Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-12 were preliminarily amended in the submission received on 10/17/2018.
In response to the restriction requirement that was mailed on 4/1/2022, the applicant submits claim amendment that amends claims 1, 4, 6, 7, and 12. Claims 1-12 are pending accordingly.

Restriction Requirement
The applicant amends the claims rendering the restriction requirement mailed on 4/1/2022 to be moot. The restriction requirement has been withdrawn in light of the claim amendments.

Claim Objection
Per claim 1, the applicant is advised to amend “the user of the mobile terminal” in the identifying step to “a user of the mobile terminal” since “the user of the mobile terminal” lack antecedent basis.
Per claim 4, the applicant is advised to amend “a token service provider device” in the step of “selecting” to “the token service provider device” for proper antecedent basis.
Per claim 7, the recited “verifiying” appear to be a typographical error. The applicant is advised to amend the claim to recite “verifying”.
The claims recite “security token” and “token”. The applicant is advised to keep the term consistent, either change “security token” to “token” or “token” to “security token” to avoid any confusion in the terms.
Per claims 11 and 12, the applicant is advised to amend the recite “the verification module” to “the first verification module” for proper antecedent basis.
Claim Interpretation
In light of the claimed expression in claim 9, i.e. “A mobile terminal, having a processor and software including modules”, the claimed expression of an identification module, a generator module, a send module, a reception module, a selection module, and a decryption module in claims 9, 10, and 12 have been interpreted as not invoking 112(f) rather that these modules are software.
Similarly, in light of claimed expression in claims 11 and 12, i.e. “a processor and a memory arranged to execute software modules”, the claimed expression of a first reception module, a first verification module, a first generator module, a first verification module, a first generator module, a second generator module, an encryption module, and a send module recited in claims 11 and 12 have been interpreted as not invoking 112(f) rather that these modules are software.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-5 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. 
Per claim 1, the claim has been amended preliminarily to recite, in part, “generating, triggered if the user is successfully identified, by use of at least one identification value for the mobile terminal by using a first secret key shared between the secure element and a token service provider device” (markings as presented in the amendment). 
Here, the claim clearly recites a step of generating a secure element, specifically that the method of the user mobile terminal in obtaining at least one security token comprises generating the secure element. The instant specification describes the secure element as “a secure digital (SD) memory card or a microSD card, a universal integrated circuit card (UICC), e.g. such as a subscriber identity module (SIM) card, etc.” (see ¶0007).  While there is a support for the secure element generating at least one identification value (see ¶0014), there is no support for generating by the mobile device a secure element (e.g. physical component) by use of at least one identification value.
Even if the Specification show support, there is no description how the mobile terminal is able to generate the secure element that is in the form of a card.
For the purpose of compact prosecution, the examiner will interpret “generating, triggered if the user is successfully identified, in a secure element of the mobile terminal at least one identification value for the mobile terminal by using a first secret key shared between the secure element and a token service provider device”.
Claims 2-5 are rejected as they depend on claim 1 and do not cure the deficiency(s) as identified above.

The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-8 and 10-12 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Per claim 1, the claim recites “each security token … being encrypted by an encryption key …” Here, the scope of the claim is unclear as one of ordinary skill in the art would appreciate that encryption key represents string of bits or information. In other words, that the encryption key is a non-functional descriptive material. Yet, the claim recites that the encryption key, i.e., non-functional descriptive material, is performing encryption function.
As per claim 4, the claim recites “the token” in the “generating by the secure element …” The scope of the claim is unclear as it is unclear which one of the previously recited tokens refer to “the token”.
As per claim 5, the scope of the claim is unclear as it is unclear which one of the previously recited steps of generating refers to “the generating” in “during the generating”. Please see claim 4 and claim 1 that recite “generating” steps.
As per claim 6, the claim recites “generating, triggered if the at least one identification value is valid, of generating for the mobile terminal …” Here, the scope of the claim is unclear as the claim recites that the object of generating is of generating.
