DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Election/Restrictions
Claims 4-8 are directed to a non-elected invention. Applicant has not complied with the requirement for restriction (37 CFR 1.142). The claim was withdrawn from further consideration by the election, subject to reinstatement only in the event the requirement for restriction is withdrawn or overruled. See MPEP § 821.03. Therefore, the amendment to claims 4-8 is not entered. Applicant may pursue the non-elected claims in a divisional application (35 U.S.C. 121) or by filing a petition to traverse the restriction (37 CFR 1.144)
Response to Arguments
On pg. 9, par. 4 of Applicant’s Response, applicant argues that S3-180769 does not disclose transmission of both subscription identifier (~SUCI) and its characteristic (~SUPI) to verification node or verification node binding the received SUPI and SUCI.
Examiner respectfully disagrees with applicant’s argument.
The argued limitation of claim 1 states, “a Verification node (~UDM/ARPF) that receives from the Device Management node (~AUSF) the subscription identifier (~SUCI) and a characteristic of the device (~SUPI)”, wherein the limitation does not require transmission of both SUCI (~subscription identifier) and characteristic (~SUPI) (at the same time), but just one at a time.
In S3-180769 Fig. 6.1.2-1, UDM/ARPF (~Verification node) receives from AUSF (~Device Management node) the subscription identifier (~SUCI)) and a characteristic of the device (Fig. 6.1.2-1, UDM/ARPF (~Verification node) receives from AUSF (~Device Management node) a characteristic of the device (~SUPI (~subscription permanent identifier) - see par. 27 of applicant’s published disclosure defining SUPI as characteristic of a device)).
Par. 27 of Applicant’s published disclosure states, “Two categories of device characteristic are proposed in the present disclosure: behavioural characteristics and permanent identities (~SUPI)”, wherein SUPI is characteristic of a device.
Nevertheless, in Fig. 6.1.2-1, UDM/ARPF (~Verification node) receives from AUSF (~Device Management node) both SUCI and SUPI, since the receiving SUCI contains the SUPI in an encrypted format (see Sect. 6.1.2 stating SUCI is generated with input of SUPI and R).
S3-180769 states, “UE has input SUPI and R into the SUCI generation”, wherein SUCI contains SUPI, wherein SUCI contains SUPI.
On pg. 9, par. 5 of Applicant’s Response, applicant argues that S3-180769 discloses that the SEAF (~core network node) transmits SUCI (~subscription identifier) to AUSF (~Device management node), which in turn transmits the SUCI to UDM/ARPF (~verification node). The diagram 6.1.2-1 clearly describes transmission of SUCI or SUPI in N2 message from SEAF to AUSF, but not both.
Examiner respectfully disagrees with applicant’s argument.
The argued limitation of claim 1 states, “a Verification node (~UDM/ARPF) that receives from the Device Management node (~AUSF) the subscription identifier (~SUCI) and a characteristic of the device (~SUPI)”, wherein the limitation does not require SUCI and SUPI transmission from SEAF to AUSF (in claim 1, transmission of SUCI and SUPI from AUSF to UDM/ARPF only) and does not require transmission of both SUCI (~subscription identifier) and characteristic (~SUPI) (at the same time), but just one at a time.
Nevertheless, in S3-180769 Fig. 6.1.2-1, AUSF (~Device Management node) receives from SEAF (~Core Network node) the subscription identifier (~SUCI)) and a characteristic of the device (Fig. 6.1.2-1, receives from SEAF (~Core Network node) a characteristic of the device (~SUPI (~subscription permanent identifier) - see par. 27 of applicant’s published disclosure defining SUPI as characteristic of a device)).
Par. 27 of Applicant’s published disclosure states, “Two categories of device characteristic are proposed in the present disclosure: behavioural characteristics and permanent identities (~SUPI)”.
Furthermore, in Fig. 6.1.2-1, AUSF (~Device Management node) from SEAF (~Core Network node) both SUCI and SUPI, since the receiving SUCI contains the SUPI in an encrypted format (see Sect. 6.1.2 stating SUCI is generated with input of SUPI and R).
S3-180769 states, “UE has input SUPI and R into the SUCI generation”, wherein SUCI contains SUPI.
