Prosecution Insights
Last updated: July 17, 2026
Application No. 17/665,384

Two-Factor Authentication to Authenticate Users in Unconnected Devices

Final Rejection §103
Filed
Feb 04, 2022
Priority
Apr 13, 2021 — provisional 63/174,269
Examiner
VU, TAYLOR P
Art Unit
2437
Tech Center
2400 — Computer Networks
Assignee
Biosense Webster (Israel) Ltd.
OA Round
5 (Final)
71%
Grant Probability
Favorable
6-7
OA Rounds
0m
Est. Remaining
87%
With Interview

Examiner Intelligence

Grants 71% — above average
71%
Career Allowance Rate
22 granted / 31 resolved
+13.0% vs TC avg
Strong +16% interview lift
Without
With
+16.2%
Interview Lift
resolved cases with interview
Typical timeline
3y 3m
Avg Prosecution
12 currently pending
Career history
60
Total Applications
across all art units

Statute-Specific Performance

§101
0.5%
-39.5% vs TC avg
§103
97.8%
+57.8% vs TC avg
§112
1.6%
-38.4% vs TC avg
Black line = Tech Center average estimate • Based on career data from 31 resolved cases

Office Action

§103
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Arguments The present office action is responsive to communications on 02/26/2026. Claims 1, 18, 20, 22, 40, and 42 have been amended. Claims 1-3, 5-10, 12-18, 20-24, 26-32, 33-40, 42, and 43 are currently pending in the application. Applicant’s amendments to the claims and arguments have 35 USC 103 rejection that were previously set forth in the Non-Final Office Action mailed 09/30/2025. Therefore, the rejection has been withdrawn. However, upon further consideration, a new grounds of rejection is made in view of Avetisov et al. (US PGPub No.20210044976-A1) and Hwang et al. (US PGPub No. 20210160223-A1). The office action has been updated reflecting the claims as currently presented. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. Claims 1,7, 22, 28, 44, and 45 are rejected under 35 U.S.C. 103 as being unpatentable over Cha et al. (US PGPub No. 20080046758-A1) in view of Avetisov et al. (US PGPub No.20210044976-A1), Lim et al. (US PGPub No. 20090044278-A1) , Ow et al. (US PGPub No. 20210012332-A1), Covdy et al. (US PGPub No. 20180302400-A1), and Fiducia et al. (US PGPub No. 20130297933-A1). With respect to claim 1, Cha teaches a method to authenticate a user to use an unconnected computing resource (¶0002-0006: The present invention generally relates to digital rights management (DRM) methods in wireless communication networks. More particularly, the present invention provides methods for enhancing security, integrity, and trustworthiness in systems operating in accordance with the Open Mobile Alliance (OMA) DRM specifications. OMA DRM 2.0 also specifies a set of protocols that together called the Rights Object Acquisition Protocol (ROAP) that comprises various sub-protocols related to mutual authentication and registration between a device and a rights issuer (RI), requesting ROs, response to delivery of ROs or refusal to deliver ROs, and joining and leaving of domains by the device.) of an unconnected processing device, (¶0017: Device – A user equipment with a DRM agent. It can be either a connected device or an unconnected device, but this distinction is contextual and variable in nature, since a connected can become an unconnected device when it loses its capability to directly connect to an RI). the method comprising: connecting a mobile storage device to the unconnected processing device that is unconnected over a network, (¶0044: Unconnected Device – A device that is capable of connecting to an RI via a connected device using an appropriate protocol over a local connectivity technology e.g., OBEX over IrDA (object exchanged over infrared), Bluetooth, or Universal Serial Bus (USB). ¶0075: A user, for example, as seen in Figure 1 , may have an OMA DRM compliant portable device (an unconnected device) that has no network connectivity, and an OMA DRM compliant mobile device (a connected device) that has network connectivity. After using the connected device to browse and purchase the DRM content 122 and downloading the DRM content 122 to the connected device, the user then may wish to play the DRM content 122 on the unconnected device.). the mobile storage device storing an expiration value and a digital signature of [login details of the user being authenticated to use the unconnected computing resource of the unconnected processing device,] (¶0005: OMA DRM 2.0 improves and extends the OMA DRM 1.0 delivery mechanism. A device compliant with OMA DRM 2.0 has an individual certificate based on a DRM public key infrastructure (PKI), i.e., each device has a public key, a corresponding private key, and a certificate verifying this fact. ¶0093: 2. Authentication, which is the process by which a party identifies itself to another party. In the OMA DRM, mutual DRM agent and RI authentication is achieved in the 4-pass Registration Protocol, the 2-pass RO Acquisition Protocol, the 2-pass Join Domain protocol. Depending on the protocol used and the message sent, authentication is achieved through digital signatures on nonces or on timestamps). receiving, by the unconnected processing device, the digital signature and the expiration value from the mobile storage device; (¶0093: The 2-pass Leave Domain Protocol authenticates the DRM agent to the RI through the digital signature on the time stamp. RIs are required to authenticate themselves to the DRM agent during delivery of ROs. This provides some level of assurance about the authenticity of the RI.). Cha does not disclose: a digital signature of login details of the user being authenticated to use the unconnected computing resource of the unconnected processing device, the login details comprising at least a username and the expiration value, the username stored in the mobile storage device in an encrypted form; Cha does disclose the mobile device storing an digital signature, but Cha does not disclose the digital signature being the login details of the user being authenticated to use the unconnected computing resource of the unconnected processing device. However, Avetisov teaches a digital signature of login details of the user being authenticated to use the unconnected computing resource of the unconnected processing device, (¶0152-0153: The offline policy may enforce compliance rules beyond user authentication on the mobile device 101 in instances where networked services are unavailable. In some cases, policies may be stored within CEE 113 but may be verified by TEE 103 (e.g., by signature verification) or encrypted with a protocol for which TEE, but not the CEE, includes key operable to decrypt the policy according to the protocol. The TEE 103, as previously described, may store within or cryptographically sign data associated with applications, or modules within the trusted execution environment, such as to protect data from being tampered with, read, or modified by an unauthorized entity, and the TEE 103 may release only representations or certain credentials (e.g., offline values or certificates) or decrypt certain data (e.g., offline values or certificates) or sign certain data (e.g., certificates or representations of credentials) subject to user authentication results determined within the TEE 103 and, in some cases, verification of compliance with policy. Further ¶0336 exemplifies, an entity receiving signed data from the relying device 140, which may be in association with a request, challenge, access attempt, or login pertaining to a particular mobile device of a particular user, may verify the signature (digital signature) based on a corresponding public key distributed by relying device or other entity in association with registration of the mobile device of the user (user being authenticated to use the unconnected computing resource)); the login details comprising at least a username and the expiration value, (¶0178: A token, or ticket, like what described above may be a Ticket Granting Ticket or Ticket to Get Tickets (TGT), which may be encrypted identification file with limited validity period (e.g., like a certificate a limited validity period). After authentication, the encrypted identification file, or TGT, may be granted to a user for data traffic protection by a key distribution center (KDC) subsystem of an authentication service (e.g., 175A or 175B), such as according to a Kerberos protocol. The TGT file, such as for user account access (e.g., the user to which a session was granted (username and expiration value)), may contain a session key, expiration date, and an IP address (e.g., of the relying device) which protects from man-in-the-middle attacks.); the username stored in the mobile storage device in an encrypted form; (¶0365: In some embodiments, the relying device 140 may encrypt the user credentials or other data (e.g., with public key or encryption key associated with the mobile device), like a certificate, for which the TEE of the mobile device stores a corresponding by which encrypted data may be decrypted (e.g., within the TEE of the mobile device)). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Avetisov of the login details to the method of Cha in order to prevent man-in-the-middle attacks and attacks that compromise the user (Avetisov ¶0009 & ¶0178). Cha in view of Avetisov does not disclose: receiving, by the unconnected processing device, a user input of a personal identification code; However, Lim teaches receiving, by the unconnected processing device, a user input of a personal identification code; (¶0058: 3) Device Authentication: A user directly inputs the identification code of an unconnected device 50 to a network client 40, or registers the identification code in the network client 40 in advance, thereby creating the authentication code of the unconnected device 50, and then authentication code is stored in mobile storage as a security file 40 at step S43. ) It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Lim regarding the unconnected processing device receiving a user input to the method of Cha in view of Avetisov in order to prevent unauthorized use of content (Lim ¶0006-0007). Cha in view of Avetisov and Lim does not disclose: decrypting, by the unconnected processing device, the username responsively to the personal identification code; verifying, by the unconnected processing device, While Cha discloses decrypting by the unconnected device as seen in ¶0253-0255 wherein the maintained TPM-maintained asymmetric keys (i.e., encryption is done with public key and decryption is done with private key protected inside a TPM). However, Ow teaches decrypting, [by the unconnected processing device,] the username responsively to the personal identification code; verifying, by the unconnected processing device, (¶0376:The creation of public and private keys (key pair) generally relies on the utilization of a username and password as well as a unique PIN code generated by the AXEL wallet. These elements are utilized to create unique hash code used to encrypt and decrypt the key pair generated by the AXEL wallet. Further in ¶0385 and Figure 16 demonstrates AXEL database/DDB 1630 will review the session information created by transaction manager 1615 (as discussed previously with reference to FIG. 16) to ensure that the username/password, MAC ID and other information for the client/user 1605 match what has been recorded to AXEL database/DDB 1630. Assuming the information matches, AXEL database/DDB 1630 will return the requested hash 1659 to the key and PIN management 1620. The key and PIN management 1620 will send a request 1660 to the encryption 1625 function to decrypt the hash containing the private key so that the transaction being requested (1640) can be processed.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Ow of the decryption to the method of Cha in view of Avetisov and Lim in order to additional layer of security and to prevent unauthorized access (Ow ¶0019 & ¶0376). Cha in view of Avetisov, Lim, and Ow does not disclose: the digital signature responsively to the expiration value and the username to authenticate the expiration value and the username; checking, by the unconnected processing device, that the expiration value has not expired; and providing access to the unconnected computing resource logged in under the username responsively to the expiration value and the username being authenticated, the expiration value having not expired, and the personal identification code. However, Covdy teaches the digital signature responsively to the expiration value and the username to authenticate the expiration value and the username; ( ¶0104: After receiving the encryption request, the first or second security device 710A-B (e.g., whichever one has bandwidth to carry out the encryption request or is not currently offline or busy) can generate the encrypted information using private key (e.g., a 224 bit elliptic curve digital signature algorithm (ECDSA) private key that is non-exportable from the respective security device 710A-B). The encrypted information can be sent back to the user 702 (via device 706) for usage as the password in accessing the instance or encrypted information can include a password when decrypted by instance provides the access to the user 702. Once submitted by the user 702 with the access to the instance. The instance may verify information (e.g., expiration time requirements have been met) that has been decrypted prior to permitting the user 702 to access the instance). checking, by the unconnected processing device, that the expiration value has not expired; and providing access to the unconnected computing resource by the user logged in under the username responsively to the expiration value and the username being authenticated, the expiration value having not expired, and the personal identification code. (¶0113-0115: The information can further include a username of the client device, an authorization level, and an identification value of the instance. The private key can be a 224 bit elliptic curve digital signature algorithm (ECDSA) private key and can be non-exportable from the security device. The instance can authenticate the client device responsive to decrypting the encrypted information and verifying the decrypted information (e.g., determining that a current time is before the expiration time decrypted from the encrypted information) The instance can also authenticate the client device responsive to the decryption of the encrypted information without the verifying of the decrypted information (for example, when there is no decrypted information such as an expiration time to verify). The access request can be generated via a graphical user interface of a security dashboard of the client device.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Covdy regarding decryption and digital signature to the method of Cha in view of Avetisov and Lim in order to additional layer of security and prevent unauthorized access (Covdy ¶0019 & ¶0376). Although, Covdy discloses the use of a digital signature and expiration value to authenticate the username and gain access, but Cha in view of Avetisov, Lim, Covdy, and Ow does not wholly disclose: the username being authenticated, the expiration value having not expired, and the personal identification code. However, Fiducia teaches the username being authenticated, the expiration value having not expired, and the personal identification code. (¶0012: The MESA App may then appropriately extract the user's digital or identity certificate and digital signature (the latter being generated by the smart card with a private key in the smart card after correct entry of the PIN) from the inserted smart card (e.g., via the card reader) and send the extracted identity certificate and digital signature to a MESA Server that requests validation of the same from an enterprise CA (e.g., confirmation that the identity certificate is not expired and/or revoked). In addition to validation of the identity certificate and digital signature, the user's user information (e.g., username) may be extracted from the identity certificate and then validated against enterprise directory services to confirm the user's access to the enterprise network via a VPN connection (e.g., validating the user's network permissions).) . It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Fiducia regarding the inclusion of the personal identification code being authenticated along with the expiration value and username to the method of Cha in view of Avetisov, Lim, Covdy, and Ow in order to provide an ease of authentication and extra layer of security by facilitating a multi-factor authentication (Fiducia ¶0005- 0009). With respect to claim 7, the combination of Cha in view of Avetisov, Lim, Covdy, Fiducia, and Ow teaches the method of claim 1 (see rejection of claim 1 above) wherein the digital signature is generated and verified responsively to a private key and a public key of a public key infrastructure, respectively. (Cha ¶0005: A device compliant with OMA DRM 2.0 has an individual certificate based on a DRM public key infrastructure (PKI), i.e., each device has a public key, a corresponding private key, and a certificate verifying this fact. Each rights object (RO) is protected for both confidentiality (by encryption) and integrity (by digital signatures). Further in ¶0110: This digital signature is made using the device's private key. Including the digital signature provides some integrity protection of the associated ROAP messages.). With respect to claim 22, Cha teaches a system to authenticate a user, (¶0002-0006: The present invention generally relates to digital rights management (DRM) methods in wireless communication networks. More particularly, the present invention provides methods for enhancing security, integrity, and trustworthiness in systems operating in accordance with the Open Mobile Alliance (OMA) DRM specifications. OMA DRM 2.0 also specifies a set of protocols that together called the Rights Object Acquisition Protocol (ROAP) that comprises various sub-protocols related to mutual authentication and registration between a device and a rights issuer (RI), requesting ROs, response to delivery of ROs or refusal to deliver ROs, and joining and leaving of domains by the device.) comprising an unconnected processing device (¶0017: Device – A user equipment with a DRM agent. It can be either a connected device or an unconnected device, but this distinction is contextual and variable in nature, since a connected can become an unconnected device when it loses its capability to directly connect to an RI). including: a data interface configured to connect to a mobile storage device, (¶0044: Unconnected Device – A device that is capable of connecting to an RI via a connected device using an appropriate protocol over a local connectivity technology e.g., OBEX over IrDA (object exchanged over infrared), Bluetooth, or