Acknowledgements
This communication is in response to applicant’s response filed on 08/16/2021.
Claims 1, 21, 23-24, 28, 30-31, and 35-36 have been amended. Claims 2, 4-6, and 9-20 are cancelled. 
Claims 1, 3, 7-8, and 21-36 are pending and have been examined.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 08/16/2021 has been entered.
 
Response to Arguments
Regarding applicant’s arguments:
Regarding applicant’s arguments under Claim Rejections - 35 USC § 103 that the combination of Rahat (US 8904195 B1) in view of Deliwala (US 20170061272) in further view of Beltramino (US 20170032370) does not teach “the second module matching the obtained target user information with user information in a logged-in state on the second module, and verifying that the target user information is in the logged-in state on the second module when the obtained target user information matches with the user information in the logged-in state on the second module; and after verifying that the first module is the trusted module and the target user information is in the logged-in state on the second module, the second module generating graphic code information and transmitting the graphic code information to the first module through the interface module,” in amended claim 1, and examiner respectfully argues that applicant’s arguments are moot in light of the new grounds of rejection necessitated by the amendments to claim 1. Applicant makes similar arguments for claims 24 and 31 as claim 1, and examiner respectfully argues applicant’s arguments are moot for the same reasons provided for claim 1 above.


Priority
Acknowledgment is made of applicant's claim for priority based on PCT Application No. PCT/CN2017/092449 filed on 07/11/2017. Acknowledgment is made of applicant's claim for foreign priority based on People’s Republic of China Application No. CN201610566676.6 filed on 07/18/2016.

Claim Interpretation 112(f)
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 

Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. 
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting 
a second module sending an encrypted session key to a first module; the second module receiving the encrypted target user information, decrypting the encrypted target user information with the session key, and in response to that the decryption is successful, the second module determining that the first module is a trusted module and obtaining the target user information; the second module matching the obtained target user information with user information in a logged-in state on the second module, and verifying that the target user information is in the logged-in state on the second module when the obtained target user information matches the user information in the logged-in state on the second module; and after determining that the first module is the trusted module and the target user information is in the logged-in state on the second module, the second module generating graphic code information and transmitting the graphic code information to the first module through the interface module in claims 1, 24, and 31; This element is interpreted under 112(f) as third-party payment application (Paragraphs 0129-0130).
the first module decrypting the encrypted session key, and in response to that the first module successfully completes the decryption and obtains the session key, the first module transmitting the session key to an interface moduleSMRH:4841-3214-2299.1-4-50GL-279138Application No.: 16/247,346 in claims 1, 24, and 31; This element is interpreted under 112(f) as terminal payment application (Paragraphs 0136-0137).

If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 3, 8, 21, 24-25, 27-28, 31-32, and 34-35 are rejected under 35 U.S.C. 103 as being unpatentable over Rahat (US 8904195 B1) in view of Deliwala (US 20170061272) in further view of Richards (US 20170286956).

