DETAILED ACTION
This action is responsive to the Applicant’s response filed on 11/08/2021. Claims 1-20 are pending and being considered. Claims 1, 13 and 20 are independent. Claims 7, 9, 12, 16 and 18-20 are amended. Thus, the claims 1-20 are rejected.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments/Remarks
Regarding claims 1-19, the applicant’s arguments/remarks, filed on 11/08/2021, have been fully considered but they are not persuasive. 
Applicant’s Arguments/Remarks:
Regarding independent claims 1 and 13, the applicant argues that the cited prior art BOUDA; Mohammed (US 2018/0047023 A1; PCT filed on: March 3, 2016) fails to teach the limitation(s) “sending a session parameter after the device authentication is successful, the session parameter comprising a session identifier and a communication key;” and “receiving a session parameter after a device authentication is successful, the session parameter comprising a session identifier and a communication key;”, respectively. 
Examiner acknowledged Applicant’s perspective but respectfully disagrees due to the following reason(s):
In response to applicant's argument that the cited prior art BOUDA fails to disclose or does not teach “the session parameter comprising a session identifier and a communication key;”, the examiner respectfully disagrees because the cited prior art BOUDA (in Para. [0050]) discloses that the server derives 210 a mobile device transport session key (msTK) is a key (i.e., represents as a session parameter) that is generated independently on both the server and the mobile application, and is based on the server generated session identifier (ID) and the mutually established mobile device transport key (mTK; i.e., represents as a communication key).
Thus, under broadest reasonable interpretation (BRI), the cited prior art BOUDA does teach the limitation “the session parameter comprising a session identifier and a communication key;” as recited in the independent claims 1 and 13. Therefore, the independent claims 1 and 13 remain rejected under 35 U.S.C 103 for the reason(s) as mentioned above. 
Dependent claims 2-12 and 14-19 fall together accordingly, since the cited prior art BOUDA does disclose the limitation(s) as stated above.
Examiner suggests to further amend the independent claims 1 and 13 to overcome the current rejection(s) under 35 U.S.C. 103.
Regarding independent claim 20, the applicant’s arguments/remarks filed on 11/08/2021 have been fully considered and are rendered moot in view of new grounds of rejection(s) outlined below, which were necessitated by the applicant’s amendment. The arguments/remarks do not apply to the current art(s) being used. 
Regarding claim rejections - 35 U.S.C 112(b): the claims 7-9, 12, 16 and 18-19 have been amended to overcome the antecedent basis rejection under 35 U.S.C 112(b). Therefore, the rejection(s) under 35 USC § 112(b) has been withdrawn.

Claim Rejections - 35 U.S.C. 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or non-obviousness.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-6 and 9-19 are rejected under 35 U.S.C. 103 as being unpatentable over BOUDA; Mohammed (US 2018/0047023 A1; PCT Filed On: March 03, 2016), hereinafter (Bouda), in view of CAVENDISH; Dirceu et al. (US 20180292522 A1; Filed On: April 07, 2017), hereinafter (Cavendish).

Regarding claim 1, Bouda teaches a method comprising: receiving a data request; performing a device authentication based on the data request (Bouda, Para. [0006], discloses a method of processing secure transactions using a mobile device, the method comprising an authentication and a transaction of a requested ); 
sending a session parameter after the device authentication is successful (Bouda, Para. [0019 and 0045], discloses that the server checks and verifies to see if the activation code or user identifier received from the mobile device is valid. If it is valid then [...] the server generates a mobile device session transport key (msTK; hereinafter represents as a session parameter) based on the transaction session identifier and the mobile device transport key (mTK; hereinafter represents as a communication key), and sending the mobile device session transport key (msTK) to the mobile device), the session parameter comprising a session identifier and a communication key (Bouda, Para. [0050], discloses that the server derives 210 a mobile device transport session key (msTK) is a key that is generated independently on both the server and the mobile application, and is based on the server generated session identifier (ID) and the mutually established mobile device transport key (mTK)); 
establishing a Bouda, Para. [0006 and/or 0017], discloses that the mobile device receives and validates the session identifier with the activation session identifier (i.e., in order to establish a connection between the server and mobile device)); 
receiving encrypted data through the persistent connection (Bouda, Para. [0018 and/or 0051], discloses that the mobile device extracts the mobile device session transport key (msTK), and encrypts the transaction data using the mobile device session transport key ((msTK); wherein msTK includes a session identifier and a ); and 
parsing the encrypted data based on the communication key (Bouda, Para. [0018 and/or 0052], discloses that the server decrypts the received encrypted transaction data using the mobile device transport session key ((msTK); wherein msTK is a key that is based on the server generated session identifier (ID) and the mutually established mobile device transport key (mTK), as disclosed in Para. [0050]), and verifies the decrypted transaction data).  
Bouda fails to explicitly disclose but Cavendish teaches establishing a persistent connection based on the session identifier (Cavendish, Para. [0051], discloses to establish a connection between initiator and responder devices, and to further ensure that the initiator and responder devices remain awake (i.e., persistent) for the remaining exchange, and/or see also Para. [0054], discloses that the generation and transmission of the TM Request message 210 and/or of the ACK message 220 are, in some embodiments, optional, and generally used to establish which of the devices is the initiator and which is the responder, as well as to configure the devices to be in active mode and to expect (and thus respond to) messages from their counterpart device);
Bouda and Cavendish are analogous arts and are in the same field of endeavor as they both pertain and directed to provide/establish secure communication between one or more devices (mobile devices/smartphones) and one or more service providers (servers).

	
Regarding claim 2, Bouda as modified by Cavendish teaches the method of claim 1, wherein Bouda further teaches the performing the device authentication based on the data request comprises (Bouda, Para. [0044-0045], discloses to perform the mobile device authentication): obtaining a device signature from the data request (Bouda, Para. [0047], discloses that the server… verifies the contained digital signature); 
However Bouda fails to teach but Cavendish further teaches calculating a first verification signature based on the data request; and determining that the device authentication is not successful in response to determining that the calculated first verification signature is not consistent with the obtained device signature (Cavendish, Para. [0072], discloses that if the expected and computed resultant hash values (e.g., in some embodiments, application of a hash function to the received payload, a valid signature portion (that was generated using a legitimate secret key by the sending device), and a corresponding cryptographic key, would result in an expected value of `0`, TRUE, or some other pre-determined expected value) corresponding to the received signed acknowledgement message do not match, the ).  
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of ‘Cavendish’ into the teachings of ‘Bouda’, with a motivation to calculate a first verification signature based on the data request; and determining that the device authentication is not successful in response to determining that the calculated first verification signature is not consistent with the obtained device signature, as taught by Cavendish, in order to securely control and transmit data between devices such as between server and mobile device; Cavendish, Para. [0044 and 0047].

Regarding claim 3, Bouda as modified by Cavendish teaches the method of claim 1, wherein the performing the device authentication based on the data request comprises (Bouda, Para. [0044-0045], discloses to perform the mobile device authentication): obtaining a device signature from the data request (Bouda, Para. [0047], discloses that the server… verifies the contained digital signature); 
Bouda fails to teach but Cavendish further teaches calculating a first verification signature based on the data request; and determining that the device authentication is successful in response to determining that the calculated first verification signature is consistent with the obtained device signature (Cavendish, Para. [0072], discloses that if the resultant received hash value matches an expected hash value (e.g., in some embodiments, application of a hash function to the received payload, a valid signature portion (that was generated using a legitimate secret key by the sending device), and a corresponding cryptographic key, would result in an expected value of `0`, TRUE, or some other pre-determined expected value), the signed acknowledgement message is deemed to be valid, and the responder device can continue the message exchange with the initiator device).  
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of ‘Cavendish’ into the teachings of ‘Bouda’, with a motivation to calculate a first verification signature based on the data request; and determining that the device authentication is successful in response to determining that the calculated first verification signature is consistent with the obtained device signature, as taught by Cavendish, in order to securely control and transmit data between devices such as between server and mobile device; Cavendish, Para. [0044 and 0047].

Regarding claim 4, Bouda as modified by Cavendish teaches the method of claim 3, wherein Bouda fails to teach but Cavendish further teaches the calculating the first verification signature based on the data request comprises (Cavendish, Para. [0072], discloses to compute resultant hash value): obtaining a device identifier and time information from the data request; using the device identifier and the time information as signature contents; obtaining a device key as a signature key; and calculating the first verification signature based on the signature key and the signature contents (Cavendish, Para. [0040], discloses to generate a signature with a hash function that uses the payload of the message, and a secret cryptographic key associated with the device. The payload for every exchanged message may include: a) ID of the message sender (e.g., a media access control (MAC) address), b) timing information (e.g., T1, T2, T3, and/or T4 illustrated in FIG. 2 , and/or see also Para. [0005 and/or 0073], once the payload for the message 250 is determined, the responder device 202 generates a signature portion for the message 250. For example, the responder device uses a hash function applied to the payload and the cryptographic key of the responder device to generate a hash value, constituting the signature. Wherein, the payload includes timestamp, identifiers of the device, etc.).  
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of ‘Cavendish’ into the teachings of ‘Bouda’, with a motivation to calculate the first verification signature based on the signature key and the signature contents, as taught by Cavendish, in order to securely control and transmit data between devices such as between server and mobile device; Cavendish, Para. [0044 and 0047].

Regarding claim 5, Bouda as modified by Cavendish teaches the method of claim 1, wherein Bouda further teaches the establishing the persistent connection based on the session identifier comprises (Bouda, Para. [0006 and/or 0017], discloses that the mobile device receives and validates the session identifier with the activation session identifier (in order to establish a connection between the server and mobile device)): 
However Bouda fails to teach but Cavendish further teaches receiving a session establishment message; obtaining the session identifier from the session establishment message; determining that an electronic device connection is trusted based on the session identifier (Cavendish, Para. [0058], discloses that in every message exchange or RTT protocol round between two communicating devices Herein, the sequence based nonce value represents the session identifier)); and 
establishing the persistent connection (Cavendish, Para. [0051], discloses to establish a connection between initiator and responder devices, and to further ensure that the initiator and responder devices remain awake for the remaining exchange, and/or see also Para. [0054], discloses that the generation and transmission of the TM Request message 210 and/or of the ACK message 220 are, in some embodiments, optional, and generally used to establish which of the devices is the initiator and which is the responder, as well as to configure the devices to be in active mode and to expect (and thus respond to) messages from their counterpart device).  


Regarding claim 6, Bouda as modified by Cavendish teaches the method of claim 1, wherein Bouda further teaches: the receiving the encrypted data through the persistent connection comprises receiving a communication message through the persistent connection, the communication message comprising the encrypted data (Bouda, Para. [0018 and/or 0051], discloses that the mobile device extracts the mobile device session transport key (msTK), and encrypts the transaction data using the mobile device session transport key ((msTK); wherein msTK includes a session identifier and a derived session key for the AES mobile device transport key (mTK)) and sends the encrypted data to the server); and 
the parsing the encrypted data based on the communication key comprises at least one of: decrypting the encrypted data, or validating a message signature of the communication message (Bouda, Para. [0018 and/or 0051-0052], discloses that the server decrypts the received encrypted transaction data using the mobile device transport session key ((msTK); wherein msTK includes a session identifier and a derived session key for the AES mobile device transport key (mTK)), and verifies the decrypted transaction data, and/or as disclosed in Para. [0047], the server verifies the contained digital signature).
  
Regarding claim 9, Bouda as modified by Cavendish teaches the method of claim 6, wherein Bouda as modified by Cavendish further teaches the decrypting the encrypted data comprises: decrypting by using the communication key in accordance with a decryption algorithm to obtain corresponding data (Bouda, Para. [0018 and/or 0051-0052], discloses that the server decrypts the received encrypted transaction data using the mobile device transport session key ((msTK); wherein msTK includes a session identifier and a derived session key for the AES mobile device transport key (mTK)), and verifies the decrypted transaction data, and as disclosed in Cavendish, Para. [0088], the sending device may use a public key associated with the destination (receiving) device to encrypt the data, to thus allow only the receiving device to be able to decrypt the encrypted data (using the private key stored at the receiving device)).  
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of ‘Cavendish’ into the teachings of ‘Bouda’, with a motivation to perform decryption by using the communication key in accordance with a decryption algorithm to obtain the corresponding data, as taught by Cavendish, in order to securely control and transmit data between devices such as between server and mobile device, and further avoid/inhibit a possible attack; Cavendish, Para. [0044 & 0078].

Regarding claim 10, Bouda as modified by Cavendish teaches the method of claim 6, wherein Bouda as modified by Cavendish further teaches the validating the message signature of the communication message comprises (Bouda, Para. [0047], discloses that the server… verifies the contained digital signature): 
obtaining the message signature from the communication message (Bouda, Para. [0047], discloses that the server… verifies the contained digital signature); 
calculating a second verification signature based on the communication message (Cavendish, Fig. 2 and Para. [0073], discloses that the responder device 202 is configured to generate a second signed message 250 (denoted as STM_2) based on the received verifiable acknowledgement message 240 from the initiator device 204); 
determining whether the calculated second verification signature is consistent with the obtained message signature (Cavendish, Para. [0074], discloses to authenticate the second signed message 250); determining that the message signature validation is successful in response to determining that the calculated second verification signature is consistent with the obtained message signature (Cavendish, Para. [0072], discloses that if the resultant received hash value matches an expected hash value (e.g., in some embodiments, application of a hash function to the received payload, a valid signature portion (that was generated using a legitimate secret key by the sending device), and a corresponding cryptographic key, would result in an expected value of `0`, TRUE, or some other pre-determined expected value), the signed acknowledgement message is deemed to be valid, and the responder device can continue the message exchange with the initiator device); and 
determining that the message signature validation is not successful in response to determining that the calculated second verification signature is not consistent with the obtained message signature (Cavendish, Para. [0072], discloses (e.g., in some embodiments, application of a hash function to the received payload, a valid signature portion (that was generated using a legitimate secret key by the sending device), and a corresponding cryptographic key, would result in an expected value of `0`, TRUE, or some other pre-determined expected value) corresponding to the received signed acknowledgement message do not match, the signed acknowledgement message is deemed to be invalid (the responder device may then terminate the message exchange process with the initiator device)).  
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of ‘Cavendish’ into the teachings of ‘Bouda’, with a motivation to determine whether the calculated second verification signature is consistent with the obtained message signature, as taught by Cavendish, in order to securely control and transmit data between devices such as between server and mobile device, and further avoid/inhibit a possible attack; Cavendish, Para. [0044 & 0078].

Regarding claim 11, Bouda as modified by Cavendish teaches the method of claim 10, wherein Bouda fails to teach but Cavendish further teaches the calculating the second verification signature based on the communication message comprises (Cavendish, Fig. 2 and Para. [0073], discloses that the responder device 202 is configured to generate a second signed message 250 (denoted as STM_2) based on the received verifiable acknowledgement message 240 from the initiator device 204): obtaining a communication parameter and the time information from the communication message; using the communication parameter and the time information as the signature contents; obtaining the communication key as the signature key; and calculating the second verification signature based on the signature key and the signature contents (Cavendish, Para. [0073], once the payload for the message 250 is determined (extracted/obtained), the responder device 202 generates a signature portion for the message 250. For example, the responder device uses a hash function (which may be the same as, or different from the hash function used for the first signed message 230) applied to the determined payload and the cryptographic key of the responder device to generate a hash value, constituting the signature. Wherein, the determined payload may include timestamp, identifiers of the device and/or a nonce value, etc., and as disclosed in Para. [0005], the payload may further include a first signed message).  
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of ‘Cavendish’ into the teachings of ‘Bouda’, with a motivation to calculate the second verification signature based on the signature key and the signature contents, as taught by Cavendish, in order to securely control and transmit data between devices such as between server and mobile device, and further avoid/inhibit a possible attack; Cavendish, Para. [0044 & 0078].

Regarding claim 12, Bouda as modified by Cavendish teaches the method of claim 1, further comprising: wherein Bouda as modified by Cavendish further teaches encrypting the data in accordance with an encryption algorithm (Cavendish, Para. [0088], discloses that the sending device may use a public key associated with the destination (receiving) device to encrypt the data, to thus allow only the receiving device ); and using the encrypted data and a message signature to form a communication message (Cavendish, Para. [0088], discloses that at least some of the payload included in the second signed messages (and/or in any of the other messages exchanged between the devices) may be encrypted (independently of the cryptographic generation of the signatures)).  
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of ‘Cavendish’ into the teachings of ‘Bouda’, with a motivation to form the communication message using the encrypted data and the message, as taught by Cavendish, in order to securely control and transmit data between devices such as between server and mobile device, and further avoid/inhibit a possible attack; Cavendish, Para. [0044 & 0078].

Regarding claim 13, Bouda teaches an apparatus comprising (Bouda, Para. [0001], discloses an apparatus): one or more processors; and one or more memories storing computer readable instructions that, executable by the one or more processors, cause the one or more processors to perform acts comprising (Bouda, Para. [0064-0065], discloses that the “storage” type media may include any or all of the memory comprising (a transitory and/or non-transitory) computer/machine readable medium carrying one or more sequences of one or more instructions to a processor for execution): 
sending a request for device authentication (Bouda, Para. [0044-0045], discloses that the server 22 authenticates, activates and/or registers a mobile device 12, in response to a received user request to register the mobile device 12); 
receiving a session parameter after a device authentication is successful (Bouda, Para. [0019 and 0045], discloses that the server checks and verifies to see if the activation code or user identifier received from the mobile device is valid. If it is valid then [...] the server generates a mobile device session transport key (msTK; hereinafter represents as a session parameter) based on the transaction session identifier and the mobile device transport key (mTK; hereinafter represents as a communication key), and sending the mobile device session transport key (msTK) to the mobile device), the session parameter comprising a session identifier and a communication key (Bouda, Para. [0050], discloses that the server derives 210 a mobile device transport session key (msTK) is a key that is generated independently on both the server and the mobile application, and is based on the server generated session identifier (ID) and the mutually established mobile device transport key (mTK)); 
establishing a Bouda, Para. [0006 and/or 0017], discloses that the mobile device receives and validates the session identifier with the activation session identifier (in order to establish a connection between the server and mobile device)); and 
transmitting, through the persistent connection, data encrypted by using the communication key (Bouda, Para. [0018 and/or 0051], discloses that the mobile device extracts the mobile device session transport key (msTK), and encrypts the transaction data using the mobile device session transport key ((msTK); wherein msTK includes a session identifier and a derived session key for the AES mobile device transport key (mTK)) and sends the encrypted data to the server).  
establishing a persistent connection based on the session identifier (Cavendish, Para. [0051], discloses to establish a connection between initiator and responder devices, and to further ensure that the initiator and responder devices remain awake for the remaining exchange, and/or see also Para. [0054], discloses that the generation and transmission of the TM Request message 210 and/or of the ACK message 220 are, in some embodiments, optional, and generally used to establish which of the devices is the initiator and which is the responder, as well as to configure the devices to be in active mode and to expect (and thus respond to) messages from their counterpart device);
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of ‘Cavendish’ into the teachings of ‘Bouda’, with a motivation to establish a persistent connection based on the session identifier, as taught by Cavendish, in order to securely control and transmit data between devices such as between server and mobile device, and further avoid/inhibit a possible attack; Cavendish, Para. [0044 & 0078].

Regarding claim 14, Bouda as modified by Cavendish teaches the apparatus of claim 13, wherein Bouda fails to teach but Cavendish teaches the acts further comprise generating the request for device authentication, wherein the generating the request for device authentication comprises (Cavendish, Para. [0055], discloses to generate a signed message's signature block (denoted as STM_1 message 230) is configured to authenticate the responder device 202 as the device from which the message was originated): 
determining a device key as a signature key; determining a device identifier and time information as signature contents; calculating a device signature based on the signature key and the signature contents (Cavendish, Para. [0040], discloses to generate a signature with a hash function that uses the payload of the message, and a secret cryptographic key associated with the device. The payload for every exchanged message may include: a) ID of the message sender (e.g., a media access control (MAC) address), b) timing information (e.g., T1, T2, T3, and/or T4 illustrated in FIG. 2 below), and/or c) a nonce, and/or see also Para. [0005 and/or 0073], once the payload for the message 250 is determined, the responder device 202 generates a signature portion for the message 250. For example, the responder device uses a hash function applied to the payload and the cryptographic key of the responder device to generate a hash value, constituting the signature. Wherein, the payload includes timestamp, identifiers of the device, etc.); 
using the device signature and the signature contents to form request parameters (Cavendish, Para. [0055], discloses that the signature block may be generated by using a secret cryptographic key (also referred to as K_au) when applying a hash function (e.g., SHA-128, SHA-256, or any other type of hash function) to a payload of the message 230. The signed message 230 thus includes a non-signature portion, including a payload (i.e., device identifier and time information), and a signature portion corresponding to a hash value produced via a selected hash function that uses the payload of the message 230 and the secret cryptographic key associated with the signing device (in such embodiments, a dedicated hash function is realized that ); and 
generating the request for device authentication (Cavendish, Para. [0055], discloses to generate a signed message's signature block (denoted as STM_1 message 230) is configured to authenticate the responder device 202 as the device from which the message was originated).  
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of ‘Cavendish’ into the teachings of ‘Bouda’, with a motivation to generate the request for device authentication, as taught by Cavendish, in order to securely control and transmit data between devices such as between server and mobile device, and further avoid/inhibit a possible attack; Cavendish, Para. [0044 & 0078].

Regarding claim 15, Bouda as modified by Cavendish teaches the apparatus of claim 13, wherein Bouda as modified by Cavendish further teaches the establishing the persistent connection based on the session identifier comprises (Bouda, Para. [0006 and/or 0017], discloses that the mobile device receives and validates the session identifier with the activation session identifier, and as disclosed in Cavendish, Para. [0051], to establish a connection between initiator and responder devices, and to further ensure that the initiator and responder devices remain awake for the remaining exchange): 
generating a session establishment message based on the session identifier; and sending the session establishment message to verify that a session is trusted (Cavendish, Para. [0058], discloses that in every message ) and establish the corresponding persistent connection (Cavendish, Para. [0054], discloses that the generation and transmission of the TM Request message 210 and/or of the ACK message 220 are, in some embodiments, optional, and generally used to establish which of the devices is the initiator and which is the responder, as well as to configure the devices to be in active mode and to expect (and thus respond to) messages from their counterpart device).  
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of ‘Cavendish’ into the teachings of ‘Bouda’, with a motivation to send the session establishment message to verify that a session is trusted and establish the corresponding persistent connection, as taught by Cavendish, in order to securely control and transmit data between devices such as between server and mobile device, and further avoid/inhibit a possible attack; Cavendish, Para. [0044 & 0078].

Regarding claim 16, Bouda as modified by Cavendish teaches the apparatus of claim 13, wherein Bouda further teaches the transmitting, through the persistent connection, the data encrypted by using the communication key comprises (Bouda, Para. [0018 and/or 0051], discloses that the mobile device extracts the mobile device session transport key (msTK), and encrypts the transaction data using the mobile device session transport key ((msTK); wherein msTK includes a session identifier and a derived session key for the AES mobile device transport key (mTK)) and sends the encrypted data to the server): 
However Bouda fails to disclose but Cavendish further teaches determining a corresponding message signature based on a communication parameter of the data and the communication key (Cavendish, Para. [0055], discloses to determine a signed message 230 that includes a non-signature portion, including a payload, and a signature portion corresponding to a hash value produced via a selected hash function that uses the payload of the message 230 and the secret cryptographic key associated with the signing device (in such embodiments, a dedicated hash function is realized that takes as input the payload of the message and the secret cryptographic key to produce the resultant hash value constituting the signature)); 
encrypting the data in accordance with an encryption algorithm (Cavendish, Para. [0088], discloses that the sending device may use a public key associated with the destination (receiving) device to encrypt the data, to thus allow only the receiving device to be able to decrypt the encrypted data (using the private key stored at the receiving device)); 
using the encrypted data and the corresponding message signature to form a communication message; and transmitting the communication message through the persistent connection (Cavendish, Para. [0088], discloses that at least some of the payload included in the second signed messages (and/or in any of the other messages exchanged between the devices) may ).  
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of ‘Cavendish’ into the teachings of ‘Bouda’, with a motivation to transmit the communication message through the persistent connection, as taught by Cavendish, in order to securely control and transmit data between devices such as between server and mobile device, and further avoid/inhibit a possible attack; Cavendish, Para. [0044 & 0078].

Regarding claim 17, Bouda as modified by Cavendish teaches the apparatus of claim 16, wherein Bouda fails to disclose but Cavendish further teaches the determining the corresponding message signature based on the communication parameter of the data and the communication key comprises: using the communication parameter and the time information of the data as the signature contents; using the communication key as the signature key; and calculating the corresponding message signature based on the signature key and the signature contents (Cavendish, Para. [0055], discloses that the signed message’s signature block (denoted as STM_1 message 230) may be generated by using a secret cryptographic key (also referred to as K.sub.au) when applying a hash function (e.g., SHA-128, SHA-256, or any other type of hash function) to a payload of the message ).  
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of ‘Cavendish’ into the teachings of ‘Bouda’, with a motivation to calculate the corresponding message signature based on the signature key and the signature contents, as taught by Cavendish, in order to securely control and transmit data between devices such as between server and mobile device, and further avoid/inhibit a possible attack; Cavendish, Para. [0044 & 0078].

Regarding claim 18, Bouda as modified by Cavendish teaches the apparatus of claim 16, wherein Bouda as modified by Cavendish further teaches: the encrypting the data in accordance with an encryption algorithm comprises encrypting the data by using the communication key in accordance with the encryption algorithm to obtain encrypted service data (Bouda, Para. [0018 and/or 0051], discloses that the mobile device extracts the mobile device session transport key (msTK), and encrypts the transaction data using the mobile device session transport key ((msTK); wherein msTK includes a session identifier and a derived session key for the AES mobile device transport key (mTK)), and as disclosed in Cavendish, Para. [0088], the sending device may use a public key associated with the destination (receiving) device to encrypt the data, to thus allow only the receiving device to be able to decrypt the encrypted data (using the private key stored at the receiving device)); and the using the encrypted data and the corresponding message signature to form the communication message comprises: adding the encrypted data to the communication message (Cavendish, Para. [0088], discloses that at least some of the payload included in the second signed messages (and/or in any of the other messages exchanged between the devices) may be encrypted (independently of the cryptographic generation of the signatures)); and adding the message signature, the communication parameter, and the time information to a payload of the communication message (Cavendish, Para. [0055], discloses that the signed message 230 thus includes a non-signature portion, including a payload (i.e., timestamp), and a signature portion corresponding to a hash value produced via a selected hash function that uses the payload of the message 230 and the secret cryptographic key associated with the signing device (in such embodiments, a dedicated hash function is realized that takes as input the payload of the message and the secret cryptographic key to produce the resultant hash value constituting the signature)).  
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of ‘Cavendish’ into the teachings of ‘Bouda’, with a motivation to add the message signature, the communication parameter, and the time information to a payload of the communication message, as taught by Cavendish, in order to securely control and transmit data 

Regarding claim 19, Bouda as modified by Cavendish teaches the apparatus of claim 13, wherein the acts further comprise: receiving a communication message through the persistent connection; verifying a message signature of the communication message based on the communication key (Cavendish, Para. [0055], discloses that a destination device receiving the signed message can verify the received message (e.g., verify that the hash value was in fact produced by the peer device using the data in the payload and using the correct secret cryptographic key)); and decrypting the communication message by using the communication key after the message signature verification is successful (Cavendish, Para. [0055-0056], discloses to further decrypt the received message by using the secret cryptographic key and/or an asymmetric key, in response to the received signed message is deemed to have been authenticated).  
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of ‘Cavendish’ into the teachings of ‘Bouda’, with a motivation to verify the message signature of the communication message based on the communication key and decrypt the communication message by using the communication key after the message signature verification is successful, as taught by Cavendish, in order to securely control and transmit data between devices such as between server and mobile device, and further avoid/inhibit a possible attack; Cavendish, Para. [0044 & 0078].

Claims 7-8 are rejected under 35 U.S.C. 103 as being unpatentable over BOUDA in view of Cavendish, as applied above, and further in view of Birrell, Andrew D. et al. (US 2005/0210258 A1), hereinafter (Birrell).

Regarding claim 7, Bouda as modified by Cavendish teaches the method of claim 6, further comprising: wherein Bouda as modified by Cavendish fails to disclose but Birrell teaches validating whether the communication message is a received message based on time information (Birrell, Para. [0010], discloses a timestamp based authentication check for the received digital object(s) whether the received digital object(s) are legitimate or not, and as disclosed in Para. [0012], wherein the digital object is an electronic mail message); 
discarding the communication message in response to determining that the communication message is the received message (Birrell, Abstract, discloses that if the identifier already appears in the database, the received message can be automatically removed from the recipient's computer, and/or see also Para. [0010], discloses that if the identifier is not unique, then it may already appear in the database, and the received object can be automatically removed from the recipient's computer); and 
updating a corresponding validation set in response to determining that the communication message is not the received message (Birrell, Para. [0037], the cancellation server 222 then adds the unique identifier and timestamp to the database 224 to prevent future messages from using the particular puzzle, after the cancellation server 222 verifies that the recipient's unique identifier does not exist in the database 224).  

Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of ‘Birrell’ into the teachings of ‘Bouda’ as modified by ‘Cavendish’, with a motivation to validate whether the communication message is a received message based on the time information, as taught by Birrell, in order to reduce unwanted behavior, such as sending unsolicited electronic messages, over a computer network, such as the Internet; Birrell, Para. [0001].

Regarding claim 8, Bouda as modified by Cavendish in view of Birrell teaches the method of claim 7, wherein Bouda as modified by Cavendish fails to disclose but Birrell further teaches the validating whether the communication message is the received message based on the time information comprises (Birrell, Para. [0010], discloses a timestamp based authentication check for the received digital object(s) whether the received digital object(s) are legitimate or not, and as disclosed in Para. [0012], wherein the digital object is an electronic mail message): 
obtaining the time information from the communication message (Birrell, Para. [0012], discloses the step of receiving the timestamp associated with the recipient's puzzle); 
calculating a hash value corresponding to the time information (Birrell, Para. [0012], discloses information derived from the timestamps, and/or see also Para. ); 
determining whether the hash value is in a validation set (Birrell, Para. [0012], discloses to check/verify whether the timestamp or information derived from the timestamp exists in the database 224); 
determining that the communication message is the received message in response to determining that the hash value is in the validation set (Birrell, Para. [0010], discloses that if the identifier is not unique, then it may already appear in the database, and the received object can be automatically removed from the recipient's computer, and/or see also Para. [0013], discloses that the puzzle checker further executes the steps of confirming whether the timestamp (or information derived from the timestamp) is within a threshold range, and removing the digital object if the timestamp is outside the threshold range); and  
determining that the communication message is not the received message in response to determining that the hash value is not in the validation set (Birrell, Para. [0012], wherein the entry to be stored in the at least one database if the query fails further comprises the timestamp or information derived from the timestamp).  
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of ‘Birrell’ into the teachings of ‘Bouda’ as modified by ‘Cavendish’, with a motivation to validate whether the communication message is a received message based on the time information, as taught by Birrell, in order to reduce unwanted behavior, such as sending .
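
Added example (not part of this Office action, the application, or the cited references): a Python sketch of the message flow recited in claims 16-19 and 7-8, in which the communication key signs the communication parameter and time information, and the receiver verifies the signature, checks a hash of the time information against a validation set, and only then releases the data for decryption. The field names, HMAC-SHA-256, the 30-second window, and the inclusion of the ciphertext in the signed contents are assumptions of this example; the ciphertext is treated as opaque bytes.

```python
import hashlib
import hmac
import time

MAX_SKEW_NS = 30 * 10**9  # assumed freshness window (30 s), not taken from the cited art


def _mac_input(comm_param: bytes, time_info: bytes, ciphertext: bytes) -> bytes:
    # Length-prefix each field so two different field splits never serialize alike.
    fields = (comm_param, time_info, ciphertext)
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def _sign(comm_key: bytes, comm_param: bytes, time_info: bytes, ciphertext: bytes) -> bytes:
    # Signature key = communication key; contents = parameter + time information.
    # Covering the ciphertext as well is an assumption added in this example.
    return hmac.new(comm_key, _mac_input(comm_param, time_info, ciphertext),
                    hashlib.sha256).digest()


def build_message(comm_key, comm_param, ciphertext, now_ns=None):
    """Sender side: attach time information and the keyed signature."""
    time_info = str(time.time_ns() if now_ns is None else now_ns).encode()
    return {"param": comm_param, "time": time_info, "data": ciphertext,
            "sig": _sign(comm_key, comm_param, time_info, ciphertext)}


class Receiver:
    def __init__(self, comm_key: bytes):
        self._key = comm_key
        self.validation_set = set()  # hashes of time information already accepted

    def accept(self, msg, now_ns=None):
        """Return (verdict, ciphertext or None); decrypt only on 'accepted'."""
        expected = _sign(self._key, msg["param"], msg["time"], msg["data"])
        # 1. Authenticate first, so forged messages cannot fill the validation set.
        if not hmac.compare_digest(expected, msg["sig"]):
            return ("bad-signature", None)
        # 2. Freshness: bounds how long an entry must stay in the validation set.
        now = time.time_ns() if now_ns is None else now_ns
        if abs(now - int(msg["time"].decode())) > MAX_SKEW_NS:
            return ("stale", None)
        # 3. Replay: hash of the time information, looked up in the validation set.
        #    Assumes the sender never reuses a timestamp within one session.
        tag = hashlib.sha256(msg["time"]).digest()
        if tag in self.validation_set:
            return ("replay", None)
        self.validation_set.add(tag)
        return ("accepted", msg["data"])
```
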

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over BOUDA; Mohammed (US 2018/0047023 A1; PCT Filed On: March 3, 2016), hereinafter (Bouda), in view of Marc E Mosko (JP 2015-149716 A; Published On: Aug 20, 2015), hereinafter (Mosko).

Regarding claim 20, Bouda teaches one or more memories storing computer readable instructions that, executable by one or more processors, cause the one or more processors to perform acts comprising (Bouda, Para. [0064-0065], discloses “storage” type media include any or all of the memory comprising (a transitory and/or non-transitory) computer/machine readable medium carrying one or more sequences of one or more instructions to a processor for execution): 
sending a session parameter (Bouda, Para. [0018 and/or 0050], discloses that the server sends the generated mobile device session transport key (msTK; hereinafter represents as a session parameter) to the mobile device), the session parameter comprising a session identifier and a secret key (Bouda, Para. [0050], discloses that the server derives 210 a mobile device transport session key (msTK) is a key that is generated independently on both the server and the mobile application, and is based on the server generated session identifier (ID) and the mutually established mobile device transport key (mTK; hereinafter represents as a secret key));  
establishing a connection based on the session parameter (Bouda, Para. [0001-0002], discloses for processing secure transactions using a mobile device, and );
receiving encrypted data through the connection (Bouda, Para. [0018 and/or 0051], discloses that the mobile device extracts the mobile device session transport key (msTK), and encrypts the transaction data using the mobile device session transport key ((msTK); wherein msTK includes a session identifier and a derived session key for the AES mobile device transport key (mTK)) and sends the encrypted data to the server); and 
parsing the encrypted data based (Bouda, Para. [0018 and/or 0052], discloses that the server decrypts the received encrypted transaction data using the mobile device transport session key ((msTK); wherein msTK is a key that is based on the server generated session identifier (ID) and the mutually established mobile device transport key (mTK), as disclosed in Para. [0050]), and verifies the decrypted transaction data).
Bouda fails to explicitly disclose but Mosko teaches parsing the encrypted data based, at least in part, on the secret key of the session parameter (Mosko, PDF Page 8 (4th Paragraph), discloses to decrypt the payload of the content object by obtaining a session identifier and a decryption key (e.g., a secret key) corresponding to the content object, and as disclosed in PDF Page 6 (2nd Paragraph), wherein the content creator (server) can generate a session key (hereinafter session parameter) based on the session identifier and the secret (key)).

Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of ‘Mosko’ into the teachings of ‘Bouda’, with a motivation to parse the encrypted data based, at least in part, on the secret key of the session parameter, as taught by Mosko, in order to establish a secure network connection for securely processing/transmitting content data between devices such as between server and mobile device; Mosko, PDF Page 2 (1st Paragraph) and PDF Page 6 (2nd & 4th Paragraph).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALI CHEEMA, whose telephone number is 571-272-1239. The examiner can normally be reached on 8AM-4PM (EST) Monday-Friday. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached on 571-272-7624.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ALI CHEEMA/
Examiner, Art Unit 2496

/JORGE L ORTIZ CRIADO/
Supervisory Patent Examiner, Art Unit 2496