Universal Serial Bus (USB). An unconnected device may support DRM Time). the mobile storage device storing an expiration value and a digital signature of [login details of the user being authenticated to use the unconnected computing resource of the unconnected processing device,] (¶0005: OMA DRM 2.0 improves and extends the OMA DRM 1.0 delivery mechanism. A device compliant with OMA DRM 2.0 has an individual certificate based on a DRM public key infrastructure (PKI), i.e., each device has a public key, a corresponding private key, and a certificate verifying this fact. ¶0093: 2. Authentication, which is the process by which a party identifies itself to another party. In the OMA DRM, mutual DRM agent and RI authentication is achieved in the 4-pass Registration Protocol, the 2-pass RO Acquisition Protocol, the 2-pass Join Domain protocol. Depending on the protocol used and the message sent, authentication is achieved through digital signatures on nonces or on timestamps). processing circuitry configured to: receive the digital signature and the expiration value from the mobile storage device; (¶0093: The 2-pass Leave Domain Protocol authenticates the DRM agent to the RI through the digital signature on the time stamp. RIs are required to authenticate themselves to the DRM agent during delivery of ROs. This provides some level of assurance about the authenticity of the RI.). Cha does not disclose: a digital signature of login details of the user being authenticated to use the unconnected computing resource of the unconnected processing device, the login details comprising at least a username and the expiration value, the username stored in the mobile storage device in an encrypted form; Cha does disclose the mobile device storing an digital signature, but Cha does not disclose the digital signature being the login details of the user being authenticated to use the unconnected computing resource of the unconnected processing device. However, Avetisov teaches a digital signature of login details of the user being authenticated to use the unconnected computing resource of the unconnected processing device, (¶0152-0153: The offline policy may enforce compliance rules beyond user authentication on the mobile device 101 in instances where networked services are unavailable. In some cases, policies may be stored within CEE 113 but may be verified by TEE 103 (e.g., by signature verification) or encrypted with a protocol for which TEE, but not the CEE, includes key operable to decrypt the policy according to the protocol. The TEE 103, as previously described, may store within or cryptographically sign data associated with applications, or modules within the trusted execution environment, such as to protect data from being tampered with, read, or modified by an unauthorized entity, and the TEE 103 may release only representations or certain credentials (e.g., offline values or certificates) or decrypt certain data (e.g., offline values or certificates) or sign certain data (e.g., certificates or representations of credentials) subject to user authentication results determined within the TEE 103 and, in some cases, verification of compliance with policy. Further ¶0336 exemplifies, an entity receiving signed data from the relying device 140, which may be in association with a request, challenge, access attempt, or login pertaining to a particular mobile device of a particular user, may verify the signature (digital signature) based on a corresponding public key distributed by relying device or other entity in association with registration of the mobile device of the user (user being authenticated to use the unconnected computing resource)); the login details comprising at least a username and the expiration value, (¶0178: A token, or ticket, like what described above may be a Ticket Granting Ticket or Ticket to Get Tickets (TGT), which may be encrypted identification file with limited validity period (e.g., like a certificate a limited validity period). After authentication, the encrypted identification file, or TGT, may be granted to a user for data traffic protection by a key distribution center (KDC) subsystem of an authentication service (e.g., 175A or 175B), such as according to a Kerberos protocol. The TGT file, such as for user account access (e.g., the user to which a session was granted (username and expiration value)), may contain a session key, expiration date, and an IP address (e.g., of the relying device) which protects from man-in-the-middle attacks.); the username stored in the mobile storage device in an encrypted form; (¶0365: In some embodiments, the relying device 140 may encrypt the user credentials or other data (e.g., with public key or encryption key associated with the mobile device), like a certificate, for which the TEE of the mobile device stores a corresponding by which encrypted data may be decrypted (e.g., within the TEE of the mobile device)). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Avetisov of the login details to the method of Cha in order to prevent man-in-the-middle attacks and attacks that compromise the user (Avetisov ¶0009 & ¶0178). Cha in view of Avetisov does not disclose: a user input device; and receive a user input of a personal identification code via the user input device; However, Lim teaches a user input device; and receive a user input of a personal identification code via the user input device; (¶0058: 3) Device Authentication: A user directly inputs the identification code of an unconnected device 50 to a network client 40, or registers the identification code in the network client 40 in advance, thereby creating the authentication code of the unconnected device 50, and then authentication code is stored in mobile storage as a security file 40 at step S43. ) It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Lim regarding the unconnected processing device receiving a user input to the method of Cha in view of Avetisov in order to prevent unauthorized use of content (Lim ¶0006-0007). Cha in view of Avetisov and Lim does not disclose: decrypt the username responsively to the personal identification code; However, Ow teaches decrypt the username responsively to the personal identification code; (¶0376:The creation of public and private keys (key pair) generally relies on the utilization of a username and password as well as a unique PIN code generated by the AXEL wallet. These elements are utilized to create unique hash code used to encrypt and decrypt the key pair generated by the AXEL wallet. Further in ¶0385 and Figure 16 demonstrates AXEL database/DDB 1630 will review the session information created by transaction manager 1615 (as discussed previously with reference to FIG. 16) to ensure that the username/password, MAC ID and other information for the client/user 1605 match what has been recorded to AXEL database/DDB 1630. Assuming the information matches, AXEL database/DDB 1630 will return the requested hash 1659 to the key and PIN management 1620. The key and PIN management 1620 will send a request 1660 to the encryption 1625 function to decrypt the hash containing the private key so that the transaction being requested (1640) can be processed.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Ow of the decryption to the method of Cha in view of Avetisov and Lim in order to additional layer of security and to prevent unauthorized access (Ow ¶0019 & ¶0376). Cha in view of Avetisov, Lim, and Ow does not disclose: verify the digital signature responsively to the expiration value and the username to authenticate the expiration value and the username; check that the expiration value has not expired; provide access to an unconnected computing resource of the unconnected processing device by the user logged in under the username responsively to the expiration value and the username being authenticated, the expiration value having not expired, and the personal identification code. However, Covdy teaches verify the digital signature responsively to the expiration value and the username to authenticate the expiration value and the username; ( ¶0104: After receiving the encryption request, the first or second security device 710A-B (e.g., whichever one has bandwidth to carry out the encryption request or is not currently offline or busy) can generate the encrypted information using private key (e.g., a 224 bit elliptic curve digital signature algorithm (ECDSA) private key that is non-exportable from the respective security device 710A-B). The encrypted information can be sent back to the user 702 (via device 706) for usage as the password in accessing the instance or encrypted information can include a password when decrypted by instance provides the access to the user 702. Once submitted by the user 702 with the access to the instance. The instance may verify information (e.g., expiration time requirements have been met) that has been decrypted prior to permitting the user 702 to access the instance). check that the expiration value has not expired; provide access to an unconnected computing resource of the unconnected processing device by the user logged in under the username responsively to the expiration value and the username being authenticated, the expiration value having not expired, and the personal identification code. (¶0113-0115: The information can further include a username of the client device, an authorization level, and an identification value of the instance. The private key can be a 224 bit elliptic curve digital signature algorithm (ECDSA) private key and can be non-exportable from the security device. The instance can authenticate the client device responsive to decrypting the encrypted information and verifying the decrypted information (e.g., determining that a current time is before the expiration time decrypted from the encrypted information) The instance can also authenticate the client device responsive to the decryption of the encrypted information without the verifying of the decrypted information (for example, when there is no decrypted information such as an expiration time to verify). The access request can be generated via a graphical user interface of a security dashboard of the client device.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Covdy regarding decryption and digital signature to the method of Cha in view of Avetisov, Lin, and Ow in order to additional layer of security and prevent unauthorized access (Covdy ¶0019 & ¶0376). Although, Covdy discloses the use of a digital signature and expiration value to authenticate the username and gain access, but Cha in view of Avetisov, Lim, Covdy, and Ow does not wholly disclose: the username being authenticated, the expiration value having not expired, and the personal identification code. However, Fiducia teaches the username being authenticated, the expiration value having not expired, and the personal identification code. (¶0012: The MESA App may then appropriately extract the user's digital or identity certificate and digital signature (the latter being generated by the smart card with a private key in the smart card after correct entry of the PIN) from the inserted smart card (e.g., via the card reader) and send the extracted identity certificate and digital signature to a MESA Server that requests validation of the same from an enterprise CA (e.g., confirmation that the identity certificate is not expired and/or revoked). In addition to validation of the identity certificate and digital signature, the user's user information (e.g., username) may be extracted from the identity certificate and then validated against enterprise directory services to confirm the user's access to the enterprise network via a VPN connection (e.g., validating the user's network permissions).) . It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Fiducia regarding the inclusion of the personal identification code being authenticated along with the expiration value and username to the method of Cha in view of Avetisov, Lim, Covdy, and Ow in order to provide an ease of authentication and extra layer of security by facilitating a multi-factor authentication (Fiducia ¶0005- 0009). With respect to claim 28, the combination of Cha in view of Avetisov, Lim, Covdy, Fiducia, and Ow teaches the method of claim 22 (see rejection of claim 22 above), wherein the processing circuitry is configured to verify the digital signature responsively to a public key of a public key infrastructure. (Cha ¶0005: A device compliant with OMA DRM 2.0 has an individual certificate based on a DRM public key infrastructure (PKI), i.e., each device has a public key, a corresponding private key, and a certificate verifying this fact. Each rights object (RO) is protected for both confidentiality (by encryption) and integrity (by digital signatures). Further in ¶0110: This digital signature is made using the device's private key. Including the digital signature provides some integrity protection of the associated ROAP messages.). With respect to claim 44, the combination of Cha in view of Avetisov, Lim, Covdy, Ow, and Fiducia teaches the method of claim 1 (see rejection of claim 1 above) wherein the mobile storage device comprises a flash disk, a compact disc, a digital versatile disc, or a secure digital disk. (Lim ¶0020: According to the method of providing DRM content, mobile storage, such as a USB memory stick, which has no security function and has a simple storage function, can be used to transfer DRM content to another external device. Of course, the possibility that mobile storage, such as a Secure Digital (SD) card, which has a security function, can be used is not excluded.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings Lim with regards identification list and replacing older list with a newer list method of Cha in view of Avetisov, Covdy, and Fiducia in order to provide to transmit content through a widely distributed and inexpensive means while being protected (Lim : ¶0006 & ¶0020). With respect to claim 45, the combination of Cha in view of Avetisov, Lim, Covdy, Ow, and Fiducia teaches the method of claim 22 (see rejection of claim 22 above) wherein the mobile storage device comprises a flash disk, a compact disc, a digital versatile disc, or a secure digital disk. (Lim ¶0020: According to the method of providing DRM content, mobile storage, such as a USB memory stick, which has no security function and has a simple storage function, can be used to transfer DRM content to another external device. Of course, the possibility that mobile storage, such as a Secure Digital (SD) card, which has a security function, can be used is not excluded.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings Lim with regards identification list and replacing older list with a newer list method of Cha in view of Avetisov, Covdy, and Fiducia in order to provide to transmit content through a widely distributed and inexpensive means while being protected (Lim : ¶0006 & ¶0020). Claim 2 and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Cha et al. (US PGPub No. 20080046758-A1) in view of Avetisov et al. (US PGPub No. 20210044976-A1) , Lim et al. (US PGPub No. 20090044278-A1) , Ow et al. (US PGPub No. 20210012332-A1) , Covdy et al. (US PGPub No. 20180302400-A1), Fiducia et al. (US PGPub No. 20130297933-A1), and Ikeda et al. (US PGPub No. 20050235153-A1). With respect to claim 2, the combination of Cha in view of Avetisov, Lim, Covdy, Fiducia, and Ow teaches the method of claim 1 (see rejection of claim 1 above) but does not disclose wherein: the login details include at least one access right; the verifying includes verifying the digital signature responsively to the expiration value, the username, and the at least one access right to authenticate the expiration value, the username, and the at least one access right; the checking includes checking the at least one access right to verify whether access to functionality is authorized; and the providing access includes providing access to the unconnected computing resource according to the verified at least one access right. However, Ikeda teaches wherein: the login details include at least one access right; the verifying includes verifying the digital signature responsively to the expiration value, the username, and the at least one access right to authenticate the expiration value, the username, and the at least one access right; (¶0052: The combination Figure 1 and Figure 2 , the control unit 16 confirms that the user has a right to use of an digital signature generation key required by user or not when the result of the user authentication indicates, and if the right to use can be confirmed, the control unit 16 transmits a transmission of a the digital information D of the signature target to the client apparatus 20A (ST3) the checking includes checking the at least one access right to verify whether access to functionality is authorized; (¶0060-0061: Then, the client assertion by the hash value due to the operation of the operation (ST8), and certifies that the assertion is not falsified when the verification result indicates the validity. Next, the client apparatus 20B verifies the digital signature on the basis the public key of the user of the client apparatus 20A (ST9), and if the verification result is valid, the validity of the digital signature is assured and further, the validity of the digital information D is assured. s described above, according to the present embodiment, in the case of generating the digital signature, the assertion to assert the key management system and the user authentication system is generated, the hash function is provided to both of the digital signature and the assertion, and the acquired hash value, digital signature, and assertion are outputted. Thereby, the validity of the assertion can be verified and on the basis of the key management system and the user authentication system included in the assertion, the security environment of the digital signature can be verified.) and the providing access includes providing access to the unconnected computing resource according to the verified at least one access right. (¶0096: Exemplified in Figure 5, the user authentication indicates validity the identity provider 10a confirms (verified) the right to use of the user (access right))). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings including at least one access right of Ikeda to the method of Cha in view of Avetisov, Lim, Covdy, Fiducia, and Ow in order to assure the validity of the user on the basis of reliability of the identity (profile information group such as attribution information and the authentication information with related) of the user (Ikeda ¶0037). With respect to claim 23, the combination of Cha in view of Avetisov, Lim, Covdy, Fiducia, and Ow teaches the method of claim 22 (see rejection of claim 22) but does not disclose wherein: the login details include at least one access right; and the processing circuitry is configured to: verify the digital signature responsively to the expiration value, the username, and the at least one access right to authenticate the expiration value, the username, and the at least one access right; check the at least one access right to verify whether access to functionality is authorized; and provide access to the unconnected computing resource according to the verified at least one access right. However, Ikeda teaches wherein: the login details include at least one access right; and the processing circuitry is configured to: verify the digital signature responsively to the expiration value, the username, and the at least one access right to authenticate the expiration value, the username, and the at least one access right; (¶0052: The combination Figure 1 and Figure 2 , the control unit 16 confirms that the user has a right to use of an digital signature generation key required by user or not when the result of the user authentication indicates, and if the right to use can be confirmed, the control unit 16 transmits a transmission of a the digital information D of the signature target to the client apparatus 20A (ST3)). check the at least one access right to verify whether access to functionality is authorized; and(¶0060-0061: Then, the client assertion by the hash value due to the operation of the operation (ST8), and certifies that the assertion is not falsified when the verification result indicates the validity. Next, the client apparatus 20B verifies the digital signature on the basis the public key of the user of the client apparatus 20A (ST9), and if the verification result is valid, the validity of the digital signature is assured and further, the validity of the digital information D is assured. s described above, according to the present embodiment, in the case of generating the digital signature, the assertion to assert the key management system and the user authentication system is generated, the hash function is provided to both of the digital signature and the assertion, and the acquired hash value, digital signature, and assertion are outputted. Thereby, the validity of the assertion can be verified and on the basis of the key management system and the user authentication system included in the assertion, the security environment of the digital signature can be verified.) provide access to the unconnected computing resource according to the verified at least one access right. (¶0096: Exemplified in Figure 5, the user authentication indicates validity the identity provider 10a confirms (verified) the right to use of the user (access right))). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings including at least one access right of Ikeda to the method of Cha in view of Avetisov, Lim, Covdy, Fiducia, and Ow in order to assure the validity of the user on the basis of reliability of the identity (profile information group such as attribution information and the authentication information with related) of the user (Ikeda ¶0037). Claim 3 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Cha et al. (US PGPub No. 20080046758-A1) in view of Avetisov et al. (US PGPub No. 20210044976-A1) , Lim et al. (US PGPub No. 20090044278-A1) , Ow et al. (US PGPub No. 20210012332-A1) , Covdy et al. (US PGPub No. 20180302400-A1), Fiducia et al. (US PGPub No. 20130297933-A1), and Momchilov et al. (US PGPub No. 20160337346-A1). With respect to claim 3, the combination of Cha in view of Avetisov, Lim, Covdy, Fiducia, and Ow teaches the method of claim 1 above (see rejection of claim 1 above) but does not disclose wherein the mobile storage device stores the expiration value in an encrypted form, the method further comprising decrypting, by the unconnected processing device, the expiration value responsively to the personal identification code. However, Momchilov teaches wherein the mobile storage device stores the expiration value in an encrypted form, (¶0208: In step 732K, the server 704 may generate a time-based validator, such as a PIN validator (e.g., timeBasedPinValidator), by encrypting one or more of the information previously described. For example, the server may encrypt the expiration time at the client device 702 when PIN validator expires (in seconds), the tick count at the processor of the client device 702 when the PIN validator expires (and similarly the tick count at the processor of the client device 702 when the PIN validator was created), the encrypted PIN, the encrypted static entropy, and/or the KDF used to generate one or more encryption keys. The time-based PIN validator may be encrypted using the public key of the client device 702. ). the method further comprising decrypting, by the unconnected processing device, the expiration value responsively to the personal identification code. (¶0213: In step 812B, the client device 702 may verify the signature of the signed expiration ticket using the server's public key. If the signature cannot be verified, the client device 702 may display an error and optionally discard the data. If the expiration ticket's signature is valid, the client device 702 may decrypt the timed-based PIN validator using the client device's private key in step 814 (illustrated in FIG. 8A). The client device 702 may optionally store the signed expiration ticket in step 812C.) It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Momchilov with regards to encrypting the expiration value to the method of Cha in view of Avetisov, Lim, Covdy, Fiducia, and Ow in order to prevent attacks and protected access to sensitive information for authenticated user (Momchilov ¶0003). With respect to claim 24, the combination of Cha in view of Avetisov, Lim, Covdy, Fiducia, and Ow teaches the method of claim 22 (see rejection of claim 22 above) wherein: the mobile storage device is configured to store the expiration value in an encrypted form; and the processing circuitry is configured to decrypt the expiration value responsively to the personal identification code. However, Momchilov teaches wherein: the mobile storage device is configured to store the expiration value in an encrypted form; and (¶0208: In step 732K, the server 704 may generate a time-based validator, such as a PIN validator (e.g., timeBasedPinValidator), by encrypting one or more of the information previously described. For example, the server may encrypt the expiration time at the client device 702 when PIN validator expires (in seconds), the tick count at the processor of the client device 702 when the PIN validator expires (and similarly the tick count at the processor of the client device 702 when the PIN validator was created), the encrypted PIN, the encrypted static entropy, and/or the KDF used to generate one or more encryption keys. The time-based PIN validator may be encrypted using the public key of the client device 702. ). the processing circuitry is configured to decrypt the expiration value responsively to the personal identification code. (¶0213: In step 812B, the client device 702 may verify the signature of the signed expiration ticket using the server's public key. If the signature cannot be verified, the client device 702 may display an error and optionally discard the data. If the expiration ticket's signature is valid, the client device 702 may decrypt the timed-based PIN validator using the client device's private key in step 814 (illustrated in FIG. 8A). The client device 702 may optionally store the signed expiration ticket in step 812C.) It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Momchilov with regards to encrypting the expiration value to the method of Cha in view of Avetisov, Lim, Covdy, Fiducia, and Ow in order to prevent attacks and protected access to sensitive information for authenticated user (Momchilov ¶0003). Claims 5 and 26 are rejected under 35 U.S.C. 103 as being unpatentable over Cha et al. (US PGPub No. 20080046758-A1) in view of Avetisov et al. (US PGPub No.20210044976-A1) , Lim et al. (US PGPub No. 20090044278-A1) , Ow et al. (US PGPub No. 20210012332-A1) , Covdy et al. (US PGPub No. 20180302400-A1), Fiducia et al. (US PGPub No. 20130297933-A1), and French et al. (US PGPub No. 20160292676-A1). With respect to claim 5, the combination of Cha in view of Avetisov, Lim, Covdy, Fiducia, and Ow teaches the method of claim 1 (see rejection of claim 1 above) but does not disclose wherein the mobile storage device stores the digital signature in an encrypted form, the method further comprising decrypting, by the unconnected processing device, the digital signature responsively to the personal identification code. However, French teaches wherein the mobile storage device stores the digital signature in an encrypted form, (¶0172: When cryptographic algorithms are used, the algorithms may perform symmetric and/or asymmetric cryptographic operations (such as encryption, decryption, digital signature generation, message authentication code generation, keyed hashing, etc.). As seen in Figure 3, underlying method, or some or all of CA1, CA2, CA3 and CA4 may use different underlying methods. By way of example: CA2 may generate the ARQC 360 as a (hashed) message authentication code (MAC), e.g. using SHA256, based, at least in part, on the data relating to the transaction 340 and the device information 350 (using SK1 as a key) or may generate a digital signature for the data relating to the transaction 340 and the device information 350 using an asymmetric signature algorithm. The ARQC 360 may be the whole, or a part, of the message authentication code or the digital signature generated. the method further comprising decrypting, by the unconnected processing device, (¶0176: As seen in Figure 1, the POS 160 and/or authorization system 171 are configured to perform MPC to carry out at least part of the one or more of their respective cryptographic processes described above, for example the authorization process carried out by the authorization system 171 and/or decryption/authentication of the digital signature by the POS 160.) the digital signature responsively to the personal identification code. (¶0176: CA4 may generate the PIN authentication data 390 as a (hashed) message authentication code (MAC), e.g. using SHA256, based, at least in part, on the PIN 380, or may generate a digital signature for the PIN 380 using an asymmetric signature algorithm. The PIN authentication data 390 may be the whole, or a part, of the message authentication code or the digital signature generated.). ¶0245: In either case, the response provided to the POS 160 comprises: (a) One or more items of information for use in processing the transaction. The one or more items of information may comprise one or more of: A digital signature generated by the transaction software 110 at step S640 based on at least one of the one or more items of information. This digital signature is generated using the device private key.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of French with regards to encrypting the digital signature to the method of Cha in view of Avetisov, Lim, Covdy, Fiducia, and Ow in order to enable a secure authentication process (French ¶0005-0006). With respect to claim 26, the combination of Cha in view of Avetisov, Lim, Covdy, Fiducia, and Ow teaches the method of claim 22 (see rejection of claim 22 above) but does not disclose wherein: the mobile storage device is configured to store the digital signature in an encrypted form; and the processing circuitry is configured to decrypt the digital signature responsively to the personal identification code. However, French teaches wherein: the mobile storage device is configured to store the digital signature in an encrypted form; and (¶0172: When cryptographic algorithms are used, the algorithms may perform symmetric and/or asymmetric cryptographic operations (such as encryption, decryption, digital signature generation, message authentication code generation, keyed hashing, etc.). As seen in Figure 3, underlying method, or some or all of CA1, CA2, CA3 and CA4 may use different underlying methods. By way of example: CA2 may generate the ARQC 360 as a (hashed) message authentication code (MAC), e.g. using SHA256, based, at least in part, on the data relating to the transaction 340 and the device information 350 (using SK1 as a key) or may generate a digital signature for the data relating to the transaction 340 and the device information 350 using an asymmetric signature algorithm. The ARQC 360 may be the whole, or a part, of the message authentication code or the digital signature generated.) the processing circuitry is configured to decrypt (¶0176: As seen in Figure 1, the POS 160 and/or authorization system 171 are configured to perform MPC to carry out at least part of the one or more of their respective cryptographic processes described above, for example the authorization process carried out by the authorization system 171 and/or decryption/authentication of the digital signature by the POS 160.) the digital signature responsively to the personal identification code. (¶0176: CA4 may generate the PIN authentication data 390 as a (hashed) message authentication code (MAC), e.g. using SHA256, based, at least in part, on the PIN 380, or may generate a digital signature for the PIN 380 using an asymmetric signature algorithm. The PIN authentication data 390 may be the whole, or a part, of the message authentication code or the digital signature generated.). ¶0245: In either case, the response provided to the POS 160 comprises: (a) One or more items of information for use in processing the transaction. The one or more items of information may comprise one or more of: A digital signature generated by the transaction software 110 at step S640 based on at least one of the one or more items of information. This digital signature is generated using the device private key.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of French with regards to encrypting the digital signature to the method of Cha in view of Avetisov, Lim, Covdy, Fiducia, and Ow in order to enable a secure authentication process (French ¶0005-0006). Claims 6, 24, 15, 27, 36, and 37 are rejected under 35 U.S.C. 103 as being unpatentable over Cha et al. (US PGPub No. 20080046758-A1) in view of Avetisov et al. (US PGPub No. 20210044976-A1) , Lim et al. (US PGPub No. 20090044278-A1) , Ow et al. (US PGPub No. 20210012332-A1) , Covdy et al. (US PGPub No. 20180302400-A1), Fiducia et al. (US PGPub No. 20130297933-A1), and Holtzman et al. (US PGPub No. 20080010452-A1). With respect to claim 6, the combination of Cha in view of Avetisov, Lim, Covdy, Fiducia, and Ow teaches the method of claim 1 (see rejection of claim 1 above) but does not disclose further comprising symmetrically decrypting at least one of: the expiration value; the username; and the digital signature responsively to the personal identification code. However, Holtzman teaches further comprising symmetrically decrypting at least one of: the expiration value; the username; and the digital signature responsively to the personal identification code. (¶0083-0084: data confidential and integrity can be provided through symmetric encryption method for key values (referring to the use of OTP for username and passwords disclosed in ¶0371-0373 that is received from flash device and can restrict access by decryption can allow authorized entities to use the data) It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the known teachings of Holtzman of symmetrical decryption to the method of Cha in view of Avetisov, Lim, Covdy, Fiducia, and Ow in order to further protect the system by verifying the identity of a party through decrypting the response (login data) and authorizing only to decrypted responses that pass the challenge (matching the singular key). With respect to claim 14, the combination of Cha in view of Avetisov, Lim, Covdy, Fiducia, and Ow teaches the method of claim 1 (see rejection of claim 1 above) but does not disclose wherein the mobile storage device stores a user revocation list, and the digital signature digitally signs the login details and the user revocation list, the method further comprising: receiving, by the unconnected processing device, the user revocation list from the mobile storage device; verifying, by the unconnected processing device, the digital signature responsively to the user revocation list to authenticate the user revocation list; and denying access to the unconnected computing resource responsively to the authenticated user revocation list. However, Holtzman teaches wherein the mobile storage device stores a user revocation list, (¶0017: Thus in another embodiment, at least one certificate revocation list is stored in a public area of the memory; the memory also stores protected data or content a user or consumer may wish to access. In this manner, the consumer or user will not need to obtain from a certificate authority the certificate revocation list every time access to the content stored in the memory is desired.) and the digital signature digitally signs the login details and the user revocation list, (¶0288-0289: The CRL also will need to be verified to be genuine in order for it to serve the purpose of validating certificates. CRLs are signed using the private key of the CA that issued the CRL, and can be verified to be genuine by decrypting the signed CRL using the public key of the CA. One of the characteristics of the CRL scheme is that the validation of the certificate (against the CRL) can be performed separate from obtaining the CRL. CRLs are also signed by the issuers of the pertinent certificates, and are verified in a manner similar to the verification of certificates, using the public keys of CAs that issued the CRLs, in the manner described above. The memory device verifies that the signature is of the CRL and that the issuer of the CRL matches the issuer of the certificate.); the method further comprising: receiving, by the unconnected processing device, the user revocation list from the mobile storage device; (¶0017: user may simply retrieve at least one certificate revocation list stored in the public area of the memory for authentication for content access) verifying, by the unconnected processing device, the digital signature responsively to the user revocation list to authenticate the user revocation list; and (¶0287-0289: The SSA system uses a revocation scheme which involves each CA periodically issuing a signed data structure called a Certificate Revocation List (CRL). One of the characteristics of the CRL scheme checks certificate (for verifying host's identity) the device not only checks the certificate signature (validity) but also verifies against list of serial numbers received through CRL (verify)). denying access to the unconnected computing resource responsively to the authenticated user revocation list. (¶0291-0293: Host devices, on the other hand, have been used to connect to CAs to obtain CRLs, so that when memory device 10 is to be authenticated by host devices, the memory device need not present CRLs to the host devices along with their certificates or certificate chains. (authenticated user revocation list) The authenticating entity then verifies the authenticity of the certificate and of the certificate revocation list received. The authenticating entity checks whether the certificate is on the revocation list by checking whether an identification of the certificate, such as a serial number of the certificate, is present on the list.