DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

                                                      EXAMINER’S AMENDMENT

An examiner’s amendment to the record appears below. Should the changes and/or
additions be unacceptable to Applicant, an amendment may be filed as provided by 37 CFR 1.312.  To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this Examiner’s Amendment was given in a telephone interview with
Applicant’s representative, Sang Yoon Kang (Reg. No.: 75,762) has agreed and authorized the
Examiner to amend claims 1, 5, 8, and 10; cancel claims 11-12.
The application has been amended as follows:

                                                        Claims
1.  (Currently Amended) A system for authenticating a device through an Internet of Things (IoT) cloud by using a hardware security module, the system comprising:
an IoT device connectable to the IoT cloud which is configured to provide an IoT service; and
the hardware security module configured to 
	be connected to the IoT device, and 

wherein the IoT device is configured to
	transmit, when the IoT device is onboarding on the IoT cloud, a first device identifier to an authentication server through the IoT cloud in order to register the IoT device in the authentication server, and
	transmit a certificate generation request including the public key and a second device identifier to the authentication server through the IoT cloud in order to generate a device certificate,
wherein the authentication server is configured to
	match the first device identifier and the second device identifier, and
	generate the device certificate in response to the match of the first device identifier and the second device identifier
wherein the authentication server is configured to generate a signed device certificate by signing the generated device certificate, 
wherein the IoT device is further configured to receive the signed device certificate generated by the authentication server according to the certificate generation request,
wherein the hardware security module comprises a security storage configured to store the private key and the device certificate, [[and]]
wherein the security storage is further configured to prevent an external device from accessing a non-allowed storage area of the security storage, and
wherein the device certificate includes the first device identifier, the second device identifier, a hardware chip identifier of a hardware chip installed in the IoT device, a random
number, a transaction identifier which is generated according to an order of the certificate generation request received by the authentication server, a valid time, which indicates validity of the device certificate, a valid number of times, which indicates a number of times that the IoT device in which the device certificate is stored may communicate with a gateway installed at a specific location to be used at the specific location, an access control policy, which indicates the gateway that is accessible by the IoT device, and an encryption algorithm, which is an algorithm used for the authentication server to encrypt the device certificate.

2. (Canceled)
3. (Canceled) 
5.  (Currently Amended)  A hardware security module for supporting device authentication through an Internet of Things (IoT) cloud, the hardware security module comprising:
a microcontroller unit (MCU) including an input and output module connected to an IoT device connectable to the IoT cloud; and
a hardware security element configured to generate a pair of public and private keys for authenticating the IoT device,
wherein the hardware security element is configured to 
	transmit, when the IoT device is onboarding on the IoT cloud, a first device identifier to an authentication server through the IoT cloud in order to register the IoT device in the authentication server, and

wherein the authentication server is configured to
	match the first device identifier and the second device identifier, and
	generate the device certificate in response to the match of the first device identifier and the second device identifier
wherein the authentication server is configured to generate a signed device certificate by signing the generated device certificate, 
wherein the IoT device is further configured to receive the signed device certificate generated by the authentication server according to the certificate generation request, 
wherein the hardware security module comprises a security storage configured to store the private key and the device certificate, [[and]]
wherein the security storage is further configured to prevent an external device from accessing a non-allowed storage area of the security storage, and
wherein the device certificate includes the first device identifier, the second device identifier, a hardware chip identifier of a hardware chip installed in the IoT device, a random number, a transaction identifier which is generated according to an order of the certificate generation request received by the authentication server, a valid time, which indicates validity of the device certificate, a valid number of times, which indicates a number of times that the IoT device in which the device certificate is stored may communicate with a gateway installed at a specific location to be used at the specific location, an access control policy, which indicates the gateway that is accessible by the IoT device, and an encryption algorithm, which is an algorithm used for the authentication server to encrypt the device certificate.

