DETAILED ACTION

Notice of AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

The present office action is responsive to communications received on 1/23/2020. Claims 1-20 are pending.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 1/23/2020 and 1/30/2020 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Examiner's Notes
Claims 1-10 reciting “A computer program product for establishing a secure communication channel with a client, the computer program product comprising one or more computer readable storage mediums…”are directed to statutory subject matter. Specification discloses in [0107] that “A computer readable storage medium, as used herein, is not to be construed as being transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission media (e.g., light pulses passing through a fiber-optic cable), or electrical signals transmitted through a wire.”
Claims recite both “hash value” and “hash code”; therefore, examiner assumes these two terms are interchangeable.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159.  See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A 

Claims 1-8 and 11-18 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-5 of U.S. Patent No. 10757225 and claims 1-10 of U.S. Patent No. 10587732.  Although the claims at issue are not identical, they are not patentably distinct from each other because claims of 10757225 B2 and 10587732 B2 Patent contain every element of claims of the instant application. Claims of the instant application therefore are not patently distinct from the earlier application claims and as such are unpatentable over obvious-type double patenting. A later patent/application claim is not patentably distinct from an earlier claim if the later claim is anticipated by the earlier claim.

Instant Application No. 16750915
U.S. Patent No. 10757225
U.S. Patent No. 10587732



1 A computer program product for establishing a secure communication channel with a client, the computer program product comprising one or more computer readable storage mediums having program code embodied therewith, the program code comprising the programming instructions for: 

receiving a request from the client to establish a secure communication channel, wherein the client request is a request for a server to issue an access token within an authorization protocol;

















receiving a client-side credential containing a hash code and a cookie containing a server-side credential from the client over the secure communication channel in response to establishing the secure communication channel, wherein the client-side credential is contained in an authorization header, wherein the server-side credential is subjected to a one-way function to create the hash code;

validating the access token;
triggering an authentication component to perform an additional check based on the cookie in response to the access token containing a hash value, wherein the additional check comprises checking if a cookie with a random value exists;
reapplying the one-way function to the random value to obtain a new hash value in response to the cookie with the random value existing;
comparing the new hash value with the hash value received from the client; and
indicating the access token valid in response to the new hash value matching the hash value received from the client.






11 A system, comprising: 
a memory for storing a computer program for establishing a secure communication channel with a client; and
a processor connected to the memory, wherein the processor is configured to execute the program instructions of the computer program comprising: 


















receiving a client-side credential containing a hash code and a cookie containing a server-side credential from the client over the secure communication channel in response to establishing the secure communication channel, wherein the client-side credential is contained in an authorization header, wherein the server-side credential is subjected to a one-way function to create the hash code;

validating the access token;
triggering an authentication component to perform an additional check based on the cookie in response to the access token containing a hash value, wherein the additional check comprises checking if a cookie with a random value exists;
reapplying the one-way function to the random value to obtain a new hash value in response to the cookie with the random value existing;
comparing the new hash value with the hash value received from the client; and
indicating the access token valid in response to the new hash value matching the hash value received from the client.
1 A client-server connection method performed by a server to establish a secure communication channel with a client, the method comprising: 




receiving a request from the client to establish a secure communication channel, wherein the client request is a request for the server to issue an access token within an authorization protocol; 
generating a client-side credential in response to receiving the request from the client, wherein the client-side credential comprises the access token used for establishing security on the communication channel; 

containing the server-side credential in a cookie of a type that cannot be accessed by the client; 
containing the hash code in the client-side credential; 
transmitting the client-side credential and the cookie to the client; 
receiving the client-side credential containing the hash code and the cookie containing the server-side credential from the client over the secure communication channel, wherein the client-side credential is contained in an authorization header; 





validating the access token; 
triggering an authentication component to perform an additional check based on the cookie in response to the access token containing a hash value, wherein the additional check comprises checking if a cookie with a random value exists; 
reapplying the one-way function to the random value to obtain a new hash value in response to the cookie with the random value existing;  
comparing the new hash value with the hash value contained in the access token; and 
indicating the access token valid in response to the new hash value matching the hash value contained in the access token.
1 A computer program product for establishing a secure communication channel with a client, the computer program product comprising a computer readable storage medium having program code embodied therewith, the program code comprising the programming instructions for: 

receiving a request from the client to establish a secure communication channel, wherein the client request is a request for the server to issue an access token within an authorization protocol; 
generating a client-side credential in response to receiving the request from the client, wherein the client-side credential comprises the access token used for establishing security on the communication channel; 

