DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This communication is a Final Office Action in response to Applicant’s amendment filed on October 16, 2025.
Claims 1-7, and 21-33 have been examined in this application. Claims 8-20 are cancelled.
No new information disclosure statements (IDS) have been filed.
Response to Arguments
Applicant’s arguments, filed 10/16/2025, pages 13-18, regarding claim rejections under 35 U.S.C. 101 have been fully considered but are not persuasive.
Applicant argues that the claims do not fall into one of the enumerated subject matter groupings.
Claims are directed to an abstract idea and the abstract idea is characterized under mental processes, and certain methods of organizing human activity.
Applicant argues that the claims, under Step-2A, Prong I “are not directed to certain methods of organizing human activity,” cites claim 1 as a whole, and states that claim 1 is directed to a secure authentication system that is not within the subject matter groupings; id., 14-15. Applicant notes that because the claims do not fall within any of the groupings, then the claims are deemed patent eligible.
The Examiner respectfully disagrees. First, the Examiner notes that because the “MPEP now incorporates the 2019 Revised Patent Subject Matter Eligibility Guidance (2019 PEG), October 2019 Patent Eligibility Guidance Update (October 2019 Update), and the Berkheimer Memo, all references to those materials should now be directed to the MPEP.”
Under MPEP §2106, the claims are analyzed to determine whether they recite:
(1) any judicial exceptions, including certain groupings of abstract ideas (i.e., mathematical concepts, certain methods of organizing human activity such as a fundamental economic practice, or mental processes) (“Step 2A, Prong One”); and
(2) additional elements that integrate the judicial exception into a practical application (see MPEP § 2106.04(d) and 2106.05(a)-(c), (e)-(h) (9th ed. Rev. 08.2017, Jan. 2018)) (“Step 2A, Prong Two”).
If the claims recite a judicial exception, under section (1), and fail to integrate the abstract idea into a practical application, section (2), then the claims are further analyzed to determine whether they:
(3) add a specific limitation beyond the judicial exception that is not “well-understood, routine, conventional” in the field (see MPEP §2106.05(d)); or
(4) simply appends well-understood, routine, conventional activities previously known to the industry, specified at a high level of generality, to the judicial exception.
The instant claims are found to be directed to an abstract idea of data validation without significantly more.
The abstract idea is characterized under at least mental processes, including concepts performed in the human mind such as observation, evaluation, judgement, opinion and performing these using a pen and paper. Here the claims can clearly be carried out by a human mind and using a pen and paper. As Applicant argues, citing claim 1, the claim captures a generation of a challenge, which can be done using a human mind and pen and paper. Once the challenge is generated, it is stored in memory; human mind or on paper. The generated challenge is then sent to a user device, or simply a user, and the same entity that sent the generated challenge generates a session key based on a master key. Generating a session key based on a master key requires a human mind, some math, and can be done using pen and paper. The session key is then stored in the same way as above before receiving an encrypted MAC cryptogram from the user; wherein the MAC cryptogram incorporates the authentication challenge. A cryptogram is nothing but a string of digits/letters and can again be generated by the user and send to the entity that the claims are directed via verbal communication or again via pen and paper. Before the MAC cryptogram can be validated, it is decrypted, again done by a human mind/pen and paper. Encryption and decryption methods were first designed using nothing more than pen and paper to capture what a human mind can carry out. Likewise, sending data and storing data is what a human mind can clearly do and if not, then such data can be stored on paper and passed along to a user; thus, transmitting data. Finally, under the broadest reasonable interpretation, the claims can be interpreted as being directed to a mathematical concept grouping because in order to generate the claimed information, and to decrypt and validate information, math is utilized. Mathematical concepts include mathematical relationships, formulas or equations, and calculations. The claims are clearly evident of using calculations and formulas in order for the claimed scope as a whole to be possible.
Applicant further that assuming arguendo that claims are directed to an abstract idea, they claims integrate any alleged abstract idea into a practical application.
