DETAILED ACTION

Notice of AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

The present office action is responsive to communications received on 2/27/2019. Claims 1-20 are pending.

Priority
Acknowledgment is made of applicant’s claim for foreign priority under 35 U.S.C. 119 (a)-(d). The certified copy has been filed in parent Application No. 15237738, filed on 8/16/2016.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 3/11/2019, 4/10/2019, and 9/12/2019 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Drawings
The drawings are objected to because:
In Fig. 4, "Means" should be "Device". Labels for step 1 and 2 are missing. Labels for computer (100), device (115), plugin (135), browser (130), and site (140) are missing as well.

Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.

Claim Objections
Claims 4, 6, 11 and 18 are objected to because of the following informalities: 
Claims 4, 11 and 18 recite “wherein the secure device queries a plugin of the browser to determine that a connection is being established with the protected website”. The expression "a connection" has already been defined previously in the claims and should therefore be referred to using a definite article.
In claim 6, “saving the list to the device” is not indented as required by 37 CFR 1.75(i).
Appropriate correction is required.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159.  See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. 

Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 5, 6, 7 and 12 of U.S. Patent No. 10284543.  Although the claims at issue are not identical, they are not patentably distinct from each other because claims of 10284543 B2 Patent contain every element of claims of the instant application. Claims of the instant application therefore are not patently distinct from the earlier application claims and as such are unpatentable over obvious-type double patenting. A later patent/application claim is not patentably distinct from an earlier claim if the later claim is anticipated by the earlier claim.

Instant Application No. 16287170
U.S. Patent No. 10284543 B2


1 A method for secure online authentication, comprising: 
determining, by a secure device, that a connection is being established between a browser and a protected website by analyzing web requests from the browser; 



obtaining, at the secure device, information for the protected website when a request for authentication is received from the protected website; 



establishing a protected data transmission channel between the secure device and the protected website; 



receiving one or more authentication certificates from the protected website; 


verifying validity of the one or more authentication certificates; 






responsive to the one or more authentication certificates being verified, performing authentication and transmitting, from the device, authentication data stored on the device to the protected website; 

in response to successful authentication from the protected website, transmitting a new session identifier from the device to the browser for enabling access to the protected website; and 


requesting that the browser dispatch the new session identifier to the protected website in response to the connection being established via the web requests.




Similar rationale for claim 8 and 15.

1 A computer-implemented method for secure online authentication, the method comprising: 
determining, via a processor of a secure connection device, a connection being established between a browser application installed on a computer system and a protected website, wherein the computer system is distinct from the device;

obtaining, at the device, information relating to the protected website in response to a plugin of the browser application determining that the computer system has obtained a request for authentication from the protected website;

establishing a protected data transmission channel between the device and the protected website to receive, at the device, at least one certificate of the protected website;

receiving a complete tree of certificates, except a root certificate, associated with the protected website from the plugin of the browser application;

verifying validity of the complete tree of certificates based on a list of root certificates stored on the device;

when the validity of the complete tree of 

responsive to the complete tree being verified, performing authentication and transmitting, from the device, authentication data stored on the device to the protected website; and

in response to an indication of a successful authentication from the protected website, transmitting a new session identifier from the device to the plugin of the browser application for enabling access to the protected website.

12 The computer-implemented method of claim 1, further comprising: 
continuing access to the protected website using browser application after transmitting identification information to the browser application for enabling access to the protected website.

2 The method of claim 1, further comprising: 
in response to the one or more authentication certificates being not verified, disconnecting the protected transmission channel.

Similar rationale for claim 9 and 16.

1 …
when the validity of the complete tree of certificates is not verified, disconnecting the protected data transmission channel;

3 The method of claim 1, wherein the one or more authentication certificates is a tree of certificates. 



Similar rationale for claim 10 and 17.

1 …
receiving a complete tree of certificates, except a root certificate, associated with the protected website from the plugin of the browser application;

4 The method of claim 1, wherein the secure device queries a plugin of the browser to determine that a connection is being established with the protected website.










Similar rationale for claim 11 and 18.