On pg. 9, par. 5 of Applicant’s Response, applicant argues that the UDM/ARPF extracts SUPI (~Characteristic) from SUCI, which indicates that the SUPI is already bound to SUCI and SUPI is not initially provided to UDM/ARPF, whereas the present invention discloses that both SUCI and SUPI (~Characteristic) are provided by core network node to device management node and then to verification node, which binds the SUCI to the SUPI opposite to extracting SUPI from SUCI.
Examiner respectfully disagrees with applicant’s argument.
In Fig. 6.1.2-1 of S3-180769, SUCI containing SUPI (see Sect. 6.1.2, “UE has input SUPI and R into the SUCI generation”) is transmitted from SEAF (~Core Network node) to AUSF (~Device Management node) and from AUSF (~Device Management node) to UDM/ARPF (~Verification node).
SUCI and SUPI are binded when UDM/ARPF successfully decrypts (~de-conceals) the SUCI to reveal the original SUPI (S3-180769 Sect. 6.1.2, “UDM/SIDF shall be invoked if a SUCI is received. SIDF (~Subscription Identifier De-concealing Function), as offered as a service by UDM, shall de-conceal SUCI to gain SUPI and R, both input parameters of SUCI generation”).
The successful decryption and verification process in the UDM/ARPF effectively binds the temporary, concealed SUCI to the permanent SUPI in the network's internal database. The network then uses this mapping to manage the subscriber's session and issues a temporary identifier, the 5G Globally Unique Temporary UE Identity (5G-GUTI), for all subsequent communications.
Furthermore, sect. 6.1.3.2 of S3-180769 states, “If SUCI was provided in the Auth-info Req message, the UDM/ARPF generates a verification hash VH* from SUCI, SUPI, and R as input parameters, the latter two are retrieved from SUCI”, wherein SUCI is binded with SUPI.
On pg. 9, par. 5 of Applicant’s Response, applicant argues that accordingly, Applicant submits that S3-180769 failed to disclose or suggest at least, for example, the feature of "a Verification node that receives from the Device Management node the subscription identifier and a characteristic of the device, and to bind the subscription identifier to the characteristic such that the subscription identifier is uniquely associated with the characteristic" as recited in amended independent Claim 1.
Examiner respectfully disagrees with applicant’s argument.
S3-180769 teaches
a Verification node that receives from the Device Management node the subscription identifier (S3-180769 Fig. 6.1.2-1, UDM/ARPF (~Verification node) receives from AUSF (~Device Management node) the subscription identifier (~SUCI)); and
a characteristic of the device (Fig. 6.1.2-1, UDM/ARPF (~Verification node) receives from AUSF (~Device Management node) a characteristic of the device (~SUPI (~subscription permanent identifier) or UDM/ARPF (~Verification node) receives from AUSF (~Device Management node) a characteristic of the device (~SUPI (~subscription permanent identifier) contained in the subscription identifier (~SUCI) - see par. 27 of applicant’s published disclosure defining SUPI as characteristic of a device)), and
to bind the subscription identifier to the characteristic such that the subscription identifier is uniquely associated with the characteristic (In Fig. 6.1.2-1, SUCI containing SUPI (see Sect. 6.1.2, “UE has input SUPI and R into the SUCI generation”) is transmitted from SEAF (~Core Network node) to AUSF (~Device Management node) and from AUSF (~Device Management node) to UDM/ARPF (~Verification node). SUCI and SUPI are binded when UDM/ARPF successfully decrypts (~de-conceals) the SUCI to reveal the original SUPI (~Sect. 6.1.2, “UDM/SIDF shall be invoked if a SUCI is received. SIDF (~Subscription Identifier De-concealing Function), as offered as a service by UDM, shall de-conceal SUCI to gain SUPI and R, both input parameters of SUCI generation”). The successful decryption and verification process in the UDM/ARPF effectively binds the temporary, concealed SUCI to the permanent SUPI in the network's internal database. The network then uses this mapping to manage the subscriber's session and issues a temporary identifier, the 5G Globally Unique Temporary UE Identity (5G-GUTI), for all subsequent communications; sect. 6.1.3.2 of S3-180769 states, “If SUCI was provided in the Auth-info Req message, the UDM/ARPF generates a verification hash VH* from SUCI, SUPI, and R as input parameters, the latter two are retrieved from SUCI”, wherein SUCI is binded with SUPI).
Claim Rejections - 35 USC § 103
7. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
8. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
9. Claims 1-3 are rejected under 35 U.S.C. 103 as being unpatentable over S3-180769 (" SUCI and LI - Verification hash Integrated in 5G AKA", 3GPP TSG SA WG3 (Security) Meeting #90Bis 26 February - 2 March 2018, San Diego (US), pub. date 26 February 2018) in view of Jerichow (US 2019/0149521 A1).
