Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .  Claim 6 is amended.  Claims 1-8, 20 and 22 is pending.
Response to Arguments
Applicant's arguments filed 6/17/2022 have been fully considered but they are not persuasive. 
 	In Remarks, Applicant argues:
 	“…Hewitt relates to authenticating a remote server to a user, or vice-versa, by using a “service authentication code,”  the generation of which entails encoding a first secret key to provide the service authentication code, in embodiments by running a code-generation algorithm against the first secret key (see Hewitt [0020], Field of the Invention, Summary of the Invention, and Abstract).  Hewitt then compares the service authentication code to the results of a code-generation algorithm run on a second machine, the authenticity of which is being verified by the first, against a second secret key (see id.).  If the service authentication codes generated by these processes match, the identity of the second machine is verified (see id.).

 	“In contract, in the present invention, as claimed, the use of a hash, which can be similar to Hewitt’s code-generation algorithm, is advantageous, but optional.  More specification, the present invention, as claimed herein, provides an effective level of security without hashing or otherwise applying any code-generation algorithm to the underlying data through the use of a one-time pad, which is not possible in Hewitt, as the nature of the architecture is intrinsically different.”

	Examiner respectfully disagrees.  
 	
 	Hewitt discloses the use of authentication code and does not mention the use of hash.  However, the claim does not recite using the authentication code is a hash in the independent claims. 
  

 	Moreover, Applicant argues that Hewitt does not teach a one-time pad at all.  Rather Hewitt requires the use of a code generation algorithm to achieve good security since his first and second secret keys are reused for each authentication process, rendering them predictable over time. 
 	Examiner respectfully disagrees.   Hewitt does mention the authentication code may be used as a one-time pad (see paragraph 0392).
 	Applicant further argues:
 	While the Office describes identifying address location to access data and instruction from memory as being well-known in the art.  Applicant respectfully disagrees.  As applied to the present claims and disclosure.  More specifically, the transmission of a starting point and use of that starting point to determine the first part of the second one-time pad for purpose of generating, by the entity, a second code, amounts so far more than routine identification and access of data, this concept being integral to the function invention while also allowing significant additional flexibility (e.g. a start location could be anywhere in either one time pad, it does not need to be the first bit).
 	
	However, Hewitt discloses:
	[0015] In another embodiment, the obtaining of the service authentication code by the remote service includes the remote service redirecting a user accessing the remote service to an authentication service hosted by the authentication server, and the authentication service providing the service authentication code to the user.
	Since the authentication code is used to redirect to a user accessing the remote service.  Redirecting to the service to include address location of the remote service in order to access the resource would have been an obvious since accessing information in the database or particular files encompasses knowing where the resource is located.
Moreover, in the following paragraph, Hewitt discloses the authentication code generated based on first secret key and the first secret key being retrieved from a database by indexing the unique identification code into the data, the database including identification codes for accessing the remote service.  The identification code is the information linking to the resource location.  Even though Hewitt suggest identifying address location to access data.  Whether it is the first or the second OTP, identify the location would be obvious regardless of whether it is the first bit or anywhere in the memory, Identifying address location to access data and/or instruction from memory is a well-known in order to access the information requested. 
 [0088] the remote service obtaining a service authentication code that has been generated, using a code generation algorithm, based on a first secret key, the first secret key being retrieved from a database by indexing the unique identification code into the database, the database including identification codes for authentication devices that have been registered for accessing the remote service.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

