DETAILED ACTION
This first non-final action is in response to applicants’ filing on 01/25/2024. Claims 1-20 are currently pending and have been considered as follows.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Drawings
The drawings filed on 01/25/2024 are accepted.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 01/25/2024 has been placed in the application file, and the information referred therein has been considered as to the merits.
Claim Objections
Claim 20 is objected to because of the following informalities:
Claim 20 line 13 recites “wherein the wherein the” which should be corrected as “wherein the ”;
Appropriate correction is required.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1, 8, 16, and 17 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 1 recites a “system for user authentication with a transaction card comprising: an authentication processor… the contactless card configured to:”, but it is unclear and indefinite as to whether “the contactless card” in line 5 are intended to be a part of Claim 1’s system. Given the broadest reasonable interpretation (BRI), Claim 1 only comprises “an authentication processor” and no other elements. The “contactless card configured to:” is not positively recited as part of Claim 1’s system and is extrinsic to the claimed invention. For purposes of examination, the subsequent functions “generate a first time-based cryptogram with a shared secret key and the first timestamp received from the authentication processor; transmit an authentication request comprising the first time-based cryptogram to a second device” are considered outside the scope of the claimed invention because they are performed by the contactless card that is external to Claim 1’s system.
Claim 8 recites the limitation "the authentication" in line 2. There is insufficient antecedent basis for this limitation in the claim.
Claim 16 recites the limitation "the second time interval" in line 1. There is insufficient antecedent basis for this limitation in the claim.
Claim 17 recites the limitations " the second time interval” and “the mercIlincict” in line 2. There is insufficient antecedent basis for these limitations in the claim.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1, 3, 4, 9, 10-13, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Jin et al. (US 20180198820 A1, hereinafter Jin) in view of ILINCIC et al. (US 20210279724 A1, hereinafter Ilincic).
As to Claim 1:
Jin discloses a system for user authentication with a transaction card (e.g. Jin FIG. 1; server computer [0023] and “A “communication device” may be a device that includes one or more electronic components (e.g., an integrated chip) that can communicate with another device. For example, a communication device can be a computing device having at least one processor coupled to a memory... portable communication device may be... in the form of a card (e.g., smart card)” [0022]) comprising: an authentication processor (e.g. Jin server computer’s processor [0023]; authorization server [0039]) configured to:
transmit a first timestamp to a contactless card, the first timestamp corresponding to a first time interval (e.g. Jin “have the access application obtain an authorization network time from the authorization server 180 each time the access credential is generated. Because the authorization network time is provided by authorization server 180, a user would not be able to manipulate this time information received from authorization server 180” [0043]; [0042]; “Communication device 110 may communicate with authorization server 180 via a communications network 182 (e.g., internet, mobile or cellular network, etc.). For example, communication device 110 may communicate with authorization server 180 to download an access application. The access application may allow communication device 110 to interact with an access device to obtain a service associated with the service provider” [0039]; “the access application may communicate with the authorization network (e.g., authorization server) to synchronize the access application and the communication device with the authorization network. For example, the access application may receive an authorization network time from the authorization network when the communication device synchronizes with the authorization network. The authorization network time can be, for example, the current Universal Coordinated Time (UTC), the current local time at the authorization server, or the current time of an arbitrary clock maintained by the authorization server” [0046]; “the access credential may have a limited lifespan and may expire after a time-to-live amount of time. For example, the access credential may have a time-to-live of up to 5 minutes, 10 minutes, 15 minutes, or 30 minutes, etc. from when the access credential is generated, and after which the access credential will no longer be valid. To allow authorization server 180 to verify whether the access credential has expired, the access credential may include timestamp information indicating when the access credential was generated by the access application” [0042]);
the contactless card (e.g. although not recited explicitly as part of the claim 1’s system: Jin FIG. 10 Communication Device may be in the form of a smart card [0022] with contactless interface [0085]) configured to:
