptor is connected, with which the user key is requested.

For these purposes, each user key management module forms a common database of connected user encryptors, which contains information about which user encryptors are connected to the QKD network and to which node of the QKD network. This database allows you to translate the identification information of the encryptors into the identification information of the QKD network nodes to which these encryptors are connected. A common database is a specific structure stored in the memory of a module during system operation.

User key management modules are used to interact with user encryptors external to the system. In the event that it is not planned in principle to connect user encryptors to a specific QKD network node and user keys will not be issued from this QKD network node, then a simplified implementation of the QKD network node is possible, in which the user key management module is excluded. In this case, the possibility of interaction with this node from outside the system is also excluded, which makes it possible to create a more secure implementation of the QKD network node. The need for such a secure implementation may arise when implementing a system that connects, for example, remote geographic objects, between which the distance is significantly more than 100 km (the maximum distance for known QKD systems), and between them there are sparsely populated hard-to-reach territories. Then, the safe implementation of the QKD network node will simplify the organization of the location of such a node and reduce the frequency of routine on-site monitoring of the QKD network node.

The method for generating and distributing user keys assumes decentralized control over the generation of user keys. The QKD network node to which the device requesting the key is connected can independently determine the necessary chain of QKD network nodes (quantum route), which will allow generating a user key. To determine a quantum route, each QKD network node performing route calculation must have complete information about the existing quantum communication lines in the QKD network, as well as about the efficiency of their use.

A quantum route is an ordered sequence of QKD network nodes, in which each subsequent node is connected to the previous quantum communication channel.

The first QKD network node in this sequence is the QKD network node, in the user key generation module of which a user key request is received. The last node of the QKD network in the quantum route is the node of the QKD network, with which it is necessary to generate a user key in accordance with a request for a user key. The sequence of QKD network nodes can be specified, for example, by an ordered array of identifiers of these nodes.

In general, there are various ways to choose a quantum route. The quantum route for each pair of QKD network nodes can be predetermined and fixed in advance. But in this case, it may turn out to be inoperative in the event of a violation of the generation of quantum keys (for example, a drop in the rate of key generation, irregularity of key generation) between any pair of nodes in the QKD network of the quantum route, and even more so if it is impossible to generate quantum keys.

Dynamic methods for determining a quantum route allow you to build a route that is optimal according to some attribute at a particular moment in time.

When determining a quantum route, it is proposed to minimize the time required to generate quantum keys on all consecutive pairs of QKD network nodes in order to increase the speed of generating a user key.

For this, it is proposed to use the following parameters of a quantum communication channel and QKD network nodes, which characterize the efficiency of generating a user key on a certain route (indicators of the efficiency of a quantum communication line):

• the number of accumulated quantum keys in the storage of quantum keys at the nodes of the QKD network on the proposed quantum route,

• the rate of generation of quantum keys at a QKD network node with neighboring QKD network nodes,

• rate of expenditure of quantum keys,

• the number of quantum keys on the reserved quantum routes for generating quantum user keys,

• the sizes of quantum keys and the size of the requested user key,

• the selected method of transferring the quantum component of the user key and the method of combining the quantum and user components of the user key.

Information about the performance indicators of quantum communication lines of the entire QKD network is transmitted to each node of the QKD network using service messages. Each node of the QKD network discloses to all other nodes of the QKD network in the system information about the neighboring nodes of the QKD network and the efficiency of quantum communication lines connected to this node. By combining its disclosed information with similar information from other nodes of the QKD network, each node of the QKD network can form the topology of the QKD network, representing it, for example, in the form of a graph, where the nodes will be the nodes of the QKD network, and the edges are quantum communication lines. Then each edge of the graph can be associated with a weight that shows the efficiency of the quantum communication line, calculated on the basis of performance indicators. Thus, at each node of the QKD network, a weighted graph is stored, according to which the QKD network node determines the quantum route. The values of the performance indicators can be determined by the modules for generating custom keys based on the analysis of statistics for the generation of quantum keys during the operation of the system or pre-fixed by the manufacturer. In the first case, when the values of performance indicators change, it is necessary to update the network topology (weighted graph) at the QKD network node, where the values of the performance indicators were updated, and send the updated topology to all other QKD network nodes. In the second case, the values of the performance indicators do not change during the operation of the QKD network.

FIG. 1 shows an example of a QKD network consisting of 6 QKD network nodes. Lines indicate quantum communication channels. Then the quantum route from node 1 to node 6 can take the following values:

• 1, 2, 3, 6;

• 1, 2, 3, 4, 5, 6;

• 1,2,3,5,6;

• 1, 4, 5, 6;

• 1, 4, 3, 6;

• 1, 4, 3, 5, 6;

• 1, 4, 5, 3, 6.