As per claims 6 and 11-12, the scope of the claim is unclear as it is unclear which one of the recited security tokens (i.e. “at least one security token” embodies multiple tokens) refers to “that token”.
As per claim 7, the claim recites “the security token” and “the token”. Here, the scope of the claim is unclear as it is unclear which one of the previously recited tokens refers to “the security token” and “the token”.
Per claim 8, the term “the commercial device” lack antecedent basis. The scope of the claim is unclear as it is unclear as to whether “the commercial device” refers to any one of the previously recited elements.
Furthermore, the claim recites “the request”. Here, the scope of the claim is unclear as it is unclear as to which one of the previously recited requests, i.e., request recited in claim 6 and request recited in claim 7, refers to “the request”.
As per claim 10, the claim is dependent on claim 9. Claim 10 recites “a generator module” while claim 9 also recites “a generator module”. It is unclear as to whether these two generator modules are same or different.
Similarly, claim 10 recites “a send module” while claim 9 also recites “a send module”. It is unclear as to whether these two send modules are same or different.
As per claim 12, the claim is directed to a system. The claim further recites, in part, “a mobile terminal according to claim 10”. Once the claimed limitation of claim 10 is introduced in its place, the claim renders itself to be indefinite as importing of the claim 10 expressions in the specific place causes antecedent basis of the claimed expressions in claim 10. The applicant is advised to amend the claim to recite in independent form.
The dependent claims of above are rejected for their dependency on claim(s) above and for failing to cure the deficiency(s) as identified above.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claim(s) 1-9 and 11 is/are rejected under 35 U.S.C. 103 as being unpatentable over US Patent Publication No. 20150262170 (“Bouda”) in view of US Patent Publication No. 20140068722 (“Hayat”) and US Patent Publication No. 20010052070 (“Oishi”).
Per claims 1 and 9, Bouda fairly teaches a method implemented by a user mobile terminal (see Fig. 3 and Fig. 4, the mobile communication device; ¶0049, transactions using a mobile phone; ¶0061), the method comprising: obtaining at least one security token for use during an electronic transaction, wherein obtaining at least one security token comprises (see ¶0101, to send a token request message to the remote security server; ¶0111, if the authentication is successful the security server 24 generates a token and then sends the token to the mobile phone 21):
identifying the user of the mobile terminal (see ¶0015-¶0016, the user identity verifier may be a PIN … request entry for user identity verifier; ¶0074)
sending a request to the token service provider device (i.e., security server) to obtain at least one security token for use by the mobile terminal during an electronic transaction, the request including at least one identification value of the mobile terminal (see ¶0006, token request comprising device identification data identifying the mobile device; ¶0010; ¶0028; ¶0029; ¶0030; ¶0101, to send a token request … message contains device identification data identifying the mobile phone);
receiving from the token service provider device the at least one security token in encrypted form (see ¶0006, the server sending a token to the mobile device; ¶0007; ¶0028; ¶0029; ¶0104, the security server receives the token request message and generates a plurality of asymmetric key pairs … the asymmetric key pair, i.e., private and public key, is used to encrypt communications between the server and the mobile phone).
Bouda does not specifically teach generating in a secure element of the mobile terminal at least one identification value for the mobile terminal by using a first secret key shared between the secure element and a token service provider device.
Hayat, however, discloses generating in a secure element of the mobile terminal at least one identification value for the mobile terminal by using a first secret key shared between the secure element and an entity (see ¶0243, the (U)SAT application 108 may communicate securely with the SIM administration and transaction messenger 121 using the administration (MAK.sub.C) or transition (MTK.sub.C) keys for encryption … Mutual authentication is achieved as all keys and counters are kept secret).
Hence, as Bouda teaches the technique of authentication using at least one identification value of the mobile device for authentication as described above, it would have been obvious to one of ordinary skill in the art before the effective filing of the claimed invention to substitute one known technique of authentication, e.g. authentication as taught by Hayat, as an authentication technique as taught in Bouda.

