DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of claims
This action is in response to the application filed 06/03/2022. Claims 12 and 19 are amended. Claims 1-20 are pending and are examined.
The claims are compliant with 35 USC 101 rejection as the abstract idea is used in a meaningful way beyond linking the abstract idea to a particular technological environment.

Response to Arguments
Applicant's arguments filed 06/03/2022 have been fully considered but they are not persuasive.
Applicant argues as follows:
Thus, McDonald discloses that the application service provider generates the proto-script and transmits the proto-script to the telco computer-based system which then transmits the script to the mobile communication device. However, McDonald does not expressly or inherently disclose that any script is generated by the telco computer-based system. Thus, McDonald does not expressly or inherently disclose “receiving, from the third party server, at least one encrypted data element,” “generating a second script that comprises the at least one encrypted data element,” and “providing, to the electronic device, the second script that comprises the at least one encrypted data element,” as recited in independent claim 1.
The above argument is not found to be persuasive. Examiner disagrees with that assessment. Using the broadest reasonable interpretation of the term “script” to mean a text or program used to produce encrypted data, Examiner recites McDonald recites “This key rotation script is pre-pended to the proto-script to yield the final perso-script that can be sent to the Secure Element for processing.”[0022]. The use of proto-script to yield a perso-script is equivalent to generating a script that comprises encrypted data elements. 
McDonald further recites “A server may include a web service that receives a request from a web server, the request including a URL and an IP address.”[0063]
McDonald further recites “Thereupon, the ASP may provide the Telco 104, the public key generated at step 202f, whereupon the Telco 104 will, via GP, send the ASP public key to the mobile communication device 102—namely, the ASP GP security domain (ASP-SD) on the mobile communication device's secure element (step 202g).”[0026].
The public and private keys are scripts used in encryption.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1-4,6-7,9,11-16, 18-19 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by McDonald et al (US 2016/0267477).

As regards claims 1 and 20 McDonald discloses providing, to an electronic device, a first script to provision an applet instance corresponding to a third-party server, the script comprising a public key corresponding to a private key of the third-party server; [0026]
[0026] With continuing reference to FIG. 2, an example of a “pull” model of GlobalPlatform is shown. In general (although the pull model may be implemented variously), the ASP may generate a public/private key pair (step 202f). Thereupon, the ASP may provide the Telco 104, the public key generated at step 202f, whereupon the Telco 104 will, via GP, send the ASP public key to the mobile communication device 102—namely, the ASP GP security domain (ASP-SD) on the mobile communication device's secure element (step 202g). The ASP security domain on the mobile communication device 102 may thereupon randomly generate a symmetric key (i.e., a randomly generated key or “RGK”) and utilize the ASP public key to encrypt the RGK (step 202h). The public key may be transmitted to the ASP via the Telco 104. The ASP may further utilize the private key to decrypt the RGK (step 202i). In this manner, the ASP may authenticate to the security domain on the mobile communication device 102 using the shared keys (ENC, MAC and DEK) derived (per GP) from the RGK.

