DETAILED ACTION

Examiners Note
Examiner requires submission of ISO/IEC 9798-1 corresponding to the submitted version of ISO/IEC 9798-2

Information Disclosure Statement
The IDS filed 10/11/19 and 11/26/2019 has been considered and entered.
Drawings
The drawings filed 10/11/19 are accepted.
Specification
The specification filed 10/11/19 is accepted.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 3 is  rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.  For example, claim 3 recites 'a second authentication token' which was previously introduced.



 Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-21 are rejected under 35 U.S.C. 101 because 
the claimed invention is directed to an abstract idea without significantly more. The claim(s) recite(s) the abstract idea of a mental process.  For example limitations:
receiving a first token
generating second token
sending the second token
deriving pre-shared keys
see  MPEP 2106.04, particularly MPEP 2106.04(a)(2) III MENTAL PROCESSES (C) A claim that requires a computer may still recite a mental process

The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the claim includes only includes well-understood, routine, conventional computer functions  in addition to the cited abstract idea and does not recite an inventive concept.  see  MPAP 2106.05(d)
	For example the courts have recognized the following computer functions as well understood, 
routine an conventional.
receiving or transmitting data over a network, e.g., using the Internet to gather data, Symantec, 838 F.3d at 1321, 120 USPQ2d at 1362 (utilizing an intermediary computer to forward information); TLI Communications LLC v. AV Auto. LLC, 823 F.3d 607, 610, 118 USPQ2d 1744, 1745 (Fed. Cir. 2016) (using a telephone for image transmission); OIP Techs., Inc., v. Amazon.com, Inc., 788 F.3d 1359, 1363, 115 USPQ2d 1090, 1093 (Fed. Cir. 2015) (sending messages over a network); buySAFE, Inc. v. Google, Inc., 765 F.3d 1350, 1355, 112 USPQ2d 1093, 1096 (Fed. Cir. 2014) (computer receives and sends information over a network); but see DDR Holdings, LLC v. Hotels.com, L.P., 773 F.3d 1245, 1258, 113 USPQ2d 1097, 1106 (Fed. Cir. 2014) ("Unlike the claims in Ultramercial, the claims at issue here specify how interactions with the Internet are manipulated to yield a desired result‐‐a result that overrides the routine and conventional sequence of events ordinarily triggered by the click of a hyperlink." (emphasis added));

storing and retrieving information in memory, Versata Dev. Group, Inc. v. SAP Am., Inc., 793 F.3d 1306, 1334, 115 USPQ2d 1681, 1701 (Fed. Cir. 2015); OIP Techs., 788 F.3d at 1363, 115 USPQ2d at 1092-93;

MPEP section 2106.05 I is titled THE SEARCH FOR AN INVENTIVE CONCEPT; here, the MPEP make clear that patentability does not rest on novelty or non-obviousness alone, but that there must be an inventive concept.  

Section A provides six examples of what may constitute an inventive concept; applicants claims do not include limitation corresponding to any of the items i-vi.  

 

Claims 2-8, 10-17 and 19-21 are further rejected because they each depend on a base claim that has been rejected under 101.



Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:

1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


Claims  1-2, 5-10, 13-16, and 18-19  are rejected under pre-AIA  35 U.S.C. 103 as being unpatentable over Kgil et al ( US 9386045 hereinafter Kgil) in view of ISO/IEC 9798-2 hereinafter ISO  .







As to claim 1,   
Kgil discloses a system comprising: 
a secure element Fig 2 210 and 222
of a mobile device;  C10 line 8-9 mobile device

and a network gateway device Fig 2 272 in view of  C4 lines 31-32 gateway devices
in communication C4 21-22 can communicate
with the mobile device C10 line 8-9 mobile device
via a first communication network, C4 13 network

wherein the secure element is configured to: 
receive a first authentication token Fig 3 320 trust attributes
from the network gateway device, Fig 2 272 in view of  Fig 3 372

determine whether the first authentication token is valid  Fig 3 322 in view of  C15 6-51
based on a sequence number C15 6-51 version number of operating system
included in the first authentication token, Fig 3 320 trust attributes