After calculating the quantum route, the module for generating user keys reserves this route so that the modules for generating user keys of other nodes of the QKD network can take into account the calculated reserved route on which quantum keys will be spent when calculating the next quantum routes.

The storage of the generated quantum keys, as well as the control of the generation of quantum keys, is carried out in the modules for generating user keys. Thus, the control of the generation of quantum keys is simplified, including when it is necessary to switch optical switches, since the quantum route and its reservation at the nodes of the QKD network is performed in the modules for generating user keys, which allows these modules to collect information about the necessary quantum keys and form a generation sequence. quantum keys with neighboring network nodes. Moreover, the calculation of routes and the subsequent generation of user keys directly in the modules for generating user keys allows parallel calculation of these routes for requests received at different nodes, in contrast, for example, from a prototype, in which requests come to a single control center, which calculates them sequentially. ...

A decentralized control system for the generation of quantum and user keys increases the fault tolerance of the system as a whole, since the failure of one node of the QKD network only leads to the impossibility of implementing such routes that use the failed node without affecting other routes. With sufficient redundancy of links, the failure of one node will not affect the system's ability to perform its functions of creating custom keys, but will only affect the speed of performing these functions.

An example of sufficient redundancy of links is such a topology of links with quantum communication lines, in which any pair of QKD network nodes can be connected by two independent routes, such that they only have the same initial and final nodes, and all intermediate nodes are different.

The second version of the system allows you to optimize some segments of the QKD network. For this, optical switches are used, with the help of which it is possible to reduce the number of modules for generating quantum keys in one node of the QKD network. Several modules for generating quantum keys in a QKD network node are replaced by one module for generating quantum keys. This module for generating quantum keys is connected by an additional quantum communication line to the input of the optical switch, and the quantum communication lines that connected this node of the QKD network with the conjugated nodes are connected to the outputs of the optical switch. That is, in fact, the optical switch is placed in the gap of the quantum communication line.

The optical switch is controlled from the QKD network node in which the modules for generating quantum keys were replaced with one module. For this, the optical switch is connected by a service line with the module for generating user keys of this node of the QKD network.

The following limitation is imposed on adding optical switches. There should not be two QKD network nodes connected to two optical switches built into the break of the same quantum communication line. This restriction is necessary so that two nodes of the QKD network do not control one quantum communication line, and therefore, the inclusion of a particular quantum communication line was determined strictly by one node of the QKD network and was unambiguous.

In the second version of the system, as in the first, a simplified implementation of the QKD network node is possible, made without modules for managing user keys.

The addition of optical switches modifies the way custom keys are generated and distributed based on the characteristics of the optical switches.

In this case, the generation of quantum keys by segments is carried out sequentially according to the principle of time sharing with sequential switching of the optical switch according to the received information about the reservation of the quantum route. First, the optical switch is switched on in the position that organizes a continuous quantum communication line with the QKD network node preceding this one in the reserved quantum route, and after the successful generation of the quantum key on this segment, the optical switch is switched on to the position for organizing a quantum communication line with the next node in the reserved quantum route to generate a quantum key on this segment of the quantum route. The overall speed of generating user keys decreases, but the cost of the QKD network node, its weight and dimensions, as well as the total length of the optical fiber used for quantum communication lines of the QKD network, also decrease.

Brief Description of Drawings

FIG. 1 shows a diagram of a system of 6 QKD network nodes according to the first option.

FIG. 2 shows a diagram of a system of 6 QKD network nodes according to the second option with the addition of an optical switch.

Figures

1 - module for generating custom keys

2 - module for generating quantum keys

2 (a) - module for generating quantum keys of the source type

2 (b) - module for generating quantum keys of the receiver type

3 - module for managing user keys

4 - optical switch

5 - KKK network node

5.x, where x from 1 to 6 is the QKD network node with number x

6 - user encoder

7 - quantum communication line

8 - local communication line between the module for generating quantum keys and the module for generating user keys

9 - service digital communication line between the module for managing user keys of the KKK network node and the user encoder.

Implementation of the invention

The proposed system, device and method can be implemented, for example, using the well-known single-pass QKD system (RF patent No. 2706175) and ViPNet Coordinator HW 100 hardware and software systems (article at https://infotecs.ru/upload/iblock/60a /ViPNet_Coordinator_HW100_web_apri_2018.pdf).

