RU2831046C1 - Method for generating key between nodes of computer network using quantum key distribution system - Google Patents

Abstract

FIELD: physics.

SUBSTANCE: invention relates to systems for generating keys using quantum key distribution (QKD) technology for cryptographic information security means. Primary connection to the QKD network is performed on the part of the user B1 in a trusted manner on the base TIN BA1 in the territorial area of its service through the trusted local communication line. Primary connection to the QKD network is performed on the side of the user B2 in a trusted manner on the base TIN BA2 in the territorial area of its service through the trusted local communication line. If it is necessary to work from another selected territorial zone, user B1 connects to the QKD network to the selected current TIN A_P serving the selected territorial zone. Local communication key KP with this TIN A_P is generated and transmitted from the TIN A_P to the user B1. A request is sent from user B1 to the TIN A_P for provision of a key for communication with the selected user B2. A request is received in the TIN A_P from the user B1 to provide the key. On the side of the TIN A_P, the search in the QKD network is carried out for the basic TIN for the user B1. An identifier BA1 of the basic TIN for user B1 is obtained in the TIN A_P. A request is sent from the TIN A_P to the TIN BA1 to obtain a key K12 for providing communication between user B1 and user B2.

EFFECT: faster provision of keys for users.

5 cl, 1 dwg

Description

Field of technology to which the invention relates

The proposed invention relates to the field of cryptographic information protection and, in particular, to key generation systems using quantum key distribution (QKD) technology for cryptographic information protection means.

State of the art

QKD systems are used to generate paired encryption keys that are resistant, among other things, to threats using quantum computers. To overcome the fundamental limitation of the maximum length of a quantum channel between two elements of the system, an approach is used based on the construction of quantum key distribution networks with trusted intermediate nodes. Such nodes are sequentially connected by quantum channels used to generate or distribute a key between edge devices and then transmit such keys to user devices.

A QKD device, a QKD system and a QKD method are known (US application No. 20190260581, published on 08/22/2019). A centralized controller in the system receives Z service requests, globally determines, based on the identifier of the source service node and the identifier of the destination service node that correspond to each of the Z service requests, a quantum key consumption parameter and information about the topology of the key nodes in the centralized management and control network, globally optimal key transfer instructions corresponding to the G requests, and additionally delivers the key transfer instructions corresponding to the G requests to the key nodes corresponding to the key transfer instructions, so that the key nodes perform quantum key transfer based on the key transfer instructions to generate a common quantum key between the source key node and the destination key node.

The known device, system and method have a number of disadvantages.

Thus, to form a common quantum key, it is necessary to determine in advance the initial key node and the destination key node between which the key is required, which corresponds to the unambiguous connection of consumers of such a key to these nodes. Generating a common key is possible with simultaneous connection of users to the initial key node and the destination node. Also, the definition of key transmission instructions and, accordingly, key transmission routes is carried out in a single control center, which is a vulnerable point of network failure in the event of an intruder attack, moreover, additional time is required to transmit requests to the control center and subsequent sending of instructions to the system nodes, and some calculations could be performed locally on the system nodes.

A system for generating and distributing keys and a method for distributed key generation in such a system are known (RU Patent No. 2752844). According to the method, a classic user key is generated in the first and last node of the QRK network of the reserved quantum route in the user key generation modules using preliminary keys according to the selected order of generating the classic user key. A user key is generated in the user key generation modules of the first and last nodes of the QRK network of the reserved quantum route using the quantum user key and the classic user key according to the selected order of combining the quantum user key and the classic user key. The generated user key is transmitted from the user key generation module of the first and last nodes of the QRK network of the reserved quantum route to the user key management modules of the first and last nodes of the QRK network of the reserved quantum route. The received user key is stored in the user key storage of the user key management module of the QRK network node. The user key is transferred from the user key storage of the user key management module of the KRK network node to the user encryptor that requested the user key.

The known method was chosen as a prototype.