Under Step-2A, Prong II, the claims fail to include any additional elements that would amount to a practical application.
Applicant cites the multiple generation claim limitations, the decryption limitation, and validation limitation in their entirety and argues that at least these limitations serve as additional elements that amount to a practical application. Applicant further argues that the “additional elements are recited in claim 1 in a specific technical implementation in a meaningful way;” id. 16-17.
The Examiner respectfully disagrees with Applicant’s arguments. The additional elements identified in claim 1 are: “a server including a processor and a memory,” and “a user device.” These additional elements fail to transform the abstract idea into a practical application. The Applicant lists all of the claim limitations as additional elements, which is incorrect. The claimed “a server including a processor and a memory,” and “a user device” additional elements are recited at a high level of generality, amounting to mere generic computer devices carrying out generic computer functions such as generating data, sending and receiving data, and analyzing data. Each of the additional elements / limitations are no more than mere instructions to apply the exception using generic computer components or a generic device. Accordingly, even in combination, the additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea.
Elements recited in claim 1 includes specific processes performed by the server to carry out the claim limitations, amounting to improvements to a technology or technical field.
Under Step-2B, the claims fail to amount to significantly more than the abstract idea.
Applicant argues the “claimed invention recites limitations that provide improvements to a technology or technical field… directed to systems and methods for the secure authentication of contactless cards… securing data transmission… with the benefit of preventing replay attacks…” id, 18.
The Examiner respectfully disagrees. First, the claims fail to include any use of or recitation of near-field communication or how such communication amounts to an improvement in a technical field. The claims also fail to recite use of a contactless card mainly because the claims are directed to a server and what a server does. If the claims included such contactless card, it again would be a high-level incorporation of an additional element into the claims, and further would be regarded as outside the scope since it does not relate to the server. Applicant has clearly argued that all the limitations claimed are carried out by the server; citing various portions of the Specification. Id., 10-12.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements amount to merely instructions to apply the exception using generic computer components. The claim limitations do not improve another technology or technical field, improve the functioning of a computer itself, apply the abstract idea with, or by use of, a particular machine (not a generic computer, not adding the words "apply it" or words equivalent to "apply the abstract idea", not mere instructions to implement an abstract idea on a computer, adding insignificant extra solution activity to the judicial exception, generally linking the user of the judicial exception to a particular technological environment or field of use), effects a transformation or reduction of a particular article to a different state or thing, or adds meaningful limitations that amount to more than generally linking the use of the abstract idea to a particular technological environment. Mere instructions to apply an exception using generic computer components cannot provide an inventive concept.
The dependent claims further describe the abstract idea and fail to include additional elements that would amount to a practical application.
The claims are not patent eligible; therefore, the rejection is maintained.
Claim Objections
Claim 31 is directed to a non-transitory computer readable medium. The claim fails to recite appropriate Beauregard language; i.e. a non-transitory computer readable medium storing instructions, when executed by a computer hardware arrangement, the computer hardware arrangement performs operations comprising…” Currently the claim at issue recites that the “instructions configure the computer hardware arrangement to perform procedures…” Instructions are just that, code stored in memory and; therefore, they are not capable of causing any element of entity to perform any procedures or functions. Instead, a processor or in this case computer hardware arrangement would be the element that can cause functions to be carried out in response to executing instructions. Claim 1, directed to a system, also fails to include appropriate Beauregard language as explained above. Appropriate correction is required.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-7, and 21-33 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.
Claims 1-7, and 21-33 fall within at least one of the four categories of patent eligible subject matter (process, machine, manufacture, or composition of matter).
Claims 1-7, and 21-33 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea of data validating without significantly more.
The abstract idea is characterized under at least mental processes, including concepts performed in the human mind such as observation, evaluation, judgement, opinion and performing these using a pen and paper. The claims, under the broadest reasonable interpretation, capture limitations that a human mind can carry out; generating data, storing data, sending and receiving data, and generating additional data before validation of data. Generating a code, cryptogram, and decrypting a code can be done using pen and paper and a human mind. The claims capture these elements at a high level of generality.
