DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-20 are pending in this application.
IDS submitted on 11/9/2018 has been considered.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5, 6, 10-15, 17 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Cha et al. (US 2013/0080769 A1) (hereinafter, “Cha”) in view of Palekar et al. (US 2003/0226017 A1) (hereinafter, “Palekar”).


As to claim 1, Cha discloses a method for preventing Transport Layer Security session man-in-the-middle attacks, the method comprising: 
comparing a first security digest generated by an endpoint device with a second security digest received from a peer device (“As illustrated at 626, the authentication a digest uri, and the opaque. In an example embodiment, the cnonce, the nonce count, and/or the digest uri may be illustrated, by the IETF, in RFC document 2617. At 628, the BSF 604 may calculate a response and compare the values received from the UE 602 with the calculated values at the BSF 604.” –e.g. see, [0085]; herein, BSF compares its calculated digest with the received digest from UE; UE is comparable to a peer device; see also, [0088] which discloses applying a digest algorithm as part of authentication challenge-response, [0090] which discloses SIP-Digest authentication); 
determining whether a match exists between the first security digest and the second security digest based on the comparing (“At 630, the BSF 604 may send a message (e.g., a 200 OK message) to the UE 602 that confirms to the UE 602 that authentication was successful. The message at 630 may include a binding trusted identifier (B_TID) and/or a key Ks lifetime, as illustrated at 632.” –e.g. see, [0085]; herein, Bootstrap Server Function determines whether there is a match between its calculated response with the received response from UE and identifies if there is a match. An OK message is sent to the UE when there is a match); and 
responsive to determining that a match does not exist between the first security digest and the second security digest, detecting a man-in-the-middle attack (“Verification and/or recalculation of B.sub.re, may fail if performed by an MitM, because the MitM may not know how to derive an acceptable B.sub.res value, while recalculation the MitM may be detected.” –e.g. see, [0086]; herein, a mismatch is found when the response came from a MitM). 
Cha may not explicitly disclose responsive to determining that a match does not exist between the first security digest and the second security digest … terminating a network connection for a Transport Layer Security session with the peer device.
However, in an analogous art, Palekar discloses responsive to determining that a match does not exist between the first security digest and the second security digest … terminating a network connection for a Transport Layer Security session with the peer device (“If the response from the client is different from the value calculated internally by the authenticator, then the client should not be authenticated. However, the authenticator can determine, at step 710, whether the authentication that was negotiated allows for retries, and how many. If it does allow for retries, and the maximum number of retries has not been exceeded, then the authenticator sends another challenge to the peer. If no retries are allowed, or the maximum number has been reached, the connection is ended at step 712.” –e.g. see, [0079]; herein, the connection is terminated when there is a mismatch with the received digest and calculated digest).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was to modify the teaching of Cha as taught by Palekar in order to prevent any rogue interceptor from obtaining users’ sensitive information as suggested by Palekar (Spec., [0007]).

Claims 10 and 13 are rejected for similar rationale as for the rejection of claim 1. 

As to claim 2, the combination of Cha and Palekar disclose further comprising: responsive to determining that a match does exist between the first security digest and the second security digest, sending a security digest validation acknowledgement to the peer device and continuing the Transport Layer Security session with the peer device (Cha: “… the BSF 604 may send a message (e.g., a 200 OK message) to the UE 602 that confirms to the UE 602 that authentication was successful. The message at 630 may include a binding trusted identifier (B_TID) and/or a key Ks lifetime, as illustrated at 632.” –e.g. see, Cha: [0085]). 

As to claims 11 and 14, these are rejected using the similar rationale as for the rejection of claim 2.

As to claim 3, the combination of Cha and Palekar disclose comprising: receiving a request to initiate the Transport Layer Security session with the endpoint device from the peer device; performing a Transport Layer Security handshake procedure with the peer device; and establishing the network connection with the peer device for the Transport Layer Security session upon successful completion of the Transport Layer 

As to claims 12 and 15, these are rejected using the similar rationale as for the rejection of claim 3.

As to claims 5 and 17, the combination of Cha, Palekar disclose selecting a segment of Transport Layer Security data corresponding to the Transport Layer Security session; and sending information regarding selection of the selected segment of Transport Layer Security data to the peer device via the network connection (Cha: “At 618, BSF 604 may send an authentication challenge (e.g., an authentication challenge in an HTTP 401 unauthorized response) to UE 602. As illustrated at 620, the message at 618 may include private identity information, a realm, a nonce, a quality of protection (qop) value, an authentication algorithm, a domain, and/or an opaque. In an example embodiment, this information may be included in the authentication header of the message.” –e.g. see, Cha: [0085]). 

BSF 604 may send an authentication challenge (e.g., an authentication challenge in an HTTP 401 unauthorized response) to UE 602. As illustrated at 620, the message at 618 may include private identity information, a realm, a nonce, a quality of protection (qop) value, an authentication algorithm, a domain, and/or an opaque. In an example embodiment, this information may be included in the authentication header of the message.” –e.g. see, Cha: [0085]; herein, identity information or nonce have predetermined number of bytes). 

Claims 4 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Cha in view of Palekar and further in view of Drake (US 2017/0346851 A1).

As to claims 4 and 16, neither Cha nor Palekar explicitly disclose selecting a CAPTCHA puzzle to send to the peer device; and sending the CAPTCHA puzzle to the peer device via the network connection. However, in an analogous art, Drake discloses selecting a CAPTCHA puzzle to send to the peer device; and sending the CAPTCHA puzzle to the peer device via the network connection (Drake: “The custom security agent in the user's access device accepts the incoming photo-identifier, and uses its local symmetric session key (usually the one from a web browser in the device) along supplied photo-identifier to locate (locally or by safe remote means such as MitM-resistant cryptography) the selected random photo for display to the user.” –e.g. see, Drake: [0032], see also, [0333], [0358]; herein, supporting CAPTCHA style anti-robot protection).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was to modify the teaching of Cha and Palekar as taught by Drake in order to provide strong protection against phishing, malware, active man-in-the-middle attacks, and many other threats, yet is designed to keep ordinary people safe, even if they are unsophisticated or unmotivated. It is well suited to replace legacy two-factor-authentication (2FA) and/or multifactor authentication (MFA) as suggested by Drake (Spec. [0004]).

