DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 03/25/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 14-17 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because claim 14 recites “An authentication server… comprising…a database… and a timer.” A database and a timer can be interpreted as software elements, therefore, the claim is considered as software per se and appropriately rejected under 35 U.S.C. 101. Dependent claims 15-17 do not remedy the deficiency of claim 14 and are rejected under the same rationale.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-5, 7, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Kirkpatrick et al. (“Software Techniques to Combat Drift in PUF-based Authentication Systems”; hereinafter “Kirkpatrick”) in view of Hwan et al. (KR20140142951A; hereinafter “Hwan”).
As per claim 1, Kirkpatrick discloses: a method of operating an authentication server based on a Physical Unclonable Function (PUF), comprising: 
transmitting a Challenge-Response Pair (CRP) update request message to a user device when a CRP update event occurs (Kirkpatrick, section VI and Fig. 3, server S sends a request to PUF-enabled client P (i.e., user device) to update the challenge-response pairs, the request comprising two sets of challenges T and T’, section IV ¶1, the request is triggered when drift is detected (i.e., CRP update event)); 
receiving a CRP update response message from the user device in response to the CRP update request message (Kirkpatrick, section VI and Fig. 3, server S receives message Eotk (i.e., CRP update response message) from client P); 
generating a secret key corresponding to the CRP update request message (Kirkpatrick, section VI subsection A and section VIII TABLE I, server S computes a symmetric key); 

While Kirkpatrick teaches updating CRPs (Kirkpatrick, section VI subsection A), Kirkpatrick does not explicitly disclose, however, Hwan teaches or suggests: updating a CRP corresponding to the secret key in a database using the decrypted CRP update response message (Hwan, [0069] and [0033], challenge-response values (C1, R1) are updated in the CRP tables (i.e., database) managed by the authentication server, wherein the challenge-response values (C1, R1) corresponds to the secret key which is the previous response value (R0) for the particular CRP (see [0059])).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of Kirkpatrick to include updating a CRP corresponding to the secret key in a database using the decrypted CRP update response message as taught by Hwan for the benefit of providing an efficient way to manage the CRP table (Hwan, [0033]).

As per claim 2, claim 1 is incorporated and the modified Kirkpatrick discloses: generating the CRP update request message when the CRP update event occurs (Kirkpatrick, section I, “prevent drift from affecting the authentication mechanism by continuously updating the PUF commitment. That is, the lifetime of each challenge-response pair is so short that the device simply cannot age sufficiently to affect the PUF response,” wherein the update event is the short lifetime of each challenge-response pair).

As per claim 3, claim 2 is incorporated and the modified Kirkpatrick discloses: triggering the CRP update event when a timeout occurs based on a CRP expiration time field of the user device in the database (Kirkpatrick, section I, “prevent drift from affecting the authentication mechanism by continuously updating the PUF commitment. That is, the lifetime of each challenge-response pair is so short that the device simply cannot age sufficiently to affect the PUF response,” wherein the update event is the short lifetime of each challenge-response pair, section I ¶10 and section VII subsection A, server S initiates continuous updating based on the limited short lifetime of each CRP, thus, server S knows the lifetime of each CRP).

As per claim 4, claim 1 is incorporated and the modified Kirkpatrick discloses: wherein generating the CRP update request message comprises: 
generating the CRP update request message including a first challenge value and a second challenge value (Kirkpatrick, section VI and Fig. 3, server S sends a request to PUF-enabled client P (i.e., user device) to update the challenge-response pairs, the request comprising two sets of challenges T and T’ corresponding to a first challenge and a second challenge value respectively), 
wherein: 
the first challenge value is a part of the CRP of the user device stored in the database (Kirkpatrick, section VI, first challenge value T is a part of the CRP (Ci, R2i) of the client P stored on the server), and 
otk includes second challenge value C’1 and second response value R’12 corresponding to the second challenge value).

As per claim 5, claim 4 is incorporated and the modified Kirkpatrick discloses: wherein the second response value is encrypted with a device secret key generated using a first response value corresponding to the first challenge value (Kirkpatrick, section VI, Eotk which includes the second response value R’12 is encrypted using the first response value y as a symmetric key).

As per claim 7, claim 4 is incorporated and the modified Kirkpatrick discloses: wherein decrypting the CRP update response message comprises: decrypting the CRP update response message with the secret key in order to acquire the second challenge value and the second response value (Kirkpatrick, section VI subsection A, “S may need to attempt the decryption twice” using the symmetric key in order to receive the updated CRP which includes the second challenge value C’1 and second response value R’12).

As per claim 18, Kirkpatrick discloses: a user device (Kirkpatrick, section VI, PUF-enabled client P), comprising: 

receive a message for requesting to update a Challenge-Response Pair (CRP) from an authentication server, the message including first and second challenge values (Kirkpatrick, section VI, “this new protocol requires sending two sets of challenges T and T’,” in other words, server S sends client P a request to update a CRP, the request including first challenge value T and second challenge value T’ where T comprises a set of challenges C1, C2, . . . , Cm and T’ comprises a set of challenges C’1, C’2, . . . , C’m (see ¶2 of section VI)); 
generate a first response value, corresponding to the first challenge value (Kirkpatrick, section VI, “P will compute y just as in Figure 2,” where y corresponds to the first response value), and a second response value, corresponding to the second challenge value, through the PUF circuit (Kirkpatrick, section VI A., “the new pairings (Ci’: Ri’2 ),” where Ri’2 corresponds to the second response value and all computations are done through the PUF circuit); 
generate a device secret key corresponding to the first response value (Kirkpatrick, section VI, “P uses y2 as a seed to create a one-time use symmetric encryption key,” where y corresponds to the first response value); 
generate a CRP update response message by encrypting the second challenge value and the second response value with the device secret key (Kirkpatrick, section VI, “We use Eotk(m) to indicate message m encrypted under this one-time key. In this case, the message is the new pairings (Ci’:Ri’2),” in other words, a CRP update i’ and the second response value Ri’2, resulting in encrypted message Eotk(C1’:R1’2, …, Cm’:Rm’2)); and 
transmit the CRP update response message to the authentication server (Kirkpatrick, section VI Fig. 3, message Eotk is transmitted to the server S).
Kirkpatrick does not explicitly disclose, however, Hwan teaches or suggests: the user device comprising a processor and a memory (Hwan, [0079], processor, [0083], memory).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of Kirkpatrick to include a processor and a memory on the user device as taught by Hwan because a person of ordinary skill in the art would know to combine prior art elements according to known methods to yield predictable results (KSR).
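The CRP update exchange mapped above for claims 1 and 18 (timeout on the CRP expiration time, request carrying a first and second challenge, response encrypted under a key derived from the first response, database update on successful decryption) can be sketched as follows. This is an added illustration, not code from the application or from any cited reference. Its assumptions: the PUF is simulated by a noise-free keyed hash, the cipher is a standard-library encrypt-then-MAC stand-in, and the class names, field names and pending-challenge check are hypothetical.

```python
import hashlib, hmac, os

def puf(device_secret, challenge):
    # Stand-in for the PUF circuit (assumption): keyed hash, no noise or drift.
    return hmac.new(device_secret, challenge, hashlib.sha256).digest()

def derive_keys(response):
    # Secret key derived from the first response value, split into enc/MAC keys.
    return (hashlib.sha256(b"enc" + response).digest(),
            hashlib.sha256(b"mac" + response).digest())

def _xor_stream(key, nonce, data):
    # SHA-256 counter-mode keystream; a stand-in for a real cipher (assumption).
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(response, plaintext):
    enc_key, mac_key = derive_keys(response)
    nonce = os.urandom(16)
    ct = _xor_stream(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(response, blob):
    enc_key, mac_key = derive_keys(response)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("CRP update response failed authentication")
    return _xor_stream(enc_key, nonce, ct)

class Device:
    """User device: holds the (simulated) PUF and answers update requests."""
    def __init__(self):
        self._secret = os.urandom(32)   # models the physical uniqueness of the PUF

    def respond(self, challenge):
        return puf(self._secret, challenge)

    def handle_update_request(self, first_challenge, second_challenge):
        r1 = self.respond(first_challenge)    # first response -> device secret key
        r2 = self.respond(second_challenge)   # second response -> new CRP
        return seal(r1, second_challenge + r2)

class AuthServer:
    """Authentication server: CRP database with an expiration time per device."""
    def __init__(self, crp_lifetime):
        self.db = {}
        self.crp_lifetime = crp_lifetime

    def enroll(self, device_id, challenge, response, now):
        self.db[device_id] = {"challenge": challenge, "response": response,
                              "expires": now + self.crp_lifetime, "pending": None}

    def update_due(self, device_id, now):
        # CRP update event: timeout against the CRP expiration time field.
        return now >= self.db[device_id]["expires"]

    def make_update_request(self, device_id):
        rec = self.db[device_id]
        rec["pending"] = os.urandom(16)       # fresh second challenge
        return rec["challenge"], rec["pending"]

    def handle_update_response(self, device_id, blob, now):
        rec = self.db[device_id]
        try:
            plain = unseal(rec["response"], blob)   # key from the stored response
        except ValueError:
            return False
        new_challenge, new_response = plain[:16], plain[16:]
        if rec["pending"] is None or new_challenge != rec["pending"]:
            return False
        rec.update(challenge=new_challenge, response=new_response,
                   expires=now + self.crp_lifetime, pending=None)
        return True
```

Because the stored response is replaced on success, a replayed update response no longer authenticates under the new key.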

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Kirkpatrick in view of Hwan and further in view of Shokrollahi et al. (US 20120030270 A1; hereinafter “Shokrollahi”).
As per claim 6, claim 4 is incorporated and while the modified Kirkpatrick discloses retrieving the CRP of the user device from the database and generating a secret key using a first response value (Kirkpatrick, section VI), Kirkpatrick does not disclose, however, Shokrollahi teaches or suggests: generating the secret key for decrypting the CRP update response message using the first challenge value and a first response value of the retrieved CRP (Shokrollahi, [0011], the entire challenge-response 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Kirkpatrick to include using the entire challenge-response pair to generate the secret key as taught by Shokrollahi for the benefit of increasing the difficulty of generating the secret key.

Claims 8-9 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Kirkpatrick in view of Hwan and further in view of Ketharaju et al. (US 10735414 B1; hereinafter “Ketharaju”).
As per claim 8, claim 1 is incorporated and the modified Kirkpatrick does not disclose, however, Ketharaju teaches or suggests: registering the user device in the database through a mediator device (Ketharaju, col. 8 lines 20-36, IOT device 104 is registered via user’s smart phone (i.e., mediator device)).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Kirkpatrick to include registering the user device in the database through a mediator device as taught by Ketharaju for the benefit of allowing a user to identify IOT devices the user wants to use for authentication with ease as the user just needs to move to close proximity of the selected IOT device, establish short-term communication, and have the serial number of the selected IOT device transferred to the user’s smart phone to be transferred to the application server (Ketharaju, col. 8 lines 20-36).

As per claim 9, claim 8 is incorporated and the modified Kirkpatrick does not disclose, however, Ketharaju teaches or suggests: wherein registering the user device in the database comprises: 
performing user authentication using the mediator device (Ketharaju, col. 12 lines 20-33, user performs authentication using smart phone); 
issuing an authentication token to the mediator device after the user authentication is completed (Ketharaju, col. 12 lines 38-53, server sends a token to the smart phone); and 
receiving the authentication token and a device ID from the user device (Ketharaju, col. 8 lines 12-17, token is transferred from the user’s smart phone to the IOT device 104 and then from the IOT device 104 to the IOT server computer, col. 8 lines 49-52, where the token includes the serial number corresponding to the IOT device 104 (i.e., device ID)).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Kirkpatrick to include registering the user device in the database through a mediator device as taught by Ketharaju for the benefit of allowing a user to identify IOT devices the user wants to use for authentication with ease as the user just needs to move to close proximity of the selected IOT device, establish short-term communication, and have the serial number of the selected IOT device transferred to the user’s smart phone to be transferred to the application server (Ketharaju, col. 8 lines 20-36).

As per claim 19, claim 18 is incorporated and the modified Kirkpatrick does not disclose, however, Ketharaju teaches or suggests: wherein the user device registers a device ID corresponding thereto in the authentication server through a mediator device and requests authentication from the authentication server using the device ID (Ketharaju, col. 8 lines 20-36, IOT device 104 registers its serial number (i.e., device ID) via user’s smart phone (i.e., mediator device), col. 8 lines 49-52, wherein the serial number can be obtained by the IOT server from the token and verify that the serial number corresponds to an IOT device registered for the user).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Kirkpatrick to include registering the user device in the database through a mediator device as taught by Ketharaju for the benefit of allowing a user to identify IOT devices the user wants to use for authentication with ease as the user just needs to move to close proximity of the selected IOT device, establish short-term communication, and have the serial number of the selected IOT device transferred to the user’s smart phone to be transferred to the application server (Ketharaju, col. 8 lines 20-36).

Claims 10-12 are rejected under 35 U.S.C. 103 as being unpatentable over Kirkpatrick in view of Hwan and further in view of Wille et al. (US 20190114115 A1; hereinafter “Wille”).
As per claim 10, claim 1 is incorporated and the modified Kirkpatrick does not disclose, however, Wille teaches or suggests: authenticating the user device in response to an authentication request message from the user device (Wille, [0010], 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Kirkpatrick to include authenticating the user device in response to an authentication request message from the user device as taught by Wille for the benefit of making sure the user device is authentic to the server.

As per claim 11, claim 10 is incorporated and the modified Kirkpatrick does not disclose, however, Wille teaches or suggests: wherein authenticating the user device comprises: 
generating an authentication secret key using a CRP stored in the database (Wille, [0010], PUF challenge is used to determine/generate a restore key); 
generating a random number to be used for authentication of the user device (Wille, [0013] and [0044], random number is generated for the PUF challenge); 
generating an authentication response message by encrypting a challenge value of the CRP, a device ID of the user device, and the random number with the authentication secret key (Wille, [0013], challenge, unique device identifier, and the random number are encrypted by the restore key); 
transmitting the authentication response message to the user device (Wille, [0013], PUF challenge is sent to the user device); and 
receiving an authentication confirmation message from the user device in response to the authentication response message, wherein the authentication 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Kirkpatrick to include authenticating the user device in response to an authentication request message from the user device as taught by Wille for the benefit of making sure the user device is authentic to the server.

As per claim 12, claim 11 is incorporated and the modified Kirkpatrick does not disclose, however, Wille teaches or suggests: wherein authenticating the user device further comprises: decrypting the authentication confirmation message with the authentication secret key (Wille, [0052]-[0054], host server decrypts the message with the restore key RK); and 
making a comparison so as to check whether a random number of the decrypted authentication confirmation message matches the generated random number (Wille, [0052]-[0054], host server checks that the decrypted random number is identical).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Kirkpatrick to include authenticating the user device in response to an authentication request message from the user device as taught by Wille for the benefit of making sure the user device is authentic to the server.

As per claim 20, claim 18 is incorporated and the modified Kirkpatrick does not disclose, however Wille teaches or suggests: wherein, when requesting authentication, the user device receives a random number encrypted with an authentication secret key corresponding to the CRP from the authentication server (Wille, [0013], challenge, unique device identifier, and the random number are encrypted by the restore key and sent to the user device), acquires the random number by decrypting the encrypted random number with a device secret key corresponding to the CRP (Wille, [0052]-[0054], device acquires random number), generates an authentication confirmation message by encrypting the acquired random number with the device secret key (Wille, [0052]-[0054], device encrypts the random number with restore key RK), and transmits the authentication confirmation message to the authentication server (Wille, [0052]-[0054], host server receives the message from user device which includes the random number encrypted with the restore key RK).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Kirkpatrick to include authenticating the user device in response to an authentication request message from the user device as taught by Wille for the benefit of making sure the user device is authentic to the server.

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Kirkpatrick in view of Hwan and further in view of Roshandel et al. (EP 3334087 A1; hereinafter “Roshandel”).
As per claim 13, claim 1 is incorporated and the modified Kirkpatrick does not disclose, however, Roshandel teaches or suggests: performing authentication for the user device when a timeout occurs based on an authentication expiration time field or a CRP expiration time field during an authentication session (Roshandel, [0044]-[0047], device 200 is authenticated after a predetermined lifetime is reached for the CRP).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Kirkpatrick to include re-authenticating a user device after a predetermined lifetime is reached for the CRP as taught by Roshandel for the benefit of improving the security of the authentication by assigning a predetermined lifetime to each CRP, thus preventing the use of a potentially compromised CRP which has been stored in the database for too long (Roshandel, [0047]).

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Kirkpatrick in view of Roshandel.
As per claim 14, Kirkpatrick discloses: an authentication server based on a Physical Unclonable Function (PUF), comprising: 
a database for storing a Challenge-Response Pair (CRP) of at least one user device (Kirkpatrick, section VI, server S stores CRP values); and 
wherein, when the timeout occurs based on the CRP expiration time field or the authentication completion time field, a CRP update request message is transmitted to a corresponding user device and a CRP update response message is received from the user device in response to the CRP update request message (Kirkpatrick, section I, 
While Kirkpatrick teaches determining whether a timeout occurs based on a CRP expiration time field pertaining to the CRP or an authentication completion time field, Kirkpatrick does not explicitly disclose, however, Roshandel teaches or suggests: a timer (Roshandel, [0017], authentication module (i.e., timer) assigns a predetermined lifetime to every challenge-response pair in the database and is configured to not use the challenge-response pair for authentication after the predetermined lifetime has expired).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of Kirkpatrick to include a timer that determines whether a timeout occurs based on a CRP expiration time as taught by Roshandel for the benefit of determining when it is time to update a CRP to improve the security of the authentication by preventing the use of a potentially compromised CRP which has been stored in the database for too long (Roshandel, [0047]).

Claims 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Kirkpatrick in view of Roshandel and further in view of Strongin (US 20030028781 A1).
As per claim 15, claim 14 is incorporated and the modified Kirkpatrick does not disclose, however, Strongin teaches or suggests: wherein a static authentication operation of the user device is performed in a boot process when the user device is powered on, and then device continuous authentication for the user device is performed (Strongin, [0314], a device is authenticated during boot process and subsequently continuous authentication occurs based on a timer).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Kirkpatrick to include a static authentication operation of the user device during a boot process and then device continuous authentication as taught by Strongin for the benefit of maintaining a secure and authenticated connection with the device (Strongin, [0314]).

As per claim 16, claim 14 is incorporated and the modified Kirkpatrick does not disclose, however, Strongin teaches or suggests: wherein a time corresponding to the timeout is set in an aperiodic manner (Strongin, [0313], set/predetermined value of timer varies according to a predetermined algorithm, in other words, the time corresponding to the timeout may vary (i.e., aperiodic manner)).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Kirkpatrick to include setting a timer corresponding to a timeout in an aperiodic manner as taught by Strongin for the benefit of maintaining a secure and authenticated connection with the device in an unpredictable manner (Strongin, [0314]).

Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Kirkpatrick in view of Roshandel and further in view of Joo (US 20160173495 A1).
As per claim 17, claim 14 is incorporated and the modified Kirkpatrick does not disclose, however, Joo teaches or suggests: wherein, when an event alarm is raised through device state monitoring or abnormal behavior detection, an authentication operation for the user device is performed (Joo, [0063]-[0064], determine malicious behavior on the terminal device and re-authentication of the terminal is performed).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Kirkpatrick to include performing a re-authentication when a malicious behavior is detected as taught by Joo because the loss of IoT service activation attributable to the blocking of malicious behavior can be minimized by clearly determining an attack behavior and the erroneous operation of a device itself by differently applying commands for actual IoT device control when a malicious behavior is determined (Joo, [0072]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Refer to PTO-892, Notice of References Cited for a listing of analogous art.

US 20160110571 A1 – discloses updating a challenge-response pair continuously such that a server does not need to suffer a considerable amount of load for storing a large number of challenge-response pairs ([0020]).	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALEXANDER R LAPIAN whose telephone number is (571)272-7552. The examiner can normally be reached M-F 9:30-6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on 571-272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 

ALEXANDER R. LAPIAN
Examiner
Art Unit 2437



/ALEXANDER R LAPIAN/Examiner, Art Unit 2437
/KRISTINE L KINCAID/Supervisory Patent Examiner, Art Unit 2437