DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is responsive to communication filed on 9/16/2025.
Claims 1-7, 9-11,13-20 are subject to examination. Claims 8, 12 are cancelled.
An IDS filed on 1/19/2024 has been fully considered and entered by the Examiner.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-4, 7, 9-11, 13-19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Korondi et al. U.S. Patent Publication # 2017/0034133 (hereinafter Korondi) in view of Kozolchyk et al. U.S. Patent Publication # 2016/0352695 (hereinafter Kozolchyk) further in view of Hayashi et al. U.S. Patent Publication # 2017/0308301 (hereinafter Hayashi)
With respect to claim 1, Korondi teaches a method comprising:
-receiving by a tokenization server, a request to process an interaction from a user device, the request including a user identifier associated with a user (i.e. receiving request for authentication of user authentication data A associated with a particular user ID u, by the authentication system)(Paragraph 25);
-generating by the tokenization server, a first token using a first one-way cryptographic hash function based on the user identifier (i.e. registration request comprises a ciphertext C.sub.KP(A) which encrypts the user authentication data A associated with user ID u under the public key K.sub.P of the public/private key pair (K.sub.S, K.sub.P) )(Paragraph 52);
generating by the tokenization server, a second token (i.e. producing second cryptographic token) using a second one- way cryptographic hash function based on the first token (i.e. using secret key K as MAC(K,A’) wherein the second token T.sub.2=MAC(K,A’) is output and the authentication server retrieves from the database the first token T.sub.1 and T.sub.2 to check for equality of the plaintext user authentication data A’ and the user authentication data) (Paragraph 58-59)(Fig. 7); wherein the tokenization server does not transmit the second token to the processing computer (i.e. the authentication server and SP does not send second token back to the computer. In Paragraph 58, crytoprocessor encodes the user authentication data A using the secret key K to produce a second cryptographic token which is then output to authentication server wherein the authentication compares the two token. In Paragraphs 55-58, Korondi teaches the authentication sever generates tokens and does the authentication and then sends registration confirmation message to the SP server. The server then sends a confirmation message to the user computer. Korondi clearly shows tokenization server does not transmit the second token to the processing server.) (Paragraph 58-59)
Korondi does not explicitly teach retrieving by the tokenization server, first information stored in a first data storage associated with the tokenization server based on the second token; and transmitting by the tokenization server, the first token and the first information to a processing computer, wherein the processing computer is programmed to retrieve, from a second data storage associated with the processing computer, second information based on the first token, and execute the interaction based on the first information and the second information.
Kozolchyk teaches retrieving by the tokenization server, first information (i.e. email address/sensitive data) stored in a first data storage (i.e. data storage service) associated with the tokenization server based on the second token (i.e. second token) (Paragraph 27, 39) and transmitting by the tokenization server, the first token and the first information (i.e. sensitive data) to a processing computer (i.e. delivering the token to the entity including sensitive information) (Paragraph 61), wherein the processing computer is programmed to retrieve, from a second data storage associated with the processing computer, second information (i.e. non-sensitive information or second piece of sensitive) based on the first token (Paragraph 61) (claim 15, 18), and execute the interaction based on the first information and the second information (Paragraph 61-65, 15, 21)(claim 15, 18). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Kozolchyk’s teaching in Korondi’s teaching to come up with having retrieving first information associated with the tokenization server based on the second token and executing interaction based on the first and the second information. The motivation for doing so would be have access policies that include authorization information that defines the types and amounts of information that each data consumer is able to access, obtain or utilize from each data provider.
Although Korondi teaches wherein the first data storage associated with the tokenization server is not directly coupled to the processing computer (Paragraph 28-29), Korondi and Kozolchyk does not explicitly state wherein the processing computer is in direct communication with the second data storage and is not in direct communication with the first data storage.
Hayashi teaches wherein the processing computer is in direct communication with the second data storage and is not in direct communication with the first data storage (Paragraph 56, 59-61). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Hayashi’s teaching in Korondi and Kozolychk’s teaching to come up with having processing computer is indirect communication with the second data storage and is not in direct communication with the first data storage. The motivation for doing so would be to increase storing, loading efficiency based on the direct connection as oppose to indirect connection which can higher latency.