While Bouda discloses identifying the user of the mobile terminal by using PIN as described above, Bouda does not specifically teach that the user mobile terminal identifies the user and generates the at least one identification value triggered if the user is successfully identified. 
However, as Hayat teaches an application residing on the secure element to authenticate themselves to the application prior to performing an action (see ¶0122; ¶0205, application receives PIN input by the subscriber and compares the PIN for authenticating the subscriber), it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed to require user authentication in any one of the actions, including generation of the at least one identification value as taught the combination of Bouda and Hayat as the combination allows additional layers of protection on actions that are performed on the mobile device.
 
While the combination of Bouda and Hayat discloses that the security token that is sent from the server to the mobile device is encrypted (see Bouda: ¶0006, the server sending the token to the mobile device and the mobile device storing the token; ¶0020, the communications between the mobile device and the service provider device may be encrypted), the combination of Bouda and Hayat does not specifically teach each security token being associated with a random number generated by the token service provider device and being encrypted by an encryption key generated for that security token from the random number and from a second secret key shared between the token service provider device and the secure element of the mobile terminal.
Oishi, however, teaches a technique of sender generating an encryption key (i.e., Kcont) using an exchange key Kx that is shared between the sender and a recipient and the random number value seed and encrypting the data exchanged from the sender to the recipient using the generated key (i.e. Kcont)(see ¶0050, audiovisual device 800A executes a key generation program recorded on the ROM 501 to generate an encryption key Kcont using the exchange key Kx and the random number value seed and then sets the encryption key Kcont to the key register 34 of the encryption circuit 300. In response thereto, the circuit 300 encrypts a digital content including an ordinary statement data contained in, for example, an MPEG2-TS packet inputted from the external device 90 of the audiovisual device 800A into encrypted statement data using the encryption key Kcont; ¶0051).
Hence, as the combination of Bouda and Hayat discloses that the security token that is sent from the server to the mobile device is encrypted, it would have been obvious to one of ordinary skill in the art to utilize any known encryption technique, including the encryption technique as taught by Oishi, as encrypting of information exchanged, including the token, between the server and the mobile device in the combined Bouda and Hayat (In re Wolfe, 116 USPQ 443, 444 (CCPA 1961); Ex parte Smith, 83 USPQ2d 1509 (Bd. Pat. App. & Int. 2007); KSR International Co. v. Teleflex Inc., 82 USPQ2d 1385 (U.S. 2007)).
In further reference to claim 9, Bouda also teaches a mobile terminal having a processor and software including modules (see ¶0052, processor … software) comprising: a secure element (see ¶0052, a processor of SIM card; ¶0061).

Note:
Bouda does not specifically teach each security token being associated with a random number generated by the token service provider device and being encrypted by an encryption key generated for that security token from the random number and from a second secret key shared between the token service provider device and the secure element of the mobile terminal. However, the description of each security token being associated with a random number generated by the token service provider device and being encrypted as described in the claimed expression does not move to distinguish over prior art as the claim is directed to the step perform by the mobile terminal and does not affect the positively recited step of receiving of the at least one security token in encrypted form in a manipulative sense.
In further reference to claim 1, the examiner finds that claim 1 is directed to a method. The examiner also finds that the claimed expression “generating, triggered if the user is successfully identified, a secure element of the mobile terminal by use of at least one identification value for the mobile terminal by using a first secret key shared between the secure element and a token service provider device …” is an optional as the generating step as well as the subsequent steps would only occur if the user is successfully identified. In other word, the claim scope is not limited by claim language that suggests or makes optional but does not require steps to be performed.