However, the known method has a number of disadvantages:

• to generate a user key, it is necessary to determine in advance a pair of system nodes to which users are connected;

• both users for whom the key is generated must be simultaneously connected to specific nodes of the system; without this, it is impossible to determine for which pair of nodes of the QKD network to reserve the quantum route and begin generating a common user key;

Disclosure of invention

The technical result is

1) increasing convenience for users, consisting in the ability to connect users to arbitrary remote control units of the CRC network at arbitrary times,

2) reducing the time it takes to provide keys to users due to the fact that there is no need to wait for the second user to connect to the KRK network.

For this purpose, a method for generating and distributing keys in a quantum key distribution network is proposed, including,

• a set of N trusted intermediate nodes (TINs), where

ο The DPUs are connected by fiber-optic communication lines,

ο each DPU in the network is assigned a unique node identifier Ai, i from 1 to N;

ο each DPU is connected to a digital data transmission network, ο each DPU has a trusted local communication line for connecting users;

• a set of M computing devices (users), at least two, serving the needs of certain individuals or other technical systems, and

ο each user in the quantum key distribution (QKD) network is assigned a unique identifier Bi, i from 1 to M,

ο each user in the KRK network is assigned a basic DPU with the identifier BAi after the first request,

ο each user is registered on his/her basic DPU,

ο each user knows the identifiers of all other users with whom he needs a key to communicate,

ο each user is connected to a digital data transmission network; each DPU is designed with the ability to

• generation of a quantum-protected key with any other DPU

• generation of a quantum key QK with any neighboring DPU,

• calculation of the quantum route to any other DPU,

• determining the identifier of the base DPU based on the specified user identifier,

• registration of users, and when a user is registered on the DPU, authentication of this user is performed in the quantum key distribution (QKD) network,

• formation, upon registration of the user at the current DPU, of a local communication key KN between the DPU and the user, which is saved in the DPU and with the user,

• generate and transmit encrypted messages to the user using the generated communication key KN via a trusted local communication line,

• store generated keys for user pairs

• serve users in a specific territorial zone; each user has the ability to

• receive and transmit data via a digital data network,

• receive and transmit data to the DPU when connected via a trusted local communication line,

• encrypt and decrypt data on the generated communication key KN,

• store and process data during operation; the method consists in the fact that:

• carry out, in a trusted manner, on the part of user B1, the initial connection to the KRK network on the base DPU BA1 in the territorial zone of its service through a trusted local communication line, during which the following actions are performed:

ο register the user with the assignment of the identifier B1,

ο carry out user authentication in the KRK network with the generation of a local communication key K1,

ο transmit the identifier of this DPU BA1 to the user as a base one,

ο transmit the local communication key K1 to the user;

• carry out, in a trusted manner, on the part of user B2, the initial connection to the KRK network on the base DPU BA2 in the territorial zone of its service through a trusted local communication line, during which the following actions are performed:

ο register the user with the assignment of the identifier B2,

ο carry out user authentication in the KRK network with the generation of a local communication key K2,

ο transmit the identifier of this DPU VA2 to the user as a base one,

ο transmit the local communication key K2 to the user;

• if it is necessary to work from another selected territorial zone, a connection is made from the user B1 side to the KRK network to the selected current DPU _AR servicing the selected territorial zone;

• generate and transmit from the DPU A _R to the user B1 a local communication key KP with this DPU;

• send a request from user B1 to the DPU A _R to provide a key for communication with the selected user B2;

• receive a request to the DPU A _R from user B1 to provide a key;

• conduct a search on the part of the DPU _AR in the KRK network for the base DPU for user B1;

• receive in the DPU A _R the identifier BA1 of the basic DPU for user B1;

• send a request from DPU A _R to DPU BA1 to obtain key K12 to ensure communication between user B1 and user B2;

• conduct a search on the part of DPU BA1 in the KRK network for the base DPU for user B2;

• receive in DPU BA1 the identifier BA2 of the basic DPU for user B2;

