Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

The communication received on 8/19/21 has been entered.

NOTE: The examiner attempted to contact Deborah Ku on 12/13/21 to expedite the prosecution.  The examiner left a voice mail but no response has been received.  

Response to Arguments/Amendments

Claims 6, 28 and 50 were rejected because of the limitation requiring that the second key be a function, and claims 7, 29 and 51 were rejected because the limitation required the function to be the same as the key. The amended claims 6, 28 and 50 addressed the rejected issues by clarifying that the second key is generated based on the first key, and the amended claims 7, 29 and 51 clarified that the second key is the hash of the first key, which is the symmetric key, and is therefore not the same as the first key. As such, the amended claims addressed the issue of how the key can be a function and/or how an object of one value can be the same as an object of another value. However, the issue of verifying a message signed with a key by using the hash of that key, as
Applicant’s arguments are directed towards the independent claims 1, 13, 23, 35, 45 and 57, which include a subset of claims 5, 19, 27, 41, 49 and 63; they are addressed in the rejection below.

Claims 1-66 are pending.
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claim Rejections - 35 USC § 112
Claims 6-7, 28-29 and 50-51 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the enablement requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to enable one skilled in the art to which it pertains, or with which it is most nearly connected, to make and/or use the invention.
The claims are also rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for pre-AIA the inventor(s), at the time the application was filed, had possession of the claimed invention.
Specifically, the amended claims 6-7 require the first key to be a symmetric key and the second key to be generated based on the symmetric key (e.g. claim 6). Claim 7
Claims 28-29 and 50-51, being essentially similar, are similarly rejected.
Appropriate correction/clarification is required.

Claims 6-7, 28-29 and 50-51 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant, regards as the invention.
Specifically, the amended claims 6-7 require the first key to be a symmetric key and the second key to be generated based on the symmetric key (e.g. claim 6). Claim 7 clarifies that the second key is a hash value resulting from hashing the first key. However, claim 1, on which claims 6-7 depend, requires the security token to be signed using a first key and the modified (signed) security token to be verified using the second key. It is not clear how a security token signed with one value (the first key) can be verified with the hash of that value. Given that this defies the principles of digital signatures, the examiner attempted to find clarification in the specification, but the specification is limited to repeating the claim language. Thus, either there is a problem with the drafted claim or essential steps (reciting how the
Note that once the claims are understood, they may be subject to rejection based on failing to comply with the enablement requirement.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claim Rejections - 35 USC § 103
Claim(s) 1, 8, 23, 30, 45 and 52 are rejected under 35 U.S.C. 103 as being obvious over Hito (USPUB 20110219427) in view of Tschofenig (USPUB 20170359338) and further in view of Cheng (USPUB 20130104215) or, in the alternative, Sowatskey (USPUB 20130007867).
Hito teaches a method for a secure transaction with a network resource, the method comprising: receiving, at a computing device corresponding to the network resource from a first client device, a request for a security token to authenticate a transaction session corresponding to a user account administered by the network resource, wherein the first client device is associated with the user account (whenever the user wants to access a secured resource (web server) the authentication provider presents an authentication request, para 25-26 and 35); in response to the request: The set
Although Hito teaches storing the registered second key as associated with the second client device and the user account (e.g. para 67-75), Hito does not teach receiving, prior to receiving the request from the first client device, a registration message from the second client device, the registration message including the second key and information authenticating the second client device. However, Tschofenig suggests such a solution (the authentication device creates a public/private key pair and provides the public key to the service provider for storage at the service provider, enabling the following connection establishment and communication capabilities/data transfer, para 89). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to include the known solution taught by Tschofenig in Hito’s invention given the predictable benefit of key exchange.
Note that in the above interpretation, the examiner considers the fact that communicating computing devices exchange information (device addresses, in order for the packet to identify the sender and the recipient) and, as a result, the registration message includes the second key and the client information. However, even if this information is considered to be authentication information, Hito/Tschofenig does not teach verifying the information. However, Cheng or, in the alternative, Sowatskey teaches verifying such authentication information (Sowatskey’s para 27: authentication of a client device is based on evaluating the client IP address, or Cheng’s para 14: authenticated network device identified according to MAC address). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to include the known solution taught by Cheng or
Hito teaches that sending the particular security token to the first client device comprises sending, along with the particular security token, information indicating a validity time period for the particular security token (time stamp TS, para 54), and that verifying the modified security token comprises: determining whether the validity time period has expired; and, conditioned on determining that the validity time period has not expired, verifying the signature using the second key (verify that the authentication request has not already expired by comparing the time stamp TS with the current date/time and ensuring that less than a predetermined time, X, has passed, followed by verifying the signature using the public key, para 68-76).
Note that the examiner asserted, based on the numbered sequence presented by Hito, that verifying the signature is conditioned on determining that the validity time period has not expired. As such, it would make sense to pursue the next steps of handling the request only after that determination, given the potential security issue.
However, even if, somehow, Hito entertained a solution other than the one asserted by the examiner, it is noted that there would have been only three obvious variants of the order of the steps applied to the modified security token: determining the validity period at the same time as verifying the signature, or one (determining or verifying) before the other, any of these choices being merely an obvious variant amounting to a design choice that does not affect the functionality of the invention and offers the predictable benefit of customization. Furthermore, [Official Notice is taken that] rejecting actions based on requests in case the validity time period has expired would
Claims 2, 4, 24, 26, 46 and 48 are rejected under 35 U.S.C. 103 as being unpatentable over Hito in view of Tschofenig and Cheng/Sowatskey and further in view of Canavor (USPN 8904506).
Hito teaches the request that results in generating the particular security token as discussed above.
As per claims 2, 24 and 46, Hito as modified does not expressly teach the request including information identifying the first client device and determining, based on examining the information identifying the first client device, whether the first client device is authorized to host the transaction session. However, in the related art, Canavor suggests such a solution (the IP address with the request may be inspected to determine if it is an authorized address, e.g. against IP addresses of known hackers, known attackers, etc., col. 10 lines 4-25 and col. 22 lines 42-59, for example). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to include Canavor’s teaching in Hito’s invention as modified given the benefit of increased security.
Proceeding to the next step, that is, generating the particular security token conditioned on determining that the first client device is authorized to host the transaction session, would have been implicit. Enabling transactions for unauthorized devices would be a security risk, as noted by Canavor (col. 24 lines 5-9, for example), suggesting that the interaction be terminated in case the client is unauthorized.
Given no specific limiting definition of the claimed error condition, the limitation of claims 4, 26 and 48 would have been inherent. Computers work based on computer instructions/signals, and determining whether the device is unauthorized/authorized, resulting in a signal triggering a particular action (e.g. denial/permission to proceed), would satisfy the limitation of generating an error (or success) condition.
Claims 3, 25 and 47 are rejected under 35 U.S.C. 103 as being unpatentable over Hito in view of Tschofenig, Cheng/Sowatskey and further in view of Canavor (USPN 8904506) or, in the alternative, Drokov (USPUB 20080307515).
The teachings of Hito as modified have been discussed above.
Hito does not, but in the related art Canavor or, in the alternative, Drokov teaches the information identifying the first client device including one or more of a network address of the first client device, a location of the first client device, or a time of the request, and wherein determining whether the first client device is authorized to host the transaction session comprises at least one of: determining that an association of the network address with the user account is registered with the network resource, determining that the transaction session is permitted at the location of the first client device, or determining that the transaction session is permitted at the time of the request (see Canavor’s col. 10 lines 4-41 or Drokov’s Fig. 8 with the associated text). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to include the known solution taught by Canavor or Drokov in Hito’s invention as modified given the predictable benefit of increased security.
Claims 9, 31 and 53 are rejected under 35 U.S.C. 103 as being unpatentable over Hito in view of Tschofenig, Cheng/Sowatskey and further in view of Danneels (USPUB 20020161591).
Hito as modified teaches that sending the particular security token to the first client device comprises sending, along with the particular security token, information uniquely identifying the particular security token; identifying the received particular token using the information uniquely identifying the particular security token; and verifying the signature using the second key (see para 32-76; various elements could meet the information uniquely identifying the security token, e.g. the ID uniquely identifying the provisioning request).
Hito as modified does not teach determining, using the information uniquely identifying the particular security token, whether the modified security token has been used before. However, in the related art, Danneels suggests determining, using the information uniquely identifying the particular security token, whether the modified security token has been used before (para 26), in addition to verifying the signature. It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to include Danneels’ teaching in Hito’s invention as modified in order to prevent receiving repeat benefits.
Although the claimed limitations additionally require a specific order of verification/validation, “conditioned on determining the token has not been used, verifying the signature”, the examiner points out that, while Danneels teaches both of these being checked, there are only three obvious variants, one of the variants being checking both of them at the same time and the other two consisting
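The verification discussed in the rejections above (validity time period, used-before check, then verifying the authentication tag with the registered key), and the point raised under 35 U.S.C. 112 that a token authenticated under a symmetric first key cannot be verified with the hash of that key, rendered as an added example. This code is not part of the office action, the application or any cited reference; it assumes an HMAC-SHA256 tag standing in for the signature, a constructed sample key, and hypothetical function and field names.

```python
import hashlib
import hmac
import json

# Constructed sample key, not from the application: the "first key" (a symmetric
# key) held by the signing client device and registered with the network resource.
FIRST_KEY = bytes.fromhex("0f" * 32)
# The "second key" of claim 7 as drafted: the hash of the first key.
SECOND_KEY_AS_HASH = hashlib.sha256(FIRST_KEY).digest()


def issue_token(token_id: str, issued_at: int, validity_seconds: int) -> dict:
    """Security token as sent by the network resource: a unique identifier,
    an issue time stamp and the validity period (Hito's TS and X)."""
    return {"id": token_id, "ts": issued_at, "valid_for": validity_seconds}


def _payload(token: dict) -> bytes:
    # Canonical encoding so signer and verifier authenticate identical bytes.
    return json.dumps(token, sort_keys=True).encode()


def sign_token(token: dict, key: bytes) -> dict:
    """Produce the 'modified security token': the token plus an HMAC-SHA256 tag
    computed with the signer's key (HMAC stands in for the public-key signature)."""
    tag = hmac.new(key, _payload(token), hashlib.sha256).hexdigest()
    return {**token, "tag": tag}


def verify_modified_token(modified: dict, key: bytes, used_ids: set, now: int) -> str:
    """Verify in the order the office action discusses: validity period first,
    then the used-before (replay) check, then the authentication tag.
    Returns 'ok', 'expired', 'replayed' or 'bad-signature'."""
    token = {k: v for k, v in modified.items() if k != "tag"}
    if now > token["ts"] + token["valid_for"]:
        return "expired"
    if token["id"] in used_ids:
        return "replayed"
    expected = hmac.new(key, _payload(token), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, modified.get("tag", "")):
        return "bad-signature"
    used_ids.add(token["id"])  # record the identifier only after a full success
    return "ok"


if __name__ == "__main__":
    token = issue_token("req-0001", issued_at=1_000, validity_seconds=60)
    modified = sign_token(token, FIRST_KEY)
    seen = set()
    print(verify_modified_token(modified, FIRST_KEY, seen, now=1_030))  # ok
    print(verify_modified_token(modified, FIRST_KEY, seen, now=1_031))  # replayed
    print(verify_modified_token(modified, FIRST_KEY, set(), now=1_061))  # expired
    # A tag computed under the first key does not verify under the hash of that key.
    print(verify_modified_token(modified, SECOND_KEY_AS_HASH, set(), now=1_030))  # bad-signature
```

The last call illustrates the indefiniteness issue: with a symmetric first key, the verifier needs that same key; substituting its SHA-256 hash yields a different tag and the check fails, regardless of the order in which the expiry and replay checks are performed.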
Claims 10, 32 and 54 are rejected under 35 U.S.C. 103 as being unpatentable over Hito in view of Tschofenig, Cheng/Sowatskey and further in view of Balfanz (USPN 8256664).
Hito as modified teaches sending information to the first device for enabling, by the computing device, the transaction session corresponding to the user account, as discussed above.
Hito as modified does not expressly teach the information providing a portal and enabling transactions corresponding to the user account through the portal provided on the first client device. However, such a solution would have been old and well known in the art of computing, as illustrated by Balfanz (request for the web page from the client device utilizing a QR code scanned by device 160, enabling receipt of the web page by client device 170, as seen in Fig. 3-4, 6 and 7 with the associated text), motivating one of ordinary skill in the art before the effective filing date of the invention given the benefit of usability and the predictable benefit of data access control.
Claims 11, 33 and 55 are rejected under 35 U.S.C. 103 as being unpatentable over Hito in view of Tschofenig, Cheng/Sowatskey and further in view of Grange (USPUB 20170171755).
Hito as modified teaches obtaining, by the second client device using an application executed by the second client device, a representation of the security token presented on the first client device; proceeding with signing the security token and controlling a trusted hardware component coupled to the second client device to generate the modified security token by signing the security token using the first key stored in the trusted hardware component; and sending, by the second client device to the computing device, the modified security token (the set of hardware elements of the mobile device that securely stores keys and signs the decided token with the private key, to be verified by the authentication provider with the public key associated with the user name UN located in its internal user database, as noted in para 29, 44-65 and 67-79, meets the limitation of the “trusted component”).
Hito as modified does not teach, upon obtaining, requesting, by the second client device, confirmation to sign the security token; in response to the request, receiving an input confirming proceeding with signing the security token; authenticating the input; and upon successfully authenticating the input, controlling a trusted hardware component coupled to the second client device to generate the modified security token by signing the security token. However, in the related art, Grange teaches such a solution (the dynamic variable based on transaction data may indicate the user’s approval of the data and be referred to as a signature or message authentication code, e.g. the authentication device cryptographically combines a cryptographic secret with transaction data to generate dynamic credentials comprising an electronic signature over the transaction data… In some embodiments the authentication device may capture an approval (or rejection) by to generate and/or return a dynamic credential. The authentication device may present data to the user and may capture an approval of the presented data to be used by the authentication device in the generation of dynamic credentials … may verify the captured or received PIN and/or password or a biometric of the user that has been taken by a biometric sensor on the authentication device. The authentication device generates the dynamic credential only if the PIN, password or biometric measurement has been successfully verified, para 49, 134-136 and 139, for example). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to include Grange’s teaching in Hito’s invention as modified given the benefit of increased security.
Claims 12, 34 and 56 are rejected under 35 U.S.C. 103 as being unpatentable over Hito in view of Tschofenig, Cheng/Sowatskey and further in view of Polehn (USPN 10123202).
Hito’s invention as modified has been discussed above.
Hito as modified does not teach the network resource being a cryptoasset custodial system, and the user account being a custodial account administered by the cryptoasset custodial system (vSIM platform 130 includes a blockchain manager and a digital rights manager, wherein the blockchain manager authorizes access for vSIMs, manages vSIM user accounts and provides administrative functions, such as tracking vSIM activity, and the digital rights manager verifies authentication whenever a client device or user attempts to create a vSIM user account, obtain a vSIM, and/or transfer a vSIM, col. 6 lines 38-44 and col. 7 lines 53-56, for example). It would have been obvious to one of ordinary skill in the art before the effective filing date of
Additionally, it is noted that, as recited in the claim, the particular network resource and user account amount merely to descriptive material, and including any particular resources/user accounts within Hito’s concept as modified would not affect the functionality of the invention and thus would not distinguish the claimed invention from the prior art in terms of patentability. Thus, this descriptive material does not distinguish the claimed invention from the prior art in terms of patentability, see In re Gulack, 703 F.2d 1381, 1385, 217 USPQ 401, 404 (Fed. Cir. 1983); In re Lowry, 32 F.3d 1579, 32 USPQ2d 1031 (Fed. Cir. 1994).
Claims 13, 16-18, 20, 35, 38-40, 42, 57, 60-62 and 64 are rejected under 35 U.S.C. 103 as being unpatentable over Hito in view of Tschofenig, Cheng/Sowatskey and further in view of Grange (USPUB 20170171755).
As per claims 13, 35 and 57, Hito as modified teaches a method performed by a first client device for a secure transaction with a network resource, the method comprising: receiving, at the first client device, an input to access an application associated with the network resource; in response to the input, executing the application; obtaining, using the application, a representation of a security token presented on a second client device, the security token associated with the secure transaction, wherein the security token is generated by a computing device (the set of hardware elements of the mobile device that securely stores keys and signs the decided token with the private key, to be verified by the authentication provider, as noted in para 26, 29, 44-65 and 67-79, meets the limitation of the “trusted component”), and wherein a second key corresponding to the first key is registered with the network resource; and sending, by the first client device to the computing device, the modified security token (the authentication provider verifies the signature with the public key associated with the user name UN located in its internal user database, para 67-79); and one skilled in the art would readily appreciate that the computing devices’ functionalities are provided by computing processors executing instructions stored on non-transitory media.
Hito as modified does not teach, upon obtaining, requesting, by the second client device, confirmation to sign the security token; in response to the request, receiving an input confirming proceeding with signing the security token; authenticating the input; and upon successfully authenticating the input, controlling a trusted hardware component coupled to the second client device to generate the modified security token by signing the security token. However, in the related art, Grange teaches
As per claims 20, 42 and 64, Hito as modified teaches obtaining the representation of the security token comprises obtaining, along with the representation of the security token, information indicating a validity time period for the security token, and wherein requesting the confirmation for proceeding with the secure transaction comprises: determining whether the validity time period has expired (verify that the authentication request has not already expired by comparing the time stamp TS with 
In addition to Hito as modified teaching determining the validity time period expiration, Hito as modified teaches requesting the confirmation as discussed above, and although the claimed limitations additionally require a specific order of confirmation, “conditioned on determining that the validity time period has not expired, requesting the confirmation”, the examiner points out that there are only three obvious variants, either requesting confirmation at the same time as determining the validity period or one before the other, any of these choices being merely an obvious variant amounting to a design choice that does not affect the functionality of the invention and offers the predictable benefit of customization.
Furthermore, [Official Notice is taken that] rejecting actions based on requests in case the validity time period has expired would have been old and well known in the art before the effective filing date (Kerberos, digital certificates, etc.), offering the predictable benefit of increased security (e.g. replay attack prevention).
Claims 14, 36 and 58 are rejected under 35 U.S.C. 103 as being unpatentable over Hito in view of Tschofenig, Cheng/Sowatskey and Grange, and further in view of Durand (USPUB 20140222981).
Although Hito teaches obtaining information identifying the second client device along with the representation of the security token (the unique device ID, para 55), Hito does not teach the information identifying the second client device including one or more of a network address of the second client device, or a location of the second client device.
However, information identifying the device including one or more of a network address of the second client device, or a location of the second client device, would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, as illustrated by Durand (see Durand’s claim 21), providing the benefit of customization and unique identification.
Claims 15, 37 and 59 are rejected under 35 U.S.C. 103 as being unpatentable over Hito in view of Tschofenig, Cheng/Sowatskey and Grange, and further in view of Durand (USPUB 20140222981) and Gilbert (USPUB 20070039039) or, in the alternative, Fukui (USPUB 20110072501).
Hito as modified teaches obtaining information identifying the second client device that is one or more of the network address of the second client device, or the location of the second client device, and processing the secure transaction associated with the second client device.
Hito as modified does not teach displaying the information of the second client device and requesting confirmation. However, in the related art, Gilbert and Fukui suggest such a solution (see Gilbert’s para 41 or Fukui’s para 88). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to include the known solution taught by Gilbert or Fukui in Hito’s invention as modified given the benefit of customization and security.
Claims 21, 43 and 65 are rejected under 35 U.S.C. 103 as being unpatentable over Hito in view of Tschofenig, Cheng/Sowatskey and Grange, and further in view of Danneels (USPUB 20020161591) or, in the alternative, Thorwith (USPN 10045093).
Hito as modified teaches requesting the confirmation for proceeding with the secure transaction as discussed above, and teaches obtaining, along with the representation of the security token, information uniquely identifying the security token (see para 32-76; various elements could meet the information uniquely identifying the security token, e.g. ID uniquely identifying the provisioning request). 
Hito as modified does not teach determining, using the information uniquely identifying the particular security token, whether the modified security token has been used before. However, in the related art, Danneels and Thorwith suggest determining, using the information uniquely identifying the particular security token, whether the modified security token has been used before (see Danneels’ para 26 or Thorwith’s col. 15 lines 49-50; note that the prior art expressly teaches rejecting a previously used token). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to include Danneels’ or Thorwith’s teaching in Hito’s invention as modified in order to prevent receiving repeat benefits and replay attacks. Hito as modified teaches requesting the confirmation, and Hito as modified teaches determining whether the modified security token has been used before, as discussed above. Although the claimed limitations additionally require a specific order of determination/confirmation, “determining that the security token has not been used before, requesting the confirmation”, there are only three obvious variants: performing the determination and requesting confirmation at the same time, or one before the other, any of these choices being merely an obvious variant amounting to a design choice.
Claims 22, 44 and 66 are rejected under 35 U.S.C. 103 as being unpatentable over Hito in view of Tschofenig, Cheng/Sowatskey and Grange, and further in view of Polehn (USPN 10123202).
Hito’s invention as modified has been discussed above.
Hito as modified does not teach the network resource being a cryptoasset custodial system, and the user account being a custodial account administered by the cryptoasset custodial system (vSIM platform 130 includes a blockchain manager and a digital rights manager, wherein the blockchain manager authorizes access for vSIMs, manages vSIM user accounts and provides administrative functions, such as tracking vSIM activity, and the digital rights manager verifies authentication whenever a client device or user attempts to create a vSIM user account, obtain a vSIM, and/or transfer a vSIM, col. 6 lines 38-44 and col. 7 lines 53-56, for example). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to include Hito’s teaching as modified in the known environment taught by Polehn given the benefit of security. Similarly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to include Polehn’s teaching in Hito’s security environment as modified given the benefit of scalability and customization.
Additionally, it is noted that, as recited in the claim, the particular network resource and user account amount merely to descriptive material, and including any particular resources/user accounts within Hito’s concept as modified would not affect the functionality of the invention and thus would not distinguish the claimed invention from the prior art in terms of patentability. Thus, this descriptive

Conclusion

Claims 5-7, 19, 27-29, 41, 49-51 and 63 overcame the art of record.
However, claims 6-7, 28-29 and 50-51 remain subject to the rejections under 35 U.S.C. 112 set forth above.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 



If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571) 272-6798.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/PIOTR POLTORAK/Primary Examiner, Art Unit 2433