DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant’s arguments, see pages 8-10, filed 28 December 2021, with respect to the rejection(s) of claim(s) 1-8, 11-12, 15, 18-19, and 21-27 under 35 U.S.C. 103 have been fully considered in light of the new claim amendments and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Hogan et al. (US 2010/0106927 A1).
Hogan teaches a system wherein a hint for a key/Security Identifier (SID) is created, wherein the hint is generated by removing bits from one or more positions of a key/SID.  The key/SID is produced by obtaining the hint, an indication of the position(s) of removed bits, and the number of removed bits at each position (Para. 51, 53, 63, 64, 79, 80).
Combining the references brings about a system that includes an identification of the number of bits of cryptographic information removed.  Therefore, the aforementioned limitation is taught by the combination of the cited references.

Claim Objections
Claims 1, 12, 15, and 19 are objected to because of the following informalities:  
Regarding claim 1, line 12—“the number of bits” lacks sufficient antecedent basis for the claim.  This objection may be overcome by amending the claim to state --a number of bits--, for example.
Claims 12, 15, and 19 include similar limitations and are similarly analyzed.
Appropriate correction is required.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-8, 11, 12, and 21-27 are rejected under 35 U.S.C. 103 as being unpatentable over Nanopoulos et al. (US 2005/0166263 A1) in view of Dotan et al. (US 9,154,304 B1) and further in view of Hogan et al. (US 2010/0106927 A1).
Regarding claim 1, Nanopoulos teaches a computer-implemented method comprising: 
generating, in response to a request from an access device, i.e. an agent (Fig. 1, el. 102), an intermediary set of cryptographic information from an initial set of cryptographic information, wherein the intermediary set of cryptographic information comprises a portion of the initial set of cryptographic information and is temporally-limited in accordance with at least one predetermined unit of time, e.g. communicating, by the agent, with a server for authentication with the server (Para. 25); downloading verification records from the server, wherein the records can each correspond to a given time interval for the token; the time period covered by the record batch may correspond to the length of a single user session (Para. 26, 30, 33, 85, 120, 121); downloading intermediate seed values so that the records may be generated by the verifier itself, wherein the seed values have limited lifetimes (Para. 24, 29, 36, 119); 
modifying the intermediary set of cryptographic information, wherein modifying the intermediary set of cryptographic information comprises removing one or more items of the cryptographic information from the intermediary set, e.g. not including the pepper values in the downloaded records (Para. 38); splitting each salt value into two portions (Para. 64, 67); including part of the pepper value in the record, such as 60 bits of an 80-bit long pepper value (Para. 95); and 
transmitting, over a network connection, i.e. a network (Fig. 1, el. 106), the modified intermediary set of cryptographic information to the access device for use in a subsequent offline authentication request, e.g. downloading verification records from the server for use in authentication when the agent is disconnected/offline, wherein the records can each correspond to a given time interval for the token; the time period covered by the record batch may correspond to the length of a single user session (Para. 26, 30, 33, 85, 120, 121); downloading intermediate seed values so that the records may be generated by the verifier itself, wherein the seed values have limited lifetimes (Para. 24, 29, 36, 119);  
wherein the method is performed by at least one processing device comprising a processor coupled to a memory, e.g. a processor in the server (Claim 63).
Nanopoulos does not clearly teach modifying the intermediary set of cryptographic information based at least in part on data pertaining to the access device and one or more security parameters; and transmitting…and an identification of the number of bits of cryptographic information removed.
Dotan teaches a computer-implemented method comprising: 
generating, in response to a request from an access device, i.e. a client-side computing device (Fig. 1, el. 110), an intermediary set of cryptographic information from an initial set of cryptographic information, wherein the intermediary set of cryptographic information comprises a portion of the initial set of cryptographic information and is temporally-limited in accordance with at least one predetermined unit of time, e.g. communicating with a server to obtain a new set of day files, wherein a day file refers to a support file holding an arbitrary number of elements depending on the token type and any relevant policy; asking for a certain number of days of support (Col. 6, lines 5-35); sending, by the server, the day file(s) in stages and/or portions (Col. 11, lines 28-39);
modifying the intermediary set of cryptographic information based at least in part on data pertaining to the access device and one or more security parameters, wherein modifying the intermediary set of cryptographic information comprises removing one or more items of the cryptographic information from the intermediary set, e.g. assessing the CPU strength of the mobile device for the purpose of determining the correct pepper value size/strength to use and to determine the number of files generated for downloading; defining a policy associated with the pepper value, wherein the policy defines content permitted on the user device and represents an assurance level of the device (Col. 9, lines 24-54; Col. 10, lines 21-35; Col. 12, lines 42-54); wherein the pepper value is a random number generated by the system creating the day files (Col. 10, lines 21-35); and 
transmitting, over a network connection, i.e. a network (Fig. 1, el. 160), the modified intermediary set of cryptographic information to the access device for use in a subsequent offline authentication request, e.g. communicating with a server to obtain a new set of day files (Col. 6, lines 5-35); sending, by the server, the day file(s) in stages and/or portions (Col. 11, lines 28-39); 
wherein the method is performed by at least one processing device, i.e. a processing device/server (Fig. 1, el. 150-1 to 150-N; Fig. 11, el. 1100), comprising a processor, i.e. a processor (Fig. 11, el. 1110), coupled to a memory, i.e. memory (Fig. 11, el. 1120).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Nanopoulos to include modifying the intermediary set of cryptographic information based at least in part on data pertaining to the access device and one or more security 
Nanopoulos in view of Dotan does not clearly teach transmitting…and an identification of the number of bits of cryptographic information removed.
Hogan teaches transmitting, over a network connection, the modified set of cryptographic information and an identification of the number of bits of cryptographic information removed to the access device, e.g. an adapter (Fig. 2, el. 220) or module/system software (Fig. 5, el. 530) or a GUI/API (Para. 79); e.g. retrieving, by the adapter/module or the adapter, the hint, the position(s) of removed bits, and the number of removed bits at each position (Para. 51, 53, 63, 64), wherein the module, key manager, removed bit manager, and added bit manager may be implemented as firmware, hardware on a reconfigurable hardware, or hardware through a computing device (e.g., a server, etc.) (Para. 65-68); obtaining the hint and the number of removed bits from a person or an organization who is securely storing them via a GUI or API (Para. 79, 80).


Regarding claim 2, Nanopoulos in view of Dotan in view of Hogan teaches wherein the access device comprises a hardware token, e.g. an authentication token; a virtual software token that is implemented within the verifier (Nanopoulos-Fig. 1, el. 108; Para. 25); 
See also:  Dotan discloses a security token generator (Dotan-Fig. 1, el. 130).

Regarding claim 3, Nanopoulos in view of Dotan in view of Hogan teaches wherein the data pertaining to the access device comprises a serial number of the access device, e.g. the token serial number and/or an identifier for the verifier (Nanopoulos-Para. 113); 
See also:  Dotan discloses the phone’s IMEI and/or cell phone number (Dotan-Col. 11, lines 40-50).

Regarding claim 4, Nanopoulos in view of Dotan in view of Hogan teaches wherein the data pertaining to the access device comprises computational power of the access device, e.g. assessing the CPU strength of the mobile device for the purpose of determining the correct pepper value size/strength to use and to determine the number of files generated for downloading (Dotan-Col. 9, lines 24-54; Col. 10, lines 21-35; Col. 12, lines 42-54).

Regarding claim 5, Nanopoulos in view of Dotan in view of Hogan teaches wherein the one or more security parameters comprise one or more risk tolerance parameters, e.g. defining a policy associated with the pepper value, wherein the policy defines content permitted on the user device and represents an assurance level of the device; local authentication is permitted for low-risk applications, but authentication with the server is required for high-risk applications (Dotan-Col. 6, lines 36-54; Col. 7, lines 9-14; Col. 9, lines 24-54; Col. 12, lines 42-54).

Regarding claim 6, Nanopoulos in view of Dotan in view of Hogan teaches further comprising: encrypting the modified intermediary set of cryptographic information using a mechanism local to the access device, e.g. the records include encrypted data (Nanopoulos-Para. 33); hashing the token, salt, and pepper (Nanopoulos-Para. 43, 46, 113); utilizing an SSL/TLS session; utilizing a secure, server-authenticated channel (Nanopoulos-Para. 125, 135).

Regarding claim 7, Nanopoulos in view of Dotan in view of Hogan teaches wherein transmitting the modified intermediary set of cryptographic information to the access device is in response to an authentication of the access device, e.g. communicating, by the agent, with a server for authentication with the server (Nanopoulos-Para. 25); downloading verification records from the server in response to authentication with the server (Nanopoulos-Para. 26, 30, 33, 85, 120, 121); downloading intermediate seed values so that the records may be generated by the verifier itself (Nanopoulos-Para. 24, 29, 36, 119).

Regarding claim 8, Nanopoulos in view of Dotan in view of Hogan teaches wherein transmitting the modified intermediary set of cryptographic information to the access device comprises implementing an online encryption protocol, e.g. the records include encrypted data (Nanopoulos-Para. 33); hashing the token, salt, and pepper (Nanopoulos-Para. 43, 46, 113); utilizing an SSL/TLS session; utilizing a secure, server-authenticated channel (Nanopoulos-Para. 125, 135).

Regarding claim 11, Nanopoulos in view of Dotan in view of Hogan teaches a non-transitory processor-readable storage medium having stored therein program code of one or more software programs, wherein the program code when executed by the at least one processing device causes the at least one processing device to carry out the steps of the method of claim 1, e.g. a processor in the server (Nanopoulos-Claim 63); 
See also: Dotan discloses a processing device/server (Dotan-Fig. 1, el. 150-1 to 150-N; Fig. 11, el. 1100), a processor (Dotan-Fig. 11, el. 1110), memory (Dotan-Fig. 11, el. 1120).

Regarding claim 12, the claim is analyzed with respect to claim 1.

Regarding claim 21, the claim is analyzed with respect to claim 2.

Regarding claim 22, the claim is analyzed with respect to claim 3.

Regarding claim 23, the claim is analyzed with respect to claim 4.

Regarding claim 24, the claim is analyzed with respect to claim 5.

Regarding claim 25, the claim is analyzed with respect to claim 6.

Regarding claim 26, the claim is analyzed with respect to claim 7.

Regarding claim 27, the claim is analyzed with respect to claim 8.

Claims 15, 18, and 19 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Nanopoulos in view of Hogan.
Regarding claim 15, Nanopoulos teaches a computer-implemented method comprising: 
transmitting a request, to an authentication server, i.e. a server (Fig. 1, el. 104), over a network connection, i.e. a network (Fig. 1, el. 106), for a set of cryptographic information, wherein the set of cryptographic information comprises a temporally-limited partial subset of an initial set of cryptographic information, e.g. communicating, by the agent, with a server for authentication with the server (Para. 25); downloading verification records from the server, wherein the records can each correspond to a given time interval for the token; the time period covered by the record batch may correspond to the length of a single user session (Para. 26, 30, 33, 85, 120, 121); downloading intermediate seed values so that the records may be generated by the verifier itself, wherein the seed values have limited lifetimes (Para. 24, 29, 36, 119); 
wherein one or more items of cryptographic information have been removed from the temporally-limited subset, e.g. not including the pepper values in the downloaded records (Para. 38); splitting each salt value into two portions (Para. 64, 67); including part of the pepper value in the record, such as 60 bits of an 80-bit long pepper value (Para. 95); 
receiving, in response to a successful authentication associated with the transmitted request, the set of cryptographic information, e.g. downloading the verification records from the server in response to authentication with the server (Para. 26, 30, 33, 85, 120, 121); downloading intermediate seed values so that the records may be generated by the verifier itself (Para. 24, 29, 36, 119); 
generating a complete version of the set of cryptographic information by computing the one or more items of cryptographic information that had been removed from the temporally-limited subset, e.g. computing the pepper value at the device (Para. 38, 76, 88, 95); and 
implementing the complete version of the set of cryptographic information in connection with an offline authentication request to access a protected resource, e.g. performing disconnected authentication at the device (Para. 21, 24); comparing, at the device, the hash function results to the stored record and, if they match, gaining access to the computer (Para. 24, 39, 43, 58); decrypting files or other data on the verifier (Para. 48, 50, 54); 
wherein the method is performed by at least one processing device comprising a processor, i.e. a processor (Claim 70), coupled to a memory, i.e. memory (Claim 70).
Nanopoulos does not clearly teach receiving…and an identification of the number of bits of cryptographic information removed.
Hogan teaches receiving the set of cryptographic information and an identification of the number of bits of cryptographic information removed, e.g. retrieving, by the adapter/module or the adapter, the hint, the position(s) of removed bits, and the number of removed bits at each position (Para. 51, 53, 63, 64), wherein the module, key manager, removed bit manager, and added bit manager may be implemented as firmware, hardware on a reconfigurable hardware, or hardware through a computing device (e.g., a server, etc.) (Para. 65-68); obtaining the hint and the number of removed bits from a person or an organization who is securely storing them via a GUI or API (Para. 79, 80).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Nanopoulos to include receiving, in response to a successful authentication associated with the transmitted request, the set of cryptographic information and an identification of the number of bits of cryptographic information removed, using the known method of retrieving the hint, the position(s) of removed bits, and the number of removed bits at each position, as taught by Hogan, in combination with the record modification method of Nanopoulos, for the purpose of providing a more secure method of generating cryptographic information by providing the access device with the positions of the removed bits and the number of removed bits at each position.  A further benefit would be to enable the recovering of a security identifier or a key when it has been lost or was corrupted (Hogan-Para. 2).
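The request, receive, recompute and verify sequence that the examiner maps onto claim 15 (a temporally-limited batch of verification records with part of the pepper left out, an indication of how many bits were removed and where sent alongside, and the device computing the missing bits before comparing hash results to the stored record) is illustrated below in Python. This is an added example, not code from the application, from Nanopoulos or from Hogan: the 80-bit pepper width, SHA-256 as the hash, the record layout, the 12 removed bits, the token codes and the (position, count) tuple standing in for Hogan's hint metadata are all assumptions made for the illustration.

```python
"""Constructed illustration: partial verification records with a bit-removal hint."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PEPPER_BITS = 80  # assumed pepper width (the office action cites an 80-bit pepper of which 60 bits are sent)


@dataclass(frozen=True)
class Record:
    interval: int    # time interval this record is valid for (assumed: one record per interval)
    salt: bytes      # full salt, included in the record
    hint: int        # pepper with the removed bits taken out, i.e. a shorter integer
    removed: tuple   # ((position, count), ...): removed-bit positions (0 = MSB) and counts, per Hogan-style hint
    verifier: bytes  # hash(token code, salt, full pepper) that the device compares against


def _verifier(tokencode: str, salt: bytes, pepper: int) -> bytes:
    """Assumed record hash: SHA-256 over token code, salt and the full pepper."""
    return hashlib.sha256(tokencode.encode() + salt + pepper.to_bytes(PEPPER_BITS // 8, "big")).digest()


def _cut_positions(removed) -> set:
    cut = set()
    for pos, count in removed:  # positions are assumed non-overlapping
        cut.update(range(pos, pos + count))
    return cut


def remove_bits(pepper: int, removed) -> int:
    """Server side: drop `count` bits starting at each `position`; the result is the hint."""
    bits = format(pepper, f"0{PEPPER_BITS}b")
    cut = _cut_positions(removed)
    return int("".join(b for i, b in enumerate(bits) if i not in cut), 2)


def insert_bits(hint: int, removed, fill: int) -> int:
    """Inverse of remove_bits: put the bits of `fill` back at the removed positions."""
    total = sum(c for _, c in removed)
    hint_bits = iter(format(hint, f"0{PEPPER_BITS - total}b"))
    fill_bits = iter(format(fill, f"0{total}b"))
    cut = _cut_positions(removed)
    return int("".join(next(fill_bits) if i in cut else next(hint_bits) for i in range(PEPPER_BITS)), 2)


def make_record(tokencode: str, interval: int, removed=((0, 12),)):
    """Server side: build one temporally-limited record with part of the pepper left out.
    Returns (record, full pepper); the full pepper is returned only so a test can check recovery."""
    salt = secrets.token_bytes(16)
    pepper = secrets.randbits(PEPPER_BITS)
    rec = Record(interval, salt, remove_bits(pepper, removed), removed, _verifier(tokencode, salt, pepper))
    return rec, pepper


def recover_pepper(rec: Record, tokencode: str):
    """Device side: enumerate the removed bits until the hash matches the stored verifier.
    The count of removed bits tells the device the work factor, 2**count hashes at most.
    Returns the full pepper, or None if no candidate matches (wrong token code)."""
    total = sum(c for _, c in rec.removed)
    for fill in range(1 << total):
        candidate = insert_bits(rec.hint, rec.removed, fill)
        if hmac.compare_digest(_verifier(tokencode, rec.salt, candidate), rec.verifier):
            return candidate
    return None


def offline_authenticate(records, entered_code: str, now_interval: int) -> bool:
    """Disconnected authentication: select the record for the current interval and check the code.
    No record for the interval means the downloaded batch does not cover this time, so access is denied."""
    rec = next((r for r in records if r.interval == now_interval), None)
    if rec is None:
        return False
    return recover_pepper(rec, entered_code) is not None


if __name__ == "__main__":
    # Constructed token codes, one per interval, standing in for the codes a hardware token would show.
    codes = {t: f"{secrets.randbelow(10**6):06d}" for t in range(3)}
    batch = [make_record(codes[t], t)[0] for t in codes]
    wrong = "000000" if codes[1] != "000000" else "000001"
    print("correct code, interval 1:", offline_authenticate(batch, codes[1], 1))
    print("wrong code, interval 1:  ", offline_authenticate(batch, wrong, 1))
    print("correct code, interval 7:", offline_authenticate(batch, codes[1], 7))
```

The number of removed bits is the tunable security parameter: each additional removed bit doubles the work a device (or anyone holding a stolen record) must do to complete the pepper, while the hint and the count let a legitimate device bound that work and finish it in one pass, which is the motivation the examiner attributes to sizing the pepper against the device's CPU strength.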

Regarding claim 18, Nanopoulos in view of Hogan teaches a non-transitory processor-readable storage medium having stored therein program code of one or more software programs, wherein the program code when executed by at least one processing device causes the at least one processing device to carry out the steps of the method of claim 15, e.g. a processor (Nanopoulos-Claim 70), memory (Nanopoulos-Claim 70).

Regarding claim 19, the claim is analyzed with respect to claims 15 and 18.

Relevant Prior Art
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Sivaradjane et al. (US 2007/0157300 A1)—Sivaradjane discloses enabling a client to identify missing bits of a random value sent by a server (Para. 8).

Oberheide et al. (US 2016/0352516 A1)—Oberheide discloses dynamically adjusting key generation based on device capabilities and security (Para. 11, 24).

Tamai et al. (US 2013/0185778 A1)—Tamai discloses offline authentication using one-time passwords and authentication information received from a server (Figs. 3, 4).

Shah et al. (US 2017/0374070 A1)—Shah discloses utilizing the authentication capabilities of the client device along with authentication factor attributes to develop an authentication policy (Para. 40).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEREMY DUFFIELD whose telephone number is (571)270-1643. The examiner can normally be reached Monday - Friday, 7:00 AM - 3:00 PM (ET).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on (571) 272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
23 February 2022
/Jeremy S Duffield/Primary Examiner, Art Unit 2498