DETAILED ACTION
Acknowledgements
This Office Action is in response to Applicant’s response/application filed on 11/27/2020.
The Examiner notes that citations to United States Patent Application Publication paragraphs are formatted as [####], #### representing the paragraph number.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Status of Claims
Claims 2-3, 7-8, and 12-21 have been canceled.
Claims 1, 4-6, 9-11, and 22-25 are currently pending.
Claims 1, 4-5, and 22-25 are withdrawn.
Claims 6 and 9-11 have been examined.

Election/Restrictions
Applicant’s election without traverse of group II, claims 6, and 9-11 in the reply filed on 07/08/2022 is acknowledged.
Claims 1, 4-5 and 22-25 are withdrawn from further consideration pursuant to 37 CFR 1.142(b) as being drawn to a nonelected group.
Claim Rejections - 35 USC § 112(b)
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim(s) 9-11 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 9 recites a limitation: “the random number corresponding to the MST device” in line 2. There is insufficient antecedent basis for this limitation in the claim. For examination purposes, the examiner has interpreted “the random number” to be the “second random number”.
Claim 10 recites “matching the second random number corresponding to the MST device received by the MST device”. It is unclear which number is to be matched with “the second random number corresponding to the MST device received by the MST device”. For examination purposes, the examiner has interpreted that “the second random number corresponding to the MST device received by the MST device” is to be matched with “the second random number in the response to the binding challenge”.
Claim 11 is also rejected since it inherits these deficiencies.

Claim Rejections - 35 USC § 112(a)
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 10 and 11 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. 
As per claim 10, the limitation “matching the second random number corresponding to the MST device received by the MST device” fails to comply with the written description requirement. Specifically, the Specification does not disclose which number is to be matched with “the second random number corresponding to the MST device received by the MST device”. Instead, the Specification only teaches “The MST verifies the binding token using the key KMST and matches RMST” ([0026] of the Specification filed on 11/27/2020). 
Claim 11 is also rejected since it inherits this deficiency.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103(a) are summarized as follows:
1.	Determining the scope and contents of the prior art.
2.	Ascertaining the differences between the prior art and the claims at issue.
3.	Resolving the level of ordinary skill in the pertinent art.
4.	Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claim(s) 6 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ronda (US 20110265159), in view of Yu (CN 101114901A), further in view of Goodman (US 20120270528), and Poidomani (US 20070034700).
Regarding claim(s) 6, Ronda discloses:
           receiving a binding challenge including an indication to initiate binding including a first random number from a user device (By disclosing, “the Registration Server 160 generates a registration message RegistrationMsg, and a session token, such as a random session number ([first random number]), and may sign the registration message RegistrationMsg and the session token using the Registration Server's private encryption key RSPrivK” ([0129] of Ronda); “The Registration Server 160 may then encrypt the signed registration message RegistrationMsg and the signed session token (and the signed server pseudo-random code, if generated) with the Token Manager's Public Certificate THPubC. Preferably, the Registration Server 160 embeds the encrypted data and the Registration Server's Public Certificate RSPubC in a browser cookie, and sends the cookie to the browser 400, at step S810” ([0130] of Ronda); and “The Network Client ([user device]) 345 forwards the encrypted data and the Registration Server's Public Certificate RSPubC to the Token Manager 100.” ([0131] and Fig. 6a of Ronda)); 
           generating a second random number (By disclosing, “the Token Manager 100 or the Network Client 345 generates a credential from the Token Manager Public Certificate THPubC” ([0133] and Fig. 6a of Ronda); and “the Token Manager 100 may implement the credential as a pseudo-random code ([second random number]), such as a One-Time-Password (OTP), using a suitable application on the Token Manager 100, such as the One-Time-Password application.” ([0138] of Ronda));
