US 12,301,563 B2
System and method for pre-shared key (PSK) based wireless access point authentication
Srinivas Kumar, Cupertino, CA (US)
Assigned to SYMMERA INC., Stamford, CT (US)
Filed by SYMMERA INC., Stamford, CT (US)
Filed on Apr. 26, 2023, as Appl. No. 18/139,508.
Claims priority of provisional application 63/454,612, filed on Mar. 24, 2023.
Prior Publication US 2024/0323686 A1, Sep. 26, 2024
Int. Cl. H04L 9/08 (2006.01); H04L 9/32 (2006.01); H04L 9/40 (2022.01); H04W 12/0431 (2021.01); H04W 12/069 (2021.01); H04W 12/30 (2021.01); H04W 12/73 (2021.01)
CPC H04L 63/0853 (2013.01) [H04L 9/08 (2013.01); H04L 9/0819 (2013.01); H04L 9/083 (2013.01); H04L 9/085 (2013.01); H04L 9/088 (2013.01); H04L 9/0891 (2013.01); H04L 9/321 (2013.01); H04L 9/3242 (2013.01); H04L 9/3247 (2013.01); H04L 9/3268 (2013.01); H04W 12/0431 (2021.01); H04W 12/069 (2021.01); H04W 12/35 (2021.01); H04W 12/73 (2021.01)] 16 Claims
OG exemplary drawing
 
1. A method of distributing a symmetric internal wireless access point (WAP) pre-shared key (IWAP-PSK) for secure wireless authentication by a device with a WAP in a production network including a supplicant program executing on the device, the WAP configured for multi-SSID (service set identifier) mode of operation, a key distribution service (KDS), a KDS proxy, a KDS interface, a symmetric KDS member PSK (M-PSK), an M-PSK identity hint, a tenant identifier, a device group identifier associated with the tenant identifier, a member domain associated with the device group identifier, an application identifier associated with the device group identifier, the IWAP-PSK identity hint, an internal WAP SSID (IWAP-SSID), a guest WAP pre-shared key (GWAP-PSK), a guest WAP SSID (GWAP-SSID), a key record, a dynamic host configuration protocol (DHCP) server, and a domain name system (DNS) server, the method comprising:
authenticating, by the supplicant program with the WAP, using the GWAP-SSID and GWAP-PSK, to establish initial wireless access for the device over the production network;
authenticating, with the KDS, by the supplicant program executing on the device, using the tenant identifier, the symmetric KDS member PSK (M-PSK) and the M-PSK identity hint, wherein the device is registered by a DNS hostname on the DNS server configured with the KDS or KDS proxy, and configured as a first member of a device group on the KDS;
retrieving, by the supplicant program, the IWAP-PSK from the KDS, using at least the device group identifier and the IWAP-PSK identity hint, for use as a shared symmetric key for authentication with the wireless access point; and
authenticating, by the supplicant program with the WAP, using the IWAP-SSID and the retrieved IWAP-PSK to establish secure wireless access for the device over the production network to perform a switch-over from a guest SSID to an internal SSID wireless network.
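The four steps recited in claim 1, modelled as an added Python example; this is not code from the patent or from any Symmera product. The claim names the elements (tenant identifier, M-PSK and its identity hint, DNS registration, device group, IWAP-PSK identity hint, key record, guest and internal SSIDs) but not a wire protocol, so the challenge-response HMAC proof, the session token, the mock DNS registration table and every identifier value (tenant-acme, dg-shopfloor, the hint strings, the hostnames) are constructed assumptions. The point the model makes concrete is the trust boundary: the guest SSID only carries the device to the KDS, and the KDS releases the IWAP-PSK key record only to a device that is registered, authenticated with the group's M-PSK, and asking for its own group's key.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# --- Constructed sample data (hypothetical values, not taken from the patent) ---
TENANT_ID = "tenant-acme"
DEVICE_GROUP_ID = "dg-shopfloor"
MEMBER_DOMAIN = "shopfloor.acme.example"
IWAP_SSID, GWAP_SSID = "ACME-Internal", "ACME-Guest"
GWAP_PSK = b"guest-network-psk-constructed"   # widely shared guest key
IWAP_PSK = secrets.token_bytes(32)            # the key the KDS distributes
M_PSK = secrets.token_bytes(32)               # member PSK provisioned to the device group
M_PSK_HINT = "mpsk:acme:shopfloor:v1"         # identity hint selecting the M-PSK
IWAP_PSK_HINT = "iwap:acme:shopfloor:v1"      # identity hint selecting the key record


@dataclass
class KeyRecord:
    """Key record held by the KDS: the key plus the device group it belongs to."""
    device_group_id: str
    key: bytes


class KDS:
    """Mock key distribution service (hypothetical protocol; the claim fixes none)."""

    def __init__(self):
        # Member PSKs are looked up by (tenant, identity hint); each maps to one group.
        self.member_psks = {(TENANT_ID, M_PSK_HINT): (DEVICE_GROUP_ID, M_PSK)}
        self.key_records = {IWAP_PSK_HINT: KeyRecord(DEVICE_GROUP_ID, IWAP_PSK)}
        # Hostnames registered on the DNS server configured with the KDS -> device group.
        self.registered_hosts = {f"press-01.{MEMBER_DOMAIN}": DEVICE_GROUP_ID}
        self.nonces = set()   # outstanding challenges; consumed on use (replay resistance)
        self.sessions = {}    # session token -> device group id

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.nonces.add(nonce)
        return nonce

    def authenticate(self, tenant_id, hostname, hint, nonce, proof):
        """Verify HMAC(M-PSK, tenant || hostname || nonce); return a session token or None."""
        if nonce not in self.nonces:
            return None
        self.nonces.discard(nonce)
        entry = self.member_psks.get((tenant_id, hint))
        group = self.registered_hosts.get(hostname)
        if entry is None or group is None or entry[0] != group:
            return None
        msg = tenant_id.encode() + hostname.encode() + nonce
        expected = hmac.new(entry[1], msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = group
        return token

    def get_key(self, token, device_group_id, hint):
        """Release the IWAP-PSK only to a session bound to the requested device group."""
        rec = self.key_records.get(hint)
        if rec is None or self.sessions.get(token) != device_group_id:
            return None
        if rec.device_group_id != device_group_id:
            return None
        return rec.key


class WAP:
    """Multi-SSID access point: each SSID is protected by its own PSK."""

    def __init__(self):
        self.psks = {GWAP_SSID: GWAP_PSK, IWAP_SSID: IWAP_PSK}

    def associate(self, ssid, psk):
        stored = self.psks.get(ssid)
        return stored is not None and hmac.compare_digest(stored, psk)


def supplicant_onboard(kds, wap, hostname, m_psk):
    """Run the four claimed steps; return the SSID the device ends up on, or None."""
    # Step 1: initial access over the guest SSID with the GWAP-PSK.
    if not wap.associate(GWAP_SSID, GWAP_PSK):
        return None
    # Step 2: authenticate to the KDS with tenant id, M-PSK and M-PSK identity hint.
    nonce = kds.challenge()
    proof = hmac.new(m_psk, TENANT_ID.encode() + hostname.encode() + nonce, hashlib.sha256).digest()
    token = kds.authenticate(TENANT_ID, hostname, M_PSK_HINT, nonce, proof)
    if token is None:
        return GWAP_SSID   # stays on the guest network; no internal key obtained
    # Step 3: retrieve the IWAP-PSK by device group id and IWAP-PSK identity hint.
    iwap_psk = kds.get_key(token, DEVICE_GROUP_ID, IWAP_PSK_HINT)
    if iwap_psk is None:
        return GWAP_SSID
    # Step 4: switch over from the guest SSID to the internal SSID.
    return IWAP_SSID if wap.associate(IWAP_SSID, iwap_psk) else GWAP_SSID
```

A device whose hostname is not registered with the KDS, or that presents a proof under the wrong M-PSK, never leaves the guest SSID, and a session token for one device group cannot pull another group's key record.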