Claim 1, in pertinent part, recites:
A secure authentication system… configured to:
generate an authentication challenge;
store the authentication challenge in the memory;
transmit the authentication challenge to a user device;
generate a session key based on a master key;
store the session key in the memory;
receive from the user device, an encrypted message authentication code (MAC) cryptogram incorporating the authentication challenge;
decrypt the encrypted MAC cryptogram using one or more cryptographic algorithms and the session key; and
validate the authentication challenge received from the user device.
The judicial exception is not integrated into a practical application. The claims recite the following additional elements: a server including a processor and a memory. The additional elements are recited at a high level of generality, wherein the claims merely amount to an abstract idea that is implemented using generic computers, performing generic computer functions such as generating data, storing data, sending and receiving data, analyzing the data, and determining an outcome. Each of the additional elements / limitations are no more than mere instructions to apply the exception using generic computer components or a generic device. Accordingly, even in combination, the additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements amount to merely instructions to apply the exception using generic computer components. The claim limitations do not improve another technology or technical field, improve the functioning of a computer itself, apply the abstract idea with, or by use of, a particular machine (not a generic computer, not adding the words "apply it" or words equivalent to "apply the abstract idea", not mere instructions to implement an abstract idea on a computer, adding insignificant extra solution activity to the judicial exception, generally linking the user of the judicial exception to a particular technological environment or field of use), effects a transformation or reduction of a particular article to a different state or thing, or adds meaningful limitations that amount to more than generally linking the use of the abstract idea to a particular technological environment. Mere instructions to apply an exception using generic computer components cannot provide an inventive concept.
The dependent claims do not include additional elements that integrate the abstract idea into a practical application or that provide significantly more than the abstract idea. The dependent claims fail to recite additional elements that would amount to a practical application or amount to significantly more than the judicial exception as discussed above. The dependent claims further describe the abstract idea.
The claims are not patent eligible.
References
United States Patent Application Publication 2020/0265427 to Osborn et al. (Osborn) teaches systems and methods for data transmission between a contactless card and a client device in support of a FIDO authentication are provided. In an embodiment, upon receipt of a challenge issued by a server in connection with a pending transaction, the contactless card may authorize the client device to utilize a FIDO private key to respond to the challenge. If the response to the challenge is successful, the FIDO authentication may proceed and the transaction may be completed. Osborn utilizes challenges to authenticate data received by a server from a user device. Also, Osborn teaches utilizing session keys and other keys to aid in the encryption and validation of data. Furthermore, Osborn teaches verification and processing of the MAC is simplified because 2-byte diversification is directly supported in the MAC authentication functions of payment HSMs. Decryption of the cryptogram is performed prior to verification of the MAC. The session keys are independently derived at the one or more servers, resulting in a first session key (the ENC session key) and a second session key (the MAC session key). The second derived key (i.e., the ENC session key) may be used to decrypt the data, and the first derived key (i.e., the MAC session key) may be used to verify the decrypted data.
United States Patent 11764966 to Essam et al. (Essam) teaches method of performing out-of-band user authentication includes, by a service electronic device associated with a service a request to initiate a session of the service, generating an authentication token, encrypting the authentication token to generate an encrypted authentication token, and transmitting the encrypted authentication token to the electronic device. FIG. 4 illustrates an example single-step out-of-band user revocation process according to an embodiment. As illustrated by FIG. 4, an electronic device may receive 400 an indication from a user that the user wishes to terminate a session of a service. The electronic device may read 402 ST and/or the KL identifier from storage of the electronic device. The electronic device may transmit 404 the KL identifier and/or ST to a server electronic device. The server electronic device may receive 406 the KL identifier and/or ST. The server electronic device may verify 408 that ST corresponds to information stored at KL. Depending on the result of the verification, the server electronic device may return 410 an indication of sign out. For example, if ST matches information that is stored at KL, the server electronic device may return 410 an indication of a successful sign out to the electronic device. If ST does not match information stored at KL, the server electronic device may return 410 an indication that sign out was not successful. The electronic device may receive 412 the indication of sign out. See also Claim 7.
