DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 13, 15 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Won (US 20180183587 A1).
Regarding claim 13, Won discloses a method of authenticating data communication between an electronic lock ((0018]“lock") and a server (fig.5) comprising:
generating a random number challenge at the electronic lock ([0065] "at step 504, loT device 100 (and more specifically, communication application 104) authenticates server 140 via the typical TLS/SSL handshake process" wherein the ClientHello of the TLS/SSL handhsake includes a randomly picked prime number called "client random", see Specification of TLS handshake);
transmitting the random number challenge to the server ([0065] "at step 504, loT device 100 (and more specifically, communication application 104) authenticates server 140 via the typical TLS/SSL handshake process" wherein the ClientHello of the TLS/SSL handhsake includes a randomly picked prime number called "client random");
receiving a signed certificate from the server, the signed certificate being signed with a private key associated with the server ([0032] "loT device 100 may store a list of certificate authority (CA) root certificates and authenticate server 140 via the typical Transport Layer Security (TLS)/Secure Sockets Layer (SSL) handshake process after server 140 transmits its X.509 certificate to loT device 100" wherein during the TLS/SSL handshake the certificate of the server is received and authenticated by checking its
signature);
verifying the signed certificate with the random number challenge and a public key associated with the server ([0065] "at step 504, loT device 100 (and more specifically, communication application 104) authenticates server 140 via the typical TLS/SSL handshake process" wherein during the TLS/SSL handshake the certificate of the server is received and authenticated by checking its signature); and
signing a second random number challenge received from the server at the electronic lock ([(0071] "where server 140 runs a challenge-response protocol to verify that loT device 100 has a valid private key associated with the public key").
Regarding claim 15, Won discloses wherein verifying the signed certificate comprises decrypting the signed certificate using a public key of the server at the electronic lock (Para. 65).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claim(s) 1, 3, 7, 10, 11 is/are rejected under 35 U.S.C. 103 as being unpatentable over Glouche (WO 2018011078 A1), and further in view of Won (US 20180183587 A1).
Regarding claim 1, Glouche discloses a method of authenticating an Internet of Things device (fig.1 cf. [0002] “authentication of a communication device for communicating with a server") comprising: 
generating a first challenge at a server ([0066] "server 30 may generate
communication challenge 107");
transmitting the first challenge to the Internet of Things device ([0067] "server 30
may send communication challenge 107 to the one of the plurality of communication
devices (e.g., loT device 150)");
receiving a first response from the Internet of Things device ([0068] "server 30 may
receive response 110 over the IP communication network from the one of the plurality of
communication devices in reply to communication challenge 107"); and
verifying the first response with the first challenge ([0069] "server 30 may assess if response 110 is authentic" cf. [0073] "server 30 may encrypt communication challenge 107 with the public
key associated with loT device 150", [0076]“response=Hash(IMEI+IMSI+Decrypt(challenge, privateKey)").
	Glouche fails to disclose verifying the first response includes a public key associated with the Internet of Things device.
	Won teaches verifying a response to an authentication request includes a public key associated with the device that transmitted the response (server 140 may generate a symmetric key (k), encrypt the symmetric key using the public key and send the encrypted key to IoT device 100. In such a case, IoT device 100 would only be able to decrypt the encrypted symmetric key if it has the necessary private key, in which case IoT device 100 may decrypt the encrypted symmetric key using the private key and send a “success” message encrypted using the symmetric key, i.e., ENC.sub.k(“success”), Para. 71-72).
	From the teachings of Won, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Glouche to include verifying the first response includes a public key associated with the Internet of Things device in order to allow authentication of the IOT device to improve security.
	Regarding claim 3, Glouche discloses the Internet of Things device is an electronic lock (devices including lock, Para. 4).
Regarding claim 7, the combination of Glouche and Won discloses the claimed invention, wherein Glouche discloses wherein the transmitting occurs directly between the Internet of Things device and the server via a wireless network connection (cellular communication network 45, Para. 67).
Regarding claim 10, Glouche discloses wherein the first challenge comprises a first random number challenge (Challenge=Encrypt(randomNonce, publicKey), Para. 74).
	Regarding claim 11, Glouche discloses the first response is the first challenge signed with a private key associated with the Internet of Things device (response=Hash(IMEI+IMSI+Decrypt(challenge, privateKey), Para. 76).
Claim(s) 2, 12 is/are rejected under 35 U.S.C. 103 as being unpatentable over Glouche in view of Won, and further in view of Bhattacharya (EP 2903204 A1).
	Regarding claim 2, Glouche and Won fail to disclose receiving a second challenge from the Internet of Things device; responding to the second challenge to produce a second response; transmitting the second response to the Internet of Things device; and receiving confirmation of authentication from the Internet of Things device.
Bhattacharya teaches mutual authentication using challenges and responses to improve security of communication between server and client (Para. 32, lines 14-49).
