DETAILED ACTION
This is an office action on the merits in response to the communication filed on 11/09/2021.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claims’ Status
Claims 2-3, 6-7, 10-11 and 18 are canceled.  Claims 1, 5 and 9 have been amended.  Claims 1, 4-5, 8-9 and 12-17 are pending and are considered in this office action.


Response to Arguments/Comments
103 Rejection
Applicant contends, on pg.12 of the Arguments/Remarks, that Sugimura does not disclose biological information being acquired by the user terminal and then sent to the service terminal.  Examiner respectfully disagrees.  In response to applicant’s argument that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art.  See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007).  In this case, Sugimura 



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. 	Determining the scope and contents of the prior art.
2. 	Ascertaining the differences between the prior art and the claims at issue.
3. 	Resolving the level of ordinary skill in the pertinent art.
4. 	Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1, 5, 9, 13, 15 and 17 are rejected under 35 U.S.C. 103 as being obvious over Karlov et al. (US20140143155A1; hereinafter: “Karlov”), and further in view of Sugimura et al. (US20030115473A1; hereinafter: “Sugimura”).
With respect to claim 1
Karlov teaches the limitations of:
Receiving, by the user terminal, an authentication request sent from a service terminal (claim 1, acquiring payment information at the authentication device for paying a seller identified by a seller identifier; see claim 6, said seller identifier is acquired by the authentication device by receiving it within a message from the communication device);
Sending, from the user terminal, first encrypted information to the service terminal, wherein the service terminal forwards the first encrypted information to an authentication server, and the authentication server parses and authenticates the first encrypted information ([0020], encrypting, within the authentication device, at least one of said payment information, authentication device identifier and user authentication data by means of the first cryptographic key so as to generate a secured payment request; transmitting the secured payment request to the communication device, transmitting, from the communication device, a message comprising a seller identifier and the secured payment request to the authorization server, decrypting the secured payment request with the second cryptographic key at the authorization server, checking if the decrypted authentication device identifier is stored in the database and if so, comparing the decrypted user authentication data with the device holder authentication data associated to the authentication device identifier and if the comparison indicates a match,); 

receiving, by the user terminal, second encrypted information fed back by the authentication server ([0069], the authorization server could prepare an answerback message 38 intended to the authentication device; [0070], the authentication device has to acquire the answerback message 38, preferably in a secured manner. To this end the authorization server sends the message through the communication device 20; Preferably, the answerback message is a secured message for ensuring the integrity and/or the confidentiality of its content. This can be achieved in a well known manner by means of a symmetric or asymmetric encryption scheme and/or by using a signature and a digital certificate.);
wherein the second encrypted information is generated by the authentication server after authenticating the first encrypted information to be valid  ([0046], the authorization server 30 is provided with a cryptographic unit 35 for performing cryptographic operations, namely at least decrypting messages sent from the authentication device 10 via the communication device 10. Preferably the cryptographic operations also comprise encrypting answerback messages 38 which have to be sent at least to the authentication device 10 via the communication device 20 in reply to the messages received from the authentication device);
parsing and authenticating, by the user terminal, the second encrypted information ([0072], Once the authentication device has been reached by the answerback message 38, this authentication device decrypts the message (if it has been previously encrypted by the authorization server) within the crypto-processor 15 by using the first key K1 (shared key) stored in the memory 14. Then, the authentication device restitutes the content of this message (in full or in part) in clear form to the user.)