With respect to claim 2, Korondi, Kozolchyk and Hayashi teaches the method of claim 1, but Korondi further teaches wherein the first one-way cryptographic hash function is different than the second one-way cryptographic hash function (i.e. one-way cryptographic hash functions) (Paragraph 60)
With respect to claim 3, Korondi, Kozolchyk and Hayashi teaches the method of claim 1, but Korondi further teaches wherein the first information stored in the first data storage associated with the tokenization server is different than the second information stored in the second data storage associated with the processing computer (Paragraph 52, 58-59)
With respect to claim 4, Korondi, Kozolchyk and Hayashi teaches the method of claim 1, but Kozolchyk further teaches wherein the first information includes at least an email ID of the user or demographic information of the user including an age of the user (driver license information), a gender of the user (i.e. license information), and/or a nationality of the user (Paragraph 25).
With respect to claim 7, Korondi, Kozolchyk and Hayashi teaches the method of claim 1, but Kozolchyk further teaches wherein the second information is not stored by the tokenization server (Paragraph 61-62)
With respect to claim 9, Korondi, Kozolchyk and Hayashi teaches the method of claim 1, but Korondi further teaches wherein the first one-way cryptographic hash function and the second one-way cryptographic hash function is one of a secure hash algorithm (SHA- 2) function, or a SHA-3 function (Paragraph 60)
With respect to claim 10, Korondi, Kozolchyk and Hayashi teaches the method of claim 1, but Korondi further teaches wherein at least one of the first one-way cryptographic hash function and the second one-way cryptographic hash function is a hash message authentication code (HMAC) cryptographic function (i.e. message authentication code with secret key)(Paragraph 57-59)
With respect to claim 11, Korondi, Kozolchyk and Hayashi teaches the method of claim 1, but Korondi further teaches wherein the HMAC cryptographic function is associated with a secret cryptographic key (i.e. message authentication code with secret key)(Paragraph 57-59)
With respect to claim 13, Korondi, Kozolchyk and Hayashi teaches the method of claim 1, but Kozolchyk further teaches wherein prior to receiving the request to process the interaction, the tokenization server receives, from the user device, an initialization request to setup an account of the user with respect to the tokenization server and the processing computer (Paragraph 27)
With respect to claim 14, Korondi, Kozolchyk and Hayashi teaches the method of claim 1, but Korondi further teaches further comprising: receiving by the tokenization server, the user identifier associated with the user, the first information and the second information (Paragraph 61) (claim 15, 18); sending by the tokenization server, the first token and the second information to the processing computer, the first token being associated with the second information and being stored in the second data storage associated with the processing computer (Paragraph 61) (claim 15, 18); and storing by the tokenization server, the second token and the first information in the first data storage associated with the tokenization server, the second token being associated with the first information (Paragraph 61-65, 15, 21)(claim 15, 18).
With respect to claim 15, Korondi teaches a tokenization server comprising: a processor; and a non-transitory computer readable medium coupled to the processor and comprising code, executable by the processor, for implementing a method comprising
- receiving a request to process an interaction from a user device, the request including a user identifier associated with a user (i.e. receiving request for authentication of user authentication data A associated with a particular user ID u, by the authentication system)(Paragraph 25);
generating a first token using a first one-way cryptographic hash function based on the user identifier (i.e. registration request comprises a ciphertext C.sub.KP(A) which encrypts the user authentication data A associated with user ID u under the public key K.sub.P of the public/private key pair (K.sub.S, K.sub.P) )(Paragraph 52);
generating a second token using a second one-way cryptographic hash function based on the first token (i.e. using secret key K as MAC(K,A’) wherein the second token T.sub.2=MAC(K,A’) is output and the authentication server retrieves from the database the first token T.sub.1 and T.sub.2 to check for equality of the plaintext user authentication data A’ and the user authentication data) (Paragraph 58-59)(Fig. 7).
wherein the tokenization server does not transmit the second token to the processing computer (i.e. the authentication server and SP does not send second token back to the computer. In Paragraph 58, crytoprocessor encodes the user authentication data A using the secret key K to produce a second cryptographic token which is then output to authentication server wherein the authentication compares the two token. In Paragraphs 55-58, Korondi teaches the authentication sever generates tokens and does the authentication and then sends registration confirmation message to the SP server. The server then sends a confirmation message to the user computer. Korondi clearly shows tokenization server does not transmit the second token to the processing server.) (Paragraph 58-59)
Korondi does not explicitly teach retrieving first information stored in a first data storage associated with the tokenization server based on the second token; and transmitting the first token and the first information to a processing computer, wherein the processing computer is programmed to retrieve, from a second data storage associated with the processing computer, second information based on the first token, and execute the interaction based on the first information and the second information.