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the known teachings of Holtzman user revocation list to the method of Cha in view of Avetisov, Lim, Covdy, Fiducia, and Ow in order to verify the genuinely of party’s pubic key and preventing access to compromised keys by revoking access when certificates are invalid. With respect to claim 15, the combination of Cha in view of Avetisov, Lim, Covdy, Fiducia, Ow, and Holtzman teaches the method of claim 14 (see rejection of claim 14 above) wherein the mobile storage device stores a version identification of the user revocation list, (Holtzman: ¶0295: the host reads the public area of the memory device the CRL that pertains to certificate the host will present to the memory device for authentication) the method further comprising replacing use of an old user revocation list stored within a memory of the unconnected processing device with the authenticated user revocation list responsively to the version identification of the authenticated user revocation list indicating that the authenticated user revocation list is newer than the old user revocation list. (Holtzman: ¶00296-0298: CRL contains in its field a time for the next update illustrated in Figure 32 the SSA thus preferably checks both theme of the next update as well as CET against the current time when the CRL is received by the memory). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the known teachings of Holtzman user revocation list to the method of Cha in view of Avetisov, Lim, Covdy, Fiducia, and Ow in order to verify the genuinely of party’s pubic key and preventing access to compromised keys by revoking access when certificates are invalid. With respect to claim 27, the combination of Cha in view of Avetisov, Lim, Covdy, Fiducia, and Ow teaches the method of claim 22 (see rejection of claim 22 above) but does not disclose wherein the processing circuitry is configured to symmetrically decrypt at least one of: the expiration value; the username; and the digital signature responsively to the personal identification code. However, Holtzman teaches wherein the processing circuitry is configured to symmetrically decrypt at least one of: the expiration value; the username; and the digital signature responsively to the personal identification code. (¶0083-0084: data confidential and integrity can be provided through symmetric encryption method for key values (referring to the use of OTP for username and passwords disclosed in ¶0371-0373 that is received from flash device and can restrict access by decryption can allow authorized entities to use the data) It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the known teachings of Holtzman of symmetrical decryption to the method of Cha in view of Avetisov, Lim, Covdy, Fiducia, and Ow in order to further protect the system by verifying the identity of a party through decrypting the response (login data) and authorizing only to decrypted responses that pass the challenge (matching the singular key). With respect to claim 36, the combination of Cha in view of Avetisov, Lim, Covdy, Ow, and Fiducia teaches the method of claim 22 (see rejection of claim 22 above),but does not disclose wherein: the mobile storage device stores a user revocation list, and the digital signature digitally signs the login details and the user revocation list; and the processing circuitry is configured to: receive the user revocation list from the mobile storage device; verify the digital signature responsively to the user revocation list to authenticate the user revocation list; and deny access to the unconnected computing resource responsively to the authenticated user revocation list. However, Holtzman wherein: the mobile storage device stores a user revocation list, (¶0017: Thus in another embodiment, at least one certificate revocation list is stored in a public area of the memory; the memory also stores protected data or content a user or consumer may wish to access. In this manner, the consumer or user will not need to obtain from a certificate authority the certificate revocation list every time access to the content stored in the memory is desired.) and the digital signature digitally signs the login details and the user revocation list; and (¶0288-0289: The CRL also will need to be verified to be genuine in order for it to serve the purpose of validating certificates. CRLs are signed using the private key of the CA that issued the CRL, and can be verified to be genuine by decrypting the signed CRL using the public key of the CA. One of the characteristics of the CRL scheme is that the validation of the certificate (against the CRL) can be performed separate from obtaining the CRL. CRLs are also signed by the issuers of the pertinent certificates, and are verified in a manner similar to the verification of certificates, using the public keys of CAs that issued the CRLs, in the manner described above. The memory device verifies that the signature is of the CRL and that the issuer of the CRL matches the issuer of the certificate.); the processing circuitry is configured to: receive the user revocation list from the mobile storage device; (¶0017: user may simply retrieve at least one certificate revocation list stored in the public area of the memory for authentication for content access) verify the digital signature responsively to the user revocation list to authenticate the user revocation list; (¶0287-0289: The SSA system uses a revocation scheme which involves each CA periodically issuing a signed data structure called a Certificate Revocation List (CRL). One of the characteristics of the CRL scheme checks certificate (for verifying host's identity) the device not only checks the certificate signature (validity) but also verifies against list of serial numbers received through CRL (verify)). and deny access to the unconnected computing resource responsively to the authenticated user revocation list. (¶0291-0293: Host devices, on the other hand, have been used to connect to CAs to obtain CRLs, so that when memory device 10 is to be authenticated by host devices, the memory device need not present CRLs to the host devices along with their certificates or certificate chains. (authenticated user revocation list) The authenticating entity then verifies the authenticity of the certificate and of the certificate revocation list received. The authenticating entity checks whether the certificate is on the revocation list by checking whether an identification of the certificate, such as a serial number of the certificate, is present on the list.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the known teachings of Holtzman user revocation list to the method of Cha in view of Avetisov, Lim, Covdy, and Fiducia in order to verify the genuinely of party’s pubic key and preventing access to compromised keys by revoking access when certificates are invalid. With respect to claim 37, the combination of Cha in view of Avetisov, Lim, Covdy, Ow, Fiducia, and Holtzman teaches the method of claim 36 (see rejection of claim 36 above), wherein: the mobile storage device stores a version identification of the user revocation list; (Holtzman: ¶0295: the host reads the public area of the memory device the CRL that pertains to certificate the host will present to the memory device for authentication) and the processing circuitry is configured to replace use of an old user revocation list stored in a memory of the unconnected processing device with the authenticated user revocation list responsively to the version identification of the authenticated user revocation list indicating that the authenticated user revocation list is newer than the old user revocation list. (Holtzman: ¶00296-0298: CRL contains in its field a time for the next update illustrated in Figure 32 the SSA thus preferably checks both theme of the next update as well as CET against the current time when the CRL is received by the memory). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the known teachings of Holtzman user revocation list to the method of Cha in view of Avetisov, Lim, Covdy, and Fiducia in order to verify the genuinely of party’s pubic key and preventing access to compromised keys by revoking access when certificates are invalid. Claims 8 and 29 are rejected under 35 U.S.C. 103 as being unpatentable over Cha et al. (US PGPub No. 20080046758-A1) in view of Avetisov et al. (US PGPub No. 20210044976-A1) , Lim et al. (US PGPub No. 20090044278-A1) , Ow et al. (US PGPub No. 20210012332-A1) , Covdy et al. (US PGPub No. 20180302400-A1), Fiducia et al. (US PGPub No. 20130297933-A1), and Holtzman et al. (US PGPub No. 20080010452-A1). With respect to claim 8, the combination of Cha in view of Avetisov, Lim, Covdy, Fiducia, and Ow teaches the method of claim 1 (see rejection of claim 1 above) further comprising: verifying, by the unconnected processing device, the digital signature responsively to the expiration value, the username, and (Covdy ¶0104: After receiving the encryption request, the first or second security device 710A-B (e.g., whichever one has bandwidth to carry out the encryption request or is not currently offline or busy) can generate the encrypted information using private key (e.g., a 224 bit elliptic curve digital signature algorithm (ECDSA) private key that is non-exportable from the respective security device 710A-B). The encrypted information can be sent back to the user 702 (via device 706) for usage as the password in accessing the instance or encrypted information can include a password when decrypted by instance provides the access to the user 702. Once submitted by the user 702 with the access to the instance. The instance may verify information (e.g., expiration time requirements have been met) that has been decrypted prior to permitting the user 702 to access the instance). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Covdy regarding digital signature to the method of Cha in view of Avetisov, Lim, Fiducia, and Ow in order to additional layer of security and prevent unauthorized access (Covdy ¶0019 & ¶0376). Cha in view of Avetisov, Lim, Covdy, Ow, and Fiducia does not disclose: the personal identification code to authenticate the expiration value, the username, and the personal identification code. However, Larson teaches the personal identification code to authenticate the expiration value, the username, and the personal identification code. ( ¶0136: Beginning with authentication, access to the application server can be limited to a finite set of users who will have to enter a username and a password to gain access into any part of the system where critical information or critical information or critical function are maintained. Devices such as a cell phone or Palm PDA have a unique serial number that is sent with every transaction. This is called Two-factor User authentication because it requires a secret, memorized personal identification number (PIN) and the current code generated by the token assigned to the user. Because the generated code expires after 60 seconds, the code is not reusable, so someone knowing both the PIN and the generated code has only 60 seconds in which to use it.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the known teachings of Larson of the personal identification code to the method of Cha in view of Avetisov, Lim, Covdy, Fiducia, and Ow in order to further enhance the authentication process ( Larson ¶0136). With respect to claim 29, the combination of Cha in view of Avetisov, Lim, Covdy, Fiducia, and Ow teaches the method of claim 22 (see rejection of claim 22 above), wherein the processing circuitry is configured to: verify the digital signature responsively to the expiration value, the username, and (Covdy ¶0104: After receiving the encryption request, the first or second security device 710A-B (e.g., whichever one has bandwidth to carry out the encryption request or is not currently offline or busy) can generate the encrypted information using private key (e.g., a 224 bit elliptic curve digital signature algorithm (ECDSA) private key that is non-exportable from the respective security device 710A-B). The encrypted information can be sent back to the user 702 (via device 706) for usage as the password in accessing the instance or encrypted information can include a password when decrypted by instance provides the access to the user 702. Once submitted by the user 702 with the access to the instance. The instance may verify information (e.g., expiration time requirements have been met) that has been decrypted prior to permitting the user 702 to access the instance). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Covdy regarding digital signature to the method of Cha in view of Avetisov, Lim, Fiducia, and Ow in order to additional layer of security and prevent unauthorized access (Covdy ¶0019 & ¶0376). Cha in view of Avetisov, Lim, Covdy, Fiducia, and Ow does not disclose: and the personal identification code to authenticate the expiration value, the username, and the personal identification code. However, Larson teaches the personal identification code to authenticate the expiration value, the username, and the personal identification code. ( ¶0136: Beginning with authentication, access to the application server can be limited to a finite set of users who will have to enter a username and a password to gain access into any part of the system where critical information or critical information or critical function are maintained. Devices such as a cell phone or Palm PDA have a unique serial number that is sent with every transaction. This is called Two-factor User authentication because it requires a secret, memorized personal identification number (PIN) and the current code generated by the token assigned to the user. Because the generated code expires after 60 seconds, the code is not reusable, so someone knowing both the PIN and the generated code has only 60 seconds in which to use it.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the known teachings of Larson of the personal identification code to the method of Cha in view of Avetisov, Lim, Covdy, Fiducia, and Ow in order to further enhance the authentication process ( Larson ¶0136). Claims 9, 10, 12, 13, 30, 31, 34, and 35 are rejected under 35 U.S.C. 103 as being unpatentable over Cha et al. (US PGPub No. 20080046758-A1) in view of Avetisov et al. (US PGPub No.20210044976-A1) , Lim et al. (US PGPub No. 20090044278-A1) , Ow et al. (US PGPub No. 20210012332-A1) , Covdy et al. (US PGPub No. 20180302400-A1), Fiducia et al. (US PGPub No. 20130297933-A1), and Nordstrom et al. (US PGPub No. 20160308858-A1). With respect to claim 9, the combination of Cha in view of Avetisov , Lim, Covdy, Fiducia, and Ow teaches the method of claim 1 (see rejection of claim 1 above) but does not disclose further comprising: connecting a web server to the mobile storage device; receiving the username, a password, and the personal identification code by the web server; generating the expiration value by the web server; generating the digital signature of the login details; and storing the expiration value and the digital signature of the login details in the mobile storage device responsively to authenticating the password. However, Nordstrom teaches further comprising: connecting a web server to the mobile storage device; ( ¶0124-0125 : As seen in Figure 7, in step 712, the client device 702 may be deployed (e.g., activated) and send a logon request to the server 704 (connecting to mobile storage device)) receiving the username, a password, and the personal identification code by the web server; ( ¶0007: The request for the time-limited entropy may be received at the server, and the method may further comprise sending, by the server, a response requesting the client device to perform a hard authentication if the current time exceeds the expiration time of the time-limited entropy. The hard authentication may comprise providing a username and a password or a two-factor authentication code.) generating the expiration value by the web server; ( ¶0006: To overcome limitations in the prior art described above, and to overcome other limitations that will be apparent upon reading and understanding the present specification, aspects described herein are directed towards a system and method comprising receiving a request from a client device for time-limited entropy generated by a server, wherein the time-limited entropy comprises an expiration time, and wherein the time-limited entropy is usable to access a static entropy generated by the server.). generating the digital signature of the login details; ( ¶0122: In some cases, managed applications 610 may be allowed to access a certificate and private key via an API (example OpenSSL). Trusted managed applications 610 of an enterprise may be allowed to perform specific Public Key operations with an application's client certificate and private key. Various use cases may be identified and treated accordingly, such as when an application behaves like a browser and no certificate access is required, when an application reads a certificate for “who am I,” when an application uses the certificate to build a secure session token, and when an application uses private keys for digital signing of important data (e.g. transaction log) or for temporary data encryption) and storing the expiration value and the digital signature of the login details in the mobile storage device responsively to authenticating the password. ( ¶0173: As seen in Figure 7, if the ticket has not expired, the server 704, in step 820B, may attempt to validate the digital signature on the request. In particular, the server 704 may obtain the public key of the client device 702 using the user ID and/or the client device ID. If the signature on the request is invalid, the server 704 may return an error and request the user to perform a hard authentication with the server 704.