As per claim 2, the combination of Bouda, Hayat, and Oishi further teaches wherein the at least one identification value generated by the secure element comprises: a count maintained by the secure element (see ¶0244, (U)SAT application 108 may communicate securely with the SIM administration and transaction messenger 121 using the administration (MAK.sub.C) or transaction (MTK.sub.C) keys for encryption, along with the MIK.sub.C for integrity and C.sub.A or C.sub.T for anti-replay. Mutual authentication is achieved as all keys and counters are kept secret). 
The combination of Bouda, Hayat, and Oishi does not specifically teach that the at least one identification value generated by the secure element comprises a hash generated by applying a hashing function to the count and to the first secret key.
However, as the combination of , Hayat, and Oishi discloses a technique for secure element to authenticate itself to an entity as described above and as Hayat teaches a technique of applying hashing function to counter and keys (see ¶0244, the SIM administration and transaction messenger 121 generates a request (administrative or transaction) whereby the request payload itself (RQ-PD) along with the counter (C.sub.A or C.sub.T) are encrypted using an algorithm, such as AES with the key (MAK.sub.C, or MTK.sub.C). This is then sent along with a Hash Message Authentication Code (MAC) using an algorithm such as SHA-2 Secure Hash Algorithm with the integrity key (MIK.sub.C) and the encrypted message derived previously as inputs. The SIM administration and transaction messenger 121 transmits the message to the (U)SAT application 108 which includes the MAC and the encrypted messaged which includes the anti-replay counter), it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to utilize the any known technique, including hashing of the counter and the key as taught by Hayat, as a technique of authenticating the secure element of the mobile device to the security server as disclosed in the combination of Bouda, Hayat, and Oishi.
As per claim 3, the combination of Bouda, Hayat, and Oishi teaches storing the at least one security token in the mobile device (see ¶0116, The above description refers to the issue and storage in the mobile phone 21 of a token. In some examples multiple tokens may be issued and stored. In such examples the mobile phone 21 may display to the use the number of stored tokens which are available), the combination does not specifically teach wherein the at least one security token and the associated random number are stored in the mobile terminal outside the secure element. 
However, as the combination of Bouda, Hayat, and Oishi teaches a mobile device with storage device outside of the secure element (see Bouda: ¶0061; ¶0175-¶0176, memory, storage), it would have been obvious to store the at least one security token and any known information, i.e., associated random number, in any one of these finite storage(s), each of which had a reasonable expectation of success of storing information outside the secure element.
While Bouda teaches storing the at least one security token in the mobile device as described above, Bouda does not specifically teach that the at least one security token is stored in encrypted form.
However, as Hayat teaches storing sensitive data in encrypted form (see ¶0194), it would have been obvious to one of ordinary skill in the art at the time of the invention to store the at least one security token in an encrypted form as taught by Hayat as the combination generally improves the overall security of the invention by protecting stored information that may be vulnerable to hacking.
As per claims 4 and 5, the combination of Bouda, Hayat, and Oishi further teaches enabling the user mobile terminal to process a request relating to an electronic transaction (see Bouda: ¶0006, mobile device sending token to the service provider device and the service provider device executing the requested service; ¶0010, executing the requested service; ¶0021, the requested service may be a purchase) wherein enabling the user mobile terminal to process the request comprises identifying, triggered upon receiving a predetermined request coming from a third-party device and relating to an electronic transaction, the user of the mobile terminal (see Bouda: ¶0042, authentication using PIN).
The combination of Bouda, Hayat, and Oishi does not explicitly teach selecting, triggered if the user is successfully identified, a security token from the at least one encrypted security token stored in the mobile terminal and obtained from a token service provider device, the selected token being associated with a random number; generating by the secure element of the mobile terminal for the selected token an encryption key from the random number associated with the token and from the second secret key shared between the token service provider device and the secure element, and used during the obtaining method; decrypting the selected token by use of the encryption key that has been generated; and sending a response including the decrypted token to the request from the third- party device wherein during the generating, the secure element of the mobile terminal also generates a signature element for the electronic transaction from an identifier of the third-party device, from data characteristic of the transaction as supplied by the third-party device, from the random number associated with the security token, and from the second secret key, the signature element for the transaction being transmitted to the third-party device in the response to the request.