A single-mode optical fiber of the SMF-28 type of admissible length is selected as the quantum communication line 7. An Ethernet patch cord is selected as the local communication lines 8 connecting the quantum key generation modules and the custom key generation modules.

Modules for generating quantum keys are implemented using this single-pass QKD system, and at one end of the quantum communication line, a module is installed containing a source of single photons (hereinafter referred to as a source type module, 2 (a)), and at the other end, a module containing a receiver of single photons (hereinafter referred to as a receiver-type module, 2 (b)). Modules for generating custom keys 1 are implemented using the ViPNet Coordinator HW100 hardware and software complex with modified software. The modified software can be compiled by a programming specialist (programmer). User key management module 3 can be implemented as additional software that runs on ViPNet Coordinator HW100.

Here is an example of a system of 6 nodes connected by quantum communication lines, as shown in FIG. 1. Node 1 consists of a module for managing user keys, a module for generating user keys, and two modules for generating quantum keys of the source type. Node 2 consists of a module for generating user keys and two modules for generating quantum keys of the receiver type. Node 3 consists of a user key management module, a user key generation module, three source-type quantum keys generation modules, and one receiver-type quantum key generation module. Node 4 consists of a module for generating user keys, two modules for generating quantum keys of the source type and one module for generating quantum keys of the type receiver. Node 5 consists of one module for generating user keys, three modules for generating quantum keys of the receiver type. Node 6 consists of a user key management unit, a user key generation unit, a source type quantum key generation unit, and a receiver type quantum key generation unit.

To implement the method, the following actions are performed:

The order of transmission of the quantum user key is selected, for example, according to the known method according to the patent of the Russian Federation No. 2708511.

The order of transmission of the classic user key is selected, for example, by preloading the classic user keys by a trusted courier without further transmission.

The order of combining the quantum user key and the classical user key is selected, for example, by bitwise addition (using the XOR operation) of the quantum user key and the classical user key.

Pre-keys K1_2, K1_3, K1_4, K1_5, K1_6 are loaded into the module for generating user keys of node 1, keys K1_2, K2_3, K2_4, K2_5, K2_6 into the module for generating user keys of node 2, keys K1_3, K2_3, K3_4, K3_5, K3 for generating user keys of node 3, keys K1_4, K2_4, K3_4, K4_5, K4_6 to the module for generating user keys of node 4, keys K1_5, K2_5, K3_5, K4_5, K5_6 to the module for generating user keys of node 5, keys K1_6, K2_6, K3_6, K4 , K5_6 to the module for generating custom keys of node 6.

The identification information is loaded into the modules for generating user keys. For example, the identifier of the system node and its IP address can be used as such information. Let the node identifier take the value ID_i for the i-th node, where i is the node number. Node 1 is loaded with ID_1, ID_2, ID_4. Node 2 is loaded with ID_1, ID_2, ID_3. Node 3 is loaded with ID_2, ID_3, ID_4, ID_5, ID_6. Node 4 is loaded with ID_1, ID_3, ID_4, ID_5. Node 5 is loaded with ID_3, ID_4, ID_5, ID_6. Node 6 is loaded with ID_3, ID_5, ID_6.

The information about the connected encryptors of the system users is loaded into the user key management module. For example, an encryptor with the ID_E_1 identifier is connected to node 1, and an encryptor with the ID_E_2 identifier is connected to node 6. For example, the ViPNet L2 10G hardware and software complex can be used as a user encryption device (article at https://infotecs.ru/about/press-centr/news/infoteks-i-eci-telecom-proveli-ispytaniya-na- sovmestimost-svoikh-produktov.html).

The user key management module transmits information about the connected user encryptors 6 to the user key management modules of other nodes. Then, the user key management module of node 1 sends information of the form {ID_1, ID_E_1} to the user key management module of nodes 3 and 6. Similarly, the user key management module of node 6 sends information of the form {ID_6, ID_E_2} to the address of the user key management modules of nodes 1 and 3.

The user key management modules receive the transmitted information. After that, each module for managing user keys combines it into a common database of connected encryptors, which can be represented in the form of an ordered structure, for example, a table. The general database of connected user encryptors at each node will have the form shown below in table. 1.

Modules for generating user keys of each node transmit information about neighboring nodes to modules for generating user keys of all other nodes. For node 1, nodes 2 and 4 are adjacent. For node 2, nodes 1 and 3. For node 3, nodes 2, 4, 5, 6. For node 4, nodes 1, 3.5. For node 5 - nodes 3, 4, 6. For node 6 - nodes 3, 5. For example, identifiers of neighboring nodes can be used as information about neighboring nodes. Then Node 1 sends information of the form {ID_1; ID_2, ID_4}, Node 2 - {ID_2; ID_1, ID_3}, Node 3 - {ID_3; ID_2, ID_4, ID_5, ID_6} etc.

