DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-7 and 13-15 are rejected under 35 U.S.C. 103 as being unpatentable Venkataraman et al. (US 2015/0244711 A1) in view of Kommireddy et al. (US 2017/0041151 A1.
Regarding claim 1, Venkataraman teaches an electronic device, i.e. an electronic device (Fig. 1, el. 101), comprising: 
a communicator, i.e. a communication interface (Fig. 1, el. 160), configured to communicate with an authentication device, e.g. a server (Fig. 1, el. 106); a Mobile Device Management (MDM) server at an enterprise network (Fig. 3B, el. 330b; Para. 116); an authentication server (Para. 156), e.g. the communication interface may provide communication between the electronic device and the server (Para. 77); 
a storage configured to store data, i.e. memory (Fig. 1, el. 130); and 
a processor, i.e. a processor (Fig. 1, el. 120), configured to: 
encrypt first authentication data by causing the authentication device to sign identification information on the electronic device and unique data of the authentication device to generate second authentication data, e.g. the electronic device may transmit the public key and a Certificate Signing Request (CSR) to the server at the Enterprise Network (Para. 119); the server may sign the CSR—using unique data of the authentication device, and store the client certificate (Para. 120); the signed certificate—first authentication data, is sent to and installed at the electronic device, wherein the installing includes signing the certificate with the electronic device’s private key, wrapping the certificate, and storing the signed certificate—second authentication data (Para. 88, 112, 121, 122, 125); wherein the certificate may include a device ID, such as an IMEI or MAC address—identification information of the electronic device (Para. 84, 106, 213);
store the generated second authentication data in the storage, e.g. the signed certificate is sent to and installed at the electronic device, wherein the installing includes signing the certificate with the electronic device’s private key and storing the signed certificate (Para. 88, 112, 121, 122, 125), and 
transmit the stored second authentication data to the authentication device to request authentication of the electronic device, e.g. sending the certificate signed by the device and authenticating the device using the combination of the enterprise signed certificate and the device key (Para. 113, 114, 124, 125, 195); using the client credentials to access the Enterprise Network (Para. 160, 189, 217).
Venkataraman does not clearly teach the authentication device to encrypt identification information on the electronic device and unique data of the authentication device.
Kommireddy teaches installing first authentication data by causing an authentication device, i.e. computing environment (Fig. 1, el. 103), wherein the computing environment may be a server (Para. 10), to encrypt identification information on an electronic device, i.e. a client device (Fig. 1, el. 106), and unique data of the authentication device to generate second authentication data, e.g. a management component of the client device generates a CSR, wherein the CSR includes a unique device identifier—identification information (Para. 26, 51); the CSR is encrypted, signed, and sent to the management service of the computing environment (Para. 57, 58); the management service decrypts and validates the CSR (Para. 59, 60); the management service encrypts, signs with the signing key—unique data, and sends a user certificate—first authentication data, to the management component (Para. 62, 63); the management component decrypts and installs the user certificate—second authentication data (Para. 64); wherein the user certificate certifies that a public key identified in the certificate belongs to the client device—identification information (Para. 16).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Venkataraman to include encrypting first authentication data by causing the authentication device to encrypt identification information on the electronic device and unique data of the authentication device to generate second authentication data, using the known method of encrypting a user certificate with the public key of the client device, signing the certificate with the signing key of the management service, sending the certificate to the client device, and decrypting and installing the certificate at the client device, as taught by Kommireddy, in combination with the authentication system of Venkataraman, for the purpose of allowing certificates to be requested and installed in a manner that prevents malicious third-parties from analyzing the network traffic to covertly obtain unauthorized access to certificates (Kommireddy-Para. 8).

Regarding claim 2, Venkataraman in view of Kommireddy teaches wherein the processor is configured to encrypt the identification information on the electronic device and transmit the encrypted identification information to the authentication device, e.g. the device may sign a default certificate using the device’s private key and send the signed certificate to the server (Venkataraman-Para. 156, 157); signing the certificate with the electronic device’s private key (Venkataraman-Para. 88, 112, 121, 122, 125); wherein the certificate may include a device ID, such as an IMEI or MAC address (Venkataraman-Para. 84, 106, 213); sending the certificate signed to the server and authenticating the device using the combination of the enterprise signed certificate and the device key (Venkataraman-Para. 113, 114, 124, 125, 195); wrapping the client certificate with identification information of the device (Venkataraman-Para. 193); a management component of the client device generates a CSR, wherein the CSR includes a unique device identifier—identification information (Kommireddy-Para. 26, 51); the CSR is encrypted, signed, and sent to the management service of the computing environment (Kommireddy-Para. 57, 58).

