DETAILED ACTION
This is office action on the merits in response to the application filed on 10/30/2025.
Claims 1-28 have been filed by the applicant.
Claims 13-20 were previously canceled.
Claims 1, 3, 5, 8, 23, 26 are currently amended.
Claims 1-12, 21-28 are currently pending and have been examined.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Examiner note
The claims recites various “modules” and “signing service”. Although some of the “modules” are not interpreted under 112(f), all of the “modules” and “signing service” are interpreted as software. Therefore, any prior art that disclosing a single or combination of multiple hardware capable of doing the recited functions teaches these “modules” and “signing service” without having to discloses the exact same “modules” and “signing service”.
Response to Argument
112(f):
The applicant argues that claims 1, 3, 4 and 11 do not recite means plus function limitations because the claims do not recite “means for” or “step for”. The examiner respectfully disagrees. The claims do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.
112(b):
The examiner agrees that the amendment overcomes previous 112(b) rejection.
Rejection under 103:
The applicant argues that the cited prior arts do not teach the amendment. The examiner respectfully disagrees. The amendment recites “signing service having a hardware security module that signing transaction”. McCauley teaches signing transaction using key [0022-0023].
Cignetti further discloses tearing down isolated environment and deleting, wiping or removing the bastion system, virtual network or HSM [Col 4:62-Col 5:14]. Therefore, Cignetti further teaches deprovisioning the signing service. Cignetti further discloses terminating connection the bastion system and HSM after completing request [Col15: 34-43]. Therefore, Cignetti teaches the amended feature of “creating and discarding second connection between offline output bridge module and online module”.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are:
Claim 1: converting, using the disconnected vault module.
Claim 1: signing, using the signing service
Claims 3 and 10: confirmation module that operates…to verify.
Claims 4 and 11: online module is a final review module, where the final review module operates…to verify.
Claim 8: sign, using the signing service
Claim 26: online confirmation module that operates … to verify.
Claim 27: online confirmation module that operates … to verify.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claim 26 rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 26 recites “discarding the output bridge module”. As stated above, “modules” are interpreted as software, and in light of the first “discarding” step, it is not clear whether:
the output bridge module (software) is discarded, or
a connection to the output bridge module is discarded.
In addition, on situation a), it is not clear how the software is discarded.
On situation b), it is not clear when the connection is discarded and which connection is discarded (i.e., to offline output bridge module OR online module).
For the purpose of examination, the examiner interpreted the limitation as discarding connection between output bridge module and offline output bridge module.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claim(s) 1-2, 5, 7-9, 12, 21-22 and 24-25 is/are rejected under 35 U.S.C. 103 as being unpatentable over Cignetti et al. (US 10693638 B1), and further in view of Patil et al. (US 20200226332 A1) and McCauley et al. (US 20190266576 A1) and Cheng al. (US 20180367316 A1).
With respect to claim 1 and 8:
Cignetti teaches (in italic):
receiving, at an input bridge module, a [transaction] order and a corresponding cryptogram via a […] connection; […] transferring, from the […] input bridge module to a disconnected vault module, the [transaction] order and the cryptogram. (the computing resource service provider creates an isolated network environment that includes a bastion computer system connected to an HSM. At block 804, the bastion computer system receives the request to perform a cryptographic operation, and identifies the cryptographic key associated with the request. [Col2: 20-25, Col 13:50-52])
transferring the unsigned [transaction] and cryptogram to an offline signing service having a hardware security module. (At block 808, the bastion computer system provides the protected version of the cryptographic key along with the request to the HSM. the HSM performs the requested cryptographic operation. [Col13:57-59, Col14:25-29])
unwrapping, using the hardware security module, a [seed] from the cryptogram. (The HSM decrypts the protected version of the cryptographic key using the administrator key to remove a layer of decryption from the protected version of the cryptographic key [Col14:2-5])
generating, using the hardware security module and the [seed], a key for signing the [transaction]. (The HSM receives the request to create a new sensitive cryptographic key, and receives 705 the service provider key from a service controlled by the computing service provider. The HSM generates 706 a new sensitive cryptographic key in accordance with any parameters provided with the request. [Col12:5-11])
transferring the signed [transaction] to an offline output bridge module. (the HSM performs the requested cryptographic operation. The results of the cryptographic operation are returned to the key administrator via the bastion computer system over a protected communication channel [Col14:25-29])