Regarding Claims 1, 24, and 31, Rahat teaches the second module sending an encrypted session key to the first module (Col. 6, lines 14-33, teaches a user's action may initiate the communication between the mobile application (i.e., second module) and the secure element (i.e., comprises first module); in order to initiate the communication, the user may enter his password and/or PIN on the mobile application, and entry of the user's password and/or PIN may trigger the communication with the secure element; the mobile application may create a request string for the applet in the secure element consisting of the session key, a request payload, and the application hash and encrypt the request with the user's public key; the mobile application may send the encrypted request to the applet in the secure element); the first module decrypting the encrypted session key, and in response to that the first module successfully completes the decryption and obtains the session key, (Col. 6, lines 34-39, teaches the applet (i.e., first module) in the secure element may receive and decrypt the encrypted request with the user's private key that was securely stored in the applet in the secure element using the TSM; the applet may then retrieve the session key from the decrypted request and perform the requested operation); the first module using the session key to encrypt target user information, and transmitting the encrypted target user information to the second module (Col. 6, lines 39-46, teaches assume, for example, the task requested of the secure element is to check whether or not the password entered by the user is correct; thus, when the applet in the secure element determines that the password is correct, the applet may encrypt an affirmative response using the session key that was received in the request and send the response to the mobile application); the second module receiving the encrypted target user information, decrypting the encrypted target user information with the session key, and in response to that the decryption is successful, the second module determining that the first module is a trusted module and obtaining the target user information (Col. 6, lines 54-62, teaches upon receiving the encrypted response, the mobile application may decrypt the response with the session key that was previously stored on the mobile application; after decrypting the response, the mobile application has the affirmative response from the applet in the secure element in the clear and allowing the user’s log-on request).
However, Rahat does not explicitly teach the first module decrypting the encrypted session key, and in response to that the first module successfully completes the decryption and obtains the session key, the first module transmitting the session key to the interface module; and the interface module using the session key to encrypt target user information that is pre-associated with the interface module, and transmitting the encrypted target user information.
Deliwala from same or similar field of endeavor teaches the first module decrypting the encrypted session key, and in response to that the first module successfully completes the decryption and obtains the session key, the first module transmitting the session key to the interface module (Paragraphs 0024-0025 and 0030 teach a wallet provider application may interact with a wallet provider framework layer to provide functionality described in an API interface configured to communicate with a point-of-sale terminal external to mobile device, as well as a network SDK (i.e., interface module) and a network trusted app (i.e., first module); the network SDK may be provided by a transaction account network to serve as an interface between the network trusted app and wallet provider framework layer; in addition, the network SDK provides interface tools to interact with network trusted app and request decryption and/or encryption services; a mobile device may decrypt the session key and/or account data; the decryption may be carried out using the network trusted app, which may include a secure hardware element such as a TEE; the session key and account data may be returned by network trusted app and used by mobile device to authorize a subsequent transaction); and the interface module using the session key to encrypt target user information that is pre-associated with the interface module, and transmitting the encrypted target user information (Paragraphs 0032-0033 teach the mobile device may broadcast track 1 and/or track 2 data with a dynamically generated value; for example, a card security code (CSC) field may be used to transmit the dynamically generated value; the card security code field may be used to transmit a dynamically generated value generated from the session key rather than an actual CSC from a physical, plastic card or other account identification; the dynamically generated value may be a numeric, alphanumeric, or character based value based on a session key and may be generated remotely and downloaded to mobile device along with the session keys).
It would have been prima facie obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to have modified the base invention in Rahat, which teaches the second module receiving the encrypted target user information, decrypting the encrypted target user information with the session key, and in response to that the decryption is successful, the second module determining that the first module is a trusted module to incorporate the teachings of Deliwala for the first module to decrypt the encrypted session key, and in response to that the first module successfully completes the decryption and obtains the session key, the first module transmitting the session key to the interface module; and the interface module using the session key to encrypt target user information that is pre-associated with the interface module, and transmitting the encrypted target user information.
There is motivation to combine Deliwala into Rahat because session keys are faster, more efficient, and more conducive to real-time collaboration than their asymmetric (public-key cryptography, or PKC) alternatives. In addition, session keys offer added protection because the key is temporary and is discarded after it has been used to establish a secure communication channel.