1 …
determining, via a processor of a secure connection device, a connection being established between a browser application installed on a computer system and a protected website, wherein the computer system is distinct from the device;

obtaining, at the device, information relating to the protected website in response to a plugin of the browser application determining that the computer system has obtained a request for authentication from the protected website;

5 The method of claim 4, further comprising: 

saving a list of protected websites at the device or the plugin.


Similar rationale for claim 12.

5 The computer-implemented method of claim 4, further comprising 
storing, on the device, the list of addresses of protected websites accessed by the computer system and encrypted data relating to the protected websites.

6 The method of claim 5, further comprising: 
downloading the list of protected websites when the secure device is connected to a computer system where the browser is installed; and 
saving the list to the device.

Similar rationale for claim 13 and 19.

5 The computer-implemented method of claim 4, further comprising 
storing, on the device, the list of addresses of protected websites accessed by the computer system and encrypted data relating to the protected websites.

7 The method of claim 1, further comprising: 
obtaining headers or a list of downloaded scripts when establishing the protected data transmission channel; 
calculating a hash sum of the headers or the list of downloaded scripts; 
comparing the hash sum with hash sums stored on the secure device; 
in response to nonmatching hash sums, disconnecting the protected data transmission channel.














Similar rationale for claim 14 and 20.

6 The computer-implemented method of claim 1, wherein the information relating to the protected website comprise: a URL address, information relating to the at least one certificate of the protected website, WHOIS information about a domain of the protected website, a list of headers obtained from a reply to a request at the URL address, information relating to downloaded scripts in the form of convolutions or hash sums.

7. The computer-implemented method of claim 1, further comprising:
checking a validity of the protected website based on obtained information relating to the protected website, the information comprising obtained headers or list of downloaded scripts when establishing the connection.

1 …
when the validity of the complete tree of certificates is not verified, disconnecting the protected data transmission channel;



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 8-10 and 15-17 are rejected under 35 U.S.C. 103 as being unpatentable over Eldar (US 20140173709 A1) in view of Jayaraman (US 20110321139 A1).

Regarding claim 1, Eldar teaches a method for secure online authentication, comprising: ([Abstract] Secure authentication to a remote application operating on a remote server)
determining, by a secure device, that a connection is being established between a browser and a protected website by analyzing web requests from the browser; (Fig 3, Browser application opens website login page associated with remote application and remote server (310); Browser application detects remote application requiring login (312))
obtaining, at the secure device, information for the protected website when a request for authentication is received from the protected website; (Fig 3, Browser application sends login request associated with remote application/remote server to security engine (314); Security engine searches secure memory storage to identify confidential information associated with the remote application and/or remote Server (316))
establishing a protected data transmission channel between the secure device and the protected website; (Fig 3, Secure network module opens secure channel with the remote application/remote server (e.g., HTTPS) (320))
performing authentication and transmitting, from the device, authentication data stored on the device to the protected website; (Fig 3, Security engine sends populated request message with confidential data to remote application/remote server (322))
in response to successful authentication from the protected website, transmitting a new session identifier from the device to the browser for enabling access to the protected website; and 
requesting that the browser dispatch the new session identifier to the protected website in response to the connection being established via the web requests. ([0034] The browser application may then update the cookie information with the provided session cookie (operation 328) and completes processing of the HTTP response (operation 330). The browser application is thus logged-in to the remote application/remote server and the user may continue browsing normally as an authenticated user (operation 332).) In summary, Eldar discloses if the login information (including the confidential information) is valid, the web application grants access to the client platform and the browser application resumes control as an authenticated user (¶9).