deprovisioning the offline signing service in response to the transaction being signed. (After the cryptographic operations using the sensitive key 114 are complete, the computing resource service provider tears down the isolated environment. the HSM 110 is removed from the isolated environment 102. The bastion computer system 108 is wiped, and if the bastion computer system 108 is implemented as a virtual computer system, the virtual computer system is deleted. After the bastion computer system 108 is wiped, the isolated environment 102 is deconstructed. If the isolated environment 102 is a virtual network, the virtual network is deleted. [Col 4:62-Col 5:14])
creating a second connection between the offline output bridge module and an online module. (Connections between the administrator and the bastion computer system or HSM are terminated 912. In some implementations, the ceremony environment manager terminates the connections between the administrator and the bastion computer system, and provides a confirmation that the information contained in the isolated network environment has been destroyed. At block 914, the isolated network environment is deconstructed. In some implementations, the isolated network environment is a virtual network which is deleted [Col15: 34-43])
transferring the signed [transaction] from the output bridge module to the online module using the second connection. (At block 824, the bastion computer system relays the results of the cryptographic operation to the key administrator, and the key administrator receives 826 the results of the cryptographic operation on an administrative console [Col14:29-33])
discarding the second connection in response to the transfer of the signed [transaction] and the cryptogram from the output bridge module. (Connections between the administrator and the bastion computer system or HSM are terminated 912. In some implementations, the ceremony environment manager terminates the connections between the administrator and the bastion computer system, and provides a confirmation that the information contained in the isolated network environment has been destroyed. At block 914, the isolated network environment is deconstructed. In some implementations, the isolated network environment is a virtual network which is deleted [Col15: 34-43])
Cignetti does not explicitly teach the following limitations. However,
Patil teaches:
transaction; converting, using the disconnected vault module, the transaction order to an unsigned transaction. (In a step 1020, the integration server forwards this transaction to a control center. Next in a step 1030, the control center validates the transaction by ensuring that it is authorized by the owner. In a step 1040, a command containing instructions to be executed on the HSMs is sent back to the integration server. [0037])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system as disclosed by Cignetti to convert transaction order to unsigned transaction with the technique as disclosed by Patil to provide command for HSM to execute transaction as Patil suggested.
Cignetti in view of Patil does not explicitly teach the following limitations. However,
McCauley teaches (in italic):
a temporary connection; discarding the temporary connection to the input bridge module in response to receipt of the transaction order […] at the input bridge module for causing the input bridge module to be offline. (The relay server 3 functions as a virtual air gap to isolate the HSM 5 from the public computer network 9. The relay server 3 disconnects itself from the secure network while communicating with the online server 1, and disconnects itself from all external networks while communicating with the HSM 5, such that no interactive sessions with those devices can be established from the outside. This provides virtual “air gap” security to critical infrastructure. [0019])
after the temporary connection is discarded, transferring […]. (The relay server 3 functions as a virtual air gap to isolate the HSM 5 from the public computer network 9. The relay server 3 disconnects itself from the secure network while communicating with the online server 1, and disconnects itself from all external networks while communicating with the HSM 5, such that no interactive sessions with those devices can be established from the outside. This provides virtual “air gap” security to critical infrastructure. Once initiated, the request for a blockchain deposit address is then sent to the online server 2, which receives the request (step 201) and forwards it (step 202) via the relay server 3 to the HSM 5 (which as noted above is isolated from the Internet by the relay server 3). [0019 0022])
signing, […], the unsigned transaction using the key thereby creating a signed transaction. (The HSM 5 then signs (step 205) the blockchain address with the Organization's private key and returns the signed blockchain address to the online server 2. [0022-0023])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system as disclosed by Cignetti in view of Patil to establish temporary connection and discard afterward with the technique as disclosed by McCauley to provide air-gaped security as McCauley suggested.
Cignetti in view of Patil and McCauley does not explicitly teach a seed. However,
Cheng teaches a seed. (PCI-e HSM may unwrap (e.g., decrypt) the wrapped seed share two with the unwrapping key RSAPriv back to its original byte materials. Proper attribute settings for the unwrapped seed share two may be set. At 107, a method such as Shamir's Secret Sharing may be utilized (e.g., via a SFTS module) to recover the master private key (e.g., from seed share one and seed share two) for BIP-32 hierarchical deterministic key derivation (e.g., via the SFTS module). At 108, the transaction may be signed using the BIP-32 derived private key (e.g., via the SFTS module). [0080])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system as disclosed by Cignetti in view of Patil and McCauley to utilizing a seed for key generation with the technique as disclosed by Cheng to improves security as Cheng suggested [0072].