However, the combination of Rahat and Deliwala does not explicitly teach the second module matching the obtained target user information with user information in a logged-in state on the second module, and verifying that the target user information is in the logged-in state on the second module when the obtained target user information matches the user information in the logged-in state on the second module; and after determining that the first module is the trusted module and the target user information is in the logged-in state on the second module, the second module generating graphic code information and transmitting the graphic code information to the first module through the interface module.
Richards from same or similar field of endeavor teaches the second module matching the obtained target user information with user information in a logged-in state on the second module, and verifying that the target user information is in the logged-in state on the second module when the obtained target user information matches the user information in the logged-in state on the second module (Paragraphs 0022, 0024, and 0033 teach a customer interacting with a retailer mobile device app (i.e., first module) initiating a purchase (i.e., a customer or user provides user information on the retailer mobile device app to initiate a check-out); the customer may then be presented with one or more payment options such as to provide authenticated payment account data via one or more banking or payment account apps that are also present on the mobile device; note that the retailer app, via interaction with an application programming interface (API) of an operating system of the mobile device may be aware of one or more banking or payment account apps that are also present on the mobile device; the API call is then received by the banking or payment app (i.e., second module) causing the banking or payment app to launch; the user will then be requested to authenticate their identity, such as by providing a user name and password or other authenticating input; once the user is authenticated, the banking or payment app will then present a representation of the payment request data received from the retailer app (i.e., target user information) and provide selectable options to approve, deny, or cancel the payment request; the banking or payment account may then receive an authorization of the payment authorization request from the payment authorization process and present a user interface on the mobile device within which the approval or denial input is received; such embodiments operate to first verify that the payment transaction is approved by the payment authorization process of the custodian of the payment account, such as a bank or credit card issuer, before providing the user an option to approve the received payment request); and after determining that the first module is the trusted module and the target user information is in the logged-in state on the second module, the second module generating graphic code information and transmitting the graphic code information to the first module through the interface module (Paragraphs 0026-0027 and 0030-0031 teach when the user provides approval input to approve the payment requested by the banking or payment app, the banking or payment app may return approved to the retailer app with payment card/account data or an abstraction thereof, such as a tokenized version of the data which may include a hashing of at least a portion of the data; the retailer app receives the approval and payment account data and processes the payment via a retailer backend system; the authorized payment output includes payment account data for processing of the payment request on a payment processing network; generating the authorized payment output includes generating a scannable barcode encoded with data to facilitate processing of the requesting payment by a source of the payment authorization request and presenting the scannable barcode on a display of the mobile device).
It would have been prima facie obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to have modified the base invention in the combination of Rahat and Deliwala, which teaches the first module decrypting the encrypted session key, and in response to that the first module successfully completes the decryption and obtains the session key, the first module transmitting the session key to the interface module; and the interface module using the session key to encrypt target user information that is pre-associated with the interface module, and transmitting the encrypted target user information; the second module receiving the encrypted target user information, decrypting the encrypted target user information with the session key, and in response to that the decryption is successful, the second module determining that the first module is a trusted module and obtaining target user information to incorporate the teachings of Richards for the second module to match the obtained target user information with user information in a logged-in state on the second module, and verify that the target user information is in the logged-in state on the second module when the obtained target user information matches the user information in the logged-in state on the second module; and after determining that the first module is the trusted module and the target user information is in the logged-in state on the second module, the second module generates graphic code information and transmitting the graphic code information to the first module through the interface module.
There is motivation to combine Richards into the combination of Rahat and Deliwala because the base invention is improved because a consumer is enabled to initiate a transaction via one channel and to securely provide payment data (i.e., graphic code information), such as credit or debit card data and authorization via a second channel. For example, a consumer or other payor may initiate a transaction within a first mobile device app and when payment details are to be provided, be taken automatically to a second mobile device app, such as a banking app or app of a payment card provider, to login and authorize the payment. The second mobile device app may then return payment card data to the first mobile device app which then initiates processing of the payment (Richards Paragraph 0011).

