DETAILED ACTION
This office action is in response to applicant’s RCE submission filed on 10/25/2021, which has an effective filing date of 01/28/2019. Claims 1, 4, 9-10, 13-14, and 17 have been amended. Claims 1-7, 9-10, and 13-19 are pending and are directed towards an apparatus, method, and computer product for Determination of Weak Hashed Credentials. This is a Non-Final action.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
1.	Applicant’s arguments filed 10/25/2021 have been fully considered.
A) Applicant’s arguments, with respect to the newly amended limitations of claim 1, that Ashley does not teach “the hash function is provided to the authentication server”, “the authentication server generates a plurality of hashed versions of commonly used credentials through application of a hash function”, and “the credentials extracted from the monitoring network activities are hashed prior to the network device applying a hashing operation on the credentials” (page 12-13 of the present response) have been fully considered but they are moot in view of the new grounds of 35 U.S.C. 103 rejections.
Claim Rejections - 35 USC § 103
2.	In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.

3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
3.	Claims 1-7, 10, 14-15, and 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Ashley et al. (US Patent 10,051,001), hereinafter Ashley, filed on Jul. 31, 2015 in view of Todorov (US Pub. 2011/0296509) filed on May 27, 2010.
Regarding claim 1, Ashley teaches an apparatus (col. 5, line 64-67; a network device) comprising: 
a processor (col. 16, line 41-46; network device includes a processor); and 
a non-transitory computer readable medium on which is stored machine readable instructions that are to cause the processor (col. 2, line 16-18; a processor executes instructions stored on a memory) to: 
receive a hashed credential associated with a user from a device of the user (Fig. 4 and col. 16, line 9-31; network device 402 stores information for client devices, such as a hash of user password),

determine the hash function used by the device to generate the received hashed credential; 
send the determined hash function to a remote server, wherein the remote server is to apply the determined hash function to a credential
Todorov teaches wherein the device generated the hashed credential through use of a hash function (para 16, line 1-17; client-side performs a one-way hash function on a password);
determine the hash function used by the device to generate the received hashed credential (para 16, line 1-17 and para 26, line 1-14; store an indicator, such as a function name, of which hash function was used for a user); 
send the determined hash function to a remote server, wherein the remote server is to apply the determined hash function to a credential (para 16, line 1-17 and para 26, line 1-14; a server receives a hash value from a client and the server can generate a hash value of the password)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Ashley to incorporate the teachings of Todorov to provide a server receives a hash value 
Ashley teaches wherein the remote server is to apply hash function to a plurality of commonly used credentials to generate a plurality of hashed versions of the commonly used credentials and to return the plurality of commonly used credentials to the apparatus (col. 30, line 53-67 and col. 31, line 1-30; the authentication server transforms the plurality of collected user credentials by applying a hash and sends the transformed plurality of user credentials to a network device);
receive the generated plurality of hashed versions of the generated plurality of commonly used credentials from the remote server (col. 6, line 25-30 and col. 27, line 1-20; the network device receives the hashed blacklist including user credentials from the authentication server); 
determine whether the hashed credential matches a hashed version of a commonly used credential of the plurality of commonly used credentials (col. 6, line 1-11 and col. 29, line 1-10; determine if there is a match with one or more of the plurality of user credentials, such as blacklist credentials, and detected 
based on a determination that the hashed credential matches a hashed version of a commonly used credential, perform at least one of a reporting or a blocking operation (col. 6, line 1-21 and col. 29, line 1-10; alert users if their login credentials match the blacklist credentials, where credentials are hashed prior to the comparison operation).
Regarding claim 2, Ashley and Todorov teach apparatus of claim 1.
Ashley teaches the plurality of commonly used credentials is included in a dictionary of commonly used credentials (col. 6, line 1-7; blacklist credentials, such as weak passwords).
Regarding claim 3, Ashley and Todorov teach apparatus of claim 1.
Ashley teaches to perform at least one of the reporting or blocking operation, the instructions are further to cause the processor to: 
output an alert (col. 6, line 5-22; alert users if their currently used credentials match one of the blacklist credentials); 
disable a user access to the device, an application, or a network; 
shut down the device; or 
quarantine the device from the network.
Regarding claim 4, Ashley and Todorov teach apparatus of claim 1.
Ashley teaches the user device is a personal computer, a laptop computer, a tablet computer, or a smartphone (col. 12, line 8-17 and col. 14, line 26-30; client being monitored for user credentials can be laptops, tablets, and smart phones).
Regarding claim 5, Ashley and Todorov teach apparatus of claim 1.
Ashley teaches automatically and periodically access the hashed credential (col. 13, line 20-23 and col. 29, line 4-10; continue to monitor traffic for policy/rule compliance (e.g., for a predetermined period of time) and detected passwords based on network monitoring can be hashed prior to performing the comparison operation).
Regarding claim 6, Ashley and Todorov teach apparatus of claim 1.
Ashley teaches the apparatus is a personal computer, a laptop computer, a tablet computer, a smartphone, a network gateway, a network router, or a server (col. 12, line 8-15; the network device can include a gateway).
Regarding claim 7, Ashley and Todorov teach apparatus of claim 1.
Ashley teaches the hashed credential comprises a user name, a user password, a device name, or a device password (col. 29, line 4-10; detected passwords are hashed).
Regarding claim 10, Ashley teaches a method comprising: 
receiving, by a processor, a hashed credential associated with a user from a device of the user (Fig. 4 and col. 16, line 9-46; network device 402, including a network processor, stores information for client devices, such as a hash of user password),
Ashley does not teach wherein the device generated the hashed credential through use of a hash function;
determining, by the processor, the hash function used by the device to generate the received hashed credential; 
sending, by the processor, the determined hash function to a remote server, wherein the remote server is to apply the determined hash function to a credential
Todorov teaches wherein the device generated the hashed credential through use of a hash function (para 16, line 1-17; client-side performs a one-way hash function on a password);
determining, by the processor, the hash function used by the device to generate the received hashed credential (para 16, line 1-17 and para 26, line 1-14; store an indicator, such as a function name, of which hash function was used for a user); 
a credential (para 16, line 1-17 and para 26, line 1-14; a server receives a hash value from a client and the server can generate a hash value of the password)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Ashley to incorporate the teachings of Todorov to provide a server receives a hash value from a client and the server can generate a hash value of the password.  Doing so would allow for a password security system based on matching hashed value for the password data, as recognized by Todorov.
Ashley teaches wherein the remote server is to apply hash function to a plurality of commonly used credentials to generate a plurality of hashed versions of the commonly used credentials and to return the plurality of commonly used credentials to the processor (col. 30, line 53-67 and col. 31, line 1-30; the authentication server transforms the plurality of collected user credentials by applying a hash and sends the transformed plurality of user credentials to a network device);
receiving, by the processor, the generated plurality of hashed entries of the commonly used credentials from the remote server (col. 6, line 25-30 and col. 27, 
determining, by the processor, whether the hashed credential matches a hashed entry of the received plurality of hashed entries, wherein a plurality of entries corresponding to the plurality of hashed entries are included in a dictionary of commonly used credentials (col. 6, line 1-11 and col. 29, line 1-10; determine if there is a match with one or more of the plurality of user credentials, such as blacklist credentials, and detected password and extracted passwords are hashed prior to performing the comparison operation); and 
based on a determination that the hashed credential matches a hashed entry of the received plurality of hashed entries, by the processor: 
outputting an alert (col. 6, line 1-21 and col. 29, line 1-10; alert users if their login credentials match the blacklist credentials, where credentials are hashed prior to the comparison operation); 
disabling access by the user to the device, an application, or a network; 
shutting down the device; or 
quarantining the device from the network.
Regarding claim 14, Ashley and Todorov teach method of claim 10.

