DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This office action is in response to the amendment filed on 03/18/2022. Claims 1 – 20 are pending for consideration. 

Information Disclosure Statement
The information disclosure statement (IDS) dated 05/16/2022 has been received and considered.

Response to Arguments
Applicant’s arguments with respect to claims 1 – 20 have been fully considered but they are not persuasive.
On p. 9 of the Arguments/Remarks dated by 03/18/2022 (hereafter Remarks) Applicant stated that Goldfarb, however, fails to reasonably teach, suggest, or disclose generating a data set associated with a first credential information stored by a first entity in a first data storage medium, or submitting the data set to a data provider over a computing network to validate the first credential information, where the data provider analyzes the data set to determine whether a match is found for the first credential information based on second credential information known to have been compromised
On p. 9 Applicant further stated in Remarks that the Examiner has presented no evidence to support such teachings in the cited portions of Goldfarb as being inherent.
Examiner respectfully disagrees. Additional comments are added to Examiner notes clarifying prior art excerpts cited in OA thus providing the requested interpretation of the prior art teaching. In particular, the recited above limitation of claim 1, i.e. generating a data set associated with a first credential information, is met by the creation of the full text representation of a user credential, Goldfarb, Para. [191]. Other arguments of the Remarks are moot in view of new ground of rejection.
Accordingly claims 1 – 20 are rejected under 103.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1 – 20 are rejected under 35 U.S.C. 103 as being unpatentable over Goldfarb et al. (US 2017/0364700) (hereafter Goldfarb) and in view of Vazquez et al. (US 9640001) (hereafter Vazquez).

Regarding claim 1 Goldfarb teaches: A data validation method comprising: generating a data set associated with a first credential information (Examiner note: first credential information is met by the full text representation of a user credential, like user names and passwords) (Goldfarb, in Para. [0190] discloses “Often system access credentials, like user names and passwords, are particularly sensitive, as entire accounts may be compromised if such information is subject to unauthorized access” Goldfarb, in Para. [0191] discloses “Some embodiments interface with blockchains as a storage data structure with an arbiter or other piece of middleware that is capable of taking as an input the full text representation of a user credential, starting from the last byte of that credential, fragmenting that credential into N pieces”);  
[stored by a first entity in a first data storage medium;]
submitting the data set to a data provider over a computing network to validate the first credential information (Goldfarb, in Para. [0226] discloses “Some embodiments of the process 230 may include validating the tamper-evident log, as indicated by 240. Validation may include determining whether the tamper evident log indicates that logged entries have been modified after being logged.”),
the data provider analyzing the data set to determine whether a match is found for the first credential information based on second credential information known to have been compromised, (Examiner note: data analysis is met by the hashed data values comparative analysis) (Goldfarb, in Para. [0228] discloses “the process 230 includes determining whether the validation operation evinces tampering, as indicated by block 241, for example indicating a mismatch between cryptographic hash values within a directed acyclic graph.”);
[the second credential information stored by a second entity other than the first entity on a second data storage medium, the second data storage medium remotely located with respect to the first data storage medium;] 
[and in response to a match being found, determining whether the first credential information has been potentially compromised and prompting an update of the first credential information stored on the first data storage medium to third credential information different from the first credential information.]
Goldfarb fails to explicitly teach:
stored by a first entity in a first data storage medium;
the second credential information stored by a second entity other than the first entity on a second data storage medium, the second data storage medium remotely located with respect to the first data storage medium
and in response to a match being found, determining whether the first credential information has been potentially compromised and prompting an update of the first credential information stored on the first data storage medium to third credential information different from the first credential information.
Vazquez from the analogous technical field teaches:  
stored by a first entity in a first data storage medium (Examiner note: the first, second etc. storage mediums are met by the one or more mass storage devices) (Vazquez in col. 20, ll. 54-56 discloses “a computer will also include, or be operatively coupled to communicate with, one or more mass storage devices for storing data files”);
the second credential information stored by a second entity other than the first entity on a second data storage medium, the second data storage medium remotely located with respect to the first data storage medium (Examiner note: the first and the second sets of credential information are met by a creation of the first and the second sets of alphanumerical characters that are generated by timing device and that correspond to respective data sets of user credential information; storage of first, second, etc. sets in respective data storage medium is met by storage of first, second etc. sets in the above mentioned mass storage devices through suitable interface) (Vazquez in col. 3, ll. 7-13 discloses “The actions then include generating a second set of alphanumeric characters comprising data corresponding to the key, the credential identifier, and the second time from the timing device and determining that the second set of alphanumeric characters matches the first set of alphanumeric characters.” Vazquez in col. 7, ll. 46-48 discloses “Any suitable interface can be used that enables the creation and storage of credentials, and user accounts”);
and in response to a match being found, determining whether the first credential information has been potentially compromised and prompting an update of the first credential information stored on the first data storage medium to third credential information different from the first credential information. (Examiner note: determination if a respective credential information set is compromised is met by validation of respective alphanumerical character sets corresponding to the relevant credential information, as noted above, that could be updated; storage of the first, second, and third sets of credential information is met by the storage of respective credential data sets in one or more storage devices) (Vazquez in col. 13, ll. 59-63 discloses “If the generated set of alphanumeric characters matches the set of alphanumeric characters from the validation request message, then the server 630 can generate a validation response message indicating that the time-varying representation of the credential was validated” Vazquez in col. 20, ll. 54-56 discloses “a computer will also include, or be operatively coupled to communicate with, one or more mass storage devices for storing data files” Vazquez in col. 19, ll. 37-39 discloses “the client device 602, 604 may periodically update the representation for the credential at a predetermined frequency”).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Goldfarb, in view of the teaching of Vazquez which discloses a validation system of user credentials based on creation of different data sets followed by comparative analysis and verification using timing system in order to achieve efficient and secure user credential verification (Vazquez, [col. 3, ll. 7-13, col. 7, ll. 46-48, col. 13, ll. 59-63, col. 19, ll. 37-39, col. 20, ll. 54-56]).

