DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application is being examined under the pre-AIA first to invent provisions.

Status of Claims
This action is in reply to the amendment and response to office action filed 11/25/2020.
Claim 17 is cancelled.
Claims 1-16 and 18-20 are currently pending and have been examined.

Response to Amendment/Arguments
103
Applicant contends the cited portions of Royyuru do not describe a non-permanent cryptographic key. Examiner respectfully disagrees. Page 9 of Royyuru describes the Institution Key Card Variant (IKCV) as “a variant of the IK derived by combining the IK with digits from the PAN …”. A PAN is non-permanent as it may change. Therefore, the IKCV is also non-permanent.
Applicant also contends the cited portions of Chen describe a key that is not used for encryption. Examiner respectfully disagrees. Chen para 23 states “A mobile device 104 is generally configured to access or receive encryption/decryption keys maintained by key server …”. Chen para 73 states “A transmitted key may be, for example … an encryption key, or the like”. Chen para 78 states “In other words, the mobile device may be configured to obtain an encryption key (rather than a decryption key) from a key server”.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b): 

(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph: 

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claim 18 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.

Lack of Antecedent Basis
Claim 18 recites "wherein the component that generates the first non-permanent cryptographic key and second non-permanent cryptographic key …" without proper antecedent basis. Appropriate correction is needed.

The following is a quotation of 35 U.S.C. 112(d): 

(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

Claims 8, 18 and 20 are rejected under 35 U.S.C. 112(d) as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends.  

Claim 8 recites “The method of claim 2, wherein generating the first non-permanent cryptographic key and second non-permanent cryptographic key comprises generating ...”. However, this limitation fails to further limit the subject matter of the claim upon which it depends, claim 2, because the limitation “generating the first non-permanent cryptographic key and second non-permanent cryptographic key” is not recited in claim 2.
Claim 18 recites “The system of claim 12, wherein the component that generates the first non-permanent cryptographic key and second non-permanent cryptographic key generates …”. However, this limitation fails to further limit the subject matter of the claim upon which it depends, claim 12, because the limitation “the component that generates the first non-permanent cryptographic key and second non-permanent cryptographic key” is not recited in claim 12.
Claim 20 recites “The system of claim 1 …”. However, this limitation fails to further limit the subject matter of the claim upon which it depends, claim 1, because a system is not recited in claim 1.
Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements. “When examining a dependent claim, the examiner should determine whether the claim complies with 35 U.S.C. 112(d), which requires that dependent claims contain a reference to a previous claim in the same application, specify a further limitation of the subject matter claimed, and include all the limitations of the previous claim.” See MPEP 608.01(n) III.


Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action: 

A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.

Claims 1-4, 6-8, 11-14, 16 and 18 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Royyuru (US 2010/0185545 A1) in view of Chen (US 2007/0297610 A1).

Claims 1 and 11:
Royyuru teaches:
at a mobile device, executing an application in an operating system of the mobile device, the application generating [generates a] response cryptograms (“The dynamic PAN ... can be considered a dynamic ... cryptogram...” para 47) using data associated with an account that has an associated digital credential without accessing a permanent cryptographic key (“card-level key” “Generating the dynamic PAN can be based on the real PAN, an [IKCV] stored on the device.” para 33) [issued] for the digital credential and sending the response cryptograms over a first communications channel (paras 7, 32-33, 35, 51,53)
the application ... the account..., ... the account (paras 32, 37, 51)
locally storing [stores] the first non-permanent cryptographic key at the mobile device as a local cryptographic key (“Institution key” page 8, para 57, “KEY-ID” “How it is generated” “… when a new IK is requested” page 9 para 57) associated with the account (para 51)
sending information to a [of a] point-of-sale (POS) terminal from the mobile device (para 51), wherein sending information to the POS terminal comprises
generating [generates], by the application, a response cryptogram (“dynamic PAN” paras 33, 54) using the local cryptographic key for encryption (paras 7, 33, 54)
sending [sends] a device response communication from the mobile device to an electronic reader (Fig.3 items 325 and 335) through the first communications channel (paras 35, 47, 51), the device response communication comprising an application data protocol unit containing the response cryptogram and an account identifier for the account (paras 7, 32-33, 51, 53)
a mobile device (Fig.3 item 304; para 46) comprising:
a wireless interface to connect to a wireless network that is separate from a communications channel over which communications are received by the mobile device (Fig.3 item 305; paras 21, 46)
a processor (Fig.3 item 320)
a non-transitory computer readable storage medium accessible by the processor, the computer readable storage medium storing an application executable in an operating system of the mobile device, the application including: a component that … ; a component that … ; a component that … ; and a component that … (Fig.3 item 310; para 51)
Royyuru does not teach:
receiving [receives] by... over a wireless network from a remote computer system, a first set of data associated with..., the first set of data comprising a first non-permanent cryptographic key associated with ...
Chen teaches:
receiving by [receives]... over a wireless network from a remote computer system, a first set of data associated with..., the first set of data comprising a first non-permanent cryptographic key associated with ... (paras 23, 25, 39, 73-74, 76, 78)
locally storing [stores] the first non-permanent cryptographic key at... as a local cryptographic key associated with... (paras 35, 73-74, 78)
It would have been obvious at the time the invention was made to a person having ordinary skill in the art to modify the method taught by Royyuru with the receiving and storing keys taught by Chen because this would help to leverage encryption technology to protect information stored on a mobile device (Chen para 4).