Regarding claim 1, S3-180769 teaches a system for managing a communication network subscription identifier associated with a device, the system comprising (Fig. 6.1.2-1, managing SUCI (~communication network subscription identifier associated with UE (~device))):
a Core Network node that provides a subscription identifier for the device to a Device Management node with management responsibility for the device (Fig. 6.1.2-1, SEAF (~Core Network node) provides SUCI (~subscription identifier for the device) to AUSF (~Device Management node));
a Verification node that receives from the Device Management node the subscription identifier (Fig. 6.1.2-1, UDM/ARPF (~Verification node) configured to receive from AUSF (~Device Management node) the SUCI (~subscription identifier)) and a characteristic of the device (Fig. 6.1.2-1, UDM/ARPF (~Verification node) receives from AUSF (~Device Management node) a characteristic of the device (~SUPI (~subscription permanent identifier) or UDM/ARPF (~Verification node) receives from AUSF (~Device Management node) a characteristic of the device (~SUPI (~subscription permanent identifier) contained in the subscription identifier (~SUCI) - see par. 27 of applicant’s published disclosure defining SUPI as characteristic of a device); par. 27 of Applicant’s published disclosure states, “Two categories of device characteristic are proposed in the present disclosure: behavioural characteristics and permanent identities (~SUPI), and
to bind the subscription identifier to the characteristic such that the subscription identifier is uniquely associated with the characteristic (SUCI (~subscription identifier) is bound to SUPI (~characteristic) since the SUCI (~subscription identifier) contains the SUPI (~characteristic) in an encrypted form; sect. 6.1.3.2, “If SUCI (~subscription identifier) is used, the UDM/ARPF does this by first extracting (or de-concealing) the SUPI (~characteristic) and R from the SUCI (~subscription identifier)”, wherein the SUCI (~subscription identifier) is bounded to the SUPI (~characteristic); Sect. 6.1.2, “UE has input SUPI and R into the SUCI generation”) is transmitted from SEAF (~Core Network node) to AUSF (~Device Management node) and from AUSF (~Device Management node) to UDM/ARPF (~Verification node). SUCI and SUPI are binded when UDM/ARPF successfully decrypts (~de-conceals) the SUCI to reveal the original SUPI (~Sect. 6.1.2, “UDM/SIDF shall be invoked if a SUCI is received. SIDF (~Subscription Identifier De-concealing Function), as offered as a service by UDM, shall de-conceal SUCI to gain SUPI and R, both input parameters of SUCI generation”). The successful decryption and verification process in the UDM/ARPF effectively binds the temporary, concealed SUCI to the permanent SUPI in the network's internal database. The network then uses this mapping to manage the subscriber's session and issues a temporary identifier, the 5G Globally Unique Temporary UE Identity (5G-GUTI), for all subsequent communications; sect. 6.1.3.2 of S3-180769 states, “If SUCI was provided in the Auth-info Req message, the UDM/ARPF generates a verification hash VH* from SUCI, SUPI, and R as input parameters, the latter two are retrieved from SUCI”, wherein SUCI is binded with SUPI)); and
a Network Access node that obtains the subscription identifier from the device (Fig. 6.1.2-1, SEAF obtains SUCI (~subscription identifier) from UE (~device) via a base station (~network access node) and thus, the base station (~network access node) obtains the SUCI (subscription identifier) from the UE (~device));
wherein the Verification node, Network Access node, and Core Network node verify that the device from which the Network Access node obtained the subscription identifier is in possession of the characteristic that is bound to the subscription identifier (Fig. 6.1.3.2-1, UDM/ARPF (~Verification node), a base station (~Network Access node) and SEAF (~Core Network node) cooperates to verify that UE (~device) from which a base station (~Network Access node) obtained SUCI (~subscription identifier) is in possession of the characteristic (~SUPI) that is bound to the subscription identifier (~SUCI); VH and VH’ are compared to verify that SUPI (~characteristic that is bound to the SUCI (~subscription identifier)) is the same as the SUPI (~characteristic that is in the possession of the UE (~device); sect. 6.1.3.2, “SEAF … calculate a VH' = hash(SUCI, SUPI, R) itself, and compare the outcome with VH as received from UE. If there is a mismatch between the reported VH (~cryptographic calculation) from UE and the VH’ calculation (~cryptographic calculation) by the serving network, the SEAF shall reject the UE. NOTE1: The verification hash VH for SUPI identity proof was introduced for the attacking scenario, that UE works as specified and has no functional additions while the HPLMN UDM may be assumed to be cheating. Thus, the underlying assumption of the verification hash solution is that the UE is not cheating or cooperating in cheating with the UDM. Without this assumption, any proprietary application layer scheme between the UE and the UDM, with the aim of lying to the AMF/SEAF about the true SUPI, could be realized, even without SUPI concealment. This would have been possible in EPS already. If the verification hash comparison and the authentication was successful, the SUPI is stored by the SEAF”).