From the teachings of Bhattacharya, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Glouche and Won to include receiving a second challenge from the Internet of Things device; responding to the second challenge to produce a second response; transmitting the second response to the Internet of Things device; and receiving confirmation of authentication from the Internet of Things device in order to perform mutual authentication, thereby improve security.
Regarding claim 12, the combination of Glouche, Won and Bhattacharya teaches the second response is the second challenge signed with the private key associated with the server (Glouche teaches signing challenge with private key to improve security, Para. 76 and see rejection of claim 2 above).
Claim(s) 4-6 is/are rejected under 35 U.S.C. 103 as being unpatentable over Glouche in view of Won, and further in view of Britt (US 2017/0171607).
Regarding claim 4, Glouche and Won fail to disclose wherein the transmitting occurs via a mobile device in data communication with both the Internet of Things device and the server.
Britt teaches including a mobile device to establish communication between IOT devices and a server (providing IoT device access to the IoT service via the user's mobile device or other computing device. For example, the user's mobile device may establish a connection with the IoT service via a cellular or WifI connection as previously described, and may also establish a Bluetooth or WiFi connection with each of the IoT devices, Para. 259).
From the teachings of Britt, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Glouche and Won to include wherein the transmitting occurs via a mobile device in data communication with both the Internet of Things device and the server in order to provide different ways to establish communications between the IOT devices and the server, thereby improve flexibility. 
Regarding claim 5, the combination of Glouche, Won and Britt discloses the claimed invention, wherein Britt teaches wherein the mobile device is in data communication with the Internet of Things device via a Bluetooth connection (Para. 259).
Regarding claim 6, the combination of Glouche, Won and Britt discloses the claimed invention, wherein Britt teaches wherein the mobile device is in data communication with the server via a Wi-Fi connection (Para. 259).
Claim(s) 8-9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Glouche in view of Won, and further in view of Grant (US 2019/0334869) and Britt (US 2017/0171607).
	Regarding claim 8, Glouche and Won fail to teach before generating the first challenge, receiving an authentication request from a mobile device, the mobile device being associated with a user account; authenticating and establishing a data connection with the mobile device, the mobile device also being in data communication with the Internet of Things device; receiving, at the server, an Internet of Things device certificate from the mobile device; verifying, at the server, that the Internet of Things device certificate has a trusted source.
Grant teaches including an Internet of Things device certificate for verification at a server that the Internet of Things device certificate has a trusted source (Para. 40).
Britt teaches receiving an authentication request from a mobile device, the mobile device being associated with a user account; authenticating and establishing a data connection with the mobile device, the mobile device also being in data communication with the Internet of Things device (to retrieve information or control one of the IoT devices, the user opens the app on the IoT device 2910, which connects the user to the IoT cloud service 2920. If the user successfully authenticates with the IoT cloud service 2920 (e.g., vis a user name or password), the IoT cloud service 2920 establishes a connection with one or more of the IoT devices 101-103 via the IoT hub 2905. Various different security techniques such as described above (e.g., using digital signatures, encryption, etc) may be employed to protect the communication between the IoT devices 101-103, the IoT cloud service 2920 and the user device 2910, Para. 260).
From the teachings of Grant and Britt, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Glouche and Won to include before generating the first challenge, receiving an authentication request from a mobile device, the mobile device being associated with a user account; authenticating and establishing a data connection with the mobile device, the mobile device also being in data communication with the Internet of Things device; receiving, at the server, an Internet of Things device certificate from the mobile device; verifying, at the server, that the Internet of Things device certificate has a trusted source in order to improve security and avoid malicious attacks.
Regarding claim 9, the combination of Glouche, Won, Grant, and Britt discloses the claimed invention, wherein Grant teaches wherein the Internet of Things device certificate received from the mobile device is validated at the server against a certificate issued by a manufacturer of the Internet of Things device (Para. 40).
Claim(s) 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Won, and further in view of Britt (US 2017/0171607).
Regarding claim 14, Won fails to disclose wherein transmitting the random number challenge to the server comprises transmitting the random number challenge to a mobile device for forwarding to the server.
Britt teaches including a mobile device to establish communication between IOT devices and a server (providing IoT device access to the IoT service via the user's mobile device or other computing device. For example, the user's mobile device may establish a connection with the IoT service via a cellular or WifI connection as previously described, and may also establish a Bluetooth or WiFi connection with each of the IoT devices, Para. 259).
From the teachings of Britt, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Won to include wherein transmitting the random number challenge to the server comprises transmitting the random number challenge to a mobile device for forwarding to the server in order to provide different ways to establish communications between the IOT devices and the server, thereby improve flexibility.
Claim(s) 16-18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bhattacharya (EP 2903204 A1) and further in view of Britt (US 2017/0171607).