However, the recited steps are contingent limitations depending on if the user is successfully identified and as the claim is directed to a method. In other word, the claim scope is not limited by claim language that suggests or makes optional but does not require steps to be performed.

Per claims 6 and 11, Bouda teaches a method implemented by a token service provider device, the method comprising: generating at least one security token that is to be used by a mobile terminal during an electronic transaction (see ¶0111, the security server generates a token and then sends the token to the mobile phone), wherein the generating the at least one security token comprises:
receiving from the mobile terminal a request to obtain at least one security token for use by the mobile terminal during an electronic transaction, the request including at least one identification value for the mobile terminal (see ¶0006, token request comprising device identification data identifying the mobile device; ¶0010; ¶0028; ¶0029; ¶0030; ¶0101, to send a token request … message contains device identification data identifying the mobile phone);
generating, triggered if the at least one identification value is valid, of generating for the mobile terminal the at lest one security token (see ¶0111, if the authentication is successful the server generates a token);
encrypting each security token (see ¶0006, the server sending a token to the mobile device; ¶0007; ¶0028; ¶0029; ¶0104, the security server receives the token request message and generates a plurality of asymmetric key pairs … the asymmetric key pair, i.e., private and public key, is used to encrypt communications between the server and the mobile phone);
sending the at least one encrypted security token to the mobile terminal (see ¶0006, the server sending a token to the mobile device; ¶0007; ¶0028; ¶0029; ¶0104, the security server receives the token request message and generates a plurality of asymmetric key pairs … the asymmetric key pair, i.e., private and public key, is used to encrypt communications between the server and the mobile phone).
Bouda does not specifically teach that the at least one identification value for the mobile terminal is generated by a secure element of the mobile terminal at least one identification value for the mobile terminal by using a first secret key shared between the secure element and a token service provider device and verifying the at least one identification value by use of the first secret key.
Hayat, however, discloses the at least one identification value for the mobile terminal is generated by a secure element of the mobile terminal using a first secret key shared between the secure element and an entity and verifying by the entity the at least one identification value by use of the first secret key (see ¶0243, the (U)SAT application 108 may communicate securely with the SIM administration and transaction messenger 121 using the administration (MAK.sub.C) or transition (MTK.sub.C) keys for encryption … Mutual authentication is achieved as all keys and counters are kept secret).
Hence, as Bouda teaches the technique of authentication using at least one identification value of the mobile device for authentication as described above, it would have been obvious to one of ordinary skill in the art before the effective filing of the claimed invention to substitute one known technique of authentication, e.g. authentication as taught by Hayat, as an authentication technique as taught in Bouda.

The combination of Bouda and Hayat does not specifically teach generating a random number associated with each token; generating an encryption key for each security token from the random number associated with that token from a second secret key shared between the token service provider device and the secure element of the mobile terminal; encrypting each security token by using the encryption key generated for that token; and sending the associated random number to the mobile device.
Oishi, however, teaches a technique of sender generating a random number associated with the information; generating an encryption key (i.e., Kcont) for each information using an exchange key Kx that is shared between the sender and a recipient and the random number value seed and encrypting the data exchanged from the sender to the recipient using the generated key and sending of the associated random number to the recipient (i.e. Kcont)(see ¶0050, audiovisual device 800A executes a key generation program recorded on the ROM 501 to generate an encryption key Kcont using the exchange key Kx and the random number value seed and then sets the encryption key Kcont to the key register 34 of the encryption circuit 300. In response thereto, the circuit 300 encrypts a digital content including an ordinary statement data contained in, for example, an MPEG2-TS packet inputted from the external device 90 of the audiovisual device 800A into encrypted statement data using the encryption key Kcont; ¶0051, sends the random number).