Chinese Patent Application Publication 118378289 to Jin-Song et al. (Jin) teaches a safe access method and system of teaching data, the method comprises: the client device establishes communication connection with at least one data server, receives the storage address pushed by the data server and generates the storage address list by the received storage address; the client device responds to the access request information of the access teaching data and reports the access authentication information to the authentication server; the authentication server responds to the access authentication information sent by the client device and determines the authority index of the client device according to the access authentication information; the authentication server selects the storage address with the security level lower than the authority index from the storage address list, and sends the selected storage address to the client device after forming the authorization address list; the client device obtains the teaching data according to the authorization address list; The invention can improve the safety of teaching data access control. The client device establishes communication connection with at least one data server, and receives the storage address pushed by the data server. generating a storage address list from the received storage address, wherein the storage address list comprises: S110, the client device establishes a communication connection with the data server, and receives a first public key generated by the data server using an asymmetric encryption algorithm; S130, the client device encrypts the device identification code of the client device by using the first public key, and sends the encrypted device identification code to the data server; S130, the data server uses the first private key generating the first public key to decrypt the encrypted device identification code, if the device identification code is matched in the address access table, then the attribute value of each storage address in the address access table is set to be true, pushing to the client device; if the device identification code is not matched in the address access table, setting the attribute values of all the storage addresses in the data server as false, pushing to the client device; S140, the client device divides the received storage address according to the security level to generate the storage address list.
U.S. Patent Application Publication 2019/0319939 to Hamel et al. (Hamel) teaches system for credential authentication includes and interface and a processor. The interface is configured to receive a request for authorization to access from an application. The processor is configured to determine a set of credentials that can enable authorization to access; generate a proof request challenge; receive a proof response; determine that the proof response is valid based at least in part on information stored in a distributed ledger; generate a token; and provide the token. In some embodiments, the process of FIG. 4F implements 4E08 of FIG. 4E. In the example shown, in 4F00, a request is provided comprising an encrypted session key and authentication token to an authentication device via a proximity radio system. For example, the authentication token comprises a raw challenge that the DCIAMS sent via U2F to the browser on the user device and is being provided to the authentication device so it can be signed. In 4F02, the decrypted authentication token is received signed with the session key and encrypted with the user device public key via the proximity radio system. For example, the authentication device decrypts the session key, signs the challenge, and encrypts the challenge to send back to the user device. In 4F04, the authentication token is decrypted. In 4F06, it is determined whether the device key signature is valid. For example, the In the event it is determined that the device key signature is not valid, the process ends. In the event it is determined that the device key signature is valid, control passes to 4F08. In 4F08, the authentication token is provided to the DCIAMS. For example, the user device then replies via the U2F protocol to the DCIAMS, which determines that the challenge is signed correctly and matches the session key and then indicates to the application that access is authorized.
The above references and those considered / cited fail to disclose the entirety of the claim limitations from a server’s perspective and wherein the server not only generates and sends the challenge to the user device, but also generates a session key based on a master key, and decrypts the MAC using the session key in order to obtain the challenge and authenticate the challenge. Those the limitations are not novel individually, the combination of all the limitations being carried out from the perspective of one entity versus multiple entities results in the claims being non-obvious over prior art.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure is listed on for PTO-892.
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EL MEHDI OUSSIR whose telephone number is (571)270-0191. The examiner can normally be reached M-F 9AM - 5PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, NEHA PATEL can be reached on 571-270-1492. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
Sincerely,
/EL MEHDI OUSSIR/Primary Examiner, Art Unit 3699