6. (Canceled) 
7. (Canceled)
8.  (Currently Amended)  A method of authenticating a device through an Internet of Things (IoT) cloud by using a hardware security module, the method comprising:
providing an IoT device connectable to the IoT cloud which provides an IoT service;
generating, by the hardware security module connected to the IoT device, a pair of public and private keys for authenticating the IoT device; 
transmitting, by the IoT device, when the IoT device is onboarding on the IoT cloud, a first device identifier to an authentication server through the IoT cloud in order to register the IoT device in the authentication server; and
transmitting, by the IoT device, a certificate generation request including the public key and a second device identifier to the authentication server through the IoT cloud in order to generate a device certificate,
wherein the authentication server is configured to
	match the first device identifier and the second device identifier, and
	generate the device certificate in response to the match of the first device identifier and the second device identifier

wherein the IoT device is further configured to receive the signed device certificate generated by the authentication server according to the certificate generation request, 
wherein the hardware security module comprises a security storage configured to store the private key and the device certificate, [[and]]
wherein the security storage is further configured to prevent an external device from accessing a non-allowed storage area of the security storage, and
wherein the device certificate includes the first device identifier, the second device identifier, a hardware chip identifier of a hardware chip installed in the IoT device, a random number, a transaction identifier which is generated according to an order of the certificate generation request received by the authentication server, a valid time, which indicates validity of the device certificate, a valid number of times, which indicates a number of times that the IoT device in which the device certificate is stored may communicate with a gateway installed at a specific location to be used at the specific location, an access control policy, which indicates the gateway that is accessible by the IoT device, and an encryption algorithm, which is an algorithm used for the authentication server to encrypt the device certificate.

9.  (Canceled)  
10.  (Currently Amended)  A non-transitory computer-readable storage medium storing at least one program configured to be executed by at least one processor of a computing device, wherein the at least one program comprises instructions for performing a method comprising:

generating, by a hardware security module connected to the IoT device, a pair of public and private keys for authenticating the IoT device; 
transmitting, by the IoT device, when the IoT device is onboarding on the IoT cloud, a first device identifier to an authentication server through the IoT cloud in order to register the IoT device in the authentication server; and
transmitting, by the IoT device, a certificate generation request including the public key and a second device identifier to the authentication server through the IoT cloud in order to generate a device certificate,
wherein the authentication server is configured to
	match the first device identifier and the second device identifier, and
	generate the device certificate in response to the match of the first device identifier and the second device identifier

wherein the authentication server is configured to generate a signed device certificate by signing the generated device certificate,
wherein the IoT device is further configured to receive the signed device certificate generated by the authentication server according to the certificate generation request, 
wherein the hardware security module comprises a security storage configured to store the private key and the device certificate, [[and]]
, and
wherein the device certificate includes the first device identifier, the second device identifier, a hardware chip identifier of a hardware chip installed in the IoT device, a random number, a transaction identifier which is generated according to an order of the certificate generation request received by the authentication server, a valid time, which indicates validity of the device certificate, a valid number of times, which indicates a number of times that the IoT device in which the device certificate is stored may communicate with a gateway installed at a specific location to be used at the specific location, an access control policy, which indicates the gateway that is accessible by the IoT device, and an encryption algorithm, which is an algorithm used for the authentication server to encrypt the device certificate.

11. (Canceled)
12. (Canceled)


