DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Claims Status
Claims 1-5, 7-19 and 21 are pending; Claims 6 and 20 are cancelled; no new claims are added; Claims 1, 7, 12, 14, 16 and 21 are amended per Applicant's amendment filed on May 10, 2021.

Response to Arguments
The objection to Claim 12 has been withdrawn in view of Applicant's amendment filed on May 10, 2021; see pages 11-12, last and first paragraph, respectively. Minor informalities have been corrected.
Applicant's arguments filed with Applicant's amendment filed on May 10, 2021 regarding 35 USC 103 have been fully considered but they are not persuasive. Applicant argues: "Applicant pointed out that the cited art does not appear to teach or suggest the use of a key, such as KTRUST, to provide evidence of a trust relationship established based on registration of a client to a server, as now recited by the claims as amended herewith. Also, there appears to be no teaching or suggestion of a client sending a message that contains an authentication request which is encrypted using KTRUST, or of a server verifying that the client is trusted by confirming that the message is encrypted using KTRUST. Therefore, the claims provided 
Hayton teaches an authentication device (server) issuing a cryptographic key (Ktrust) to a client device based on validating the authentication credentials of the client device (workstation); see Fig. 5, steps 502-505. [Col. 1, lines 57-59] discloses the server receiving from a client device its authentication credentials and a request for access to enterprise resources. The authentication device then validates the received device credentials to determine whether the device is granted access to enterprise resources. Therefore, in order for the authentication device to validate a client device, the client device has to be registered and have an established relationship with the authentication device.
Furthermore, at [Col. 20, lines 38-40] Hayton discloses that an access token may include a cryptographic key (Ktrust) (e.g., an encryption or decryption key) generated by the authentication device (server) and transmitted to the client device (workstation) once the client device is authenticated based on the previously established relationship between the client device and the authentication device.
Therefore, Applicant fails to clearly point out where Hayton fails to teach the claimed limitation.
With respect to the secondary reference Oberheide, used in the non-final rejection under 35 USC 103 of independent claims 1, 14, and 16, it is noted that the "trust relationship established between the workstation and the server apparatus prior to receiving the Oberheide is no longer used in the current rejection.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-21 are rejected under 35 U.S.C. 102(a)(1) as being clearly anticipated by Hayton et al. (US 9098687 B2, hereinafter Hayton).
Regarding claim 1 (Currently amended), Hayton teaches a method, comprising: issuing a key, KTRUST, by a server to a workstation, the key reflecting a trust relationship established between the server and the workstation during a registration of the workstation to the server; (Fig. 5, step 505 discloses the authentication device (server) transmitting an access token to the client device (workstation). [Col. 20, lines 38-40] an access token may include a cryptographic key (Ktrust) (e.g., an encryption or decryption key) generated by the authentication device. Fig. 5, step 502 discloses the authentication device (server) validating the client device (workstation) prior to issuing the access token (comprising Ktrust) based on authentication credentials stored in the server. // Examiner remark: The client device access 
receiving, by the 
the authentication request provided in a message encrypted using KTRUST and ([Col. 1, lines 65-67; Col. 2, lines 1-2] For future resource access requests (authentication request) from the client device, the client device may transmit the access token, and the authentication device may retrieve and decrypt the validation data (i.e., a message encrypted using the encryption key (Ktrust), which the authentication device (server) must decrypt) using the access token received from the client device.)
including an identifier of a personal authentication tag (PAT), the PAT being a portable object that provides the PAT identifier in a machine-readable format; ([Col. 18, lines 43-45] The access gateway 360 may support various additional authentication techniques, such as password-based, token-based (e.g., smart cards, magnetic strip cards) (i.e., PAT))
in response to receiving the authentication request, determining that the workstation is trusted by the server, based at least in part on confirming that the message is encrypted using KTRUST;
in response to determining that the workstation is trusted by the server, providing the workstation with access over the computer network to a set of applications of the server using a credential associated with the PAT identifier received with the authentication request. ([Col. 19, lines 6-9] After the user's credentials have been successfully validated in step 502, the user may be logged in to the enterprise system and may be granted access to resources 304 or services 308 within the enterprise system)

Regarding claims 14 and 16 (Currently amended), they are rejected on the same rationale as claim 1 (Currently amended).

Regarding claim 2, the method of claim 1, Hayton teaches further comprising, in response to determining that the workstation is trusted by the server, (i) obtaining, by the server, the credential associated with the PAT identifier, and ([Col. 2, lines 57-65] According to certain aspects, an authentication device (server) may receive user authentication credentials, including a password (or token), from a client device (obtaining 
(ii) transmitting the credential to the workstation. ([Col. 2, lines 57-65] and the access token (credential) may be transmitted to the client device)

Regarding claim 3 (Original), the method of claim 2, Hayton teaches wherein determining that the workstation is trusted by the server includes performing an operation configured to produce one of a first result and a second result, the first result produced in response to the server confirming that the workstation is trusted by the server, (Fig. 5, step 502 discloses the authentication device (server) validating the client device (workstation) prior to issuing the access token (including cryptographic key/Ktrust) based on authentication credentials stored in the server. // Examiner remark: The client device validation request and the subsequent issuing of a cryptographic key are a reflection of the established relationship between the client device (workstation) and the authentication device (server).)
the second result produced otherwise, wherein the server stores the credential in encrypted form, with the credential encrypted using an encryption key, KPAT, ([Col. 20, lines 31-49] The authentication device (server) 358 may then create validation data (credential), to be stored by the enterprise system (e.g., within the authentication device 358, access gateway 360, or elsewhere within the enterprise system. … The authentication device 358 in this example also 
wherein KPAT is derived from the PAT identifier, and ([Col. 15, lines 51-53] Key derivation functions may operate such that keys generated from the user password use KDFs (key derivation functions, notably PBKDF2))
wherein the method further comprises, in response to the operation producing the first result and prior to transmitting the credential to the workstation, decrypting the credential as encrypted using KPAT ([Col. 1, line 67; Col. 2, lines 1-2] the authentication device may retrieve and decrypt the validation data using the access token received from the client device.)

Regarding claim 4, the method of claim 3, Hayton teaches wherein the server is configured to fail the authentication request in response to the operation producing the second result, which indicates an untrusted workstation. ([Col. 18, lines 58-63] As illustrated in FIG. 3, an access gateway 360 may receive the login request from the mobile device 302 and forward the login request to an authentication service 358 which verifies the user's credentials and grants the user access to the set of enterprise resources or services for which the user is authorized. // Examiner remark: It is inherent that the system will not grant access (fail) unless the authentication is validated.)

Regarding claim 5, the method of claim 3, Hayton teaches wherein performing the operation includes confirming that the workstation is identified on a device white list (DWL). ([Col. 9, lines 36-47] The enterprise may choose to implement policies to manage the mobile device 302. The policies may be implemented through a firewall or gateway in such a way that the mobile device may be identified, secured or security verified, and provided selective (i.e., blocking access to a set of applications) or full access to the enterprise resources. The policies may be mobile device management policies, mobile application management policies, mobile data management policies, or some combination of mobile device, application, and data management policies. A mobile device 302 that is managed through the application of mobile device management policies may be referred to as an enrolled device. // Examiner remark: this implements a DWL using enrollment and policy to manage access to applications.)

Regarding claim 7 (Currently amended), the method of claim 3, Hayton teaches further comprising providing the workstation with a new instance of KTRUST upon a boot-up of the workstation, the server thereby limiting access to the set of applications using a stolen instance of KTRUST. ([Col. 7, lines 7-10] Applications, as used herein, are programs that execute after an instance of an operating system (and, optionally, also the desktop) has been loaded. [Col. 15, lines 65-68; Col. 16, lines 1-4] Another feature may relate to sensitive data in memory, which may be kept in memory (and not in disk) only when it's needed. For example, login credentials may be wiped from memory after login, and encryption keys and other data inside objective-C instance variables are not stored, as they may be easily 

Regarding claim 8, the method of claim 3, Hayton teaches wherein obtaining the credential associated with the PAT identifier includes: accessing a PAT database to identify a user identifier that the PAT database associates with the PAT identifier; and accessing a credential database to identify the credential associated with the user identifier. ([Col. 2, lines 12-20] According to further aspects, after validating a user with a first set of authentication credentials (i.e., obtaining the credential associated with the PAT identifier), one or more additional sets of authentication credentials may be retrieved (i.e., accessing the credential associated with the user identifier) for the first user and stored at an access gateway or other storage in an enterprise system.)

Regarding claim 9, the method of claim 8, Hayton teaches wherein the PAT database and the credential database are hosted by respective services running on respective computers of the server. ([Col. 3, lines 64-67; Col. 4, lines 1-19] discloses the computer and server architecture related to the applications and services supporting databases of user credentials. [Col. 4, lines 19-21] Servers and applications may be combined on the same physical machines, and retain separate virtual or logical addresses, or may reside on separate physical machines)

Regarding claim 10, the method of claim 9, Hayton teaches further comprising, in response to (i) the operation producing the first result and (ii) the credential database not storing a credential associated with the user identifier: directing the workstation to prompt a user to enter a user credential; ([Col. 19, lines 66-67; Col. 20, lines 1-2] In this example, the authentication device 358 may first determine if a user secret has previously been set for client device 302, and if not, may prompt the user to input a user secret.)
receiving the user credential from the workstation; ([Col. 20, lines 21-22] In step 504, the authentication device 358 in the enterprise system may receive the user secret from the client device 302)
encrypting the user credential using KPAT; ([Col. 20, lines 31-32] The authentication device 358 may then create validation data)
and storing the encrypted user credential in connection with the user identifier in the credential database. ([Col. 20, lines 32-35] to be stored by the enterprise system (e.g., within the authentication device 358, access gateway 360, or elsewhere within the enterprise system))

Regarding claim 11, the method of claim 10, Hayton teaches further comprising, after receiving the user credential: contacting an identity provider (IDP) that stores enterprise credentials and associated user identifiers of multiple users; performing a verification operation configured to (i) generate a successful result in response to the IDP associating the user identifier of the user with a credential that matches the user credential and (ii) generate an 

Regarding claim 12 (Currently amended), the method of claim 3, Hayton teaches wherein, when receiving the PAT PIN derived from additional entropy associated with the user. ([Col. 21, lines 3-5] as shown in FIG. 7A, the validation data 710 may be generated by encrypting a key identifier 701, password 702, and user secret 703 (i.e., entropy associated with the user.) // Examiner remark: the term "PAD" is interpreted to mean "PAT".)

Regarding claim 13, the method of claim 12, Hayton teaches wherein the additional entropy is a user PIN (Personal Identification Number). ([Col. 19, lines 22-23] A "user secret" 
Regarding claim 15, the server apparatus of claim 14, Hayton teaches wherein the server apparatus stores the credential in encrypted form, with the credential encrypted using an encryption key, KPAT, and wherein KPAT is derived at least in part by encrypting the PAT identifier with a user PIN and processing the PIN-encrypted PAT identifier to generate KPAT. ([Col. 21, lines 3-5] As shown in FIG. 7A, the validation data 710 may be generated by encrypting a key identifier 701, password 702, and user secret 703 (i.e., entropy associated with the user); [Col. 19, lines 22-23] A "user secret" may be a personal identification number (PIN))

Regarding claim 17, it is rejected on the same rationale as claim 3.

Regarding claim 18, the computer program product of claim 17, Hayton teaches wherein KPAT is derived at least in part by encrypting the PAT identifier with a user PIN and processing the PIN-encrypted PAT identifier to generate KPAT. ([Col. 21, lines 3-5] As shown in FIG. 7A, the validation data 710 may be generated by encrypting a key identifier 701, password 702, and user secret 703 (i.e., entropy associated with the user); [Col. 19, lines 22-23] A "user secret" may be a personal identification number (PIN).)

Regarding claim 19, it is rejected on the same rationale as claim 5.

Regarding claim 21 (Currently amended), it is rejected on the same rationale as claim 7.
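As an added illustration, not code from Hayton or from the application under examination, the following Python sketch models the claimed flow as the rejection reads it across claims 1, 3, 4 and 15: KTRUST issued to the workstation at registration, the authentication request carrying the PAT identifier sealed under KTRUST, the server confirming trust by verifying that seal (the "first result"; any other message yields the "second result" and fails), and the stored credential decrypted with a KPAT derived from the PAT identifier and the user PIN via PBKDF2. The HMAC-based authenticated-encryption routine is a toy stand-in for a real cipher, and all names, identifiers, sample values and KDF parameters are assumptions.

```python
import hashlib, hmac, json, os, secrets

# Toy authenticated encryption (HMAC-SHA256 keystream + tag); stand-in for AES-GCM.
def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext, nonce=None):
    nonce = os.urandom(16) if nonce is None else nonce
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None  # tag mismatch: message was not sealed under this key
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def derive_kpat(pat_id: bytes, pin: str) -> bytes:
    # Claims 15/18: encrypt the PAT identifier with the user PIN, then process the
    # result; the processing step here is PBKDF2, with a fixed nonce so it is deterministic.
    pin_key = hashlib.sha256(pin.encode()).digest()
    pin_encrypted_pat = seal(pin_key, pat_id, nonce=bytes(16))
    return hashlib.pbkdf2_hmac("sha256", pin_encrypted_pat, pat_id, 50_000, 32)

class Server:
    def __init__(self):
        self.ktrust = {}   # workstation id -> KTRUST issued at registration
        self.pat_db = {}   # PAT identifier -> user identifier
        self.cred_db = {}  # user identifier -> credential sealed under KPAT

    def register_workstation(self, ws_id):
        self.ktrust[ws_id] = secrets.token_bytes(32)
        return self.ktrust[ws_id]

    def enroll_pat(self, pat_id, user_id, pin, credential):
        self.pat_db[pat_id] = user_id
        self.cred_db[user_id] = seal(derive_kpat(pat_id, pin), credential)

    def authenticate(self, ws_id, message):
        key = self.ktrust.get(ws_id)
        plain = unseal(key, message) if key else None
        if plain is None:        # unregistered workstation, or not sealed under KTRUST
            return None          # "second result": request fails
        req = json.loads(plain)
        pat_id = bytes.fromhex(req["pat"])
        user = self.pat_db.get(pat_id)
        if user is None or user not in self.cred_db:
            return None
        return unseal(derive_kpat(pat_id, req["pin"]), self.cred_db[user])

def workstation_request(ktrust, pat_id, pin):  # message the workstation sends
    return seal(ktrust, json.dumps({"pat": pat_id.hex(), "pin": pin}).encode())
```

A wrong PIN derives a different KPAT, so the stored credential fails to unseal and the server returns None rather than a garbled credential.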


Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 6834795 B1 - Secure User Authentication To Computing Resource Via Smart Card.
US 10021088 B2 - Fast Smart Card Logon
US 8479011 B2 - Method And Apparatus For Using Cryptographic Mechanisms To Provide Access To A Portable Device Using Integrated Authentication Using Another Portable Device



Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS 

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild, can be reached at telephone number (571) 272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://portal.uspto.gov/external/portal. Should you have questions about access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).



Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

/SOLOMON AREGA/Examiner, Art Unit 4164
/LYNN D FEILD/Supervisory Patent Examiner, Art Unit 2431