and responsive to determining first authentication token is valid: C16 8 highly trusted
[[generate]] a second [[authentication]] token, 
wherein the second [[authentication]] token 
[[indicates a status of an authentication operation performed by ]]
the secure element, Fig 2 210 and 222

send the 2nd  [[authentication]] token to the network gateway device, Fig 3 324

and derive a pre-shared key 
C8 38 cryptographic keys 
in view of C7 14-16 cryptographic keys
using a key derivation function, 
C8 36-41 security policies may include rules that define which 
cryptographic keys to use
wherein the pre-shared key C8 38 cryptographic keys 
is usable to establish 
C8 36-41 security policies may include rules that define which 
cryptographic keys to use for encryption
					in view of C18 29 TLS or SSL
a secure communication channel  
C18 29 secure communications channel in view of Fig 3 330
with the network gateway device. 
Fig 2 272 in view of  C4 lines 31-32 gateway devices


	Kgil does not disclose
generate a second authentication token, wherein the second authentication token indicates a status of an authentication operation  performed by the secure element,  

send the 2nd  authentication token to the network gateway device,  




ISO teaches
generate page 5 (3) B generates and sends Token BA  
a second authentication token, Fig 3  Token BA
wherein the second authentication token Fig 3  Token BA
indicates a status of an authentication operation 
page 4 Section 5.2 mutual authentication means the two communicating entities are 
authenticated to each other by use of the mechanisms.
performed by the secure element,  Fig 3 B

send page 5 (3) B generates and sends Token BA to a
the second authentication token Fig 3  Token BA
to the network gateway device,  Fig 3 A


Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Kgil and ISO as elements known in the prior art combined to yield predictable results.  For example in Fig 3, Kgil discloses generating a secure communication channel by exchange of trust attributes and security policies based on the trust level established according to the trust attributes that determine keys used in the generation of the secure channel.  ISO teaches an alternate form of establishing trust on page 4 Section 5.2 as shown in Fig 3 via the exchange of cryptographic tokens.  Therefore, Kgil may incorporate the mutual authentication taught by ISO without departing from the main purpose of his invention for the purpose of establishing a secure channel as shown in Fig 3 to arrive at the claimed invention.



As to claim 2,   
Kgil discloses wherein the secure element is further configured to: 
compare C15 6-51 compared with a set of trustworthiness thresholds
the sequence number C15 6-51 version number of operating system
included in the first authentication token Fig 3 320 trust attributes
to a current value of a sequence counter 
C15 6-51 compared with a set of trustworthiness thresholds
 stored at the secure element;  C15 54-55 the information of Fig 4 can be stored in device 302

and determine, C15 57-58 the four thresholds A-D can be used to define levels of trustworthiness
based on the comparison, C15 6-51 compared with a set of trustworthiness thresholds
whether the sequence number C15 6-51 version number of operating system
is within a threshold difference Fig 4 400 thresholds A-D in view of  C15 52 -  C16 9
from the current value of the sequence counter
 C15 6-51 compared with a set of trustworthiness thresholds

 

As to claim 5,   
Kgil does not disclose wherein the network gateway device is configured to: 
generate the first authentication token to include an encrypted portion and a non- encrypted portion, wherein the encrypted portion of the first authentication token includes (i) an identity of the secure element, (ii) an identity of the network gateway device, (iii) a random number generated by the network gateway device to bind the first authentication token to the second authentication token, (iv) the sequence number, and (v) a secret value.
ISO teaches
wherein the network gateway device Fig 3 A
is configured to: 
generate Page 3 (1) A generates TokenAB
the first authentication token Fig 3 TokenAB
to include 
an encrypted portion 
Page 4   (Ta Na || B Text1) 
in view of TokenAB = Text2||eKAB (Ta Na || B Text1)
and a non- encrypted portion, 
Page 4    Text2 
in view of TokenAB = Text2||eKAB (Ta Na || B Text1)

wherein the encrypted portion Page 4    eKAB(Ta Na || B Text1)
of the first authentication token Page 4    TokenAB
includes 
(i) an identity of the secure element, Page 4 B
(ii) an identity of the network gateway device, Page 4    
 (iii) a random number Page 5  Ra    
generated by the network gateway device Page 5  (2) A generates Ra
to bind the first authentication token to the second authentication token, 
Page 5  TokenAB = f( Ra || Rb)Page 5  TokenBA = f( Rb || Ra)