Regarding Claims 3, 25, and 32, the combination of Rahat, Deliwala, and Richards teaches all the limitations of claims 1, 24, and 31 above; and Rahat further teaches further comprising the second module generating the session key (Col. 6, lines 23-27, teaches the mobile application may generate and temporarily store a random 128-bit number in volatile memory of the mobile device for use as a session key for encryption of communications from the secure element), and encrypting the session key before sending the encrypted session key to the first module (Col. 6, lines 27-33, teaches the mobile application may create a request string for the applet in the secure element consisting of the session key, a request payload, and the application hash and encrypt the request with the user's public key; thereafter, the mobile application may send the encrypted request to the applet in the secure element).

Regarding Claims 8, 27, and 34, the combination of Rahat, Deliwala, and Richards teaches all the limitations of claims 1, 24, and 31 above; and Rahat further teaches wherein the target user information is pre-associated with the interface module by: the second module sending user identity authorization information, which is in a logged-in state, to the first module through the interface module (Col. 6, lines 14-22 teaches a user's action may initiate the communication between the mobile application and the secure element; for example, a user may wish to log into an application or run an application using his or her mobile application and the secure element; in order to initiate the communication, the user may enter his password and/or PIN on the mobile application, and entry of the user's password and/or PIN may trigger the communication with the secure element); the first module sending the user identity authorization information, a public key preset in a Trusted Execution Environment (TEE), and a preset unique device identifier of the device to a second server corresponding to the second module through a first server corresponding to the first module (Col. 5, lines 26-55 and Col. 6, lines 23-33, teach a private key may be stored on the secure element using a trusted service manager (TSM); the TSM may be a server that functions as a secure communication hub between the secure element and a third party, such as a financial institution; thus, if the financial institution wishes to install anything securely in the vault referred to as the secure element, the financial institution may communicate with the TSM which may, in turn, communicate with the secure element on a secure channel; the financial institution may communicate with the TSM, whereupon the TSM may open the secure channel with the secure element and store the keys in the secure element; unique private and public keys of a key pair may be generated for each user in advance of deployment, and the mobile application for a particular user may be packaged with the user's public key; the mobile application may create a request string for the applet in the secure element consisting of the session key, a request payload, and the application hash and encrypt the request with the user's public key; thereafter, the mobile application may send the encrypted request to the applet in the secure element); and the first module receiving the target user information and transmitting the target user information to the interface module, wherein the target user information is transmitted by the second server corresponding to the second module through the first server corresponding to the first module after the second server corresponding to the second module verifies the user identity authorization information to be correct (Col. 6, lines 34-46 teaches the applet in the secure element may receive and decrypt the encrypted request with the user's private key that was securely stored in the applet in the secure element using the TSM; the applet may then retrieve the session key from the decrypted request and perform the requested operation; assume, for example, the task requested of the secure element is to check whether or not the password entered by the user is correct; thus, when the applet in the secure element determines that the password is correct, the applet may encrypt an affirmative response using the session key that was received in the request and send the response to the mobile application).
However, the combination does not explicitly teach wherein the target user information is pre-associated with the interface module by: the first module initiating an association request to the second module through the interface moduleSMRH:4841-3214-2299.1-5-.
Deliwala from same or similar field of endeavor teaches wherein the target user information is pre-associated with the interface module by: the first module initiating an association request to the second module through the interface module (Paragraphs 0019 and 0024 teach the mobile device may contains and/or run a network software development kit (SDK) and a network trusted app configured to interface with an account provider network; the network allows other applications to interface with the issuer network; a wallet provider framework layer may provide functionality described in an API interface configured to communicate with a point-of-sale terminal external to mobile device, as well as a network SDK and a network trusted app; the network SDK may be provided by a transaction account network to serve as an interface between the network trusted app and wallet provider framework layer).
It would have been prima facie obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to have modified the base invention in the combination of Rahat, Deliwala, and Richards to incorporate the further teachings of Deliwala for the first module to initiate an association request to the second module through the interface module.
There is motivation to combine Deliwala into the combination of Rahat, Deliwala, and Richards because of the same reasons listed above for claims 1, 24, and 31.