Regarding claim 3, Venkataraman in view of Kommireddy teaches wherein the second authentication data further includes the identification information on the electronic device, e.g. wherein the certificate may include a device ID, such as an IMEI or MAC address (Venkataraman-Para. 84, 106, 213); wrapping the client certificate with identification information of the device (Venkataraman-Para. 193); wherein the user certificate certifies that a public key identified in the certificate belongs to the client device—identification information (Kommireddy-Para. 16).

Regarding claim 4, Venkataraman teaches an electronic device, i.e. an electronic device (Fig. 1, el. 101), comprising: 
a communicator, i.e. a communication interface (Fig. 1, el. 160), configured to communicate with an authentication device, e.g. a server (Fig. 1, el. 106); a Mobile Device Management (MDM) server at an enterprise network (Fig. 3B, el. 330b; Para. 116); an authentication server (Para. 156), e.g. the communication interface may provide communication between the electronic device and the server (Para. 77); 
a storage, i.e. memory (Fig. 1, el. 130), configured to store second authentication data generated by encrypting first authentication data by causing the authentication device to sign identification information on the electronic device and unique data of the authentication device, e.g. the electronic device may transmit the public key and a Certificate Signing Request (CSR) to the server at the Enterprise Network (Para. 119); the server may sign the CSR, and store the client certificate (Para. 120); the signed certificate is sent to and installed at the electronic device, wherein the installing includes signing the certificate with the electronic device’s private key and storing the signed certificate—second authentication data (Para. 88, 112, 121, 122, 125); wherein the certificate may include a device ID, such as an IMEI or MAC address—identification information of the electronic device (Para. 84, 106, 213); and 
a processor, i.e. a processor (Fig. 1, el. 120), configured to transmit the second authentication data stored in the storage to the authentication device to request authentication of the electronic device, e.g. sending the certificate signed by the device and authenticating the device using the combination of the enterprise signed certificate and the device key (Para. 113, 114, 124, 125, 195); using the client credentials to access the Enterprise Network (Para. 160, 189, 217).
Venkataraman does not clearly teach the authentication device to encrypt identification information on the electronic device and unique data of the authentication device.
Kommireddy teaches causing an authentication device, i.e. computing environment (Fig. 1, el. 103), wherein the computing environment may be a server (Para. 10), to encrypt identification information on an electronic device, i.e. a client device (Fig. 1, el. 106), and unique data of the authentication device to generate second authentication data, e.g. a management component of the client device generates a CSR, wherein the CSR includes a unique device identifier—identification information (Para. 26, 51); the CSR is encrypted, signed, and sent to the management service of the computing environment (Para. 57, 58); the management service decrypts and validates the CSR (Para. 59, 60); the management service encrypts, signs with the signing key—unique data, and sends a user certificate—first authentication data, to the management component (Para. 62, 63); the management component decrypts and installs the user certificate—second authentication data (Para. 64); wherein the user certificate certifies that a public key identified in the certificate belongs to the client device—identification information (Para. 16).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Venkataraman to include second authentication data generated by encrypting first authentication 

Regarding claim 5, Venkataraman in view of Kommireddy teaches wherein the second authentication data further includes the identification information on the electronic device, e.g. wherein the certificate may include a device ID, such as an IMEI or MAC address (Venkataraman-Para. 84, 106, 213); wrapping the client certificate with identification information of the device (Venkataraman-Para. 193); wherein the user certificate certifies that a public key identified in the certificate belongs to the client device—identification information (Kommireddy-Para. 16).

Regarding claim 6, Venkataraman teaches an authentication device, e.g. a server (Fig. 1, el. 106); a Mobile Device Management (MDM) server at an enterprise network (Fig. 3B, el. 330b; Para. 116); an authentication server (Para. 156), comprising: 
a communicator configured to communicate with an electronic device, i.e. an electronic device (Fig. 1, el. 101), e.g. the communication interface may provide communication between the electronic device and the server (Para. 77); and 
a processor configured to sign identification information on the electronic device and unique data of the authentication device to generate first authentication data and transmit the generated first authentication data to the electronic device, e.g. the electronic device may transmit the public key and a Certificate Signing Request (CSR) to the server at the Enterprise Network (Para. 119); the server may sign the CSR—using unique data of the authentication device, and store the client certificate (Para. 120); the signed certificate—first authentication data, is sent to and installed at the electronic device, wherein the installing includes signing the certificate with the electronic device’s private key and storing the signed certificate (Para. 88, 112, 121, 122, 125); wherein the certificate may include a device ID, such as an IMEI or MAC address—identification information of the electronic device (Para. 84, 106, 213).
Venkataraman does not clearly teach encrypting identification information on the electronic device and unique data of the authentication device to generate first authentication data.
an authentication device, i.e. computing environment (Fig. 1, el. 103), wherein the computing environment may be a server (Para. 10), comprising:
a processor, e.g. a processor (Para. 67), configured to encrypt identification information on an electronic device, i.e. a client device (Fig. 1, el. 106), and unique data of the authentication device to generate first authentication data, e.g. a management component of the client device generates a CSR, wherein the CSR includes a unique device identifier—identification information (Para. 26, 51); the CSR is encrypted, signed, and sent to the management service of the computing environment (Para. 57, 58); the management service decrypts and validates the CSR (Para. 59, 60); the management service encrypts, signs with the signing key—unique data, and sends a user certificate—first authentication data, to the management component (Para. 62, 63); the management component decrypts and installs the user certificate—second authentication data (Para. 64); wherein the user certificate certifies that a public key identified in the certificate belongs to the client device—identification information (Para. 16).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Venkataraman to include encrypting identification information on the electronic device and unique data of the authentication device to generate first authentication data, using the known method of encrypting a user certificate with the public key of the client device, signing the certificate with the signing key of the management 