generate a first time-based cryptogram with a shared secret key and the first timestamp received from the authentication processor (e.g. Jin “In addition to the timestamp, the access credential generated by the access application may also include account information associated with an account of the user. For example, the account information may include an account identifier or a token that is used as a substitute for a real account identifier. The account credential may also include a cryptogram that is generated by encrypting the account information and/or the timestamp using an encryption key” [0050]);
transmit an authentication request comprising the first time-based cryptogram to a second device; wherein the authentication request is forwarded, by the second device, to the authentication processor for validation (e.g. Jin “An “access device” may be any suitable device for interacting with a communication device and for communicating with an authorization server. In some embodiments, an access device may communicate with an authorization server via a merchant computer or transaction processing network. An access device may generally be located in any suitable location, such as at the location of a merchant. An access device may be in any suitable form. Some examples of access devices include POS devices” [0027]; “When the user attempts to access a service using communication device 110, the user may launch the access application on communication device 110, and instruct the access application to generate an access credential that is used for authenticating the user and/or communication device 110 to the service provider. Communication device 110 may interact with access device 160, and provide the access credential to access device 160” [0040]; “The account credential may also include a cryptogram that is generated by encrypting the account information and/or the timestamp using an encryption key. In some embodiments, the encryption key can be a limited-use key that has its own set of usage restrictions. The access credential can then be provided to the access device to request authorization to access the requested service. In some embodiments, the access credential can be transmitted to the access device using a wired or wireless (e.g., NFC, WiFi, Bluetooth, etc.) connection” [0050]; “Access device 160 may send the access credential to authorization sever 180 via authorization network 184 to authenticate the user and/or communication device 110” [0041]);
validate, by the authentication processor, the first time-based cryptogram using the secret key and a second timestamp corresponding to a reception of the time-based cryptogram, wherein the second timestamp falls within the first time interval (e.g. Jin “The authorization sever may also verifying that cryptogram by regenerating the cryptogram using a copy of the encryption key and comparing the regenerated cryptogram with the cryptogram provided in the access credential. The authorization server may also determine whether the access credential has reliable timestamp information (e.g., via the value of the timestamp and/or the timestamp reliability flag)” [0051]; “If the access credential indicates that the timestamp information is reliable, the authorization server may compare the timestamp information with the current authorization network time at the authorization server, and calculate the amount of time that has elapsed since the access credential was generated. The authorization server may then determine whether the access credential is being used within its time-to-live threshold. If the access credential has not expired yet, and the account information and/or cryptogram are verified to be valid, the authorization can then grant authorization for the user and/or the communication device to access the requested service” [0052]);
But Jin does not specifically disclose:
via an intermediary device.
However, the analogous art Ilincic does disclose via an intermediary device (e.g. Ilincic “the contactless card may be tapped to the first mobile device. Doing so instructs the contactless card to transmit the encrypted data to the first mobile device” [0013]; “the system 100 includes one or more contactless cards 101, one or more mobile devices 110, and a server 120” [0017]; “data is exchanged between the contactless card 101 and the server 120 (and/or the contactless card 101 and the mobile device 110). To enable NFC data transfer between the contactless card 101 and the mobile device 110, the account application 113 may communicate with the contactless card 101 when the contactless card 101 is sufficiently close to a card reader 118 of the mobile device 110” [0022]). Jin and Ilincic are analogous art because they are from the same field of endeavor in contactless cards and cryptograms.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, having the teachings of Jin and Ilincic before him or her, to modify the disclosure of Jin with the teachings of Ilincic to include via an intermediary device as claimed. The suggestion/motivation for doing so would have been to provide secure techniques for mobile currency transfer using NFC-enabled mobile devices (Ilincic [0011]). Therefore, it would have been obvious to combine Jin and Ilincic to obtain the invention as specified in the instant claim(s).
As to Claim 3:
Jin in view of Ilincic discloses the system of claim 1, wherein the first timestamp is associated with a real-world time (e.g. Jin “The timestamp can reflect the time at which the access credential was generated” [0019]; [0043]; “The authorization network time can be, for example, the current Universal Coordinated Time (UTC)” [0046]; [0048]).