Claims 2 and 12: 
Royyuru teaches:
the application... the account..., the account (paras 37, 51)
the account... the account [… the account] (paras 37, 51)
Royyuru does not teach:
receiving [receive] by... over the wireless network from the remote computer system, a second set of data associated with..., the second set of data comprising a second nonpermanent cryptographic key associated with...
storing [store] the received second non-permanent cryptographic key as the local cryptographic key associated with [to change the local cryptographic key associated with]
Chen teaches:
receiving [receive] by... over the wireless network from the remote computer system, a second set of data associated with..., the second set of data comprising a second nonpermanent cryptographic key associated with... (paras 22-23, 25, 39, 73-74, 76, 78)
storing [store] the received second non-permanent cryptographic key as the local cryptographic key associated with [to change the local cryptographic key associated with] (paras 35, 73-74)
It would have been obvious at the time the invention was made to a person having ordinary skill in the art to modify the method taught by Royyuru with the receiving and storing keys taught by Chen because this would help to leverage encryption technology to protect information stored on a mobile device (Chen, para 4).

Claims 3 and 13:
Royyuru teaches:
generating, by the application, another response cryptogram (“The dynamic PAN ... can be considered a dynamic ... cryptogram...” para 47) using the second non-permanent cryptographic key (“card-level key” “Generating the dynamic PAN can be based on the real PAN, an [IKCV] stored on the device.” para 33)
the account... the account (para 51)
the application includes a component to … (para 51)
Royyuru does not teach:
wherein the first non-permanent cryptographic key associated with... is different from the second non-permanent cryptographic key associated with … [change the local cryptographic key associated with … between interrogations]
Chen teaches:
wherein the first non-permanent cryptographic key associated with... is different from the second non-permanent cryptographic key associated with … [change the local cryptographic key associated with … between interrogations] (para 74)
It would have been obvious at the time the invention was made to a person having ordinary skill in the art to modify the method taught by Royyuru with the local keys taught by Chen because this would help to leverage encryption technology to protect information stored on a mobile device (Chen, para 4).

Claims 4 and 14:
Royyuru teaches:
the application... the account..., the account (paras 37, 51)
wherein the mobile device is an NFC emulating device (para 51)
wherein the first communications channel is an NFC communications channel (para 51) ... the account... the account... a data connection over the internet (paras 37, 51)
Royyuru does not teach:
receiving [receive] by... over the wireless network from the remote computer system, a second set of data associated with..., the second set of data comprising a second nonpermanent cryptographic key associated with...
and the first set of data associated with... and the second set of data associated with... are received [request and receive] via... [to the remote computer system] 
Chen teaches:
receiving [receive] by... over the wireless network from the remote computer system, a second set of data associated with..., the second set of data comprising a second nonpermanent cryptographic key associated with... (paras 22-23, 25, 39, 73-74, 76, 78)
and the first set of data associated with... and the second set of data associated with... are received [request and receive] via... [to the remote computer system] (paras 22, 23, 73-74)
It would have been obvious at the time the invention was made to a person having ordinary skill in the art to modify the method taught by Royyuru with the receiving and storing keys taught by Chen because this would help to leverage encryption technology to protect information stored on a mobile device (Chen, para 4).

Claims 6 and 16:
Royyuru teaches:
generating the response cryptogram using a set of inputs of a card specification (paras 33, 54)

Claim 7:
Royyuru teaches:
a remote payment authorization process (paras 48, 50)
Royyuru does not teach:
wherein the first non-permanent cryptographic key and second non-permanent cryptographic key are associated with ... 
Chen teaches:
wherein the first non-permanent cryptographic key and second non-permanent cryptographic key are associated with ... (paras 40-41,73-74)
It would have been obvious at the time the invention was made to a person having ordinary skill in the art to modify the method taught by Royyuru with the shared keys taught by Chen because this would help to leverage encryption technology to protect information stored on a mobile device (Chen, para 4).

