US 12,225,110 B2
Key management system
Guanghui Gao, Jiangsu (CN)
Assigned to INSPUR SUZHOU INTELLIGENT TECHNOLOGY CO., LTD., Jiangsu (CN)
Appl. No. 18/015,801
Filed by INSPUR SUZHOU INTELLIGENT TECHNOLOGY CO., LTD., Jiangsu (CN)
PCT Filed May 27, 2021, PCT No. PCT/CN2021/096545
§ 371(c)(1), (2) Date Jan. 12, 2023,
PCT Pub. No. WO2022/033122, PCT Pub. Date Feb. 17, 2022.
Claims priority of application No. 202010819554.X (CN), filed on Aug. 14, 2020.
Prior Publication US 2023/0275747 A1, Aug. 31, 2023
Int. Cl. H04L 9/08 (2006.01)
CPC H04L 9/0822 (2013.01) [H04L 9/0852 (2013.01)] 10 Claims
OG exemplary drawing
 
1. A key management system, comprising:
a control node;
multiple computing nodes, all of the multiple computing nodes are connected to the control node; and
multiple Quantum Key Distribution (QKD) nodes, all of the multiple QKD nodes are connected to the control node, and each of the multiple QKD nodes is connected to one of the multiple computing nodes,
wherein each of the multiple QKD nodes is configured to generate a root key, generate Key Encryption Keys (KEKs) between the QKD node and a plurality of other QKD nodes according to a first instruction sent by the control node, and generate, according to a second instruction sent by the control node, a Data Encryption Key (DEK) corresponding to a user on the one of the multiple computing nodes connected to the QKD node;
wherein each of the multiple OKD nodes is further configured to send the KEKs to the corresponding plurality of other QKD nodes such that the corresponding plurality of other QKD nodes encrypt the KEKs with own root keys;
wherein each of the multiple computing nodes is configured to, in response to receiving a request of the user for a DEK between the user and a second user on a further computing node, send the request to the control node;
wherein the QKD node connected to the one of the multiple computing nodes that sent the request is configured to generate the DEK between the user and the second user on the further computing node in response to receiving the second instruction;
wherein the OKD node is further configured to delete an unencrypted KEK and an unencrypted DEK;
wherein each of the multiple computing nodes is further configured to, in response to receiving plaintext data to be transmitted sent by the user to the second user on the further computing node, send the plaintext data to be transmitted to the QKD node connected to the one of the multiple computing nodes; and
wherein the OKD node is further configured to, in response to receiving the plaintext data to be transmitted, decrypt, with the root key, an encrypted KEK between the QKD node and a further QKD node connected to the further computing node to yield a decrypted KEK, decrypt an encrypted DEK between the user and the second user on the further computing node with the decrypted KEK to yield a decrypted DEK, encrypt the plaintext data to be transmitted with the decrypted DEK to obtain ciphertext data to be transmitted, and return the ciphertext data to be transmitted to the computing node.