           sending a response to the binding challenge comprising the first random number, the second random number, and a unique identifier of the MST device to the user device (By disclosing, “the Registration Server 160 generates a registration message RegistrationMsg, and a session token, such as a random session number ([first random number]), and may sign the registration message RegistrationMsg and the session token using the Registration Server's private encryption key RSPrivK” which teaches that the session token includes a first random number ([0129] of Ronda); “the Token Manager 100 may implement the credential as a pseudo-random code ([second random number]), such as a One-Time-Password (OTP), using a suitable application on the Token Manager 100, such as the One-Time-Password application. Preferably, the credential also includes the session token.” ([0138] of Ronda); “The Activation process also causes the Activation Server 150 to associate the Token Manager Public Certificate THPubC with the Serial Number 321 of the Token Manager 100 (MST device)” which teaches that THPubC is associated with a unique identifier of the token manager ([0094] of Ronda); and the token manager sends the credential and THPubC to the network client (Fig. 6a of Ronda)); 
            receiving a binding token generated by a server from the user device, the binding token including personal identification information set for the account, the binding token signed using a key corresponding to the MST device as identified by the unique identifier (By disclosing, a registration server generates a E(S(URPPubC, RPCAPubC)) message (binding token) and sends this message to the network client (user device). The network client then sends this E(S(URPPubC, RPCAPubC)) message to the token manager (Fig. 6b, [0152]-[0153] of Ronda); “The Registration Server 160 then generates an encrypted message by encrypting the signed authentication payload and the signed Certificate Authority's Public Certificate RPCAPubC using the Token Manager Public Certificate THPubC ([a key corresponding to the MST device]).” ([0153] of Ronda); “a Certificate Authority-signed Token Manager public certificate THPubC that includes a Token Manager public key THPubK corresponding to the Token Manager private key THPrivK” ([0089] of Ronda); “The Registration process causes the Token Manager 100 to be provided with a User private key URPPrivK and a Certificate Authority-signed User-Relying Party public certificate (a parent digital certificate) URPPubC that includes a User public key URPPubK corresponding to the User private key URPPrivK.” which teaches that the URPPubC in the E(S(URPPubC, RPCAPubC)) message includes personal identification information ([0089] of Ronda); and “The Relying Party Server 140 saves the User-RP Public Certificate URPPubC in the Registered User Database 520, and links the CFFID (and optionally the Serial Number 321) to the User-RP Public Certificate URPPubC via the User-ID” which teaches that the URPPubC is set for the user account ([0158] of Ronda)); 
           verifying the binding token (By disclosing, “The Token Manager 100 or the Network Client 345 decrypts the encrypted message using the Token Manager Private Key THPrivK, and verifies that the Registration Server's Public Certificate RSPubC was signed by the Root Certificate Authority.” ([0152]-[0154], and Fig. 6b of Ronda)); 
           binding the device to the user account in response to the verification of the binding token (By disclosing, the token manager decrypts the E(S(URPPubC, RPCAPubC)) message and verifies the information in the decrypted message (Fig. 6b, and [0154]-[0155] of Ronda); “If verified, the Token Manager 100 or the Network Client 345 uses the Certificate Authority's Public Certificate RPCAPubC to verify that the User-RP Public Certificate URPPubC was signed by the Certificate Authority 170. If the signature on the User-RP Public Certificate URPPubC is invalid, …. Otherwise, the Token Manager 100 saves the User-Relying Party Private Key URPPrivK in the User RP Private Key store 326, saves the User-RP Public Certificate URPPubC in the User Certificate store 327, saves the identifying data in the Form Factor Details store 329, and links the identifying data to the User Relying Party Private Key URPPrivK and the User-RP Public Certificate URPPubC.” ([0154]-[0155] and Fig. 6b of Ronda); and “The Relying Party Server 140 saves the User-RP Public Certificate URPPubC in the Registered User Database 520, and links the CFFID (and optionally the Serial Number 321) to the User-RP Public Certificate URPPubC via the User-ID. The Relying Party Server 140 also updates the Registered User Database 520 with the user's User-ID, to indicate that the user has registered the associated Token Manager 100 with the Relying Party” ([0158] of Ronda)); and 
           wherein the authentication is performed on a per message basis based on the personal identification information (By disclosing, “Dynamic secrets, such as One-Time Passwords (OTPs) are becoming increasingly popular. Whereas static secrets are used for each authentication attempt until expiry, dynamic secrets change with each authentication attempt.” ([0005] of Ronda); and “if the Token Manager 100 is implemented as a self-contained plug-in peripheral or a self-contained contactless device where the functionality of the hardware token 110 is embedded in the Token Manager 100, the server pseudo-random code may be validated by a suitable application on the Token Manager 100, such as the One-Time-Password application” ([0101] of Ronda)).