Claim 8, a computer product with the same scope as claim 1, is rejected.
With respect to claim 2 and 9:
Patil further teaches wherein the transaction order is verified prior to moving the transaction order to the input bridge module, wherein the input bridge module receives the verified transaction order from a verification module […]. (Next in a step 1030, the control center validates the transaction by ensuring that it is authorized by the owner. In a step 1040, a command containing instructions to be executed on the HSMs is sent back to the integration server. [0037])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system to convert transaction order to unsigned transaction with the technique as disclosed by Patil to ensure data authentication as Patil suggested [0037].
McCauley further teaches the temporary connection. (The relay server 3 functions as a virtual air gap to isolate the HSM 5 from the public computer network 9. The relay server 3 disconnects itself from the secure network while communicating with the online server 1, and disconnects itself from all external networks while communicating with the HSM 5, such that no interactive sessions with those devices can be established from the outside. This provides virtual “air gap” security to critical infrastructure. [0019])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system to establish temporary connection and discard afterward with the technique as disclosed by McCauley to provide air-gaped security as McCauley suggested.
Claim 9, a computer product with the same scope as claim 2, is rejected.
With respect to claim 5 and 12:
Cignetti further teaches wherein the disconnected vault module is a stateless single use offline module with a temporary trusted execution environment. (After the cryptographic operations using the sensitive key 114 are complete, the computing resource service provider tears down the isolated environment. the HSM 110 is removed from the isolated environment 102. The bastion computer system 108 is wiped, and if the bastion computer system 108 is implemented as a virtual computer system, the virtual computer system is deleted. After the bastion computer system 108 is wiped, the isolated environment 102 is deconstructed. If the isolated environment 102 is a virtual network, the virtual network is deleted. [Col 4:62-Col 5:14])
McCauley further teaches wherein the temporary connection is a single use, unidirectional temporary connection that is discarded in response to the transaction order and the cryptogram being transferred to the input bridge module and prior to the transferring of the unsigned transaction and cryptogram to the offline hardware security module; and wherein the signed transaction is transferred from the output bridge module to the online module via a single use, unidirectional temporary connection that is discarded in response to the transaction being transferred to the online module. (The relay server 3 functions as a virtual air gap to isolate the HSM 5 from the public computer network 9. The relay server 3 disconnects itself from the secure network while communicating with the online server 1, and disconnects itself from all external networks while communicating with the HSM 5, such that no interactive sessions with those devices can be established from the outside. This provides virtual “air gap” security to critical infrastructure. [0019])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system to establish temporary connection and discard afterward with the technique as disclosed by McCauley to provide air-gaped security as McCauley suggested.
Claim 12, a computer product with the same scope as claim 5, is rejected.
With respect to claim 7:
Cignetti further teaches a system, comprising: a processor; and logic integrated with the processor, executable by the processor, or integrated with and executable by the processor, the logic being configured to perform the method of claim 1. (the computing resource service provider creates an isolated network environment that includes a bastion computer system connected to an HSM [Col 2:18-44, Fig. 4])
With respect to claim 21:
Cheng further teaches wherein the seed is a blockchain seed. (In one additional embodiment, the SFTSP includes Deterministic Derivation of Cryptocurrency Signing Keys with Split Master Seed and Enforcement of M-of-N Authentication Policy. This supports the SFTSP with innovations in Bitcoin and Blockchain, new service and product offerings in cryptocurrency. [0070])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system a to utilizing a blockchain seed for key generation with the technique as disclosed by Cheng to improves security as Cheng suggested [0072].
With respect to claim 22:
McCauley further teaches wherein the temporary connection is a single use, unidirectional communications link that is destroyed immediately after the transfer of the transaction order and the cryptogram to the input bridge module. (The relay server 3 functions as a virtual air gap to isolate the HSM 5 from the public computer network 9. The relay server 3 disconnects itself from the secure network while communicating with the online server 1, and disconnects itself from all external networks while communicating with the HSM 5, such that no interactive sessions with those devices can be established from the outside. This provides virtual “air gap” security to critical infrastructure. [0019])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system to establish temporary connection and discard afterward with the technique as disclosed by McCauley to provide air-gaped security as McCauley suggested.