Hence, as the combination of Bouda and Hayat discloses that the security token that is sent from the server to the mobile device is encrypted, it would have been obvious to one of ordinary skill in the art to utilize any known encryption technique, including the encryption technique as taught by Oishi, as encrypting of information exchanged, including the token, between the server and the mobile device in the combined Bouda and Hayat (In re Wolfe, 116 USPQ 443, 444 (CCPA 1961); Ex parte Smith, 83 USPQ2d 1509 (Bd. Pat. App. & Int. 2007); KSR International Co. v. Teleflex Inc., 82 USPQ2d 1385 (U.S. 2007)).
In further reference to claim 11, Bouda also teaches a security token service provider comprising a processor and a memory arranged to execute software modules (see ¶0173-¶0177).
Note:
In further reference to claim 9, the examiner finds that claim 9 is directed to a method. The examiner also finds that the claimed expression “generating, triggered if the at least one identification value is valid, of generating for the mobile terminal the at least one security token and a random number associated with each token; generating an encryption key for each security token from the random number associated with that token and from a second secret key shared between the token service provider device and the secure element of the mobile terminal; encrypting each security token by using the encryption key generated for that token; and sending the at least one encrypted security token and the associated random number to the mobile terminal” is an optional as the generating step as well as the subsequent steps would only occur if the at least one identification value is valid. In other word, the claim scope is not limited by claim language that suggests or makes optional but does not require steps to be performed.
As per claim 7, the combination of Bouda, Hayat, and Oishi discloses verifying the security token supplied by a user mobile terminal to a third-party device during an electronic transaction wherein verifying the security token comprises: receiving a verification request including the token from the third-party device and verifying that the token included in the request was indeed generated by the token service provider device for the mobile terminal (see ¶0132, the bank system checks that the token has not already been used … confirming that the token is valid; ¶0139, In such examples communication between the bank system 27 and the security server 24 may be required in order to determine whether a token is valid as part of the authentication process).
As per claim 8, the combination of Bouda, Hayat, and Oishi does not specifically teach validating a signature element for the transaction included in the request. 
The examiner takes Official Notice that validating digital signature in a transaction request is old and well known at the time of the invention.
As the combination of Bouda, Hayat, and Oishi teaches performing transaction including financial transaction with the bank system and transaction authorization request (see ¶0138-¶0145), it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the technique of generating of digital signature and including the digital signature in the transaction authorization request and validate the digital signature to the combination of Bouda, Hayat, and Oishi as the combination provides improvement in the security by providing proof and integrity of the request.
The combination of Bouda, Hayat, and Oishi does not specifically teach wherein the signature element being generated from an identifier of the commercial device, from data characteristic of the transaction, from the random number associated with the security token, and from the second secret key used during the generation method and shared between the secure element of the mobile terminal and the token service provider device. However, as generating of digital signature is old and well known in the art, it would have been obvious to generate the digital signature utilizing any known type of information, i.e., an identifier of the commercial device, from data characteristic of the transaction, from the random number associated with the security token, and from the second secret key used during the generation method and shared between the secure element of the mobile terminal and the token service provider device. 

Allowable Subject Matter
Claims 10 and 12 would be allowable over the prior art of record contingent on curing the deficiencies as identified above.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US Patent No. 10,762,499 discloses use of electronic signatures including forming of the signatures using information such as key and identifier and using the signature as part of authorization request;
US Patent No. 8,312,519 discloses a technique of hashing a count and a key in authentication method;
US Patent Publication No. 20160110711 discloses generation of payment cryptogram by use of hashing algorithm to generate a hash using a session key and a transaction counter.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to STEVEN S KIM whose telephone number is (571)270-5287. The examiner can normally be reached Monday -Friday: 7:00 - 3:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Patrick McAtee can be reached on 571-272-7575. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/STEVEN S KIM/Primary Examiner, Art Unit 3685