Modules for generating user keys receive the transmitted information and form, on the basis of it, the QKD network topology. Such a topology of the QKD network can be represented, for example, in the form of a table. 2.

Let the user key be requested by the encryptor with the ID_E_1 identifier to communicate with the encryptor with the ID_E_2 identifier.

The encryptor with the identifier ID_E_1 sends a request for the user key to the user key management module of the node 1, indicating in the request the identifier of the target encryptor ID_E_2.

The module for managing user keys of node 1 according to the common database of connected user encryptors (Table 1) determines the network node corresponding to the encryptor with the ID_E_2 identifier, i.e. node 6 with identifier ID_6.

The user key management module generates a user key request to the user key generation module indicating the current and target network node {ID_1, ID_6}. The generated request is transmitted to the module for generating user keys of node 1.

The user key generation module receives a request from the user key management module and starts determining the quantum route. The first identifier in the quantum route is ID_1, the last is ID_6. Further, according to the QKD network topology table (Table 2), the remaining route identifiers are determined. The quantum route is obtained, for example, {ID_1, ID_4, ID_3, ID_6}. Nodes 1, 4, 3, 6 correspond to this quantum route.

The module for generating user keys of node 1 transmits a message on the reservation of the route for generating a user key between nodes 1 and 6 to the modules for generating user keys of nodes 4, 3, 6.

The user key generation unit of node 1 transmits a quantum key generation request to a quantum key generation unit connected by a quantum line to the quantum key generation unit of node 4. The user key generation unit of node 4 transmits a quantum key generation request to a quantum key generation unit connected by a quantum communication line with the module for generating a quantum key of node 1, and in a module for generating a quantum key connected by a quantum line with the module for generating a quantum key of node 3. The module for generating user keys of node 3 transmits a request for generating a quantum key to a module for generating a quantum key connected by a quantum communication line with the module generating a quantum key of node 4, and to a quantum key generating module connected by a quantum communication line with a quantum key generating module of node 6. The user keys generating module of node 6 transmits a request for generating a quantum key to a quantum key generating module, connected by a quantum communication line with the module for generating a quantum key of node 3.

The modules for generating a quantum key that have received a request for generating a quantum key, using the selected QKD protocol, generate quantum keys: key QK1 in the modules for generating quantum keys of nodes 1 and 4, connected by a quantum communication line, key QK2 in modules for generating quantum keys of nodes 4 and 3, connected quantum communication line, the QK3 key in the modules for generating quantum keys of nodes 3 and 6.

The generated quantum keys are transferred to the modules for generating user keys of the corresponding nodes and placed in the quantum key storage, i.e. the QK1 key is placed in the storage of quantum keys of the modules for generating user keys of nodes 1 and 4, the QK2 key in the storage of nodes 4 and 3, and the QK3 key in the storage of nodes 3 and 6.

A random number is requested from the module for generating user keys from the module for generating quantum keys of node 1.

The requested random number is generated using the random number generator of the quantum key generating unit.

The generated random number is transferred from the quantum key generation unit to the user key generation unit of node 1.

Using the keys QK1, QK2, QK3, the received random number is transmitted to node 6 using the selected method.

The given random number is assigned in nodes 1 and 6 with a quantum user key KQ.

Assign, according to the selected method for generating the classic user key, the pre-allocated key K1_6 with the classic user key KC.

A user key K is generated at node 1 and at node 6 according to the selected method of combining a quantum user key and a classical user key, i.e. K = KQ ⊕ KС, where ⊕ is the XOR operation (exclusive OR).

The generated user key K is transmitted from the modules for generating user keys of nodes 1 and 6 to the modules for managing user keys of nodes 1 and 6 and is stored in the storage of user keys of nodes 1 and 6, respectively.

The user key K is transferred from the storage of user keys of node 1 to the encryptor with the identifier ID_E_1 and from the storage of user keys of the node 6 to the encryptor with the identifier ID_E_2.

A specialist in the field of programming (programmer) can implement the actions of the proposed method as part of a program or function.

To implement the second version of the system, an optical switch is additionally installed, for example, implemented on the basis of the Sercalo sw1x4 optical switch (article at http://www.shs-systems.ru/catalog/sercalo / SW /).