containing the server-side credential in a cookie of a type that cannot be accessed by the client; 
containing the hash code in the client-side credential; 
transmitting the client-side credential and the cookie to the client; 
receiving the client-side credential containing the hash code and the cookie containing the server-side credential from the client over the secure communication channel, wherein the client-side credential is contained in an authorization header; 





validating the access token; 
triggering an authentication component to perform an additional check based on the cookie in response to the access token containing a hash value, wherein the additional check comprises checking if a cookie with a random value exists;   
reapplying the one-way function to the random value to obtain a new hash value in response to the cookie with the random value existing; 
comparing the new hash value with the hash value received from the client; and 
indicating the access token valid in response to the new hash value matching the hash value received from the client.






6 A system, comprising: 
a memory for storing a computer program for establishing a secure communication channel with a client; and 
a processor connected to said memory, wherein said processor is configured to execute the program instructions of the computer program comprising: 

generating a client-side credential in response to receiving the request from the client, wherein the client-side credential comprises the access token used for establishing security on the communication channel;  
generating a server-side credential and subjecting the server-side credential to a one-way function to create a hash code; 
containing the server-side credential in a cookie of a type that cannot be accessed by the client; 
containing the hash code in the client-side credential; 
transmitting the client-side credential and the cookie to the client; 
receiving the client-side credential containing the hash code and the cookie containing the server-side credential from the client over the secure communication channel, wherein the client-side credential is contained in an authorization header, 





validating the access token; 
triggering an authentication component to perform an additional check based on the cookie in response to the access token containing a hash value, wherein the additional check comprises checking if a cookie with a random value exists; 
reapplying the one-way function to the random value to obtain a new hash value in response to the cookie with the random value existing, 
comparing the new hash value with the hash value received from the client; and 
indicating the access token valid in response to the new hash value matching the hash value received from the client.
2 The computer program product as recited in claim 1, wherein the program code further comprises the programming instructions for: 



12 The system as recited in claim 11, wherein the program instructions of the computer program further comprise: 
generating the client-side credential in response to receiving the request from the client, wherein the client-side credential comprises the access token used for establishing security on the communication channel.
1 …




1 …






6 …



generating a client-side credential in response to receiving the request from the client, wherein the client-side credential comprises the access token used for establishing security on the communication channel;
3 The computer program product as recited in claim 1, 
wherein the cookie is a cookie of a type that cannot be accessed by the client.


13 The system as recited in claim 11, 
wherein the cookie is a cookie of a type that cannot be accessed by the client.
1 …

containing the server-side credential in a cookie of a type that cannot be accessed by the client;
1 …

containing the server-side credential in a cookie of a type that cannot be accessed by the client;


6 …

containing the server-side credential in a cookie of a type that cannot be accessed by the client;
4 The computer program product as recited in claim 1, wherein the program code further comprises the programming instructions for: 
transmitting the client-side credential and the cookie to the client.


14 The system as recited in claim 11, wherein the program instructions of the computer program further comprise: 
transmitting the client-side credential and the cookie to the client.
1 …



transmitting the client-side credential and the cookie to the client; 

1 …



transmitting the client-side credential and the cookie to the client; 


6 …



transmitting the client-side credential and the cookie to the client; 
5 The computer program product as recited in claim 1, wherein the cookie is an HTTPOnly cookie.


15 The system as recited in claim 11, wherein the cookie is an HTTPOnly cookie.
2 The method as recited in claim 1, wherein the cookie is an HTTPOnly cookie.
2 The computer program product as recited in claim 1, wherein the cookie is an HTTPOnly cookie.


7 The system as recited in claim 6, wherein the cookie is an HTTPOnly cookie.
6 The computer program product as recited in claim 1, wherein the server-side credential is the random value computed by a random value generator that cannot be accessed by the client.


16 The system as recited in claim 11, wherein the server-side credential is the random value computed by a random value generator that cannot be accessed by the client.
3 The method as recited in claim 1, wherein the server-side credential is the random value computed by a random value generator that cannot be accessed by the client.
3 The computer program product as recited in claim 1, wherein the server-side credential is the random value computed by a random value generator that cannot be accessed by the client.


8 The system as recited in claim 6, wherein the server-side credential is the random value computed by a random value generator that cannot be accessed by the client.
7 The computer program product as recited in claim 1, wherein the access token comprises a JavaScript Object Notation (JSON) web token.