Kozolchyk teaches retrieving first information (i.e. email address/sensitive data) stored in a first data storage (i.e. data storage service) associated with the tokenization server based on the second token (i.e. second token) (Paragraph 27, 39) and transmitting the first token and the first information (i.e. sensitive data) to a processing computer (i.e. delivering the token to the entity including sensitive information) (Paragraph 61), wherein the processing computer is programmed to retrieve, from a second data storage associated with the processing computer, second information (i.e. non-sensitive information or second piece of sensitive) based on the first token (Paragraph 61) (claim 15, 18), and execute the interaction based on the first information and the second information (Paragraph 61-65, 15, 21)(claim 15, 18). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Kozolchyk’s teaching in Korondi’s teaching to come up with having retrieving first information associated with the tokenization server based on the second token and executing interaction based on the first and the second information. The motivation for doing so would be have access policies that include authorization information that defines the types and amounts of information that each data consumer is able to access, obtain or utilize from each data provider.
Although Korondi teaches wherein the first data storage associated with the tokenization server is not directly coupled to the processing computer (Paragraph 28-29), Korondi and Kozolchyk does not explicitly state wherein the processing computer is in direct communication with the second data storage and is not in direct communication with the first data storage.
Hayashi teaches wherein the processing computer is in direct communication with the second data storage and is not in direct communication with the first data storage (Paragraph 56, 59-61). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Hayashi’s teaching in Korondi and Kozolychk’s teaching to come up with having processing computer is indirect communication with the second data storage and is not in direct communication with the first data storage. The motivation for doing so would be to increase storing, loading efficiency based on the direct connection as oppose to indirect connection which can higher latency.
With respect to claim 16, Korondi, Kozolchyk and Hayashi teaches the tokenization server of claim 15, but Korondi teaches wherein each of the first one-way cryptographic hash function and the second one-way cryptographic hash function is a hash message authentication code (HMAC) cryptographic function, and wherein the first one-way cryptographic hash function is different than the second one-way cryptographic hash function (i.e. one-way cryptographic hash functions) (Paragraph 60)
With respect to claim 17, Korondi, Kozolchyk and Hayashi teaches the tokenization server of claim 15, but Korondi teaches the first one-way cryptographic hash function is a hash message authentication code (HMAC) cryptographic function, and the second one-way cryptographic hash function is non-HMAC cryptographic function (i.e. message authentication code with secret key)(Paragraph 57-59)
With respect to claim 18, Korondi, Kozolchyk and Hayashi teaches the tokenization server of claim 15, but Korondi teaches wherein a first location of the first data storage associated with the tokenization server is different than a second location of the second data storage associated with the processing computer (Paragraph 27-28, 32, 60)
With respect to claim 19, Korondi teaches a method comprising:
-obtaining by a processing computer, a first token from a tokenization server, the first token being generated based on a user identifier associated with a user (i.e. registration request comprises a ciphertext C.sub.KP(A) which encrypts the user authentication data A associated with user ID u under the public key K.sub.P of the public/private key pair (K.sub.S, K.sub.P) )(Paragraph 52);
-verifying by the processing computer, whether a copy of the first token is stored in a first data storage associated with the processing computer (i.e. storing token T.sub.1 for the user ID u in the database) (Paragraph 52)
-retrieving by the processing computer, in response to a successful verification, first information associated with the first token, from the first data storage associated with the processing computer (Paragraph 53)
wherein the tokenization server does not transmit the second token to the processing computer (i.e. the authentication server and SP does not send second token back to the computer. In Paragraph 58, crytoprocessor encodes the user authentication data A using the secret key K to produce a second cryptographic token which is then output to authentication server wherein the authentication compares the two token. In Paragraphs 55-58, Korondi teaches the authentication sever generates tokens and does the authentication and then sends registration confirmation message to the SP server. The server then sends a confirmation message to the user computer. Korondi clearly shows tokenization server does not transmit the second token to the processing server.) (Paragraph 58-59)
Korondi does not explicitly teach obtaining by the processing computer, second information from a second data storage associated with the tokenization server, wherein the second information is associated with a second token that is generated by the tokenization server based on the first token; and processing an interaction request issued by the user based on the first information and the second information.