receiving, from the electronic device, an encrypted symmetric key and providing the encrypted symmetric key to the third-party server, the symmetric key being encrypted with the public key of the third-party server; 
[0022] To minimize the amount of real-time processing needed to support a provisioning request, the method may comprise creating a globally unique identifier (“GUID”), which can be a binary value that can be sequential or randomly generated and a multiple of the size of the block cipher being used, one or more symmetric master cryptographic keys to derive GUID specific master keys, where the derived keys can either be created on the fly or generated and securely stored. The GUID specific master keys are used, as per GP, to create GUID specific base keys, either directly or by first creating a GUID specific base master key, which are used (as per GP) to create GUID specific session keys. The GUID specific session keys are used to build the majority (e.g., approximately 95%) of the perso script, called the “proto-script.” The proto-scripts can be stored on the back-end systems of the entity looking to provide the application functionality, whether a Telco, a Service Provider, etc. During real-time activities, whether following the GP “push” or “pull” method, the remaining steps for the back-end system is to select an available GUID and associate it with the details of the given mobile device and Secure Element, such as GP Sub-Security Domain identifiers, etc. The back-end systems then use the just received/created keys (that correspond to the keys on the Secure Element) to create the corresponding session keys (as per GP) and make a portion of script that rotates the current keys on the Secure Element to the new GUID specific base keys. This key rotation script is pre-pended to the proto-script to yield the final perso-script that can be sent to the Secure Element for processing. Note that this entire approach can also work in a “batch” mode, whereby the keys could be pushed or pulled from the Secure Element (as per GP) during the manufacturing process, with the results given to the Application Provider for finalized script building. The finalized scripts would then be sent to the Secure Element during the real-time provisioning request.
receiving, from the third-party server, at least one encrypted data element corresponding to a transaction to be performed by the applet instance, the at least one encrypted data element being encrypted with the symmetric key; [0056]
generating a second script that comprises the at least one encrypted data element; [0022, [0033, In various embodiments, the ASP's TSM may use the GUID specific ENC and MAC session keys (and in some instances the DEK base key or DEK session key) to create a “proto-script.” As used herein, a proto-script may comprise any data necessary to personalize an application (e.g., requested functionality) to a mobile communication device 102. Such data may include an alias account code (e.g., a unique number linked to a transaction account code) and/or payment keys (step 312). The resultant proto-script may be stored with reference(s) to its GUID and/or the identifier to the GUID master key that was used to derive the keys that created the proto-script, as described above (step 314)] and
providing, to the electronic device, the second script that comprises the at least one encrypted data element. [0022,0033]
As regards claim 2, McDonald discloses receiving, from the third-party server and prior to providing the first script to the electronic device, the public key corresponding to the third-party server. [0026]
As regards claim 3, McDonald discloses the method of claim 1, wherein providing, to the electronic device, the first script comprises providing, to a secure hardware component of the electronic device, the first script, the first script being executed by the secure hardware component to provision the applet instance. [0022,0025]
As regards claims 4 and 13, McDonald discloses the method of claim 3, wherein providing, to the electronic device, the second script comprising the at least one encrypted data element comprises providing, to the secure hardware component of the electronic device, the second script comprising the at least one encrypted data element, the second script being executed by the secure hardware component and the at least one data element being decrypted by the applet instance using the symmetric key to perform the transaction.[0022,0025]
As regards claims 6 and 15, McDonald discloses the method of claim 4, wherein the first script is provided to the secure hardware component of the electronic device by a secure mobile platform trusted service manager server and the second script is generated by a server provider trusted service manager server and provided to the secure hardware component of the electronic device by the secure mobile platform trusted service manager server. [0025,0026]
As regards claims 7, 14 and 16, McDonald discloses the method of claim 6, wherein one or more mobile payment system servers comprise the secure mobile platform trusted service manager server and the service provider trusted service manager server. [0022]
As regards claim 9, McDonald discloses the method of claim 1, wherein the third-party server decrypts the symmetric key using the private key. [0026]
As regards claims 11 and 18, McDonald discloses the method of claim 1, wherein the symmetric key is randomly generated by the electronic device. [0026]

As regards claim 12 , McDonald discloses a host processor; [0024,0050]  and at least one secure hardware component configured to:[0024]
receive, from a trusted service manager server, a first script for provisioning an applet instance corresponding to a third party server, the first script comprising a public key of the third party server, the third party server being distinct from the trusted service manager server;[0026]
execute the first script to provision the applet instance;[0026]
generate a symmetric key for the applet instance;[0022,0025]
encrypt the symmetric key using the public key of the third party server;[0026]
transmit the encrypted symmetric key to the trusted service manager server;[0022]
receive, from the trusted service manager server, a second script for performing a transaction corresponding to the applet instance, the second script having been generated by the trusted service manager server and comprising at least one encrypted data element from the third party server, the at least one encrypted data element being encrypted with the symmetric key;[0034,0056,0063]
execute the second script to provide the at least one encrypted data element to the applet instance;[0022]
decrypt the at least one encrypted data element;[0026,0060] and
perform the transaction based at least in part on the at least one decrypted data element.[0020,0060]
 As regards claim 19 , McDonald discloses  code to provide, to a trusted service manager server, a public key;[0026]
code to receive, from the trusted service manager server, an encrypted symmetric key generated by an applet instance on a secure hardware component of an electronic device;[0026]
code to decrypt the encrypted symmetric key using a private key corresponding to the public key;[0026,0060]
code to encrypt, using the symmetric key, at least one data element corresponding to a transaction to be performed by the applet instance on the secure hardware component of the electronic device; [0026] and
code to transmit the encrypted at least one data element to the trusted service manager server for generation of a script that comprises the encrypted at least one data element for provisioning to the electronic device.[0022]
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 5 and 8 are rejected under 35 U.S.C. 103 as being unpatentable over McDonald et al (US 2016/0267477) and further in view of Karpen et al (WO 2015023999).
As regards claim 5, McDonald discloses the method of claim 4, McDonald does not expressly disclose wherein the applet instance corresponds to a stored value payment applet instance and the transaction comprises adding or removing funds from the stored value payment applet instance.
Karpen discloses wherein the applet instance corresponds to a stored value payment applet instance and the transaction comprises adding or removing funds from the stored value payment applet instance. [0032,0037]
It would have been obvious for a person of ordinary skill in the art at the time of effective filing the invention was made to use in the applet instance corresponds to a stored value payment applet instance and the transaction comprises adding or removing funds from the stored value payment applet instance in the device of McDonald. The rationale to support a conclusion that the claim would have been obvious is that 
a remote transaction may include any type of transaction including a person-to-person transaction, business-to-business transaction, retail or other provider-customer transaction, or any other type of transaction using any type of account (e.g., debit, credit, pre-paid, etc.)[0032]. One of ordinary skill in the art would have been capable of applying this known method of enhancement to a base device in the prior art and the results would have been predictable to one of ordinary skill in the art. 