• initiate, from the side of the DPU VA1, the generation of a quantum-protected key K12 from the DPU VA2;

• assign and save in the DPU BA1 the generated quantum-protected key as key K12 for communication between user B1 and user B2;

• assign and save in the DPU BA2 the generated quantum-protected key as key K12 for communication between user B1 and user B2;

• calculate in DPU BA1 the quantum route to DPU A _R ;

• transmit key K12 from DPU BA1 along the calculated quantum route to DPU A _R , and on each segment of the quantum route between neighboring DPUs A _I and DPUs A _J

ο encrypt the key K12 on the quantum key QK _IJ between adjacent DPUs,

ο transmit the key K12 in encrypted form Y _IJ =ENC_QK _IJ (K12) on the quantum key QK _IJ between these DPUs;

• receive in the DPU A _R the encrypted key Y _IJ from the penultimate DPU of the quantum route;

• decrypt the received encrypted key Y _IJ in the DPU A _R and obtain the key K12;

• encrypt the received key K12 in the DPU A _R using the local communication key KP;

• transfer the encrypted key K12 from the DPU A _R to user B1;

• receive encrypted key K12 on the user side B1;

• decrypt the encrypted key K12 on the user B1 side using the local communication key KP, obtaining the requested key K12 for communication with user B2;

• if necessary, disconnect from the A _R DPU on the part of user B1;

• carry out, from the user B2 side, a connection to the KRK network to the selected current DPU A _T ;

• generate and transmit from the DPU A _T to the user B2 a local communication key KT with this DPU;

• send a request from user B2 to the DPU A _T to provide a key for communication with the selected user B1;

• receive a request from user B2 to the DPU A _T to provide a key;

• conduct a search on the part of the DPU _AT in the KRK network for the base DPU for user B2;

• receive in the DPU A _T the identifier BA2 of the basic DPU for user B2;

• send a request from DPU A _T to DPU BA2 to obtain key K12 to ensure communication between user B1 and user B2;

• calculate in DPU BA2 the quantum route to DPU A _T ;

• transmit key K12 from DPU BA2 along the calculated quantum route to DPU A _T , and on each segment of the quantum route between neighboring DPUs A _I and DPUs A _J

ο encrypt the key K12 on the quantum key QK _IJ between adjacent DPUs,

ο transmit the key K12 in encrypted form Y _IJ =ENC_QK _IJ (K12) on the quantum key QK _IJ between these DPUs;

• receive in the DPU A _T the encrypted key Y _IJ from the penultimate DPU of the quantum route;

• decrypt the received encrypted key Y _IJ in the DPU A _T and obtain the key K12;

• encrypt the K12 key in the DPU _AT using the local communication key KT;

• transfer the encrypted key K12 from the DPU A _T to user B2;

• receive encrypted key K12 on the user side B2;

• decrypt the encrypted key K12 on the user B2 side using the local key KT, obtaining the requested key K12 for communication with user B1;

• if necessary, disconnect from the A _T control panel on the part of user B2;

• if necessary, carry out an exchange of messages between user B1 and user B2, encrypted using key K12, via a digital data transmission network.

Additionally, after receiving a request to the DPU A _R from user B1 to provide a key for communication with the selected user B2

• conduct a search on the part of the DPU _AR in the KRK network for the base DPU for user B2;

• receive in the DPU A _R the identifier BA2 of the basic DPU for user B2;

• initiate, from the side of the DPU _AR, the generation of a quantum-protected key from the DPU BA2;

• assign and save in the DPU A _R the generated quantum-protected key with key K12 for the pair of users B1 and B2;

• assign and save in the DPU BA2 the generated quantum-protected key as key K12 for the pair of users B1 and B2;

• encrypt the received key K12 in the DPU A _R using the local communication key KP;

• transfer the encrypted key K12 from the DPU A _R to user B1;

• receive encrypted key K12 on the user side B1;

• decrypt the encrypted key K12 on the user B1 side using the local key KP, obtaining the requested key K12 for communication with user B2;

• if necessary, disconnect from the A _R DPU on the part of user B1;

• from the user B2 side, they connect to the KRK network to the selected current DPU A _T and receive the K12 key.