 	Claims 1-8, 13-18, 20 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Hewitt et al. (U.S. Patent Application Publication No. 2007/0088952, hereinafter Hewitt).
 	With respect to claim 1, Hewitt discloses a method of authenticating an entity, comprising:  
 	generating, at a one-time pad authenticator associated with a user, a first code corresponding to a first part of a first one-time pad stored on the one-time pad authenticator,  
  	the first part starting at a starting address within the first one-time pad; transmitting (e.g. Hewitt, paragraphs 0007-0013, “…authenticating a remote service to a user via a communications network…”; (0007), “the remote service obtaining a service authentication code that has been generated, using a code generation algorithm, based on a first secret key” (0008), from a user device to the entity, a request for the entity to authenticate itself (“…generating a response that indicates, to the user, the authenticity of the remote service” (0012), in response to receiving the request, generating, by the entity, a second code corresponding to the first part of a second one-time pad stored on the entity; transmitting the second code to the user device; and receiving, at the user device, the second code for comparison with the first code, wherein, if the first code is equal to the second code, the entity is authenticated (“the authentication device generating, using the same code generation algorithm, an expected code value based on a second secret key and thereafter comparing the expected code value to the service authentication code; and responsive to the comparison, and in the event that the expected code value correlates with the service authentication code, the authentication device generating a response that indicates, to the user, the authenticity of the remote service” (paragraph 0012); “For the authentication device to generate a response that indicates, to the user, that the remote service is authentic, the first secret key must be the same as the second secret key.  If the first secret key is different to the second secret key, the expected code value will be different to the service authentication code and thus the authentication device will not authenticate the remote service” (0013).
 	Hewitt does not explicitly mention the request comprising the starting address; wherein the first part of the second one-time pad is determined using the received starting address.   
 	However, identifying address location  to access data and instruction from memory is well-known in the art.  It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention in order to access data and instruction from the memory.  
 	With respect to claim 2, Hewitt discloses the method according to claim 1, comprising comparing, by the user device, the first code and second code (e.g. Hewitt, paragraphs 0008-0012) .  	With respect to claim 3, Hewitt discloses the method according to claim 1, comprising displaying at least the second code on the user device (e.g. Hewitt, paragraph 0202).  	With respect to claim 4, Hewitt discloses the method according to claim 1, wherein the first code and second code are of the same length, and transmitting the request comprises transmitting an indicator of length of a sequence of bits used to generate the first code, and generating the second code comprises the entity using the indicator of length of the sequence of bits (e.g. Hewitt, paragraphs 0055 and 0139). 
	With respect to claim 5, Hewitt does not explicitly disclose the method according to claim 1, wherein the first code comprises the starting address, and wherein the request comprises the first code.
 	Hewitt does not explicitly mention the request comprising the starting address; wherein the first part of the second one-time pad is determined using the received starting address.   
 	However, identifying address location  to access data and instruction from memory is well-known in the art.  It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention in order to access data and instruction from the memory.  

 	With respect to claim 6, Hewitt discloses the method according to claim 1, wherein generating the first code comprises: 
 	forming a key from a plurality of bits from the first one-time pad; and using the key to generate the first code by using the key in a predetermined hash and 
 	wherein generating the second code comprises: 
 	forming a key from a plurality of bits from the second one-time pad; and using the key to generate the second code by using the key in a predetermined hash (e.g. Hewitt, paragraphs 0007-0013, 0055 and 0139).
 	Hewitt does not explicitly disclose the generate the key in a hash.  However, this is old and well-known in the art  (e.g.  U.S. Patent No. 2016/0149879 to Haynes, paragraph 0024).  	it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the key in the hash so that a cryptographically secure hash function maps an arbitrary length input into a fix length output (the hash value). 
	With respect to claim 7, Hewitt discloses the method according to claim 1, wherein the entity comprises a plurality of second one-time pads, each associated with a separate user, wherein the step of requesting the entity to authenticate itself comprises transmitting user credentials to the entity, and wherein the method further comprises: selecting, by the entity, the second one-time pad associated with the user based on the user credentials and using the selected one-time pad to generate the second code (e.g. Hewitt, paragraphs 0008).  	With respect to claim 8, Hewitt discloses the method according to claim 1, comprising transmitting the first code to the entity such that the user can be authenticated by the entity (e.g. Hewitt, paragraph 0013). 
 	With respect to claims 13-18, 20 and 22 are system claims that are similar to 1-8.  Therefore, claims 13-18, 20 and 22 are rejected based on the similar rationale.

					Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
 	Any inquiry concerning this communication or earlier communications from the examiner should be directed to TONGOC TRAN whose telephone number is (571)272-3843. The examiner can normally be reached 9-5 Monday - Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571) 272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/TONGOC TRAN/Primary Examiner, Art Unit 2434