DETAILED ACTION

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This action is in response to communication: response to preliminary amendment filed on 10/29/2020.
Claims 1-21 are currently pending in this application.  
The IDS filed on 10/29/2020 has been accepted.  
	
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.




Claims 1-21 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
The claims are generally narrative and indefinite, failing to conform with current U.S. practice.  They appear to be a literal translation into English from a foreign document and are replete with grammatical and idiomatic errors.  
For example, as per claim 1, the claims recite a method for mutual authentication of a device and a user. However, the claims really do not recite how such authentication is performed. How does the user authenticate the device? How does the device authenticate the user? The claims also seem to recite a preliminary user authentication step before a user may perform some type of standard operation. The claim continues to recite that if the device is not proven to be genuine, the user can prevent the execution “such that first the device and then the user are authenticated, and the operation and the service provided are secure.” No steps are provided on how this is performed. Further, the term “such that” is unclear, as the claims recite preventing an execution such that an authentication step is then taken before execution can then resume? The terms “such that” and “so as” included in claim 1 are unclear because the metes and bounds of the terms are unclear and it is unclear how the clauses limit the claimed invention. Other limitations are unclear in claim 1 as well. For example, the claim recites “the user can prevent execution of the operational phase.” It is unclear what the applicants are trying to limit as limiting the actions a person can do is not patentable.
As per claim 7, the claim is dependent on claim 5. The claim, however, refers to the preliminary question, which is found in dependent claim 4. It is unclear if claim 7 should be dependent on claim 4 or 5.
As per claim 10, the claim recites combining a preliminary configuration phase with an unlimited number of successive preliminary device phases. An unlimited number of successive preliminary device authentication phases is unclear as a system would continually be in an authentication phase.
All the claims are generally rejected under 112b for indefiniteness. The specific citations above are merely examples of the indefiniteness, and applicants are suggested to revise and amend the other claims to conform to patent law and practice.  

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-12 and 15-21 are rejected under 35 U.S.C. 103 as being unpatentable over Jakobsson US Patent Application Publication 2016/0241556 (Jakob), in view of Samuelsson et al US Patent Application Publication 2013/0347129 (Samuelsson).