           Ronda does not expressly disclose:
           the binding token including a number matching the second random number,
           in response to receiving a financial transaction request from the user device, transmitting information using a magnetic field transmitter of the MST device to a magnetic stripe reader (MSR) based on authentication for the MST device using the personal identification information.
          However, Yu teaches:
          the binding token including a number matching the second random number (By disclosing, device B transmits RandomB to device A; device A signs the received RandomB to form TokenB (binding token); device A transmits TokenB to device B; device B decrypts TokenB and compares the RandomB in the decrypted TokenB (a number matching the second random number) with the RandomB sent to the device A (second random number); and if the decryption result is equal to RandomB, then master device A is legal (Page 18 step 61-step 64 of Yu)).
          Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify the method of Ronda in view of Yu to include a number matching the second random number in the binding token. Doing so would result in an improved invention because this would allow the server to be authenticated by comparing the second random number with the number that matches the second random number in the binding token, so the identity of the server can be verified, thus improving the security of the claimed invention. 
          And Goodman teaches:
          in response to receiving a financial transaction request from the user device, transmitting information to a magnetic stripe reader (MSR) based on authentication for the MST device using the personal identification information (By disclosing, “the wallet application and programmable magnetic stripe can now be used to emulate the actual card” ([0048] of Goodman); “The manner in which the phone 302 and case or attachment device 318 can be used following download of the wallet application 304 and the entry of payment card data is shown in FIG. 8. In step 702, the user opens the wallet application on the smart phone 302, in the same manner as described above, and now interacts with module 444. One or more payment card options are displayed upon opening the application or following a command entered by the user. As seen at step 703, the entry of a password (which may be set up when the application is downloaded) is preferably required prior to opening the application.” which teaches that an authentication is performed in step 703 using the personal identification information ([0050] of Goodman); “In step 704, the user selects the desired payment card for the transaction (for example, by scrolling through a list of available cards in the on-phone database 448).” which teaches that a financial transaction request is initiated from the user device ([0050] of Goodman); and “In step 706, the wallet application sends the card data to the phone case or attachment 318 (e.g. the track 1, 2, and 3 data), for example by having module 444 interact with hardware interface 450. In step 708, the controller 328 receives the card data and renders it to the programmable magnetic stripe 152.” ([0052] and Fig. 8 of Goodman)).
          Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify the combination of Ronda and Yu, in view of Goodman to include the techniques of: in response to receiving a financial transaction request from the user device, transmitting information to a magnetic stripe reader (MSR) based on authentication for the MST device using the personal identification information. Doing so would result in an improved invention because this would provide the storage and usability of stored magnetic stripe data and obviate the need to carry multiple payment cards, thus improving the convenience of the claimed invention ([0003] of Goodman).
           And Poidomani teaches:
           transmitting the information to the magnetic stripe reader using a magnetic field transmitter of the MST device (By disclosing, “a swipe emulating broadcaster system includes a coil having an elongated core material and a winding having a plurality of turns around the core material; and a signal generator having a broadcaster driver signal coupled to the coil such that the coil ([magnetic field transmitter]) provides a dynamic magnetic field which emulates the swiping of a magnetic stripe transaction card past a read head of a card reader” ([0035], [0079] and [0097] of Poidomani)).
          Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify the combination of Ronda, Yu and Goodman, in view of Poidomani to include the techniques of: transmitting the information to the magnetic stripe reader using a magnetic field transmitter of the MST device. Doing so would result in an improved invention because this would lead to a more flexible device that is able to be used to conduct smart transactions with legacy card readers that are adapted only to interact with magnetic stripe cards ([0019] of Poidomani).

Claim(s) 9-11 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ronda (US 20110265159), in view of Yu (CN 101114901A), further in view of Goodman (US 20120270528), Poidomani (US 20070034700), and Fresko (CA 2659128).
