DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is in response to application filed 02/28/2022. Claims 1 – 20 are pending for consideration.

Priority
	This application is a continuation of allowed application16/124728 filed on 09/07/2018 now patent US 11310217.

Drawings
	The drawings were received on 02/28/2022. These drawings are accepted.

Information Disclosure Statement
The information disclosure statements (IDS) dated 04/05/2022 and 09/09/2022 have been received and considered.

Claim Objections
Claims 15 – 20 objected to because of the following informalities:  the phrase ‘The non-transitory computer-readable of claim…’ should be read ‘The non-transitory computer-readable medium of claim …’.  
Appropriate correction is required.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp .

Claims 1 – 20 are rejected on the ground of nonstatutory double patenting as being unpatentable over independent claims of U.S. Patent No. 11310217 (Reference Patent), in view of Gupta (US 10262129) (hereafter Gupta), and in view of Fenton et al (US 2013/0198516) (hereafter Fenton). 

Claim #
Instant Application
Reference Patent (11310217)
Claim #
1,2
1.A system, comprising: a processor; a network interface device; and a non-transitory computer-readable medium having stored thereon instructions executable 




to cause the system to perform operations comprising: detecting a first request to access a protected uniform resource locator (URL) from a client computing device; 

without first providing the client computing device access to specific content of the protected URL, issuing a time-limited challenge 

request for a URL password to the client computing device, 

wherein the time-limited challenge request includes a nonce comprising a specific string; receiving, from the client computing device and in response to the time-limited challenge request, the URL password, 


wherein the URL password includes a key value computed by the client computing device using a cryptographic signature algorithm, and wherein a correct key value for the URL password, when used to sign the nonce using the cryptographic signature algorithm, results in a cryptographic signature value that includes a minimum specified length bit string matching a required bit string for the time-limited challenge request; 

performing a verification operation to determine whether the key value included in the URL password, when used to sign the nonce using the cryptographic signature algorithm, results in a cryptographic signature value that includes the required bit string; 
and responsive to a success of the verification operation, providing the client computing device access to the specific content of the protected URL.

2.The system of claim 1, wherein the operations further comprise: 



providing a codebook to the client computing device, wherein the codebook comprises information specifying details of the cryptographic signature algorithm.


1.A system for protecting uniform resource locators (URLs) comprising: a non-transitory memory storing instructions; and one or more hardware processors coupled to the non-transitory memory and configured to read the instructions from the non-transitory memory 
to cause the system to perform operations comprising: detecting a first request to access a protected URL from a client computing device; 

providing, to the client computing device, 



a second request for a URL password, 

wherein the second request includes a nonce; receiving, from the client computing device and in response to the second request, the URL password including a parameter computable by the client computing device using a hash-based computation, 

wherein the parameter, when used as a key in the hash-based computation on the nonce provided to the client computing device, enables a signature having a prefix associated with the protected URL to be produced by the client computing device; 






and redirecting the first request to the protected URL upon determining that the received URL password is valid for the protected URL by confirming the parameter used in the hash-based computation on the nonce results in the signature having the prefix.






2.The system of claim 1, wherein the hash-based computation is performed in response to a challenge-response problem 

provided in a codebook downloadable by the client computing device.
1, 2


The reference patent (11310217) discloses providing an access to the client computing device, but failed to disclose limiting an access to the client computing device by issuing the time-limited challenge. However, in an analogous art, Gupta discloses the time-limited challenge by forcing in real-time the password generator to limit a number of attempts (Gupta, 12, 66-67, 13, 1-2, discloses “The system generates passwords for the user in real-time using multiple different factors, as described herein. This allows the system to rate limit the number of password generation attempts”).  
The reference patent (11310217) fails to disclose granting an access to a specific URL as a result of the verification operation. However, in an analogous art, Gupta discloses providing an access to a specific URL (Gupta, 5, 28-33, discloses “The password, along with any additional information, such as username, may be transmitted to the application server 104 as login information either in connection with a password generation process or to verify that the user 105 has access to additional information provided by the application server 104” Gupta, 1, 23-24, discloses “Many websites, systems and services require users to send login information to gain access.” Gupta,11, 18-21, discloses “The derivative of the combined keys is used to generate a password that matches the length and complexity requirements that were pre-recorded for the organization (or the specific URL).”).    
It would have been obvious to a person of ordinary skill in the art at the time of invention to modify Rudraraju, as referred in the reference patent, in view of the teaching of Gupta which discloses the additional limiting procedure incorporated into the password generation procedure, as well as the access granting to a specific URL based on the verification process, in order to improve security in the network (Gupta, 1, 23-24, 5, 28-33, 11, 18-21, 12, 66-67, 13, 1-2).  
The reference patent (11310217), as modified by Gupta, fails to disclose usage of cryptographic units, i.e., passwords, signatures, keys, etc., of specified length. However, in an analogous art, Fenton discloses a Level of Assurance mode comprising a digital challenge using key of predefined length for digital signature (Fenton, in Para. [0061] discloses “transactions may use a varying "Level of Assurance" (LoA) mode” Fenton, in Para. [0073] discloses “When the LoA mode requirements of each device of been met, each device may sign the digital challenge using the private keys that correspond to the public key of the particular resource” Fenton, in Para. [0140] discloses “Transferring secret information may often involve sharing cryptographic keys that can typically exceed 128 bits in length.”)
It would have been obvious to a person of ordinary skill in the art at the time of invention to modify Rudraraju, as referred in the reference patent, as modified by Gupta, in view of the teaching of Fenton which discloses the cryptographic digital challenge by using of signature/keys of predefined length, in order to, improve security in the network (Fenton, [0061, 0073, 0140]).
Independent claims 8 and 14 disclose a method and a medium, respectively, which are substantially equivalent to the system of claim 1. Dependent claims are rejected because of their dependency on respective base claims. 
Accordingly, claims 1 – 20 are rejected on the ground of nonstatutory double patenting as being unpatentable over cited claims of U.S. Patent No. 11310217 (Reference Patent) and the cited prior art.