(iv) the sequence number, Page 4    Na
and (v) a secret value.  Page 4    eKAB

*Note:  elements referencing Page 5 are from section 5.2.2 which is an embodiment of Three pass 
authentication whereas elements referencing Page 4 are from section 5.2.1 which is an embodiment of Mutual authentication.  It is the examiners position that one of ordinary skill in the art would find it obvious to incorporate various token generation portions of  Mutual authentication with other various token generation portions of Three pass authentication  to arrive at the claimed invention because ISO suggests that the various embodiments of authentication may be composed of parts of other embodiments.  see for example Page 4, section 5.2 NOTE e.g. Mutual authentication can be construed from two instances of the mechanism of 5.1.2.

 

Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Kgil and ISO as elements known in the prior art combined to yield predictable results.  For example in Fig 3, Kgil discloses generating a secure communication channel by exchange of trust attributes and security policies based on the trust level established according to the trust attributes that determine keys used in the generation of the secure channel.  ISO teaches an alternate form of establishing trust on page 4 Section 5.2 as shown in Fig 3 via the exchange of cryptographic tokens.  Therefore, Kgil may incorporate the mutual authentication taught by ISO without departing from the main purpose of his invention for the purpose of establishing a secure channel as shown in Fig 3 to arrive at the claimed invention.


As to claim 6,   
Kgil does not disclose  wherein the network gateway device is configured to:
generate the first authentication token to include a first text field and a second text field, the first text field included in the encrypted portion of the first authentication token, and the second text field included in the non-encrypted portion of the first authentication token.  

ISO teaches
wherein the network gateway device Fig 3 A
is configured to:
generate the first authentication token Fig 3 TokenAB
to include a first text field Page 4 Section 5.2.1 Text 1
and a second text field, Page 4 Section 5.2.1 Text 2

the first text field included in the encrypted portion of the first authentication token, 
Page 4 Section 5.2.1 TokenAB = Text2||eKAB (Ta Na || B Text1)
and the second text field included in the non-encrypted portion of the first authentication token.  
		Page 4 Section 5.2.1 TokenAB = Text2||eKAB (Ta Na || B Text1)

Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Kgil and ISO as elements known in the prior art combined to yield predictable results.  For example in Fig 3, Kgil discloses generating a secure communication channel by exchange of trust attributes and security policies based on the trust level established according to the trust attributes that determine keys used in the generation of the secure channel.  ISO teaches an alternate form of establishing trust on page 4 Section 5.2 as shown in Fig 3 via the exchange of cryptographic tokens.  Therefore, Kgil may incorporate the mutual authentication taught by ISO without departing from the main purpose of his invention for the purpose of establishing a secure channel as shown in Fig 3 to arrive at the claimed invention.

As to claim 7,   
Kgil does not disclose  wherein the first text field in the encrypted portion of the First authentication token 
includes (i) the identity of the network gateway device, (ii) the sequence number, and (iii) the secret value.

ISO teaches
wherein the first text field Page 4 Section 5.2.1 Text 1
in the encrypted portion Page 4 Section 5.2.1  eKAB(Ta Na || B Text1)
of the first authentication token Fig 3 TokenAB
includes Page 4 Section 5.2.1 TokenAB = Text2||eKAB (Ta Na || B Text1)
(i) the identity of the network gateway device, 
	Page 7 section 6.1 Four pass authentication:
 TokenAB = Text 6|| f (A, Text2, B, Text5)
(ii) the sequence number, Page 4 Section 5.2.1    Na
and (iii) the secret value. Page 4  Section 5.2.1    eKAB

*Note:  elements referencing Page 7 are from section 6.1 which is an embodiment of Four pass 
authentication whereas elements referencing Page 4 are from section 5.2.1 which is an embodiment of Mutual authentication.  It is the examiners position that one of ordinary skill in the art would find it obvious to incorporate various token generation portions of  Mutual authentication with other various token generation portions of Four pass authentication  to arrive at the claimed invention because ISO suggests that the various embodiments of authentication may be composed of parts of other embodiments.  see for example:
Page 4, section 5.2 NOTE e.g. Mutual authentication can be construed from two instances of the mechanism of 5.1.2