Regarding claim 7, Venkataraman in view of Kommireddy teaches wherein the processor is configured to receive the identification information on the electronic device from the electronic device, e.g. the device may sign a default certificate using the device’s private key and send the signed certificate to the server (Venkataraman-Para. 156, 157); signing the certificate with the electronic device’s private key (Venkataraman-Para. 88, 112, 121, 122, 125); wherein the certificate may include a device ID, such as an IMEI or MAC address (Venkataraman-Para. 84, 106, 213); sending the certificate signed to the server and authenticating the device using the combination of the enterprise signed certificate and the device key (Venkataraman-Para. 113, 114, 124, 125, 195); wrapping the client certificate with identification information of the device (Venkataraman-Para. 193); wherein the CSR includes a unique device identifier—identification information (Kommireddy-Para. 26, 51).

Regarding claim 13, the claim is analyzed with respect to claim 1.



Regarding claim 15, the claim is analyzed with respect to claim 3.

Claims 8-12 are rejected under 35 U.S.C. 103 as being unpatentable over Venkataraman in view of Kim (US 2017/0201383 A1).
Regarding claim 8, Venkataraman teaches an authentication device, e.g. a server (Fig. 1, el. 106); a Mobile Device Management (MDM) server at an enterprise network (Fig. 3B, el. 330b; Para. 116); an authentication server (Para. 156), comprising: 
a communicator configured to communicate with an electronic device, i.e. an electronic device (Fig. 1, el. 101), e.g. the communication interface may provide communication between the electronic device and the server (Para. 77); and 
a processor configured to: receive an authentication request of the electronic device and second authentication data from the electronic device, e.g. receiving a request to access the enterprise network and a signed certificate from the electronic device (Para. 112-114, 156, 165, 193, 201),
process the received second authentication data to obtain identification information on the electronic device and unique data of the authentication device, and authenticate the electronic device based on the obtained identification information and unique data, e.g. validating the electronic device by using the public key to confirm that the certificate was signed by the private key (Para. 114, 125); performing authentication using the client certificate, client private key, and/or the corresponding public key (Para. 193-195); wherein the certificate may include a device ID, such as an IMEI or MAC address—identification information of the electronic device (Para. 84, 106, 213);
Venkataraman does not clearly teach decrypting the received second authentication data to obtain identification information on the electronic device and unique data of the authentication device.
Kim teaches receiving an authentication request of an electronic device, i.e. an end entity (Fig. 1A, el. 110), and second authentication data from the electronic device, e.g. receiving a certificate including cryptographically-obscured identifier(s) associated with the end entity, wherein the identifiers may include a device identifier such as a MAC address or IMEI (Para. 53, 95),
decrypting the received second authentication data to obtain identification information on the electronic device and unique data of the authentication device, e.g. decrypting the certificate and identifier(s) using the service node private key, wherein the certificate and identifier(s) were encrypted using the service node public key (Para. 23, 54, 96); wherein the certificate also includes the secure key associated with the service identifier for the mail server (service node) (Para. 100, 101, 103), and 
authenticate the electronic device based on the obtained identification information and unique data, e.g. matching the decrypted identifier from the certificate; using the keyed hash algorithm, secure key, and/or a private key related to the secure key to validate the identifier (Para. 97, 98, 100, 101, 103).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Venkataraman to include decrypting the received second authentication data to obtain identification information on the electronic device and unique data of the authentication device, using the known method of decrypting the certificate and identifier(s) using the service node private key, wherein the certificate and identifier(s) were encrypted using the service node public key, wherein the certificate also includes the secure key associated with the service identifier for the mail server (service node), and matching the decrypted identifier from the certificate; using the keyed hash algorithm, secure key, and/or a private key related to the secure key to validate the identifier, as taught by Kim, in combination with the authentication system of Venkataraman, for the purpose of aiding in the prevention of unauthorized access to protected resources (Kim-Para. 3, 19).