Regarding claim 2 Goldfarb, as modified by Vazquez, teaches: The method of claim 1 further comprising requesting a user associated with the first credential information to update the first credential information, in response to confirming that the first credential information has been compromised (Examiner note: update of the first credential information is met by modifying the log comprising logged entries, i.e. user names and passwords) (Goldfarb, in Para. [0225] discloses “Some embodiments may store the tamper-evident log in memory, as indicated by block 238, which in some cases may include adding a new entry or modifying an entry in a tamper-evident log already stored in memory

Regarding claim 3 Goldfarb, as modified by Vazquez, teaches: The method of claim 1, wherein the data set comprises a cryptographic hash of at least a part of the first credential information (Goldfarb, in Para. [0006] discloses “the tamper-evident log defines one or more sequences of cryptographic hash values based on earlier logged entries”).

Regarding claim 4 Goldfarb, as modified by Vazquez, teaches: The method of claim 3, wherein the data provider searches a series of hash values to find a match for the cryptographic hash (Goldfarb, in Para. [0226] discloses “some embodiments may compare that cryptographic hash value to a cryptographic hash value stored in an adjacent node in one of the above-described directed acyclic graphs to determine whether the cryptographic hash values match or, if they do not match, indicate that the record was modified”).

Regarding claim 5 Goldfarb, as modified by Vazquez, teaches: The method of claim 4, wherein the series of hash values comprise a hash of at least a part of the second credential information known to have been compromised (Examiner note: the second, i.e. compromised, credential information is met by the tamper-evident log) (Goldfarb, in Para. [0223] discloses “the record may be stored outside of the tamper-evident log, and a cryptographic hash of the record and a timestamp of the record may be stored as node content of one of the above described tamper-evident directed acyclic graphs having cryptographic hash pointers as edges”).

Regarding claim 6 Goldfarb, as modified by Vazquez, teaches: The method of claim 1 further comprising storing information associated with the match found in a cache locally available to a customer credential system of an institution responsible for safeguarding the first credential information (Goldfarb, in Para. [0115] discloses “some embodiments may recalculate the cryptographic hash values for each cryptographic hash pointer along each path to each document and determine whether the recalculate cryptographic hash values match those stored as node attributes of nodes storing the respective cryptographic hash pointers”).

Regarding claim 7 Goldfarb, as modified by Vazquez, teaches: The method of claim 6, wherein a splitter is utilized to provide the information associated with the match found to one or more of the cache or the customer credential system of the institution responsible for safeguarding the first credential information (Examiner note: data splitting is met by the data fragmentation) (Goldfarb, in Para. [0191] discloses “Some embodiments interface with blockchains as a storage data structure with an arbiter or other piece of middleware that is capable of taking as an input the full text representation of a user credential, starting from the last byte of that credential, fragmenting that credential into N pieces, and placing each piece on a physically (or virtually) separate blockchain backed storage data structure, with each piece containing pointers to the next storage locations of the fragmented credential.”).

Regarding claim 8 Goldfarb, as modified by Vazquez, teaches: The method of claim 2, wherein the match is found by comparing a partial hash of the first credential information with a partial hash of the second credential information known to have been compromised (Goldfarb, in Para. [0226] discloses “some embodiments may compare that cryptographic hash value to a cryptographic hash value stored in an adjacent node in one of the above-described directed acyclic graphs to determine whether the cryptographic hash values match or, if they do not match, indicate that the record was modified”).

Regarding claim 9 Goldfarb, as modified by Vazquez, teaches: The method of claim 8, wherein in response to the match being found, a full hash value of the second credential information known to have been compromised is received (Examiner note: as noted above, the second, i.e. compromised, credential information is met by the tamper-evident log) (Goldfarb, in Para. [0181] discloses “an initial node or block in those tamper-evident logs may include a cryptographic hash pointer to the older tamper-evident log, for example, a cryptographic hash value based on a root node of a newest block of a consecutively older tamper-evident log.” Goldfarb, in Para. [0193] discloses “Executing the process 200 in a client computing device, before data leaves the client computing device, or upon data arriving into the client computing device, is expected to yield certain security benefits in some use cases, where for example, the database that the workload application executing on the client computing device is configured to access has been compromised.” Goldfarb, in Para. [0226] discloses “a sequence of cryptographic hash values based upon one another may be calculated to determine which match”).