                         Examiner’s Statement of Reasons for Allowance

Claims 1, 4-5, 8, and 10 are allowable.
The following is an Examiner’s statement of reasons for allowance:
A system and method for providing the authenticating a device through an
Internet of Things (IoT) cloud by using a hardware security module. The system includes an IoT device connectable to a cloud which provides an IoT service and a security module connected to 
The closest prior art is Loladia et al. (10,447,683).  Loladia discloses provisioning device-specific credentials to an Internet of Things device that accesses a cloud-based IoT service. The IoT service receives, from the IoT device, a request for device-specific credentials. The request comprises a provisioning certificate including information identifying a group of devices associated with the IoT device. The provisioning certificate is authenticated by evaluating the information with expected information. The device-specific credentials are generated based, at least in part, on the information provided in the provisioning certificate. The device-specific credentials are sent to the IoT device, and the IoT device installs and activates the device-specific credentials. The device-specific credentials are associated with the IoT device in a registry of the IoT service.
The closest prior art of Loladia et al. (10,447,683) does not disclose or suggest, “the authentication server is configured to match the first device identifier and the second device identifier, and generate the device certificate in response to the match of the first device identifier and the second device identifier, wherein the authentication server is configured to generate a signed device certificate by signing the generated device certificate, wherein the security storage is further configured to prevent an external device from accessing a non-allowed storage area of the security storage, and wherein the device certificate includes the first device identifier, the second device identifier, a hardware chip identifier of a hardware chip installed in the IoT device, a random number, a transaction identifier which is generated according to an order of the certificate generation request received by the authentication server, a valid time, which indicates validity of the device certificate, a valid number of times, which indicates a number of times that the IoT device in which the device certificate is stored may communicate with a gateway installed at a specific location to be used at the specific location, an access control policy, which indicates the gateway that is accessible by the IoT device, and an encryption algorithm, which is an algorithm used for the authentication server to encrypt the device”. 
The prior art of Pala (11,042,609) discloses registering and provisioning an electronic device is provided. The method includes a step of inserting a first keypair into a secure element of the electronic device. The first keypair includes a public key and a private key. The method further includes a step of requesting, from a remote server configured to register and provision connected devices, a provisioning of credentials of the electronic device. The method further includes a step of verifying, by the remote server, the electronic device credentials. The method further includes a step of registering, by the remote server, the electronic device. The method further includes a step of transmitting, from the remote server to the electronic device, a device certificate. The method further includes steps of installing the transmitted device certificate within the secure element of the electronic device, and provisioning the electronic device according to the installed device certificate.
The prior art of Pala (11,042,609) does not disclose or suggest, “the authentication server is configured to match the first device identifier and the second device identifier, and generate the device certificate in response to the match of the first device identifier and the second device identifier, wherein the authentication server is configured to generate a signed device certificate by signing the generated device certificate, wherein the security storage is further configured to prevent an external device from accessing a non-allowed storage area of the security storage, and wherein the device certificate includes the first device identifier, the second device identifier, a hardware chip identifier of a hardware chip installed in the IoT device, a random number, a transaction identifier which is generated according to an order of the certificate generation request received by the authentication server, a valid time, which indicates validity of the device certificate, a valid number of times, which indicates a number of times that the IoT device in which the device certificate is stored may communicate with a gateway installed at a specific location to be used at the specific location, an access control policy, which indicates the gateway that is accessible by the IoT device, and an encryption algorithm, which is an algorithm used for the authentication server to encrypt the device”.
	The non-patent literature of Corbett (Title: Understanding the AWS IoT Security Model) teaches an X.509 certificate is a document that is used to prove ownership of a public key.  To make a new certificate you need to create a certificate signing request and give it the CA.  The CSR is a digital document that contains your public key and other identifying information.  When you send a CSR to a CA it first validates that the identifying information you’ve supplied is correct.  Once the identity has been verified, the CA creates a certificate and signs it with a private key.  
However, the non-patent literature of Corbett does not teach or suggest, “the authentication server is configured to match the first device identifier and the second device identifier, and generate the device certificate in response to the match of the first device identifier and the second device identifier, wherein the authentication server is configured to generate a signed device certificate by signing the generated device certificate, wherein the security storage is further configured to prevent an external device from accessing a non-allowed storage area of the security storage, and wherein the device certificate includes the first device identifier, the second device identifier, a hardware chip identifier of a hardware chip installed in the IoT device, a random number, a transaction identifier which is generated according to an order of the certificate generation request received by the authentication server, a valid time, which indicates validity of the device certificate, a valid number of times, which indicates a number of times that the IoT device in which the device certificate is stored may communicate with a gateway installed at a specific location to be used at the specific location, an access control policy, which indicates the gateway that is accessible by the IoT device, and an encryption algorithm, which is an algorithm used for the authentication server to encrypt the device”

Any comments considered necessary by applicant must be submitted no later than the
payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance."

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JENISE E JACKSON whose telephone number is (571)272-3791. The examiner can normally be reached M-F 8:00am-4:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



3/16/2022


 /J.E.J/ Examiner, Art Unit 2439                                                                                                                                                                                                        


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439