Here is an example of a 6-node system connected by quantum communication lines, as shown in FIG. 2. The composition of nodes 1, 2, 3, 4, 6 corresponds to the composition of the system nodes according to the first option. Node 5 in the composition contains only one module for generating quantum keys of the receiver type, connected to the quantum communication lines with the input of the optical switch. The outputs of the optical switch are connected by quantum communication lines with modules for generating quantum keys of the type source of nodes 3, 4, 6.

The implementation of the method according to the second embodiment coincides with the implementation of the method according to the first embodiment up to the step of determining the quantum route.

Let the quantum route {ID_1, ID_4, ID_5, ID_6} be defined. Nodes 1, 4, 5, 6 correspond to this quantum route.

The module for generating user keys of node 1 transmits a route reservation message for generating a user key between nodes 1 and 6 to the modules for generating user keys of nodes 4, 5, 6.

The user key generation unit of node 1 transmits a quantum key generation request to a quantum key generation unit connected by a quantum line to the quantum key generation unit of node 4. The user key generation unit of node 4 transmits a quantum key generation request to a quantum key generation unit connected by a quantum communication line with the module for generating a quantum key of node 1, and into a module for generating a quantum key connected by a quantum communication line with the module for generating a quantum key of node 5. The module for generating user keys of node 5 switches the switching of the optical switch from input to output corresponding to the quantum communication line to node 4, then transmits a request for generating a quantum key to a quantum key generation module connected by a quantum communication line with a quantum key generation module of node 4. The quantum key generation modules, which have received a quantum key generation request, use the selected QKD protocol to form a quantum Antique keys: key QK1 in the quantum key generation modules of nodes 1 and 4, connected by a quantum communication line, QK2 key in the quantum key generation modules of nodes 4 and 5. The user key generation module switches the switching of the optical switch from input to output corresponding to the quantum communication line to node 6, then transmits a quantum key generation request to a quantum key generation module connected by a quantum communication line to a quantum key generation module of node 6. The user key generation module of node 6 transmits a quantum key generation request to a quantum key generation module connected by a quantum communication line to the module generating the quantum key of node 5.

The modules for generating a quantum key that have received a request for generating a quantum key, using the selected QKD protocol, generate quantum keys: the QK3 key in the modules for generating quantum keys of nodes 5 and 6.

The generated quantum keys are transferred to the modules for generating user keys of the corresponding nodes and placed in the quantum key storage, i.e. the QK1 key is placed in the storage of quantum keys of the modules for generating user keys of nodes 1 and 4, the QK2 key in the storage of nodes 4 and 5, and the QK3 key in the storage of nodes 5 and 6.

Then, a user key is generated and the execution of the method is completed in the same way as in the first embodiment.

Claims (138)