 Page 6, section 6 this is an adaptation of the mechanisms described in 5.2.1 and 5.2.2
Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Kgil and ISO as elements known in the prior art combined to yield predictable results.  For example in Fig 3, Kgil discloses generating a secure communication channel by exchange of trust attributes and security policies based on the trust level established according to the trust attributes that determine keys used in the generation of the secure channel.  ISO teaches an alternate form of establishing trust on page 4 Section 5.2 as shown in Fig 3 via the exchange of cryptographic tokens.  Therefore, Kgil may incorporate the mutual authentication taught by ISO without departing from the main purpose of his invention for the purpose of establishing a secure channel as shown in Fig 3 to arrive at the claimed invention.

As to claim 8,   
Kgil does not disclose  an authentication server in communication with the network gateway device via a second communication network, the authentication server configured to: generate the first authentication token; and send the first authentication token to the network gateway device.

ISO teaches
an authentication server Fig 5 TP
in communication with the network gateway device Fig 5 (1) and (2)
via a second communication network, Fig 5 (1) and (2)  vs Fig 5 (4) and (6)  

the authentication server Fig 5 TP 
configured to: 
generate the first authentication token; Page 6 TokenTA includes TokenAB
and send the first authentication token to the network gateway device.
Fig 5 (2)  


*Note:  elements referencing Page 7 are from section 6.1 which is an embodiment of Four pass 
authentication whereas elements referencing Page 4 are from section 5.2.1 which is an embodiment of Mutual authentication.  It is the examiners position that one of ordinary skill in the art would find it obvious to incorporate various token generation portions of  Mutual authentication with other various token generation portions of Four pass authentication  to arrive at the claimed invention because ISO suggests that the various embodiments of authentication may be composed of parts of other embodiments.  see for example:
Page 4, section 5.2 NOTE e.g. Mutual authentication can be construed from two instances of the mechanism of 5.1.2

 Page 6, section 6 this is an adaptation of the mechanisms described in 5.2.1 and 5.2.2

Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Kgil and ISO as elements known in the prior art combined to yield predictable results.  For example in Fig 3, Kgil discloses generating a secure communication channel by exchange of trust attributes and security policies based on the trust level established according to the trust attributes that determine keys used in the generation of the secure channel.  ISO teaches an alternate form of establishing trust on page 4 Section 5.2 as shown in Fig 3 via the exchange of cryptographic tokens.  Therefore, Kgil may incorporate the mutual authentication taught by ISO without departing from the main purpose of his invention for the purpose of establishing a secure channel as shown in Fig 3 to arrive at the claimed invention.


Claim 9 is rejected on the basis previously presented in the rejection of claim 1.
Claim 10 is rejected on the basis previously presented in the rejection of claim 2.
Claim 13 is rejected on the basis previously presented in the rejection of claim 5.
Claim 14 is rejected on the basis previously presented in the rejection of claim 5.
Claim 15 is rejected on the basis previously presented in the rejection of claim 6.
Claim 16 is rejected on the basis previously presented in the rejection of claim 7.
Claim 18 is rejected on the basis previously presented in the rejection of claim 1.
Claim 19 is rejected on the basis previously presented in the rejection of claim 2.
Claims  3, 11, 17, and 20 are rejected under pre-AIA  35 U.S.C. 103  as being unpatentable over Kgil in view of  ISO  in further view of  Patel et al ( US 2009/0061820 hereinafter Patel).
As to claim 3, Kgil in view of  ISO  teach all the subject matter pointed out in the above 103 rejection of parent claim 1.
As to claim 3,   
Kgil discloses   
determining, based on the sequence number, that the first authentication token is invalid: 
C15 65 high risk device

Kgil does not disclose
responsive to determining, based on the sequence number, that the first authentication token is invalid: generate a new sequence number, 
and25PATEN"T 2167020019W0 send a second authentication token to the network gateway device, the second authentication token including the new sequence number.
ISO teaches
[[responsive to determining, based on the sequence number, that the first authentication token is invalid: ]]
generate a new sequence number, page 4 section 5.2.1 generating sequence numbers
and25PATEN"T 2167020019W0 send a second authentication token Fig 3  Token BA
to the network gateway device, Fig 3 A
the second authentication token Fig 3  Token BA
including the new sequence number. page 4 section 5.2.1  Nb

Neither Kgil nor ISO teach
responsive to determining, based on the sequence number, that the first authentication token is invalid: 
generate a new sequence number, 
and25PATEN"T 2167020019W0 send a second authentication token to the network gateway device, the second authentication token including the new sequence number.

