DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

1.  This Final Office Action is in response to amendment filed on 01/02/2022.
	Claims 1, 6-8, 13-15 and 19-20 have been amended. Claims 1-20 remain pending in the application. 

Response to Amendment

The amendment filed 01/02/2022 has been entered. Claims 1, 6-8, 13-15 and 19-20 have been amended. Claims 1-20 remain pending in the application. 

Applicant amendment to the claims have overcome the objections previously set forth in the Non-Final Office Action mailed on 11/09/2021. The objection has been withdrawn in view of the amended Claims.

Applicant amendment to the claims have overcome the 35 USC § 112 rejection previously set forth in the Non-Final Office Action mailed on 11/09/2021. The rejection has been withdrawn in view of the amended Claims.
Response to Arguments

Regarding Applicant’s arguments, on page 10-12 of the remark filed on 01/02/2022, on the newly added limitations of claims 1, 8 and 15: “decrypting the first message by hashing a plurality of timestamps that are within the range of the current time with the session identifier and using a hash from the hashing of the plurality of timestamps that matches a hash of the token to decrypt the first message;” , arguments are persuasive.
Therefore, the 35 U.S.C. 103 rejection Teng et al. (U.S Pub. No. 20200034521) in further view of Meembat et al. (U.S No. 9525897), has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made under 35 U.S.C. § 103 in view of the following prior art: Agarwal et. al. (U.S Pub. No. 20190289017), in conjunction with Teng et al. (U.S Pub. No. 20200034521) and Meembat et al. (U.S No. 9525897),). Please refer to the 35 U.S.C. 103 section below for a detailed explanation.
	For the reasons stated above and the new ground(s) of rejection under 35 U.S.C. 103 below, Examiner respectfully disagrees with Applicant’s argument, see Applicant’s Remarks Pages 10-12, regarding allowance of the application. Examiner asserts that claims 1-20 are rejected for the reasons stated above in conjunction with the new ground(s) of rejection under 35 U.S.C. 103 below.
	Conclusion: Teng-Meembat-Agarwal teach the aforementioned limitations of independent claims 1, 8, and 15 rendering the claim limitations obvious before the effective date of the claimed invention.


Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.



Claims 6, 13 and 19 is/are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as failing to set forth the subject matter which the inventor or a joint inventor, (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant) regards as the invention. 

In regards to Claims 6, 13 and 19, the applicant recites the limitation “an insertable content item”, this is unclear because an insertable content item was already previously recited in the independent claims. This creates confusion as to which insertable content item the applicant is referring to. If it is the same insertable content item recited earlier in the claims or a new embodiment of an insertable content item. The specification states on Par. (0024) “These insertable content items may be regular insertable content items for which a user cannot respond to with an action, or may be actionable insertable content items for which a user can respond to with an action. The content system 150 may store these insertable content items in separate databases, such as the insertable content database (DB) 152 and the actionable content DB 154. Each insertable content item may be stored with various metadata, such as its publisher, duration, and various characteristics that may be used to match the insertable content item to particular users,” Therefore it will be broadly and reasonable interpreted that an insertable content item is referring to the same insertable content item recited in the independent claims. Examiner suggest amending the claim by using the phrase “the” in front of insertable content item to recite consistent claim language and to eliminate confusion.



Claim Rejections - 35 USC § 103


In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



Claims 1-3, 8-10, and 15-16, is/are rejected under 35 U.S.C. 103 as being unpatentable over Teng et al. (U.S Pub. No. 20200034521, hereinafter referred to as “Teng”) and Meembat et al. (U.S No. 9525897, hereinafter referred to as “Meembat”) in further view of Agarwal et al. (U.S Pub. No. 20190289017, hereinafter referred to as “Agarwal”)