To further clarify that the gNB (~Network Access node) is present for communications between the UE (~device) and the SEAF (~Core Network node), Jerichow is combined with S3-180769 wherein Jerichow teaches a gNB (~Network Access node) present as an intermediary between a UE (~device) and a SEAF (Fig. 1, gNB 104 (~Network Access node) is an intermediary node between UE (~device) 102 and SEAF (~Core Network node) 106).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Jerichow with the teaching of S3-180769 in order to provide an initial point of connection for the UE to the core network via a radio interface that allows the UE to connect to the core network by transmitting and receiving data such as authentication requests and responses between the UE and the core network.
Regarding claim 2, S3-180769 in view of Jerichow teaches the system as claimed in claim 1,
wherein the Verification node, Network Access node, and Core Network node verify that the device from which the Network Access node obtained the subscription identifier is in possession of the characteristic that is bound to the subscription identifier (S3-180769 Fig. 6.1.3.2-1, UDM/ARPF (~Verification node), a base station (~Network Access node) and SEAF (~Core Network node) cooperates to verify that UE (~device) from which a base station (~Network Access node) obtained SUCI (~subscription identifier) is in possession of the characteristic (~SUPI) that is bound to the subscription identifier (~SUCI); VH and VH’ are compared to verify that SUPI (~characteristic that is bound to the SUCI (~subscription identifier)) is the same as the SUPI (~characteristic that is in the possession of the UE (~device); sect. 6.1.3.2, “SEAF … calculate a VH' = hash(SUCI, SUPI, R) itself, and compare the outcome with VH as received from UE. If there is a mismatch between the reported VH (~cryptographic calculation) from UE and the VH’ calculation (~cryptographic calculation) by the serving network, the SEAF shall reject the UE. NOTE1: The verification hash VH for SUPI identity proof was introduced for the attacking scenario, that UE works as specified and has no functional additions while the HPLMN UDM may be assumed to be cheating. Thus, the underlying assumption of the verification hash solution is that the UE is not cheating or cooperating in cheating with the UDM. Without this assumption, any proprietary application layer scheme between the UE and the UDM, with the aim of lying to the AMF/SEAF about the true SUPI, could be realized, even without SUPI concealment. This would have been possible in EPS already. If the verification hash comparison and the authentication was successful, the SUPI is stored by the SEAF”) by performing at least one of:
obtaining an observed characteristic of the device and comparing the observed characteristic to the characteristic that is bound to the subscription identifier; or
performing a cryptographic calculation using the characteristic that is bound to the subscription identifier (S3-180769 Fig. 6.1.3.2-1 sect. 6.1.3.2, “14. If the authentication was successful, the SEAF does know the SUPI, shall calculate a VH' = hash(SUCI (~subscription identifier), SUPI (~characteristic that is bound to the SUCI (~subscription identifier)), R)”), causing the device to perform a corresponding cryptographic calculation using a characteristic in its possession (sect. 6.1.3.2, “and compare the outcome with VH as received from UE … The verification hash VH for SUPI (~characteristic) identity proof (in its possession) was introduced for the attacking scenario, that UE works as specified and has no functional additions while the HPLMN UDM may be assumed to be cheating”), and
using the results of the cryptographic calculations to verify that the characteristic that is bound to the subscription identifier is the same as the characteristic that is in the possession of the device (S3-180769 VH (~cryptographic calculation) and VH’ (~cryptographic calculation) are compared to verify that SUPI (~characteristic that is bound to the SUCI (~subscription identifier)) is the same as the SUPI (~characteristic that is in the possession of the UE (~device); Fig. 6.1.3.2-1 sect. 6.1.3.2, “14. If the authentication was successful, the SEAF does know the SUPI, shall calculate a VH' = hash(SUCI, SUPI, R) (~performing a cryptographic calculation using the characteristic (~SUPI) that is bound to the subscription identifier (~SUCI)) itself, and compare the outcome with VH as received from UE. If there is a mismatch between the reported VH from UE and the VH’ calculation by the serving network, the SEAF shall reject the UE”).