Regarding claim(s) 9, Ronda does not expressly disclose:
          wherein the receiving the binding token includes receiving the second random number corresponding to the MST device, a server generated time-stamp, and a personal identification number.  
          However, Yu teaches:
          wherein the receiving the binding token includes receiving the second random number corresponding to the MST device (By disclosing, device B transmits RandomB to device A; device A signs the received RandomB to form TokenB (binding token); device A transmits TokenB to device B (MST device); device B decrypts TokenB and compares the RandomB in the decrypted TokenB (the second random number) with the RandomB sent to the device A; and if the decryption result is equal to RandomB, then master device A is legal (Page 18 step 61-step 64 of Yu)).
          Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify the method of Ronda in view of Yu to include the second random number corresponding to the MST device in the binding token. Doing so would result in an improved invention because this would allow the server to be authenticated by comparing the second random number with the number that matches the second random number in the binding token, so the identity of the server can be verified, thus improving the security of the claimed invention. 
          And Fresko teaches:
         a token includes a server generated time-stamp, and a personal identification number (By disclosing, “In response to the request message for the token, token server 695 produces a token for the mobile device 624 (step 806 of Fig. 8A) and sends the token to mobile device 624 via the wireless network in a response message (step 808 of Fig. 8A). … The token may include information such as a sequence number for uniquely identifying the token, an identification of mobile device 624 (e.g. its PIN), and a timestamp of the current date and/or time” ([0076] of Fresko)).
          Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify the method of receiving a binding token generated by a server, in view of Fresko to include techniques of including a server generated time-stamp, and a personal identification number in the token. Doing so would result in an improved invention because this would detect duplicate tokens in replay attacks by using the time-stamp of the token, and would also allow the mobile device to authenticate the token by comparing the PIN received from the server and the PIN stored in the mobile device, thus improving the security of the claimed invention. 

Regarding claim(s) 10, Ronda does not expressly disclose:
          wherein the verifying the binding token includes matching the second random number corresponding to the MST device received by the MST device with the second random number in the response to the binding challenge.  
          However, Yu teaches:
          wherein the verifying the binding token includes matching the second random number corresponding to the MST device received by the MST device with the second random number in the response to the binding challenge (By disclosing, device B transmits RandomB to device A; device A signs the received RandomB to form TokenB (binding token); device A transmits TokenB to device B (MST device); device B decrypts TokenB and compares the RandomB in the decrypted TokenB (the second random number received by the MST device) with the RandomB sent to the device A (the second random number in the response to the binding challenge); and if the decryption result is equal to RandomB, then master device A is legal (Page 18 step 61-step 64 of Yu)).
          Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify the method of Ronda in view of Yu to include the techniques of matching the second random number corresponding to the MST device received by the MST device with the second random number in the response to the binding challenge. Doing so would result in an improved invention because this would allow the server to be authenticated by comparing the second random number with the number that matches the second random number in the binding token, so the identity of the server can be verified, thus improving the security of the claimed invention. 

Regarding claim(s) 11, Ronda does not expressly disclose:
          wherein the binding the MST device to the user account includes installing the personal identification number.
          However, Poidomani teaches:
         installing the personal identification number (By disclosing, “The reader device 74 can be used to program and personalize secure processor 44 with various information including, by way of example and not limitation, firmware code, account numbers, cryptographic keys, PIN numbers, etc.” ([0083] of Poidomani)).
          Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify the method of Ronda in view of Poidomani to include the techniques of installing the personal identification number. Doing so would result in an improved invention because this would leverage the benefits of using PIN numbers (e.g. authorizing to access sensitive information, stored locally, etc.).

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US 20020099942 to Gohl for disclosing authenticating a first terminal to a second terminal.
US 20120045057 to Brown for disclosing authenticating a requesting device by an authenticating device. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to DUAN ZHANG whose telephone number is (571)272-4642. The examiner can normally be reached Mon - Fri 10 AM-5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neha Patel can be reached on 5712701492. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/DUAN ZHANG/Examiner, Art Unit 3685