1. The system for generating and distributing keys, including set of network nodes for the generation and quantum distribution of keys (nodes of the QKD network), and the nodes of the QKD network are connected by quantum communication lines so that the graph displaying the connections by quantum lines is connected; KKK network nodes are connected by a classical communication line with a digital data transmission network; moreover, at least two quantum communication lines are connected to each node of the QKD network; in this case, each node of the QKD network includes module for generating custom keys, user key management module, at least two modules for generating quantum keys; moreover each module for generating quantum keys is connected to the module for generating user keys by a local digital data line; the module for generating user keys is connected to the module for managing user keys by a local digital data line; wherein each quantum key generation module is configured to generate quantum keys together with another quantum key generation module connected to the given quantum communication line; generate random numbers; receive requests to generate a quantum key from the user key generation module; transfer the generated quantum keys to the modules for generating user keys; transmit / receive service data of the QKD protocol from the module for generating user keys; the module for generating user keys is configured to generate requests for generating a quantum key to the modules for generating quantum keys; receive quantum keys from the modules for generating quantum keys according to the transmitted requests; store quantum keys in a quantum key store; encrypt data; decrypt data; authenticate data; check data authentication; determine the topology of the QKD network; define a quantum route for generating user keys; generate user keys together with modules for generating user keys of other nodes of the QKD network on a quantum route; receive requests to generate custom keys from custom key management modules; transfer custom keys to custom key management modules; wherein the user key management module is configured to connect user encryptors using a digital data transmission network; store custom keys in a custom key store; determine, together with the modules for managing user keys of other nodes of the QKD network, the correspondence of the network node of the QKD and the user encoders connected to them; form a common database of connected user encryptors, containing the correspondence between the QKD network nodes and the user encryptors connected to them; generate requests for the generation of a user key into the modules for the generation of user keys; receive custom keys from custom key generation modules according to the transmitted requests. 2. A method for generating and distributing user keys in the system, which consists in the fact that select the order of generating the quantum user key; select the order of generating the classic user key; selecting the order of combining the quantum user key and the classical user key; pre-keys are loaded into modules for generating user keys of the QKD network nodes, and N-1 key is loaded into each module for generating user keys, where N is the number of network nodes of the QKD; loading into the module for generating user keys of each QKD network node identification information for communication with other QKD network nodes, which are connected by a quantum communication line with this QKD network node; loading into each user key management module the identification information of the user encryptors connected to them; transmitting from the module for managing user keys of each node of the QKD network to the modules for managing user keys of all other nodes of the network of the QKD data on the connected user encryptors; receive in the module for managing user keys of each node of the QKD network the transmitted information about the connected user encryptors and write it into a common database of connected user encryptors; the identification information of all neighboring QKD network nodes is transmitted from the module for generating user keys of each node of the QKK network to the modules for generating user keys of the remaining nodes of the QKK network; QKD network topology; receiving a request for a user key from a user encryptor connected to a user key management module of a KKK network node, the request including identification information of a user encryptor for communication with which a user key is required; determine from the common database of connected user encryptors the node of the QKD network to which the user encryptor is connected, for communication with which a user key is required; form in the module for managing user keys of the KKK network node a request for a user key indicating the identification information of the current KKK network node and the KKK network node, determined from the common database of connected user encryptors; transmitting the generated user key request from the user key management module to the user key generation module of the KKK network node; receiving, in the user key generation module, a request for a user key from the user key management module; determining the sequence of QKD network nodes (quantum route) and the number k of nodes in the quantum route from the QKD network node receiving the user key request to the QKD network node indicated in the user key request using the QKD network topology; reserve the quantum route, transmitting from the module for generating user keys of the QKD network node, which received the user key request, to the modules for generating user keys of the network nodes of the QKD, with identifiers corresponding to the remaining identifiers of the QKD network nodes in the quantum route, messages on the reservation of the quantum route; calculate i = 1; (A) sending a quantum key generation request from the user key generation unit to the quantum key generation unit of the ith node of the reserved quantum route and from the user key generation unit to the quantum key generation unit of the (i + 1) th node of the reserved quantum route, and if The i-th node of the QKD network has several modules for generating a quantum key, then a request is sent to the module for generating quantum keys connected by a quantum communication line with the (i + 1) th node of the QKD network; if the (i + 1) th node of the QKD network has several modules for generating a quantum key, then sending a request to the module for generating quantum keys connected by a quantum communication line with the i-th node of the QKD network; generate a quantum key in the modules for generating a quantum key of the i-th and (i + 1) -th nodes of the QKD network; transmitting the obtained quantum key from the quantum key generation unit to the user key generation unit at the i-th and (i + 1) -th node of the QKD network; place the obtained quantum key in the storage of quantum keys of the modules for generating user keys of the i-th and (i + 1) -th nodes of the QKD network; if i <k-1, then calculate i = i + 1, go to stage A; requesting a random number in the module for generating user keys from the module for generating quantum keys of the QKD network node with an identifier corresponding to the first QKD network node of the reserved quantum route; generate the requested random number using the random number generator of the quantum key generating unit; transmitting the generated random number from the module for generating quantum keys to the module for generating