Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .


DETAILED ACTION
The instant application having Application No. 17/193,572 is presented for examination by the examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claim 19 is rejected on the ground of nonstatutory double patenting as being unpatentable over claims 20 of U.S. Patent No. 10,956,591. Although the claims at issue are not identical, they are not patentably distinct from each other because all the limitation of broader genus claims of the instant application are contained in the narrower species claims of ‘591, as enunciated in (ELI LILLY AND COMPANY v BARR LABORATORIES, INC., United States Court of Appeals for the Federal Circuit, ON PETITION FOR REHEARING EN BANC (DECIDED:  May 30, 2001).  “A later patent claim is not patentably distinct from an earlier patent claim if the later claim is obvious over, or anticipated by, the earlier claim.  In re Longi, 759 F.2d at 896, 225 USPQ at 651 (affirming a holding of obviousness-type double patenting because the claims at issue were obvious over claims in four prior art patents); In re Berg, 140 F.3d at 1437, 46 USPQ2d at 1233 (Fed. Cir. 1998) (affirming a holding of obviousness-type double patenting where a patent application claim to a genus is anticipated by a patent claim to a species within that genus). “ ELI LILLY AND COMPANY v BARR LABORATORIES, INC., United States Court of Appeals for the Federal Circuit, ON PETITION FOR REHEARING EN BANC (DECIDED:  May 30, 2001)..



 
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-18 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. 

As per claims 1 and 11, the user object and the hash of the user object are distinctly defined as two different entities.  The encrypting step specifically encrypts the user object with the encryption key.  The specification appears to only teaches encrypting the hash of the user object.   Appropriate correction is required.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-8 and 11-15 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over USP Application Publication 2005/0154887 to Birk et al., hereinafter Birk in view of USP Application Publication 2020/0076578 to Ithal et al., hereinafter Ithal.
As per claims 1 and 11, Birk teaches receiving, from a client device, a tokenization request that includes a user object [access control data in cookie; 0066 and 0084]; 
determining, by the application server, that the user object or a hash of the user object has not previously been stored in a multi-level cache in the application server (token contains hash of access control data 240; not in cache 0070), wherein the multi-level cache is an in-memory database in the application server (0050 and 0070); 
generating, based on the determining, a token [hash access control data; step 540] 
encrypting, by the application server, the user object using the encryption key to generate an encrypted user object [Fig. 2, step 260]; and 
storing the encrypted user object and the token in the multi-level cache [token is the encrypted hash user object; 0070 and 0070; instant specification stores the encrypted hashed user object].
Birk does not explicitly teach transmitting, from the application server to a hardware security module, a request for an encryption key; receiving, in response to the request and from the hardware security module, the encryption key.  Ithal teaches transmitting, from the application server to a hardware security module, a request for an encryption key; receiving, in response to the request and from the hardware security module, the encryption key (0055 and 0056).  The application server of Birk uses secret keys (0064) and wishes to keep them secret from the client.  Ithal teaches a means to protect the keys by storing them in an HSM.  The claim is obvious because one of ordinary skill in the art before the effective filing date can combine known methods which do not produce unpredictable results.  

As per claim 19, Birk teaches receiving, from a client device, a tokenization request that includes a user object [step 420]; 
validating the user object by: 
determining whether the user object or a hash of the user object matches a first plurality of user objects stored in a local cache of a multi-level cache or a second plurality of user objects stored in a key-value store of the multi-level cache, wherein the multi-level cache is an in-memory database of an application server [step 425; 0074]; and 
responsive to the determining [once a user is authenticated, two things can occur]: 
receiving, from the multi-level cache, a cached token associated with the user object [on next request, server retrieves cached token because client was able to provide cookie with the request; Fig. 3, path 332]; and 
transmitting the cached token to the client device [after authenticated, server places the same token into the cookie, that is cached, and sends to the client in Fig. 4, 480->415 and Fig. 2 step 280; “the token is the value that is stored in the application access cookie (i.e., the value stored in FIG. 2, cookie value 270)”; 0079].
Birk does not explicitly teach transmitting, from the application server to a hardware security module, a request for an encryption key; receiving, in response to the request and from the hardware security module, the encryption key.  Ithal teaches transmitting, from the application server to a hardware security module, a request for an encryption key; receiving, in response to the request and from the hardware security module, the encryption key (0055 and 0056).  The application server of Birk uses secret keys (0064) and wishes to keep them secret from the client.  Ithal teaches a means to protect the keys by storing them in an HSM.  The claim is obvious because one of ordinary skill in the art before the effective filing date can combine known methods which do not produce unpredictable results.  