With respect to claim 24:
McCauley further teaches
wherein the input bridge module receives the transaction order and the cryptogram from an online confirmation module, and comprising discarding the confirmation module after transfer of the transaction order to the input bridge module. (The relay server 3 functions as a virtual air gap to isolate the HSM 5 from the public computer network 9. The relay server 3 disconnects itself from the secure network while communicating with the online server 1, and disconnects itself from all external networks while communicating with the HSM 5, such that no interactive sessions with those devices can be established from the outside. This provides virtual “air gap” security to critical infrastructure. [0019])
wherein the transaction request and the cryptogram are only present in one or more of the modules that are offline after discarding the confirmation module and discarding the temporary connection. (The private key for that cryptoasset is stored only in the HSM, which does not permit the key to be read by any entity outside the HSM. [0017])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system to establish temporary connection and discard afterward with the technique as disclosed by McCauley to provide air-gaped security as McCauley suggested.
With respect to claim 25:
McCauley further teaches comprising discarding the input bridge module in response to the transfer of the transaction order and the cryptogram therefrom. (The relay server 3 functions as a virtual air gap to isolate the HSM 5 from the public computer network 9. The relay server 3 disconnects itself from the secure network while communicating with the online server 1, and disconnects itself from all external networks while communicating with the HSM 5, such that no interactive sessions with those devices can be established from the outside. This provides virtual “air gap” security to critical infrastructure. [0019])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system to establish temporary connection and discard afterward with the technique as disclosed by McCauley to provide air-gaped security as McCauley suggested.
Claim(s) 3-4, 10-11 is/are rejected under 35 U.S.C. 103 as being unpatentable over “Cignetti”, “Patil”, “McCauley” and “Cheng” as applied to claim 1 above, and further in view of Buchheim et al. (US 20160019512 A1).
With respect to claims 3 and 10:
Cignetti further teaches wherein the output bridge module is a single use module that is deprovisioned in response to the transfer of the signed transaction therefrom. (After the cryptographic operations using the sensitive key 114 are complete, the computing resource service provider tears down the isolated environment. the HSM 110 is removed from the isolated environment 102. The bastion computer system 108 is wiped, and if the bastion computer system 108 is implemented as a virtual computer system, the virtual computer system is deleted. After the bastion computer system 108 is wiped, the isolated environment 102 is deconstructed. If the isolated environment 102 is a virtual network, the virtual network is deleted. [Col 4:62-Col 5:14])
Cheng further teaches further comprising discarding the confirmation module and connecting the disconnected vault module to the input bridge module in response to receipt of the transaction order and the cryptogram at the input bridge module. (The relay server 3 functions as a virtual air gap to isolate the HSM 5 from the public computer network 9. The relay server 3 disconnects itself from the secure network while communicating with the online server 1, and disconnects itself from all external networks while communicating with the HSM 5, such that no interactive sessions with those devices can be established from the outside. This provides virtual “air gap” security to critical infrastructure. [0019])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system to establish temporary connection and discard afterward with the technique as disclosed by McCauley to provide air-gaped security as McCauley suggested.
Cignetti in view of Patil and McCauley and Cheng does not teach wherein the input bridge module receives the transaction order and the cryptogram from an online confirmation module that operates in conjunction with at least one human verifier to verify the transaction order. However,
Buchheim teaches wherein the input bridge module receives the transaction order and the cryptogram from an online confirmation module that operates in conjunction with at least one human verifier to verify the transaction order. (Further optionally, the cashier may be instructed to enter some type of validation code into the cash register 52 in order to provide final authorization to complete the transaction. [0059])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system as disclosed by Cignetti in view of Patil and McCauley and Cheng verify transaction data by a person with the technique as disclosed by Buchheim to improve security by providing final authorization as Buchheim suggested.
Claim 10, a computer product with the same scope as claim 3, is rejected.
With respect to claims 4 and 11:
Cignetti in view of Patil and McCauley and Cheng does not teach wherein the online module is a final review module, wherein the final review module operates in conjunction with at least one human verifier to verify the signed transaction. However,
Buchheim teaches wherein the online module is a final review module, wherein the final review module operates in conjunction with at least one human verifier to verify the signed transaction. (Further optionally, the cashier may be instructed to enter some type of validation code into the cash register 52 in order to provide final authorization to complete the transaction. [0059])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system as disclosed by Cignetti in view of Patil and McCauley and Cheng verify transaction data by a person with the technique as disclosed by Buchheim to improve security by providing final authorization as Buchheim suggested.
