Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
Status of Claims
Claims 1-20 are subject to examination.
Priority
The claimed foreign priority (INDIA 202341072217, 10/23/2023) in this application under 35 U.S.C. 119(a)-(d) or (f) is acknowledged.
Drawings
The figures submitted on 1/31/24 are acknowledged.
Information Disclosure Statement
The information disclosure statements filed on 1/31/24 and 2/18/25 are in compliance with the provisions of 37 CFR 1.97, have been considered, and a copy is enclosed with this Office Action.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-3, 13-16, 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Anantha et al., US 20200162917 A1, in view of Gaonkar et al., 20190372973.
Referring to claim 1, Anantha substantially discloses a network device for facilitating client devices to connect to a Wi-Fi network, the network device comprising at least one processor, one or more communications modules, and storage storing computer-executable instructions which, when executed by the at least one processor, cause the network device to:
[0015] The guests may have multiple devices that may need Wi-Fi access for the Internet and Wi-Fi-enabled devices. Further, it is a best security practice to change Wi-Fi credentials for every guest visit, particularly when Wi-Fi access may be used for physical access to the shared use space.
receive a connection request from a client device, the connection request including a Media Access Control (MAC) address associated with the client device and being generated using a first pre-shared key;
[0135] At step 654, the primary guest device can connect to the network using the SSID/PSK. For example, the primary guest device may attempt to connect to the AP(s) using the SSID/PSK when the primary guest device is within a range of the AP(s) (e.g., Wi-Fi range, Bluetooth® range, etc.). In response to the attempt to connect, the AP(s) can transmit a request to the AAA appliance(s) for the PSK mapped to the MAC address of the primary guest device and the SSID. Since the AAA appliance(s) have previously mapped the PSK to the MAC address of the primary guest device and the SSID (e.g., at step 652), the AAA appliance(s) can return this PSK. The AAA appliance(s) can successfully authenticate the primary guest device using this PSK, and send a response back to the AP(s) indicating successful authentication.
[0138] The request can include one or more of a user name of the secondary guest device, a name of the secondary guest device name, the MAC address of the secondary guest device, and/or other identifier associated with the user of the secondary guest device or the secondary guest device.
access a database comprising a plurality of records associated with a service set identifier (SSID) for the Wi-Fi network, each record associating a MAC address with a respective pre-shared key of a plurality of pre-shared keys, and comprising the plurality of pre-shared keys, to determine whether the database comprises a said record associated with the MAC address;
[0134] The Cisco® ISE appliance(s) can maintain mappings of MAC addresses of client devices, PSKs, and SSIDs, including a mapping of the MAC address of the primary guest device, the PSK of the primary guest device, and the SSID of the shared use space. At the specified start time, the network management system and/or AP(s) can send a request to the Cisco® ISE appliance(s) to activate the SSID/PSK for the primary guest device.
depending on an outcome of the determining whether the database comprises the said record, perform a first process or a second process, wherein the first process is performed if the database does comprise the said record and the first process is not performed if the database does not comprise the said record (
[0135] For example, the primary guest device may attempt to connect to the AP(s) using the SSID/PSK when the primary guest device is within a range of the AP(s) (e.g., Wi-Fi range, Bluetooth® range, etc.). In response to the attempt to connect, the AP(s) can transmit a request to the AAA appliance(s) for the PSK mapped to the MAC address of the primary guest device and the SSID. Since the AAA appliance(s) have previously mapped the PSK to the MAC address of the primary guest device and the SSID (e.g., at step 652), the AAA appliance(s) can return this PSK. The AAA appliance(s) can successfully authenticate the primary guest device using this PSK, and send a response back to the AP(s) indicating successful authentication.
Note: The device is authenticated only when its MAC address is mapped to the SSID and PSK. Hence, the device is not authenticated when the MAC address is not mapped.
and a second process is performed comprising generating a new record for the database for authenticating the client device on the network.
[0017] Alternatively, or in addition, the network management system can create a Pre-Shared Key (PSK) group that is operative from the specified start time to the specified end time and associate the PSK with the primary guest device(s) and SSID.
[0136] For example, the first AP to which the primary guest device attempts to connect can add the IP address and MAC address of the primary guest device and the SSID
Anantha does not specifically mention, although it is well known in the art and Gaonkar discloses it, determining a second pre-shared key based at least on the said record; and authenticating the client device using the second pre-shared key (
[0010] a device in a wireless network receives an association request sent by a node to associate with the network. The association request comprises a media access control (MAC) address of the node. The device establishes a secure connection between the node and the network using a pre-shared key (PSK). The device sends a second PSK to the node via the secure connection. The second PSK is unique in the network to the node and the node uses the second PSK for future communications with the network.)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention disclosed by Anantha to implement these limitations, and one of ordinary skill in the art would have been motivated to do so because doing so would make use of a second pre-shared key. The second pre-shared key would enable communication unique to a node, as compared to the other nodes in the network, after the secure connection is established. The second pre-shared key would not allow other nodes to decrypt the information, para 10.
Referring to claim 13, the network system claim is similarly analyzed and rejected for the same rationale as the device claim 1.
Referring to claim 15, the method claim is similarly analyzed and rejected for the same rationale as the device claim 1.
Referring to claim 20, the medium claim is similarly analyzed and rejected for the same rationale as the device claim 1.
Referring to claim 19, Anantha discloses wherein the connection requests are associated with the SSID, and the new record is associated with the SSID, para 135.
Referring to claim 2, Anantha discloses wherein the storage comprises the database (
[0021] The AAA appliance(s) 106 can control access to computing resources, facilitate enforcement of network policies, audit usage, and provide information necessary to bill for services. The AAA appliance can interact with the network controller appliance(s) 104 and with databases and directories containing information for users, devices, things, policies, billing, and similar information to provide authentication, authorization, and accounting services. In some embodiments, the AAA appliance(s) 106 can utilize Remote Authentication Dial-In User Service (RADIUS) or Diameter to communicate with devices and applications. In some embodiments, one or more Cisco® Identity Services Engine (ISE) appliances can operate as the AAA appliance(s) 106.
[0024] The fabric control plane node(s) 110 can serve as a central database for tracking all users, devices, and things as they attach to the network fabric 120, and as they roam around. The fabric control plane node(s) 110 can allow network infrastructure (e.g., switches, routers, WLCs, etc.) to query the database to determine the locations of users, devices, and things attached to the fabric instead of using a flood and learn mechanism. In this manner, the fabric control plane node(s) 110 can operate as a single source of truth about where every endpoint attached to the network fabric 120 is located at any point in time.)
Referring to claim 3, Anantha discloses communicating with the database using the one or more communications modules (
[0021] The AAA appliance(s) 106 can control access to computing resources, facilitate enforcement of network policies, audit usage, and provide information necessary to bill for services. The AAA appliance can interact with the network controller appliance(s) 104 and with databases and directories containing information for users, devices, things, policies, billing, and similar information to provide authentication, authorization, and accounting services. In some embodiments, the AAA appliance(s) 106 can utilize Remote Authentication Dial-In User Service (RADIUS) or Diameter to communicate with devices and applications. In some embodiments, one or more Cisco® Identity Services Engine (ISE) appliances can operate as the AAA appliance(s) 106.
[0024] The fabric control plane node(s) 110 can serve as a central database for tracking all users, devices, and things as they attach to the network fabric 120, and as they roam around. The fabric control plane node(s) 110 can allow network infrastructure (e.g., switches, routers, WLCs, etc.) to query the database to determine the locations of users, devices, and things attached to the fabric instead of using a flood and learn mechanism. In this manner, the fabric control plane node(s) 110 can operate as a single source of truth about where every endpoint attached to the network fabric 120 is located at any point in time.)
Referring to claim 14, Anantha discloses a storage device on which the database is stored, wherein the storage device is communicatively coupled to the one or more network devices (
[0021] The AAA appliance(s) 106 can control access to computing resources, facilitate enforcement of network policies, audit usage, and provide information necessary to bill for services. The AAA appliance can interact with the network controller appliance(s) 104 and with databases and directories containing information for users, devices, things, policies, billing, and similar information to provide authentication, authorization, and accounting services. In some embodiments, the AAA appliance(s) 106 can utilize Remote Authentication Dial-In User Service (RADIUS) or Diameter to communicate with devices and applications. In some embodiments, one or more Cisco® Identity Services Engine (ISE) appliances can operate as the AAA appliance(s) 106.
[0024] The fabric control plane node(s) 110 can serve as a central database for tracking all users, devices, and things as they attach to the network fabric 120, and as they roam around. The fabric control plane node(s) 110 can allow network infrastructure (e.g., switches, routers, WLCs, etc.) to query the database to determine the locations of users, devices, and things attached to the fabric instead of using a flood and learn mechanism. In this manner, the fabric control plane node(s) 110 can operate as a single source of truth about where every endpoint attached to the network fabric 120 is located at any point in time.)
Referring to claim 16, Anantha discloses reading the second pre-shared key from the said record (para 134).
Claims 4 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Anantha in view of Gaonkar and YOSHIKAWA, WO 2021131756 A1.
Referring to claim 4, Anantha discloses generating a new record for the database, as cited in claim 3. Anantha in view of Gaonkar does not disclose, which YOSHIKAWA discloses, determining whether the client device is using WPA3 or WPA2, and performing the generating in a manner dependent on whether the client device is using WPA3 or WPA2 (
Whether or not the pre-shared key of WPA and WPA2 may be used as the password of WPA3 is set in the communication device 102 by the user. Alternatively, the communication device 102 may determine this step based on whether or not the number of characters in the character string set as the pre-shared key of WPA and WPA2 is equal to or greater than the predetermined number of characters required as the password of WPA3. The communication device 102 determines Yes in this step when the number of characters of the pre-shared key is equal to or greater than the predetermined number of characters, and determines No in this step when the number of characters is less than the predetermined number of characters, 3rd last para, page 9
the AP that receives the authentication request from the STA always sends the authentication success. Since WPA3 generates a new key each time authentication is performed, the security is improved as compared with WPA2, which reuses the pre-shared key. In this embodiment, when WPA3 is selected as the authentication method, the encryption key corresponds to the password, 3rd last para, page 3.)
Note: WPA3 requires a new key to be generated each time, whereas WPA2 reuses the key; accordingly, the stored key is updated for WPA3 each time.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention disclosed by Anantha to implement these limitations, and one of ordinary skill in the art would have been motivated to do so because doing so would make use of knowing whether the client device is using WPA3 or WPA2. Since WPA3 generates a new key each time authentication is performed, security would be improved using WPA3 as compared with WPA2. When WPA2 is used by the client, the pre-shared key would be reused for authentication. When WPA3 is selected as the authentication method, the encryption key would correspond to the password, 3rd last para, page 9.
Referring to claim 9, YOSHIKAWA discloses wherein determining whether the client device is using WPA2 or WPA3 comprises processing the connection request to determine an indication of whether the client device is using WPA2 or WPA3 (3rd last para, page 9).
Claims 5, 6 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Anantha in view of Gaonkar, YOSHIKAWA, Dhammawat et al., 20200162915, and Olshansky, 20200396604.
Referring to claims 5 and 6, Anantha discloses generating a new record for the database associating the MAC address with a fourth pre-shared key, as cited in claim 1. Anantha in view of Gaonkar and YOSHIKAWA does not disclose, which Dhammawat discloses, authenticating the client device using a third pre-shared key, the third pre-shared key being a common pre-shared key;
[0028] A group of known client devices, such as client devices owned and/or operated by a family, may have a common or shared pre-shared key (PSK).
dependent on the authentication of the client device using the third pre-shared key being successful, providing access to a device to enable the client device to register with the network;
[0029] In still another embodiment, the password-mapped identifier may also be mapped with a media access control (MAC) address of a client device. The mapping of password-mapped identifier and MAC address may also be stored at a WLAN controller. The WLAN controller may determine whether the password-mapped identifiers of the source and destination client devices are the same.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention disclosed by Anantha to implement these limitations, and one of ordinary skill in the art would have been motivated to do so because doing so would make use of a common pre-shared key. A common or shared pre-shared key (PSK) would enable securing client devices owned and/or operated by a trusted group, such as a family.
Anantha in view of Gaonkar, Dhammawat and YOSHIKAWA does not disclose, which Olshansky discloses, receiving a request from the client device to register with the network using the captive portal (para 52).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention disclosed by Anantha to implement these limitations, and one of ordinary skill in the art would have been motivated to do so because doing so would make use of a captive portal. A captive portal is a web page, accessed with a web browser, that is displayed to connected users before they are granted broader access to network resources. Captive portals are used to present a landing or log-in page. Hence, the captive portal would enable the user to communicate with resources through the Wi-Fi/wireless network.
Referring to claim 17, Dhammawat discloses dependent on the authenticating the client device using the second pre-shared key being successful: performing a handshake with the client device; and providing the client device with access to the network, para 28, 29.
Referring to claim 6, Olshansky also discloses the network device hosting the captive portal, para 52.
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Anantha in view of Gaonkar, YOSHIKAWA and ZHANG et al., CN 116016633 A.
Referring to claim 7, Anantha discloses wherein the second process comprises, after generating a new record for the database associating the MAC address with a fourth pre-shared key, as cited in claim 1. Anantha in view of Gaonkar and YOSHIKAWA does not disclose, which ZHANG discloses, sending a message to the client device instructing the client device to disconnect and send a connection request using the fourth pre-shared key;
(receiving the encryption reconnection pre-shared key sent by the receiving server;
and sending the encryption reconnection pre-shared key to the configuration centre.
Specifically, the specific implementation of the receiving server creating the encryption reconnection shared key is as follows:
obtaining the shared key parameter of the client in the initial handshake message in the service terminal;
creating a reconnection pre-shared key based on the service terminal key material corresponding to the initial transmission key of the service terminal and the shared key parameter of the client terminal;
encrypting the reconnection pre-shared key based on the configuration key, obtaining the encrypted reconnection pre-shared key, and sending the encrypted reconnection pre-shared key to the client.
Specifically, the client shared key parameter refers to the key parameter sent by the sending server that can be shared with the receiving server. The client shared key parameter may include a client public key and other parameters the service end uses for creating the reconnection shared key. Under the condition that the communication protocol is the QUIC protocol compatible with TLS 1.3, the client-end shared key parameter can include the client public key, the ECDHE algorithm related to the elliptic curve function, the base point G, and so on. The reconnection pre-shared key is another pre-shared key created based on the connection between the sending server and the receiving server; the reconnection pre-shared key is used for authentication when the sending server and the receiving server are reconnected. The service-end key material corresponding to the service-end initial transmission key is, specifically, the service-end initial transmission key generated in the key process based on the pre-shared key. 3rd last para, page 10)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention disclosed by Anantha to implement these limitations, and one of ordinary skill in the art would have been motivated to do so because doing so would make use of disconnecting and reconnecting with another key. Replacing the pre-shared key (PSK) would ensure that the old PSK cannot be misused and that the reconnection is made with the new PSK, securing client devices, 3rd last para, page 10.
Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Anantha in view of Gaonkar, YOSHIKAWA and Florit et al., 20210391984.
Referring to claim 8, Anantha discloses generating a new record for the database associating the MAC address with the fifth pre-shared key, as cited in claim 1. Anantha in view of Gaonkar and YOSHIKAWA does not disclose, which Florit discloses, authenticating the client device using an identified fifth pre-shared key, wherein the fifth pre-shared key is identified by iteratively attempting authentication using a different one of the stored plurality of pre-shared keys until authentication is successful
([0055] In an example, the first station will continue to transmit different PSK IDs to the second station, until the first station receives a PSK_ID status of “accept” from the second station. For example, the first station may transmit a first PSK_ID to the second station and wait for a responsive message from the second station indicating a PSK_ID status of “accept” or “reject.” If the PSK_ID status is “reject,” the first station may transmit a second PSK_ID to the second station, and wait for a responsive message from the second station)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention disclosed by Anantha to implement these limitations, and one of ordinary skill in the art would have been motivated to do so because doing so would make use of iteratively attempting authentication with a different PSK. Having multiple valid PSKs and using a different PSK when one PSK is not successful would provide additional chances of using the pre-shared keys (PSKs) for authentication and securing client devices.
Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Anantha in view of Gaonkar, YOSHIKAWA, Dhammawat, Olshansky and TANG et al., 20070197190.
Referring to claim 10, Dhammawat discloses the third pre-shared key being a common key;
[0028] A group of known client devices, such as client devices owned and/or operated by a family, may have a common or shared pre-shared key (PSK).
if the number of unsuccessful authentication attempts exceeds a predetermined threshold, attempting to handshake with the client device using a third pre-shared key
[0029] In still another embodiment, the password-mapped identifier may also be mapped with a media access control (MAC) address of a client device. The mapping of password-mapped identifier and MAC address may also be stored at a WLAN controller. The WLAN controller may determine whether the password-mapped identifiers of the source and destination client devices are the same.
Anantha in view of Gaonkar, Dhammawat, Olshansky and YOSHIKAWA does not disclose, which Tang discloses, if authenticating the client device using the second pre-shared key is unsuccessful: track a number of unsuccessful authentication attempts using the second pre-shared key (claim 5).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention disclosed by Anantha to implement these limitations, and one of ordinary skill in the art would have been motivated to do so because doing so would make use of the different available PSKs. Having multiple valid PSKs and using a different PSK when one PSK is not successful would provide additional chances of using the pre-shared keys (PSKs) for authentication and securing client devices, claim 5.
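As an added illustration, not code from the application or from any cited reference, the following Python models the claimed flow as rejected above: the MAC-keyed record lookup of claim 1, the iterative identification of a stored PSK of claim 8, and the unsuccessful-attempt threshold with fallback to a common PSK of claim 10, followed by re-registration with a fresh per-device key (claims 5, 7 and 12). A keyed hash stands in for the WPA handshake check, and all names, the threshold and the sample keys are assumptions.

```python
# Constructed model of the claimed network-device logic: MAC-keyed PSK records
# (claim 1), iterative PSK identification (claim 8) and a failure threshold with
# fallback to a common PSK (claim 10). Names, threshold and keys are assumptions.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

COMMON_PSK = "family-shared-psk"   # assumed "third" (common) PSK used only to reach registration
THRESHOLD = 3                      # assumed limit on failed attempts with a record's PSK


@dataclass
class Database:
    """Records for one SSID: MAC -> per-device PSK, the stored PSK pool, and
    per-MAC counts of unsuccessful attempts with the record's PSK."""
    ssid: str
    records: dict = field(default_factory=dict)
    psk_pool: set = field(default_factory=set)
    failures: dict = field(default_factory=dict)


def client_proof(psk: str, ssid: str, mac: str, nonce: bytes) -> bytes:
    """Stand-in for the WPA 4-way-handshake MIC: a keyed hash over the session data.
    Simplification: real WPA derives a PMK and PTK from the PSK before computing the MIC."""
    msg = ssid.encode() + mac.encode() + nonce
    return hmac.new(psk.encode(), msg, hashlib.sha256).digest()


def handshake_ok(psk: str, ssid: str, mac: str, nonce: bytes, proof: bytes) -> bool:
    """Constant-time comparison of the client's proof against one candidate PSK."""
    return hmac.compare_digest(client_proof(psk, ssid, mac, nonce), proof)


def handle_connection_request(db: Database, mac: str, nonce: bytes, proof: bytes):
    """Return (outcome, psk_used) for a connection request carrying the client's MAC."""
    record_psk = db.records.get(mac)
    if record_psk is not None:
        # First process: read the second PSK from the record and authenticate with it.
        if handshake_ok(record_psk, db.ssid, mac, nonce, proof):
            db.failures.pop(mac, None)
            return "authenticated", record_psk
        # Track unsuccessful attempts with the record's PSK; reject until the threshold.
        db.failures[mac] = db.failures.get(mac, 0) + 1
        if db.failures[mac] <= THRESHOLD:
            return "rejected", None
        # Over the threshold: accept the common PSK only to reach the registration portal.
        if handshake_ok(COMMON_PSK, db.ssid, mac, nonce, proof):
            return "register_via_portal", COMMON_PSK
        return "rejected", None
    # No record: second process. Iterate over the stored PSKs until one verifies,
    # then create the record. This is per-request work for an unauthenticated
    # client, so the pool should stay small.
    for psk in sorted(db.psk_pool):
        if handshake_ok(psk, db.ssid, mac, nonce, proof):
            db.records[mac] = psk
            return "authenticated_new_record", psk
    return "rejected", None


def register_device(db: Database, mac: str) -> str:
    """After portal registration: issue a fresh per-device (fourth) PSK, store the
    record, and return the key the client is told to disconnect and reconnect with."""
    new_psk = secrets.token_urlsafe(16)
    db.records[mac] = new_psk
    db.psk_pool.add(new_psk)
    db.failures.pop(mac, None)
    return new_psk
```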
Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Anantha in view of Gaonkar, YOSHIKAWA, Dhammawat, Olshansky, TANG and Tanaka et al., 20130145149.
Referring to claim 11, Anantha in view of Gaonkar, YOSHIKAWA, Dhammawat, Olshansky and TANG does not disclose, which Tanaka discloses, wherein tracking the number of unsuccessful authentication attempts includes communicating with one or more further network devices operating in the network, para 25. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention disclosed by Anantha to implement these limitations, and one of ordinary skill in the art would have been motivated to do so because doing so would make use of tracking authentication attempts. Collecting information about authentication attempts would enable updating the system software so that there are fewer unsuccessful authentication attempts.
Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Anantha in view of Gaonkar, YOSHIKAWA, Dhammawat, Olshansky and TANG.
Referring to claim 12, Olshansky discloses the captive portal art: provide access to a captive portal to enable the client device to register with the network, and receive a request from the client device to register with the network using the captive portal (para 52); Dhammawat discloses if the handshake with the client device is successful (para 29); and Anantha discloses generating a new record for the database associating the MAC address with a fourth pre-shared key, as rejected in claim 1.
Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Anantha in view of Gaonkar and LIU, CN 112423300 A.
Referring to claim 18, Anantha in view of Gaonkar does not disclose, which Liu discloses, wherein each of the plurality of pre-shared keys is associated with a respective network configuration, abstract.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention disclosed by Anantha to implement these limitations, and one of ordinary skill in the art would have been motivated to do so because doing so would make use of network configuration information. A pre-shared key (PSK) tied to the network configuration information would ensure that the PSK cannot be used for a different network configuration. This would limit misuse of the PSK for other network configurations, abstract.
Conclusion
Pertinent prior art:
Chaki et al., US 10362452 B2 discloses wherein the credential information is at least one of identity and type information corresponding to each node in the group including the first client and the second client, a pre-shared key, a service set identifier (SSID) corresponding to the first client, a basic service set identifier (BSSID) corresponding to the first client, and medium access control (MAC) addresses of all nodes in the group including the second client, claim 23.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HARESH PATEL whose telephone number is (571)272-3973. The examiner can normally be reached on M-F 9-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado, can be reached at (571) 272-7624. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/HARESH N PATEL/Primary Examiner, Art Unit 2496