Regarding claim 10 Goldfarb, as modified by Vazquez, teaches: The method of claim 9 further comprising: comparing the full hash value of the second credential information with the full hash value of the first credential information to confirm the first credential information has been compromised (Goldfarb, in Para. [0226] discloses “some embodiments may compare that cryptographic hash value to a cryptographic hash value stored in an adjacent node in one of the above-described directed acyclic graphs to determine whether the cryptographic hash values match or, if they do not match, indicate that the record was modified” Goldfarb, in Para. [0193] discloses “Executing the process 200 in a client computing device, before data leaves the client computing device, or upon data arriving into the client computing device, is expected to yield certain security benefits in some use cases, where for example, the database that the workload application executing on the client computing device is configured to access has been compromised.”).

Regarding claim 11, claim 11 discloses a system that is substantially equivalent to the method of claim 1. Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 11 and rejected for the same reasons.

Regarding claim 12, claim 12 dependent on claim 11 discloses a system that is substantially equivalent to the method of claim 2 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 2 are equally applicable to claim 12 and rejected for the same reasons.

Regarding claim 13, claim 13 dependent on claim 11 discloses a system that is substantially equivalent to the method of claim 3 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 3 are equally applicable to claim 13 and rejected for the same reasons.

Regarding claim 14, claim 14 dependent on claim 13 discloses a system that is substantially equivalent to the method of claim 4 dependent on claim 3. Therefore, the arguments set forth above with respect to claim 4 are equally applicable to claim 14 and rejected for the same reasons.

Regarding claim 15, claim 15 dependent on claim 14 discloses a system that is substantially equivalent to the method of claim 5 dependent on claim 4. Therefore, the arguments set forth above with respect to claim 5 are equally applicable to claim 15 and rejected for the same reasons.

Regarding claim 16, claim 16 dependent on claim 11 discloses a system that is substantially equivalent to the method of claim 6 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 6 are equally applicable to claim 16 and rejected for the same reasons.

Regarding claim 17, claim 17 dependent on claim 16 discloses a system that is substantially equivalent to the method of claim 7 dependent on claim 6. Therefore, the arguments set forth above with respect to claim 7 are equally applicable to claim 17 and rejected for the same reasons.

Regarding claim 18, claim 18 discloses a product that is substantially equivalent to the method of claim 1. Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 18 and rejected for the same reasons.

Regarding claim 19, claim 19 dependent on claim 18 discloses a product that is substantially equivalent to the method of claim 8 dependent on claim 2. Therefore, the arguments set forth above with respect to claim 8 are equally applicable to claim 19 and rejected for the same reasons.

Regarding claim 20 Goldfarb, as modified by Vazquez, teaches: The computer program product of claim 19, further comprising: in response to the match being found, receiving a full hash value of the second credential information known to have been compromised (Examiner note: as noted above, the second, i.e. compromised, credential information is met by the tamper-evident log) (Goldfarb, in Para. [0181] discloses “an initial node or block in those tamper-evident logs may include a cryptographic hash pointer to the older tamper-evident log, for example, a cryptographic hash value based on a root node of a newest block of a consecutively older tamper-evident log.” Goldfarb, in Para. [0193] discloses “Executing the process 200 in a client computing device, before data leaves the client computing device, or upon data arriving into the client computing device, is expected to yield certain security benefits in some use cases, where for example, the database that the workload application executing on the client computing device is configured to access has been compromised.” Goldfarb, in Para. [0226] discloses “a sequence of cryptographic hash values based upon one another may be calculated to determine which match”); 
and comparing the full hash value of the second credential information with the full hash value of the first credential information to confirm the first credential information has been compromised (Goldfarb, in Para. [0226] discloses “some embodiments may compare that cryptographic hash value to a cryptographic hash value stored in an adjacent node in one of the above-described directed acyclic graphs to determine whether the cryptographic hash values match or, if they do not match, indicate that the record was modified” Goldfarb, in Para. [0193] discloses “Executing the process 200 in a client computing device, before data leaves the client computing device, or upon data arriving into the client computing device, is expected to yield certain security benefits in some use cases, where for example, the database that the workload application executing on the client computing device is configured to access has been compromised.”).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure is listed on the enclosed PTO-892 form.
Applicant's amendment necessitated the new ground(s) of rejection presented in
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37
CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE
MONTHS from the mailing date of this action. In the event a first reply is filed within
TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VLADIMIR IVANOVICH GAVRILENKO whose telephone number is (313) 446-6530.  The examiner can normally be reached on Monday-Friday 7:30-4:30 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Vladimir I. Gavrilenko/Examiner, Art Unit 2431      

/TRANG T DOAN/Primary Examiner, Art Unit 2431