Regarding Claims 21, 28, and 35, the combination of Rahat, Deliwala, and Richards teaches all the limitations of claims 1, 24, and 31 above; and Rahat further teaches the second module encrypting the session key with a public key of the first module (Col. 6, lines 23-31, teaches the mobile application may create a request string for the applet in the secure element consisting of the session key, a request payload, and the application hash and encrypt the request with the user's public key); and wherein the first module decrypting the encrypted session key comprises the first module decrypting the encrypted session key with the private key of the first module (Col. 6, lines 34-37, teaches the applet in the secure element may receive and decrypt the encrypted request with the user's private key that was securely stored in the applet in the secure element).

Claims 7, 26, and 33 are rejected under 35 U.S.C. 103 as being unpatentable over Rahat (US 8904195 B1) in view of Deliwala (US 20170061272) in further view of Richards (US 20170286956) in further view of Beltramino (US 20170032370).

Regarding Claims 7, 26, and 33, the combination of Rahat, Deliwala, and Richards teaches all the limitations of claims 1, 24, and 31 above; however, the combination does not explicitly teach wherein the second module generating and transmitting the graphic code information to the first module through the interface module comprises: the second module using the session key to encrypt the graphic code information and transmitting the encrypted graphic code information to the interface module; and the interface module receiving the encrypted graphic code information, decrypting the encrypted graphic code information with the session key obtained from the first module, and transmitting the decrypted graphic code information to the first module.
Beltramino from same or similar field of endeavor teaches wherein the second module generating and transmitting the graphic code information to the first module through the interface module comprises: the second module using the session key to encrypt the graphic code information and transmitting the encrypted graphic code information to the interface module (Paragraph 0032 teaches a secure storage component or memory of a consumer's mobile device to illustrate some software aspects according to embodiments; the consumer downloads a secure mobile wallet application (i.e., second module) and provisions the mobile wallet application so that it contains personal financial data; as is known, such a mobile wallet application can be used by the consumer to conduct electronic payment transactions with a merchant, for example, by selecting a payment card account from the application and then providing identification data (such as a Mobile PIN) that authenticates the consumer to the payment network (see FIG. 2); the secure storage component may also include a secure transaction database for storing one or more single use keys and transaction identifiers (W_SUKs and Tx IDs) received from a Mobile Wallet server computer, and a QR Code generator application; such a QR code generator may utilize encrypted wallet session key (W_SK) and encrypted transaction data to generate a QR code for a single transaction); and the interface module receiving the encrypted graphic code information, decrypting the encrypted graphic code information with the session key obtained from the first module, and transmitting the decrypted graphic code information to the first module (Paragraphs 0038-0039 teaches after the transaction data is encrypted, in some implementations, the secure mobile wallet application causes a QR code generator to generate the QR code (which is a machine readable code) and then causes the mobile device processor to display the QR code on a display screen of the consumer's mobile device, and the process then ends; the QR code is displayed for a predetermined amount of time, after which time expires the QR code disappears from the display screen (for security purposes); when the QR code is displayed on the screen, the consumer then presents the display screen of his or her mobile device to a scanner or QR code reader connected to a merchant's POS terminal so that the QR code can be scanned; the merchant's scanner reads the QR Code and passes the encoded data containing the Tx ID, the timestamp and encrypted data to the Merchant System, which passes the encoded data and additional transaction information to the Wallet Server computer; the Wallet Server computer then decodes and/or decrypts the transaction data and also verifies and/or validates the transaction data; the Wallet Server computer looks up the W_SK using the Tx ID, and then uses the W_SK to decrypt the transaction data and to retrieve the Tx ID, the timestamp, the Wallet ID and the payment card ID; next, the Wallet Server compares the stored Tx ID and the timestamp with the Tx ID and the timestamp passed from the QR Code; if the values match, then the purchase transaction proceeds).
It would have been prima facie obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Rahat, Deliwala, and Richards to incorporate the teachings of Beltramino for the second module to generate and transmit the graphic code information to the first module through the interface module comprises: the second module using the session key to encrypt the graphic code information and transmitting the encrypted graphic code information to the interface module; and the interface module receiving the encrypted graphic code information, decrypting the encrypted graphic code information with the session key obtained from the first module, and transmitting the decrypted graphic code information to the first module.
There is motivation to combine Beltramino into the combination of Rahat, Deliwala, and Richards because the base invention is improved because a consumer is permitted to securely conduct a purchase transaction using the graphic code information because the process for providing graphic code information is secure, which prevents the graphic code information from being stolen or intercepted by a fraudulent party.