	Regarding Independent Claim 1 (Currently Amended), Teng teaches a computer-implemented method comprising: 
receiving a session identifier from a streaming system, the session identifier identifying a user session with the streaming system; (Par. (0010) “the authentication server receives a request from the client to initiate a session for a user, the server creates the session and sends a token containing session-identifying information (“session ID”) back to the client along with a request for authentication. The client then broadcasts an audio transmission containing the token to the mobile device over an audio channel using a data-over-sound transmission. That is, the client plays the audio message encoded with the token via a multimedia speaker.”; receives a session identifier (sends [..] session ID) from a streaming system (audio channel/ audio transmission) identifying a user session (session for a user)), (Par. (0020) “In various embodiments, such an audio watermark algorithm can be used to embed the message repeatedly into the audio transmission from the client 101 to the mobile device 102. To do this, the watermark algorithm can be instructed to embed the message in the streaming system (audio stream)), (Par.  (0015) “the server 103 also sends a session token containing a session identifier (session ID) so that responses to the request can be associated with the corresponding session based on the token.”; receiving a session identifier (sends a session token containing session identifier))
receiving a first message from the streaming system, the first message based on a token that is generated based on a combination of the session identifier………… (Par. (0016) “the server 103 can encrypt the contents of the request of authentication message that is sent to the client 101 (e.g., using the server's 103 private key)”), (Par. (0015) “the server 103 also sends a session token containing a session identifier (session ID) so that responses to the request can be associated with the corresponding session based on the token. For security reasons, the server 103 can also include an expiration time period in the token (e.g. 10 minutes) such that authentication attempts into the session after expiration of the set time period are rejected. The server 103 also sends [..] when messages are transmitted back to the server 103.”; first message based on a token that is generated based on a combination of the session identifier (message corresponding to session identifier with expiration time period))
the timestamp being a point of time within a range of a current time; (Par. (0015) “the corresponding session based on the token. For security reasons, the server 103 can also include an expiration time period in the token (e.g. 10 minutes)”; timestamp (time period) within a range of a current time (10 min.)), (Par. (0030) “the token is valid, e.g., that the timeframe provided in the token is not past its expiration, and the server the timestamp being a point of time ( expiry/expiration time of token within timeframe))
determining an identifier ….. ….. based on the decrypted message; and (Par. (0030) “also decrypts the session token and verifies that the token is valid, e.g., that the timeframe provided in the token is not past its expiration, and the server 103 identifies the corresponding session that was created for the user based on the session ID in the token. If everything is verified successfully, then the server 103 authenticates the user, permits the login into the session”; based on the decrypted message (after decrypting session token that was in message) determining an identifier (identifies the corresponding session [..] based on session ID))
transmitting a second message to an enabling system, the second message including instructions for execution by the enabling system to execute one or more operations ….. (Par. (0029-0030) “This request is sent from the mobile device 102 to the server 103 over a secure connection such as SSL. [..]  The server 103 receives the mobile device's 102 request message over the secure channel and reads it. From the message, the server 103 obtains the user's login credentials and verifies them. The server also obtains the mobile device 102 ID from the request message and verifies that the mobile device 102 is an approved mobile device for purposes of authentication  [..] then the server 103 authenticates the user, permits the login into the session, and notifies the client 101 accordingly”; transmitting a second message (mobile device sends request message) to an enabling system (server) including instruction for execution (verifies mobile device is an approved mobile device for purposes of authentication) by enabling system to execute one or more operations (permits the login)), (Par. (0044) “for executing instructions that can be stored in a storage medium component. The storage medium can include many types of memory, persistent data storage, or non-transitory computer-readable storage media. For example, the storage medium may take the form of random access memory (RAM) 401 storing program instructions for execution by the processor(s)”; including instructions for execution))
However Teng does not include and a timestamp at which an insertable content item was presented to the user in a content stream by the streaming system; using a plurality of timestamps of the insertable content item with the identified insertable content item, decrypting the first message by hashing a plurality of timestamps that are within the range of the current time with the session identifier and using a hash from the hashing of the plurality of timestamps that matches a hash of the token to decrypt the first message;
Wherein Meembat teaches and a timestamp at which an insertable content item was presented to the user in a content stream by the streaming system; (Col. 3 lines 12-25 “ the timing cue being comprised in the following list: a silent period in the media stream and a predefined content sequence in the media stream, and insert a predetermined content item into the media stream starting from or ending in a point in the media stream corresponding to the timing cue, to at least in part replace content originally in the media stream responsive to the timing cue being determined and to refrain from inserting the predetermined content ite”; a timestamp (timing) at which an insertable content item (insert a predetermined content item) was presented)), insertable content item corresponding to streaming system (audio broadcast stream)), (Col. 4 lines 63-67 and Col. 5 lines 1-8 “ a user or consumer device, such as for example a digital radio, smartphone, tablet or laptop computer or other device capable of receiving a media stream, such as for example a digital media stream. A media stream may comprise, for example, the contents of a frequency modulated signal. A media stream may comprise, for example, a digitally encoded media stream. Device 110 is communicatively coupled, via air interface 121, to base station 120.”; user in the content stream ( user corresponding to media stream)), (Col. 8 lines 22-35 “ the contents of the metadata signal may be cryptographically signed with a private key, where device 110 is in possession of a corresponding public key. The signed part may comprise a timestamp to prevent copying of metadata signals, device 110 being configured to discard metadata signals with a timestamp not substantially matching a current time.”; metadata corresponding to timestamp)), (Col. 6 lines 25-45 “ A metadata signal may comprise information on a length of a section of the media stream, such as for example a silent period or an advertisement, that is suitable for being overwritten by inserting the content item. Device 110 may use this information when selecting a content item from among the at least one insertable content item available in device 110 for insertion. A metadata signal may be comprised in the media stream, or it may be delivered to device 110 separately from the timestamp with metadata corresponding to media stream/insertable content item))