Additionally, the key K12, before being transmitted along the quantum route from the base DPU BA1 to the current DPU A _R to which the user is connected, is encrypted using the communication key K1 of the user and his base DPU, while

• receive on the user side B1 from the DPU A _R the key K12 encrypted sequentially on the communication key K1 and the local key KP;

• decrypt the received encrypted key on the user B1 side using the local key KP, obtaining the communication key encrypted using the communication key K1;

• decrypt the received encrypted key on the user B1 side using the local key K1, obtaining the requested key K12 for communication with user B2.

Additionally, when requesting a key for communication with another user, the user specifies a pair of base DPU identifiers corresponding to the pair of users in the request.

Additionally, the requested key K12 is transmitted from the base DPU BA1 to the user via a digital data transmission network with protection on the communication key K1.

Trusted intermediate node networks (TINs) allow generating keys for arbitrary pairs of network nodes for subsequent transmission to user devices connected to them. It is usually necessary to determine the pair of TIN network nodes to which user devices are connected to begin generating the key. Stationary key consumers are usually connected to TIN network nodes, so at the time of requesting a key for communication with another consumer, the pair of TIN network nodes to which they are connected is known. In the case of key consumers moving between TIN network nodes, which is in demand for mobile devices, it is impossible to predict in advance with which TIN network node the key will need to be generated.

The users of the CRC network are considered to be computing devices serving the needs of certain individuals or other technical systems. For individuals, these may be, for example, stationary or portable computers or tablets of company employees, and for technical systems - end devices such as routers, routers, video recorders, etc.

To solve this problem, in the proposed method, each user device connected to the CRK network is registered (assigned) to a pre-selected base node of the CRK network. In the case of stationary users, the functioning of the CRK network does not change, since they are always connected to their base nodes. The base nodes of the CRK network of different users may coincide.

To obtain a key for communication with another mobile device, a connection is made to an arbitrary node of the CRK network, let's call it the current node, at an arbitrary time. The CRK network has all the necessary information about registered user devices and their base nodes of the CRK network. Therefore, a request for a key for communication between one mobile device and another mobile device is redirected from the current node of the first user to the base node of the first user. The key for communication between two users is generated between a pair of base nodes of the CRK network and is stored in them until requested by the users. The first user will receive his key immediately, and the second, when he connects to some node of the CRK network, not necessarily his base one. Due to this, the time for the user to receive the key is reduced, since the second user does not need to connect to the CRK network node to start generating the key.

It should be noted that there are different options for connecting users to the DPU. The most common case is when users connect to different current DPUs, each of which does not coincide with any of the users' basic DPUs.

In this case, there are options in which, for example, a user connects to the base DPU of the second user. For the first user, however, this DPU will be the current DPU. The current DPU to which users connect may be the same for both users. In this case, the same key will be transmitted twice, once from the base DPU of the first user, the second time from the base DPU of the second user. If one of the users connects to his base DPU, i.e. the current and base DPUs of the user coincide, then the search for the base DPU becomes trivial and transmission along the quantum route is not performed, since the route consists of a single DPU.

If both users connect to their base DPUs, the situation described in the prototype will occur.

The transmission of the generated key from the base node of the QRK network to the current node is carried out along a quantum route with sequential re-encryption of the transmitted key on quantum keys.

A quantum route is a sequence of adjacent DPUs connecting two DPUs between which a key must be transmitted (the definition and formation of a rational quantum route is proposed, for example, in Russian patent No. 2764458).

In this case, quantum routes connect the base and current DPU of one user.

Adjacent DPUs are DPUs connected by a quantum communication channel and, therefore, capable of generating a common quantum key to protect the transmission of key information for communication between two users.