Claims 7, 8, 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Cha in view of Palekar and further in view of Todorov (US 2011/0296509 A1).

As to claims 7 and 19, Cha discloses generating the first security digest based on a hash of … the selected segment of Transport Layer Security data corresponding to the Transport Layer Security session (Cha: “As illustrated at 626, the authentication request may include the private identity information, the realm, the nonce, a cnonce, the qop value, a nonce count, an authentication algorithm, a digest uri, and the opaque. In the BSF 604 may calculate a response and compare the values received from the UE 602 with the calculated values at the BSF 604.” –e.g. see, Cha: [0085]; herein, BSF compares its calculated digest with the received digest from UE; UE is comparable to a peer device; see also, [0088] which discloses applying a digest algorithm as part of authentication challenge-response, [0090] which discloses SIP-Digest authentication). 
Neither Cha nor Palekar explicitly disclose comprising: generating the first security digest based on a hash of a retrieved correct answer to a CAPTCHA puzzle. However, in an analogous art, Todorov discloses generating the first security digest based on a hash of a retrieved correct answer to a CAPTCHA puzzle (“At block 517, the system determines whether a server hash value matches the hash value received from the client. The system can compare a server hash value for a combination of the password with the CAPTCHA answer to the client hash value. Alternatively or in addition to, the system can compare a server hash value for a combination of the password hash with the CAPTCHA answer to the client hash value.” –e.g. see, Todorov: [0042]).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was to modify the teaching of Cha and Palekar as taught by Todorov in order to prevent an attacker from easily eavesdrop on an insecure HTTP connection, intercept a hash value and/or impersonate a user by reusing the hash value to login to a server as suggested by Todorov (Spec, para 3).

As to claims 8 and 20, the combination of Cha, Palekar and Todorov disclose wherein the second security digest is generated based on a hash of a user inputted answer to the CAPTCHA puzzle (Todorov: (“At block 517, the system determines whether a server hash value matches the hash value received from the client. The system can compare a server hash value for a combination of the password with the CAPTCHA answer to the client hash value. Alternatively or in addition to, the system can compare a server hash value for a combination of the password hash with the CAPTCHA answer to the client hash value.” –e.g. see, Todorov: [0042]) and the selected segment of Transport Layer Security data corresponding to the information regarding the selection received from the endpoint device by the peer device (Cha: “As illustrated at 626, the authentication request may include the private identity information, the realm, the nonce, a cnonce, the qop value, a nonce count, an authentication algorithm, a digest uri, and the opaque. In an example embodiment, the cnonce, the nonce count, and/or the digest uri may be illustrated, by the IETF, in RFC document 2617. At 628, the BSF 604 may calculate a response and compare the values received from the UE 602 with the calculated values at the BSF 604.” –e.g. see, Cha: [0085]; herein, BSF compares its calculated digest with the received digest from UE; UE is comparable to a peer device; see also, [0088] which discloses applying a digest algorithm as part of authentication challenge-response, [0090] which discloses SIP-Digest authentication). 

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Cha in view of Palekar and further in view of Lawrence et al. (US 2014/0108800 A1) (hereinafter, “Lawrence”).


As to claim 9, neither Cha nor Palekar explicitly disclose determining whether the second security digest was received from the peer device within a defined period of time; responsive to determining that the second security digest was not received from the peer device within the defined period of time, terminating the network connection for the Transport Layer Security session with the peer device; and responsive to determining that the second security digest was received from the peer device within the defined period of time, comparing the first security digest generated by the endpoint device with the second security digest received from the peer device. 
However, in an analogous art, Lawrence discloses determining whether the second security digest was received from the peer device within a defined period of time; responsive to determining that the second security digest was not received from the peer device within the defined period of time, terminating the network connection for the Transport Layer Security session with the peer device; and responsive to determining that the second security digest was received from the peer device within the defined period of time, comparing the first security digest generated by the endpoint device with the second security digest received from the peer device (Lawrence: “The validity of time and/or the location 122 of the client device 108 is deduced by at least an estimated transmission signal client receiving time (t.sub.2est) by the client device 108 based on the alleged transmission signal data from at least one transmission source such as the satellite 102-106, the time difference 322 is below a defined time threshold, the calculated hash value 336 is the same as the received hash value 152 transmitted from the client device 108 to the authentication processor 300, and the authentication message 144 based on processing the contents of the alleged transmission signal data from the client receiver that is received at the client device 108 from at least one transmission source.” –e.g. see, Lawrence: [0094]). 
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was to modify the teaching of Cha and Palekar as taught by Lawrence in order to provide an authentication system that greatly reduces an opportunity for a spoofer to take advantage of a time delay that is typically experienced between a client device collecting digital samples of transmissions from a transmission source and an authentication processor receiving collected digital samples from the client device as suggested by Lawrence (Spec, [0005]).



Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SUMAN DEBNATH whose telephone number is (571)270-1256. The examiner can normally be reached Mon-Fri; 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



SUMAN DEBNATH
Patent Examiner
Art Unit 2495



/S.D/Examiner, Art Unit 2495                                                                                                                                                                                                        

/FARID HOMAYOUNMEHR/Supervisory Patent Examiner, Art Unit 2495