DETAILED ACTION
This Office Action is in response to the application 16/710,313 filed on 12/11/2019.
Claims 1-20 have been examined and are pending.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.  This Action is made Non-FINAL.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-4, 10-13, and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Dean et al. (“Dean,” US 20200314644, filed July 11, 2017) in view of Sau et al. (“Sau,” US 20210385653, filed July 24, 2019). 
Regarding claim 1, Dean discloses a method, comprising: 
providing, by a first node of a plurality of nodes, a master authentication key to a second node of the plurality of nodes (Dean FIGs. 1, 6, [0122]-[0123], [0136]. Process 600 can be divided into two parts — the first part relates to the LUK [limited use key] generation (blocks 602 to 614), which may be performed by a processing network, token platform, or host system; and the second part relates to the transaction cryptogram generation (blocks 616-620), which may be performed by a portable communication device. In some embodiments, the first encryption key 602 may be a master derivation key (MDK) associated with the issuer of the account associated with the account information 604, and the first encryption key 602 can be maintained at the processing network or the host system. In the cloud-based payments techniques described herein, contactless interface 908 can be accessed by the mobile OS 914 without requiring the use of a secure element); 
receiving, by the first node, from a third node of the plurality of nodes, a temporary child authentication key derived from the master authentication key by the second node (Dean FIGs. 1, 6, [0046],  [0123], [0126]. The set of one or more limited - use thresholds may include at least one of a time - to - live indicating the duration of time for which the LUK is valid. Process 600 may begin by encrypting account information 604 with a first encryption key 602 using an encryption function 606 to generate a second encryption key 608. In some embodiments , the first encryption key 602 may be a master derivation key ( MDK ). Process 600 may continue by encrypting key index information 610 with the second encryption key 608 using an encryption function 612 to generate the limited - use key ( LUK ) 614.); and 
providing, by the first node, the third node access to the portion of the resource (Dean [0062]-[0063]. For example, if issuer/host system 172 does not have the capability to verify the transaction cryptogram, the processing network 194 or issuer/host system 172 may forward the transaction cryptogram to token platform 180 for verification. [Note that the cryptogram can be generated with a LUK key, see [0128].] After the issuer/host system 172 decides if the transaction is authorized or not, it generates an authorization response message to indicate if the current transaction is authorized or not.). 
Dean does not explicitly disclose: processing, by the first node, the temporary child authentication key to determine which portion of a resource to allow the third node to access. 
However, in an analogous art, Sau discloses a method comprising the step of processing, by the first node, the temporary child authentication key to determine which portion of a resource to allow the third node to access (Sau FIG. 9, [0099]. Following with the example of FIG . 9 , once initial authentication has been completed at 910 , the user is granted access at 912 , and the STSM key has been established at 914 , the device 902 and network application 905 will establish a short - term symmetric advertising key at 916 , denoted again here as STSA - 1. Once a STSA key has been established, the device 902 will again periodically compute and advertise an authentication code , shown as steps 918 , based at least in part on the active STSA key . Such routine advertisement will allow the application 905 to confirm the maintained presence of the authenticated user and device within its vicinity and thus maintain the granted access to the resource 906 at 920 until the STSA key expires.).   
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Sau and Dean to include the step of: processing, by the first node, the temporary child authentication key to determine which portion of a resource to allow the third node to See Sau [0099].)
Regarding claim 2, Dean and Sau disclose the method of claim 1. Sau further discloses further comprising authenticating the second node with the first node; and wherein providing, by the first node, the master authentication key to the second node comprises providing, by the first node, the master authentication key to the second node after authenticating the second node with the first node (Sau [0096]. In this particular example , the device 902 and application 905 will execute a prescribed security protocol , for example , using public key cryptography and certificates , to establish a secure connection there-between. For example , in session resumption , after an initial successful authentication , a symmetric key ( “ master secret ” or “ master key " , noted herein as short term symmetric master ( STSM ) key ) can be used for subsequent authentication to reduce subsequent authentication latency by removing the need to send certificates over the network and the need to perform public key operations ( which are more computationally - intensive than symmetric key operations ) .). 
The motivation is the same as that of claim 1 above. 
Regarding claim 3, Dean and Sau disclose the method of claim 1. Dean further discloses wherein the temporary child authentication key is derived by the second node from the master authentication key using a child key function (Dean FIGs. 1, 6, [0046],  [0123], [0126]. The set of one or more limited - use thresholds may include at least one of a time - to - live indicating the duration of time for which the LUK is valid. Process 600 may begin by encrypting account information 604 with a first encryption key 602 using an encryption function 606 to generate a second encryption key 608. In some embodiments , the first encryption key 602 may be a master derivation key ( MDK ). Process 600 may continue by encrypting key index information 610 with the second encryption key 608 using an encryption function 612 to generate the limited - use key ( LUK ) 614.). 
Regarding claim 4, Dean and Sau disclose the method of claim 3. Dean discloses further comprising sharing, between the first node and the second node, the child key function (Dean FIGs. 1, 6, [0122], [0123], [0126]. Process 600 can be divided into two parts — the first part relates to the LUK generation ( blocks 602 to 614 ) , which may be performed by a processing network , token platform , or host system ; and the second part relates to the transaction cryptogram generation ( blocks 616-620 ) , which may be performed by a portable communication device [note the payment system can be implemented in cloud, see [0136].] Process 600 may begin by encrypting account information 604 with a first encryption key 602 using an encryption function 606 to generate a second encryption key 608. In some embodiments , the first encryption key 602 may be a master derivation key ( MDK ). Process 600 may continue by encrypting key index information 610 with the second encryption key 608 using an encryption function 612 to generate the limited - use key ( LUK ) 614.). 
Regarding claim 10, claim 10 is directed to a computer-readable storage medium corresponding to the method of claim 1. Claim 10 is similar in scope to claim 1 and is therefore rejected under similar rationale. 
Regarding claim 11, claim 11 is directed to a computer-readable storage medium corresponding to the method of claim 2. Claim 11 is similar in scope to claim 2 and is therefore rejected under similar rationale. 
Regarding claim 12, claim 12 is directed to a computer-readable storage medium corresponding to the method of claim 3. Claim 12 is similar in scope to claim 3 and is therefore rejected under similar rationale. 
Regarding claim 13, claim 13 is directed to a computer-readable storage medium corresponding to the method of claim 4. Claim 13 is similar in scope to claim 4 and is therefore rejected under similar rationale. 
Regarding claim 18, claim 18 is directed to a system corresponding to the method of claim 1. Claim 18 is similar in scope to claim 1 and is therefore rejected under similar rationale. 
Regarding claim 19, claim 19 is directed to a system corresponding to the method of claim 2. Claim 19 is similar in scope to claim 2 and is therefore rejected under similar rationale. 
Claims 5-6, 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over Dean et al. (“Dean,” US 20200314644, filed July 11, 2017) in view of Sau et al. (“Sau,” US 20210385653, filed July 24, 2019) and Gluck et al. (“Gluck,” US 20200076827, filed Sep. 4, 2018). 
Regarding claim 5, Dean and Sau disclose the method of claim 4. Dean and Sau do not explicitly disclose: wherein the master authentication key comprises a main key field and a temporary key field; wherein the main key field comprises a main key string; and wherein the temporary key field comprises a child key value. 
However, in an analogous art, Gluck discloses a method comprising the step of: wherein the master authentication key comprises a main key field and a temporary key field; wherein the main key field comprises a main key string; and wherein the temporary key field comprises a child key value (Gluck FIG. 14, [0149].  At 1402, an index 1404 that hasn't been used with a master public key 1318 is selected. For example, the master public key 1318 may be the master-block master public key 1318a of FIG. 13. The index 1404 is a value used to distinguish overrides generated from the master public key 1318 and may, for example, be an integer or some other suitable value. In some embodiments, an index counter is maintained for the master public key 1318 across invocations of the dynamic override-generation process and the current value of the index counter is used as the index 1404. [Note FIG. 14 for using the master key and index/counter as a basis for generating child keys.]). 
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Gluck with the teachings of Dean and Sau to include the step of: wherein the master authentication key comprises a main key field and a temporary key field; wherein the main key field comprises a main key string; and wherein the temporary key field comprises a child key value, to provide users with a means for using an assigned index and a master key string as a basis for generating child keys. (See Gluck [0149].)
Regarding claim 6, Dean, Sau and Gluck disclose the method of claim 5. Dean further discloses wherein the temporary child authentication key comprises a prefix and an output; and wherein the prefix identifies the temporary child authentication key to the first node (Dean FIG. 6, [0126]. The key index information 610 may be derived from a key index that includes information pertaining to the generation of the LUK 614 , and that may be used as a seed to generate LUK 614. For example , the key index may include time information indicating when the LUK 614 is being generated . In some embodiments , the time information can be represented as the numeric string ‘ YHHHH '. In some embodiments, the key index may also include a replenishment counter value indicating the number of times that the LUK 614 has been renewed or replenished in a predetermined time period ( e.g. , number of times LUK 614 has been generated in each hour ) . For example, the replenishment counter value can be represented as the numeric string ‘CC ' ( 00-99 ) . At the beginning of each hour, ‘ CC ' starts at 00 and is incremented by 1 each time LUK 614 is generated.).
Regarding claim 14, claim 14 is directed to a computer-readable storage medium corresponding to the method of claim 5. Claim 14 is similar in scope to claim 5 and is therefore rejected under similar rationale. 
Regarding claim 15, claim 15 is directed to a computer-readable storage medium corresponding to the method of claim 6. Claim 15 is similar in scope to claim 6 and is therefore rejected under similar rationale. 

Claims 7-9, 16-17 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Dean et al. (“Dean,” US 20200314644, filed July 11, 2017) in view of Sau et al. (“Sau,” 
Regarding claim 7, Dean, Sau and Gluck disclose the method of claim 6. Dean further discloses determining, by the first node, based upon the prefix of the temporary child authentication key, that the second node provided the temporary child authentication key to the third node (Dean [0114]. For example, a computer in the processing network 330 may retrieve a key index indicating when the current LUK was generated from a data storage in the processing network 330, or from the authorization request message if it was transmitted from the portable communication device 410 to the access device 420 in step S406 . It may also compare this data to other variable data such as current counters or timestamps to determine if a new LUK is to be issued . For example , if a key index indicates that the current LUK was generated at 12:00 p.m. on Jan. 1 , 2017 , the current transaction time and date is 11:50 a.m. on Jan. 7 , 2017 , and the current LUK has a lifetime of one week , then the processing network 430 may automatically determine that a new LUK can be issued [Note that in par. [0126], key index can be a pre-fix on the LUK key].). 
Dean, Sau and Gluck do not explicitly disclose: wherein processing, by the first node, the temporary child authentication key to determine the portion of the resource to allow the third node to access comprises reversing, by the first node, the child key function to determine the portion of the resource to allow the third node to access.
However, in an analogous art, Smith discloses a system comprising the step of wherein processing, by the first node, the temporary child authentication key to determine the portion of the resource to allow the third node to access comprises reversing, by the Smith FIG. 2, [0050]. The set top box 400 may receive a key in encrypted form from, for example, an external source 420. Alternatively, an encrypted key may be transmitted from the signal provider in the broadcast stream and received at the receiver 112 of the set top box 400. The Root Key may be used to decrypt the encrypted keys (which are "sub keys", i.e. at lower levels in the key ladder). The sub keys can then be stored in the key memory 110 in accordance with the rules stored in the rules RAM 416 as described below. The subkeys [i.e., Content Keys 0, 1, 2, 3 in FIG. 2, each corresponding to certain designated content] may then be used for decrypting audio or video content received via the receiver 112 or for decrypting further keys in dependence on the rules of the key ladder.). 
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Smith with the teachings of Dean, Sau and Gluck to include the step of: wherein processing, by the first node, the temporary child authentication key to determine the portion of the resource to allow the third node to access comprises reversing, by the first node, the child key function to determine the portion of the resource to allow the third node to access, to provide users with a means for granting content access based on the availability of decrypted content keys. (See Smith [0050].)
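As an added illustration (not code from Dean, the applicant, or this Office), the following Python reconstructs the two-stage LUK derivation quoted from Dean [0123]/[0126] (MDK plus account information gives a second key; that key plus the key index gives the LUK, carried with the key index as a plaintext prefix) and the key-index lifetime check quoted from [0114]. HMAC-SHA256 stands in for Dean's unspecified encryption function, and the 'YHHHH' layout (year digit plus hour of year) and the one-week lifetime are assumptions taken from the quoted examples.

```python
"""Reconstruction of Dean's LUK derivation and key-index expiry check.
Added example; the sample keys and account values below are constructed."""
import hashlib
import hmac
from datetime import datetime, timedelta

LUK_LIFETIME = timedelta(weeks=1)  # Dean [0114] example: LUK lifetime of one week


def encode_key_index(generated_at: datetime, counter: int) -> str:
    """Build the 'YHHHH' + 'CC' key index of Dean [0126].
    Assumed layout: Y = last digit of the year, HHHH = zero-padded hour of
    the year, CC = per-hour replenishment counter (00-99)."""
    if not 0 <= counter <= 99:
        raise ValueError("replenishment counter must be 00-99")
    start_of_year = datetime(generated_at.year, 1, 1)
    hour_of_year = int((generated_at - start_of_year).total_seconds() // 3600)
    return f"{generated_at.year % 10}{hour_of_year:04d}{counter:02d}"


def decode_key_index(index: str, now: datetime):
    """Recover generation time and counter from a key index. The single year
    digit is resolved against the decade of 'now' (assumption, not in Dean)."""
    year_digit, hour_of_year, counter = int(index[0]), int(index[1:5]), int(index[5:7])
    year = now.year - (now.year % 10) + year_digit
    if year > now.year:  # digit belongs to the previous decade
        year -= 10
    return datetime(year, 1, 1) + timedelta(hours=hour_of_year), counter


def derive_luk(mdk: bytes, account_info: bytes, index: str) -> bytes:
    """Two-stage derivation of Dean process 600: MDK + account info -> second
    key (block 608); second key + key index -> LUK (block 614).
    HMAC-SHA256 replaces the unspecified encryption function (assumption)."""
    second_key = hmac.new(mdk, account_info, hashlib.sha256).digest()
    return hmac.new(second_key, index.encode(), hashlib.sha256).digest()


def issue_luk(mdk: bytes, account_info: bytes, generated_at: datetime, counter: int) -> str:
    """Issuing side: the credential carries the key index as a plaintext
    prefix so the verifying node can identify which LUK it is (claim 6)."""
    index = encode_key_index(generated_at, counter)
    return index + derive_luk(mdk, account_info, index).hex()


def verify_luk(mdk: bytes, account_info: bytes, credential: str, now: datetime) -> str:
    """Verifying side: recompute the LUK from the prefix and the stored MDK,
    compare in constant time, then apply the time-to-live threshold."""
    prefix, output = credential[:7], credential[7:]
    expected = derive_luk(mdk, account_info, prefix).hex()
    if not hmac.compare_digest(expected, output):
        return "invalid"
    generated_at, _counter = decode_key_index(prefix, now)
    if now - generated_at > LUK_LIFETIME:
        return "expired"  # Dean [0114]: a new LUK is to be issued
    return "valid"


def demo() -> dict:
    """Run the issue/verify flow on constructed values and return outcomes."""
    mdk = b"constructed-master-derivation-key"  # held by the verifying node
    account = b"constructed-account-info-0001"
    issued = issue_luk(mdk, account, datetime(2017, 1, 1, 12, 0), counter=0)
    tampered = issued[:-1] + ("0" if issued[-1] != "0" else "1")
    check_time = datetime(2017, 1, 7, 11, 50)  # time used in Dean [0114]
    return {
        "prefix": issued[:7],
        "fresh": verify_luk(mdk, account, issued, check_time),
        "stale": verify_luk(mdk, account, issued, datetime(2017, 1, 9, 0, 0)),
        "tampered": verify_luk(mdk, account, tampered, check_time),
        "wrong_account": verify_luk(mdk, b"other-account", issued, check_time),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```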
Regarding claim 8, Dean, Sau, Gluck and Smith disclose the method of claim 7. Dean further discloses wherein the resource comprises a hardware resource, a software resource, or a combination of hardware and software resources (Dean [0063]. After the issuer/host system 172 decides if the transaction is authorized or not, it generates an authorization response message to indicate if the current transaction is authorized or not. The authorization response message is then sent back to processing network 194 by the issuer/host system 172. Processing network 194 then sends the authorization response message back to the transport computer 174. In some embodiments, processing network 194 may decline the transaction even if issuer/host system 172 has authorized the transaction (e.g., if a fraud risk score is too high or if limited-use account parameters are exceeded). Transport computer 174 then sends the authorization response message to the merchant computer and/or access device 160.). 
Regarding claim 9, Dean, Sau, Gluck and Smith disclose the method of claim 8. Sau further discloses wherein the portion comprises a sector of the resource; and further comprising sectorizing, by the first node, a plurality of resources comprising the resource into a plurality of sectors comprising the sector (Sau [0083]. Accordingly , and as will be detailed below with reference to certain illustrative embodiments , each end user ( User A , B , and C ) may be attributed one or more customer access privileges or authorizations ( e.g. to Resource X , Y and / or Z ) to be implemented via their respective UAD 602 . To do so , respective digital certificates may be issued to accommodate such diversified access privileges ; namely User A may seek to enrol a user - specific certificate to access Resource X ( e.g. certificate ( A , X ) 620 ) ).). 
The motivation is the same as that of claim 8 above. 
Regarding claim 16, claim 16 is directed to a computer-readable storage medium corresponding to the method of claim 7. Claim 16 is similar in scope to claim 7 and is therefore rejected under similar rationale. 
Regarding claim 17, Dean, Sau, Gluck and Smith disclose the computer-readable storage medium of claim 16. Dean further discloses wherein the resource comprises a hardware resource, a software resource, or a combination of hardware and software resources (Dean [0063]. After the issuer / host system 172 decides if the transaction is authorized or not, it generates an authorization response message to indicate if the current transaction is authorized or not . The authorization response message is then sent back to processing network 194 by the issuer / host system 172. Processing network 194 then sends the authorization response message back to the transport computer 174. In some embodiments, processing network 194 may decline the transaction even if issuer / host system 172 has authorized the transaction ( e.g. , if a fraud risk score is too high or if limited - use account parameters are exceeded ) . Transport computer 174 then sends the authorization response message to the merchant computer and / or access device 160.). 
Sau further discloses wherein the portion comprises a sector of the resource; and further comprising sectorizing, by the first node, a plurality of resources comprising the resource into a plurality of sectors comprising the sector (Sau [0083]. Accordingly , and as will be detailed below with reference to certain illustrative embodiments , each end user ( User A , B , and C ) may be attributed one or more customer access privileges or authorizations ( e.g. to Resource X , Y and / or Z ) to be implemented via their respective UAD 602 . To do so , respective digital certificates may be issued to accommodate such diversified access privileges ; namely User A may seek to enrol a user - specific certificate to access Resource X ( e.g. certificate ( A , X ) 620 ) ).). 
The motivation is the same as that of claim 16 above. 
Regarding claim 20, Dean and Sau disclose the system of claim 19. Dean further discloses: 
wherein the operations further comprise sharing, between the first node and the second node, a child key function (Dean FIGs. 1, 6, [0122], [0123], [0126]. Process 600 can be divided into two parts — the first part relates to the LUK generation ( blocks 602 to 614 ) , which may be performed by a processing network , token platform , or host system ; and the second part relates to the transaction cryptogram generation ( blocks 616-620 ) , which may be performed by a portable communication device [note the payment system can be implemented in cloud, see [0136].] Process 600 may begin by encrypting account information 604 with a first encryption key 602 using an encryption function 606 to generate a second encryption key 608. In some embodiments , the first encryption key 602 may be a master derivation key ( MDK ). Process 600 may continue by encrypting key index information 610 with the second encryption key 608 using an encryption function 612 to generate the limited - use key ( LUK ) 614.); 
wherein the temporary child authentication key is derived by the second node from the master authentication key using the child key function (Dean FIGs. 1, 6, [0046],  [0123], [0126]. The set of one or more limited - use thresholds may include at least one of a time - to - live indicating the duration of time for which the LUK is valid. Process 600 may begin by encrypting account information 604 with a first encryption key 602 using an encryption function 606 to generate a second encryption key 608. In some embodiments , the first encryption key 602 may be a master derivation key ( MDK ). Process 600 may continue by encrypting key index information 610 with the second encryption key 608 using an encryption function 612 to generate the limited - use key ( LUK ) 614.); 
wherein the temporary child authentication key comprises a prefix and an output; wherein the prefix identifies the temporary child authentication key to the first node (Dean FIG. 6, [0126]. The key index information 610 may be derived from a key index that includes information pertaining to the generation of the LUK 614 , and that may be used as a seed to generate LUK 614. For example , the key index may include time information indicating when the LUK 614 is being generated . In some embodiments , the time information can be represented as the numeric string ‘ YHHHH '. In some embodiments, the key index may also include a replenishment counter value indicating the number of times that the LUK 614 has been renewed or replenished in a predetermined time period ( e.g. , number of times LUK 614 has been generated in each hour ) . For example, the replenishment counter value can be represented as the numeric string ‘CC ' ( 00-99 ) . At the beginning of each hour, ‘ CC ' starts at 00 and is incremented by 1 each time LUK 614 is generated.);
wherein the resource comprises a hardware resource, a software resource, or a combination of hardware and software resources (Dean [0063]. After the issuer/host system 172 decides if the transaction is authorized or not, it generates an authorization response message to indicate if the current transaction is authorized or not. The authorization response message is then sent back to processing network 194 by the issuer/host system 172. Processing network 194 then sends the authorization response message back to the transport computer 174. In some embodiments, processing network 194 may decline the transaction even if issuer/host system 172 has authorized the transaction (e.g., if a fraud risk score is too high or if limited-use account parameters are exceeded). Transport computer 174 then sends the authorization response message to the merchant computer and/or access device 160.).  
Sau further discloses wherein the portion comprises a sector of the resource; and wherein the operations further comprise sectorizing a plurality of resources comprising the resource into a plurality of sectors comprising the sector (Sau [0083]. Accordingly , and as will be detailed below with reference to certain illustrative embodiments , each end user ( User A , B , and C ) may be attributed one or more customer access privileges or authorizations ( e.g. to Resource X , Y and / or Z ) to be implemented via their respective UAD 602 . To do so , respective digital certificates may be issued to accommodate such diversified access privileges ; namely User A may seek to enrol a user - specific certificate to access Resource X ( e.g. certificate ( A , X ) 620 ) ).). 
Gluck further discloses wherein the master authentication key comprises a main key field and a temporary key field; wherein the main key field comprises a main key string; wherein the temporary key field comprises a child key value (Gluck FIG. 14, [0149].  At 1402, an index 1404 that hasn't been used with a master public key 1318 is selected. For example, the master public key 1318 may be the master - block master public key 1318a of FIG. 13. The index 1404 is a value used to distinguish overrides generated from the master public key 1318 and may, for example, be an integer or some other suitable value . In some embodiments, an index counter is maintained for the master public key 1318 across invocations of the dynamic override - generation process and the current value of the index counter is used as the index 1404. [Note FIG. 14 for using the master key and index/counter as a basis for generating child keys.]). 
See Gluck [0149].)
Smith further discloses wherein processing the temporary child authentication key to determine the portion of the resource to allow the third node to access comprises reversing the child key function to determine the portion of the resource to allow the third node to access (Smith FIG. 2, [0050]. The set top box 400 may receive a key in encrypted form from, for example, an external source 420. Alternatively, an encrypted key may be transmitted from the signal provider in the broadcast stream and received at the receiver 112 of the set top box 400. The Root Key may be used to decrypt the encrypted keys (which are "sub keys", i.e. at lower levels in the key ladder). The sub keys can then be stored in the key memory 110 in accordance with the rules stored in the rules RAM 416 as described below. The subkeys [i.e., Content Keys 0, 1, 2, 3 in FIG. 2, each corresponding to certain designated content] may then be used for decrypting audio or video content received via the receiver 112 or for decrypting further keys in dependence on the rules of the key ladder.). 
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Smith with the teachings of Dean, Sau and Gluck to include: wherein processing, by the See Smith [0050].)

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EDWARD LONG whose telephone number is (571)272-8961.  The examiner can normally be reached on Monday to Friday, 9 AM - 6 PM EST (Alternate Fridays).
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 



/EDWARD LONG/
Examiner, Art Unit 2439


/LUU T PHAM/            Supervisory Patent Examiner, Art Unit 2439