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the known teachings of Nordstrom of the web server to the method of Cha in view of Avetisov, Lim, Covdy, Fiducia, and Ow in order to further protect sensitive information and withstand password cracking attacks ( Nordstrom ¶0002) With respect to claim 10, the combination of Cha in view of Avetisov, Lim, Covdy, Fiducia, Ow, and Nordstrom teaches the method of claim 9 (see rejection of claim 9 above) further comprising encrypting the expiration value responsively to the personal identification code, wherein the storing comprises storing the encrypted expiration value in the mobile storage device. (Nordstrom ¶0039-0040: The signed data may comprise a time-limited ticket and an encrypted copy of the user's passcode, such as a PIN or a password. The time-limited ticket included in the signed data may be valid for a range of hours to days (e.g., 24 hours, 72 hours, etc.). If the current time is within the ticket validity window, a cryptographic key may be used to decrypt the PIN that is stored at the client device. The cryptographic key may comprise key material created on the server. The PIN entered by the user may be compared to the correct PIN to authenticate the user and/or the client device. Keys may also allow the client device to unlock encrypted vaults on the client device that contain additional passwords, certificates, cookies, and other sensitive information.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the known teachings of Nordstrom of encrypting the expiration value to the method of Cha in view of Avetisov, Lim, Covdy, Fiducia, and Ow in order to further protect sensitive information and withstand password cracking attacks (Nordstrom ¶0002). With respect to claim 12, the combination of Cha in view of Avetisov, Lim, Covdy, Fiducia, Ow, and Nordstrom teaches the method of claim 9 (see rejection of claim 9 above) further comprising encrypting the digital signature responsively to the personal identification code, wherein the storing comprises storing the encrypted digital signature in the mobile storage device. (Nordstrom ¶0166: With reference to FIG. 8C, in step 812D, the client device 702 may reset (e.g., set to false) the trigger indicating that the entered PIN is correct (e.g., correctPin). The client device 702 may also retrieve the server's public key and the signed expiration ticket. In step 812B, the client device 702 may verify the signature of the signed expiration ticket by calling the VerifySignature( ) function and inputting the server public key, as previously explained.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the known teachings of Nordstrom of encrypting the expiration value to the method of Cha in view of Avetisov, Lim, Covdy, Fiducia, and Ow in order to further protect sensitive information and to prevent tampering ( Nordstrom ¶0002 & ¶0166) With respect to claim 13, the combination of Cha in view of Avetisov, Lim, Covdy, Fiducia, Ow, Nordstrom teaches the method of claim 9 (see rejection of claim 9 above) wherein the login details include the personal identification code. (Nordstrom ¶0129-0130: With brief reference back to Figure 7a , in step 720, the client device 702 may prompt the user to enter a PIN, such as a four or six digit PIN. The user may be prompted to enter the PIN twice in order to confirm the chosen PIN. In step 722, the client device 702 may generate an encrypted data blob to send to the server 704. Returning to FIG. 7B and with reference to element 718B, the data blob may include a user ID (e.g., a username, user account number, etc.) and/or a device ID (e.g., a MAC address, a serial number, an IMEI number, etc.). The data blob may also include a random or pseudorandom number, which is referred to as “salt” in the pseudo code illustrated in Figure 7B). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the known teachings of Nordstrom of login details includes the personal identification code to the method of Cha in view of Avetisov, Lim, Covdy, Fiducia, and Ow in order to further protect sensitive information and withstand password cracking attacks ( Nordstrom ¶0002) With respect to claim 30, the combination of Cha in view of Avetisov, Lim, Covdy, Fiducia, and Ow teaches the method of claim 22 (see rejection of claim 22 above), but does not disclose further comprising a server configured to: connect to the mobile storage device; receive user input of the username, a password, and the personal identification code; generate the expiration value; generate the digital signature of the login details; store the expiration value and the digital signature of the login details in the mobile storage device responsively to authenticating the password; encrypt the username responsively to the personal identification code; and store the encrypted username in the mobile storage device. However, Nordstrom teaches further comprising a server configured to: connect to the mobile storage device; ( ¶0124-0125 : As seen in Figure 7, in step 712, the client device 702 may be deployed (e.g., activated) and send a logon request to the server 704 (connecting to mobile storage device)) receive user input of the username, a password, and the personal identification code; ( ¶0007: The request for the time-limited entropy may be received at the server, and the method may further comprise sending, by the server, a response requesting the client device to perform a hard authentication if the current time exceeds the expiration time of the time-limited entropy. The hard authentication may comprise providing a username and a password or a two-factor authentication code.) generate the expiration value; ( ¶0006: To overcome limitations in the prior art described above, and to overcome other limitations that will be apparent upon reading and understanding the present specification, aspects described herein are directed towards a system and method comprising receiving a request from a client device for time-limited entropy generated by a server, wherein the time-limited entropy comprises an expiration time, and wherein the time-limited entropy is usable to access a static entropy generated by the server.) generate the digital signature of the login details; ( ¶0122: In some cases, managed applications 610 may be allowed to access a certificate and private key via an API (example OpenSSL). Trusted managed applications 610 of an enterprise may be allowed to perform specific Public Key operations with an application's client certificate and private key. Various use cases may be identified and treated accordingly, such as when an application behaves like a browser and no certificate access is required, when an application reads a certificate for “who am I,” when an application uses the certificate to build a secure session token, and when an application uses private keys for digital signing of important data (e.g. transaction log) or for temporary data encryption) store the expiration value and the digital signature of the login details in the mobile storage device responsively to authenticating the password; ( ¶0173: As seen in Figure 7, if the ticket has not expired, the server 704, in step 820B, may attempt to validate the digital signature on the request. In particular, the server 704 may obtain the public key of the client device 702 using the user ID and/or the client device ID. If the signature on the request is invalid, the server 704 may return an error and request the user to perform a hard authentication with the server 704.). encrypt the username responsively to the personal identification code; and store the encrypted username in the mobile storage device. ( ¶0039-0040: The signed data may comprise a time-limited ticket and an encrypted copy of the user's passcode, such as a PIN or a password. The time-limited ticket included in the signed data may be valid for a range of hours to days (e.g., 24 hours, 72 hours, etc.). If the current time is within the ticket validity window, a cryptographic key may be used to decrypt the PIN that is stored at the client device. The cryptographic key may comprise key material created on the server. The PIN entered by the user may be compared to the correct PIN to authenticate the user and/or the client device. Keys may also allow the client device to unlock encrypted vaults on the client device that contain additional passwords, certificates, cookies, and other sensitive information.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the known teachings of Nordstrom of the digital signature to the method of Cha in view of Avetisov, Lim, Covdy, Fiducia, and Ow in order to further protect sensitive information and withstand password cracking attacks ( Nordstrom ¶0001-0004). With respect to claim 31, the combination of Cha in view of Avetisov, Lim, Covdy, Fiducia, Ow, and Nordstrom teaches the method of claim 30 (see rejection of claim 30 above), wherein the server is configured to generate the digital signature responsively to a private key of a public key infrastructure. (Nordstrom ¶0164: In some aspects, the client device 702 may verify the signature each time the client device 702 performs a hard authentication with the server 704 to obtain a new expiration ticket. In step 812A, the client device 702 may retrieve the server's public key, which may have previously been stored by the client device 702. In step 812B, the client device 702 may verify the signature of the signed expiration ticket using the server's public key.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the known teachings of Nordstrom of the web server to the method of Cha in view of Avetisov, Lim, Covdy, and Fiducia in order to further protect sensitive information and withstand password cracking attacks ( Nordstrom ¶0001-0004). With respect to claim 32, the combination of Cha in view of Avetisov, Lim, Covdy, Fiducia, Ow, and Nordstrom teaches the method of claim 30 (see rejection of claim 30 above), wherein the server is configured to: encrypt the expiration value responsively to the personal identification code; and store the encrypted expiration value in the mobile storage device. (Nordstrom ¶0039-0040: The signed data may comprise a time-limited ticket and an encrypted copy of the user's passcode, such as a PIN or a password. The time-limited ticket included in the signed data may be valid for a range of hours to days (e.g., 24 hours, 72 hours, etc.). If the current time is within the ticket validity window, a cryptographic key may be used to decrypt the PIN that is stored at the client device. The cryptographic key may comprise key material created on the server. The PIN entered by the user may be compared to the correct PIN to authenticate the user and/or the client device. Keys may also allow the client device to unlock encrypted vaults on the client device that contain additional passwords, certificates, cookies, and other sensitive information.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the known teachings of Nordstrom of encrypting the expiration value to the method of Cha in view of Avetisov, Lim, Covdy, Fiducia, and Ow in order to further protect sensitive information and withstand password cracking attacks (Nordstrom ¶0002). With respect to claim 34, the combination of Cha in view of Avetisov, Lim, Covdy, Fiducia, Ow, and Nordstrom teaches the method of claim 30 (see rejection of claim 30 above) wherein the server is configured to: encrypt the digital signature responsively to the personal identification code; and store the encrypted digital signature in the mobile storage device. (Nordstrom ¶0166: With reference to FIG. 8C, in step 812D, the client device 702 may reset (e.g., set to false) the trigger indicating that the entered PIN is correct (e.g., correctPin). The client device 702 may also retrieve the server's public key and the signed expiration ticket. In step 812B, the client device 702 may verify the signature of the signed expiration ticket by calling the VerifySignature( ) function and inputting the server public key, as previously explained.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the known teachings of Nordstrom of encrypting the expiration value to the method of Cha in view of Avetisov, Lim, Covdy, Ow, and Fiducia in order to further protect sensitive information and to prevent tampering ( Nordstrom ¶0002 & ¶0166). With respect to claim 35, the combination of Cha in view of Avetisov, Lim, Covdy, Fiducia, Ow, and Nordstrom teaches the method of claim 30 (see rejection of claim 30 above) wherein the login details include the personal identification code. (Nordstrom ¶0129-0130: With brief reference back to Figure 7a , in step 720, the client device 702 may prompt the user to enter a PIN, such as a four or six digit PIN. The user may be prompted to enter the PIN twice in order to confirm the chosen PIN. In step 722, the client device 702 may generate an encrypted data blob to send to the server 704. Returning to FIG. 7B and with reference to element 718B, the data blob may include a user ID (e.g., a username, user account number, etc.) and/or a device ID (e.g., a MAC address, a serial number, an IMEI number, etc.). The data blob may also include a random or pseudorandom number, which is referred to as “salt” in the pseudo code illustrated in Figure 7B). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the known teachings of Nordstrom of login details includes the personal identification code to the method of Cha in view of Avetisov, Lim, Covdy, Ow, and Fiducia in order to further protect sensitive information and withstand password cracking attacks ( Nordstrom ¶0002) Claims 16 and 38 are rejected under 35 U.S.C. 103 as being unpatentable over Cha et al. (US PGPub No. 20080046758-A1) in view of Avetisov et al. (US PGPub No. 20210174363-A) , Lim et al. (US PGPub No. 20090044278-A1) , Ow et al. (US PGPub No. 20210012332-A1) , Covdy et al. (US PGPub No. 20180302400-A1), Fiducia et al. (US PGPub No. 20130297933-A1), and Dare et al. (US PGPub No. 20140201519-A1). With respect to claim 16, the combination of Cha in view of Avetisov, Lim, Covdy, Fiducia, and Ow teaches the method of claim 1 (see rejection of claim 1 above) wherein: the digital signature is generated and verified responsively to a first private key and a first public key of a public key infrastructure, respectively; (Cha ¶0094-0096: 3. Data Integrity Protection ensures the ability to detect unauthorized modification of data. In the OMA DRM, data integrity protection, when applicable, is achieved through digital signatures on ROAP messages and ROs. In the OMA DRM, each DRM agent is provisioned with a unique key pair and an associated certificate, identifying the DRM agent and certifying the binding between the agent and this key pair. This allows RIs to securely authenticate the DRM agent using standard PKI procedures.). Cha in view of Avetisov, Lim, Covdy, Fiducia, and Ow does not disclose: the mobile storage device stores a second public key, and the digital signature digitally signs the login details and the second public key, the method further comprising: receiving, by the unconnected processing device, the second public key from the mobile storage device; verifying, by the unconnected processing device, the digital signature responsively to the first public key to authenticate the second public key; and verifying, by the unconnected processing device, additional digital signatures with the second public key responsively to the second public key being authenticated. However, Dare teaches the mobile storage device stores a second public key, and the digital signature digitally signs the login details and the second public key, (¶0046-0047: wherein data may include one more public keys the second certificate signed with an electronic signature by second signing entity and including one or more attributes of described entity including the data (second public key)). the method further comprising: receiving, by the unconnected processing device, the second public key from the mobile storage device; (¶0046-0047: wherein data may include one more public keys the second certificate signed with an electronic signature by second signing entity and including one or more attributes of described entity including the data (second public key)) verifying, by the unconnected processing device, the digital signature responsively to the first public key to authenticate the second public key; (¶105-106: validating digital certificate includes a method of first entity signing the electronic property using a private key of a public/private key (first public key) corresponding public key or indication of its which can include the public/ private key of the second entity (second public key)). and verifying, by the unconnected processing device, additional digital signatures with the second public key responsively to the second public key being authenticated. (¶0112-0118: in an example for verifying multiple digital signature using public/ private key pair (second public key) of the authentication body that can be the second entity). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Dare of first public key and second public key to the method of Cha in view of Avetisov, Lim, Covdy, Fiducia, and Ow in order to further protect the system by providing verification public keys for assurance of the digital signature (Dare ¶0029). With respect to claim 38, the combination of Cha in view of Avetisov, Lim, Covdy, Ow, and Fiducia teaches the method of claim 22 (see rejection of claim 22 above) wherein: the digital signature is generated and verified responsively to a first private key and a first public key of a public key infrastructure, respectively; (Cha ¶0094-0096: 3. Data Integrity Protection ensures the ability to detect unauthorized modification of data. In the OMA DRM, data integrity protection, when applicable, is achieved through digital signatures on ROAP messages and ROs. In the OMA DRM, each DRM agent is provisioned with a unique key pair and an associated certificate, identifying the DRM agent and certifying the binding between the agent and this key pair. This allows RIs to securely authenticate the DRM agent using standard PKI procedures.). Cha in view of Avetisov, Lim, Covdy, Ow, and Fiducia does not disclose: the mobile storage device stores a second public key, and the digital signature digitally signs the login details and the second public key; and the processing circuitry is configured to: receive the second public key from the mobile storage device; verify the digital signature responsively to the first public key to authenticate the second public key; and verify additional digital signatures with the second public key responsively to the second public key being authenticated. However, Dare teaches the mobile storage device stores a second public key, and the digital signature digitally signs the login details and the second public key; (¶0046-0047: wherein data may include one more public keys the second certificate signed with an electronic signature by second signing entity and including one or more attributes of described entity including the data (second public key)). and the processing circuitry is configured to: receive the second public key from the mobile storage device; (¶0046-0047: wherein data may include one more public keys the second certificate signed with an electronic signature by second signing entity and including one or more attributes of described entity including the data (second public key)) verify the digital signature responsively to the first public key to authenticate the second public key; (¶105-106: validating digital certificate includes a method of first entity signing the electronic property using a private key of a public/private key (first public key) corresponding public key or indication of its which can include the public/ private key of the second entity (second public key)). and verify additional digital signatures with the second public key responsively to the second public key being authenticated. (¶0112-0118: in an example for verifying multiple digital signature using public/ private key pair (second public key) of the authentication body that can be the second entity). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Dare of second public key to the method of Cha in view of Avetisov, Lim, Covdy, Ow, and Fiducia in order to further protect the system by providing verification public keys for assurance of the digital signature (Dare ¶0029). Claims 17 and 39 are rejected under 35 U.S.C. 103 as being unpatentable over Cha et al. (US PGPub No. 20080046758-A1) in view of Avetisov et al. (US PGPub No. 20210174363-A) , Lim et al. (US PGPub No. 20090044278-A1) , Ow et al. (US PGPub No. 20210012332-A1) , Covdy et al. (US PGPub No. 20180302400-A1), Fiducia et al. (US PGPub No. 20130297933-A1), Ahn et al. (US PGPub No. 20090038007-A1), and Sasselli et al. (US PGPub No. 20040107349-A1). With respect to claim 17, the combination of Cha in view of Avetisov, Lim, Covdy, Fiducia, Ow, and Dare teaches the method of claim 16 (see rejection of claim 16 above) but does not disclose wherein the mobile storage device stores a new public key list including the first public key and the second public key, and a version identification of the new public key list, the method further comprising replacing use of an old public key list stored in a memory of the unconnected processing device with the new public key list responsively to the version identification of the new public key list indicating that the new public key list is newer than the old public key list. However, Ahn teaches the mobile storage device stores a new public key list including the first public key and the second public key, and (¶0036: the service device may create a list of public keys used for persistently storing user cluster devices, and the list of public keys is used for storing public keys and identification codes of user cluster devices that have made a request to access the service device). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings Ahn with regards to the public key lists to the method of Cha in view of Avetisov, Lim, Covdy, Fiducia, and Dare in order to improve authentication efficiency (An: ¶0005-0007 & 0036). Cha in view of Avetisov, Lim, Covdy, Fiducia, Ow, Dare, and Ahn does not disclose: a version identification of the new public key list, the method further comprising replacing use of an old public key list stored in a memory of the unconnected processing device with the new public key list responsively to the version identification of the new public key list indicating that the new public key list is newer than the old public key list. However, Sasselli teaches a version identification of the new public key list, (¶0040: A decoder with version 2 software cannot directly decrypt the signature (H(P))PK5 of the new version 5 because the key available in the list of public keys is that of the version immediately higher, namely the key K3. (identifying a version of public key list)); the method further comprising replacing use of an old public key list stored in a memory of the unconnected processing device with the new public key list responsively to the version identification of the new public key list indicating that the new public key list is newer than the old public key list. (¶0033 &0053: The solution consists in transmitting a data flow containing the patch P for updating the software of the decoder to version 5 signed with the key PK5 to which a plurality of messages M1, M2, M3, M4 are added, each encrypted with a private key PK1, PK2, PK3, PK4 taken from the key list. The RAM memory stores these messages as well as the patch P with its signature (H(P))PK5. The version of the decoder being 2, the updating key of version 1 to 2 is already deactivated by the first update. (wherein the old public key list is rendered useless and is replaced by new public key list)). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings Sasselli with regards identification list and replacing older list with a newer list method of Cha in view of Avetisov, Lim, Covdy, Fiducia, Ow, Dare, and Ahn in order to better adapt to the increasing demands of the user by improving the adaptation to changes in the software environment (Sasselli: ¶0002-0003). With respect to claim 39, the combination of Cha in view of Avetisov, Lim, Covdy, Ow, and Fiducia teaches the method of claim 38 (see rejection of claim 38 above) but does not disclose wherein: the mobile storage device stores: a new public key list including the first public key, and the second public key; and a version identification of the new public key list; and the processing circuitry is configured to replace use of an old public key list stored in a memory of the unconnected processing device with the new public key list responsively to the version identification of the new public key list indicating that the new public key list is newer than the old public key list. However, Ahn teaches wherein: the mobile storage device stores: a new public key list including the first public key, and the second public key; and(¶0036: the service device may create a list of public keys used for persistently storing user cluster devices, and the list of public keys is used for storing public keys and identification codes of user cluster devices that have made a request to access the service device). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings Ahn with regards to the public key lists to the method of Cha in view of Avetisov, Lim, Covdy, Fiducia, Ow, and Dare in order to improve authentication efficiency (Ahn: ¶0005-0007 & 0036). Cha in view of Avetisov, Lim, Covdy, Ow, Fiducia, Dare, and Ahn does not disclose: a version identification of the new public key list; and the processing circuitry is configured to replace use of an old public key list stored in a memory of the unconnected processing device with the new public key list responsively to the version identification of the new public key list indicating that the new public key list is newer than the old public key list. However, Sasselli teaches a version identification of the new public key list; and (¶0040: A decoder with version 2 software cannot directly decrypt the signature (H(P))PK5 of the new version 5 because the key available in the list of public keys is that of the version immediately higher, namely the key K3. (identifying a version of public key list)); the processing circuitry is configured to replace use of an old public key list stored in a memory of the unconnected processing device with the new public key list responsively to the version identification of the new public key list indicating that the new public key list is newer than the old public key list. (¶0033 &0053: The solution consists in transmitting a data flow containing the patch P for updating the software of the decoder to version 5 signed with the key PK5 to which a plurality of messages M1, M2, M3, M4 are added, each encrypted with a private key PK1, PK2, PK3, PK4 taken from the key list. The RAM memory stores these messages as well as the patch P with its signature (H(P))PK5. The version of the decoder being 2, the updating key of version 1 to 2 is already deactivated by the first update. (wherein the old public key list is rendered useless and is replaced by new public key list)). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings Sasselli with regards identification list and replacing older list with a newer list method of Cha in view of Avetisov, Lim, Covdy, Ow, Fiducia, Dare, and Ahn in order to better adapt to the increasing demands of the user by improving the adaptation to changes in the software environment (Sasselli: ¶0002-0003). Claims 18 and 40 are rejected under 35 U.S.C. 103 as being unpatentable over Cha et al. (US PGPub No. 20080046758-A1) in view of Holtzman et al. (US PGPub No. 20080010452-A1), Hwang et al. (US PGPub No.20210160223-A1), and Covdy et al. (US PGPub No. 20180302400-A1). With respect to claim 18, Cha teaches a method to authenticate [human] users, comprising: (Abstract: The present invention discloses several methods to strengthen the integrity entities, messages, and processing related to content distribution as defined by the Open Mobile Alliance (OMA) Digital Rights Management (DRM). The methods use techniques related to the Trusted Computing Group (TCG) specifications. ¶0002-0006: OMA DRM 2.0 also specifies a set of protocols that together called the Rights Object Acquisition Protocol (ROAP) that comprises various sub-protocols related to mutual authentication and registration between a device and a rights issuer (RI), requesting ROs, response to delivery of ROs or refusal to deliver ROs, and joining and leaving of domains by the device.); connecting a mobile storage device to an unconnected processing device that is unconnected over an network (¶0044: Unconnected Device – A device that is capable of connecting to an RI via a connected device using an appropriate protocol over a local connectivity technology e.g., OBEX over IrDA (object exchanged over infrared), Bluetooth, or Universal Serial Bus (USB). ¶0075: A user, for example, as seen in Figure 1 , may have an OMA DRM compliant portable device (an unconnected device) that has no network connectivity, and an OMA DRM compliant mobile device (a connected device) that has network connectivity. After using the connected device to browse and purchase the DRM content 122 and downloading the DRM content 122 to the connected device, the user then may wish to play the DRM content 122 on the unconnected device.) receiving, by the unconnected processing device, the digital signature and the user revocation list from the mobile storage device; (¶0093: The 2-pass Leave Domain Protocol authenticates the DRM agent to the RI through the digital signature on the time stamp. RIs are required to authenticate themselves to the DRM agent during delivery of ROs. This provides some level of assurance about the authenticity of the RI. ¶0152-0153: The offline policy may enforce compliance rules beyond user authentication on the mobile device 101 in instances where networked services are unavailable. In some cases, policies may be stored within CEE 113 but may be verified by TEE 103 (e.g., by signature verification) or encrypted with a protocol for which TEE, but not the CEE, includes key operable to decrypt the policy according to the protocol. The TEE 103, as previously described, may store within or cryptographically sign data associated with applications, or modules within the trusted execution environment, such as to protect data from being tampered with, read, or modified by an unauthorized entity, and the TEE 103 may release only representations or certain credentials (e.g., offline values or certificates) or decrypt certain data (e.g., offline values or certificates) or sign certain data (e.g., certificates or representations of credentials) subject to user authentication results determined within the TEE 103 and, in some cases, verification of compliance with policy. Further ¶0336 exemplifies, an entity receiving signed data from the relying device 140, which may be in association with a request, challenge, access attempt, or login pertaining to a particular mobile device of a particular user, may verify the signature (digital signature) based on a corresponding public key distributed by relying device or other entity in association with registration of the mobile device of the user (user being authenticated to use the unconnected computing resource)); Cha does not disclose: which stores the mobile storage device storing a user revocation list that identifies human users, a version identification of the user revocation list, and a digital signature of login details and the user revocation list; verifying, by the unconnected processing device, the digital signature responsively to the user revocation list and login data to authenticate the user revocation list and the login data included in the login details; providing access to an unconnected computing resource of the unconnected processing device responsively to the authenticated login data; replacing use of an old user revocation list stored in a memory of the unconnected processing device with the authenticated user revocation list received from the mobile storage device responsively to the version identification of the authenticated user revocation list indicating that the authenticated user revocation list is newer than the old user revocation list; and denying access the human to the unconnected computing resource responsively to the authenticated user revocation list. However, Holtzman teaches which stores the mobile storage device storing a user revocation list that [identifies human users], (¶0017: Thus in another embodiment, at least one certificate revocation list is stored in a public area of the memory; the memory also stores protected data or content a user or consumer may wish to access. In this manner, the consumer or user will not need to obtain from a certificate authority the certificate revocation list every time access to the content stored in the memory is desired.) a version identification of the user revocation list, (¶0295: the host reads the public area of the memory device the CRL that pertains to certificate the host will present to the memory device for authentication) and a digital signature [of login details of a human user] and the user revocation list; (¶0288-0289: The CRL also will need to be verified to be genuine in order for it to serve the purpose of validating certificates. CRLs are signed using the private key of the CA that issued the CRL, and can be verified to be genuine by decrypting the signed CRL using the public key of the CA. One of the characteristics of the CRL scheme is that the validation of the certificate (against the CRL) can be performed separate from obtaining the CRL. CRLs are also signed by the issuers of the pertinent certificates, and are verified in a manner similar to the verification of certificates, using the public keys of CAs that issued the CRLs, in the manner described above. The memory device verifies that the signature is of the CRL and that the issuer of the CRL matches the issuer of the certificate.); verifying, by the unconnected processing device, the digital signature responsively to the user revocation list and login data to authenticate the user revocation list and the login data included in the login details; (¶0287-0289: The SSA system uses a revocation scheme which involves each CA periodically issuing a signed data structure called a Certificate Revocation List (CRL). One of the characteristics of the CRL scheme checks certificate (for verifying host's identity) the device not only checks the certificate signature (validity) but also verifies against list of serial numbers received through CRL (verify)). replacing use of an old user revocation list stored in a memory of the unconnected processing device with the authenticated user revocation list received from the mobile storage device responsively to the version identification of the authenticated user revocation list indicating that the authenticated user revocation list is newer than the old user revocation list; and (¶00296-0298: CRL contains in its field a time for the next update illustrated in Figure 32 the SSA thus preferably checks both theme of the next update as well as CET against the current time when the CRL is received by the memory). denying access the human to the unconnected computing resource responsively to the authenticated user revocation list. (¶0291-0293: Host devices, on the other hand, have been used to connect to CAs to obtain CRLs, so that when memory device 10 is to be authenticated by host devices, the memory device need not present CRLs to the host devices along with their certificates or certificate chains. (authenticated user revocation list) The authenticating entity then verifies the authenticity of the certificate and of the certificate revocation list received. The authenticating entity checks whether the certificate is on the revocation list by checking whether an identification of the certificate, such as a serial number of the certificate, is present on the list.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the known teachings of Holtzman user revocation list to the method of Cha in order to confirm the validity of party’s pubic key and preventing access to compromised keys by revoking access when certificates are invalid. Cha in view of Holtzman does not disclose: authenticate human users a user revocation list that identifies human users digital signature of login details of a human user Cha in view of Hwang does discloses authentication through revocation lists and digital signatures, but Cha in view Hwang does not emphasize the limitation of user being human. However, Hwang teaches authenticate human users (¶0008: As one of the representative cryptographic authentication techniques for privacy with accountability, the group signature method is known. The group signature method basically does not expose the identity information or the identity identifier of the signer from the signature value. That is, the signature proves that a user of the group member has created the signature for the message.); a user revocation list that identifies human users (¶0131-0132: That is, the opening server 200 generates a revocation tag using the corresponding information (credential Cre′, corresponding anonymous credential signature value σ) when requesting revocation, and registers the revocation tag in the revocation list.); digital signature of login details of a human user (¶0026-0027: The opening server generates and outputs signer authentication information for confirming a signer of an anonymous credential signature value when the anonymous credential signature value indicating that setting proposition information set is satisfied using the credential from the user who is issued the credential is received. The anonymous credential authentication system may further include a signature verification server that classifies the attribute information combined with the credential into hidden attribute information, direct disclosure attribute information, and attribute information related to a setting function, performs basic verification on the anonymous credential signature value, and then verifies validity of the anonymous credential signature value by verifying the classified attribute information, respectively.); It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the known teachings of Hwang with regards to a human user to the method of Cha in view of Holtzman in order enable verification of the user and further protect the system from malicious attacks (Hwang ¶0003) . Cha in view of Holtzman and Hwang does not disclose: providing access by the human user to an unconnected computing resource of the unconnected processing device responsively to the authenticated login data; However, Covdy teaches providing access by the human user to an unconnected computing resource of the unconnected processing device responsively to the authenticated login data; (¶0067:As seen in Figure 3, the encrypted information can be encrypted using a private key by the authentication system 306. Once the client device 302 receives the encrypted information from the authentication system 306, the client device 302 can provide the encrypted information to the instance 304 to obtain access to the instance 304.