Claim 11, a computer product with the same scope as claim 4, is rejected.
Claim(s) 6 is/are rejected under 35 U.S.C. 103 as being unpatentable over “Cignetti”, “Patil”, “McCauley” and “Cheng” as applied to claim 1 above, and further in view of Cheng et al. (US 11468435 B1).
With respect to claim 6:
Cignetti in view of Patil and McCauley and Cheng does not teach wherein the hardware security module is located in a cloud. However,
Cheng teaches wherein the hardware security module is located in a cloud. (In different embodiments, the required quorum private keys for one account are stored in different areas and with a hybrid cloud of HSM service providers, in addition to the on-premises HSM deployment described above. In this way, keys required for one quorum are never in one area or available to one HSM service provider/vendor [Col3:38-44])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system as disclosed by Cignetti in view of Patil and McCauley and Cheng verify transaction data by a person with the technique as disclosed by Cheng to improve system flexibility as Cheng suggested.
Claim(s) 23 is/are rejected under 35 U.S.C. 103 as being unpatentable over “Cignetti”, “Patil”, “McCauley” and “Cheng” as applied to claim 1 above, and further in view of Fitzpatrick et al. (US 20030133449 A1) and Cheng et al. (US 11468435 B1).
With respect to claim 23:
Cignetti further teaches wherein the output bridge module is a single use module that is deprovisioned in response to the transfer of the signed transaction therefrom. (After the cryptographic operations using the sensitive key 114 are complete, the computing resource service provider tears down the isolated environment. the HSM 110 is removed from the isolated environment 102. The bastion computer system 108 is wiped, and if the bastion computer system 108 is implemented as a virtual computer system, the virtual computer system is deleted. After the bastion computer system 108 is wiped, the isolated environment 102 is deconstructed. If the isolated environment 102 is a virtual network, the virtual network is deleted. [Col 4:62-Col 5:14])
McCauley further teaches wherein the hardware security module is located in a cloud, wherein the temporary connection is a single use, unidirectional communications link that is destroyed immediately after the transfer of the transaction order and the cryptogram to the input bridge module. (The relay server 3 functions as a virtual air gap to isolate the HSM 5 from the public computer network 9. The relay server 3 disconnects itself from the secure network while communicating with the online server 1, and disconnects itself from all external networks while communicating with the HSM 5, such that no interactive sessions with those devices can be established from the outside. This provides virtual “air gap” security to critical infrastructure. [0019])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system as disclosed by Cignetti in view of Patil to establish temporary connection and discard afterward with the technique as disclosed by McCauley to provide air-gaped security as McCauley suggested.
Cignetti in view of Patil and McCauley and Cheng does not teach wherein the hardware security module is located in a cloud. However,
Cheng teaches wherein the hardware security module is located in a cloud. (In different embodiments, the required quorum private keys for one account are stored in different areas and with a hybrid cloud of HSM service providers, in addition to the on-premises HSM deployment described above. In this way, keys required for one quorum are never in one area or available to one HSM service provider/vendor [Col3:38-44])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system as disclosed by Cignetti in view of Patil and McCauley and Cheng verify transaction data by a person with the technique as disclosed by Cheng to improve system flexibility as Cheng suggested.
Cignetti in view of Patil and McCauley and Cheng does not teach wherein the temporary connection is a single use, unidirectional internal Queued Direct I/O point-to- point in-memory communications connection. However,
Fitzpatrick teaches wherein the temporary connection is a single use, unidirectional internal Queued Direct I/O point-to- point in-memory communications connection. (The HiperSockets feature enables TCP/IP messages to be exchanged between images using memory-to-memory transfers for packet transmission, effectively putting a virtual internal network within the z900 system. [0032])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system as disclosed by Cignetti in view of Patil and McCauley and Cheng verify transaction data by a person with the technique as disclosed by Fitzpatrick to improve transmission effectiveness as Fitzpatrick suggested.
Claim(s) 27 is/are rejected under 35 U.S.C. 103 as being unpatentable over “Cignetti”, “Patil”, “McCauley” and “Cheng” as applied to claim 1 above, and further in view of Manamohan et al. (US 20210233192 A1).