user keys of the QKD network node with an identifier corresponding to the first node of the reserved quantum route; a quantum user key is generated at the first and last QKD network node of the reserved quantum route using a random number in the module for generating user keys of the first QKD network node and quantum keys in the quantum key storages of the QKD network nodes included in the reserved quantum route, according to the selected order of generation of the quantum user key; generate a classic user key in the first and last QKD network node of the reserved quantum route in the user key generation units using pre-key keys according to the selected order of generation of the classic user key; generating a user key using a quantum user key and a classical user key in the user key generation units of the first and last QKD network nodes of the reserved quantum route using the quantum user key and the classical user key according to the selected order of combining the quantum user key and the classical user key; transmitting the generated user key from the user key generation unit of the first and last QKD network nodes of the reserved quantum route to the user key management modules of the first and last QKD network nodes of the reserved quantum route; storing the obtained user key in the user key storage of the user key management module of the QKK network node; transferring the user key from the user key storage of the user key management module of the KKK network node to the user encryptor requesting the user key. 3. The method for generating and distributing user keys according to claim 2, in which topological metrics of the QKD network are determined in the modules for generating user keys and transmitted to other modules for generating user keys, which complement the topology of the QKD network, and the topological metrics include the number of quantum keys in the quantum key store; the rate of generation of quantum keys with neighboring nodes of the QKD network; the rate of expenditure and the number of quantum keys on the reserved quantum routes; when determining the quantum route, the modules for generating user keys take into account topological metrics that supplement the topology of the QKD network; when a quantum route is reserved, the reservation message is supplemented with information about the number of required quantum keys for the reservation. 4. The method for generating and distributing user keys according to claim 2, in which the quantum key request to the quantum key generation module contains the characteristics of the requested quantum key: length, maximum time of the quantum key ready, key generation mode. 5. The method for generating and distributing user keys according to claim 2, in which the request for the user key to the user key management module contains the characteristics of the requested quantum key: length, maximum readiness time of the user key, the need to use the classic user key when calculating the user key. 6. The system for generating and distributing keys, including set of network nodes for the generation and quantum distribution of keys (nodes of the QKD network), and the nodes of the QKD network are connected by quantum communication lines so that the graph displaying the connections by quantum lines is connected; QKD network nodes are connected by a classic digital data transmission network; moreover, at least two quantum communication lines are connected to each node of the QKD network; at the same time, the QKD network node includes module for generating custom keys, user key management module, at least two modules for generating quantum keys; moreover, the connection with the quantum communication lines of the QKD network nodes can be performed both directly and through an optical switch; moreover the number of optical switches does not exceed the number of QKD network nodes; each optical switch has one optical input and m optical outputs, allowing up to m quantum communication lines to be connected to one QKD network node; each optical switch is connected by a local digital data line to a user key generation module connected by a quantum communication line to an optical input of the optical switch; wherein each module for managing user keys is connected to the module for generating user keys by a local digital data transmission line and is configured to receive and transmit data to user encryptors via a digital data transmission network; store custom keys in a custom key store; determine, together with the modules for managing user keys of other nodes of the QKD network, the correspondence of the network node of the QKD and the user encoders connected to them; form a common database of connected user encryptors, containing the correspondence between the QKD network nodes and the user encryptors connected to them; create requests for generating a custom key to the modules for generating custom keys; receive custom keys from custom key generation modules according to the transmitted requests; wherein each module for generating quantum keys is connected to the module for generating user keys by a local digital data line and is configured to generate quantum keys together with another module for generating quantum keys connected by a quantum communication line; generate random numbers; receive requests to generate a quantum key from the user key generation module; transfer the generated quantum keys to the modules for generating user keys; transmit and receive service data of the QKD protocol from the module for generating user keys; the module for generating user keys is configured to generate requests for generating a quantum key to the modules for generating quantum keys; receive quantum keys from the modules for generating quantum keys according to the transmitted requests; store quantum keys in a quantum key store; encrypt data; decrypt data; authenticate data; check data authentication; determine the topology of the QKD network; define a quantum route for generating user keys; manage channel switching inside the optical switch; generate user keys together with modules for generating user keys of other nodes of the QKD network on a quantum route, receive requests for generating user keys from modules for managing user keys; pass custom keys to custom key management modules. 7. A method for generating and distributing user keys in the system, which consists in the following: select the order of generating the quantum user key; select the order of generating the classic user key; selecting the order of combining the quantum user key and the classical user key; pre-keys are loaded into modules for generating user keys of the QKD network nodes, and N-1 key is loaded into each module for generating user keys, where N is the number of network nodes of the QKD; loading into the module for generating user keys of each QKD network node identification information for communication with other QKD network nodes, which are connected by a quantum communication line with this QKD network node; loading into each user key management module the identification information of the user encryptors connected to them; transmitting from the module for managing user keys of each node of the QKD network to the modules for managing user keys of all other nodes of the network of the QKD data on the connected user encryptors; receive in the module for managing user keys of each node of the QKD network the transmitted information about the connected user encryptors and collect it into a common database of connected user encryptors; transmitting