using a plurality of timestamps (Col. 4 lines 53-60 “ Using a plurality of timing cues may improve the accuracy of insertion of content items into a stream of media content, such as for example personal messages or advertisements into an audio broadcast stream.”; plurality of timestamps (plurality of timing cues)), (Col. 2 lines 20-45 “metadata signal determining whether a timing cue can be determined, the timing cue being comprised in the following list: a silent period in the media stream and a predefined content sequence in the media stream, and inserting a predetermined content item into the media stream starting from or ending in a point in the media stream corresponding to the timing cue”; timing cues corresponding to two times (silent period and predefined sequence)), (Col. 8 lines 1-22 “the timing cue has been determined 24 milliseconds, ms, after the metadata signal, the search window may extend from 10 ms before metadata signal 240 to 30 ms after metadata signal 240. In general the search window may be characterized by two time parameters, t1 and t2. Parameter t1 may denote how long the search window is in the direction before arrival of metadata signal 240, and parameter t2 may denote how long the search window is in the direction after arrival of metadata signal 240. The case t1=t2 corresponds to a search window that is symmetrically arranged around metadata signal 240.”; plurality of timestamps ( timing cue corresponding to two times t1, t2/ two time parameters))
of the insertable content item ((Col. 4 lines 53-65 “insertion of content items into a stream of media content, such as for example personal messages or insertable content item corresponding to streaming system (audio broadcast stream)), (Col. 6 lines 25-45 “ A metadata signal may comprise information on a length of a section of the media stream, such as for example a silent period or an advertisement, that is suitable for being overwritten by inserting the content item. Device 110 may use this information when selecting a content item from among the at least one insertable content item available in device 110 for insertion. A metadata signal may be comprised in the media stream, or it may be delivered to device 110 separately from the media stream”; metadata corresponding to media stream/insertable content item)), (Col. 8 lines 53-67 “metadata signal 240 may comprise at least one of an identifier of the media stream, an identifier of device 110, and identifier of a user of the device 110 and an identifier of a subscription associated with device 110. An identifier of the media stream may comprise, for example, a hash of a file of the media stream or an identifier of the media stream within a naming convention of a node originating the media stream”; metadata corresponding to insertable content item includes an identifier))
with the identified insertable content item. ((Col. 4 lines 53-65 “insertion of content items into a stream of media content, such as for example personal messages or advertisements into an audio broadcast stream. Accurately inserted content items may produce a resulting stream that is free of gaps and has no overwritten content parts.”; insertable content item corresponding to streaming system (audio broadcast stream)), (Col. 6 lines 25-45 “ A metadata signal may comprise information metadata corresponding to media stream/insertable content item)), (Col. 6 lines 25-45 “at least one insertable content item and receives the media stream, device 110 may determine a location in the media stream, where to begin inserting one of the at least one insertable content item. Device 110 may be configured to determine the location based on timing cues, for example a metadata signal may be received in device 110 to mark the location where insertion may begin, so that a user of device 110 can perceive a continuous media stream where the transition in playback from the received media stream to the inserted content item is smooth and as imperceptible as possible”; identified insertable content item (insertable content item corresponding to determining where the insertion may begin))
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Meembat within the teachings of Teng to include and a timestamp at which an insertable content item was presented to the user in a content stream by the streaming system with a plurality of timestamps and the insertable content item because of the analogous concept of real-time audio processing using tokens and identifiers to enable secure digital audio streams. Meembat includes a process of a timestamp at which an insertable content item was presented by the streaming system as well as a plurality of timestamps used to identify the insertable 
The motivation to combine these references is because Internet services save and store personal identifiable information all the time, and the likelihood becomes higher that the user’s confidential data will be compromised or altered as well as extracted. By implementing time into the session the user can be assured with high confidence and credibility that their personal information will not be at harm. This maintains and promotes high integrity in the system. 
	However Teng and Meembat do not explicitly teach decrypting the first message by hashing a plurality of timestamps that are within the range of the current time with the session identifier and using a hash from the hashing of the plurality of timestamps that matches a hash of the token to decrypt the first message;
	Wherein Agarwal teaches decrypting the first message by hashing a plurality of timestamps that are within the range of the current time with the session identifier (Par. (0073) “in messages to the mobile device, for example in an encoded encrypted ciphertext, and the mobile computing device 64 may decrypt t”; decrypting the first message (messages corresponding to decryption)), (Par. (0019-0020) “by generating a OTP based on a time stamp of the current time and a shared secret value. TOTP is based on a HMAC (hash-based message authentication code) based one-time password HOTP. A cryptographic hash function may be implemented to generate the one-time password by generating a cryptographic hash of the current time and a shared secret value [..] allowing for passwords generated in close time proximity with the same shared secret value to be equal. [..] the server may accept one-time passwords generated from timestamps that differ by ±1 time interval from the client's timestamp). A single shared secret value, to be used for all subsequent authentication sessions,”; hashing a plurality of timestamps (generating a OTP based on a time stamp of the current time that is hashed; timestamps)) within range of a current time (close time proximity) with the session identifier (shared secret value corresponding to a session)), (Par. (0053) “The value received from devices 12 or 14 at server 52 may include a user identifier, a user password (or other credential), a TLOTP, and a session identifier by exchanges the server 52 matches networked exchanges with the device 12 to networked exchanges with the device”; with a session identifier (shared secret value corresponding to session identifier)) (Par. (0061) “authentication token corresponds to a valid authenticated session, such as one that is not be expired, [..] may receive a cryptographic hash value calculated based on an authentication token [..] by a private key corresponding to the session held by the browser 66”; encryption key corresponding to session ID (session token) and hash associated with timestamp (hash value based on token with expiration time)), (Par. (0070) “these values are a value that is cryptographically signed with a private encryption key of the authorization server and corresponding to a public encryption key stored in memory of the native application, or a value that is otherwise secret.”; values that are decrypted corresponding to encryption key)), (Par. (0043) “authentication tokens, i.e. one-time passwords, may be expired by the application servers 16 and cease to be honored, for instance after a given session ends or after a threshold amount of time has elapsed,”; authentication token that is hashed associated with timestamp (amount of time)), (Par. (0019) “hash of [..] a shared secret value [..] the time stamp is often quantized into 30 second intervals, [..] close time proximity with the same shared secret value”; encryption key (secret value) is hashed with timestamp)), (Par. (0038) “key that serves as the shared secret is exchanged),”; secret value corresponding to encryption key))
and using a hash from the hashing of the plurality of timestamps that matches a hash of the token to decrypt the first message; (Par. (0020) “o authenticate the user, the server may determine whether a received hash value matches a locally created hash value.”; using a hash from the plurality of timestamps (hash corresponding to timestamp of OTP) that matches a hash of the token (received hash matches hash value of token)), (Par. (0045) “a cryptographic hash of a user credential may be sent instead of the user credential itself in plain text form, and some embodiments may determine whether a cryptographic hash value stored in memory of the authentication system 18 and a user profile matches the received cryptographic hash value. In another example, a value may be cryptographically signed based upon the user credential,”; matches a hash of the token ( matches received cryptographic hash value associated with user profile/credential)), (Par. (0073) “in messages to the mobile device, for example in an encoded encrypted ciphertext, and the mobile computing device 64 may decrypt these values with a previously exchanged encryption key from the authorization server 70.”; to decrypt the first message (messages with values corresponding to decryption)), Par. (0061) “authentication token corresponds to a valid authenticated session, such as one that is not be expired, [..] may receive a cryptographic hash value calculated based on an authentication token [..] by a private key corresponding to the session held by the browser 66”; encryption key corresponding to session ID (session token) and hash associated with timestamp (hash value based on token with expiration time)), (Par. (0070) “these values are a value that is cryptographically signed with a private encryption key of the authorization server and corresponding to a public encryption key stored in memory of the native application, or a value that is otherwise secret.”; values that are decrypted corresponding to encryption key)), (Par. (0043) “authentication tokens, i.e. one-time passwords, may be expired by the application servers 16 and cease to be honored, for instance after a given session ends or after a threshold amount of time has elapsed,”; authentication token that is hashed associated with timestamp (amount of time)), (Par. (0019) “hash of [..] a shared secret value [..] the time stamp is often quantized into 30 second intervals, [..] close time proximity with the same shared secret value”; encryption key (secret value) is hashed with timestamp)), (Par. (0038) “key that serves as the shared secret is exchanged),”; secret value corresponding to encryption key)) (Examiner’s Note: Examiner broadly and reasonably interprets that hashing a plurality of timestamps corresponds to a single hash with multiple timestamps or multiple hashes based on one or more timestamps.))
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Agarwal within the teachings of Teng and Meembat to include decrypting the first message by hashing a plurality of timestamps that are within the range of the current time with the session identifier and using a hash from the hashing of the plurality of timestamps that matches a hash of the token to decrypt the first message because of the analogous concept of network communication using a session token or identifier associated with time to securely protect transmission over internet services. Agarwal includes a process in which the decryption of a message is performed first by hashing multiple timestamps that are in proximity or range of the session identifier and current time. This is important because by implementing a current time such as 5 or 10 minutes the system as a whole can be securely protected from compromise, forgery or modification because the corresponding hash must match the session ID or token at the given timestamp otherwise it will provide an indication to the user that an invalid or unauthorized entity is attempting to gain access. By using the hash of the timestamps as a form of comparison the likelihood of personal identifiable information used on web browsers such as banking, medical records, etc. can be safe from malicious users gathering information. This in return allows each session by the user to isolated and difficult from malicious attackers to glean or infer any information used on Internet services. Thus protecting the authenticity of the messages transmitted and assuring high confidence and credibility for the system.
Regarding Dependent Claim 2 (Original), Teng does not explicitly teach the method of claim 1, wherein the one or more operations are associated with an action performed by a user in response to being presented with the insertable content item.
Wherein Meembat teaches the method of claim 1, wherein the one or more operations are associated with an action performed by a user in response to being presented with the insertable content item. (Col. 6 lines 9-35 “Server 150 may be configured to provide to provide to device 110 at least one insertable content item. The at least one insertable content item may be delivered from server 150 to device via connection [..]  device 110 stores the at least one insertable content item and receives the media stream, device 110 may determine a location in the media stream, where to begin inserting one of the at least one insertable content item. Device 110 may be configured to determine the location based on timing cues, for example a metadata signal may be received in device 110 to mark the location where insertion may begin, so that a user of device 110 can perceive a continuous media stream where the transition in playback from the received media stream to the inserted content item is smooth and as imperceptible as possible”; in response to being presented with the insertable content item (server to provide to device one insertable content item), one or more operations are associated with an action performed by a user (device may determine a location in the media stream))
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Meembat within the teachings of Teng and Agarwal for the reasons stated in independent claim 1 discussed above. 