Allowable Subject Matter
Claims 1 – 20 are indicated as allowable upon overcoming the Double Patenting, unless new grounds of rejection are raised upon filing a response.
The following is a statement of reasons for the indication of allowable subject matter.
The present invention is directed to methods and systems for using ephemeral URL passwords to deter high volume attacks is described. A request to access one of several protected URLs is detected from a client computing device. A URL password is received from the client computing device. The request is redirected to the protected URL upon determining that the received URL password is valid for the one of the several of protected URLs.
Rudraraju (US 2015/0052584) (hereafter Rudraraju) discloses a method for delivering web resources to user devices, the method comprising: receiving a plurality of resource requests for a web resource, each resource request being received from a respective user device; and, for each resource request for the web resource, sending an authorization request to an access server, the authorisation request including authorisation data comprising user identification information. Further, there is provided method for authorizing delivery of web resources, the method comprising: receiving an authorisation request from a content delivery network, the request including authorisation data comprising user identification information; authorising the authorization request based on the authorisation data; and, returning a response to the content delivery network based on the authorisation, wherein if the authorisation is negative the response includes an address of an alternative web resource different from the requested web resource.
Gupta (US 10262129) (hereafter Gupta) discloses a method for aiding a user in recalling and generating a password. Many times it is easier for a user to remember a place, phrase, person, or other piece of information based on a certain context. The present invention allows for generating a password based on contextual information provided by the user. By providing a context type and a pass phrase, a secure password can be generated. The invention also provides a mechanism for "fuzzy matching", in which a user only needs to provide a password that is close enough to a stored password to gain access to a website or service.
Fenton et al. (US 2013/0198516) (hereafter Fenton) discloses a method of pairing an unregistered device with a virtual identity may include, at a first repository: receiving a request from the unregistered device, sending a pairing code and an identifier to the unregistered device, receiving the pairing code from a registered device, and sending the identifier to the registered device. The method may also include, at a second repository, receiving the pairing code and secret information from the registered device, receiving the pairing code in a transmission associated with the unregistered device, associating the unregistered device with the virtual identity using the pairing code, and sending the secret information to the unregistered device.
Orshansky et al. (US 2020/0052913) (hereafter Orshansky) discloses a method, system and computer program product for reducing the amount of helper data that needs to be stored using two innovative techniques. The first technique uses bit-error rate (BER)-aware lossy compression. By treating a fraction of reliable bits as unreliable, it effectively reduces the size of the reliability mask. With the view of practical costs of production-time error characterization, the second technique enables economically feasible across-temperature per-bit BER evaluation for use in a number of fuzzy extractor optimizations based on bit-selection to reduce overall BER (with or without subsequent compression) using room temperature only production-time characterization.
Supramaniam et al. (US 8635373 ) (hereafter Supramaniam) discloses apparatus, systems, methods, and related computer program products for synchronizing distributed states amongst a plurality of entities and authenticating devices to access information and/or services provided by a remote server. Synchronization techniques include client devices and remote servers storing buckets of information. The client device sends a subscription request to the remote serve identifying a bucket of information and, when that bucket changes, the remote server sends the change to the client device.
Koottayi et al. (US 2018/0288063) (hereafter Koottayi) discloses a method that relates generally to threat detection, and more particularly, to techniques for managing user access to resources in an enterprise environment. Some aspects are directed to the concept of managing access to a target resource based on a threat perception of a user that is calculated using a rule or policy based risk for the user and a behavior based risk for the user. Other aspects are directed to preventing insider attacks in a system based on a threat perception for each user logged into the system that is calculated using a rule or policy based risk for each user and a behavior based risk for each user. Yet other aspects are directed to providing a consolidated view of users, applications being accessed by users, and the threat perception, if any, generated for each of the users.
Lovelock et al. (US 11093207) (hereafter Lovelock) discloses a method providing virtualized credentials of a license holder includes determining contextual data that governs visual information presented on a display and displaying credential data on the display, where visual characteristics of the credential data that is displayed varies according to the contextual data. The display may be a display on a device of the license holder or a display on a device that is viewable by a relying party. The visual characteristics may be modified according to a location of at least some of the credential data on the display on the device of the license holder, a particular font used, a particular color used for text, a color scheme of an existing image and/or a specific image that is independent of the credential data. The visual characteristics may be modified according to the color scheme by changing a background color on the screen of the device of the license holder.
Prior arts reviewed and made of record fail to individually disclose the claimed invention as a whole recited in claim 1 and similarly stated in claims 8 and 14. Also, the reviewed prior arts in combination together fail to render the claimed invention as a whole obvious. Claims 2 – 7, 9 – 13, and 15 – 20 each depend on respective base claim.  Accordingly, as indicated above, claims 1 – 20 are allowed upon overcoming the Double Patenting, unless new grounds of rejection are raised upon filing a response.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VLADIMIR IVANOVICH GAVRILENKO whose telephone number is (313)446-6530.  The examiner can normally be reached on Monday-Friday 7:30-4:30 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/VLADIMIR I GAVRILENKO/Examiner, Art Unit 2431    
                                                                                                                                                                                                      /TRANG T DOAN/Primary Examiner, Art Unit 2431