| CPC H04L 9/085 (2013.01) [G06F 21/602 (2013.01); H04L 9/08 (2013.01); H04L 9/0819 (2013.01); H04L 9/083 (2013.01); H04L 9/088 (2013.01); H04L 9/0891 (2013.01); H04L 9/321 (2013.01); H04L 9/3242 (2013.01); H04L 9/3247 (2013.01); H04L 9/3268 (2013.01); H04L 63/0853 (2013.01); H04W 12/0431 (2021.01); H04W 12/069 (2021.01); H04W 12/35 (2021.01); H04W 12/73 (2021.01)] | 26 Claims |

1. A method of generating, distributing, and managing a lifecycle of a symmetric pre-shared key (PSK) used in client authentication (C-PSK) between applications executing on distributed mobile devices including a client application executing on a client mobile device, a server application executing on a server device, a key distribution service (KDS), a KDS proxy, a KDS interface, a symmetric KDS member PSK (M-PSK), a M-PSK identity hint, a tenant identifier, a device group identifier associated with a tenant identifier, a member domain associated with the group identifier, an application identifier associated with the group identifier, a C-PSK identity hint, a key record, a domain name system (DNS) server, a device directory service (DDS), and a mobile service provider (MSP) server, the method comprising:
authenticating, with the KDS, by the client application executing on the client mobile device, using the tenant identifier, the symmetric KDS member PSK (M-PSK) and the M-PSK identity hint, wherein the client mobile device is registered by an international mobile subscriber identity (IMSI) on the MSP server, configured with the KDS or the KDS proxy, and wherein the client mobile device is configured as a first member of a device group on the KDS;
acquiring, by the client application, the C-PSK from the KDS using at least the group identifier and the C-PSK identity hint, wherein the C-PSK is used as a shared symmetric key for client authentication over a secure transport protocol during communication with the server application executing on the server device, wherein the server device is registered by a DNS hostname in the DNS server, wherein the server device is configured as a second member of the device group on the KDS;
authenticating with the KDS, by the server application executing on the server device, using the tenant identifier, the symmetric KDS member PSK (M-PSK), and the M-PSK identity hint, wherein the server device is registered by a DNS hostname on the DNS server configured with the KDS or the KDS proxy;
acquiring, by the server application, the C-PSK from the KDS using at least the group identifier and the C-PSK identity hint, wherein the C-PSK is used as a shared symmetric key for client authentication over the secure transport protocol during communication with the client application executing on the client device, wherein the client device is registered by a DNS hostname in the DNS server;
initiating, by the client application, a TLS-PSK session, wherein the session is initiated using the acquired C-PSK for the client mobile device in the device group as the PSK used in client authentication, to establish secure communications with the server application executing on the server device; and
renewing, by the client application and the server application, the C-PSK programmatically and automatically using the KDS interface, without requiring human intervention, and without service disruption.
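The lifecycle that claim 1 recites (M-PSK authentication to the KDS, C-PSK acquisition by group identifier and identity hint, a PSK-bound session, and renewal without disruption) as an added Python sketch that is not the patent's or any vendor's implementation: the in-memory `KDS`, the `member_tag` and `psk_binder` MAC constructions, the version-overlap renewal rule and all identifiers are assumptions, and the transcript-bound binder only stands in for a real TLS-PSK handshake.

```python
import hmac, hashlib, secrets

def member_tag(m_psk, tenant_id, m_psk_hint, nonce):
    # member's proof of M-PSK possession toward the KDS (assumed MAC construction)
    return hmac.new(m_psk, b"kds-auth|" + tenant_id + b"|" + m_psk_hint + b"|" + nonce, hashlib.sha256).digest()

class KDS:  # in-memory stand-in for the key distribution service
    def __init__(self, members):
        self.members = members  # (tenant_id, m_psk_hint) -> (m_psk, group_id), provisioned out of band
        self.records = {}       # (group_id, c_psk_hint) -> [(version, c_psk)], newest last
    def issue_c_psk(self, group_id, c_psk_hint):
        # renewal appends a new version and keeps only the previous one, so members not yet refreshed still work
        rec = self.records.get((group_id, c_psk_hint), [])
        self.records[(group_id, c_psk_hint)] = rec[-1:] + [(rec[-1][0] + 1 if rec else 1, secrets.token_bytes(32))]
    def acquire(self, tenant_id, m_psk_hint, nonce, tag, group_id, c_psk_hint):
        # authenticate the member with its M-PSK, then release the record only for its own group
        m_psk, member_group = self.members.get((tenant_id, m_psk_hint), (None, None))
        ok = m_psk is not None and member_group == group_id and hmac.compare_digest(
            member_tag(m_psk, tenant_id, m_psk_hint, nonce), tag)
        return list(self.records.get((group_id, c_psk_hint), [])) if ok else None

def psk_binder(c_psk, version, transcript):
    # TLS-PSK-style proof that a peer holds the C-PSK, bound to the handshake transcript
    return hmac.new(c_psk, b"binder|%d|" % version + transcript, hashlib.sha256).digest()
def psk_verify(records, version, transcript, binder):
    # accept the advertised version only if it is still in the record (current or previous)
    key = dict(records).get(version)
    return key is not None and hmac.compare_digest(psk_binder(key, version, transcript), binder)

def run_scenario():
    tenant, group, c_hint = b"tenant-42", b"group-7", b"c-hint-1"  # constructed identifiers
    client_key, server_key = secrets.token_bytes(32), secrets.token_bytes(32)  # per-member M-PSKs
    kds = KDS({(tenant, b"client-hint"): (client_key, group), (tenant, b"server-hint"): (server_key, group)})
    kds.issue_c_psk(group, c_hint)
    def fetch(hint, key, grp=group):
        nonce = secrets.token_bytes(16)
        return kds.acquire(tenant, hint, nonce, member_tag(key, tenant, hint, nonce), grp, c_hint)
    transcript = b"ClientHello|ServerHello"  # constructed stand-in for the handshake transcript
    client_rec, server_rec = fetch(b"client-hint", client_key), fetch(b"server-hint", server_key)
    v1, k1 = client_rec[-1]
    first = psk_verify(server_rec, v1, transcript, psk_binder(k1, v1, transcript))
    kds.issue_c_psk(group, c_hint)                  # renewal: version 2 issued by the KDS
    server_rec = fetch(b"server-hint", server_key)  # server refreshes first
    overlap = psk_verify(server_rec, v1, transcript, psk_binder(k1, v1, transcript))  # client still on v1
    v2, k2 = fetch(b"client-hint", client_key)[-1]
    renewed = psk_verify(server_rec, v2, transcript, psk_binder(k2, v2, transcript))
    bad_tag = kds.acquire(tenant, b"client-hint", b"n", b"\0" * 32, group, c_hint)  # forged M-PSK proof
    wrong_group = fetch(b"client-hint", client_key, b"group-8")  # member of a different group
    return {"first": first, "overlap": overlap, "renewed": renewed, "version": v2, "bad_tag": bad_tag, "wrong_group": wrong_group}
```

The overlap step is what makes renewal non-disruptive: a server that has already fetched version 2 still accepts a client presenting version 1 until that client refreshes through the same interface.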