As to Claim 4:
Jin in view of Ilincic discloses the system of claim 1, wherein the contactless card is further configured to include the first timestamp along with the first time-based cryptogram in the authentication request (e.g. Jin “To allow authorization server 180 to verify whether the access credential has expired, the access credential may include timestamp information indicating when the access credential was generated by the access application” [0042]; “portable communication device 1110 may provide access device 1160 with access credential such as an account identifier (e.g., an alternate account identifier, a token, etc.), and additional information such as limited-use account parameters… the limited-use account parameters included in the access credential may include a transaction cryptogram and a timestamp” [0107]).
As to Claim 9:
Jin in view of Ilincic discloses the system of claim 4, wherein the intermediary device corresponds to a user communication device with near-field communication (NFC) connectivity to the contactless card and a network connectivity to the authentication processor (e.g. Ilincic “The contactless cards 101 may comprise one or more chips (not depicted), such as a radio frequency identification (RFID) chip, configured to communicate with the mobile devices 110 via NFC, the EMV standard, or other short-range protocols in wireless communication, or using NFC Data Exchange Format (NDEF) tags” [0017]; “the mobile device 110 may then transmit the encrypted data to the server 120 via the network 130” [0024]).
As to Claim 10:
Jin discloses a method for user authentication with a transaction card (e.g. Jin “A process for generating an access credential by a communication device” [Abstract]; smart card [0022]) comprising:
transmitting, by a first device, a first timestamp to a contactless card wherein the first timestamp is associated with a first time interval (e.g. Jin “have the access application obtain an authorization network time from the authorization server 180 each time the access credential is generated. Because the authorization network time is provided by authorization server 180, a user would not be able to manipulate this time information received from authorization server 180” [0043]; [0042]; “Communication device 110 may communicate with authorization server 180 via a communications network 182 (e.g., internet, mobile or cellular network, etc.). For example, communication device 110 may communicate with authorization server 180 to download an access application. The access application may allow communication device 110 to interact with an access device to obtain a service associated with the service provider” [0039]; “the access application may communicate with the authorization network (e.g., authorization server) to synchronize the access application and the communication device with the authorization network. For example, the access application may receive an authorization network time from the authorization network when the communication device synchronizes with the authorization network. The authorization network time can be, for example, the current Universal Coordinated Time (UTC), the current local time at the authorization server, or the current time of an arbitrary clock maintained by the authorization server” [0046]; “the access credential may have a limited lifespan and may expire after a time-to-live amount of time. For example, the access credential may have a time-to-live of up to 5 minutes, 10 minutes, 15 minutes, or 30 minutes, etc. from when the access credential is generated, and after which the access credential will no longer be valid. To allow authorization server 180 to verify whether the access credential has expired, the access credential may include timestamp information indicating when the access credential was generated by the access application” [0042]);
generating, by contactless card, a first time-based cryptogram using a secret key shared with the first device and the first timestamp received from the first device (e.g. Jin “In addition to the timestamp, the access credential generated by the access application may also include account information associated with an account of the user. For example, the account information may include an account identifier or a token that is used as a substitute for a real account identifier. The account credential may also include a cryptogram that is generated by encrypting the account information and/or the timestamp using an encryption key” [0050]);
transmitting, by the contactless card, an authentication request comprising the first time-based cryptogram to a second device, wherein the authentication request is forwarded, by the second device to the first device (e.g. Jin “An “access device” may be any suitable device for interacting with a communication device and for communicating with an authorization server. In some embodiments, an access device may communicate with an authorization server via a merchant computer or transaction processing network. An access device may generally be located in any suitable location, such as at the location of a merchant. An access device may be in any suitable form. Some examples of access devices include POS devices” [0027]; “When the user attempts to access a service using communication device 110, the user may launch the access application on communication device 110, and instruct the access application to generate an access credential that is used for authenticating the user and/or communication device 110 to the service provider. Communication device 110 may interact with access device 160, and provide the access credential to access device 160” [0040]; “The account credential may also include a cryptogram that is generated by encrypting the account information and/or the timestamp using an encryption key. In some embodiments, the encryption key can be a limited-use key that has its own set of usage restrictions. The access credential can then be provided to the access device to request authorization to access the requested service. In some embodiments, the access credential can be transmitted to the access device using a wired or wireless (e.g., NFC, WiFi, Bluetooth, etc.) connection” [0050]; “Access device 160 may send the access credential to authorization sever 180 via authorization network 184 to authenticate the user and/or communication device 110” [0041]); and