Regarding Dependent Claim 3 (Original),, the combination of Teng, Meembat and Agarwal teach the method of claim 1, Teng further teaches the method of claim 2, wherein the user session is initiated by a voice enabled device, and wherein the action is performed by the user using the voice enabled device. (Par. (0022) “before or during the audio transmission by the client 101 (e.g., the audio stream containing the watermark embedded message) over the speaker, a notification can be produced to let the user know that the client 101 is attempting to communicate with the mobile device 102 [..] A message containing any of this information can also be conveyed by audio (e.g., a recording of a voice reciting the message can be played to the user).”; user session is initiated ( before or during audio transmission [..] let the user know that the client is attempting to communicate) by a voice enabled device (over a speaker/ recording of a voice)); the action is performed by the user using the voice enabled device )recording of a voice reciting the message)), (Par. (0026) “the mobile authentication application on the mobile device 102 accesses the microphone of the mobile device 102, records and captures the audio transmission (e.g., the watermarked audio signal),”; action is performed by the user using voice enabled device (microphone of the mobile device records and captures the audio transmission))


Regarding Independent Claims 8 and 15 (Currently Amended), claims 8 and 15 are system and non-transitory computer readable storage medium claims that recite similar limitations to independent claim 1 and the teachings of Teng, Meembat and 

Regarding Dependent Claims 9 and 16 (Original), claims 9 and 16 recite similar limitations to claim 2 and the teachings of Teng, Meembat and Agarwal address all the limitations discussed in claim 2 and are thereby rejected under the same grounds.  

Regarding Dependent Claim 10 (Original), claim 10 recite similar limitations to claim 3 and the teachings of Teng, Meembat and Agarwal address all the limitations discussed in claim 3 and are thereby rejected under the same grounds.  