Regarding claims 16, 17, Bhattacharya teaches a method of authenticating data communication between a client and a server comprising: requesting a first challenge from the client to authenticate the server; sending a first signature result from the server to the client; requesting a second challenge from the server to authenticate the client; and sending a second signature result from the client to the server to enable secure communications (Para. 32, lines 14-49).
Bhattacharya fails to disclose the method comprising a mobile device to facilitate communications between an electronic lock client and a cloud server.
Britt teaches a method comprising a mobile device to facilitate communications between an electronic lock and a cloud server (via user’s mobile device, Para. 259, 64, 233).
From the teachings of Britt, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Bhattacharya to include the method comprising a mobile device to facilitate communications between an electronic lock client and a cloud server in order to provide different ways to establish communications between IOT devices and the server, thereby improve flexibility.
Regarding claim 18, Bhattacharya and Britt discloses the claimed invention, wherein Britt further teaches a WIFi connection between the electronic lock and the server without intermediation by a mobile device (via IoT hub 110, Para. 50-52, 64, 233).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Bhattacharya and Britt to include wherein, upon authenticating the cloud server at the electronic lock and authenticating the electronic lock at the cloud server, the electronic lock is enabled to communicate with the cloud server via a Wi-Fi connection without requiring intermediation by the mobile device in order to maintain the connection if the mobile device is gone, thereby prevent loss of communication.
Claim(s) 19-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Davis (US 2017/0103647), and further in view of Won (US 20180183587 A1).
Regarding claim 19, Davis teaches an electronic lock comprising:
a latch movable between a locked position and an unlocked position (Para. 52); 
a motor operatively connected to the latch and configured to drive the latch between the locked position and the unlocked position (via motor 150, Para. 49); 
at least one wireless communication interface (120, Para. 41); 
a programmable circuit configured to selectively actuate the motor and communicate with a server regarding a status of the electronic lock (microprocessor 112 communicate with server 460, Para. 49 and 88).
Davis fails to disclose the programmable circuit configured to perform an authentication process comprising: generating a random number challenge at the electronic lock; transmitting the random number challenge to the server via the wireless communication interface; receiving a signed certificate from the server, the signed certificate being signed with a private key associated with the server; verifying the signed certificate with the random number challenge and a public key associated with the server; and signing a second random number challenge received from the server at the electronic lock.
Won teaches a method of authenticating data communication between an electronic lock ((0018]“lock") and a server (fig.5) comprising: generating a random number challenge at the electronic lock ([0065] "at step 504, loT device 100 (and more specifically, communication application 104) authenticates server 140 via the typical TLS/SSL handshake process" wherein the ClientHello of the TLS/SSL handhsake includes a randomly picked prime number called "client random", see Specification of TLS handshake);
transmitting the random number challenge to the server ([0065] "at step 504, loT device 100 (and more specifically, communication application 104) authenticates server 140 via the typical TLS/SSL handshake process" wherein the ClientHello of the TLS/SSL handhsake includes a randomly picked prime number called "client random");
receiving a signed certificate from the server, the signed certificate being signed with a private key associated with the server ([0032] "loT device 100 may store a list of certificate authority (CA) root certificates and authenticate server 140 via the typical Transport Layer Security (TLS)/Secure Sockets Layer (SSL) handshake process after server 140 transmits its X.509 certificate to loT device 100" wherein during the TLS/SSL handshake the certificate of the server is received and authenticated by checking its
signature);
verifying the signed certificate with the random number challenge and a public key associated with the server ([0065] "at step 504, loT device 100 (and more specifically, communication application 104) authenticates server 140 via the typical TLS/SSL handshake process" wherein during the TLS/SSL handshake the certificate of the server is received and authenticated by checking its signature); and
signing a second random number challenge received from the server at the electronic lock ([(0071] "where server 140 runs a challenge-response protocol to verify that loT device 100 has a valid private key associated with the public key").
	From the teachings of Won, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Davis to include the programmable circuit configured to perform an authentication process comprising: generating a random number challenge at the electronic lock; transmitting the random number challenge to the server via the wireless communication interface; receiving a signed certificate from the server, the signed certificate being signed with a private key associated with the server; verifying the signed certificate with the random number challenge and a public key associated with the server; and signing a second random number challenge received from the server at the electronic lock in order to authenticate communications, thereby prevent malicious attacks.
Regarding claim 20, the combination of Davis and Won discloses the claimed invention, wherein Davis discloses wherein, upon completion of the authentication process, the electronic lock is enabled to receive a command from the server to actuate the motor and drive the latch between the locked position and the unlocked position (Para. 95 and Fig. 10 and rejection of claim 19 above).
Conclusion
	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to YONG HANG JIANG whose telephone number is (571)270-3024. The examiner can normally be reached Monday - Friday 9:30-6 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Feild can be reached on (571)272-4090. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/YONG HANG JIANG/Primary Examiner, Art Unit 2689