validating, by the first device, the first time-based cryptogram using the secret key and a second timestamp associated with a reception of the time-based cryptogram by the first device, wherein the second timestamp falls within the first time interval (e.g. Jin “The authorization sever may also verifying that cryptogram by regenerating the cryptogram using a copy of the encryption key and comparing the regenerated cryptogram with the cryptogram provided in the access credential. The authorization server may also determine whether the access credential has reliable timestamp information (e.g., via the value of the timestamp and/or the timestamp reliability flag)” [0051]; “If the access credential indicates that the timestamp information is reliable, the authorization server may compare the timestamp information with the current authorization network time at the authorization server, and calculate the amount of time that has elapsed since the access credential was generated. The authorization server may then determine whether the access credential is being used within its time-to-live threshold. If the access credential has not expired yet, and the account information and/or cryptogram are verified to be valid, the authorization can then grant authorization for the user and/or the communication device to access the requested service” [0052]);
But Jin does not specifically disclose:
via an intermediary device.
However, the analogous art Ilincic does disclose via an intermediary device (e.g. Ilincic “the contactless card may be tapped to the first mobile device. Doing so instructs the contactless card to transmit the encrypted data to the first mobile device” [0013]; “the system 100 includes one or more contactless cards 101, one or more mobile devices 110, and a server 120” [0017]; “data is exchanged between the contactless card 101 and the server 120 (and/or the contactless card 101 and the mobile device 110). To enable NFC data transfer between the contactless card 101 and the mobile device 110, the account application 113 may communicate with the contactless card 101 when the contactless card 101 is sufficiently close to a card reader 118 of the mobile device 110” [0022]). Jin and Ilincic are analogous art because they are from the same field of endeavor in contactless cards and cryptograms.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, having the teachings of Jin and Ilincic before him or her, to modify the disclosure of Jin with the teachings of Ilincic to include via an intermediary device as claimed. The suggestion/motivation for doing so would have been to provide secure techniques for mobile currency transfer using NFC-enabled mobile devices (Ilincic [0011]). Therefore, it would have been obvious to combine Jin and Ilincic to obtain the invention as specified in the instant claim(s).
As to Claim 11:
Jin in view of Ilincic discloses the method of claim 10, wherein the first timestamp corresponds to current time maintained by the first device (e.g. Jin “the access application obtain an authorization network time from the authorization server 180 each time the access credential is generated. Because the authorization network time is provided by authorization server 180, a user would not be able to manipulate this time information received from authorization server 180” [0043]; “FIG. 2 illustrates a timing diagram of a technique to generate a reliable timestamp for use in an access credential” [0044]; “the access application may receive an authorization network time from the authorization network when the communication device synchronizes with the authorization network. The authorization network time can be, for example, the current Universal Coordinated Time (UTC), the current local time at the authorization server” [0046]).
As to Claim 12:
Jin in view of Ilincic discloses the method of claim 10, wherein the authentication request further comprises a unique customer identifier retrieved from a memory of the contactless card (e.g. Jin “the access credential generated by the access application may also include account information associated with an account of the user. For example, the account information may include an account identifier or a token that is used as a substitute for a real account identifier” [0050]; “Access device 1160 or a merchant computer coupled to access device 1160 may generate an authorization request message including the account identifier” [0108]; see also Ilincic “a memory 102 of the contactless card includes card data 103, a counter 104, a master key 105, a diversified key 106, and a unique customer identifier 107” [0018]; “The contactless card 101 may then encrypt the data (e.g., the customer identifier 107 and any other data) using the diversified key 106. The contactless card 101 may then transmit the encrypted data to the account application 113 of the mobile device 110 (e.g., via an NFC connection” [0024]). The Examiner supplies the same rationale for the combination of references Jin and Ilincic as in Claim 10 above.