Claims 4, 11 and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Teng et al. (U.S Pub. No. 20200034521, hereinafter referred to as “Teng”), Meembat et al. (U.S No. 9525897, hereinafter referred to as “Meembat”) and Agarwal et al. (U.S Pub. No. 20190289017, hereinafter referred to as “Agarwal”) in further view of Gallo et al. (U.S Pub. No. 20120146773, hereinafter referred to as “Gallo”)

Regarding Dependent Claim 4 (Original), the combination of Teng, Meembat and Agarwal do not explicitly teach the method of claim 1, wherein the session identifier 
Wherein Gallo teaches the method of claim 1, wherein the session identifier is a randomly generated value that is generated in response to each new user session and discarded after the termination of the user session. (Par. (0016) “the typical prior-art Random-ID code is a session related ID for smartcard 10 which is regenerated anytime that smartcard 10 is newly introduced to card reader system 100 and deleted at the end of the interaction with card reader system 100. Therefore, the typical prior-art Random-ID code is typically stored in RAM (volatile memory). However, in accordance with the invention, the Random-ID code, "PseudoFixedRandomUID", is fixed over multiple communication sessions with different card reader systems 100 (e.g. at different locations) until the user initiates the generation of a new Random-ID code, "PseudoFixedRandomUID"”; session identifier is a randomly generated value (random-ID code is a session related ID [..] Random ID code fixed over multiple communication sessions) is generated in response to each new user session (generation of a new Random ID code) and discarded after termination of the user session (and deleted at the end of the interaction))
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Gallo within the teachings of Teng, Meembat and Agarwal top include the session identifier being a randomly generated value that is generated in response to each new user session and discarded after the termination of the user session because of the analogous concept of secure protection of a session on Internet services and applications. Gallo includes a session identifier 

Regarding Dependent Claims 11 and 17 (Original), claims 11 and 17 recite similar limitations to claim 4 and the teachings of Teng, Meembat, Agarwal and Gallo address all the limitations discussed in claim 4 and are thereby rejected under the same grounds.  

Claims 5, 12 and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Teng et al. (U.S Pub. No. 20200034521, hereinafter referred to as “Teng”), Meembat et al. (U.S No. 9525897, hereinafter referred to as “Meembat”) and Agarwal et al. (U.S Pub. No. 20190289017, hereinafter referred to as “Agarwal”) in further view of Tippett et al. (U.S Pub. No. 20120054491, hereinafter referred to as “Tippett”)

Regarding Dependent Claim 5 (Original), the combination of Teng, Meembat and Agarwal does not explicitly teach the method of claim 1, wherein the token is generated by using a hashing function on the session identifier concatenated with the timestamp.
Wherein Tippett teaches the method of claim 1, wherein the token is generated by using a hashing function on the session identifier concatenated with the timestamp. (Par. (0024) “a creation time of the token and duration of validity of the token.”; token is generated (creation time of token)), (Par. (0037) “to generate new tokens.”; token is generated (generate new tokens)), (Par. (0038) “a composite key is generated by one-way cryptographic hashing of a user key and a master key using a Secure Hash Algorithm (SHA-256). At 504, a payload is constructed using the user identifier and a validity parameter. In this embodiment, the validity parameter includes a creation time of the token, duration of validity of the token, a session identifier, a list of hostnames, and a list of Internet Protocol addresses. The payload is constructed by combining the user identifier, the creation time, the duration, the session identifier, the hostnames, and the IP addresses.”; using a hashing function (using a Secure Hash Algorithm) on the session identifier concatenated with the time stamp ( combining the creation time [..] session identifier))
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Tippett within the teachings of Teng, Meembat and Agarwal to include a token is generated by using a hashing function on the session identifier concatenated with the timestamp because of the analogous concept of data security using digital signatures during a session using a validity of time. 

Regarding Dependent Claims 12 and 18 (Original), claims 12 and 18 recite similar limitations to claim 5 and the teachings of Teng, Meembat Agarwal and Tippett address all the limitations discussed in claim 5 and are thereby rejected under the same grounds.  



Claims 6, 13 and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Teng et al. (U.S Pub. No. 20200034521, hereinafter referred to as “Teng”), Meembat et al. (U.S No. 9525897, hereinafter referred to as “Meembat”) and Agarwal et al. (U.S hereinafter referred to as “Agarwal”) in further view of Yin et al. (U.S Pub. No. 20150067328, hereinafter referred to as “Yin”)

	Regarding Dependent Claim 6 (Currently Amended), the combination of Teng, Meembat and Agarwal teach the method of claim 1, Teng further teaches the method of claim 1, wherein the  first message includes the token, and wherein the method further comprises: (Par. (0016) “the server 103 can encrypt the contents of the request of authentication message that is sent to the client 101 (e.g., using the server's 103 private key)”; sending a first message  that is sent to the client from the server)), (Par. (0015) “the server 103 also sends a session token containing a session identifier (session ID) so that responses to the request can be associated with the corresponding session based on the token. For security reasons, the server 103 can also include an expiration time period in the token (e.g. 10 minutes) such that authentication attempts into the session after expiration of the set time period are rejected. The server 103 also sends [..] when messages are transmitted back to the server 103.”; message includes a token (message corresponding to session identifier)), (Par. (0026) “the audio transmission (e.g., the watermarked audio signal), decodes the signal, and extracts the information in the message (e.g., the session token and server information).”; session corresponding to token))
session identifier. (Par. (0015) “the server 103 also sends a session token containing a session identifier (session ID) so that responses to the request can be associated with the corresponding session based on the token.”; session identifier))