With respect to claim 27:
Cignetti in view of Patil and McCauley and Cheng does not teach wherein the input bridge module receives the transaction order and the cryptogram from an online confirmation module that operates in conjunction with at least three human verifiers to verify the transaction order based on a quorum of the verifiers. However,
Manamohan teaches wherein the input bridge module receives the transaction order and the cryptogram from an online confirmation module that operates in conjunction with at least three human verifiers to verify the transaction order based on a quorum of the verifiers. (In the verification phase, a group of peer nodes or participants can challenge another peer's/participant's reward claim. In some embodiments, a quorum or some minimum number of peer nodes or participants perform the challenge, and it should be understood that the more challengers/verifiers, the stronger the evidence that a reward claim is valid/invalid [0090])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system as disclosed by Cignetti in view of Patil and McCauley and Cheng to verify transaction data by a group of people with the technique as disclosed by Manamohan to have strong validation as Manamohan suggested.
Claim(s) 26 and 28 is/are rejected under 35 U.S.C. 103 as being unpatentable over Cignetti et al. (US 10693638 B1), and further in view of Patil et al. (US 20200226332 A1) and McCauley et al. (US 20190266576 A1) and Cheng al. (US 20180367316 A1) and Manamohan et al. (US 20210233192 A1).
With respect to claim 26:
Cignetti teaches (in italic):
receiving, at an input bridge module, a [transaction] order and a corresponding cryptogram via a […] connection; […] transferring, from the […] input bridge module to a disconnected vault module, the [transaction] order and the cryptogram. (the computing resource service provider creates an isolated network environment that includes a bastion computer system connected to an HSM. At block 804, the bastion computer system receives the request to perform a cryptographic operation, and identifies the cryptographic key associated with the request. [Col2: 20-25, Col 13:50-52])
transferring the unsigned [transaction] and cryptogram to an offline hardware security module. (At block 808, the bastion computer system provides the protected version of the cryptographic key along with the request to the HSM [Col13:57-59])
unwrapping, using the hardware security module, a [seed] from the cryptogram. (The HSM decrypts the protected version of the cryptographic key using the administrator key to remove a layer of decryption from the protected version of the cryptographic key [Col14:2-5])
generating, using the hardware security module and the [seed], a key for signing the [transaction]. (The HSM receives the request to create a new sensitive cryptographic key, and receives 705 the service provider key from a service controlled by the computing service provider. The HSM generates 706 a new sensitive cryptographic key in accordance with any parameters provided with the request. [Col12:5-11])
transferring the signed [transaction] to an offline output bridge module. (the HSM performs the requested cryptographic operation. The results of the cryptographic operation are returned to the key administrator via the bastion computer system over a protected communication channel [Col14:25-29])
transferring the signed [transaction] from the output bridge module to an online module. (At block 824, the bastion computer system relays the results of the cryptographic operation to the key administrator, and the key administrator receives 826 the results of the cryptographic operation on an administrative console [Col14:29-33])
discarding the output bridge module in response to the transfer of the signed [transaction] and the cryptogram therefrom. (Connections between the administrator and the bastion computer system or HSM are terminated 912. In some implementations, the ceremony environment manager terminates the connections between the administrator and the bastion computer system, and provides a confirmation that the information contained in the isolated network environment has been destroyed. At block 914, the isolated network environment is deconstructed. In some implementations, the isolated network environment is a virtual network which is deleted [Col15: 34-43])
Cignetti does not explicitly teach the following limitations. However,
Patil teaches:
transaction; converting, using the disconnected vault module, the transaction order to an unsigned transaction. (In a step 1020, the integration server forwards this transaction to a control center. Next in a step 1030, the control center validates the transaction by ensuring that it is authorized by the owner. In a step 1040, a command containing instructions to be executed on the HSMs is sent back to the integration server. [0037])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system as disclosed by Cignetti to convert transaction order to unsigned transaction with the technique as disclosed by Patil to provide command for HSM to execute transaction as Patil suggested.