Kozolchyk teaches obtaining by the processing computer, second information from a second data storage associated with the tokenization server (paragraph 61), wherein the second information (i.e. non-sensitive information or second piece of sensitive) is associated with a second token that is generated by the tokenization server based on the first token (i.e. first token) (Paragraph 61) (claim 15, 18)and processing an interaction request issued by the user based on the first information and the second information. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Kozolchyk’s teaching in Korondi’s teaching to come up with having retrieving first information associated with the tokenization server based on the second token and executing interaction based on the first and the second information. The motivation for doing so would be have access policies that include authorization information that defines the types and amounts of information that each data consumer is able to access, obtain or utilize from each data provider.
Although Korondi teaches wherein the first data storage associated with the tokenization server is not directly coupled to the processing computer (Paragraph 28-29), Korondi and Kozolchyk does not explicitly state wherein the processing computer is in direct communication with the second data storage and is not in direct communication with the first data storage.
Hayashi teaches wherein the processing computer is in direct communication with the second data storage and is not in direct communication with the first data storage (Paragraph 56, 59-61). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Hayashi’s teaching in Korondi and Kozolychk’s teaching to come up with having processing computer is indirect communication with the second data storage and is not in direct communication with the first data storage. The motivation for doing so would be to increase storing, loading efficiency based on the direct connection as oppose to indirect connection which can higher latency.
Claim(s) 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Korondi et al. U.S. Patent Publication # 2017/0034133 (hereinafter Korondi) in view of Kozolchyk et al. U.S. Patent Publication # 2016/0352695 (hereinafter Kozolchyk) further in view of Hayashi further in view of Kapoor et al. U.S. Patent # 8,812,482 (hereinafter Kapoor)
With respect to claim 20, Korondi, Kozolchyk and Hayashi teaches method of claim 19, wherein the processing of the interaction request further comprises: transmitting by the processing computer, the first information and the second information to an information processing server that is programmed but does not explicitly teaches to generate a report based on the first information and the second information, the report being transmitted to the user.
Kapoor teaches transmitting by the processing computer, the first information and the second information to an information processing server that is programmed to generate a report based on the first information and the second information, the report being transmitted to the user (column 52 lines 55-67)(column 53 lines 1-33). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Kapoor’s teaching in Korondi and Kozolchyk’s teaching to come up with generating a report based on the first and second information and transmitting the report to the user. The motivation for doing so would be so to make aware the user of sensitive and non-sensitive data that is being stored in the database.
Claim(s) 5-6 is/are rejected under 35 U.S.C. 103 as being unpatentable over Korondi et al. U.S. Patent Publication # 2017/0034133 (hereinafter Korondi) in view of Kozolchyk et al. U.S. Patent Publication # 2016/0352695 (hereinafter Kozolchyk) further in view of Hayashi further in view of Sheets et al. U.S. Patent Publication # 2019/0050865 (hereinafter Sheets)
With respect to claim 5, Korondi, Kozolchyk and Hayashi teaches the method of claim 1, but fails to further teaches wherein the second information includes at least biometric information of the user. Sheets teaches wherein the second information includes at least biometric information of the user (paragraph 30, 98, 100). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Sheets’s teaching in Korondi, Kozolchyk and Hayashi’s teaching to come up with having second information including at least biometric information of the user. The motivation for doing so would be to authenticate a user for a transaction.
With respect to claim 6, Korondi, Kozolchyk, Hayashi and Sheets teaches the method of claim 5, but Sheets further teaches wherein the biometric information includes at least a fingerprint scan, an iris scan, a retina scan, a voice sample, or a facial scan of the user (Paragraph 98)
Response to Arguments
Applicant's arguments filed 3/3/2026 have been fully considered but they are not persuasive.
A). Applicant states Korondi does not teach “first token is generated by hashing the user identifier using a one was cryptographic hash algorithm…wherein the tokenization server does not transmit the second token to the processing computer”.