determining which of the hashed credentials matches a hashed entry of the plurality of hashed entries (col. 6, line 1-11 and col. 29, line 1-10; determine if there is a match with one or more of the plurality of user credentials, such as blacklist credentials, and detected password and extracted passwords are hashed prior to performing the comparison operation); 
maintaining a log of the devices from which hashed credentials matching the hashed entries were accessed (col. 16, line 20-31; storage 510 stores tables that include associated host IP addresses and a bloom filter generated based on user credentials for monitored credentials enforcement); 
determining in which of the devices from which the hashed credentials matching the hashed entries were accessed have been changed to have values that do not match a hashed entry of the plurality of hashed entries; and updating the log with an indication of the devices where the hashed credentials have been changed to have values that do not match a hashed  entry of the plurality of hashed entries (col. 16, line 20-31 and col. 21, line 1-9; storage 510 stores tables 
Regarding claim 15, Ashley and Todorov teach method of claim 10.
Ashley teaches determining whether the processor is to determine whether the hashed credential matches a hashed entry of the plurality of hashed entries; and based on a determination that the processor is to determine whether the hashed credential matches a hashed entry of the plurality of hashed entries, determine whether the hashed credential matches a hashed entry of the plurality of hashed entries (col. 5, line 64-67 and col. 6, line 1-3 and col. 29, line 1-10; the network device performs monitoring of network traffic to determine if there is a match with one or more of the plurality of user credentials and detected password and extracted passwords are hashed prior to performing the comparison operation).
Regarding claim 17, Ashley teaches a computer readable medium on which is stored machine readable instructions that when executed by a processor (col. 2, line 16-18; a processor executes instructions stored on a memory), cause the processor to: 

Ashley does not teach wherein the device generated the hashed credential through use of a hash function;
determine the hash function used by the device to generate the received hashed credential; 
send the determined hash function to a remote server, wherein the remote server is to apply the determined hash function to a credential
Todorov teaches wherein the device generated the hashed credential through use of a hash function (para 16, line 1-17; client-side performs a one-way hash function on a password);
determine the hash function used by the device to generate the received hashed credential (para 16, line 1-17 and para 26, line 1-14; store an indicator, such as a function name, of which hash function was used for a user); 
send the determined hash function to a remote server, wherein the remote server is to apply the determined hash function to a credential (para 16, line 1-17 and para 26, line 1-14; a server receives a hash value from a client and the server can generate a hash value of the password)