Transmitting, from the user terminal, the biological identifier to the service terminal for authentication, to enable the service terminal to provide service to the user after the biological identifier is authenticated successfully ([0021-0028], acquiring payment information at the authentication device for paying a seller identifier by a seller identifier, inputting user authentication data (biological identifier), encrypting, within the authentication device (user terminal), at least one of said payment information, authentication device identifier and user authentication data by means of the first cryptographic key so as to generate a secured payment request, transmitting the secured payment request to the communication device (service terminal),….)
Examiner’s Note (Intended Use):  The portion of the limitation which recites “…..for authentication….” is associated with the “transmitting, from the user terminal,…” method step, and is merely a recited intended use of the said method step.  This portion is given little to no patentable weight because the

wherein a private key signature of the user terminal is carried in the first encrypted information ([0021-0025], encrypting, within the authentication device, at least one of said payment information, authentication device identifier and user authentication data by means of the first cryptographic key so as to generate a secured payment request.), and the private key signature of the user terminal carried in the first encrypted information is configured to enable the authentication server to determine whether the first encrypted information is valid (see [0059-0060])
wherein a public key signature of the service terminal is carried in the second encrypted information, and the step of parsing and authenticating the second encrypted information comprises: parsing the second encrypted information to acquire the public key signature of the service terminal carried in the second encrypted information; authenticating the public key signature of the service terminal; determining that the second encrypted information is valid, when that the public key signature of the service terminal is authenticated successfully; and determining that the second encrypted information is invalid, when the public key signature of the service terminal is not authenticated successfully ([0079-0085], transmitting, to the authentication device 10, the answerback message 38, the signature and a digital certificate provided by a certification authority for authenticating a public key belonging the authorization server 30, obtaining a public key pertaining to the certification authority for authenticating 
This particular limitation (determining that the second encrypted information is invalid, when the public key signature of the service terminal is not authenticated successfully) is not germane to patentability because it is not required to be performed under the broadest reasonable interpretation.   See Schulhauser (MPEP 2111.04 (II)).   By performing “determines that the second encrypted information is valid, when the public key signature of the service terminal is authenticated successfully”, it is implicitly known that the contrary limitation “determines that the second encrypted information is invalid, when the public key signature of the service terminal is not authenticated successfully” will also be met.  

Karlov does not explicitly disclose, but Sugimura teaches:
Acquiring, by the user terminal, a biological identifier of a user when the second encrypted information is authenticated to be valid ([0037], Biometrics data (biological information) of a user may be obtained at any of the following timings: biometrics data is obtained after a user is authenticated by the first authenticating part.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Sugimura with the teaching of Karlov as they relate to authentication system.  The claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.  Karlov offers the embodiment of securely conducting electronic transactions involving multiple devices.  

With respect to claim 5
Karlov teaches the limitations of:
Sending, from the service terminal, an authentication request to a user terminal (claim 1, acquiring payment information at the authentication device for paying a seller identified by a seller identifier; see claim 6, said seller identifier is acquired by the authentication device by receiving it within a message from the communication device);
Receiving, by the service terminal, first encrypted information fed back by the user terminal in response to the authentication request, forwarding, from the service terminal, the first encrypted information to an authentication server to enable the authentication server to parse and authenticate the first encrypted information  ([0020];  encrypting, within the authentication device, at least one of said payment information, authentication device identifier and user authentication data by means of the first cryptographic key so as to generate a secured payment request; transmitting the secured payment request to the communication device, transmitting, from the communication device, a message comprising a seller identifier and the secured payment request to the authorization server, decrypting the secured payment request with the second cryptographic key at the authorization server, checking if the decrypted authentication device identifier is stored in the database and if so, comparing the decrypted user authentication data with the device holder authentication data associated to the authentication device identifier and if the comparison indicates a match,); 
Receiving, by the second terminal, second encrypted information transmitted by the authentication server; forwarding, from the service terminal, the second encrypted information to the user terminal ([0069], the authorization server could prepare an answerback message 38 intended to the authentication device; [0070], the authentication device has to acquire the answerback message 38, preferably in a secured manner. To this end the authorization server sends the message through the communication device 20; Preferably, the answerback message is a secured message for ensuring the integrity and/or the confidentiality of its content. This can be achieved in a well known manner by means of a symmetric or asymmetric encryption scheme and/or by using a signature and a digital certificate.);