Wherein Meembat teaches determining an insertable content item associated with the matching timestamp based on received information that associates identifiers of insertable content items with timestamps at which the insertable content item was presented to a user associated with the … identifier. (Col. 2 lines 38-50 “the media stream is obtained as output from a media stream decoder the metadata signal comprises at least one of an identifier of the media stream, an identifier of the apparatus, and identifier of a user of the apparatus and an identifier of a subscription associated with the apparatus the at least one processing core is further configured to select a value for the threshold length of time the at least one processing core is configured to select the value for the threshold length of time at least in part in dependence of at least one of the following: stored information concerning a time span between metadata and insertion locations in the media stream in the past,”; insertable content item (insertion locations in media stream) corresponding to timestamp (threshold length of time) associated with identifiers (identifier of the media stream)), (Col. 8 lines 22-40 “the metadata signal comprises a valid cryptographic token from server 150 or another party and select a length [..} comprise a timestamp to prevent copying of metadata signals, device 110 being configured to discard metadata signals with a timestamp not substantially matching a current time. In case device 110 can confirm a cryptographic token is valid, device 110 may search the determining an insertable content item associated with the matching timestamp (metadata corresponding to insertable content item matches a current time and determines an extended time)), (Col. 7 lines 28-40 “the arrival of metadata signal 240, and device 110 may begin inserting the insertable content item from the start of section 220, triggered by the timing cue that occurs at the start of sections 220. In this case, device 110 will find the timing cue from data comprised in the media stream that is stored in the buffer in device 110 at the time metadata signal 240 arrives, and device 110 can cause the insertion of the insertable content item to begin in time”; at which the insertable content item was presented to a user (arrival of metadata  corresponding to insertable content item and time)), (Col. 8 lines 53-67 “an identifier of the media stream, an identifier of device 110, and identifier of a user of the device 110 and an identifier of a subscription associated with device 110. An identifier of the media stream may comprise, for example, a hash of a file of the media stream or an identifier of the media stream within a naming convention of a node originating the media stream. An identifier of device 110 may comprise, for example, an international mobile station equipment identity, IMEI, where device 110 comprises cellular mobile capability, or a serial number. An identifier of a user may comprise a name or social security number”; user associated with an identifier))

The motivation to combine these references is because Internet services save and store personal identifiable information all the time, and the likelihood becomes 
However Teng, Meembat and Agarwal do not explicitly teach generating a plurality of hashes based on the session identifier combined with each of the plurality of timestamps, each of the plurality of hashes generated using a hashing function that is identical to the hashing function used to generate the token; identifying a matching hash from the plurality of hashes that matches the token; determining a matching timestamp of the plurality of timestamps that was used to generate the matching hash;
Wherein Yin teaches generating a plurality of hashes based on the session identifier combined with each of the plurality of timestamps, each of the plurality of hashes generated using a hashing function that is identical to the hashing function used to generate the token; (Par. (0051) “user device 210 may perform hash value generation function 430 to generate a hash value of security input 415. For example, user device 210 may generate the hash value using the selected key, corresponding to the key ID, and using a hash generation algorithm. In some implementations, user device 210 may generate the hash value within the time period corresponding to the idle expiry time period in key ID response 425. In some implementations, user device 210 may provide session token request 435 to platform server 270 to request a session token from platform server 270 based on generating the hash value. In some implementations, session token request 435 may include the hash value,”; plurality of hashes based on a session identifier with each plurality of timestamps (generating multiple hash values corresponding to session token, key ID and time period)), (Claim 1: “generate a first hash value of the security input using a key corresponding to a key identifier (ID); receiving, by the first device, the key ID and the first hash value from the second device; generating, by the first device, a second hash value using the key corresponding to the key ID; determining, by the first device, that the first hash value matches the second hash value;”; plurality of hashes (first and second hash values)), (Par. (0041) “session token 405 may include a session identifier, an expiry timestamp, idle expiry time period, an encrypted session key,”; based on the session identifier (session identifier included in session token) with each of the plurality of timestamps (expiry timestamp and idle expiry time period)), (Par. (0044) “may calculate the value based on input parameters (e.g., the session identifier, expiry timestamp, session key, and/or some other parameter) associated with session token 405 and an algorithm. In some implementations, the algorithm used to calculate the value may be based on a cryptographic hash function, an HMAC-MD5, an HMAC-SHA1, and/or some other type of algorithm.”; plurality of hashes generated using a hashing function identical to the hashing function used to generate token ( session token and calculated hash value using same cryptographic hash function algorithm HMAC-MD5/ HMAC-SHA1))
identifying a matching hash from the plurality of hashes that matches the token; determining a matching timestamp of the plurality of timestamps that was used to generate the matching hash; (Par.  (0045) “may compare the calculated value with the value stored by the secure storage, and authenticate session token 405 based on identifying that the calculated value matches the value stored by the secure identifying a matching hash matches the token ( session token corresponding to identifying that the calculated value matches)), (Par. (0058) “the hash value, included in session token request 435, matches the hash value generated by platform server 270, platform server 270 may perform session token generation function 465 to generate session token 470 (e.g., a session token having similar information as session token 405, including an expiration time period)”; matching the hash values corresponding to session token)), (Par. (0043) “Additionally or alternatively, platform server 270 may determine whether session token 405 is expired by comparing a time period in which session token 405 was last received by platform server 270 with the idle expiry time period associated with session token 405. For example, assume that session token 405 was received on 1/1/01 at 13:00:00 and on 1/1/01 at 13:05:00. Platform server 270 may determine a time period of 5 minutes and compare the determined time period with the idle expiry time period and identify whether the determined time period exceeds the idle expiry time period.”; determining matching timestamps of plurality of timestamps (compare a time period associated with session token to determine idle expiry time period)), (Par. (0051-0052) “generate the hash value within the time period corresponding to the idle expiry time period in key ID response 425. In some implementations, user device 210 may provide session token request 435 to platform server 270 to request a session token from platform server 270 based on generating the hash value. In some implementations, session token request 435 may include the hash value [..] platform server 270 may determine whether the key is expired or unexpired based on an expiry time period of the key. If platform server 270 is not storing a key corresponding to the hash corresponding to time period is determined whether the time is expired or unexpired)), (Par. (0066) “identifying a time period in which a session token, associated with the corresponding session identifier, will expire based on inactivity of the session token. For example, as shown in FIG. 5, the idle expiry time period associated with the session token with the session identifier "1234" is 15 minutes. Platform server 270 may identify whether the idle expiry time period has been exceeded based on information associated with previous receipt time field 530 and idle expiry time period field 540. For example, assume that platform server 270 receives the session token associated with session identifier "1234" on 1/1/01 at 15:31:00. Based on information associated with previous receipt time field 530 (e.g., 1/1/01, 15:15:00)”; session token with hash value is used to identify is a time period has exceeded the time))
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Yin within the teachings of Teng, Meembat and Agarwal to include generating a plurality of hashes based on the session identifier combined with each of the plurality of timestamps, each of the plurality of hashes generated using a hashing function that is identical to the hashing function used to generate the token; identifying a matching hash from the plurality of hashes that matches the token; determining a matching timestamp of the plurality of timestamps that was used to generate the matching hash because of the analogous concept of video/audio streaming services and using session token and hash values used to securely protect communication. Yin includes a process of a plurality of hashes based on the session identifier with a plurality of timestamps, a hashing function that is 