As per claim 1, as best understood by the Examiner, Jakob teaches a method for the mutual authentication of a controllable function electronic device and of its user comprising a preliminary device configuration phase defining the modalities for verifying its authenticity; the user then being able to control the device such that it provides him with a determined service, the device containing sensitive or confidential data and being arranged so as - during an operational phase initiated by the user and including a preliminary user authentication step by the device to perform a specific operation appropriate to provide the service, the method further comprising, before any operational phase is performed, a preliminary device authentication phase in which the authenticity of the device is verified, such that: if, at the end of the preliminary device authentication phase, the device is proven to be genuine, the user can perform the operational phase, (abstract, paragraph 45-59 with mutual authentication of client device and user; user, before performing actions on device, needs to perform a preauthentication step; user is able to detect if website is fraudulent during authentication process as seen in paragraph 48; see paragraph 51 wherein the starting symbols may be set when user activates account; see paragraph 45 wherein device may be personal device or ATM; devices may be associated with financial services which contains sensitive or confidential data; see paragraph 51, 89, and throughout wherein access is granted after a user verifies device and device/service verifies user; see also paragraph 61 wherein correct starting symbols are only displayed after user has entered appropriate account identifier).
Jakob does not explicitly teach if, at the end of the preliminary device authentication phase, the device is not proven to be genuine, the user can prevent execution of the operational phase, such that first the device and then the user are authenticated, and the operation and the service provided are secure.  However, this would have been obvious, if not inherent.  Jakob in paragraph 48 and 67 teaches wherein a user may recognize a site is fraudulent if it does not look or feel familiar.  It would have been obvious, if not inherent, that user would not enter any sensitive information if the user realized the device/site was fraudulent.  However, for a further teaching of such obviousness, see Samuelsson (paragraph 57, wherein a user takes steps and alerts a user’s bank by phone). 
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of Samuelsson with Jakob.  One of ordinary skill in the art would have been motivated to perform such an addition to create more security by preventing phishing (paragraph 57).
As per claim 2, Jakob teaches wherein the preliminary device authentication phase is performed by the user (Jakob paragraph 46 with user interacting with security code). 
As per claim 3, Jakob teaches includes several operational phases over time, in which a preliminary device authentication phase is performed before each operational phase (Jakob paragraph 48 wherein preliminary device authentication phase occurs before operational phase each time; also see paragraph 43; see further Samuelsson paragraph 56 with alternative or additional validation steps).
As per claim 4, Jakob as modified teaches in which the preliminary device authentication phase performed by the user, is based on a question/answer authentication process, by means of a device authentication secret which involves a preliminary question from the user to the device and a preliminary answer to the preliminary question from the device to the user, the preliminary question and the preliminary answer being secret so as to be known or accessible only to the sole genuine user, such that the device is only genuine if, and only if, the user verifies that there is equivalence between the answer provided by the device to the preliminary question, and the preliminary answer (Samuelsson paragraph 55-57, wherein a user sends an identifier, and the device/webpage answers by displaying a secret on the webpage).
As per claim 5, Jakob as modified teaches wherein the preliminary configuration phase configures the device with the device authentication secret (Jakob paragraph 43 wherein starting symbols are obtained every time the account identifier is received from the device; paragraph 50 wherein the security interface may be configured/modified by user).
As per claim 6, Jakob as modified teaches wherein the preliminary configuration phase of the device is performed by the user (paragraph 50 wherein the user may modify/configure the preliminary configuration phase; see also paragraph 61 wherein user may set up/change the pre-authentication process).
As per claim 7, as best understood by the Examiner, Jakob as modified teaches such that the configuration of the device with the preliminary question and the preliminary answer is done using a question from the user, through a question-to-answer generation process (Samuelsson paragraphs 55-57 wherein input/question to answer/response is generated based on the user’s selection; secrets/identifiers are stored on a 1-1 relationship basis).
As per claim 8, as best understood by the Examiner, Jakob as modified teaches in which the preliminary device authentication phase is executed after the preliminary configuration phase has been executed, and under the condition that no other preliminary authentication phase or operational phase of the device has been executed in the meantime (Jakob paragraph 51 with authentication being generated once user first activates online account; see also paragraph 61 with user setting up the pre-authentication process).
As per claim 9, as best understood by the Examiner, Jakob as modified teaches in which the preliminary device authentication phase is executed after the preliminary configuration phase has been executed, and under the condition that one or more other preliminary authentication phases or operational phases of the device have been executed in the meantime (Jakob paragraph 51 with authentication being generated once user first activates online account; see paragraph 78 wherein authentication procedures may change the following time; see also paragraph 56 with alternative or additional validation steps).
As per claim 10, as best understood by the Examiner, the Jakob combination teaches a preliminary configuration phase is necessarily and sufficiently combined with either a single preliminary device authentication phase or a pre-set plurality of successive preliminary device authentication phase or an unlimited number of successive preliminary device authentication phases (Jakob paragraph 78 wherein when security code is changed, newly generated symbols are then associated with account identifier; see also Samuelsson paragraph 56 with alternative or additional validation steps).
As per claim 11, as best understood by the Examiner, the Jakob combination teaches wherein the preliminary step for the authentication of the user by the device is based on a user authentication secret which is an operational answer from the user to the device, which is secret so as to be known and accessible only to the sole genuine user, such that the authenticity of the user is proven if, and only if, the device verifies that there is equivalence between the answer provided by the user and the operational answer (Figure 12 wherein access is granted if security code is successfully authenticated).
As per claim 12, as best understood by the Examiner, Jakob teaches wherein the preliminary question and the operational answer are different (Samuelsson paragraphs 55-57).
Claim 15, as best understood by the Examiner, is rejected using the same basis of arguments used to reject claim 1 above. 
Claim 16, as best understood by the Examiner, is rejected using the same basis of arguments used to reject claim 1 above.  The devices taught by Jakob are functional devices.
Claim 17, as best understood by the examiner, is rejected using the same basis of arguments used to reject claim 4 above.  
Claim 18, as best understood by the Examiner, is rejected using the same basis of arguments used to reject claim 5 above.  Jakob also teaches utilizing a user authentication secret as well (paragraph 46).
Claim 19, as best understood by the Examiner, is rejected using the same basis of arguments used to reject claim 1 above. Implementing this on multiple devices is obvious to one of ordinary skill in the art. See further Jakob paragraph 52 wherein user may utilize multiple devices.
As per claim 20, as best understood by the Examiner, the Jakob combination teaches a plurality of electronic devices forming one or more function chains with one or more upstream devices and one or more downstream devices, in which, if, at the end of the prior authentication phase of an upstream device in a chain of devices, this device is proven to be genuine, the downstream devices in the same chain of devices are also authenticated, if at the end of the preliminary authentication phase of an upstream device in a chain of devices, this device is not proven to be genuine, the downstream devices in the same chain of devices are not authenticated, the system being proven not to be genuine (see Jakob paragraph 52-54 with authentication of known and unknown devices; obvious to one of ordinary skill in the art to not trust devices in the same family and to trust devices from the same family).
Claim 21, as best understood by the Examiner, is rejected using the same basis of arguments used to reject claim 1 above.  

Claims 13 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over the Jakob combination as applied above, and further in view of Baer et al. US Patent Application Publication 2013/0081101 (Baer).
As per claim 13, the Jakob combination does not explicitly teach in which sensitive or confidential data are deleted from the device, this being executed automatically at the end of a pre-set number of executions of successive preliminary device authentication phases in which the device has not been proven genuine. However, erasing data from memory after a preset number of failed attempts is notoriously well known in the art. For example, see Baer paragraph 14.
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of the Jakob combination with Baer.  One of ordinary skill in the art would have been motivated to perform such an addition to increase security by having security policies in place (paragraph 14). 
As per claim 14, it would have been obvious over the Jakob combination in which the step in which the sensitive or confidential data are deleted from the device also involves deletion of the preliminary question and the preliminary answer when, at the end of a pre-set number of successive execution of preliminary device or system authentication phases SDAP, the user has failed to provide the preliminary question corresponding to the preliminary answer, such that the device or system will consider that the user is not the genuine user (paragraph 14 and 34 of Baer wherein the memory is wiped after threshold number of attempts of failed login).
	


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON KAI YIN GEE whose telephone number is (571)272-6431.  The examiner can normally be reached on Monday-Friday 8:30-5:00 PST Pacific.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on (571) 272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/JASON K GEE/Primary Examiner, Art Unit 2495