Additionally, the key transmitted to the user from his base node of the CRK network can be pre-encrypted on a local key stored by the user and his base node at the stage of the user's registration in the CRK network. Due to additional encryption, the security of distributed keys is also increased, since they become inaccessible to the nodes of the CRK network when they are transmitted from the base node of the CRK network to the current node.

Additionally, if the condition is met that the user who is the first of the pair of users to request a key for communication with another user does not disconnect from the current node of the CRC network before receiving the requested key, the generation of a key for communication between two users may be carried out not between the two base nodes of these users, but between the current node of the first user and the base node of the second user. Such guarantees may be implemented, for example, by organizational measures for obtaining communication keys from the CRC network.

To simplify the search for user base nodes, during the initial registration of a user in the QRK network, he/she may be transferred not only the user identifier and the local key for communication with the QRK network base node, but also the identifier of the base node. Users exchange not only their identifiers in the QRK network to form requests, but also the identifiers of their base nodes of the QRK network. When requesting a key for communication with another user, the current QRK network node is transferred a pair of user identifiers for which a key for communication is required, and a corresponding pair of identifiers of the QRK network base nodes. In this case, the QRK network does not independently search for user base nodes, but generates a quantum-protected key between the specified base DPUs.

The procedure for searching for basic user nodes, in general, consists of forming and sending requests from one DPU to all other DPUs and receiving responses to requests via a digital data transmission network. The procedure can be organized in different ways; in general, for example, the request can be sent in clear form, but it is preferable to send the request encrypted. To encrypt such service requests, quantum-protected keys generated between the nodes of the QRK network for the needs of the QRK network can be used.

In security models that allow the transmission of key information to the user via a digital data transmission network from the QCD network, the quantum-protected key generated by two base DPUs can be transmitted directly from the base DPU to the user with protection on the communication key of the user and the base DPU.

After receiving the first key for communication between two users, these users can again access the CRC network after some time if it is necessary to receive a new key. Such a need may arise, for example, when the load on the key is exhausted, the key lifetime expires. Each user in different pairs composed of a set of CRC network users can act both as the first user initiating the creation of a key for communication, and as the second user receiving a previously created key from his base DPU.

Thus, the convenience of users' work in the KRK network is increased; now users do not need to be tied to a specific location or service area of a specific DPU.

At the same time, the time it takes to provide keys to users is reduced due to the fact that there is no need to wait for the second user to connect to the KRK network.

Brief description of the drawings

The graphic image shows a diagram of a control room network consisting of 5 remote control units with two connected users.

The numbers on the figure indicate:

1 - DPU of the KRK network,

2 - user,

3 - trusted local communication line,

4 - quantum communication channel between the DPU (shown by double lines),

5 - digital data transmission network.

Implementation of the invention

The proposed method can be implemented in any suitable QRC network, for example, using the well-known ViPNet QTS system (https://infotecs.ru/products/vipnet-qts/).

ViPNet RUKS hardware and software systems with modified software are selected as DPU. Single-mode optical fiber of SMF-28 type of acceptable length is selected as quantum communication channel 4. Trusted local communication line 3 is implemented as an Ethernet protocol channel. For example, a laptop with an additional software module can be used as a user computing device.

The corresponding changes to the software and modified software modules for the DPU and computing devices of users can be formed by a programming specialist (programmer) based on knowledge of the functions performed in the method.

Let the CRC network consist of 5 DPUs with identifiers A1, A2, A3, A4, A5. Two users in the system are assigned identifiers B1 and B2. The users know the identifiers of other users with whom they can establish secure interaction.

To implement the method, perform the following steps:

Select some DPU, for example, with identifier A2 as the base for the user with identifier B1. Perform the initial connection of the user to this DPU via a trusted local communication line, register the user on this DPU, generate a local communication key K1 in the DPU. Transfer the communication key and identifier A2 to the user.