Regarding Dependent Claims 13 and 19 (Currently Amended), claims 13 and 19 recite similar limitations to claim 6 and the teachings of Teng, Meembat, Agarwal and Yin address all the limitations discussed in claim 6 and are thereby rejected under the same grounds.  

Claims 7, 14 and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Teng et al. (U.S Pub. No. 20200034521, hereinafter referred to as “Teng”), Meembat et al. (U.S No. 9525897, hereinafter referred to as “Meembat”), Agarwal et al. (U.S Pub. hereinafter referred to as “Agarwal”) and Yin et al. (U.S Pub. No. 20150067328, hereinafter referred to as “Yin”) in further view of Jakobsson et al. (U.S No. 10880322, hereinafter referred to as “Jakobsson”)


	Regarding Dependent Claim 7 (Currently Amended), the combination of Teng Meembat and Agarwal teach the method of claim 1, Teng further teaches the method of claim 1, wherein the first message includes an identifier of the content item that is encrypted using the token, and wherein the method further comprises: (Par. (0015) “the server 103 also sends a session token containing a session identifier (session ID) so that responses to the request can be associated with the corresponding session based on the token.”; session token corresponding to identifier)), (Par. (0029) “the session token in encrypted form on the client 101 and the mobile device 102 can prevent tampering with the token and its contents (e.g., the session ID) on the client 101 and on the mobile device 102.”; session identifier (session ID in session token) is encrypted (encrypted form) using the token (session token)), (Par. (0041) “The client interface 311 generates a message requesting the mobile device 300 to provide its login credentials to the server 320, the message including the encrypted session token for identifying the session and server information (IP address or FQDN) for identifying and locating the server 320. [..] The audio watermark encoder 313 encodes the message and passes the encoded audio transmission data to an audio watermark player 312, which plays the audio transmission containing the audio message request for user credentials via a speaker of the client 310 to be received by a microphone on message corresponding to encryption using the token; encoded message))
	However Teng, Meembat and Agarwal do not explicitly teach generating a plurality of hashes based on the session identifier combined with each of the plurality of timestamps, each of the plurality of hashes generated using a hashing function that is identical to the hashing function used to generate the token;  
	Wherein Yin teaches generating a plurality of hashes based on the session identifier combined with each of the plurality of timestamps, each of the plurality of hashes generated using a hashing function that is identical to the hashing function used to generate the token;  (Par. (0051) “user device 210 may perform hash value generation function 430 to generate a hash value of security input 415. For example, user device 210 may generate the hash value using the selected key, corresponding to the key ID, and using a hash generation algorithm. In some implementations, user device 210 may generate the hash value within the time period corresponding to the idle expiry time period in key ID response 425. In some implementations, user device 210 may provide session token request 435 to platform server 270 to request a session token from platform server 270 based on generating the hash value. In some implementations, session token request 435 may include the hash value,”; plurality of hashes based on a session identifier with each plurality of timestamps (generating multiple hash values corresponding to session token, key ID and time period)), (Claim 1: “generate a first hash value of the security input using a key corresponding to a key identifier (ID); receiving, by the first device, the key ID and the first hash value from the second device; generating, by the first device, a plurality of hashes (first and second hash values)), (Par. (0041) “session token 405 may include a session identifier, an expiry timestamp, idle expiry time period, an encrypted session key,”; based on the session identifier (session identifier included in session token) with each of the plurality of timestamps (expiry timestamp and idle expiry time period)), (Par. (0044) “may calculate the value based on input parameters (e.g., the session identifier, expiry timestamp, session key, and/or some other parameter) associated with session token 405 and an algorithm. In some implementations, the algorithm used to calculate the value may be based on a cryptographic hash function, an HMAC-MD5, an HMAC-SHA1, and/or some other type of algorithm.”; plurality of hashes generated using a hashing function identical to the hashing function used to generate token ( session token and calculated hash value using same cryptographic hash function algorithm HMAC-MD5/ HMAC-SHA1))
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Yin within the teachings of Teng, Meembat and Agarwal to include generating a plurality of hashes based on the session identifier combined with each of the plurality of timestamps, each of the plurality of hashes generated using a hashing function that is identical to the hashing function used to generate the token because of the analogous concept of video/audio streaming services and using session token and hash values used to securely protect communication. Yin includes a process of a plurality of hashes based on the session identifier with a plurality of timestamps, a hashing function that is identical to the 
However Teng, Meembat, Agarwal and Yin do not explicitly teach identifying a matching hash of one of the plurality of hashes, that when used to decrypt the message, generates a result in an expected format; extracting the identifier of the insertable content item from the decrypted message.
Wherein Jakobsson teaches 32 32936/46086/FW/11409621.2identifying a matching hash of one of the plurality of hashes, that when used to decrypt the message, generates a result in an expected format;  (Col. 24 lines 29-40 “to store information relating to Mail User Agent (MUA) signatures associated with messages. This is preferably done by encoding a set of MUA elements, such as the content descriptor; the S/MIME version; the time zone;”; plurality of hashes (signatures)), (Col. 13 lines 30- 65 and Col. 14 lines 1-29 “determining whether any of the files match an AV signature, determining whether any of the files has executable code segments in it, and more. [..] after having been identifying a matching hash (matching the signature can be detected [..] compare with the new signature, a match is made) that when used to decrypt the message (after having been decrypted; decryption of messages)), (Col. 38 lines 29-45 “at least a portion of the alternative resource identifier is decrypted to obtain the original resource identifier and/or the context information. For example, the alternative resource identifier may directly include an encrypted version of the original resource identifier and/or the context information.”; generates a result in an expected format (decryption to obtain an identifier)), (Examiner Notes: In the instant application in Par. (0030) the specification states that an expected format is an identifier of an insertable content item, therefore it will be broadly and reasonably interpreted as such))
extracting the identifier of the insertable content item from the decrypted message. (Col. 33 lines 29-45 “can be later extracted from the alternative resource identifier and used to obtain the corresponding original resource identifier and context information by decrypting.”; extracting an identifier by decrypting)), (Col. 3 lines 45-60 “a message is able to configure a URL or an attachment of the message to be insertable content item (advertiser’s marketing email with linked/attached content) corresponding to message)), 
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Jakobsson within the teachings of Teng Meembat, Agarwal and Yin to include identifying a matching hash of one of the plurality of hashes, that when used to decrypt the message, generates a result in an expected format; extracting the identifier of the insertable content item from the decrypted message because of the analogous concept of insertable content item and verifying messages in a session using hashes and an identifier. Jakobsson includes a process of identifying a matching hash that when used to decrypt a message generates a result in an expected format as well as extracting an identifier of the insertable content item from the decrypted message. This is significant because it allows the user to identify whether or not the identifier has a specific code, prefix or altered in any way. This provides an indication no the user that unless the hash is a correct match it will not be decrypted properly as well as for the session token to know the hash is not correct. By extracting the identifier after it is determined that the hash is corrected the insertable content item can be linked to the session ID. This leads to preventing attacks by malicious entities 


Regarding Dependent Claims 14 and 20 (Currently Amended), claims 14 and 20 recite similar limitations to claim 7 and the teachings of Teng, Meembat, Agarwal Yin and Jakobsson address all the limitations discussed in claim 7 and are thereby rejected under the same grounds.  


Relevant Prior Art

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Nieuwenhuys; Bruno (U.S No. 10248378) “Dynamically Inserting Additional Content Items Targeting A Variable Duration For A Real-time Content Stream”. Considered this reference because it had a similar Inventor and 

Kuang; Randy (U.S Pub. No. 20210211271) “METHODS AND SYSTEMS FOR SECURE DATA COMMUNICATION”. Considered this application because it relates to messages containing a hash or signature as well an identifier that are both compared and extracted in an expected format after decryption much like the dependent claims of the instant application. 

Suresh; Viswanath (U.S Pub.  No. 20200195439) “METHOD FOR SECURING THE RENDEZVOUS CONNECTION IN A CLOUD SERVICE USING ROUTING TOKENS”. Considered this application because it addressed the use of tokens and session identifiers in the realm of streaming video content.



Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  



Applicants are encouraged to take advantage of the After Final Consideration Pilot 2.0 (AFCP 2.0) which authorizes non-production time for consideration of responses filed after a final rejection. The purpose of the pilot is to compact prosecution of the case. The request must include 1) A signed AFCP request form (PTO/SB/434 or equivalent) that includes a statement that applicant is requesting consideration under the AFCP; 2) An amendment to at least one independent claim that does not broaden the scope of the independent claim in any aspect; and 3) A statement that applicant is willing and available to participate in any interview initiated by the examiner concerning the present response.  In the limited amount of non-production time if the examiner’s consideration of a proper AFCP 2.0 request and response does not result in a determination that all pending claims are in condition for allowance, the examiner will request an interview with the applicant to discuss the response. For more info, please visit http://www.uspto.gov/patent/initiatives/after-final-consideration-pilot-20

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HASSAN A HUSSEIN whose telephone number is (571)272-3554. The examiner can normally be reached on 7:30am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on (571)272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/H.A.H./           Examiner, Art Unit 2497                                                                                                                                                                                             
/Jeremy S Duffield/           Primary Examiner, Art Unit 2498