wherein a private key signature of the user terminal is carried in the first encrypted information ([0049], preferably, the communication device 102 signs the sending of the encrypted data thanks to its own private key.), and the private key signature of the user terminal carried in the first encrypted information is configured to enable the authentication server to determine whether the first encrypted information is valid ([0050], the communication device 101 decodes the data received from the communication device 102 thanks to its own private key…….Preferably, the communication device 101 checks the authenticity of the received and decoded data, by checking the validity of the signature of the received data, thanks to the public key of the communication device 102; [0051], In a following step 407, the communication device 101 acknowledges the received data. Preferably, the acknowledgement transmitted to the communication device 102 is signed by the communication device 101 thanks to its own private key.); 
wherein a public key signature of the service terminal is carried in the second encrypted information  ([0079-0085], transmitting, to the authentication device 10, the answerback message 38, the signature and a digital certificate provided by a certification authority for authenticating a public key belonging the 

Karlov does not explicitly disclose, but Sugimura teaches:
Receiving, by the service terminal, a biological identifier of a user transmitted by the user terminal ([0037], Biometrics data (biological information) of a user may be obtained at any of the following timings: biometrics data is obtained after a user is authenticated by the first authenticating part.)
Authenticating, by the service terminal, the biological identifier, and providing, by the service terminal, the user with a service after the biological identifier is authenticated successfully ([0014], a biometrics data registering part for registering and storing biometrics data on the user; a second authenticating part for conducting biometrics authentication; [0050], The selection information receiving part 32 receives information indicating which authentication system is used by a user.  the user can select either one of an authentication system using only the first authenticating part 2, an authentication system using only the second authenticating part 5, or an authenticating system using both the authenticating parts.)

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Sugimura with the teaching of Karlov as they relate to authentication system.  The claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.  

With respect to claim 13 & 15
The combination of Sugimura and Karlov teaches the limitations of claim 1 & 5 respectively.  Karlov further teaches:  one or more hardware processors and a storage medium in which computer-readable operational instructions are stored, wherein when the computer-readable operational instructions in the storage medium are run, the one or more hardware processors execute the identity information authentication method according to claim 1 & 5 respectively (see [0043].)

With respect to claim 9
Karlov teaches the limitations of:
Receiving, by the authentication server, first encrypted information forwarded by a service terminal ([0020], encrypting, within the authentication device, at least one of said payment information, authentication device identifier and user authentication data by means of the first cryptographic key so as to generate a secured payment request; transmitting the secured payment request to the communication device, transmitting, from the communication device, a message comprising a seller identifier and the secured payment request to the authorization server); 
parsing and authenticating, by the authentication server, the first encrypted information ([0020], decrypting the secured payment request with the second cryptographic key at the authorization server, checking if the decrypted authentication device identifier is stored in the database and if so, comparing 
generating, by the authentication server, second encrypted information, when the first encrypted information is authenticated to be valid ([0046], the authorization server 30 is provided with a cryptographic unit 35 for performing cryptographic operations, namely at least decrypting messages sent from the authentication device 10 via the communication device 10. Preferably the cryptographic operations also comprise encrypting answerback messages 38 which have to be sent at least to the authentication device 10 via the communication device 20 in reply to the messages received from the authentication device);
transmitting, from the authentication server the second encrypted information to the service terminal, to enable the service terminal to forward the second encrypted information to a user terminal, enable the user terminal to parse and authenticate the second encrypted information ([0069], the authorization server could prepare an answerback message 38 intended to the authentication device; [0070], the authentication device has to acquire the answerback message 38, preferably in a secured manner. To this end the authorization server sends the message through the communication device 20; Preferably, the answerback message is a secured message for ensuring the integrity and/or the confidentiality of its content. This can be achieved in a well known manner by means of a symmetric or asymmetric encryption scheme and/or by using a signature and a digital certificate; [0072], Once the authentication device has been reached by the answerback message 38, this authentication device decrypts the message (if it has been previously encrypted by the authorization server) within the crypto-processor 15 by using the first key K1 (shared key) stored in the memory 14. Then, the authentication device restitutes the content of this message (in full or in part) in clear form to the user.)

