Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

DETAILED ACTION
Claims 1-20 are pending in this office action. 

Priority
No priority is claimed.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 07/10/2020 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 7-16 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Kantorovskiy et al. (US 2018/0212965 A1, hereinafter Kantorovskiy), in view of Matsukawa et al. (US 2010/0268948 A1, Matsukawa hereinafter).
For claim 1, Kantorovskiy teaches a method comprising: receiving, by a computer system as part of a primary session with a client device (Fig. 2, 5; para 0026, 0031), a first request to access information on a primary domain associated with the computer system (Fig. 5; para 0045 - first request for first domain), wherein the first request includes a first authentication key (para 0045 - one or more types of authentication data or keys required for authentication); 
receiving, by the computer system as part of a sub-session with the client device, a second request to access information on a secondary domain associated with the computer system (para 0048 - as part of a sub-session, a redirection to the associated subdomain takes place as a second request to another domain or sub-domain), wherein the second request includes a second authentication key that includes: a session identifier of the primary session; and a second payload generated using the session key and an indicator of the secondary domain (para 
granting, by the computer system, the first and second requests using the first and second authentication keys, respectively (Fig. 5; para 0047, 0051-0056 - successful opening of both sessions based on authentication parameters and keys provided by the first session and received and utilized by the second session).
Although inclusion of various factors associated with connection sessions such as source/destination devices, session parameters etc. is commonly known in the art for connection authorization and validation of one or more associated connections, Kantorovskiy does not explicitly teach, whereas Matsukawa teaches, that the request includes an authentication key that was generated using a session key (para 0022-0023, 0032-0034 - authentication key generation involves or includes the session key corresponding to the concerned session). Based on Kantorovskiy in view of Matsukawa, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to utilize the teachings of Matsukawa in the system of Kantorovskiy, in order to incorporate associated connection session parameters in the generated authentication factors such as keys, to be used for connection authentication/authorization, thereby securing system connections by restricting the connections to authorized entities and for authorized purposes or destinations.

For claim 2, Kantorovskiy in view of Matsukawa teaches the claimed subject matter as discussed above. Kantorovskiy further teaches the first authentication key produces a payload generated with a session key and an indicator of the primary domain (Fig. 5; para 0045 - first request for first domain i.e. indicating the request to a specific first domain; para 0046-0047 - an assertion (key with authentication factors such as user_id and PDKEY) created owing to the first request, which comprises a key and a session identifier; Fig. 5-7; para 0047-0054 - second request has corresponding parameters referenced via the second authentication mechanism using the assertion (key) as payload). Kantorovskiy does not explicitly teach, whereas Matsukawa teaches the first authentication key includes a payload generated using a session key wherein the first authentication key includes: the session identifier (para 0022-0023, 0032-0034 - authentication key generation involves or includes the session key corresponding to the concerned session wherein the authentication key also comprises data or payload generated based on parameters).

For claim 3, Kantorovskiy in view of Matsukawa teaches the claimed subject matter as discussed above. Kantorovskiy further teaches wherein granting the second request using the second authentication key includes: using the session identifier to look up the session key, generating an authentication payload using the session key and an indicator of the secondary domain, and matching the received second payload to the authentication payload (para 0046-0047 - the second request includes and utilizes an assertion created owing to the first request, wherein the assertion includes session identifier supplied by the primary session and used to create an authenticated session with the second domain or subdomain, and wherein the session_id and PDKEY are used to retrieve the session specific protection data in order to navigate to the second domain; Fig. 5-7; para 0047-0054 - second request has corresponding parameters referenced via the second authentication mechanism using assertion (key) as payload which further comprises session id key and authentication parameters for protection data retrieval).

For claim 4, Kantorovskiy in view of Matsukawa teaches the claimed subject matter as discussed above. Kantorovskiy further teaches wherein the second payload is generated using the session key, the indicator of the secondary domain, and a refresh token (Fig. 5-7; para 0045-0054 - second request has corresponding parameters referenced via the second authentication mechanism using the assertion (key) as payload which further comprises session id key and authentication parameters for protection data retrieval, wherein the assertion includes the session identifier supplied by the primary session and used to create an authenticated session with the second domain or subdomain, and wherein the session_id and PDKEY are used to retrieve the session specific protection data including application token in order to navigate to the second domain).

For claim 7, Kantorovskiy in view of Matsukawa teaches the claimed subject matter as discussed above. Kantorovskiy further teaches wherein granting the second request includes determining that the primary session has not expired (para 0045-0050 - the primary domain session remains active; if it were logged out, the secondary connection would not be possible as that would be logged out as well).

For claim 8, Kantorovskiy in view of Matsukawa teaches the claimed subject matter as discussed above. Kantorovskiy further teaches wherein granting the second request includes determining that the second request is permitted in the secondary domain (Fig. 5-7; para 0045-0050, 0054 - assertion or keys are verified for the second domain before granting the second domain connection).

For claim 9, Kantorovskiy teaches a non-transitory computer readable medium having program instructions stored thereon that are capable of causing a computer system to perform operations (para 0077) comprising: receiving, as part of a primary session with a client device (Fig. 2, 5; para 0026, 0031), a first request to access information on a primary domain associated with the computer system (Fig. 5; para 0045 - first request for first domain), wherein the first request includes a first authentication key (para 0045 - one or more types of authentication data or keys required for authentication); 
receiving, as part of a sub-session with the client device, a second request to access information on a secondary domain associated with the computer system (para 0048 - as part of a sub-session, a redirection to the associated subdomain takes place as a second request to another domain or sub-domain), wherein the second request includes a second authentication key that includes: a session identifier of the primary session; and a second payload generated using the session key and an indicator of the secondary domain (para 0046-0047 - the second request includes and utilizes an assertion (key with authentication factors such as user_id and PDKEY) created owing to the first request, wherein the assertion includes session identifier supplied by the primary session and used to create an authenticated session with the second domain or subdomain; Fig. 5-7; para 0047-0054 - second request has corresponding parameters referenced via the second authentication mechanism using assertion (key) as payload which further comprises session id key and authentication parameters for protection data retrieval); and 
determining whether to authenticate the client device in the primary session and the sub-session using the first and second authentication keys, respectively (Fig. 5; para 0047, 0051-0056 - successful opening of both sessions based on authentication parameters and keys provided by the first session and received and utilized by the second session).
Although inclusion of various factors associated with connection sessions such as source/destination devices, session parameters etc. is commonly known in the art for connection authorization and validation of one or more associated connections, Kantorovskiy does not explicitly teach, whereas Matsukawa teaches, that the request includes an authentication key that was generated using a session key (para 0022-0023, 0032-0034 - authentication key generation involves or includes the session key corresponding to the concerned session). Based on Kantorovskiy in view of Matsukawa, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to utilize the teachings of Matsukawa in the system of Kantorovskiy, in order to incorporate associated connection session parameters in the generated authentication factors such as keys, to be used for connection authentication/authorization, thereby securing system connections by restricting the connections to authorized entities and for authorized purposes or destinations.

For claim 10, Kantorovskiy in view of Matsukawa teaches the claimed subject matter as discussed above. Kantorovskiy further teaches wherein the operations further comprise: generating, by the computer system, the session identifier; and sending, from the computer system to the client device, the session identifier as part of the primary session (Fig. 5-7; para 0045 - first request for first domain i.e. indicating the request to a specific first domain; para 0046-0047 - an assertion (key with authentication factors such as user_id and PDKEY) created owing to the first request or the primary session, which comprises a key and a session identifier; Fig. 5-7; para 0047-0054 - second request has corresponding parameters referenced via the second authentication mechanism using the assertion (key) as payload).

For claim 11, Kantorovskiy in view of Matsukawa teaches the claimed subject matter as discussed above. Kantorovskiy further teaches wherein the operations further comprise: generating, by the computer system, the session key; and sending, from the computer system to the client device, the session key as part of the primary session; wherein the session key is not sufficient to authenticate the client device in the sub-session (para 0046-0047 - the second request includes and utilizes an assertion (key with authentication factors such as user_id and PDKEY) created owing to the first request, wherein the assertion includes the session identifier supplied by the primary session and used to create an authenticated session with the second domain or subdomain; Fig. 5-7; para 0045 - first request for first domain i.e. indicating the request to a specific first domain; para 0046-0047 - an assertion (key with authentication factors such as user_id and PDKEY) created owing to the first request or the primary session, which comprises a key and a session identifier, wherein the session key or protection data key is required along with other verifications such as user and password).

For claim 12, Kantorovskiy in view of Matsukawa teaches the claimed subject matter as discussed above. Kantorovskiy further teaches wherein the primary session expires after a period of time; and wherein the sub-session remains valid as long as the primary session is valid (para 0045-0050 - the primary domain session remains active; if it were logged out, the secondary connection would not be possible as that would be logged out as well).

For claim 13, Kantorovskiy in view of Matsukawa teaches the claimed subject matter as discussed above. Kantorovskiy further teaches wherein the operations further comprise: receiving, from the client device, a third request to access information on the primary domain, wherein the third request includes an invalid authentication key that includes: the session identifier; and a third payload generated using the session key and an indicator of the secondary domain; and rejecting the third request based on the invalid authentication key (Fig. 4; para 0045-0050, 0071 - plurality of requests wherein if the user verification fails even with proper session parameters, the access request is denied).

For claim 14, Kantorovskiy in view of Matsukawa teaches the claimed subject matter as discussed above. Kantorovskiy further teaches wherein the operations further comprise: storing, at the computer system, the session identifier and the session key; and in response to determining that the primary session has ended, deleting, by the computer system, the session identifier and the session key (para 0036, 0045-0050, 0055, 0070, 0073 - the primary domain session remains active; if it were logged out, the secondary connection would not be possible as that would be logged out as well, and deletion of the assertion including session parameters such as identifiers and protection data keys).
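The mechanism recited in claims 1, 3, 7, 8, 11, 13 and 14 above, written out as a runnable Python model: the client forms the sub-session authentication key from the session identifier and a payload bound to the session key and the domain indicator, and the server looks up the session key by identifier, regenerates the payload for the requested domain, and rejects a payload bound to the wrong domain, a bare session key, an unpermitted domain, or an expired primary session. This is an added illustration, not code from the application or from the cited references; the HMAC construction, the host names used as domain indicators, and the in-memory session store are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed sample domains (assumption: a domain's "indicator" is its host name).
PRIMARY_DOMAIN = "app.example.com"
SECONDARY_DOMAIN = "api.example.com"
PERMITTED_SECONDARY_DOMAINS = {SECONDARY_DOMAIN}

# Server-side store: session identifier -> (session key, expiry timestamp).
_sessions: Dict[str, Tuple[bytes, float]] = {}


def start_primary_session(ttl_seconds: float = 900.0, now: Optional[float] = None) -> Tuple[str, bytes]:
    """Server: create the primary session; the identifier and key are what the client receives."""
    now = time.time() if now is None else now
    session_id = secrets.token_hex(16)
    session_key = secrets.token_bytes(32)
    _sessions[session_id] = (session_key, now + ttl_seconds)
    return session_id, session_key


def domain_payload(session_key: bytes, domain: str) -> str:
    """Payload generated from the session key and a domain indicator (HMAC-SHA256 assumed)."""
    return hmac.new(session_key, domain.encode(), hashlib.sha256).hexdigest()


def make_auth_key(session_id: str, session_key: bytes, domain: str) -> str:
    """Client: authentication key = session identifier concatenated with the domain-bound payload."""
    return session_id + "." + domain_payload(session_key, domain)


def end_session(session_id: str) -> None:
    """Server: delete the identifier and key once the primary session has ended."""
    _sessions.pop(session_id, None)


def grant_request(auth_key: str, requested_domain: str, now: Optional[float] = None) -> bool:
    """Server: decide whether a request carrying auth_key may access requested_domain."""
    now = time.time() if now is None else now
    try:
        session_id, received_payload = auth_key.split(".", 1)
    except ValueError:
        return False                    # no session identifier: the key alone is not sufficient
    entry = _sessions.get(session_id)   # use the identifier to look up the session key
    if entry is None:
        return False
    session_key, expiry = entry
    if now >= expiry:                   # primary session expired, so the sub-session is invalid too
        end_session(session_id)
        return False
    if requested_domain != PRIMARY_DOMAIN and requested_domain not in PERMITTED_SECONDARY_DOMAINS:
        return False                    # request is not permitted in that domain
    expected = domain_payload(session_key, requested_domain)
    # Constant-time match of the received payload against the regenerated one; a payload
    # bound to a different domain fails here even though the session identifier is valid.
    return hmac.compare_digest(received_payload, expected)


def demo() -> Dict[str, bool]:
    """Walk through the accepted and rejected cases; each entry is True when behaviour is as claimed."""
    t0 = 1_000_000.0                    # constructed clock value so the run is deterministic
    sid, skey = start_primary_session(ttl_seconds=900.0, now=t0)
    primary_key = make_auth_key(sid, skey, PRIMARY_DOMAIN)
    sub_key = make_auth_key(sid, skey, SECONDARY_DOMAIN)
    return {
        "primary_granted": grant_request(primary_key, PRIMARY_DOMAIN, now=t0 + 1),
        "sub_session_granted": grant_request(sub_key, SECONDARY_DOMAIN, now=t0 + 2),
        # Claim 13: secondary-domain payload presented on the primary domain is rejected.
        "cross_domain_rejected": not grant_request(sub_key, PRIMARY_DOMAIN, now=t0 + 3),
        # Claim 11: the session key by itself does not authenticate the sub-session.
        "bare_session_key_rejected": not grant_request(skey.hex(), SECONDARY_DOMAIN, now=t0 + 4),
        # Claim 8: a well-formed key for a domain the session may not use is rejected.
        "unpermitted_domain_rejected": not grant_request(
            make_auth_key(sid, skey, "other.example.com"), "other.example.com", now=t0 + 5),
        # Claims 7 and 12: once the primary session expires the sub-session is refused.
        "expired_rejected": not grant_request(sub_key, SECONDARY_DOMAIN, now=t0 + 901),
        # Claim 14: identifier and key are deleted when the primary session has ended.
        "deleted_after_end": sid not in _sessions,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'as claimed' if ok else 'UNEXPECTED'}")
```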

For claim 15, Kantorovskiy teaches a non-transitory computer readable medium having program instructions stored thereon that are capable of causing a client device to perform operations (para 0077) comprising: receiving, as part of a primary session with a remote computer system device (Fig. 2, 5; para 0026, 0031), a session identifier (Fig. 5-7; para 0045 - first request for first domain i.e. indicating the request to a specific first domain; para 0046-0047 - an assertion (key with authentication factors such as user_id and PDKEY) created owing to the first request or the primary session, which comprises a key and a session identifier; Fig. 5-7; para 0047-0054 - second request has corresponding parameters referenced via the second authentication mechanism using the assertion (key) as payload), wherein the primary session corresponds to a primary domain associated with the remote computer system (Fig. 5; para 0045 - first request for first domain);
generating a sub-session authentication key for a sub-session with the remote computer system using a session identifier of the primary session, the session key, and an indicator of a secondary domain associated with the remote computer system (para 0046-0047 - the second request includes and utilizes an assertion (key with authentication factors such as user_id and PDKEY) created owing to the first request, wherein the assertion includes session identifier supplied by the primary session and used to create an authenticated session with the second domain or subdomain; Fig. 5-7; para 0047-0054 - second request has corresponding parameters referenced via the second authentication mechanism using assertion (key) as payload which further comprises session id key and authentication parameters for protection data retrieval); and 
sending, from the client device to the remote computer system, a request to access information on the secondary domain, wherein the request includes the sub-session authentication key (Fig. 5-7; para 0045 - first request for first domain i.e. indicating the request to a specific first domain; para 0046-0047 - an assertion (key with authentication factors such as user_id and PDKEY) created owing to the first request or the primary session, which comprises a key and a session identifier; para 0048 - as part of a sub-session, a redirection to the associated subdomain takes place as a second request to another domain or sub-domain).
Although inclusion of various factors associated with connection sessions such as source/destination devices, session parameters etc. is commonly known in the art for connection authorization and validation of one or more associated connections, Kantorovskiy does not explicitly teach, whereas Matsukawa teaches, receiving, as part of a primary session, a session key corresponding to the primary session (para 0022-0023, 0032-0034 - authentication key generation involves or includes the session key corresponding to the concerned session). Based on Kantorovskiy in view of Matsukawa, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to utilize the teachings of Matsukawa in the system of Kantorovskiy, in order to incorporate associated connection session parameters in the generated authentication factors, to be used for connection authentication/authorization, thereby securing system connections by restricting the connections to authorized entities and for authorized sessions or destinations.

For claim 16, Kantorovskiy in view of Matsukawa teaches the claimed subject matter as discussed above. Kantorovskiy further teaches a first request with the corresponding first authentication key to access information on a primary domain associated with the computer system (Fig. 5; para 0045 - first request for first domain).
Kantorovskiy does not explicitly teach, whereas Matsukawa teaches generating, with the client device, a primary session authentication key for the primary session with the remote computer system using the session identifier, the session key (para 0021-0023, 0032-0034 - authentication key generation involves or includes session key corresponding to the concerned session); and
sending, from the client device to the remote computer system, a request to access information on the primary domain, wherein the request includes the primary session authentication key (Fig. 5; para 0045 - first request for first domain; para 0045 - one or more types of authentication data or keys required for authentication).

For claim 20, Kantorovskiy in view of Matsukawa teaches the claimed subject matter as discussed above. Kantorovskiy further teaches wherein the session key is not sufficient to authenticate the client device in the sub-session (para 0046-0047 - the second request includes and utilizes an assertion (key with authentication factors such as user_id and PDKEY) created owing to the first request, wherein the assertion includes the session identifier supplied by the primary session and used to create an authenticated session with the second domain or subdomain; Fig. 5-7; para 0045 - first request for first domain i.e. indicating the request to a specific first domain; para 0046-0047 - an assertion (key with authentication factors such as user_id and PDKEY) created owing to the first request or the primary session, which comprises a key and a session identifier, wherein the session key or protection data key is required along with other verifications such as user and password).


Claims 5-6, 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Kantorovskiy et al. (US 2018/0212965 A1, hereinafter Kantorovskiy), in view of Matsukawa et al. (US 2010/0268948 A1, Matsukawa hereinafter), and further in view of Gammel et al. (US 2014/0169557 A1, Gammel hereinafter).
For claim 5, Kantorovskiy in view of Matsukawa teaches the claimed subject matter as discussed above. Kantorovskiy further teaches wherein the second payload is generated using the session key, the indicator of the secondary domain, and a refresh token (Fig. 5-7; para 0045-0054 - second request has corresponding parameters referenced via the second authentication mechanism using the assertion (key) as payload which further comprises session id key and authentication parameters for protection data retrieval, wherein the assertion includes the session identifier supplied by the primary session and used to create an authenticated session with the second domain or subdomain, and wherein the session_id and PDKEY are used to retrieve the session specific protection data including application token in order to navigate to the second domain). Although use of temporary tokens such as one-time passwords and nonces is commonly known in the art as factors that may be obvious choices to strengthen the security in key generation, Kantorovskiy and Matsukawa do not teach, however Gammel teaches, wherein the second payload is generated using a time-based one-time password (TOTP) token, wherein the TOTP token is generated by the client device using the session key as a seed (para 0008, 0037, 0041, 0045, 0050, 0083 - random number generated at a specific time to be used one-time for session key generation). Based on Kantorovskiy in view of Matsukawa and Gammel, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to utilize the teachings of Gammel in the system of Kantorovskiy and Matsukawa, in order to use numbers that are temporary or randomly generated with one-time use, thereby strengthening the process of key generation by preventing the re-use of such key generation elements and thus preventing illegal reproduction of keys and securing the system.

For claim 6, Kantorovskiy in view of Matsukawa teaches the claimed subject matter as discussed above. Kantorovskiy further teaches wherein the second authentication key includes the session identifier concatenated with the second payload, and wherein the second payload is encrypted (Fig. 5-7; para 0045-0054 - second request has corresponding parameters referenced via the second authentication mechanism using the assertion (key) as payload which further comprises session id key and authentication parameters for protection data retrieval, wherein the assertion includes the session identifier supplied by the primary session and used to create an authenticated session with the second domain or subdomain, and wherein the session_id and PDKEY are used to retrieve the session specific protection data including application token in order to navigate to the second domain; para 0047, 0053 - payload encryption). Although Kantorovskiy does not appear to explicitly disclose hashing, the techniques of hashing are widely known in the art of cryptography. Kantorovskiy and Matsukawa do not teach, however Gammel teaches, wherein the payload or data is a one-way hash generated using the session key (para 0129-0132).

For claim 17, Kantorovskiy in view of Matsukawa teaches the claimed subject matter as discussed above. Kantorovskiy further teaches wherein generating the sub-session authentication key includes using the session identifier, the session key, the indicator of the secondary domain, and the refresh token (Fig. 5-7; para 0045-0054 - second request has corresponding parameters referenced via the second authentication mechanism using the assertion (key) as payload which further comprises session id key and authentication parameters for protection data retrieval, wherein the assertion includes the session identifier supplied by the primary session and used to create an authenticated session with the second domain or subdomain, and wherein the session_id and PDKEY are used to retrieve the session specific protection data including application token in order to navigate to the second domain). Although use of temporary tokens such as one-time passwords and nonces is commonly known in the art as factors that may be obvious choices to strengthen the security in key generation, Kantorovskiy and Matsukawa do not teach, however Gammel teaches, wherein the operations further comprise: receiving, at the client device, a refresh token (para 0008, 0037, 0041, 0045, 0050, 0083 - random number generated at a specific time to be used one-time for session key generation). Based on Kantorovskiy in view of Matsukawa and Gammel, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to utilize the teachings of Gammel in the system of Kantorovskiy and Matsukawa, in order to use numbers that are temporary or randomly generated with one-time use, thereby strengthening the process of key generation by preventing the re-use of such key generation elements and thus preventing illegal reproduction of keys and securing the system.

For claim 18, Kantorovskiy in view of Matsukawa teaches the claimed subject matter as discussed above. Kantorovskiy further teaches wherein the second payload is generated using the session key, the indicator of the secondary domain, and a refresh token (Fig. 5-7; para 0045-0054 - second request has corresponding parameters referenced via the second authentication mechanism using the assertion (key) as payload which further comprises session id key and authentication parameters for protection data retrieval, wherein the assertion includes the session identifier supplied by the primary session and used to create an authenticated session with the second domain or subdomain, and wherein the session_id and PDKEY are used to retrieve the session specific protection data including application token in order to navigate to the second domain). Although use of temporary tokens such as one-time passwords and nonces is commonly known in the art as factors that may be obvious choices to strengthen the security in key generation, Kantorovskiy and Matsukawa do not teach, however Gammel teaches, generating, with the client device, a time-based one-time password (TOTP) token using the session key as a seed; wherein generating the sub-session authentication key includes using the session identifier, the session key, and the TOTP token (para 0008, 0037, 0041, 0045, 0050, 0083 - random number generated at a specific time to be used one-time for session key generation). Based on Kantorovskiy in view of Matsukawa and Gammel, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to utilize the teachings of Gammel in the system of Kantorovskiy and Matsukawa, in order to use numbers that are temporary or randomly generated with one-time use, thereby strengthening the process of key generation by preventing the re-use of such key generation elements and thus preventing illegal reproduction of keys and securing the system.

For claim 19, Kantorovskiy in view of Matsukawa teaches the claimed subject matter as discussed above. Kantorovskiy further teaches wherein the second authentication key includes the session identifier concatenated with the second payload and the indicator of the secondary domain, and wherein the second payload is encrypted (Fig. 5-7; para 0045-0054 - second request has corresponding parameters referenced via the second authentication mechanism using the assertion (key) as payload which further comprises session id key and authentication parameters for protection data retrieval, wherein the assertion includes the session identifier supplied by the primary session and used to create an authenticated session with the second domain or subdomain, and wherein the session_id and PDKEY are used to retrieve the session specific protection data including application token in order to navigate to the second domain; para 0047, 0053 - payload encryption). Although Kantorovskiy does not appear to explicitly disclose hashing, the techniques of hashing are widely known in the art of cryptography. Kantorovskiy and Matsukawa do not teach, however Gammel teaches, wherein the payload or data is a one-way hash generated using the session key (para 0129-0132).


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAYESH JHAVERI whose telephone number is (571)270-7584. The examiner can normally be reached on Mon-Fri 9 AM to 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571)272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/JAYESH M JHAVERI/Primary Examiner, Art Unit 2433