Skip to main content

Typical two-node QKD setup

A typical Quantum Key Distribution (QKD) setup connects two trusted locations, oftenhere called Node A and Node B. Each node contains the components needed to generate, manage and use cryptographic key material for encrypted communication between the two sites.

At both nodes, a QKD system is connected through an optical quantum channel. This channel is used to generate shared secret key material between the two QKD devices. The QKD system does not transmit the user’s data payload. Its purpose is to create fresh cryptographic keys that are available at both ends of the link.

The generated key material is passed to a Key Management System (KMS) at each node. The KMS stores, synchronizes and manages the keys and makes them available to authorized encryption devices or applications through a defined key interface. This separation is important: the QKD system is responsible for key generation, while the KMS is responsible for key handling, delivery and lifecycle management.

image.png

The actual user data is handled by the normal communication infrastructure. A user, application or service sends plaintext data to an encryptor or transport encryption layer. The encryptor requests suitable keys from the local KMS and uses them to protect the data, for example with symmetric encryption such as AES. The encrypted data is then sent over the data channel to the other node.

At the receiving side, the corresponding encryptor requests the matching key material from its local KMS and decrypts the data for the receiving user or application. In this way, both nodes can communicate securely while the applications themselves do not need to interact directly with the QKD system.