Similarly, some DPU is selected, for example, with the identifier A4 as the base for the user with the identifier B2. The user is initially connected to this DPU via a trusted local communication line, the user is registered on this DPU, and a local communication key K2 is generated in the DPU. The communication key and the identifier A4 are transmitted to the user.

If it is necessary to obtain a key for communication with the second user, the first user connects to the DPU in whose service area he is currently located. Let it be DPU A1. This DPU will be the current one for the first user. In DPU A1, a local communication key KZ is formed and transmitted to the user.

A request for a communication key is generated for users B1 and B2, which is transmitted to DPU A1. A search is conducted from DPU A1 in the KRK network of the base DPU of user B1. As a result, it is determined that DPU A2 is the base DPU for user B1 and the request for a communication key for a pair of users is redirected to this base DPU.

A search is carried out from the side of DPU A2 in the QRC network of the base DPU of user B2. As a result, it is determined that the base DPU for user B2 is A4. A quantum-protected key K12 is generated between the pair of DPUs A2 and A4, for example, according to the ISTOQ-M protocol (MP 26.5.003-2023 Methodological recommendations TC26. Information technology. Cryptographic protection of information. Key system of a fully connected multi-tenant encrypted communication network based on the QCS VRK with DPU, Moscow, Technical Committee for Standardization "cryptographic protection of information, 2023).

The obtained quantum-protected key is stored in the memory of the second user's base DPU (DPU A4) until required.

A quantum route is determined from DPU A2 to DPU A1. Let the quantum route consist of DPUs with the following identifiers: A2, A3, A1. Between DPUs A2, A3, a quantum key Q1 is generated, and between DPUs with A3, A1, a quantum key Q2 is generated.

The obtained quantum-protected key K12 is encrypted on the quantum key Q1, for example, using the key container KEHR15 (R 1323565.1.017-2018 Recommendations for standardization. Information technology. Cryptographic protection of information. Cryptographic algorithms accompanying the use of block encryption algorithms, Moscow, Standartinform, 2018.), and transmitted from the DPU A2 to the next DPU of the quantum route A3. At this DPU, the transmitted key K12 is decrypted on the key Q1 and encrypted on the key Q2. Then the encrypted key is transmitted to the next DPU of the quantum route A1, where the received key is decrypted on the key Q2 and the requested communication key K12 is obtained.

The communication key K12 is encrypted on the local communication key of the current DPU and the first user KZ. The encrypted key is transmitted to the user via the local communication line. The user decrypts the received encrypted key on the local communication key KZ and receives the requested communication key K12 for communication with the second user. Now the user can disconnect from the current DPU.

The second user, when it is necessary to obtain a key for communication with the first user, connects to the DPU in whose service area he is currently located. Let this be DPU A5. This DPU will be the current one for the second user. In DPU A5, a local communication key K4 is formed and transmitted to the user.

A request for a communication key is generated for users B1 and B2, which is transmitted to DPU A5. A search is conducted from DPU A5 in the KRK network of the base DPU of the user with B2. As a result, it is determined that the base DPU for user B2 is DPU A4 and the request for a communication key for a pair of users is redirected to this base DPU.

DPU A4 has a previously saved key K12 for communication between users B1 and B2. A quantum route is determined from DPU A4 to DPU A5. Let the quantum route consist of DPUs with the following identifiers: A4, A5. A quantum key Q3 is generated between DPUs A4 and A5.

The resulting quantum-protected key K12 is encrypted on the quantum key Q3 and transmitted from the DPU A4 to the next DPU of the quantum route A5. At this DPU, the transmitted key K12 is decrypted on the key Q3.

The communication key K12 is encrypted on the local communication key of the current DPU A5 and the second user K4. The encrypted key is transmitted to the user via the local communication line. The user decrypts the received encrypted key on the local communication key K4 and receives the requested communication key K12 for communication with the first user. Now the second user can also disconnect from the current DPU.

Now both users B1 and B2 have the K12 key for communication and can, if necessary, carry out secure interaction with each other via a digital data transmission network.