To further clarify that the gNB (~Network Access node) is present for communications between the UE (~device) and the SEAF (~Core Network node), Jerichow is combined with S3-180769 wherein Jerichow further teaches a gNB (~Network Access node) present as an intermediary between a UE (~device) and a SEAF (Fig. 1, gNB 104 (~Network Access node) is an intermediary node between UE (~device) 102 and SEAF (~Core Network node) 106).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Jerichow with the teaching of S3-180769 as modified by Jerichow in order to provide an initial point of connection for the UE to the core network via a radio interface that allows the UE to connect to the core network by transmitting and receiving data such as authentication requests and responses between the UE and the core network.
Regarding claim 3, S3-180769 in view of Jerichow teaches the system as claimed in claim 2,
wherein the Verification node, Network Access node, and Core Network node perform a cryptographic calculation using the characteristic that is bound to the subscription identifier (S3-180769 Fig. 6.1.3.2-1, UDM/ARPF (~Verification node), base station (~network access node) and SEAF (~Core Network node) are configured to perform a cryptographic calculation (~ VH, VH’) using the characteristic (~SUPI) that is bound to the subscription identifier (~SUCI); sect. 6.1.3.2, “VH' = hash(SUCI (~subscription identifier), SUPI (~characteristic that is bound to the SUCI (~subscription identifier)), R)”),
cause the device to perform a corresponding cryptographic calculation using a characteristic in its possession (S3-180769 sect. 6.1.3.2, “and compare the outcome with VH as received from UE … The verification hash VH for SUPI (~characteristic) identity proof (in its possession) was introduced for the attacking scenario, that UE works as specified and has no functional additions while the HPLMN UDM may be assumed to be cheating”), and
use the results of the cryptographic calculations to verify that the characteristic that is bound to the subscription identifier is the same as the characteristic that is in the possession of the device during a network authentication procedure for the device (S3-180769 VH and VH’ are compared to verify that SUPI (~characteristic that is bound to the SUCI (~subscription identifier)) is the same as the SUPI (~characteristic that is in the possession of the UE (~device) during a network authentication procedure for the device; sect. 6.1.3.2, “SEAF … calculate a VH' = hash(SUCI, SUPI, R) itself, and compare the outcome with VH as received from UE. If there is a mismatch between the reported VH (~cryptographic calculation) from UE and the VH’ calculation (~cryptographic calculation) by the serving network, the SEAF shall reject the UE. NOTE1: The verification hash VH for SUPI identity proof was introduced for the attacking scenario, that UE works as specified and has no functional additions while the HPLMN UDM may be assumed to be cheating. Thus, the underlying assumption of the verification hash solution is that the UE is not cheating or cooperating in cheating with the UDM. Without this assumption, any proprietary application layer scheme between the UE and the UDM, with the aim of lying to the AMF/SEAF about the true SUPI, could be realized, even without SUPI concealment. This would have been possible in EPS already. If the verification hash comparison and the authentication was successful, the SUPI is stored by the SEAF”).
To further clarify that the gNB (~Network Access node) is present for communications between the UE (~device) and the SEAF (~Core Network node), Jerichow is combined with S3-180769 wherein Jerichow further teaches a gNB (~Network Access node) present as an intermediary between a UE (~device) and a SEAF (Fig. 1, gNB 104 (~Network Access node) is an intermediary node between UE (~device) 102 and SEAF (~Core Network node) 106).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Jerichow with the teaching of S3-180769 as modified by Jerichow in order to provide an initial point of connection for the UE to the core network via a radio interface that allows the UE to connect to the core network by transmitting and receiving data such as authentication requests and responses between the UE and the core network.
Conclusion
10. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALEXANDER J. YI whose telephone number is (571)270-7696. The examiner can normally be reached Monday thru Friday: 8:00AM to 5PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jinsong Hu can be reached at (571)272-3965. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ALEXANDER J YI/Examiner, Art Unit 2643
/JINSONG HU/ Supervisory Patent Examiner, Art Unit 2643
Prosecution Insights