With respect to remark A, Examiner respectfully disagrees with the applicant because in Paragraph 52, Korondi teaches generating by the tokenization server, a first token using a first one-way cryptographic hash function based on the user identifier (i.e. registration request comprises a ciphertext C.sub.KP(A) which encrypts the user authentication data A associated with user ID u under the public key K.sub.P of the public/private key pair (K.sub.S, K.sub.P) )(Paragraph 52). Korondi clearly states that ciphertext which encrypts the user authentication data A associated with user ID under the public key of the public/private key pair. The authentication server receives the registration request via the network. The authentication server supplies the ciphertext in the registration request to the secure cryptoprocessor. Hence, Korondi clearly teaches generating a first token using first one-way cryptographic hash function based on the user identifier.
In Paragraph 58-59, Korondi teaches generating by the tokenization server, a second token (i.e. producing second cryptographic token) using a second one- way cryptographic hash function based on the first token (i.e. using secret key K as MAC(K,A’) wherein the second token T.sub.2=MAC(K,A’) is output and the authentication server retrieves from the database the first token T.sub.1 and T.sub.2 to check for equality of the plaintext user authentication data A’ and the user authentication data) (Paragraph 58-59)(Fig. 7); wherein the tokenization server does not transmit the second token to the processing computer (i.e. the authentication server and SP does not send second token back to the computer. In Paragraph 58, crytoprocessor encodes the user authentication data A using the secret key K to produce a second cryptographic token which is then output to authentication server wherein the authentication compares the two token. In Paragraphs 55-58, Korondi teaches the authentication sever generates tokens and does the authentication and then sends registration confirmation message to the SP server. The server then sends a confirmation message to the user computer. Korondi clearly shows tokenization server does not transmit the second token to the processing server.) (Paragraph 58-59)
Korondi does not explicitly teach retrieving by the tokenization server, first information stored in a first data storage associated with the tokenization server based on the second token; and transmitting by the tokenization server, the first token and the first information to a processing computer, wherein the processing computer is programmed to retrieve, from a second data storage associated with the processing computer, second information based on the first token, and execute the interaction based on the first information and the second information.
Kozolchyk teaches retrieving by the tokenization server, first information (i.e. email address/sensitive data) stored in a first data storage (i.e. data storage service) associated with the tokenization server based on the second token (i.e. second token) (Paragraph 27, 39) and transmitting by the tokenization server, the first token and the first information (i.e. sensitive data) to a processing computer (i.e. delivering the token to the entity including sensitive information) (Paragraph 61), wherein the processing computer is programmed to retrieve, from a second data storage associated with the processing computer, second information (i.e. non-sensitive information or second piece of sensitive) based on the first token (Paragraph 61) (claim 15, 18), and execute the interaction based on the first information and the second information (Paragraph 61-65, 15, 21)(claim 15, 18). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Kozolchyk’s teaching in Korondi’s teaching to come up with having retrieving first information associated with the tokenization server based on the second token and executing interaction based on the first and the second information. The motivation for doing so would be have access policies that include authorization information that defines the types and amounts of information that each data consumer is able to access, obtain or utilize from each data provider.
Although Korondi teaches wherein the first data storage associated with the tokenization server is not directly coupled to the processing computer (Paragraph 28-29), Korondi and Kozolchyk does not explicitly state wherein the processing computer is in direct communication with the second data storage and is not in direct communication with the first data storage.
Hayashi teaches wherein the processing computer is in direct communication with the second data storage and is not in direct communication with the first data storage (Paragraph 56, 59-61). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Hayashi’s teaching in Korondi and Kozolychk’s teaching to come up with having processing computer is indirect communication with the second data storage and is not in direct communication with the first data storage. The motivation for doing so would be to increase storing, loading efficiency based on the direct connection as oppose to indirect connection which can higher latency.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
A). Holland et al. U.S. Patent Publication # 2014/0082749
B). Galitsky et al. U.S. Patent Publication # 2009/0089252
C). Entschew et al. U.S. Patent Publication # 2013/0318354
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DHAIRYA A PATEL whose telephone number is (571)272-5809. The examiner can normally be reached M-F 7:30am-4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kamal B Divecha can be reached at 571-272-5863. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
DHAIRYA A. PATEL
Primary Examiner
Art Unit 2453
/DHAIRYA A PATEL/ Primary Examiner, Art Unit 2453