	Patel teaches
responsive to determining, based on the sequence number, that the first authentication token is invalid: see Fig 6B upper left decision box No path
generate a new sequence number, Fig 6B top right calculation step
and25PATEN"T 2167020019W0 send a second authentication token to the network gateway device, the second authentication token including the new sequence number. 
Fig 6B bottom right transmission step

Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Kgil and ISO with those of Patel as elements known in the prior art combined to yield predictable results.  For example on page 1: section 1 titled  'Scope', Kgil discloses that time variant parameters such as sequence numbers prevent valid authentication from being accepted at a later time or used more than once.  However, ISO provided by applicant is silent on steps responsive to invalid sequence numbers.  
Section 5.1.1 on page 3 of ISO refers to ISO/IEC 9798-1 annex B for security mechanisms associated with sequence numbers.  Applicant should provide ISO/IEC 9798-1 in the next action.
Patel cures Kgil' s deficiency by calculation of new sequence number and transmitting the new number with a cryptographic  MAC to insure security to thereby  arrive at the claimed invention. 
Claim 11 is rejected on the basis previously presented in the rejection of claim 3.
Claim 17 is rejected on the basis previously presented in the rejection of claim 3 
in view of  Fig 3  Token BA = f ( e(Na) )
Claim 20 is rejected on the basis previously presented in the rejection of claim 3.
Claims  4, 12, and 21 are rejected under pre-AIA  35 U.S.C. 103  as being unpatentable over Kgil in view of  ISO  in further view of  LEHTOVIRTA et al ( US 2017/0195877 hereinafter Leht).

As to claim 4, Kgil in view of  ISO  teach all the subject matter pointed out in the above 103 rejection of parent claim 1.


As to claim 4,   
Kgil discloses wherein the secure element is further configured to: 
derive the pre-shared key C8 38 cryptographic keys 
[[based on ]]
a secret value 
[[included in ]]
the first authentication token, Fig 3 320 trust attributes
[[an identity of the secure element, 
and an identity of the network gateway device. ]]

	ISO teaches
an identity of the secure element,   Fig 3 B
and an identity of the network gateway device Fig 3 A

Neither Kgil nor ISO teaches
derive the pre-shared key based on a secret value included in the first authentication token, 
an identity of the secure element, and an identity of the network gateway device. 
	
Leht teaches
[0152] retrieving a session shared key based on [0152] identity of the UE and [0151] the device indicates its own identity and a [0151] B-TID shared secret

therefore  Kgil combined with ISO and Leht teach
derive the pre-shared key based on a secret value included in the first authentication token, 
an identity of the secure element, and an identity of the network gateway device. 

because
Kgil teaches cryptographic keys but is silent on how they are derived.  ISO teaches transmitting secret keys and identities within tokens.  And Leht teaches that a shared session key may be determined using the identifies of the device and UI and a common shared secret.

as such
Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Kgil and ISO and Leht as elements known in the prior art combined to yield predictable results.  For example Kgil teaches cryptographic keys but is silent on how they are derived.  ISO teaches transmitting secret keys and identities within tokens.  And Leht teaches that a shared session key may be determined using the identifies of the device and UI and a common shared secret.  The these teachings (1) use of a shared key to secure a network (2) transference of key generation material within a token and (3) the use of respective identities and a shared secret to generate a shared key may be combined to arrive at and yield the claimed subject matter.


Claim 12 is rejected on the basis previously presented in the rejection of claim 4.
Claim 21 is rejected on the basis previously presented in the rejection of claim 4.


		
		

Conclusion

	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RICHARD A MCCOY whose telephone number is (313)446-6520.  The examiner can normally be reached on M - F 10 - 6.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571 272 2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/RICHARD A MCCOY/Examiner, Art Unit 2431