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Covdy regarding authenticated login data to the method of Cha in view of Holtzman and Hwang in order to additional layer of security and prevent unauthorized access (Covdy ¶0019 & ¶0376). With respect to claim 40, Cha teaches a unconnected processing device that is unconnected over a network (¶0017: Device – A user equipment with a DRM agent. It can be either a connected device or an unconnected device, but this distinction is contextual and variable in nature, since a connected can become an unconnected device when it loses its capability to directly connect to an RI ¶0075: A user, for example, as seen in Figure 1 , may have an OMA DRM compliant portable device (an unconnected device) that has no network connectivity, and an OMA DRM compliant mobile device (a connected device) that has network connectivity. After using the connected device to browse and purchase the DRM content 122 and downloading the DRM content 122 to the connected device, the user then may wish to play the DRM content 122 on the unconnected device) to authenticate human users, comprising: (¶0002-0006: The present invention generally relates to digital rights management (DRM) methods in wireless communication networks. More particularly, the present invention provides methods for enhancing security, integrity, and trustworthiness in systems operating in accordance with the Open Mobile Alliance (OMA) DRM specifications. OMA DRM 2.0 also specifies a set of protocols that together called the Rights Object Acquisition Protocol (ROAP) that comprises various sub-protocols related to mutual authentication and registration between a device and a rights issuer (RI), requesting ROs, response to delivery of ROs or refusal to deliver ROs, and joining and leaving of domains by the device.) a data interface configured to connect to a mobile storage device, (¶0044: Unconnected Device – A device that is capable of connecting to an RI via a connected device using an appropriate protocol over a local connectivity technology e.g., OBEX over IrDA (object exchanged over infrared), Bluetooth, or Universal Serial Bus (USB). An unconnected device may support DRM Time). Cha does not disclose: which stores a user revocation list that identifies human users, a version identification of the user revocation list, and a digital signature digitally signing login details of a human user and the user revocation list; and processing circuitry configured to: receive the digital signature and the user revocation list from the mobile storage device; verify the digital signature responsively to the user revocation list and login data to authenticate the user revocation list and the login data included in the login details; provide access to an unconnected computing resource of the unconnected processing device responsively to the authenticated login data; replace use of an old user revocation list stored in a memory of the unconnected processing device with the authenticated user revocation list received from the mobile storage device responsively to the version identification of the authenticated user revocation list indicating that the authenticated user revocation list is newer than the old user revocation list; and deny access to the unconnected computing resource responsively to the authenticated user revocation list. However, Holtzman teaches which stores a user revocation list that identifies [human] users, a version identification of the user revocation list, (¶0017: Thus in another embodiment, at least one certificate revocation list is stored in a public area of the memory; the memory also stores protected data or content a user or consumer may wish to access. In this manner, the consumer or user will not need to obtain from a certificate authority the certificate revocation list every time access to the content stored in the memory is desired.) and a digital signature digitally signing login details of a [human] user and the user revocation list; (¶0288-0289: The CRL also will need to be verified to be genuine in order for it to serve the purpose of validating certificates. CRLs are signed using the private key of the CA that issued the CRL, and can be verified to be genuine by decrypting the signed CRL using the public key of the CA. One of the characteristics of the CRL scheme is that the validation of the certificate (against the CRL) can be performed separate from obtaining the CRL. CRLs are also signed by the issuers of the pertinent certificates, and are verified in a manner similar to the verification of certificates, using the public keys of CAs that issued the CRLs, in the manner described above. The memory device verifies that the signature is of the CRL and that the issuer of the CRL matches the issuer of the certificate.); and processing circuitry configured to: receive the digital signature and the user revocation list from the mobile storage device; (¶0017: user may simply retrieve at least one certificate revocation list stored in the public area of the memory for authentication for content access) verify the digital signature responsively to the user revocation list and login data to authenticate the user revocation list and the login data included in the login details; (¶0287-0289: The SSA system uses a revocation scheme which involves each CA periodically issuing a signed data structure called a Certificate Revocation List (CRL). One of the characteristics of the CRL scheme checks certificate (for verifying host's identity) the device not only checks the certificate signature (validity) but also verifies against list of serial numbers received through CRL (verify)). replace use of an old user revocation list stored in a memory of the unconnected processing device with the authenticated user revocation list received from the mobile storage device responsively to the version identification of the authenticated user revocation list indicating that the authenticated user revocation list is newer than the old user revocation list; and (¶00295-0298: The host reads the public area of the memory device the CRL that pertains to certificate the host will present to the memory device for authentication. CRL contains in its field a time for the next update illustrated in Figure 32 the SSA thus preferably checks both theme of the next update as well as CET against the current time when the CRL is received by the memory). deny access to the unconnected computing resource responsively to the authenticated user revocation list. (¶0291-0293: Host devices, on the other hand, have been used to connect to CAs to obtain CRLs, so that when memory device 10 is to be authenticated by host devices, the memory device need not present CRLs to the host devices along with their certificates or certificate chains. (authenticated user revocation list) The authenticating entity then verifies the authenticity of the certificate and of the certificate revocation list received. The authenticating entity checks whether the certificate is on the revocation list by checking whether an identification of the certificate, such as a serial number of the certificate, is present on the list.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the known teachings of Holtzman user revocation list to the method of Cha in order to verify the genuinely of party’s pubic key and preventing access to compromised keys by revoking access when certificates are invalid. Cha in view of Holtzman does not disclose: authenticate human users a user revocation list that identifies human users digital signature digitally signing login details of a human user Cha in view of Hwang does discloses authentication through revocation lists and digital signatures, but Cha in view Hwang does not emphasize the limitation of user being human. However, Hwang teaches authenticate human users (¶0008: As one of the representative cryptographic authentication techniques for privacy with accountability, the group signature method is known. The group signature method basically does not expose the identity information or the identity identifier of the signer from the signature value. That is, the signature proves that a user of the group member has created the signature for the message.); a user revocation list that identifies human users (¶0131-0132: That is, the opening server 200 generates a revocation tag using the corresponding information (credential Cre′, corresponding anonymous credential signature value σ) when requesting revocation, and registers the revocation tag in the revocation list.); digital signature digitally signing login details of a human user (¶0026-0027: The opening server generates and outputs signer authentication information for confirming a signer of an anonymous credential signature value when the anonymous credential signature value indicating that setting proposition information set is satisfied using the credential from the user who is issued the credential is received. The anonymous credential authentication system may further include a signature verification server that classifies the attribute information combined with the credential into hidden attribute information, direct disclosure attribute information, and attribute information related to a setting function, performs basic verification on the anonymous credential signature value, and then verifies validity of the anonymous credential signature value by verifying the classified attribute information, respectively.); It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the known teachings of Hwang with regards to a human user to the method of Cha in view of Holtzman in order enable verification of the user and further protect the system from malicious attacks (Hwang ¶0003) . Cha in view of Holtzman and Hwang does not disclose: provide access by the human user to an unconnected computing resource of the unconnected processing device responsively to the authenticated login data; However, Covdy teaches provide access by the human user to an unconnected computing resource of the unconnected processing device responsively to the authenticated login data; (¶0067:As seen in Figure 3, the encrypted information can be encrypted using a private key by the authentication system 306. Once the client device 302 receives the encrypted information from the authentication system 306, the client device 302 can provide the encrypted information to the instance 304 to obtain access to the instance 304.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Covdy regarding authenticated login data to the method of Cha in view of Holtzman and Hwang in order to additional layer of security and prevent unauthorized access (Covdy ¶0019 & ¶0376). Claims 20 and 42 are rejected under 35 U.S.C. 103 as being unpatentable over Cha et al. (US PGPub No. 20080046758-A1) in view of Hwang et al. (US PGPub No.20210160223-A1), Dare et al. (US PGPub No. 20140201519-A1), and Covdy et al. (US PGPub No. 20180302400-A1). With respect to claim 20, Cha teaches a method to authenticate [human] users to use an unconnected computing resource (¶0002-0006: The present invention generally relates to digital rights management (DRM) methods in wireless communication networks. More particularly, the present invention provides methods for enhancing security, integrity, and trustworthiness in systems operating in accordance with the Open Mobile Alliance (OMA) DRM specifications. OMA DRM 2.0 also specifies a set of protocols that together called the Rights Object Acquisition Protocol (ROAP) that comprises various sub-protocols related to mutual authentication and registration between a device and a rights issuer (RI), requesting ROs, response to delivery of ROs or refusal to deliver ROs, and joining and leaving of domains by the device.) of an unconnected processing device that is unconnected over a network, (¶0017: Device – A user equipment with a DRM agent. It can be either a connected device or an unconnected device, but this distinction is contextual and variable in nature, since a connected can become an unconnected device when it loses its capability to directly connect to an RI). the method comprising: connecting a mobile storage device to the unconnected processing device, (¶0044: Unconnected Device – A device that is capable of connecting to an RI via a connected device using an appropriate protocol over a local connectivity technology e.g., OBEX over IrDA (object exchanged over infrared), Bluetooth, or Universal Serial Bus (USB). An unconnected device may support DRM Time ¶0075: A user, for example, as seen in Figure 1 , may have an OMA DRM compliant portable device (an unconnected device) that has no network connectivity, and an OMA DRM compliant mobile device (a connected device) that has network connectivity. After using the connected device to browse and purchase the DRM content 122 and downloading the DRM content 122 to the connected device, the user then may wish to play the DRM content 122 on the unconnected device.). the mobile storage device storing: a digital signature generated responsively to a first private key for verification responsively to a first public key, (¶0005: A device compliant with OMA DRM 2.0 has an individual certificate based on a DRM public key infrastructure (PKI), i.e., each device has a public key, a corresponding private key, and a certificate verifying this fact. Each rights object (RO) is protected for both confidentiality (by encryption) and integrity (by digital signatures). Further in ¶0110: This digital signature is made using the device's private key. Including the digital signature provides some integrity protection of the associated ROAP messages.). Cha does not disclose: authenticate human users Cha does discloses authentication, but Cha does not emphasize the limitation of user being human. However, Hwang teaches authenticate human users (¶0008: As one of the representative cryptographic authentication techniques for privacy with accountability, the group signature method is known. The group signature method basically does not expose the identity information or the identity identifier of the signer from the signature value. That is, the signature proves that a user of the group member has created the signature for the message.); It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the known teachings of Hwang with regards to a human user to the method of Cha in order enable verification of the user and further protect the system from malicious attacks (Hwang ¶0003) . Cha in view of Hwang does not disclose: a second public key, the digital signature digitally signing login details and the second public key; receiving, by the unconnected processing device, the digital signature and the second public key from the mobile storage device; verifying, by the unconnected processing device, the digital signature responsively to the first public key to authenticate the second public key and login data included in the login details; providing access to the unconnected computing resource responsively to the authenticated login data; and verifying, by the unconnected processing device, additional digital signatures with the second public key responsively to the second public key being authenticated. However, Dare teaches a second public key, the digital signature digitally signing login details and the second public key; (¶0046-0047: wherein data may include one more public keys the second certificate signed with an electronic signature by second signing entity and including one or more attributes of described entity including the data (second public key)). receiving, by the unconnected processing device, the digital signature and the second public key from the mobile storage device; (¶0046-0047: wherein data may include one more public keys the second certificate signed with an electronic signature by second signing entity and including one or more attributes of described entity including the data (second public key)) verifying, by the unconnected processing device, the digital signature responsively to the first public key to authenticate the second public key and login data included in the login details; (¶105-106: validating digital certificate includes a method of first entity signing the electronic property using a private key of a public/private key (first public key) corresponding public key or indication of its which can include the public/ private key of the second entity (second public key)). verifying, by the unconnected processing device, additional digital signatures with the second public key responsively to the second public key being authenticated. (¶0112-0118: in an example for verifying multiple digital signature using public/ private key pair (second public key) of the authentication body that can be the second entity). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Dare of second public key to the method of Cha in view of Hwang in order to further protect the system by providing verification public keys for assurance of the digital signature (Dare ¶0029). Cha in view of Hwang and Dare does not disclose: providing access by the human user to the unconnected computing resource responsively to the authenticated login data; and However, Covdy teaches providing access by the human user to the unconnected computing resource responsively to the authenticated login data; and(¶0067:As seen in Figure 3, the encrypted information can be encrypted using a private key by the authentication system 306. Once the client device 302 receives the encrypted information from the authentication system 306, the client device 302 can provide the encrypted information to the instance 304 to obtain access to the instance 304.