As regards claim 8, McDonald discloses the method of claim 4, McDonald does not expressly disclose wherein the secure hardware component comprises at least one of a secure element or secure enclave processor.
Karpen discloses wherein the secure hardware component comprises at least one of a secure element or secure enclave processor. [0023]
It would have been obvious for a person of ordinary skill in the art at the time of effective filing the invention was made to use the secure hardware component comprises at least one of a secure element or secure enclave processor in the device of McDonald. The rationale to support a conclusion that the claim would have been obvious is that the mobile payment application may obtain the account information from a secure element or secure memory of a mobile device. One of ordinary skill in the art would have been capable of applying this known method of enhancement to a base device in the prior art and the results would have been predictable to one of ordinary skill in the art. 

Claims 10 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over McDonald et al (US 2016/0267477)and further in view of Mansour et al (US 2017/0149740).

As regards claims 10 and 17 McDonald discloses the method of claim 1, McDonald does not expressly disclose wherein the received encrypted symmetric key further comprises an encrypted nonce, and the at least one encrypted data element further comprises the nonce.
Mansour discloses wherein the received encrypted symmetric key further comprises an encrypted nonce, and the at least one encrypted data element further comprises the nonce. [0092]
It would have been obvious for a person of ordinary skill in the art at the time of effective filing the invention was made to use the received encrypted symmetric key further comprises an encrypted nonce, and the at least one encrypted data element further comprises the nonce in the device of McDonald. The rationale to support a conclusion that the claim would have been obvious is authorization entity mobile application 210A can randomly generate a nonce and asymmetrically encrypt the combination of the Device ID and the Nonce. Upon receipt of this data by authorization entity backend server 214, the authorization entity's private key can be utilized to decrypt this encrypted data. The addition of a nonce can increase security because the nonce is a randomly generated value that helps to obfuscate the Device ID and also cannot be predicted by an intermediary entity. One of ordinary skill in the art would have been capable of applying this known method of enhancement to a base device in the prior art and the results would have been predictable to one of ordinary skill in the art. 
Conclusion
Additional prior art not used in this rejection includes O’Hare et al (US 2013/0013931). O’Hare recites systems and methods are provided for securely sharing data. A processor forms two or more shares of a data set encrypted with a symmetric key, the data set associated with a first user device, and causes the encrypted data set shares to be stored separately from each other in at least one remote storage location. The processor generates first and second encrypted keys by encrypting data indicative of the symmetric key with a first asymmetric key of first and second asymmetric key pairs associated with the first user device and a second user device, respectively, and causes the encrypted key to be stored in the at least one storage location. To restore the data set, a predetermined number of the two or more encrypted data set shares and at least one of the second asymmetric keys of the first and second asymmetric key pairs are needed.
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOHN A ANDERSON whose telephone number is (571)270-3327. The examiner can normally be reached 9:30 AM- 6:30 PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Michael Anderson can be reached on 571-270-0508. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JOHN A ANDERSON/Examiner, Art Unit 3698                                                                                                                                                                                                        /BRUCE I EBERSMAN/Primary Examiner, Art Unit 3698