wherein a private key signature of the user terminal is carried in the first encrypted information ([0049], preferably, the communication device 102 signs the sending of the encrypted data thanks to its own private key.), and the step of parsing and authenticating the first encrypted information comprises: parsing the first encrypted information to acquire the private key signature of the user terminal carried in the first encrypted information ([0050], the communication device 101 decodes the data received from the communication device 102 thanks to its own private key.); authenticating the private key signature of the user terminal; determining that the first encrypted information is valid, when the private key signature of the user terminal is authenticated successfully ([0050], Preferably, the communication device 101 checks the authenticity of the received and decoded data, by checking the validity of the signature of the received data, thanks to the public key of the communication device 102; [0051], In a following step 407, the communication device 101 acknowledges the received data. Preferably, the acknowledgement transmitted to the communication device 102 is signed by the communication device 101 thanks to its own private key.); and
determining that the first encrypted information is invalid, when the private key signature of the user terminal is not authenticated successfully. 
This particular limitation (determining that the first encrypted information is invalid, when the private key signature of the user terminal is not authenticated successfully) is not germane to patentability because it is not required to be performed under the broadest reasonable interpretation.   See Schulhauser (MPEP 2111.04 (II)).   By performing “determining that the first encrypted information is valid, when the signature of the user terminal is authenticated successfully”, it is implicitly known that the contrary limitation “determining that the first encrypted information is invalid, when the signature of the user terminal is not authenticated successfully” will also be met.

Wherein a public key signature of the service terminal is carried in the second encrypted information ([0025], The key server device 103 stores information on matching between on the one hand public keys and on the other hand authentication information derived from the public keys.), 

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Sugimura with the teaching of Karlov as they relate to authentication system.  The claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.  Karlov offers the embodiment of securely conducting electronic transactions involving multiple devices.  One of ordinary skill in the art at the time the invention was made would have recognized the utilization of multiple devices to securely conduct electronic transactions as disclosed by Karlov to the method of incorporating biometric authentication as taught by Sugimura for the predicted result of improved systems and methods of a secured multi-device authentication.

With respect to claim 17
Karlov teaches the limitations of claim 9.  Karlov further teaches:  one or more hardware processors and a storage medium in which computer-readable operational instructions are stored, wherein when the computer-readable operational instructions in the storage medium are run, the one or more hardware processors execute the identity information authentication method according to claim 9 respectively (see [0043].)


Claims 4 & 8 are rejected under 35 U.S.C. 103 as being obvious over Karlov et al. (US20140143155A1; hereinafter: “Karlov”) in view of Sugimura et al. (US20030115473A1; hereinafter: “Sugimura”), and further in view of Omori et al. (US20060155992A1; hereinafter: “Omori”).
With respect to claim 4 & 8
The combination of Sugimura and Karlov teaches the limitations of claim 1 & 5 respectively.  The combination does not explicitly disclose, but Omori teaches: wherein the first encryption information is encrypted according to a first encryption algorithm preset by the user terminal and the authentication server together, and the authentication server parses the first encrypted information according to a first decryption algorithm preset by the user terminal and the authentication server together ([0079], the authentication units 311 and 331 uses the first authentication key data 321 and 341 and perform encryption respectively and decryption of predetermined data based on a first encryption algorithm and a first decryption algorithm corresponding to the first encryption algorithm, and the authentication is performed.);
the second encryption information is encrypted according to a second encryption algorithm preset by the user terminal and the authentication server together, and the user terminal parses the second encrypted information according to a second decryption algorithm preset by the user terminal and the authentication server together ([0084], The encryption unit 312 of the data processing device 302 uses the encryption key data 322 and encrypts predetermined data with a second encryption algorithm; [0011], the second data processing device decrypts the encrypted data encrypted based on a second encryption algorithm based on a second decryption algorithm corresponding to the second encryption algorithm.),
wherein the first encryption algorithm is different from the second encryption algorithm, and the first decryption algorithm is different from the second decryption algorithm ([0096], according to the data processing system 301, due to using a different encryption/decryption algorithm between the mutual authentication and the generation of the encrypted data, even when the first encryption/decryption 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Omori with the teaching of Sugimura/Karlov as they relate to a system/method of data processing among multiple devices.  The claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.  Motivation to do so would have been to improve security by incorporating different encryption/decryption algorithms. 


