DETAILED ACTION
This action is in response to the initial claims filed 3/26/2019.  Claims 1-20 are pending.  Independent claims 1, 9 and 16, and corresponding dependent claims are directed towards a method, non-transitory computer-readable medium and apparatus for encryption techniques for cookie security.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Specification
The disclosure is objected to because of the following informalities: [0033] l.9 “second key” should be “first key”.  Appropriate correction is required.
Claim Objections
Claim 5 is objected to because of the following informalities, shown with suggested amendments:  Claim 5 l. 2 “a unique device identifier and associating [[it]] the unique device identifier”.  Appropriate correction is required.
Claim Rejections - 35 USC § 101
35 U.S.C. § 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 16-20 are rejected under 35 U.S.C. § 101 because the claimed invention is directed to non-statutory subject matter.
As to claim 16, the claimed invention is drawn to an “apparatus” comprising “one or more processors”, which can be broadly interpreted as various types of software (software modules, virtualized hardware, data, programming code, etc.).  Thus, it is not clear whether the claimed elements of the “apparatus” are tangibly-embodied structural 
Claims 17-20 further fail to recite any positive structural limitations to overcome the 35 U.S.C. §101 issues of claim 16 discussed above, and are also rejected.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 4-5, 7-10, 12-16 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Mary et al. (US 2015/0373015 A1), published Dec. 24, 2015, in view of Lin et al. (US 2020/0092090 A1), published Mar. 19, 2020.
As to claim 1, Mary substantially discloses a method (Mary [Abstract]), comprising:	receiving, by a server computing system (Mary [0035] security module and protected resource on same server), a request from a user device (Mary [0032] request from client to protected resource; [0062] request made after token has been setup), wherein the request includes encrypted cookie data (Mary [0033] token stored in cookie that travels with each client request; [0099] token encrypted within cookie; [0094] transport layer security (TLS) protocol – uses symmetrical key for session with server to encrypt all traffic between client and server) and device identification information that is encrypted (Mary [0050] request triggers device validation in which device information is retrieved from client; [0094] TLS protocol all information passed between client/server is encrypted then decrypted);	decrypting, by the server system, the cookie data using a server encryption key used to encrypt the cookie data (Mary [0034] use token to lookup session information; [0094] TLS protocol establishes symmetrical encryption/decryption that uses the same key – accessing encrypted token requires decryption);	retrieving, by the server system, previously-stored device identification information for the user device based on the decrypted cookie data (Mary [0034] information in token in cookie used to retrieve session information from policy server that includes device information);	decrypting, by the server system, the device identification information from the request (Mary [0050] request triggers device validation in which device information is retrieved from client; [0094] TLS protocol - all information passed between client/server is encrypted then decrypted) and comparing the decryption result with the previously-stored device identification information (Mary [0054] comparison is made between device information retrieved from client and device information stored in policy store); and	determining, 
by the server system based on the comparison, whether to use the cookie data for the request (Mary [0054] permit access to resource if token is still valid).	Mary fails to explicitly disclose encrypting the device identification information encrypt device fingerprint with public key from root server which decrypts the fingerprint with the private key of the root server).  It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to combine the asymmetric key pair of Lin with the encryption of the device information of Mary, such that the encryption of the device information is asymmetric, as it would advantageously allow for greater security of the current device information given that, due to longer key length, asymmetric encryption is more secure than symmetric encryption.
As to claim 2, Mary and Lin disclose the invention as claimed as described in claim 1, including further comprising:	in response to receiving a previous request that includes device identification information from the user device, the server computing system generating cookie data for the user device (Mary [0058]-[0061] generation of authorization token having device information during initial authentication includes retrieval of device information from client; [0023] HTTP cookie issued to client with authorization token);	generating, by the server system, the key pair for the device, wherein the key TLS protocol has key pair for server; Lin [0019] root server has key pair of private and public keys);	receiving device identification information from the user device and associating the received information with the cookie data (Mary [0058]-[0061] generation of authorization token having device information during initial authentication includes retrieval of device information from client; [0023] HTTP cookie issued to client with authorization token);	storing the device identification information and the second key (Mary [0061] device information is stored also in a policy store on server; Mary [0094] TLS protocol has key pair for server requiring retention of private key at server; Lin [0019] root server has private key);	encrypting the cookie data using a server encryption key (Mary [0099] authentication token is encrypted in cookie; [0094] TLS protocol - all information passed between client/server is encrypted then decrypted); and	transmitting the encrypted cookie data (Mary [0023] issue cookie to user) and the first key to the user device (Lin [0019] public key retrieved from server by user computer).
As to claim 4, Mary and Lin disclose the invention as claimed as described in claim 1, including further comprising:	verifying that the device identification information received for the request was encrypted using the first key based on a format of the decrypted device identification information (Lin [0019] only decryption of public key encrypted device information using the correct private key will result in access to the device information).
As to claim 5, Mary and Lin disclose the invention as claimed as described in claim 1, including further comprising:	generating, by the server system, a unique device identifier and associating the unique device identifier with the device identification information (Mary [0094] server calculates device ID’s via private secure store; [0086]-[0087] associate sessions (with device information) with unique device ID);	encrypting the unique device identifier using the server encryption key (Mary [0023] HTTP cookie issued to client with authorization token; [0049] token is device-bound authorization token; [0088] device binder property includes device ID; [0094] TLS protocol - all information passed between client/server is encrypted then decrypted);	transmitting, to the user device from the server system, the encrypted unique device identifier (Mary [0023] HTTP cookie issued to client with authorization token; [0049] token is device-bound authorization token; [0088] device binder property includes device ID; [0094] TLS protocol - all information passed between client/server is encrypted then decrypted – Device IDs being sent encrypted);	receiving, by the server system from the user device, the encrypted unique device identifier with the request from the user device (Mary [0033] token stored in cookie that travels with each client request; [0049] token is device-bound authorization token; [0088] device binder property includes device ID; [0094] TLS protocol - all information passed between client/server is encrypted then decrypted); and	decrypting, by the server system, the unique device identifier (Mary [0094] TLS protocol - all information passed between client/server is encrypted then decrypted) and retrieving the previously-stored device identification information based on the decrypted unique device identifier (Mary [0034] information from token used to lookup session information (including device information) for the session; [0049] token is device-bound 
authorization token; [0088] device binder property includes device ID).
As to claim 7, Mary and Lin disclose the invention as claimed as described in claim 1, including wherein the first key of the key pair is a public key and the second key is a private key (Lin [0019] encrypt device fingerprint with public key from root server which decrypts the fingerprint with the private key of the root server).
As to claim 8, Mary and Lin disclose the invention as claimed as described in claim 1, including wherein the device identification information for the user device is a machine fingerprint that includes information specifying:	one or more characteristics of hardware included in the device (Lin [0077] MAC address); and	one or more characteristics of software installed on the device (Mary [0037]-[0038] browser context).
As to claim 9, Mary substantially discloses a non-transitory computer-readable medium having instructions stored thereon (Mary [0015]) that are executable by a user device (Mary [0017]) to perform operations comprising:	generating current device identification information and encrypting the current request triggers device validation in which device information is retrieved from client; [0094] TLS protocol all information passed between client/server is encrypted then decrypted);	sending, to the server computing system (Mary [0035] security module and protected resource on same server), a request (Mary [0032] request from client to protected resource; [0062] request made after token has been setup) that includes cookie data encrypted using a server encryption key (Mary [0033] token stored in cookie that travels with each client request; [0099] token encrypted within cookie; [0094] transport layer security (TLS) protocol – uses symmetrical key for session with server to encrypt all traffic between client and server) and the encrypted current device identification information (Mary [0050] request triggers device validation in which device information is retrieved from client; [0094] TLS protocol all information passed between client/server is encrypted then decrypted); and	receiving, from the server system, a response to the request (Mary [0054] permit access to resource if token is still valid) based on the server system performing a verification process on the encrypted cookie data and the encrypted current device identification information (Mary [0054] comparison is made between device information retrieved from client and device information stored in policy store).	Mary fails to explicitly disclose retrieving a stored first key of a key pair generated by a server computing system and encrypting the current device identification information using the retrieved first key.	
Lin discloses retrieving a stored first key of a key pair generated by a server computing system and encrypting the current device identification information using the encrypt device fingerprint with public key from root server which decrypts the fingerprint with the private key of the root server).  It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to combine the asymmetric key pair of Lin with the encryption of the device information of Mary, such that the encryption of the device information is asymmetric, as it would advantageously allow for greater security of the current device information given that, due to longer key length, asymmetric encryption is more secure than symmetric encryption.
As to claim 10, Mary and Lin disclose the invention as claimed as described in claim 9, including wherein the verification process includes the server system:	decrypting the encrypted cookie data using the server encryption key (Mary [0034] use token to lookup session information; [0094] TLS protocol establishes symmetrical encryption/decryption that uses the same key – accessing encrypted token requires decryption);	retrieving previously-stored device identification information based on the decrypted cookie data (Mary [0034] information in token in cookie used to retrieve session information from policy server that includes device information);	decrypting the current device identification information sent with the request (Mary [0050] request triggers device validation in which device information is retrieved from client; [0094] TLS protocol - all information passed between client/server is encrypted then decrypted) using a second key of the key pair (Lin [0019] encrypt device fingerprint with public key from root server which decrypts the fingerprint with the private key of the root server) and comparing the decryption result with the previously-stored device identification information (Mary [0054] comparison is made between device information retrieved from client and device information stored in policy store); and	determining, based on the comparing, whether to use the cookie data for the request (Mary [0054] permit access to resource if token is still valid).
As to claim 12, Mary and Lin disclose the invention as claimed as described in claim 10, including wherein the first key is a public key of a public-private key pair (Lin [0019] encrypt device fingerprint with public key from root server which decrypts the fingerprint with the private key of the root server).
As to claim 13, Mary and Lin disclose the invention as claimed as described in claim 9, including wherein the operations further comprise:	prior to sending the request that includes cookie data, sending, by the user device to the server system, a previous request that includes device identification information generated by the user device (Mary [0058]-[0061] generation of authorization token having device information during initial authentication includes retrieval of device information from client; [0023] HTTP cookie issued to client with authorization token);	receiving, by the user device from the server system, the first key of the key pair (Lin [0019] public key retrieved from server by user computer) and the cookie data encrypted using the server encryption key (Mary [0023] issue cookie to user; [0094] TLS protocol - all information passed between client/server is encrypted then decrypted); token stored in cookie that travels with each client request – requires storing of cookie by client) and the first key (Lin [0019] use of public key retrieved from server by user computer – requires storage of public key).
As to claim 14, Mary and Lin disclose the invention as claimed as described in claim 9, including wherein the operations further comprise:	receiving, by the user device from the server system, an encrypted unique device identifier (Mary [0023] HTTP cookie issued to client with authorization token; [0049] token is device-bound authorization token; [0088] device binder property includes device ID; [0094] TLS protocol - all information passed between client/server is encrypted then decrypted – Device IDs being sent encrypted); and	sending to the server system, in conjunction with the request, the encrypted unique device identifier (Mary [0033] token stored in cookie that travels with each client request; [0049] token is device-bound authorization token; [0088] device binder property includes device ID; [0094] TLS protocol - all information passed between client/server is encrypted then decrypted).
As to claim 15, Mary and Lin disclose the invention as claimed as described in claim 9, including the device identification information for the user device is a machine fingerprint that includes information specifying:	one or more characteristics of hardware included in the device (Lin [0077] MAC address); and	one or more characteristics of software installed on the device (Mary [0037]-[0038] browser context).
As to claim 16, Mary substantially discloses an apparatus (Mary Fig. 1 item 60a Client), comprising:	one or more processors (Mary [0018] processor) configured to:		generate current device identification information and encrypting the device identification information (Mary [0050] request triggers device validation in which device information is retrieved from client; [0094] TLS protocol all information passed between client/server is encrypted then decrypted);		send, to the server computing system (Mary [0035] security module and protected resource on same server), a request (Mary [0032] request from client to protected resource; [0062] request made after token has been setup) that includes cookie data encrypted using a server encryption key (Mary [0033] token stored in cookie that travels with each client request; [0099] token encrypted within cookie; [0094] transport layer security (TLS) protocol – uses symmetrical key for session with server to encrypt all traffic between client and server) and the encrypted device identification information (Mary [0050] request triggers device validation in which device information is retrieved from client; [0094] TLS protocol all information passed between client/server is encrypted then decrypted); and		receive, from the server system, a response to the request (Mary [0054] permit access to resource if token is still valid) based on the server system performing a comparison is made between device information retrieved from client and device information stored in policy store).	Mary fails to explicitly disclose retrieving a stored first key of a key pair generated by a server computing system and encrypting the device identification information using the retrieved first key.	
Lin discloses retrieving a stored first key of a key pair generated by a server computing system and encrypting the device identification information using the retrieved first key (Lin [0019] encrypt device fingerprint with public key from root server which decrypts the fingerprint with the private key of the root server).  It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to combine the asymmetric key pair of Lin with the encryption of the device information of Mary, such that the encryption of the device information is asymmetric, as it would advantageously allow for greater security of the current device information given that, due to longer key length, asymmetric encryption is more secure than symmetric encryption.
As to claim 18, Mary and Lin disclose the invention as claimed as described in claim 16, including wherein the apparatus is further configured to:	send, to the server system prior to sending the request that includes cookie data, a previous request that includes device identification information (Mary [0058]-[0061] generation of authorization token having device information during initial authentication includes retrieval of device information from client; [0023] HTTP cookie issued to client with authorization token);	receive the first key of the key pair (Lin [0019] public key retrieved from server by user computer) and the cookie data encrypted using the server encryption key (Mary [0023] issue cookie to user; [0094] TLS protocol - all information passed between client/server is encrypted then decrypted); and	store the encrypted cookie data (Mary [0033] token stored in cookie that travels with each client request – requires storing of cookie by client) and the first key (Lin [0019] use of public key retrieved from server by user computer – requires storage of public key).
As to claim 19, Mary and Lin disclose the invention as claimed as described in claim 16, including wherein the apparatus is further configured to:	receive, from the server system, an encrypted unique device identifier (Mary [0023] HTTP cookie issued to client with authorization token; [0049] token is device-bound authorization token; [0088] device binder property includes device ID; [0094] TLS protocol - all information passed between client/server is encrypted then decrypted – Device IDs being sent encrypted); and	send to the server system, in conjunction with the request, the encrypted unique device identifier (Mary [0033] token stored in cookie that travels with each client request; [0049] token is device-bound authorization token; [0088] device binder property includes device ID; [0094] TLS protocol - all information passed between client/server is encrypted then decrypted).
As to claim 20, Mary and Lin disclose the invention as claimed as described in claim 16, including wherein the device identification information is a machine fingerprint that includes information specifying:	one or more characteristics of hardware included in the device (Lin [0077] MAC address); and	one or more characteristics of software installed on the device (Mary [0037]-[0038] browser context).
Claims 3, 11 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Mary et al. (US 2015/0373015 A1), published Dec. 24, 2015, in view of Lin et al. (US 2020/0092090 A1), published Mar. 19, 2020, in view of Collins et al. (US 2016/0036894 A1), published Feb. 4, 2016.
As to claim 3, Mary and Lin substantially disclose the invention as claimed as described in claim 1, including wherein the determining whether to use the cookie data is based on:	decrypting a the device information and verifying that the device information was encrypted using the first key of the key pair based on a format of the decrypted device information (Lin [0019] only decryption of public key encrypted device information using the correct private key will result in access to the device information).	Mary and Lin fail to explicitly disclose wherein the device information includes a timestamp.	Collins describes server based communications between sandboxed device fingerprint can include a timestamp).  It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to combine the timestamp of Collins with the device information/fingerprint of Mary and Lin, such that the device information includes a timestamp, as it would advantageously prevent the use of stale device information in a replay attack.
As to claim 11, Mary and Lin substantially disclose the invention as claimed as described in claim 10, including further comprising:	encrypting the device information and transmitting, to the server system, the encrypted the device information in conjunction with the encrypted cookie data (see above rejection of claims 9 and 10).	Mary and Lin fail to explicitly disclose wherein the device information includes a timestamp.	Collins discloses wherein the device information includes a timestamp (Collins [0045] device fingerprint can include a timestamp).  It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to combine the timestamp of Collins with the device information/fingerprint of Mary and Lin, such that the device information includes a timestamp, as it would advantageously prevent the use of stale device information in a 
As to claim 17, Mary and Lin substantially disclose the invention as claimed as described in claim 16, including wherein the apparatus is further configured to:	encrypt the device information and transmit, to the server system, the encrypted device information in conjunction with the encrypted cookie data (see above rejection of claim 16).	Mary and Lin fail to explicitly disclose wherein the device information includes a timestamp.	Collins discloses wherein the device information includes a timestamp (Collins [0045] device fingerprint can include a timestamp).  It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to combine the timestamp of Collins with the device information/fingerprint of Mary and Lin, such that the device information includes a timestamp, as it would advantageously prevent the use of stale device information in a replay attack.
Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Mary et al. (US 2015/0373015 A1), published Dec. 24, 2015, in view of Lin et al. (US 2020/0092090 A1), published Mar. 19, 2020, in view of Gurevich et al. (US 9,165,124 B1), issued Oct. 20, 2015.
As to claim 6, Mary and Lin substantially disclose the invention as claimed as described in claim 1, including wherein the comparing the decryption result with the previously-stored device identification information further includes:	wherein the determining whether to use the cookie for the request is based on a similarity (Mary [0054] same and/or similar properties are accessed in device information retrieval process – indicating the properties are not required to be exact).	Mary and Lin fail to explicitly disclose generating a similarity value, and determining whether the similarity value meets a threshold value.	Gurevich describes a method for identifying a returning web client.	With this in mind, Gurevich discloses generating a similarity value, and determining whether the similarity value meets a threshold value (Gurevich col. 3 ll. 4-21 device fingerprints are matched within a desired degree of similarity).  It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to combine the device fingerprint similarity comparison of Gurevich with the device information comparison of Mary and Lin, such that the device fingerprints do not have to be an exact match, as it would advantageously allow for small shift in configuration of a client that can occur over time.
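An added illustration, not part of this Office action, the application, or any cited reference: the server-side decision discussed in the rejections of claims 3, 4 and 6 (format check on the decrypted device information, timestamp freshness, similarity threshold), applied to the device information after it has been decrypted. The attribute names, the 300-second window, the 30-second skew and the 0.8 threshold are assumptions, and the sample values are constructed.

```python
import json

# Constructed attribute names, window and threshold; none come from the cited references.
ATTRS = ("mac", "platform", "user_agent", "screen", "timezone")
MAX_AGE_S = 300    # assumed: how old a fingerprint timestamp may be
MAX_SKEW_S = 30    # assumed: tolerated client clock lead
THRESHOLD = 0.8    # assumed: minimum fraction of matching attributes


def parse_fingerprint(plaintext):
    """Format check on the decrypted blob; returns (ts, attrs) or None.

    Decrypting with the wrong key yields bytes that fail this check.
    """
    try:
        doc = json.loads(plaintext.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(doc, dict):
        return None
    ts, attrs = doc.get("ts"), doc.get("attrs")
    if isinstance(ts, bool) or not isinstance(ts, (int, float)):
        return None
    if not isinstance(attrs, dict):
        return None
    if not all(isinstance(attrs.get(k), str) for k in ATTRS):
        return None
    return ts, {k: attrs[k] for k in ATTRS}


def similarity(current, stored):
    """Fraction of attributes that are identical in both fingerprints."""
    return sum(current[k] == stored[k] for k in ATTRS) / len(ATTRS)


def decide(plaintext, stored, now):
    """Return (use_cookie, reason) for one request."""
    parsed = parse_fingerprint(plaintext)
    if parsed is None:
        return False, "bad-format"
    ts, current = parsed
    age = now - ts
    # Written as a range test so that a NaN timestamp is rejected too.
    if not (-MAX_SKEW_S <= age <= MAX_AGE_S):
        return False, "stale-timestamp"
    if similarity(current, stored) < THRESHOLD:
        return False, "fingerprint-mismatch"
    return True, "ok"


def encode(ts, attrs):
    """Build the plaintext a client would have encrypted (constructed sample)."""
    return json.dumps({"ts": ts, "attrs": attrs}).encode("utf-8")


# Constructed sample data.
NOW = 1_700_000_000
STORED = {
    "mac": "02:00:00:00:00:01",
    "platform": "ExampleOS 11",
    "user_agent": "ExampleBrowser/101",
    "screen": "1920x1080",
    "timezone": "UTC+1",
}

if __name__ == "__main__":
    updated = dict(STORED, user_agent="ExampleBrowser/102")   # browser update only
    print(decide(encode(NOW - 5, updated), STORED, NOW))      # accepted at 4/5 match
    print(decide(encode(NOW - 3600, STORED), STORED, NOW))    # old capture replayed
    print(decide(b"\x8f\x02\xfe garbage", STORED, NOW))       # wrong-key decryption
```

The freshness window only bounds how long a captured value stays usable; a replay inside the window still passes this check.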
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Richards et al. (US 8,959,650 B1) is related to association of device fingerprint and cookies.
Hayat (US 2014/0026196 A1) is related to device fingerprinting.
Modalavalasa et al. (US 10,708,281 B1) is related to fingerprint cookie validation with a unique ID.
Gutzmann (US 9,705,895 B1) is related to client validation using cookies and fingerprints.
Johannsen (US 2014/0025791 A1) is related to incremental device fingerprinting.
Shaikh (US 2015/0006384 A1) is related to associating a session with a device fingerprint.
Horadan et al. (US 2011/0288940 A1) is related to correlation of multiple cookies originating from the same device.
Yi et al. (US 2020/0213855 A1) is related to transmitting a device fingerprint encrypted.
Guo et al. (US 2017/0289139 A1) is related to device verification.
Viola (US 2019/0012664 A1) is related to device fingerprinting.
Mortensen et al. (US 9,430,624 B1) is related to efficient logon that includes device fingerprinting.
Lord et al. (US 11,184,766 B1) is related to binding user identity to device fingerprint.
Yarvis et al. (US 2012/0011538 A1) is related to encryption of a timestamp using a public key.
Sethuraman et al. (US 2019/0281132 A1) is related to encryption of a timestamp.
Saavedra et al. (US 2019/0273609 A1) is related to encryption of a timestamp with a public key.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ERIC W SHEPPERD whose telephone number is (571)270-5654.  The examiner can normally be reached on Monday - Thursday, Alt. Friday, 7:30AM - 5:00PM, EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571)272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Eric W Shepperd/Primary Examiner, Art Unit 2492