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Covdy regarding authenticated login data to the method of Cha in view of Hwang and Dare in order to additional layer of security and prevent unauthorized access (Covdy ¶0019 & ¶0376). With respect to claim 42, Cha teaches a unconnected processing device that is unconnected over a network (¶0044: Unconnected Device – A device that is capable of connecting to an RI via a connected device using an appropriate protocol over a local connectivity technology e.g., OBEX over IrDA (object exchanged over infrared), Bluetooth, or Universal Serial Bus (USB). ¶0075: A user, for example, as seen in Figure 1 , may have an OMA DRM compliant portable device (an unconnected device) that has no network connectivity, and an OMA DRM compliant mobile device (a connected device) that has network connectivity. After using the connected device to browse and purchase the DRM content 122 and downloading the DRM content 122 to the connected device, the user then may wish to play the DRM content 122 on the unconnected device.) to authenticate users that are [human] users, comprising: (Abstract: The present invention discloses several methods to strengthen the integrity entities, messages, and processing related to content distribution as defined by the Open Mobile Alliance (OMA) Digital Rights Management (DRM). The methods use techniques related to the Trusted Computing Group (TCG) specifications. ¶0002-0006: OMA DRM 2.0 also specifies a set of protocols that together called the Rights Object Acquisition Protocol (ROAP) that comprises various sub-protocols related to mutual authentication and registration between a device and a rights issuer (RI), requesting ROs, response to delivery of ROs or refusal to deliver ROs, and joining and leaving of domains by the device.); a data interface configured to connect to a mobile storage device, (¶0044: Unconnected Device – A device that is capable of connecting to an RI via a connected device using an appropriate protocol over a local connectivity technology e.g., OBEX over IrDA (object exchanged over infrared), Bluetooth, or Universal Serial Bus (USB). An unconnected device may support DRM Time). which stores: a digital signature generated responsively to a first private key for verification responsively to a first public key, (¶0005: A device compliant with OMA DRM 2.0 has an individual certificate based on a DRM public key infrastructure (PKI), i.e., each device has a public key, a corresponding private key, and a certificate verifying this fact. Each rights object (RO) is protected for both confidentiality (by encryption) and integrity (by digital signatures). Further in ¶0110: This digital signature is made using the device's private key. Including the digital signature provides some integrity protection of the associated ROAP messages.). Cha does not disclose: authenticate human users Cha does disclose authentication, but Cha does not emphasize the limitation of user being human. However, Hwang teaches authenticate human users (¶0008: As one of the representative cryptographic authentication techniques for privacy with accountability, the group signature method is known. The group signature method basically does not expose the identity information or the identity identifier of the signer from the signature value. That is, the signature proves that a user of the group member has created the signature for the message.); It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the known teachings of Hwang with regards to a human user to the method of Cha in order enable verification of the user and further protect the system from malicious attacks (Hwang ¶0003) . Cha in view of Hwang does not disclose: a second public key, the digital signature digitally signing login details of a human users and the second public key; and processing circuitry configured to: receive the digital signature and the second public key from the mobile storage device; verify the digital signature responsively to the first public key to authenticate the second public key and login data included in the login details; provide access to an unconnected computing resource of the unconnected processing device responsively to the authenticated login data; and verify additional digital signatures with the second public key responsively to the second public key being authenticated. However, Dare teaches a second public key, the digital signature digitally signing login details and the second public key; and (¶0046-0047: wherein data may include one more public keys the second certificate signed with an electronic signature by second signing entity and including one or more attributes of described entity including the data (second public key)). processing circuitry configured to: receive the digital signature and the second public key from the mobile storage device; (¶0046-0047: wherein data may include one more public keys the second certificate signed with an electronic signature by second signing entity and including one or more attributes of described entity including the data (second public key)) verify the digital signature responsively to the first public key to authenticate the second public key and login data included in the login details; (¶105-106: validating digital certificate includes a method of first entity signing the electronic property using a private key of a public/private key (first public key) corresponding public key or indication of its which can include the public/ private key of the second entity (second public key)). verify additional digital signatures with the second public key responsively to the second public key being authenticated. (¶0112-0118: in an example for verifying multiple digital signature using public/ private key pair (second public key) of the authentication body that can be the second entity). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Dare of second public key to the method of Cha in view of Hwang in order to further protect the system by providing verification public keys for assurance of the digital signature (Dare ¶0029). Cha in view of Hwang and Dare does not disclose: provide access by the human user to an unconnected computing resource of the unconnected processing device responsively to the authenticated login data; and However, Covdy teaches provide access by the human user to an unconnected computing resource of the unconnected processing device responsively to the authenticated login data; and (¶0067:As seen in Figure 3, the encrypted information can be encrypted using a private key by the authentication system 306. Once the client device 302 receives the encrypted information from the authentication system 306, the client device 302 can provide the encrypted information to the instance 304 to obtain access to the instance 304.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Covdy regarding authenticated login data to the method of Cha in view of Hwang and Dare in order to additional layer of security and prevent unauthorized access (Covdy ¶0019 & ¶0376). Claims 21 and 43 are rejected under 35 U.S.C. 103 as being unpatentable over Cha et al. (US PGPub No. 20080046758-A1) in view of Hwang et al. (US PGPub No. 20210160223-A1), Dare et al. (US PGPub No. 20140201519-A1) and Covdy et al. (US PGPub No. 20180302400-A1). With respect to claim 21, the combination of Cha in view of Hwang, Dare, and Covdy teaches the method of claim 20 (see rejection of claim 20 above) but does not disclose wherein the mobile storage device stores a new public key list including the first public key and the second public key, and a version identification of the new public key list, the method further comprising replacing use of an old public key list stored in a memory of the unconnected processing device with the new public key list responsively to the version identification of the new public key list indicating that the new public key list is newer than the old public key list. However, Ahn teaches wherein the mobile storage device stores a new public key list including the first public key and the second public key, and (¶0036: the service device may create a list of public keys used for persistently storing user cluster devices, and the list of public keys is used for storing public keys and identification codes of user cluster devices that have made a request to access the service device). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings Ahn with regards to the public key lists to the method of Cha in view of Hwang, Dare, and Covdy in order to improve authentication efficiency (Ahn: ¶0005-0007 & 0036). Cha in view of Hwang, Dare, Covdy, and Ahn does not disclose: a version identification of the new public key list, the method further comprising replacing use of an old public key list stored in a memory of the unconnected processing device with the new public key list responsively to the version identification of the new public key list indicating that the new public key list is newer than the old public key list. However, Sasselli teaches a version identification of the new public key list, (¶0040: A decoder with version 2 software cannot directly decrypt the signature (H(P))PK5 of the new version 5 because the key available in the list of public keys is that of the version immediately higher, namely the key K3. (identifying a version of public key list)); the method further comprising replacing use of an old public key list stored in a memory of the unconnected processing device with the new public key list responsively to the version identification of the new public key list indicating that the new public key list is newer than the old public key list. (¶0033 &0053: The solution consists in transmitting a data flow containing the patch P for updating the software of the decoder to version 5 signed with the key PK5 to which a plurality of messages M1, M2, M3, M4 are added, each encrypted with a private key PK1, PK2, PK3, PK4 taken from the key list. The RAM memory stores these messages as well as the patch P with its signature (H(P))PK5. The version of the decoder being 2, the updating key of version 1 to 2 is already deactivated by the first update. (wherein the old public key list is rendered useless and is replaced by new public key list)). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings Sasselli with regards identification list and replacing older list with a newer list method of Cha in view of Hwang, Dare, Covdy, and Ahn in order to better adapt to the increasing demands of the user by improving the adaptation to changes in the software environment (Sasselli: ¶0002-0003). With respect to claim 43, the combination of Cha in view of Hwang, Dare, and Covdy teaches the method of claim 42 (see rejection of claim 42 above) but does not disclose wherein: the mobile storage device stores a new public key list including the first public key and the second public key, and a version identification of the new public key list; and the processing circuitry is configured to replace use of an old public key list stored in a memory of the unconnected processing device with the new public key list responsively to the version identification of the new public key list indicating that the new public key list is newer than the old public key list. However, Ahn teaches wherein: the mobile storage device stores a new public key list including the first public key and the second public key, and (¶0036: the service device may create a list of public keys used for persistently storing user cluster devices, and the list of public keys is used for storing public keys and identification codes of user cluster devices that have made a request to access the service device). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings Ahn with regards to the public key lists to the method of Cha in view of Hwang, Dare, and Covdy in order to improve authentication efficiency (Ahn: ¶0005-0007 & 0036). Cha in view of Hwang, Dare, Covdy, and Ahn does not disclose: a version identification of the new public key list; and the processing circuitry is configured to replace use of an old public key list stored in a memory of the unconnected processing device with the new public key list responsively to the version identification of the new public key list indicating that the new public key list is newer than the old public key list. However, Sasselli teaches a version identification of the new public key list; (¶0040: A decoder with version 2 software cannot directly decrypt the signature (H(P))PK5 of the new version 5 because the key available in the list of public keys is that of the version immediately higher, namely the key K3. (identifying a version of public key list)); and the processing circuitry is configured to replace use of an old public key list stored in a memory of the unconnected processing device with the new public key list responsively to the version identification of the new public key list indicating that the new public key list is newer than the old public key list. (¶0033 &0053: The solution consists in transmitting a data flow containing the patch P for updating the software of the decoder to version 5 signed with the key PK5 to which a plurality of messages M1, M2, M3, M4 are added, each encrypted with a private key PK1, PK2, PK3, PK4 taken from the key list. The RAM memory stores these messages as well as the patch P with its signature (H(P))PK5. The version of the decoder being 2, the updating key of version 1 to 2 is already deactivated by the first update. (wherein the old public key list is rendered useless and is replaced by new public key list)). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings Sasselli with regards identification list and replacing older list with a newer list method of Cha in view of Hwang, Dare, Covdy, and Ahn in order to better adapt to the increasing demands of the user by improving the adaptation to changes in the software environment (Sasselli: ¶0002-0003). Claim 46 is rejected under 35 U.S.C. 103 as being unpatentable over Cha et al. (US PGPub No. 20080046758-A1) in view of Holtzman et al. (US PGPub No. 20080010452-A1), Hwang et al. (US PGPub No. 20210160223-A1), Covdy et al. (US PGPub No. 20180302400-A1), and Lim et al. (US PGPub No. 20090044278-A1 ). With respect to claim 46, the combination of Cha in view of Holtzman, Hwang, and Covdy teaches the method of claim 40 (see rejection of claim 40) but does not disclose wherein the mobile storage device comprises a flash disk, a compact disc, a digital versatile disc, or a secure digital disk. However, Lim teaches wherein the mobile storage device comprises a flash disk, a compact disc, a digital versatile disc, or a secure digital disk. ( ¶0020: According to the method of providing DRM content, mobile storage, such as a USB memory stick, which has no security function and has a simple storage function, can be used to transfer DRM content to another external device. Of course, the possibility that mobile storage, such as a Secure Digital (SD) card, which has a security function, can be used is not excluded.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings Lim with regards identification list and replacing older list with a newer list method of Cha in view of Hwang, Holtzman, and Covdy in order to provide to transmit content through a widely distributed and inexpensive means while being protected (Lim : ¶0006 & ¶0020). Claim 47 is rejected under 35 U.S.C. 103 as being unpatentable over Cha et al. (US PGPub No. 20080046758-A1) in view of Hwang et al. (US PGPub No. 20210160223-A1), Dare et al. (US PGPub No. 20140201519-A1), Covdy et al. (US PGPub No. 20180302400-A1), and Lim et al. (US PGPub No. 20090044278-A1 ). With respect to claim 47, Cha in view of Hwang, Dare, and Covdy teaches the method claim 42 (see rejection of claim 42 above) but does not disclose wherein the mobile storage device comprises a flash disk, a compact disc, a digital versatile disc, or a secure digital disk. However, Lim teaches wherein the mobile storage device comprises a flash disk, a compact disc, a digital versatile disc, or a secure digital disk. ( ¶0020: According to the method of providing DRM content, mobile storage, such as a USB memory stick, which has no security function and has a simple storage function, can be used to transfer DRM content to another external device. Of course, the possibility that mobile storage, such as a Secure Digital (SD) card, which has a security function, can be used is not excluded.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings Lim with regards identification list and replacing older list with a newer list method of Cha in view of Hwang, Dare, and Covdy in order to provide to transmit content through a widely distributed and inexpensive means while being protected (Lim : ¶0006 & ¶0020). Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to TAYLOR P VU whose telephone number is (703)756-1218. The examiner can normally be reached MON - FRI (7:30 - 5:00). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor can be reached at (571) 270-5143. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /T.P.V./ Examiner, Art Unit 2437 /MENG LI/ Primary Examiner, Art Unit 2437
Read full office action

Prosecution Timeline

Show 4 earlier events
Dec 16, 2024
Response Filed
Feb 26, 2025
Final Rejection mailed — §103
May 27, 2025
Response after Non-Final Action
Jun 05, 2025
Request for Continued Examination
Jun 12, 2025
Response after Non-Final Action
Sep 30, 2025
Non-Final Rejection mailed — §103
Feb 06, 2026
Response Filed
Jul 01, 2026
Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12652530
SECURE TRANSACTION USING POINT-OF-USER-INTERACTION APPARATUS AND METHOD THEREOF
3y 11m to grant Granted Jun 09, 2026
Patent 12652301
MULTI-PROCESS SHARED-MEMORY MESSAGE COMMUNICATION
3y 4m to grant Granted Jun 09, 2026
Patent 12639425
THWARTING CONTROL PLANE ATTACKS WITH DISPLACED AND DILATED ADDRESS SPACES
4y 3m to grant Granted May 26, 2026
Patent 12632540
SECURITY DEFENDING METHOD AND ELECTRONIC APPARATUS
3y 4m to grant Granted May 19, 2026
Patent 12619737
A METHOD AND SYSTEM FOR SECURITY RISK IDENTIFICATION AND CONTROLLING RELEASE MANAGEMENT OF SOFTWARE APPLICATION WITH VULNERABLE CODES
2y 11m to grant Granted May 05, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

6-7
Expected OA Rounds
71%
Grant Probability
87%
With Interview (+16.2%)
3y 3m (~0m remaining)
Median Time to Grant
High
PTA Risk
Based on 31 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month