from the module for generating user keys of each node of the QKD network to the modules for generating user keys of all other nodes of the network of the QKD identification information of all neighboring nodes of the network of the QKD; receive in the module for generating user keys of each node of the QKD network the identification information of the neighboring nodes transmitted to it and, on its basis, form the topology of the QKD network; receiving a request for a user key from a user encryptor connected to a user key management module of a KKK network node, the request including identification information of a user encryptor for communication with which a user key is required; determine, according to the common database of connected user encryptors, the QKD network node to which the user encryptor is connected, for communication with which a user key is required; generating a request for a user key in the user key management module of the QKD network node indicating the identification information of the QKD network node that received the request for the user key and the QKD network node determined from the common database of connected user encryptors; transmitting the generated user key request from the user key management module to the user key generation module of the KKK network node; receiving, in the user key generation module, a request for a user key from the user key management module; determining the sequence of QKD network nodes (quantum route) and the number k of nodes in the quantum route from the QKD network node receiving the user key request to the QKD network node indicated in the user key request using the QKD network topology; reserve a quantum route, transmitting from the module for generating user keys of the QKD network node, which received the user key request, to the modules for generating user keys of the network nodes of the QKD, with identifiers corresponding to the remaining identifiers of the QKD network nodes in the reserved quantum route of the message on the reservation of the quantum route; calculate i = 1, (A) sending a quantum key generation request from the user key generation unit to the quantum key generation unit of the ith node of the reserved quantum route and from the user key generation unit to the quantum key generation unit of the (i + 1) th node of the reserved quantum route, wherein if the i-th node of the QKD network has several modules for generating a quantum key, then sending a request to the module for generating quantum keys connected by a quantum communication line with the (i + 1) th node of the QKD network; if the (i + 1) th node of the QKD network has several modules for generating a quantum key, then sending a request to the module for generating quantum keys connected by a quantum communication line with the i-th node of the QKD network; if the modules for generating quantum keys of the ith and (i + 1) th nodes of the QKD network are connected by a quantum communication channel through an optical switch, then if the module for generating quantum keys of the (i + 1) th node of the QKD network is connected to the j-th output of the optical switch, then switching of quantum channels in the optical switch is set from the module for generating user keys of the i-th node of the QKK network from the input of the optical switch to j- th exit; if the module for generating quantum keys of the i-th node of the QKD network is connected to the j-th output of the optical switch, then switching of quantum channels in the optical switch is set from the module for generating user keys of the (i + 1) -th node of the QKD network from the input of the optical switch to j- th exit; generate a quantum key in the modules for generating a quantum key of the i-th and (i + 1) -th nodes of the QKD network; transmitting the obtained quantum key from the quantum key generation unit to the user key generation unit at the i-th and (i + 1) -th node of the QKD network; place the obtained quantum key in the storage of quantum keys of the modules for generating user keys of the i-th and (i + 1) -th nodes of the QKD network; if i <k-1, then calculate i = i + 1; go to stage A; requesting a random number in the module for generating user keys from the module for generating quantum keys of the QKD network node with the identifier corresponding to the first node of the reserved quantum route; generate the requested random number using the random number generator of the quantum key generating unit; transmitting the generated random number from the quantum key generation unit to the user key generation unit of the QKD network node with the identifier to the corresponding first node of the reserved quantum route; generate a quantum user key at the first and last nodes of the QKD network of the reserved quantum route using a random number in the module for generating user keys of the first node of the QKD network and quantum keys in the quantum key stores of the nodes of the QKD network of the reserved quantum route, according to the selected order of generating the quantum user key; generate a classic user key at the first and last QKD network node of the reserved quantum route in the user key generation modules using pre-key keys according to the selected order of generation of the classic user key; generating a user key using a quantum user key and a classical user key in the user key generation units of the first and last QKD network nodes of the reserved quantum route using the quantum user key and the classical user key according to the selected order of combining the quantum user key and the classical user key; transmitting the generated user key from the user key generation unit of the first and last QKD network nodes of the reserved quantum route to the user key management modules of the first and last QKD network nodes of the reserved quantum route; storing the obtained user key in the user key storage of the user key management module of the QKK network node; transferring the user key from the user key storage of the user key management module of the KKK network node to the user encryptor requesting the user key. 8. The method for generating and distributing user keys according to claim 7, in which topological metrics of the QKD network are determined in the modules for generating user keys and transmitted to other modules for generating user keys, which complement the topology of the QKD network, and the topological metrics include the number of quantum keys in the quantum key store; the rate of generation of quantum keys with neighboring nodes of the QKD network; the rate of expenditure and the number of quantum keys on the reserved quantum routes; take into account topological metrics when determining the quantum route in the module for generating user keys; When a quantum route is reserved, the reservation message is supplemented with information about the number of required quantum keys for the reservation. 9. The method for generating and distributing user keys according to claim 7, in which the request for a quantum key to the quantum key generation module contains the characteristics of the requested quantum key: length, maximum readiness time of the quantum key, key generation mode. 10. The method for generating and distributing user keys according to claim 7, in which the request for the user key to the user key management module contains the characteristics of the requested quantum key: length, maximum readiness time of the user key, the need to use the classic user key when calculating the user key.

Images