Ashley teaches wherein the remote server is to apply hash function to a plurality of commonly used credentials to generate a plurality of hashed versions of the commonly used credentials and to return the plurality of commonly used credentials to the processor (col. 30, line 53-67 and col. 31, line 1-30; the authentication server transforms the plurality of collected user credentials by applying a hash and sends the transformed plurality of user credentials to a network device);
receive the generated plurality of hashed versions of the generated plurality of commonly used credentials from the remote server (col. 6, line 25-30 and col. 27, line 1-20; the network device receives the hashed blacklist including credentials from the authentication server);
determine whether the hashed credential matches a hashed version of a commonly used credential of the received plurality of commonly used credentials 
based on a determination that the hashed credential matches a hashed version of a commonly used credential, perform at least one of a reporting or a blocking operation (col. 6, line 1-21 and col. 29, line 1-10; alert users if their login credentials match the blacklist credentials, where credentials are hashed prior to the comparison operation).
Regarding claim 18, Ashley and Todorov teach computer product of claim 17.
Ashley teaches at least one of the reporting or blocking operation, the instructions are further to cause the processor to: 
output an alert (col. 6, line 5-22; alert users if their currently used credentials match one of the blacklist credentials); 
disable a user access to the device, an application, or a network; 
shut down the device; or 
quarantine the device from the network.
Regarding claim 19, Ashley and Todorov teach computer product of claim 17.
Ashley teaches automatically and periodically access the hashed credential (col. 13, line 20-23 and col. 29, line 4-10; continue to monitor traffic for policy/rule compliance (e.g., for a predetermined period of time) and detected passwords based on network monitoring can be hashed prior to performing the comparison operation).
4.	Claims 9 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Ashley in view of Todorov and Estehghari et al. (US Pub. 2015/0304315), hereinafter Estehghari, filed on Apr. 17, 2014.
Regarding claim 9, Ashley and Todorov teach apparatus of claim 1.
Ashley teaches a salt value is used in the hashing of the hashed credential, and wherein the instructions are further to cause the processor to add the salt value to the commonly used credentials and to apply the hash function to the commonly used credentials with the added salt value to generate the hashed versions of the commonly used credentials (col. 6, line 4-10 and col. 20, line 41-47 and col. 29, line 4-10; passwords, such as weak passwords or blacklist credentials, may be hashed using different salts prior to performing the comparison operation).

Estehghari teaches send the salt value to the remote server (para 83, line 1-8 and para 85, line 1-3; client device sends the UID to the server, which is a component of a salt S1)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Ashley and Todorov to incorporate the teachings of Estehghari to provide client device sends the UID to the server, which is a component of a salt S1.  Doing so would allow for providing shared access to an associated database using user authentication including a hashed password and a salt, as recognized by Estehghari.
Regarding claim 13, Ashley and Todorov teach method of claim 10.
Ashley teaches determining the salt value; and wherein the remote server is to add the determined salt value to the plurality of entries to generate entries with salt values and to generate the plurality of hashed entries of commonly used credentials with the salt values (col. 6, line 4-10 and col. 20, line 41-47 and col. 29, line 4-10; passwords, such as weak passwords or blacklist credentials, may be hashed using different salts prior to performing the comparison operation).

Estehghari teaches send the determined salt value to the remote server (para 83, line 1-8 and para 85, line 1-3; client device sends the UID to the server, which is a component of a salt S1)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Ashley and Todorov to incorporate the teachings of Estehghari to provide client device sends the UID to the server, which is a component of a salt S1.  Doing so would allow for providing shared access to an associated database using user authentication including a hashed password and a salt, as recognized by Estehghari.
5.	Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Ashley in view of Todorov and Grady et al. (US Pub. 2018/0007087), hereinafter Grady, filed on Jun. 30, 2016.
Regarding claim 16, Ashley and Todorov teach method of claim 15.
Ashley and Todorov do not teach based on a determination that the processor is not to determine whether the hashed credential matches a hashed entry of the plurality of hashed entries, send the accessed hashed credential to a 
Grady teaches based on a determination that the processor is not to determine whether the hashed credential matches a hashed entry of the plurality of hashed entries, send the accessed hashed credential to a remote server for the remote server to determine whether the hashed credential matches a hashed entry of the plurality of hashed entries (para 24, line 1-7 and line 20-24 and para 51, line 1-15; SDC 140 operating on the authentication server 130 monitors authentication traffic to determine whether the credentials are vulnerable to an attack and SDC 140 may check hashed credentials such as passwords).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Ashley and Todorov to incorporate the teachings of Grady to provide an authentication server to monitor authentication traffic by checking hashed credentials.  Doing so would allow for the monitoring of login attempts based on knowledge of compromised credentials and monitored credentials, as recognized by Grady.
Conclusion
6.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 

7.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to NHAN H NGUYEN whose telephone number is (571)272-6443.  The examiner can normally be reached on Monday-Friday 8:30am - 4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/NHAN HUU NGUYEN/Examiner, Art Unit 2492

/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492