SYSTEMS AND METHODS FOR AUTHENTICATION OF ACCESS TOKENS

Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . DETAILED ACTION Response to Arguments In communications filed on 11/14/2025, claims 28, 29, 31-48 are presented for examination. Claims 28, 38, and 46 are independent. Amended claim(s): 28, 29, 38, 43, 44, 46. Applicants’ arguments, see Applicant Arguments/Remarks filed 11/14/2025, with respect to claim(s) rejected under prior art have been fully considered but are not persuasive. Contrary to Applicant’s arguments, Jay explicitly teaches the communications protocol wherein the private key and a unique user identifier are associated with the user including a unique session (i.e., login) key (Jay: Fig. 2, Table 2, pages 114-116. See also, Mitra: Fig. 8, ¶2, ¶49, ¶107) Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. Claim(s) 28, 29, 31-44, 46, 47 is/are rejected under 35 U.S.C. 103 as being unpatentable over Jayasinghe, Danushka, et al. "Enhancing EMV Tokenisation with Dynamic Transaction Tokens." International Workshop on Radio Frequency Identification: Security and Privacy Issues. Springer, Cham, 2016 (hereinafter ‘Jay’) in view of US 20190303945 A1 (hereinafter ‘Mitra’) As regards claim 28, Jay in combination with Mitra (US 20190303945 A1) teaches: A contactless card, comprising (Jay: Fig. 1, pages 108-109, i.e., the EMV protocol for contactless cards and mobile payment systems. See also, Mitra, Figs 1-2, i.e., the contactless universal smartcard for payments) Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Jay to include the contactless smartcard as taught by Mitra with the motivation to make payments based on EMV standard (Mitra: ¶2): a memory storing an applet and one or more unique identifiers associated with a user and a private key; (Jay: Fig. 2, Table 2, pages 114-115, i.e., the SE i.e., the card, storing applets, credentials including private key wherein the TATC i.e., running on SE communicates with TATC (i.e., application) of TSP and is associated with user. See also, Mitra: ¶2, ¶49) a communication interface; and (Jay: pages, 115-117. Mitra: Fig. 2) one or more processors in communication with the applet stored in the memory and the communication interface, wherein the one or more processors are configured to: (Jay: Fig. 2, Table 2, pages 114-115, i.e., the SE i.e., the card, storing applets, credentials wherein the TATC i.e., running on SE communicates with TATC (i.e., application) of TSP and is associated with user. See also, Mitra: ¶49-¶50) execute the applet to generate a cryptogram comprising the one or more unique identifiers, (Jay: page 116, i.e., Message 4, i.e., SE requesting a token from the TSP using a cryptogram wherein the cryptogram comprises IDs and encrypted with a key. See also, Mitra: Figs 1-2, ¶89) receive, from a receiving device via the communication interface, an access token in response to a verification of the cryptogram by the receiving device, wherein (Jay: page 116, i.e., Message 5, i.e., the TSP verifies the received cryptogram and generates and sends a token to the SE wherein the token is encrypted. See also, Mitra: Figs 1,2, 6-8, ¶89) the access token includes an access identifier tied to a login session, (Jay: Fig. 2, Table 2, pages 114-116, i.e., the SE i.e., the card, storing applets, credentials including private key wherein the TATC i.e., running on SE communicates with TATC (i.e., application) of TSP and is associated with user and the session. See also, Mitra: Fig. 8, ¶2, ¶49, ¶107) decrypt the access token using the private key, and (Jay: pages 115-116, i.e., the SE receiving the encrypted nt (i.e., the challenge test), Certso(T) which includes the public key of T, and SE decrypts the encrypted values and sends back the response to T that includes the decrypted values) store the access token (Jay: pages 115-117, i.e., the SE deciphers and verifies the encrypted token), the access token being transmittable, via the communication interface, to the second system. (Jay: pages 115-116, i.e., the contactless transaction authentication wherein the terminal responds to mobile device by sending encrypted certificate i.e., access token. See also, Mitra: Figs 1,2, 6-8, 10, ¶70, ¶87-¶90) Claims 38 and 46 recite substantially the same features recited in claim 28 above and are rejected based on the aforementioned rationale discussed in the rejection. As regards claim 29, Jay et al combination teaches the contactless card of claim 28, wherein the one or more processors are further configured to decrypt the access token prior to storing the access token in the memory. (Jay: pages 115-116, i.e., the SE receiving the encrypted nt (i.e., the challenge test), Certso(T) which includes the public key of T, and SE decrypts the encrypted values and sends back the response to T that includes the decrypted values) As regards claim 31, Jay et al combination teaches the contactless card of claim 28, wherein: the memory further stores at least one key and a counter value, and the one or more processors are further configured to create the cryptogram using the at least one key and counter value. (Jay: Table 2, pages 114-116) As regards claim 32, Jay et al combination teaches the contactless card of claim 31, wherein: the memory further stores transmission data, and wherein the cryptogram includes the counter value and the transmission data. (Jay: Table 2, pages 114-116) As regards claim 33, Jay et al combination teaches the contactless card of claim 28, wherein the one or more processors are further configured to transmit, to the second system after entry of the communication interface into a communication field, the access token for access to one or more resources. (Halvor: Figs. 1-2, ¶5, ¶19, i.e., the