Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments and Amendments
Applicant’s arguments and amendments have been fully considered. Based on the new scope of the claims the standing rejection has been withdrawn and new grounds of rejection have been set forth in further view of United States Patent Application Publication No.: 2019/0116493 (Cyril et al.).

Claim Objections
Claim 9 is objected to because of the following informalities:
Claim 9 is listed as dependent on claim 9; a claim cannot be self-dependent. Based on the claim contents, claim 9 has been treated as a dependent of claim 8 for the sake of examination.
Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over United States Patent Application Publication No.: 2019/0116493 (Cyril et al.) in view of United States Patent Application Publication No.: 2019/0268335 (Targali).

As Per Claim 1: Shah et al. teaches: A method of authenticating a device to a network service provider (NSP), comprising:

- receiving, at an authentication server, a message indicative of a user device (UD) in communication with an access point (AP) and having provided thereby an Extensible Authentication Protocol (EAP) response including an outer identity associated with the NSP and included in an EAP profile stored at the UD;
- establishing a secure communications tunnel to the UD;
	(Cyril et al., Paragraph [0003], “In another aspect, a connection profile can be generated that comprises a username that is set to the device identifier, and a password generated by inputting the device identifier into a predefined function, such as a one way hash function. The connection profile can be transmitted to the user device. The connection profile can comprise network identifier information (e.g., service set identifier (SSID) information, network access point identification information, etc.) that can be used by the user device to establish a communication session with an authentication device (e.g., server). As such, the connection profile can also comprise an authentication identifier. A service provider is later able to apply a specific type of authentication for devices that provide the authentication identifier as part (e.g., in an outer identifier of an extensible authentication protocol message) of an authentication process.”).
	(Cyril et al., Paragraph [0072], “At step 234, the user device 210 can transmit an authentication request to the authentication device 204. The authentication request can be generated based on a connection profile, such as the first connection profile, the second connection profile, and/or the like. The authentication request can comprise a username (e.g., in a username field). The authentication request comprise a password (e.g., in password field). The username and/or password can comprise values from 
	(Cyril et al., Paragraph [0073], “The authentication request can comprise an inner portion and an outer portion. The inner portion can be after (e.g., in data sequence order) the outer portion. The inner portion can comprise the username and/or password. The outer portion can comprise the authentication identifier. The inner portion can comprise an inner identifier (e.g., inner identity) of an extensible authentication protocol (EAP) message, such as an EAP Tunneled Transport Layer Security (TTLS) message, an EAP TTLS password authentication protocol (PAP) message, an EAP transport layer security message, an EAP-TTLS with generic token card (GTC), other versions of EAP transport layer security, and/or any authentication protocol that utilizes a username and password. The outer portion can comprise an outer identifier (e.g., outer identity) of the EAP message.”).

- transmitting, via the secure communications tunnel, a request for inner identity and password information included in the EAP profile stored at the UD;
	(Cyril et al., Paragraph [0073], “The authentication request can comprise an inner portion and an outer portion. The inner portion can be after (e.g., in data sequence order) the outer portion. The inner portion can comprise the username and/or password. The outer portion can comprise the authentication identifier. The inner portion can comprise an inner identifier (e.g., inner identity) of an extensible authentication protocol (EAP) message, such as an EAP Tunneled Transport Layer Security (TTLS) message, an EAP TTLS password authentication protocol (PAP) message, an EAP transport layer security message, an EAP-TTLS with generic token card (GTC), other versions of EAP transport layer security, and/or any 
	(Cyril et al., Paragraph [0075], “At step 238, the authentication device 204 can authorize the request by authenticating data associated with the request. The request can be authenticated according to the type of authentication determined in step 236. For example, if the type of authentication comprises the default authentication, then the username and password in the authentication request can be compared to a corresponding stored username and stored password (e.g., received from a user, generated by a user, selected by a user). If the type of authentication comprises the dynamic authentication, then the username received in the request can be input into the predefined function to obtain a result. The result can be compared to the password. If the result matches, the password, then the request can be successfully authenticated. If the result does not match the password, then the authentication of the user device 210 fails.”).

Shah et al. does not explicitly teach the following limitation however Targali in analogous art does teach the following limitation:
- requesting, from a device management server, device information with service status associated with the UD; and
- authenticating the UD to the NSP in response to receiving inner identity information matching received device information for a device having active status. 
	(Targali, Paragraph [0041], “Various examples provide at least one of: increased privacy of PII; reduced risk of use of unauthorized or stolen terminals; or protection from DDoS attacks. While the embodiments described herein generally focus on the use of an IMSI and an IMEI, it may be appreciated that these techniques may be applied to other forms of PII. For example, embodiments herein that process IMSIs can additionally or alternatively process other types of subscriber identifier, such as a 5G 
	(Targali, Paragraph [0046], “In various examples, a network terminal, e.g., LTE or 5G, can connect to a home network via a serving network. The terminal can have a terminal identifier (TID), such as an IMEI or other PEI, and a network subscriber can have a subscriber identifier (SID), such as an IMSI or other SUPI. In some nonlimiting examples, a network node can determine that a SID and a TID are authorized for joint use and, in response, transmit authorization information. In some nonlimiting examples, a network node can receive an attach request having verification data and encrypted identification data. The network node can receive decrypted identity data and determine that the identity data corresponds with the verification data. In some nonlimiting examples, the terminal can send an attach request comprising encrypted SID and TID data, and a cryptographic hash, to a network node.”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Targali into the method of Cyril et al. as Targali teaches improved assurance of authentication to the method of Cyril et al. where basic structure has been demonstrated in Cyril et al. such as (Cyril et al., Paragraphs [0034] & [0077]).
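
The flow described in the passages cited for claim 1 (the outer identity selects the authentication type, the inner username and password are checked, and the device's service status gates acceptance), as an added illustration that is not part of this Office action or of either cited reference. It assumes HMAC-SHA256 under an operator key as the "predefined function"; `DYNAMIC_AUTH_ID`, `DEVICE_RECORDS`, `STORED_USERS` and all identifiers below are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumption: the "predefined function" is HMAC-SHA256 keyed with an operator
# secret. The cited text only says "such as a one way hash function".
PROVISIONING_KEY = b"constructed-demo-key"   # constructed value
DYNAMIC_AUTH_ID = "device-auth"              # hypothetical authentication identifier

# Constructed data stores standing in for the user database and the
# device management server (identifier -> service status).
STORED_USERS = {"alice": "correct horse"}
DEVICE_RECORDS = {
    "350000000000001": "active",
    "350000000000002": "suspended",
}


@dataclass(frozen=True)
class EapRequest:
    outer_identity: str   # visible before the tunnel exists
    inner_username: str   # sent only inside the secure tunnel
    inner_password: str   # sent only inside the secure tunnel


def derive_password(device_id: str) -> str:
    """Password provisioned into the connection profile for a device."""
    mac = hmac.new(PROVISIONING_KEY, device_id.encode(), hashlib.sha256)
    return mac.hexdigest()


def select_auth_type(outer_identity: str) -> str:
    """The outer identity carries the authentication identifier."""
    user_part = outer_identity.split("@", 1)[0]
    return "dynamic" if user_part == DYNAMIC_AUTH_ID else "default"


def _equal(a: str, b: str) -> bool:
    # Constant-time comparison so timing does not leak matching prefixes.
    return hmac.compare_digest(a.encode(), b.encode())


def authenticate(req: EapRequest) -> tuple[bool, str]:
    """Return (accepted, reason) for one authentication request."""
    if select_auth_type(req.outer_identity) == "default":
        stored = STORED_USERS.get(req.inner_username)
        if stored is None or not _equal(stored, req.inner_password):
            return (False, "default: bad credentials")
        return (True, "default: stored credentials match")

    # Dynamic authentication: recompute the password from the username.
    if not _equal(derive_password(req.inner_username), req.inner_password):
        return (False, "dynamic: password mismatch")

    # Device management lookup: a valid credential is not enough; the
    # identifier must belong to a device whose service status is active.
    status = DEVICE_RECORDS.get(req.inner_username)
    if status != "active":
        return (False, f"dynamic: device status {status}")
    return (True, "dynamic: active device")


if __name__ == "__main__":
    for device in ("350000000000001", "350000000000002", "359999999999999"):
        req = EapRequest("device-auth@nsp.example", device, derive_password(device))
        print(device, authenticate(req))
```
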

As Per Claim 2: The rejection of claim 1 is incorporated and further Cyril et al. and Targali do not explicitly teach the following limitation:
- the inner identity information comprises one or more of a mobile equipment identifier (MEID) and a Media Access Control address (MAC address) of the UD. 

	(Cyril et al., Paragraph [0035], “The device identifier 108 can be, can comprise, and or be associated with user credentials. For example, the user credentials can be information associated with the user device 102 such as, a username and/or password generated/determined based on device-based information such as an international mobile subscriber identity (IMSI). Additionally, the user credentials can be information associated with the user device 102 such as, a username and/or password generated/determined based on device-based information such as an international mobile equipment identity (IMEI) a media access control (MAC) address, similar information, combinations thereof, and the like. The device identifier 108 can comprise an address element 110. The address element 110 can comprise or provide an internet protocol address, a network address, a media access control (MAC) address, an Internet address, and/or the like. As an example, the address element 110 can be relied upon to establish a communication session between the user device 102 and the computing device 104 or other devices and/or networks, such as a provisioning device (e.g., provisioning device 202), an authentication device (e.g., authentication device 204), and a policy device (e.g., policy device 208), for example. As a further example, the address element 110 can be used as an identifier or locator of the user device 102. The address element 110 can be persistent for a particular network.”).

As Per Claim 3: The rejection of claim 2 is incorporated and further Cyril et al. teaches:
- the inner identity information further comprises an International Mobile Station Equipment Identity (IMEI) of the UD. 
	(Cyril et al., Paragraph [0027], “The present disclosure relates to methods and systems for using device-based credentials for wireless communication service (e.g., a mobile voice communication service, 

As Per Claim 4: The rejection of claim 2 is incorporated and further Cyril et al. teaches:
- the inner identity information further comprises information assigned to the UD by the NSP. 


As Per Claim 5: The rejection of claim 4 is incorporated and further Cyril et al. teaches:
- the information assigned to the UD by the NSP comprises an International Mobile Subscriber Identity (IMSI). 
	(Cyril et al., Paragraph [0002], “It is to be understood that both the following general description and the following detailed description are example and explanatory only and are not restrictive. Methods and systems for using device-based credentials for wireless communication service are described. In one aspect, when a user registers a user device for a wireless service (e.g., a mobile voice communication service, a mobile telephony service, Wi-Fi data service, cellular data service, etc.), a device identifier can be used to generate credentials to enable the user device to access the wireless service via one or more of a plurality of access points. The device identifier can comprise a user identifier associated with a wireless communication service, such as an international mobile subscriber identity (IMSI). The device identifier can be used, for example, without an additional password, to authenticate a user on the wireless 

As Per Claim 6: The rejection of claim 4 is incorporated and further Cyril et al. does not explicitly teach the following limitation however Targali in analogous art does teach the following limitation:
- the information assigned to the UD by the NSP comprises a Mobile Station International Subscriber Directory Number (MSISDN). 
	(Targali, Paragraph [0037], “This PII may comprise an International Mobile Subscriber Identity (IMSI), an International Mobile Equipment Identity (IMEI), or a Mobile Subscriber International Subscriber Directory Number (MSISDN). The IMSI may comprise a 14- or 15-digit number, which is stored on a Subscriber Identity Module (SIM) card or Universal SIM (USIM) card that is inserted into the terminal and stored in the Home Operator Database (e.g., a Home Location Register, HLR, or a Home Subscriber Server, HSS). If an attacker obtains access to view communications across the telecommunications network, then the attacker may identify a particular user based on the IMSI or other PII associated with his or her terminal. Since terminals are connected to specific physical points on the telecommunications network (e.g., a cell tower or a residential hotspot), the attacker may use this IMSI to determine, and track, where a user is physically located.”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Targali into the method of Cyril et al. as the MSISDN taught by Targali is an obvious interchangeable variation of standard mobile device identification readily implemented with expectations of success.

As Per Claim 7: The rejection of claim 1 is incorporated and further Cyril et al. teaches:
- the password comprises a hash value generated using one or more credential variables representing device information, device identity and service information. 
	(Cyril et al., Paragraph [0003], “In another aspect, a connection profile can be generated that comprises a username that is set to the device identifier, and a password generated by inputting the device identifier into a predefined function, such as a one way hash function. The connection profile can be transmitted to the user device. The connection profile can comprise network identifier information (e.g., service set identifier (SSID) information, network access point identification information, etc.) that can be used by the user device to establish a communication session with an authentication device (e.g., server). As such, the connection profile can also comprise an authentication identifier. A service provider is later able to apply a specific type of authentication for devices that provide the authentication identifier as part (e.g., in an outer identifier of an extensible authentication protocol message) of an authentication process.”).

As Per Claim 8: The rejection of claim 1 is incorporated and further Shah et al. and Targali do not explicitly teach the following limitation:
- the password comprises a hash value generated using one or more a mobile equipment identifier (MEID) and a Media Access Control address (MAC address) of the UD. 
	However Examiner is giving official notice that a MEID is just an obvious interchangeable variation of the IMEI taught by Cyril et al. that can readily be used with expectations of success. MEID and IMEI are just corresponding terminal hardware identifiers used by different mobile network service providers.
	The use of a MEID would be the same as the use of IMEI by Cyril et al.
	(Cyril et al., Paragraph [0035], “The device identifier 108 can be, can comprise, and or be associated with user credentials. For example, the user credentials can be information associated with the user device 102 such as, a username and/or password generated/determined based on device-based 

As Per Claim 9: The rejection of claim 8 is incorporated and further Cyril et al. teaches:
- the hash value is generated using an International Mobile Station Equipment Identity (IMEI) of the UD. 
	(Cyril et al., Paragraph [0027], “The present disclosure relates to methods and systems for using device-based credentials for wireless communication service (e.g., a mobile voice communication service, a mobile telephony service, Wi-Fi data service, cellular data service, etc.) authentication. As part of signing up for a wireless communication service a user can purchase a user device. When the user device is purchased, or at any other time, information associated with the user device can be accessed and/or generated and added to a data store for devices participating in the wireless communication service. The information associated with the user device can be stored in a database, such as a database accessible to a provisioning server, policy server, and similar devices, to enable the user device to access one or more networks (e.g., Wi-Fi data network, cellular data network, wide-area network, etc.) associated with the 

As Per Claim 10: The rejection of claim 9 is incorporated and further Cyril et al. teaches:
- the hash value is generated using information assigned to the UD by the NSP. 
	(Cyril et al., Paragraph [0027], “The present disclosure relates to methods and systems for using device-based credentials for wireless communication service (e.g., a mobile voice communication service, a mobile telephony service, Wi-Fi data service, cellular data service, etc.) authentication. As part of signing up for a wireless communication service a user can purchase a user device. When the user device is purchased, or at any other time, information associated with the user device can be accessed and/or generated and added to a data store for devices participating in the wireless communication service. The information associated with the user device can be stored in a database, such as a database accessible to a provisioning server, policy server, and similar devices, to enable the user device to access one or more 

As Per Claim 11: The rejection of claim 10 is incorporated and further Cyril et al. teaches:
- the information assigned to the UD by the NSP comprises an International Mobile Subscriber Identity (IMSI). 
	(Cyril et al., Paragraph [0002], “It is to be understood that both the following general description and the following detailed description are example and explanatory only and are not restrictive. Methods and systems for using device-based credentials for wireless communication service are described. In one aspect, when a user registers a user device for a wireless service (e.g., a mobile voice communication service, a mobile telephony service, Wi-Fi data service, cellular data service, etc.), a device identifier can be used to generate credentials to enable the user device to access the wireless service via one or more 

As Per Claim 12: The rejection of claim 10 is incorporated and further Shah et al. does not explicitly teach the following limitation however Targali in analogous art does teach the following limitation:
- the information assigned to the UD by the NSP comprises a Mobile Station International Subscriber Directory Number (MSISDN). 
	(Targali, Paragraph [0037], “This PII may comprise an International Mobile Subscriber Identity (IMSI), an International Mobile Equipment Identity (IMEI), or a Mobile Subscriber International Subscriber Directory Number (MSISDN). The IMSI may comprise a 14- or 15-digit number, which is stored on a Subscriber Identity Module (SIM) card or Universal SIM (USIM) card that is inserted into the terminal and stored in the Home Operator Database (e.g., a Home Location Register, HLR, or a Home Subscriber Server, HSS). If an attacker obtains access to view communications across the telecommunications network, then the attacker may identify a particular user based on the IMSI or other PII associated with his or her terminal. Since terminals are connected to specific physical points on the telecommunications network (e.g., a cell tower or a residential hotspot), the attacker may use this IMSI to determine, and track, where a user is physically located.”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Targali into the method of Cyril et al. as the MSISDN taught by Targali is an obvious interchangeable variation of standard mobile device identification readily implemented with expectations of success.

As Per Claim 13: The rejection of claim 1 is incorporated and further Cyril et al. teaches:
- the authenticator comprises one of an access point and a gateway in communication with said UD. 
	(Cyril et al., Paragraph [0002], “It is to be understood that both the following general description and the following detailed description are example and explanatory only and are not restrictive. Methods and systems for using device-based credentials for wireless communication service are described. In one aspect, when a user registers a user device for a wireless service (e.g., a mobile voice communication service, a mobile telephony service, Wi-Fi data service, cellular data service, etc.), a device identifier can be used to generate credentials to enable the user device to access the wireless service via one or more of a plurality of access points. The device identifier can comprise a user identifier associated with a wireless communication service, such as an international mobile subscriber identity (IMSI). The device identifier can be used, for example, without an additional password, to authenticate a user on the wireless communication service, such as whenever the user device is initially turned on, boots-up, and/or activated.”).
	(Cyril et al., Paragraph [0027], “The present disclosure relates to methods and systems for using device-based credentials for wireless communication service (e.g., a mobile voice communication service, a mobile telephony service, Wi-Fi data service, cellular data service, etc.) authentication. As part of signing up for a wireless communication service a user can purchase a user device. When the user device is purchased, or at any other time, information associated with the user device can be accessed and/or generated and added to a data store for devices participating in the wireless communication service. The information associated with the user device can be stored in a database, such as a database accessible to a provisioning server, policy server, and similar devices, to enable the user device to access one or more networks (e.g., Wi-Fi data network, cellular data network, wide-area network, etc.) associated with the wireless communication service. User credentials for accessing the wireless communication service can 

As Per Claim 14: The rejection of claim 13 is incorporated and further Cyril et al. and Targali do not explicitly teach the following limitation:
- the device management server comprises at least one of a Device Information Database (DID), Operations Support System (OSS) and Business Support System (BSS). 
	However Examiner is giving official notice that a DID, OSS, and BSS are just standard systems used by operators to manage their communications networks and provide service. The use of at least one of DID, OSS, and BSS would be an obvious interchangeable variation to one of ordinary skill in the art before the effective filing date of the claimed invention on the method of Cyril et al. and Targali readily implemented with expectations of success. 
	Also the use would be an expected part of an operator providing this type of service.


As Per Claim 16: The rejection of claim 5 is incorporated and further Cyril et al. teaches:
- the EAP profile stored at the UD comprises information provided by the NSP. Via one or more of an application and a sideloading 
	(Cyril et al., Paragraph [0062], “The network information can comprise first connection information for a first service, such as a first wireless communication service (e.g., first mobile voice communication service, first mobile telephony service, first Wi-Fi data service, first cellular data service, etc.). The first wireless communication service can comprise a public wireless hotspot, a wireless network managed by a service provider (e.g., wide area wireless network), and/or a wireless communication network accessible using user credentials. For example, a plurality of access points (e.g., the gateway device 213, the network device 116) can be located across a geographic area (e.g., building, region, state, country). One or more (or each) of the plurality of access points can be configured to provide access to the first wireless communication service (e.g., based on the first service identifier). One or more (or each) of the plurality access points can be configured to transmit (e.g., broadcast) and/or receive the first service identifier (e.g., as part of providing access to the first wireless communication service, as part of advertising the first wireless communication service, as part of authenticating for the first wireless communication service, combinations thereof, and of the like. The first connection information can comprise additional information associated with (e.g., stored with, associated via a data structure such as a database) the first service identifier. The additional information can comprise encryption keys, encryption type, certificates, service provider information, service information, service set identifier (SSID) information, combinations thereof, and the like. The network information can comprise second connection information for a second wireless communication service (e.g., second mobile voice 
	(Cyril et al., Paragraph [0123], “For purposes of example, application programs and other executable program components such as the operating system 805 are shown herein as discrete blocks, although it is recognized that such programs and components reside at various times in different storage components of the computer 801, and are executed by the one or more processors 803 of the computer. An implementation of the connection software 806 can be stored on or transmitted across some form of computer readable media. Any of the disclosed methods can be performed by computer readable instructions embodied on computer readable media. Computer readable media can be any available media that can be accessed by a computer. By way of example and not meant to be limiting, computer readable media can comprise "computer storage media" and "communications media." "Computer storage media" comprise volatile and non-volatile, removable and non-removable media implemented in any methods or technology for storage of information such as computer readable instructions, data structures, program modules, or other data. Example computer storage media comprises, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other 

As Per Claim 17: Claim 17 is substantially a restatement of the method of claim 1 as an apparatus and is rejected under substantially the same reasoning.

As Per Claim 18: The rejection of claim 17 is incorporated and further Cyril et al. teaches:
- the apparatus comprises one of an access point (AP), a gateway and an Authentication, Authorization, and Accounting (AAA) server. 
	(Cyril et al., Paragraph [0002], “It is to be understood that both the following general description and the following detailed description are example and explanatory only and are not restrictive. Methods and systems for using device-based credentials for wireless communication service are described. In one aspect, when a user registers a user device for a wireless service (e.g., a mobile voice communication service, a mobile telephony service, Wi-Fi data service, cellular data service, etc.), a device identifier can be used to generate credentials to enable the user device to access the wireless service via one or more of a plurality of access points. The device identifier can comprise a user identifier associated with a wireless communication service, such as an international mobile subscriber identity (IMSI). The device identifier can be used, for example, without an additional password, to authenticate a user on the wireless communication service, such as whenever the user device is initially turned on, boots-up, and/or activated.”).
	(Cyril et al., Paragraph [0027], “The present disclosure relates to methods and systems for using device-based credentials for wireless communication service (e.g., a mobile voice communication service, a mobile telephony service, Wi-Fi data service, cellular data service, etc.) authentication. As part of signing up for a wireless communication service a user can purchase a user device. When the user device is 

As Per Claim 19: The rejection of claim 17 is incorporated and further claim 19 is substantially a restatement of the method of claim 7 as an apparatus and is rejected under substantially the same reasoning.

As Per Claim 20: Claim 20 is substantially a restatement of the method of claim 1 as a non-transitory computer readable medium and is rejected under substantially the same reasoning.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BENJAMIN A KAPLAN whose telephone number is (571)270-3170. The examiner can normally be reached on 9:00 a.m. - 5:00 p.m.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.







/BENJAMIN A KAPLAN/Examiner, Art Unit 2434
/KAMBIZ ZAND/Supervisory Patent Examiner, Art Unit 2434