Claims 14 & 16 are rejected under 35 U.S.C. 103 as being obvious over Karlov et al. (US20140143155A1; hereinafter: “Karlov”) in view of Sugimura et al. (US20030115473A1; hereinafter: “Sugimura”).
With respect to claim 14
The combination of Sugimura and Karlov teaches the limitations of claim 13.  Sugimura further teaches: the biological identifier of the user is a fingerprint feature and/or a retinal feature of the user ([0007], the biometrics authentication refers to a system for conducting the authentication of an individual based on physical feature portions of a user: biological information such as a fingerprint, an iris, and so on.); and the user terminal is a mobile device having a fingerprint collector and/or a retina collector ([0031], reference numeral 1 denotes an authentication information input part for inputting information to be required for authenticating a user. The authentication information input part includes, for example, not only input media such as a keyboard and a mouse, but also input equipment of biometrics data such as a camera and a fingerprint scanner, and a driver, a program, and the like for controlling these pieces of equipment.)

With respect to claim 16
The combination of Sugimura and Karlov teaches the limitations of claim 15.  Sugimura further teaches: the service terminal is a teller machine ([0004], The most widespread individual authentication system in a computer system is a password system, which is implemented in various fields such as access to an intra-company network and service at an automatic teller machine (ATM) of the bank.)


Claim 12 is rejected under 35 U.S.C. 103 as being obvious over Ran et al. (US 20130198518 A1; hereinafter: “Ran”) in view of Karlov et al. (US20140143155A1; hereinafter: “Karlov”), and further in view of Omori et al. (US20060155992A1; hereinafter: “Omori”).
With respect to claim 12
The combination of Ran and Karlov teaches the limitations of claim 9.  The combination does not explicitly disclose, but Omori teaches: wherein the first encryption information is encrypted according to a first encryption algorithm preset by the user terminal and the authentication server together, and the authentication server parses the first encrypted information according to a first decryption algorithm preset by the user terminal and the authentication server together ([0079], the authentication units 311 and 331 uses the first authentication key data 321 and 341 and perform encryption respectively and decryption of predetermined data based on a first encryption algorithm and a first decryption algorithm corresponding to the first encryption algorithm, and the authentication is performed.);
the second encryption information is encrypted according to a second encryption algorithm preset by the user terminal and the authentication server together, and the user terminal parses the second encrypted information according to a second decryption algorithm preset by the user terminal and the authentication server together ([0084], The encryption unit 312 of the data processing device 302 uses ,

wherein the first encryption algorithm is different from the second encryption algorithm, and the first decryption algorithm is different from the second decryption algorithm ([0096], according to the data processing system 301, due to using a different encryption/decryption algorithm between the mutual authentication and the generation of the encrypted data, even when the first encryption/decryption algorithm used for the mutual authentication is leaked to the third party, since the encrypted data is encrypted by a second encryption algorithm, the third party cannot decipher it.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Omori with the teaching of Ran/Karlov as they relate to a system/method of data processing among multiple devices.  The claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.  Motivation to do so would have been to improve security by incorporating different encryption/decryption algorithms. 

Conclusion
THIS ACTION IS MADE FINAL, necessitated by amendments.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to YIN Y CHOI whose telephone number is (571)272-1094 or yin.choi@uspto.gov.  The examiner can normally be reached on M-F 7:30 - 5:30pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neha Patel can be reached on 571-270-1492.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).  If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/YIN CHOI/ Examiner, Art Unit 3685, 1/21/2022
/NEHA PATEL/ Supervisory Patent Examiner, Art Unit 3685