Claims 22-23, 29-30, and 36 are rejected under 35 U.S.C. 103 as being unpatentable over Rahat (US 8904195 B1) in view of Deliwala (US 20170061272) in further view of Richards (US 20170286956) in further view of Wary (US 20160080338).

Regarding Claims 22 and 29, the combination of Rahat, Deliwala, and Richards teaches all the limitations of claims 1 and 24 above; and Rahat further teaches the second module encrypting the session key with a public key of the first module (Col. 6, lines 23-31, teaches the mobile application may create a request string for the applet in the secure element consisting of the session key, a request payload, and the application hash and encrypt the request with the user's public key).
However, the combination does not explicitly teach the second module encrypting the random number and the session key.
Wary from same or similar field of endeavor teaches the second module generating a random number, wherein the second module sending the encrypted session key to the first module comprises: the second module encrypting the random number and the session key (Paragraphs 0057 and 0064 teach a cryptographic material is generated by the supervision program, for the current request for execution comprising a random value G, a crypto-system C and a session key Ksess; the crypto-system C comprises at least one cryptographic encryption function; execution of the third application triggers a request to the user to input a service PIN code on a man-machine interface of the mobile terminal; the third application calculates an authentication value for the attention of the secure application by means of the previously mentioned cryptographic material). 
It would have been prima facie obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Rahat, Deliwala, and Richards to incorporate the teachings of Wary for the second module to encrypt the random number and the session key.
There is motivation to combine Wary into the combination of Rahat, Deliwala, and Richards because the choice of the cryptographic functions intended to generate the crypto-system C can be directed by the random value G, and therefore vary at each implementation of the method. The choice of the functions of which the crypto-system is composed is then random. Featuring among these cryptographic functions are symmetric cryptographic algorithms parametrized by a secret key, for example AES, “DES” (“Data Encryption Standard”), 3DES. Linear feedback shift registers (“LFSRs”) may also be used to produce strings of pseudo-random numbers (Paragraph 0067).

Regarding Claims 23 and 30, the combination of Rahat, Deliwala, and Richards teaches all the limitations of claims 22 and 29 above; and Rahat further teaches wherein the first module decrypting the encrypted session key comprises: the first module decrypting the encrypted session key with the private key of the first module (Col. 6, lines 34-37, teaches the applet in the secure element may receive and decrypt the encrypted request with the user's private key that was securely stored in the applet in the secure element using the TSM).
However, the combination does not explicitly teach the first module decrypting the encrypted random number and the encrypted random session key.
Wary from same or similar field of endeavor teaches the first module decrypting the encrypted random number and the encrypted random session key (Paragraph 0065 teaches the supervision program decrypts the authentication value transmitted in the second request for execution by the third application by applying the crypto-system C parametrized by the session key Ksess; if the decrypted authentication value is correct (“ok” branch in FIG. 1), this signifies that the service PIN code obtained by decryption of this value is correct; this service PIN code then allows the execution of the secure application; the decryption of the authentication value constitutes an implicit authentication of the third application by the security element; indeed, if the decryption is performed correctly, then this signifies that the security element and the third application share the same session key Ksess and the same crypto-system C).
It would have been prima facie obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Rahat, Deliwala, and Richards to incorporate the teachings of Wary for the first module to decrypt the encrypted random number and the encrypted random session key.
There is motivation to combine Wary into the combination of Rahat, Deliwala, and Richards because of the same reasons listed above for claims 22 and 29.