key/token in the contactless device to unlock a physical door i.e., second system distinct from the reader and the device) As regards claim 34, Jay et al combination teaches the contactless card of claim 28, wherein the one or more processors are further configured to receive, from the receiving device via the communication interface, a challenge, and the challenge includes a public key and an encrypted test. (Jay: pages 115-116, i.e., the SE receiving the encrypted nt (i.e., the challenge test), Certso(T) which includes the public key of T, and SE decrypts the encrypted values and sends back the response to T that includes the decrypted values) As regards claim 35, Jay et al combination teaches the contactless card of claim 34, wherein the one or more processors are further configured to generate a decrypted test by decrypting the encrypted test. (Jay: pages 115-116, i.e., the SE receiving the encrypted nt (i.e., the challenge test), Certso(T) which includes the public key of T, and SE decrypts the encrypted values and sends back the response to T that includes the decrypted values) As regards claim 36, Jay et al combination teaches the contactless card of claim 35, wherein the one or more processors are further configured to include the decrypted test in a challenge response transmitted via the communication interface. (Jay: pages 115-116, i.e., the SE receiving the encrypted nt (i.e., the challenge test), Certso(T) which includes the public key of T, and SE decrypts the encrypted values and sends back the response to T that includes the decrypted values) As regards claim 37, Jay et al combination teaches the contactless card of claim 34, wherein the one or more processors are further configured to encrypt the access token using the public key. (Jay: pages 115-116, i.e., the contactless transaction authentication wherein the terminal responds to mobile device by sending encrypted certificate i.e., access token) As regards claim 39, Jay et al combination teaches the method of claim 38, wherein each entry of the communication interface into a communication field of the receiving generates a challenge. (Jay: pages 115-116, i.e., the SE receiving the encrypted nt (i.e., the challenge test), Certso(T) which includes the public key of T) As regards claim 40, Jay et al combination teaches the method of claim 39, further comprising transmitting, via the communication interface and responsive to the challenge, a challenge response. (Jay: pages 115-116, i.e., the SE responds back to the challenge) As regards claim 41, Jay et al combination teaches the method of claim 38, further comprising invalidating the access token after expiration of a predetermined time period. (Mitra: Fig. 4, ¶57-¶58) As regards claim 42, Jay et al combination teaches the method of claim 38, further comprising invalidating the access token after a one-time use. (Mitra: Fig. 4, ¶57-¶58) As regards claim 43, Jay et al combination teaches the method of claim 38, wherein: the access identifier is configured to allow the user to be identified across a plurality of systems. (Jay: pages 115-116, msg 1, 2, establishing the identities) As regards claim 44, Jay et al combination teaches the method of claim 43, wherein the access identifier is unique to the user. (Jay: pages 115-116) As regards claim 47, Jay et al combination teaches the non-transitory computer-readable medium of claim 46, the procedures further comprising transmitting, to the second system after entry of the communication interface into a communication field, the access token for access to one or more resources. (Halvor: Figs. 1-2, ¶5, ¶19, i.e., the key/token in the contactless device to unlock a physical door i.e., second system distinct from the reader and the device) Claim(s) 45 is/are rejected under 35 U.S.C. 103 as being unpatentable over Jay in view of Mitra in view of in view of US 20230239151 A1 (hereinafter ‘Neil’). As regards claim 45, Jay et al combination teaches the method of claim 43. However, Jay et al do not but in analogous art, Neil (US 20230239151 A1) teaches: wherein the access identifier comprises a group of identifiers that identify the user as belonging to one or more access groups. (Neil: Abstract, ¶56-¶57, i.e., identities belong to a specific access group) Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Jay et al to include providing identities that belong to a specific access group as taught by Neil with the motivation to perform access control to resources (Neil: Abstract, ¶56-¶57) Claim(s) 48 is/are rejected under 35 U.S.C. 103 as being unpatentable over Jay in view of Mitra in view of in view of in view of US 20140145823 A1 (hereinafter ‘Halvor’). As regards claim 48, Jay et al combination teaches the contactless card of claim 28. However, Jay et al do not but in analogous art, Halvor (US 20140145823 A1) teaches: wherein the second system that is distinct from the contactless card and the receiving device. (Halvor: Figs. 1-2, ¶5, ¶19, i.e., the key/token in the contactless device to unlock a physical door i.e., second system distinct from the reader and the device) Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Jay et al to include providing access to a second, distinct system such as access to a hotel room using a key/token stored in a contactless device as taught by Halvor with the motivation to perform access control (Halvor: Figs. 1-2, ¶5, ¶19) Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED A ZAIDI whose telephone number is (571)270-5995. The examiner can normally be reached Monday-Thursday: 5:30AM-5:30PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached at (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /SYED A ZAIDI/ Primary Examiner, Art Unit 2432