DETAILED ACTION
Acknowledgements
This office action is in response to the claims filed 02/02/2021.
Claims 1, 3, 6, 8, 10, 12, and 14 are amended.
Claims 7 and 15 are cancelled.
Claims 16 and 17 are new.
Claims 1-6, 8-14, 16 and 17 are pending.
Claims 1-6, 8-14, 16 and 17 have been examined.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Objections
Claim 10 is objected to because of the following informalities: claim 10 recites “previously amended” but claim 10 currently contains new amendments and should have been correctly labelled as “currently amended”. Appropriate correction is required.

Response to Arguments
Applicant's arguments filed 02/02/2021 have been fully considered but they are not persuasive. 
112
Due to Applicant’s amendments, the prior 112 rejections are withdrawn.
103
Applicant has amended the independent claims to include the phrase “end user's portable communication device”, claiming this new device cannot be the same as the issuer of Holdsworth. Examiner respectfully disagrees.
In prior iterations of the claim limitations the initiating and decrypting steps were not performed by the “device”. Given BRI, they could have been performed by remote entities. Applicant’s amendments change and further limit the previous scope of these limitations. Holdsworth teaches the issuer server performing the claimed limitations, and the combination of Holdsworth and Ross teaches the issuer device being an “end user's portable communication device”, the user being the issuer.
Holdsworth states - System 300 comprises a merchant server 304 interface with a user terminal 302. System 300 also comprises an issuer authority 306, a directory 312, and a acquirer authority 308. (Column 8, line 37-42)


[Image: media_image1.png]


Ross states- in one embodiment, issuer 210 and/or trusted server 250 may be implemented as a server, a personal computer (PC), a smart phone, personal digital assistant (PDA), laptop computer, and/or other types of computing devices capable of transmitting and/or receiving data, such as an iPad™ from Apple™… (¶ 71, 74)
The combination of Holdsworth and Ross teaches the new amendments.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 8, 10-12, 16 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Holdsworth (7,437,757) (“Holdsworth”), in view of Ross (2013/0138570) (“Ross”).
Regarding claims 1 and 10, Holdsworth discloses receiving, by the end user's communication device, a password input by a user, wherein the password is not stored on the end user's portable communication device prior to receiving the password;
Holdsworth states - the user can be prompted to input a personal identifier, such as a PIN. In general, the personal identifier is some type of password or secret number that is associated with the user, but may include additional factors such as biometric parameters or a graphical PIN…Because the registration entries are deleted, there is nothing stored on terminal 302 that can be accessed, e.g., by a hacker, and used to fraudulently gain access to the user's account or account information. Not only does the issuer no longer need to worry that an issued token will be stolen or lost in the mail, there is also no longer any need to send a password or PIN, i.e., a personal identifier, to the user. This is because the user can create their personal identifier during enrollment. Therefore, the issuer also does not need to worry about the user's personal identifier ending up in the wrong hands. As a result, issuance is made simpler, less risky, and less burdensome for both the issuer and the user. (column 11, line 22-30, column 18, line 64-66)


generating, by the end user's communication device, an encryption key as a function of the user-input password (column 8, line 29-36, column 13, line 5-19, column 16, line 9-20, column 18, line 64-67, column 19, line 1-8); 
Holdsworth states - a transactional unique session key is generated in step 812 and used to encrypt the information in step 814. The term transactional unique

decrypting, by the end user's communication device, an encrypted token using the encryption key (column 13, line 57-67, column 14, line 6-8, 55-62, column 16, line 21-27); 
Holdsworth states - The token serial number, random data, message key, and PIN co-ordinates can then be concatenated and encrypted with the three equal keys to form a cipher. Once the session key has been derived, issuer authority 306 can attempt to decrypt the cipher. If the cipher can be decrypted, the enrollment information can, for example, be assumed valid…Further, once the information is decrypted, issuer authority 306 can be in possession of the enrollment information, e.g., token serial number, random data, message key, and the PIN… The encrypted information is then sent to issuer authority 306 in step 816. Issuer authority can then decrypt the received information, using the session key, in step 818. Once the information is decrypted, it is validated in step 820 to verify that token 106 is present (column 14, line 6-8, 55-62, column 16, line 21-27)
 
verifying, by the end user's communication device, whether the token was properly decrypted (column 14, line 6-8, 55-62, column 16, line 21-27, column 19, line 40-64); 
Holdsworth states - Further, once the information is decrypted, issuer authority 306 can be in possession of the enrollment information, e.g., token serial number, random data, message key, and the PIN. Issuer authority 306 can be configured to then determine if the enrollment information comprises the correct format. If the format is correct, then issuer authority 306 can be configured to store the enrollment information in a user profile… Once the information is decrypted, it is validated in step 820 to verify that token 106 is present and that the user is who they say they are. (column 14, line 55-62, column 16, line 21-27)

in response to verification that the token was properly decrypted, decrypting, by the end user's communication device, a credential using the encryption key (column 5, line 1-8, column 16, line 28-55, column 18, line 31-41, column 20, line 4-27); and
Holdsworth states - It should also be noted that the cryptogram should include at least one personal identifier to establish the presence of the person, and at least one unique element to establish the presence of the token. …The cryptogram can be partially decrypted using the session key as shown in step 988. The special format results can be compared in step 990. If they equate in step 992, then the authentication is complete and the validation is established...Once the cryptogram is received, then authentication authority 306 can validate the biometric information. For instance, by decrypting the cryptogram, extracting the biometric information, and verifying it. (column 18, line 35-38, column 20, line 4-27)

Holdsworth does not teach the issuer having a portable communication device, nor initiating, by the end user's portable communication device, a near-field communication transaction with a reader using the decrypted credential.

Ross teaches the end user's portable communication device and initiating, by the end user's portable communication device, a near-field communication transaction with a reader using the decrypted credential (¶ 71, 74).  
Claim Interpretation - According to the disclosure (¶ 61), “If properly decrypted, the device 50 may determine that the user entered the correct password and may then use the key to decrypt an encrypted credential stored by the device 50 for use in an NFC transaction.” For the purpose of claim interpretation, the decrypted credential is not used for the NFC communication between the end user's portable communication device and the reader.
Ross states - in one embodiment, issuer 210 and/or trusted server 250 may be implemented as a server, a personal computer (PC), a smart phone, personal digital assistant (PDA), laptop computer, and/or other types of computing devices capable of transmitting and/or receiving data, such as an iPad™ from Apple™… Credential interface 220 may be a card reader, a USB port, an SD interface, or other interface configured to establish a communication link, which may be a wired or wireless (e.g., Bluetooth, RFID, NFC) communication link, between issuer 210 and credential 230. (¶ 71, 74)


Regarding claims 2 and 11, Ross teaches wherein generating the encryption key is additionally a function of one or more device-specific values (¶ 57, 66). 
Regarding claims 3 and 12, Holdsworth discloses wherein generating the encryption key is additionally a function of one or more key generation parameters selected from a group comprising: user biometric data, a slider value, an iteration counter value, an initialization vector, and a salt (column 18, line 64-67, column 19, line 1-8).  
Regarding claim 4, Holdsworth discloses encrypting a token using the encryption key to form the encrypted token (column 14, line 6-8).  
Regarding claim 8, Holdsworth discloses wherein generating the encryption key is additionally a function of one or more key generation parameters selected from a group comprising: user biometric data, a slider value, an iteration counter value, an initialization vector, and a salt (column 18, line 64-67, column 19, line 1-8). 
Regarding claims 16 and 17, Ross teaches wherein the near-field communication transaction comprises a secure payment transaction at a point of sale (Abstract; Table 1, 2; ¶ 43, 46, 48, 63, 74, 81, 86).
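The limitation sequence of claims 1 and 10 (password input, key generation as a function of the password and of the device-specific values and key-generation parameters of claims 2, 3 and 8, token decryption, verification, and only then credential decryption), carried through as an added example. This code is not from the application or from Holdsworth or Ross. Its assumptions are labelled: the key is derived with PBKDF2-HMAC-SHA256; because the Python standard library has no AES, the cipher is a constructed counter-mode keystream from HMAC-SHA256 with an encrypt-then-MAC tag, standing in for a real AEAD; and “properly decrypted” is judged by the MAC tag plus a fixed token prefix, mirroring the format check the action quotes from Holdsworth.

```python
"""Password-derived key unlocks an encrypted token, then a credential.

Constructed example. Nothing password-like is stored on the device:
only the salt, a slider substring of a site key, the iteration count
and two sealed blobs (token, credential). The stand-in cipher below
is HMAC-SHA256 in counter mode with encrypt-then-MAC; a real device
would use an AEAD such as AES-GCM instead (assumption, not the
page's design).
"""
import hashlib
import hmac
import secrets
from typing import Optional

TOKEN_MAGIC = b"TOKEN-v1:"  # assumed fixed prefix used as a format check


def slider_from_site_key(site_key: bytes, offset: int, length: int) -> bytes:
    """Windowing function: a fixed-position substring of the site key."""
    return site_key[offset:offset + length]


def derive_key(password: str, device_values: bytes, salt: bytes,
               slider: bytes, iterations: int) -> bytes:
    """64-byte key from the user password plus device-specific values;
    salt and slider go into the PBKDF2 salt so each device/site differs."""
    material = password.encode() + b"\x00" + device_values
    return hashlib.pbkdf2_hmac("sha256", material, salt + slider, iterations, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || HMAC tag (encrypt-then-MAC, stand-in cipher)."""
    enc_key, mac_key = key[:32], key[32:]
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns plaintext, or None when the tag does not verify (wrong key)."""
    enc_key, mac_key = key[:32], key[32:]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def provision(password: str, device_values: bytes, site_key: bytes,
              credential: bytes, iterations: int = 100_000) -> dict:
    """Enrollment: build what the device stores. The password is not kept."""
    salt = secrets.token_bytes(16)
    slider = slider_from_site_key(site_key, offset=4, length=8)
    key = derive_key(password, device_values, salt, slider, iterations)
    token = TOKEN_MAGIC + secrets.token_bytes(16)
    return {
        "salt": salt,
        "slider": slider,
        "iterations": iterations,
        "enc_token": seal(key, token),
        "enc_credential": seal(key, credential),
    }


def unlock_credential(password: str, device_values: bytes, store: dict) -> Optional[bytes]:
    """The claimed sequence: derive key, decrypt token, verify, then credential."""
    key = derive_key(password, device_values, store["salt"], store["slider"], store["iterations"])
    token = open_sealed(key, store["enc_token"])
    if token is None or not token.startswith(TOKEN_MAGIC):
        return None  # wrong password or wrong device: credential never touched
    return open_sealed(key, store["enc_credential"])


if __name__ == "__main__":
    # Constructed sample values.
    store = provision("correct horse", b"device-serial-0001", b"site-key-0123456789abcdef", b"CRED:4111-example")
    print(unlock_credential("correct horse", b"device-serial-0001", store))
    print(unlock_credential("wrong", b"device-serial-0001", store))
```

The design point the claims turn on is visible in `unlock_credential`: a wrong password or a different device yields a different key, the token's tag fails, and the credential blob is never decrypted, so the device learns password correctness from the token alone and stores nothing derived from the password itself.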
Claims 5, 6, 13 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Holdsworth (7,437,757) (“Holdsworth”), in view of Ross (2013/0138570) (“Ross”) and further in view of Johnson et al. (2006/0140401) (“Johnson”).
Regarding claims 5 and 13, neither Holdsworth nor Ross teaches creating the token by rotating an N×M matrix of data bytes, where N and M are non-zero positive integers; applying exclusive or to every byte in the rotated N×M matrix; and converting the rotated, XOR'd N×M matrix into an array. Johnson teaches creating the token by rotating an N×M matrix of data bytes, where N and M are non-zero positive integers; applying exclusive or to every byte in the rotated N×M matrix; and converting the rotated, XOR'd N×M matrix into an array (Figure 5; ¶ 143-146, 199, 569, 570). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Holdsworth (column 1, line 27-44, column 2, line 28-58), which teaches authentication of card reader transactions, Ross (¶ 6), which teaches “Electronic fraud can also take place on the business or service provider end, and a large number of users can be defrauded in a short amount of time if the business supplying the transaction system is not trustworthy”, and Johnson (¶ 2), which teaches protecting certain information in order to prevent information from being obtained and understood by others (Johnson; ¶ 2-8).
Regarding claims 6 and 14, Holdsworth discloses using one or more self-validation techniques selected from the second group comprising a cyclic redundancy check, a LUHN check, and short cryptogram (column 19, line 9-29). Neither Holdsworth nor Ross teaches validating the N×M matrix of data bytes. Johnson teaches validating the .
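The token construction of claims 5 and 13 (rotate an N×M byte matrix, XOR every byte, flatten to an array) together with the self-validation of claims 6 and 14 (CRC and LUHN check), as an added example. The code is not from the application or from Holdsworth, Ross or Johnson; the claims do not say what each byte is XORed with, so a single mask byte is an assumption, as is the clockwise direction of rotation and the choice of CRC-32 for the cyclic redundancy check. The inverse transform is included so the round trip can be checked.

```python
"""N x M matrix token: rotate, XOR every byte, flatten, self-validate.

Constructed example. The XOR mask byte, the clockwise rotation and
CRC-32 as the cyclic redundancy check are assumptions; the claims
only name the operations, not their parameters.
"""
import zlib
from typing import List

Matrix = List[List[int]]


def to_matrix(data: bytes, n: int, m: int) -> Matrix:
    """N rows of M bytes; N and M must be positive and match the length."""
    if n <= 0 or m <= 0 or len(data) != n * m:
        raise ValueError("data length must equal N*M with N, M > 0")
    return [list(data[r * m:(r + 1) * m]) for r in range(n)]


def rotate_clockwise(matrix: Matrix) -> Matrix:
    """Rotate 90 degrees clockwise: an N x M matrix becomes M x N."""
    n, m = len(matrix), len(matrix[0])
    return [[matrix[n - 1 - r][c] for r in range(n)] for c in range(m)]


def xor_every_byte(matrix: Matrix, mask: int) -> Matrix:
    return [[b ^ mask for b in row] for row in matrix]


def flatten(matrix: Matrix) -> List[int]:
    return [b for row in matrix for b in row]


def build_token(data: bytes, n: int, m: int, mask: int) -> bytes:
    """Claimed steps, then a CRC-32 trailer for self-validation."""
    body = bytes(flatten(xor_every_byte(rotate_clockwise(to_matrix(data, n, m)), mask)))
    return body + zlib.crc32(body).to_bytes(4, "big")


def crc_valid(token: bytes) -> bool:
    """Cyclic redundancy check over the token body."""
    if len(token) < 5:
        return False
    body, trailer = token[:-4], token[-4:]
    return zlib.crc32(body) == int.from_bytes(trailer, "big")


def recover_data(token: bytes, n: int, m: int, mask: int) -> bytes:
    """Inverse of build_token: validate, un-XOR, rotate back (3 clockwise turns)."""
    if not crc_valid(token):
        raise ValueError("CRC mismatch: token corrupted or wrong parameters")
    rotated = to_matrix(token[:-4], m, n)  # rotated matrix is M x N
    matrix = xor_every_byte(rotated, mask)
    for _ in range(3):
        matrix = rotate_clockwise(matrix)
    return bytes(flatten(matrix))


def luhn_check_digit(digits: str) -> str:
    """Check digit so that digits + result passes the LUHN check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:  # positions that get doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """LUHN check over a decimal string, e.g. a card-like identifier."""
    if not number.isdigit() or len(number) < 2:
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


if __name__ == "__main__":
    # Constructed sample: a 2 x 3 matrix of bytes 1..6 and mask 0xFF.
    tok = build_token(bytes([1, 2, 3, 4, 5, 6]), 2, 3, 0xFF)
    print(tok.hex(), crc_valid(tok), recover_data(tok, 2, 3, 0xFF))
    print(luhn_valid("79927398713"))
```

The CRC answers the question the claims pose for claims 6 and 14 (has the matrix-derived token survived intact?) but is not an integrity protection against an adversary; for that the token would still need the MAC or cryptogram the other limitations supply.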
Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Holdsworth (7,437,757) (“Holdsworth”), in view of Ross (2013/0138570) (“Ross”) and further in view of Ahn et al. (2006/0271281) (“Ahn”).
Regarding claim 9, neither Holdsworth nor Ross teaches wherein the slider value is generated by applying a windowing function at a predetermined position of a site key. Ahn teaches wherein the slider value is generated by applying a windowing function at a predetermined position of a site key (¶ 25, 105, 120). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Holdsworth (column 1, line 27-44, column 2, line 28-58), which teaches authentication of card reader transactions, Ross (¶ 6), which teaches “Electronic fraud can also take place on the business or service provider end, and a large number of users can be defrauded in a short amount of time if the business supplying the transaction system is not trustworthy”, and Ahn (¶ 2) which teaches 
Claim interpretation - According to the specification (¶ 70), “The slider may be a substring derived from a site key selected during wallet registration. For example, the key generator 712 may apply a windowing function to select a predetermined portion of the site key (e.g., having an original index offset and window length).” For purposes of claim interpretation, the slider value is a substring.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Haggerty et al. (2014/0222688) teaches generating encryption keys and NFC transactions.
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ISIDORA I IMMANUEL whose telephone number is (469)295-9094.  The examiner can normally be reached on Monday-Friday 9:00 am to 5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, NEHA PATEL can be reached on 571-270-1492.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.