As per claim 2, Birk teaches the multi-level cache comprises a local cache and a key-value store and wherein the local cache and the key-value store are implemented using a main memory of the application server (0050).
As per claims 3, 13, and 21, Birk teaches the key-value store is implemented as an in-memory non-relational key-value store [0050; token is used as a key to retrieve the authenticated user's security context information].
As per claims 4 and 14, Birk teaches the local cache is implemented as a non- persistent data store and the key-value store is implemented as a persistent data store (0076; suggests either/both types of memory can be used based on preference).
As per claims 5 and 12, Birk teaches asynchronously replicating, from the key-value store to a second key-value store, the token and the encrypted user object, wherein the second key-value store is located remotely from the application server [sends SSO token, previously stored in memory 130, to second sever which has its own memory storage 170; 0034].
As per claim 6, Birk teaches the user object is associated with a financial account (0049).
As per claim 7, Birk teaches the token is generated based on a hash- based message authentication code (0063 and 0084).
As per claims 8 and 15, Birk teaches transmitting the token to the client device [token stored in cookie that is sent to client; 0065].

As per claim 20, the combined system of Birk and Ithal teaches wherein the multi-level cache comprises a local cache and a key-value store (0050), 
wherein the cached token is generated based on hashing a token to generate a hashed token [value is created from 230 being hashed, Fig. 2, step 240/250], and wherein the hashed token is stored as the cached token in the local cache and the key-value store of the multi-level cache [Birk: “the token is the value that is stored in the application access cookie (i.e., the value stored in FIG. 2, cookie value 270)”; 0079].  
The combined system of Birk and Ithal does not explicitly teach that the encryption key is stored in the local cache and the key-value store of the multi-level cache.  However, given the two teachings of Birk and Ithal, one of ordinary skill in the art before the effective filing date could have arrived at the claimed subject matter from the suggestions in the references.  Birk teaches security attributes are stored in cache memory for faster retrieval, 0074.  The key from the HSM [provided by Ithal] would be stored locally in order to be able to quickly decrypt client cookies during requests.  One would not want to wait for the HSM to provide the same key over and over.  Therefore, it is obvious to at least temporarily store the encryption in the application server’s local cache and key-value store along with the other security attributes.  Birk already teaches the token is used as a key to security context thus predictably the encryption key can be retrieved.  The claim is obvious because one of ordinary skill in the art before the effective filing date would have been motivated to combine the prior art to achieve the claimed invention and that there would have been a reasonable expectation of success.  If this leads to the anticipated success, it is likely the product not of innovation but of ordinary skill and common sense.  

Claim(s) 9, 10, 17, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Birk and Ithal as applied to claims 1 and 11 above, and further in view of USP Application Publication 2002/0032662 to Maclin et al., hereinafter Maclin.
As per claims 9 and 17, the combined system of Birk and Ithal are silent in explicitly teaching the application server is associated with a credit card issuer.  Birk does however teach the application server is associated with a financial application 120.  Maclin teaches a credit card server that sends encrypted cookies to the client (0025).  The claim is obvious because one of ordinary skill in the art can combine known methods which do not produce unpredictable results.   The financial application of Birk obviously could be associated with a credit card provider.
As per claims 10 and 18, the combined system of Birk, Ithal, and Maclin teaches the tokenization request includes authentication information for an account associated with the credit card issuer, the method further comprising: verifying, based on the authentication information, an identity of a user associated with the account [cookie contains client ID which is hashed into the value that becomes the token used to authentication the client’s request; Birk 0063 and 0070].



Conclusion
	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure is listed on the enclosed PTO-892 form.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL R. VAUGHAN whose telephone number is (571)270-7316.  The examiner can normally be reached on Monday - Friday, 9:30am - 5:30pm, EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL R VAUGHAN/
Primary Examiner, Art Unit 2431