17 The system as recited in claim 11, wherein the access token comprises a JavaScript Object Notation (JSON) web token.
4 The method as recited in claim 1, wherein the access token comprises a JavaScript Object Notation (JSON) web token.
4 The computer program product as recited in claim 1, wherein the access token comprises a JavaScript Object Notation (JSON) web token.


9 The system as recited in claim 6, wherein the access token comprises a JavaScript Object Notation (JSON) web token.
8 The computer program product as recited in claim 1, wherein the authorization protocol comprises an OAuth authorization protocol.


18 The system as recited in claim 11, wherein the authorization protocol comprises an OAuth authorization protocol.
5 The method as recited in claim 1, wherein the authorization protocol comprises an OAuth authorization protocol.
5 The computer program product as recited in claim 1, wherein the authorization protocol comprises an OAuth authorization protocol.


10 The system as recited in claim 6, wherein the authorization protocol comprises an OAuth authorization protocol.


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claim 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.

The rejection(s) under 35 U.S.C. 112(b) is/are determined by the following reasons:
Claims 1 and 11 recite "…validating the access token;… in response to the access token containing a hash value,… indicating the access token valid in response to…"; however, claims only recite “receiving a client-side credential containing a hash code and a cookie containing a server-side credential from the client …”. It is not clear how this “access token” is received and validated. In addition, claims 9 and 10 recite “verifying that a hash code in an incoming token matches …” Please clarify relationship among these claim limitations, and refer to terms previously defined using a definite article.
Claims 1 and 11 recite "receiving a client-side credential containing a hash code and a cookie…; triggering an authentication component to perform an additional check based on the cookie in response to the access token containing a hash value, wherein the additional check comprises checking if a cookie with a random value exists;”. It is not clear that the “cookie” used in checking existence of random value is the same cookie received from client or a different cookie from server.

The dependent claims included in the statement of rejection but not specifically addressed in the body of the rejection have inherited the deficiencies of their parent claim and have not resolved the deficiencies.  Therefore, they are rejected based on the same rationale as applied to their parent claims above.

Allowable Subject Matter
Claims 1-20 are allowable over prior art; however, claims are not in condition of allowance because they are rejected under double patenting as well as 35 U.S.C. 112(b) set forth in this Office action. Examiner reached out to the applicant's representative Mr. Robert Voigt on 2/16/2021 regarding possible terminal disclaimer and claim amendments to overcome rejections, but Mr. Voigt elected to have non-final office action maintaining the double patenting and 35 U.S.C. 112(b) rejections at this moment.

The following is an examiner's statement of reasons for allowance: Independent Claim 1 and 11 define the distinct features, receiving a request from the client to establish a secure communication channel; receiving a client-side credential containing a hash code and a cookie containing a server-side credential from the client over the secure communication channel; validating the access token; triggering an authentication component to perform an additional check based on the cookie; reapplying the one-way function to the random value to obtain a new hash value; comparing the new hash value with the hash value received from the client; and indicating the access token valid. The closest prior art, Fu (US 20170338951 A1), proposes establishing a secure communication channel between a client and a server. During operation, the client generates a service request comprising a first dynamic message, transmits the first service request to the server, which authenticates the client based on the first dynamic message, and receives a second dynamic message from the server in response to the first dynamic message. The client authenticates the server based on the second dynamic message, and negotiates, via a quantum-key-distribution process, a secret key shared between the client and the server. The client and server then establish a secure communication channel based on at least a first 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US10587732 B2 and US 10757225 B2, "Secure client-server communication", by Burckhardt, teaches a secure client-server connection method compatible with RESTful APIs that is resistant to cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. The server generates a token for the client and a random value which it pairs with the token. The random value is hashed. The hash value is transmitted to the client contained in the token and the random value is transmitted to the client contained in an HTTPOnly cookie. Even if an attacker steals the token and/or the hash, security is maintained, since the server verifies communications from the client by validating the token on the basis of its hash value. Validation is performed by the server hashing the random value contained in the HTTPOnly cookie paired with the token to obtain a further hash value, and checking that this further hash value matches the token's hash value.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HAN YANG whose telephone number is (408)918-7638.  The examiner can normally be reached on Monday to Friday, 9:00-5:00.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/H.Y./Examiner, Art Unit 2493


/Kevin Bechtel/Primary Examiner, Art Unit 2491