Cignetti in view of Patil does not explicitly teach the following limitations. However,
McCauley teaches (in italic):
a temporary connection; discarding the temporary connection to the input bridge module in response to receipt of the transaction order […] at the input bridge module for causing the input bridge module to be offline. (The relay server 3 functions as a virtual air gap to isolate the HSM 5 from the public computer network 9. The relay server 3 disconnects itself from the secure network while communicating with the online server 1, and disconnects itself from all external networks while communicating with the HSM 5, such that no interactive sessions with those devices can be established from the outside. This provides virtual “air gap” security to critical infrastructure. [0019])
after the temporary connection is discarded, transferring […]. (The relay server 3 functions as a virtual air gap to isolate the HSM 5 from the public computer network 9. The relay server 3 disconnects itself from the secure network while communicating with the online server 1, and disconnects itself from all external networks while communicating with the HSM 5, such that no interactive sessions with those devices can be established from the outside. This provides virtual “air gap” security to critical infrastructure. Once initiated, the request for a blockchain deposit address is then sent to the online server 2, which receives the request (step 201) and forwards it (step 202) via the relay server 3 to the HSM 5 (which as noted above is isolated from the Internet by the relay server 3). [0019 0022])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system as disclosed by Cignetti in view of Patil to establish temporary connection and discard afterward with the technique as disclosed by McCauley to provide air-gaped security as McCauley suggested.
Cignetti in view of Patil and McCauley does not explicitly teach a seed. However,
Cheng teaches a seed. (PCI-e HSM may unwrap (e.g., decrypt) the wrapped seed share two with the unwrapping key RSAPriv back to its original byte materials. Proper attribute settings for the unwrapped seed share two may be set. At 107, a method such as Shamir's Secret Sharing may be utilized (e.g., via a SFTS module) to recover the master private key (e.g., from seed share one and seed share two) for BIP-32 hierarchical deterministic key derivation (e.g., via the SFTS module). At 108, the transaction may be signed using the BIP-32 derived private key (e.g., via the SFTS module). [0080])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system as disclosed by Cignetti in view of Patil and McCauley to utilizing a seed for key generation with the technique as disclosed by Cheng to improves security as Cheng suggested [0072].
Cignetti in view of Patil and McCauley and Cheng does not teach wherein […] receives the transaction order […] from an online confirmation module that operates in conjunction with at least two human verifiers to verify the transaction order. However,
Manamohan teaches wherein the input bridge module receives the transaction order and the cryptogram from an online confirmation module that operates in conjunction with at least two human verifiers to verify the transaction order. (In the verification phase, a group of peer nodes or participants can challenge another peer's/participant's reward claim. In some embodiments, a quorum or some minimum number of peer nodes or participants perform the challenge, and it should be understood that the more challengers/verifiers, the stronger the evidence that a reward claim is valid/invalid [0090])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system as disclosed by Cignetti in view of Patil and McCauley and Cheng to verify transaction data by a group of people with the technique as disclosed by Manamohan to have strong validation as Manamohan suggested.
With respect to claim 28:
Cignetti in view of Patil and McCauley and Cheng does not teach wherein the input bridge module receives the transaction order and the cryptogram from an online confirmation module that operates in conjunction with at least two human verifiers to verify the transaction order. However,
Manamohan teaches wherein the input bridge module receives the transaction order and the cryptogram from an online confirmation module that operates in conjunction with at least two human verifiers to verify the transaction order. ((In the verification phase, a group of peer nodes or participants can challenge another peer's/participant's reward claim. In some embodiments, a quorum or some minimum number of peer nodes or participants perform the challenge, and it should be understood that the more challengers/verifiers, the stronger the evidence that a reward claim is valid/invalid [0090])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system as disclosed by Cignetti in view of Patil and McCauley and Cheng to verify transaction data by a group of people with the technique as disclosed by Manamohan to have strong validation as Manamohan suggested.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 20180330369 A1: A system includes a computing device and a first external signing device wirelessly communicatively coupled to the computing device. The computing device is configured to: receive a request to initiate payment from a mobile wallet; and wirelessly transmit unsigned transaction details to the first external signing device. The first external signing device is configured to: determine whether the unsigned transaction details meet restrictions set by any removable permission module inserted into the first external signing device; and when the unsigned transaction details meet the restrictions set by any removable permission module inserted into the first external signing device: wirelessly transmit a first signature to the computing device.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZESHENG XIAO whose telephone number is (571)272-6627. The examiner can normally be reached 10:00am-4:30pm M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Patrick McAtee can be reached on (571) 272-7575. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Z.X./Examiner, Art Unit 3685
/PATRICK MCATEE/Supervisory Patent Examiner, Art Unit 3698
Prosecution Insights