Regarding Claim 36, the combination of Rahat, Deliwala, and Richards teaches all the limitations of claim 31 above; and Rahat further teaches the second module encrypting the session key with a public key of the first module (Col. 6, lines 23-31, teaches the mobile application may create a request string for the applet in the secure element consisting of the session key, a request payload, and the application hash and encrypt the request with the user's public key); and wherein the first module decrypting the encrypted session key comprises: the first module decrypting the encrypted session key with the private key of the first module (Col. 6, lines 34-37, teaches the applet in the secure element may receive and decrypt the encrypted request with the user's private key that was securely stored in the applet in the secure element using the TSM).
However, the combination does not explicitly teach the second module generating a random number, wherein the second module sending the encrypted session key to the first module comprises: the second module encrypting the random number and the session key; and the first module decrypting the encrypted random number and the encrypted random session key.
Wary from same or similar field of endeavor teaches the second module generating a random number, wherein the second module sending the encrypted session key to the first module comprises: the second module encrypting the random number and the session key (Paragraphs 0057 and 0064 teach a cryptographic material is generated by the supervision program, for the current request for execution comprising a random value G, a crypto-system C and a session key Ksess; the crypto-system C comprises at least one cryptographic encryption function; execution of the third application triggers a request to the user to input a service PIN code on a man-machine interface of the mobile terminal; the third application calculates an authentication value for the attention of the secure application by means of the previously mentioned cryptographic material); and the first module decrypting the encrypted random number and the encrypted random session key (Paragraph 0065 teaches the supervision program decrypts the authentication value transmitted in the second request for execution by the third application by applying the crypto-system C parametrized by the session key Ksess; if the decrypted authentication value is correct (“ok” branch in FIG. 1), this signifies that the service PIN code obtained by decryption of this value is correct; this service PIN code then allows the execution of the secure application; the decryption of the authentication value constitutes an implicit authentication of the third application by the security element; indeed, if the decryption is performed correctly, then this signifies that the security element and the third application share the same session key Ksess and the same crypto-system C).
It would have been prima facie obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Rahat, Deliwala, and Richards to incorporate the teachings of Wary for the second module to encrypt the random number and the session key; and the first module to decrypt the encrypted random number and the encrypted random session key.
There is motivation to combine Wary into the combination of Rahat, Deliwala, and Richards because of the same reasons listed above for claims 22 and 29.
	
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Wu (US 20180330362) teaches a payment processing method and method and an intelligent device are provided. The method may include: intercepting a payment request in a target application program (application, APP) in the intelligent device, the payment request including a payment parameter; obtaining attribute information of the target application program by using a preset executable file; generating a graphic code according to the payment request; outputting the graphic code, so that a terminal device submits the payment parameter to a payment server by scanning the graphic code and reports account information to the payment server, and the payment server performs payment processing according to the payment parameter and the account information and returns a payment result; and feeding back the payment result to the target application program according to the attribute information of the target application program. The method can simplify a payment process and improve the payment efficiency.
Arumugam (US 10453050 B1) teaches systems and methods for flexible checkout. A customer conducting a payment or purchase transaction with a financial account or payment card may obtain a bar code, QR code or other symbol (associated with the financial account or payment card) to be scanned by a POS reader/scanner rather than swiping the payment card or even possessing any physical card. According to some embodiments, the customer may choose from at least two checkout options, for example, based on the type of merchant involved in the transaction. For checkout at a physical store, a single-use code or symbol may be generated and scanned by POS equipment in lieu of swiping a payment card. For e-commerce checkout, the customer may be directed to a one-click payment process wherein a one-time token is submitted to the online merchant in lieu of real payment card account data.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to COURTNEY JONES whose telephone number is (469)295-9137.  The examiner can normally be reached on 7:30 am - 5:00 pm CST (M-F).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neha Patel can be reached at (571) 270-1492.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/COURTNEY P JONES/Examiner, Art Unit 3685