A method and apparatus for providing improved security and improved
roaming transition times in wireless networks. In the present invention,
the same pairwise master key (PMK) from an authentication server can be
used across multiple access points, and a new pairwise transient key
(PTK) is derived for each association of a station with any of those
access points. A plurality of access points is organized in functional
hierarchical levels, and each access point is operable to advertise an
indicator (N) of the PMK cache depth supported by its group of access
points together with an ordered list of the identifiers that define the
derivation path. Access points in each level
in the cache hierarchy compute the derived pairwise master keys (DPMKs)
for devices in the next lower level in the hierarchy and then deliver the
DPMKs to those devices. An access point calculates the PTK as part of the
security exchange process when the station wishes to associate to the
access point. The station also computes the PTK as part of the security
exchange process; in doing so, the station calculates all of the DPMKs
in the hierarchy on its own. The method and apparatus of the present
invention allow the cache depth to vary from station to station, but
for a given station it remains constant within a key circle.
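The derivation hierarchy described above, worked through as an added example (not code from the patent or any product implementing it). The abstract fixes neither the key derivation function nor the key lengths, so this example assumes an HMAC-SHA256 counter-mode KDF with the labels "DPMK" and "PTK", a 48-byte PTK, and constructed MAC addresses, level identifiers and nonces; a real 802.11 implementation would use the standard's own PRF for the PTK step. The point it shows is the split of knowledge: the station holds the PMK and walks the whole advertised path, while each access point holds only the leaf DPMK delivered to it by the level above, and both still arrive at the same PTK.

```python
import hmac
import hashlib


def kdf(key: bytes, label: bytes, context: bytes, length: int = 32) -> bytes:
    """HMAC-SHA256 counter-mode KDF (assumption: the abstract specifies no KDF)."""
    out, counter = b"", 0
    while len(out) < length:
        block = label + b"\x00" + context + bytes([counter])
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def derive_dpmk(parent_key: bytes, level_id: bytes, sta_mac: bytes) -> bytes:
    """One step down the hierarchy: DPMK_i = KDF(DPMK_{i-1}, "DPMK", id_i || STA)."""
    return kdf(parent_key, b"DPMK", level_id + sta_mac)


def derive_dpmk_chain(pmk: bytes, path: list, sta_mac: bytes) -> list:
    """All DPMKs along an advertised path; len(result) equals the cache depth N."""
    chain, key = [], pmk
    for level_id in path:
        key = derive_dpmk(key, level_id, sta_mac)
        chain.append(key)
    return chain


def derive_ptk(leaf_dpmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes) -> bytes:
    """Per-association PTK, bound to both addresses and both nonces."""
    return kdf(leaf_dpmk, b"PTK", ap_mac + sta_mac + anonce + snonce, 48)


class AccessPoint:
    """Leaf of the hierarchy: holds only delivered DPMKs, never the PMK."""

    def __init__(self, mac: bytes, path: list):
        self.mac, self.path, self.dpmks = mac, list(path), {}

    def advertisement(self) -> dict:
        # What the AP announces: its cache depth N and the ordered derivation path.
        return {"cache_depth": len(self.path), "path": list(self.path)}

    def receive_dpmk(self, sta_mac: bytes, dpmk: bytes) -> None:
        self.dpmks[sta_mac] = dpmk  # delivered by the next-higher level

    def compute_ptk(self, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
        return derive_ptk(self.dpmks[sta_mac], self.mac, sta_mac, anonce, snonce)


class Station:
    """Holds the PMK from the authentication server and recomputes the full chain."""

    def __init__(self, mac: bytes, pmk: bytes):
        self.mac, self.pmk = mac, pmk

    def compute_ptk(self, ap_mac: bytes, advert: dict, anonce: bytes, snonce: bytes) -> bytes:
        chain = derive_dpmk_chain(self.pmk, advert["path"], self.mac)
        if len(chain) != advert["cache_depth"]:
            raise ValueError("advertised cache depth does not match path length")
        return derive_ptk(chain[-1], ap_mac, self.mac, anonce, snonce)


def run_demo() -> dict:
    # Constructed sample data: one PMK, one station, APs under one controller.
    pmk = hashlib.sha256(b"constructed PMK from authentication server").digest()
    sta = Station(bytes.fromhex("020000000001"), pmk)
    ap1 = AccessPoint(bytes.fromhex("02aaaaaaaa01"), [b"domain-A", b"controller-1", b"ap-1"])
    ap2 = AccessPoint(bytes.fromhex("02aaaaaaaa02"), [b"domain-A", b"controller-1", b"ap-2"])
    ap3 = AccessPoint(bytes.fromhex("02aaaaaaaa03"), [b"domain-A"])  # shallower path

    # Provisioning: the upper levels compute each AP's leaf DPMK for this station and deliver it.
    for ap in (ap1, ap2, ap3):
        ap.receive_dpmk(sta.mac, derive_dpmk_chain(pmk, ap.path, sta.mac)[-1])

    anonce, snonce = b"A" * 32, b"S" * 32  # constructed nonces for this association
    ptk_ap1 = ap1.compute_ptk(sta.mac, anonce, snonce)
    ptk_sta1 = sta.compute_ptk(ap1.mac, ap1.advertisement(), anonce, snonce)
    ptk_ap2 = ap2.compute_ptk(sta.mac, anonce, snonce)
    ptk_sta3 = sta.compute_ptk(ap3.mac, ap3.advertisement(), anonce, snonce)

    return {
        "station_matches_ap1": ptk_ap1 == ptk_sta1,
        # Sibling APs receive distinct DPMKs, so one AP's key material does not yield another's PTK.
        "ap1_ap2_keys_differ": ap1.dpmks[sta.mac] != ap2.dpmks[sta.mac] and ptk_ap1 != ptk_ap2,
        # The depth is carried in the advertised path, so a depth-1 path works the same way.
        "different_depth_works": ptk_sta3 == ap3.compute_ptk(sta.mac, anonce, snonce),
        "ptk_len": len(ptk_ap1),
    }
```

Binding the station address into every DPMK step, and both addresses plus both nonces into the PTK, is what keeps a cached DPMK usable across reassociations while still giving each association a fresh PTK; the checks in run_demo() confirm the two sides agree and that sibling access points end up with unrelated leaf keys.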