Eldar teaches secure online authentication, but does not explicitly teach receiving one or more authentication certificates from the protected website; verifying validity of the one or more authentication certificates; responsive to the one or more authentication certificates being verified, performing authentication and transmitting, from the device, authentication data stored on the device to the protected website. This aspect of the claim is identified as a difference.
However, Jayaraman in an analogous art explicitly teaches 
receiving one or more authentication certificates from the protected website; verifying validity of the one or more authentication certificates; ([0058] The computer implemented method disclosed herein provides one or more databases that store certificates of multiple validated online portals in the online environment. The client application protects the databases from tampering by 
responsive to the one or more authentication certificates being verified, performing authentication and transmitting, from the device, authentication data stored on the device to the protected website; ([0136] Fig. 6B, The client application 203 checks 614 the validity of the website certificate and the root certificate of the requested online portal. If the certificates are valid, the client application 203 notifies 616 the user 401 that the online banking website can be trusted.) Here reference Jayaraman discloses performing certain action responsive to the certificates being verified. Reference Eldar discloses this action being performing authentication and transmitting authentication data to the protected website. Therefore Eldar in view of Jayaraman discloses the whole limitation.
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “secure attestation and authentication to remote server” concept of Eldar, and the “online protection of information and resources” approach of Jayaraman, to protect the databases that store certificates from tampering and ensure that the verification procedure is not compromised by unauthorized entities (Jayaraman [0058]).

Regarding claim 2, Eldar in view of Jayaraman teaches all the features with respect to claim 1, as outlined above. The combination further teaches in response to the one or more authentication certificates being not verified, disconnecting the protected transmission channel. ([Jayaraman 0136] Fig. 6B, The client application 203 checks 614 the validity of the website certificate and the root certificate of the requested online portal. If the certificates are invalid, the client application 203 blocks 615 the invalid website or the fraudulent banking website and notifies the user 401 that the fraudulent 

Regarding claim 3, Eldar in view of Jayaraman teaches all the features with respect to claim 1, as outlined above. The combination further teaches wherein the one or more authentication certificates is a tree of certificates. ([Jayaraman 0015] typical web browsers maintain lists of trusted root certificates to verify a certificate of a transaction website and identify the transaction website to the user.)

Regarding claims 8-10 and 15-17, the scope of the claims are similar to that of claims 1-3, respectively. Accordingly, the claims are rejected using a similar rationale.

Claims 4-6, 11-13 and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Eldar (US 20140173709 A1) in view of Jayaraman (US 20110321139 A1) and Fox Ivey (US 20150281227 A1).

Regarding claim 4, Eldar in view of Jayaraman teaches all the features with respect to claim 1, as outlined above. But the combination does not teach wherein the secure device queries a plugin of the browser to determine that a connection is being established with the protected website. This aspect of the claim is identified as a difference.
However, Fox Ivey in an analogous art explicitly teaches wherein the secure device queries a plugin of the browser to determine that a connection is being established with the protected website. ([0060] the browser extension 106 provides a range of capabilities including: an algorithm for the detection of web login and account sign-up forms.) Here reference Eldar discloses that a connection is being established with the protected website can be determined through browser application opening 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “secure attestation and authentication to remote server” concept of Eldar, and the “browser extension” approach of Fox Ivey, so the browser extended functionality is defined and available to the end-user. This way, benefits provided by browser extension, such as fast access, intuitive controls, cross-platform and adaptation for any browser, can be fully utilized (Fox Ivey [0060]).

Regarding claim 5, Eldar in view of Jayaraman and Fox Ivey teaches all the features with respect to claim 4, as outlined above. The combination further teaches saving a list of protected websites at the device or the plugin. ([Eldar 0026] the security engine 56 may search the secure memory storage 38 for the user's confidential data associated with the remote application 20 and/or remote server 22 (e.g., using the web-site URL). The secure memory storage 38 may include one or more user-profile databases which each associate a user's confidential data with the remote application 20 and/or remote server 22 (e.g., web-site URL).)

Regarding claim 6, Eldar in view of Jayaraman and Fox Ivey teaches all the features with respect to claim 5, as outlined above. The combination further teaches downloading the list of protected websites when the secure device is connected to a computer system where the browser is installed; and saving the list to the device. ([Fox Ivey 0018- 0019] When browsing the Internet on an enabled computer the solution automatically detects login forms. When entering user names and passwords in a transmits credentials through a secure server to a paired mobile device application which encrypts and stores them. When revisiting a site for which a login has been stored, the solution detects the login form, checks to see if a login has been stored for the URL.)