Claims (91)

A method for generating and distributing keys in a quantum key distribution network that includes a set of N trusted intermediate nodes (TINs), where the TINs are connected by fiber-optic communication lines; each DPU in the network is assigned a unique node identifier Ai, i from 1 to N; each DPU is connected to a digital data transmission network, each DPU has a trusted local communication line for connecting users; a set of M computing devices (users), at least two, serving the needs of certain individuals or other technical systems, and each user in the quantum key distribution (QKD) network is assigned a unique identifier Bi, i from 1 to M; each user in the QKD network is assigned a basic DPU with the identifier BAi after the first request; each user is registered on his basic DPU; each user knows the identifiers of all other users, for communication with whom he requires a key; each user is connected to a digital data transmission network; each DPU is designed with the ability generation of a quantum-protected key with any other DPU; generation of a quantum key QK with any neighboring DPU; calculation of the quantum route to any other DPU; determining the identifier of the base DPU based on the specified user identifier; user registration, and when a user registers on the DPU, this user is authenticated in the quantum key distribution (QKD) network; formation, upon registration of the user at the current DPU, of a local communication key KN between the DPU and the user, which is saved in the DPU and with the user; generate and transmit encrypted messages to the user using the generated communication key KN via a trusted local communication line; store generated keys for user pairs; serve users in a specific territorial zone; each user has the ability to receive and transmit data via a digital data transmission network; receive and transmit data to the DPU when connected via a trusted local communication line; encrypt and decrypt data on the generated communication key KN; store and process data during operation; the method is that: carry out, in a trusted manner, on the part of user B1, the initial connection to the KRK network on the base DPU BA1 in the territorial zone of its service through a trusted local communication line, during which the following actions are performed: register the user and assign the identifier B1; carry out user authentication in the CRC network with the generation of a local communication key K1; transmit the identifier of this DPU BA1 to the user as a base one; transmit the local communication key K1 to the user; carry out, in a trusted manner, on the part of user B2, the initial connection to the KRK network on the base DPU BA2 in the territorial zone of its service through a trusted local communication line, during which the following actions are performed: register the user and assign the B2 identifier; carry out user authentication in the KRK network with the generation of a local communication key K2; transmit the identifier of this DPU VA2 to the user as a base one; transmit the local communication key K2 to the user; if it is necessary to work from another selected territorial zone, a connection is made from the user B1 side to the KRK network to the selected current DPU _AR servicing the selected territorial zone; generate and transmit from the DPU A _R to the user B1 a local communication key KR with this DPU; send a request from user B1 to DPU A _r to provide a key for communication with the selected user B2; receive a request from user B1 to the DPU A _R to provide a key; conduct a search on the part of the DPU A _R in the KRK network for the base DPU for user B1; receive in the DPU A _R the identifier BA1 of the basic DPU for user B1; send a request from DPU A _R to DPU BA1 to obtain key K12 to ensure communication between user B1 and user B2; from the side of DPU BA1, a search is carried out in the KRK network of the base DPU for user B2; receive in DPU BA1 the identifier BA2 of the basic DPU for user B2; initiate, from the side of the DPU VA1, the generation of a quantum-protected key K12 from the DPU VA2; assign and save in the DPU BA1 the generated quantum-protected key as key K12 for communication between user B1 and user B2; assign and save in the DPU BA2 the generated quantum-protected key as key K12 for communication between user B1 and user B2; calculate in DPU BA1 the quantum route to DPU A _R ; transmit from DPU BA1 the key K12 along the calculated quantum route to DPU A _R , and on each segment of the quantum route between neighboring DPUs A _I and DPUs A _J encrypt the key K12 on the quantum key QK _IJ between adjacent DPUs; transmit the key K12 in encrypted form Y _IJ =ENC_QK _IJ (K12) on the quantum key QK _IJ and between these DPUs; receive in the DPU A _R the encrypted key Y _IJ from the penultimate DPU of the quantum route; decrypt the received encrypted key Y _IJ in the DPU A _R and obtain the key K12; encrypt the received key K12 in the DPU A _R using the local communication key KP; transmit the encrypted key K12 from the DPU A _R to user B1; receive encrypted key K12 on the user side B1; decrypt the encrypted key K12 on the user B1 side using the local communication key KP, obtaining the requested key K12 for communication with user B2; if necessary, disconnect from the DPU A _R on the part of user B1; carry out, from the user B2 side, a connection to the KRK network to the selected current DPU A _T ; generate and transmit from the DPU A _T to the user B2 a local key for communication between the CT and this DPU; send a request from user B2 to the DPU A _T to provide a key for communication with the selected user B1; receive a request to the DPU A _T from user B2 to provide a key; from the side of the DPU A _T, a search is carried out in the KRK network of the base DPU for user B2; receive in the DPU A _T the identifier BA2 of the basic DPU for user B2; send a request from DPU A _T to DPU BA2 to obtain key K12 to ensure communication between user B1 and user B2; calculate in DPU BA2 the quantum route to DPU A _T ; transmit from DPU BA2 the key K12 along the calculated quantum route to DPU A _T , and on each segment of the quantum route between neighboring DPUs A _I and DPUs A _J encrypt the key K12 on the quantum key QK _IJ between adjacent DPUs; transmit the key K12 in encrypted form Y _IJ =ENC_QK _IJ (K12) on the quantum key QK _IJ between these DPUs; receive in the DPU A _T the encrypted key Y _IJ from the penultimate DPU of the quantum route; decrypt the received encrypted key Y _ij in the DPU A _T and obtain the key K12; encrypt the K12 key in the DPU _AT using the local communication key KT; transmit the encrypted key K12 from the DPU A _T to user B2; receive encrypted key K12 on the user side B2; decrypt the encrypted key K12 on the user B2 side using the local key KT, obtaining the requested key K12 for communication with user B1; if necessary, disconnection from the A _T DPU is carried out by user B2; if necessary, they exchange messages between user B1 and user B2, encrypted with key K12, via a digital data transmission network. 2. The method according to paragraph 1, in which after receiving a request to the DPU A _R from user B1 to provide a key for communication with the selected user B2 from the side of the DPU A _R, a search is carried out in the KRK network of the base DPU for user B2; receive in the DPU A _R the identifier BA2 of the basic DPU for user B2; initiate, from the side of the DPU A _R, the generation of a quantum-protected key from the DPU BA2; assign and save in the DPU A _R the generated quantum-protected key with key K12 for the pair of users B1 and B2; assign and save in the DPU BA2 the generated quantum-protected key as key K12 for the pair of users B1 and B2; encrypt the received key K12 in the DPU A _R using the local communication key KP; transmit the encrypted key K12 from the DPU A _R to user B1; receive encrypted key K12 on the user side B1; decrypt the encrypted key K12 on the user B1 side using the local key KR, obtaining the requested key K12 for communication with user B2; if necessary, disconnect from the DPU A _R on the part of user B1; On the user side B2 connects to the KRK network to the selected current DPU A _T and receives the K12 key. 3. The method according to item 1, in which the key K12, before being transmitted along the quantum route from the base DPU BA1 to the current DPU A _R to which the user is connected, is encrypted using the communication key K1 of the user and his base DPU, wherein receive on the user side B1 from the DPU A _R the key K12 encrypted sequentially on the communication key K1 and the local key KR; decrypt the received encrypted key on the user B1 side using the local key KP, obtaining the communication key encrypted on the communication key K1; decrypt the received encrypted key on the user B1 side using the local key K1, obtaining the requested key K12 for communication with user B2. 4. The method according to item 1, wherein the user, when requesting a key for communication with another user, specifies a pair of identifiers of base DPUs corresponding to the pair of users in the request. 5. The method according to item 1, in which the transmission of the requested key K12 from the base DPU BA1 to the user is carried out via a digital data transmission network with protection on the communication key K1.

Images