Regarding claim 9, Venkataraman in view of Kim further comprising: a storage configured to store the identification information on the electronic device, wherein the processor is configured to compare the obtained identification information with the identification information on the electronic device stored in the storage to authenticate the electronic device, e.g. validating the electronic device by using the public key to confirm that the certificate was signed by the private key (Venkataraman-Para. 114, 125); performing authentication using the client certificate, client private key, and/or the corresponding public key (Venkataraman-Para. 193-195); wherein the certificate may include a device ID, such as an IMEI or MAC address—identification information of the electronic device (Venkataraman-Para. 84, 106, 213); storing the client certificate at the Enterprise Network server (Venkataraman-Para. 120, 194, 208); sending the reference identifier from the end entity to the service node (Kim-Para. 40, 76, 80, 97); retrieving the reference identifier from the management server (Kim-Para. 41); extracting the identifier(s) from the certificate and comparing the identifier(s) to the reference identifier(s) (Kim-Para. 78, 80, 81, 97).

Regarding claim 10, Venkataraman in view of Kim further comprising: a storage configured to store the identification information on the electronic device and unique data corresponding to the identification information, wherein the processor is configured to compare the obtained identification information and unique data with the identification information on the electronic device and the unique data stored in the storage to authenticate the electronic device, e.g. validating the electronic device by using the public key to confirm that the certificate was signed by the private key (Venkataraman-Para. 114, 125); performing authentication using the client certificate, client private key, and/or the corresponding public key (Venkataraman-Para. 193-195); wherein the certificate may include a device ID, such as an IMEI or MAC address—identification information of the electronic device (Venkataraman-Para. 84, 106, 213); storing the client certificate at the Enterprise Network server (Venkataraman-Para. 120, 194, 208); sending the reference identifier from the end entity to the service node (Kim-Para. 40, 76, 80, 97); retrieving the reference identifier from the management server (Kim-Para. 41); extracting the identifier(s) from the certificate and comparing the identifier(s) to the reference identifier(s) (Kim-Para. 78, 80, 81, 97); wherein the certificate also includes the secure key associated with the service identifier for the mail server (service node) and uses the keyed hash algorithm, secure key, and/or a private key related to the secure key to validate the identifier (Para. 100, 101, 103).

Regarding claim 11, Venkataraman in view of Kim teaches further comprising: a storage is configured to store data, wherein the second authentication data further includes the identification information on the electronic device, and the processor is configured to store the identification information on the electronic device included in the second authentication data in the storage when the electronic device is successfully authenticated, e.g. validating the electronic device by using the public key to confirm that the certificate was signed by the private key (Venkataraman-Para. 114, 125); performing authentication using the client certificate, client private key, and/or the corresponding public key (Venkataraman-Para. 193-195); wherein the certificate may include a device ID, such as an IMEI or MAC address—identification information of the electronic device (Venkataraman-Para. 84, 106, 213); storing the client certificate at the Enterprise Network server (Venkataraman-Para. 120, 194, 208); retrieving the reference identifier from the management server (Kim-Para. 41); extracting the identifier(s) from the certificate and comparing the identifier(s) to the reference identifier(s) (Kim-Para. 78, 80, 81, 97).

Regarding claim 12, Venkataraman in view of Kim teaches wherein the processor is configured to obtain the identification information on the electronic device from the second authentication data, and compare the obtained identification information on the electronic device with the identification information on the electronic device stored in the storage to authenticate the electronic device, e.g. validating the electronic device by using the public key to confirm that the certificate was signed by the private key (Venkataraman-Para. 114, 125); performing authentication using the client certificate, client private key, and/or the corresponding public key (Venkataraman-Para. 193-195); wherein the certificate may include a device ID, such as an IMEI or MAC address—identification information of the electronic device (Venkataraman-Para. 84, 106, 213); storing the client certificate at the Enterprise Network server (Venkataraman-Para. 120, 194, 208); sending the reference identifier from the end entity to the service node (Kim-Para. 40, 76, 80, 97); retrieving the reference identifier from the management server (Kim-Para. 41); extracting the identifier(s) from the certificate and comparing the identifier(s) to the reference identifier(s) (Kim-Para. 78, 80, 81, 97).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Hoggan (US 2013/0311771 A1)—Hoggan discloses receiving and installing a certificate in response to submitting a certificate request, wherein the certificate includes a public and private key, a MAC address of the device, information regarding the entity issuing the certificate (Para. 21, 22).

Cilfone et al. (US 2013/0086377 A1)—Cilfone discloses generating and issuing a CSR, wherein the certificate includes an issuer name, an issuer UUID, a subject UUID, and a public key (Para. 142, 149).


Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEREMY DUFFIELD whose telephone number is (571)270-1643.  The examiner can normally be reached on Monday - Friday, 7:00 AM - 3:00 PM (ET).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





10 September 2021
/Jeremy S Duffield/Primary Examiner, Art Unit 2498