Regarding claims 11-13 and 18-19, the scope of the claims are similar to that of claims 4-6, respectively. Accordingly, the claims are rejected using a similar rationale.

Claims 7, 14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Eldar (US 20140173709 A1) in view of Jayaraman (US 20110321139 A1) and Shraim (US 20060069697 A1).

Regarding claim 7, Eldar in view of Jayaraman teaches all the features with respect to claim 1, as outlined above. But the combination does not teach obtaining headers or a list of downloaded scripts when establishing the protected data transmission channel; calculating a hash sum of the headers or the list of downloaded scripts; comparing the hash sum with hash sums stored on the secure device; in response to nonmatching hash sums, disconnecting the protected data transmission channel. This aspect of the claim is identified as a difference.
However, Shraim in an analogous art explicitly teaches 
obtaining headers or a list of downloaded scripts when establishing the protected data transmission channel; ([0134] it can be useful to provide an efficient way to compare URLs and/or web sites from a plurality of investigations.) Here, Shraim discloses portable code (such as a Java applet, a JavaScript, a CGI application, etc.) and a hash algorithm being applied (¶158, analogous to claim limitation “downloaded scripts”); as well as message header and corresponding checksums/hashes comparison (¶206).
calculating a hash sum of the headers or the list of downloaded scripts; ([0134] the method 560 can include generating and/or storing (e.g., in a database, file system, etc.) a checksum and/or hash value associated with the URL and/or page(s) referenced by the URL (e.g., the page directly referenced by the URL and/or the pages crawled in block 580) (block 590). Merely by way of example, a hashing algorithm may be used to calculate a value for the URL string and/or for the contents of the referenced page(s). Alternatively, a checksum value may be calculated for the contents of these page(s). Either (or both) of these procedures may be used to provide an efficient “snapshot” of a URL, web page and/or web site. (In some cases, a discrete checksum/hash may be generated for a URL, an entire site and/or individual pages from that site).)
comparing the hash sum with hash sums stored on the secure device; ([0134] The checksum/hash value(s) may then be compared against other such values (which may be stored, as described above, in a database, file system, etc.) calculated for URLs/web sites investigated previously (block 592).)
in response to nonmatching hash sums, disconnecting the protected data transmission channel. ([0134] If the checksum/hash value matches the value for a web site previously found to be fraudulent, the odds are good that the present site is fraudulent as well.) Similarly, checksum/hash value can be used to match the value for a web site previously found to be trustworthy. Reference Jayaraman discloses “blocking invalid website and notifying user” after mismatches (Fig. 6B, 615), which is analogous to claim limitation “disconnecting the protected data transmission channel”.
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “secure attestation and authentication to remote server” concept of Eldar, and the “analyzing data related to online fraud” approach of Shraim, to provide an efficient way to compare URLs and/or web sites to detect and prosecute scammer for fraudulent web site (Shraim [0134]).

Regarding claims 14 and 20, the scope of the claims are similar to that of claim 7. Accordingly, the claims are rejected using a similar rationale.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 9473516 B1, "Detecting network attacks based on a hash", by Jezorek, teaches using a hash request to detect a change associated with accessing a network-based resource. Determine a portion of a network-based document for hashing; access a client hash of the portion of the network-based document generated based at least in part on a client device access; access a provider hash of the portion of the network-based document generated based at least in part on a trusted version of the portion of the network-based document; detect an issue with the client device access based at least in part on comparing the client hash and the provider hash. For example, the browser or application can look for certain fields, such as login, header, footer, or some other fields of the web page that may be static and may not be change in association with presenting the web page at different client devices.
US 20180124106 A1, "Detecting "man-in-the-middle' attacks", by Edwards, teaches a method for detecting a man-in-the-middle attack against communications between a client device and a specific remote end point over a network, the method using probe software installed on the client device, the method comprising the probe software sending a connection initiation request from the client device over the network, .

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HAN YANG whose telephone number is (408)918-7638.  The examiner can normally be reached on Monday to Friday, 9:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer 

/H.Y./Examiner, Art Unit 2493


/Kevin Bechtel/Primary Examiner, Art Unit 2491