Claims 8 and 18:
Royyuru teaches:
an issuer master key (“The decryption module 360 of the payment processor system 350 can decrypt the dynamic PAN 326 using the institution key for the issuer of the instrument...” para 48)
Royyuru does not teach:
generating [generates] the first non-permanent cryptographic key and the second non-permanent cryptographic key based on... 
Chen teaches:
generating [generates] the first non-permanent cryptographic key and the second non-permanent cryptographic key based on... (paras 73-74)
It would have been obvious at the time the invention was made to a person having ordinary skill in the art to modify the method taught by Royyuru with the master key associated keys taught by Chen because this would help to leverage encryption technology to protect information stored on a mobile device (Chen, para 4).

Claims 5 and 15 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Royyuru in view of Chen and further in view of Candelore (US 2002/0073315 A1).

Claims 5 and 15:
Royyuru in view of Chen does not teach:
generating [generates] a hash comprising encrypted data that cannot be unencrypted
Candelore teaches:
generating [generates] a hash comprising encrypted data that cannot be unencrypted (paras 37, 39)
It would have been obvious at the time the invention was made to a person having ordinary skill in the art to modify the method taught by Royyuru in view of Chen with generating a hash comprising encrypted data that cannot be unencrypted taught by Candelore because doing so would be the simple substitution of one encryption method (Royyuru, 47) for another (Candelore, 37, 39), resulting in the predictable result of generating a hash comprising encrypted data that cannot be unencrypted.

Claims 9 and 19 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Royyuru in view of Chen and further in view of Ginter (US 5,892,900).

Claims 9 and 19:
Royyuru teaches:
... the mobile device sending the response cryptogram to the POS terminal (para 51)
... the account (para 51)
... the mobile device... (para 51)
... the mobile device sending the response cryptogram to the POS terminal (para 51)
... the account (para 51)
... the mobile device... (para 51)
Royyuru does not teach: 
at the remote computing system: prior to... [configured to]
generating [generate] the first non-permanent cryptographic key[s] [with]
associating the first non-permanent cryptographic key with...
sending [send] the first non-permanent cryptographic key[s] [associated with …] and the account identifier to... over the wireless network
subsequent to...
generating a second non-permanent cryptographic key
associating the second non-permanent cryptographic key with...
sending the second non-permanent cryptographic key and the account identifier to... over the wireless network
Chen teaches:
at the remote computing system: prior to... [configured to] (para 73-74)
generating [generate] the first non-permanent cryptographic key[s] [with] (paras 73-74, 78)
associating the first non-permanent cryptographic key with... (paras 39, 43, 73-74)
sending [send] the first non-permanent cryptographic key[s] [associated with …] ... to... over the wireless network (paras 22, 73-74)
subsequent to... (paras 73-74)
generating a second non-permanent cryptographic key (paras 73-74, 78)
associating the second non-permanent cryptographic key with... (paras 39, 43, 73-74)
sending the second non-permanent cryptographic key... to... over the wireless network (paras 22, 73-74)
It would have been obvious at the time the invention was made to a person having ordinary skill in the art to modify the method taught by Royyuru with the nonpermanent cryptographic keys taught by Chen because this would help to leverage encryption technology to protect information stored on a mobile device (Chen, para 4).
Royyuru in view of Chen does not teach: 
... and the account identifier... and the account identifier.... 
Ginter teaches:
... and the account identifier... and the account identifier... (col. 135, L20-34; col. 159, L12-15, L30-31, L40-41; col. 215, L31-60; col. 216, L25-32).
It would have been obvious at the time the invention was made to a person having ordinary skill in the art to modify the method taught by Royyuru in view of Chen with the account identifier taught by Ginter because this would help to support low-cost, efficient, and effective security architectures for transaction control (Ginter, col. 21, L60-61).

Claims 10 and 20 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Royyuru in view of Chen and further in view of Mendel (US 8,549,586 B2).

Claims 10 and 20:
Royyuru in view of Chen does not teach: 
wherein the digital credential comprises a [the] secure element representation maintained at the remote computer system [wherein the remote computer system comprises]
Ginter teaches:
wherein the digital credential comprises a [the] secure element representation maintained at the remote computer system [wherein the remote computer system comprises] (7:12-25).
It would have been obvious at the time the invention was made to a person having ordinary skill in the art to modify the method taught by Royyuru in view of Chen with the digital credential comprising a secure element representation maintained at the remote computer system, as taught by Mendel, in order to improve system security (Mendel 1:34 to 2:10).

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Arastoo (Ari) Shahabi whose telephone number is (571)272-2565.  The examiner can normally be reached on M-F: 8:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, John W Hayes can be reached on 571-272-6708.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/Arastoo (Ari) Shahabi/Examiner, Art Unit 3685 

/JOHN W HAYES/Supervisory Patent Examiner, Art Unit 3685