As to Claim 13:
Jin in view of Ilincic discloses the method of claim 10, wherein the contactless card is further configured to include the first timestamp, along with the first time-based cryptogram, in the authentication request transmitted to the second device. (e.g. Jin “To allow authorization server 180 to verify whether the access credential has expired, the access credential may include timestamp information indicating when the access credential was generated by the access application” [0042]; “portable communication device 1110 may provide access device 1160 with access credential such as an account identifier (e.g., an alternate account identifier, a token, etc.), and additional information such as limited-use account parameters… the limited-use account parameters included in the access credential may include a transaction cryptogram and a timestamp” [0107]).
As to Claim 19:
Jin in view of Ilincic discloses the method of claim 13, wherein the intermediary device corresponds to a user communication device with near-field communication (NFC) connectivity to the contactless card and a network connectivity to the first device, the first device corresponding to an authentication processor associated with the contactless card (e.g. Ilincic “The contactless cards 101 may comprise one or more chips (not depicted), such as a radio frequency identification (RFID) chip, configured to communicate with the mobile devices 110 via NFC, the EMV standard, or other short-range protocols in wireless communication, or using NFC Data Exchange Format (NDEF) tags” [0017]; “the mobile device 110 may then transmit the encrypted data to the server 120 via the network 130” [0024]).
As to Claim 20:
Jin discloses a non-transitory computer readable medium containing computer executable instructions that, when executed by a computer hardware arrangement, cause the computer hardware arrangement to perform procedures (e.g. Jin “Any of the software components or functions described in this application, may be implemented as software code to be executed by a processor... software code may be stored as a series of instructions, or commands on a computer readable medium” [0114]) comprising:
transmitting, by a first device, a first timestamp to a contactless card wherein the first timestamp is associated with a first time interval (e.g. Jin “have the access application obtain an authorization network time from the authorization server 180 each time the access credential is generated. Because the authorization network time is provided by authorization server 180, a user would not be able to manipulate this time information received from authorization server 180” [0043]; [0042]; “Communication device 110 may communicate with authorization server 180 via a communications network 182 (e.g., internet, mobile or cellular network, etc.). For example, communication device 110 may communicate with authorization server 180 to download an access application. The access application may allow communication device 110 to interact with an access device to obtain a service associated with the service provider” [0039]; “the access application may communicate with the authorization network (e.g., authorization server) to synchronize the access application and the communication device with the authorization network. For example, the access application may receive an authorization network time from the authorization network when the communication device synchronizes with the authorization network. The authorization network time can be, for example, the current Universal Coordinated Time (UTC), the current local time at the authorization server, or the current time of an arbitrary clock maintained by the authorization server” [0046]; “the access credential may have a limited lifespan and may expire after a time-to-live amount of time. For example, the access credential may have a time-to-live of up to 5 minutes, 10 minutes, 15 minutes, or 30 minutes, etc. from when the access credential is generated, and after which the access credential will no longer be valid. To allow authorization server 180 to verify whether the access credential has expired, the access credential may include timestamp information indicating when the access credential was generated by the access application” [0042]);
generating, by contactless card, a first time-based cryptogram using a secret key shared with the first device and the first timestamp received from the first device (e.g. Jin “In addition to the timestamp, the access credential generated by the access application may also include account information associated with an account of the user. For example, the account information may include an account identifier or a token that is used as a substitute for a real account identifier. The account credential may also include a cryptogram that is generated by encrypting the account information and/or the timestamp using an encryption key” [0050]);
transmitting, by the contactless card, an authentication request comprising the first time-based cryptogram to a second device, wherein the authentication request is forwarded, by the second device to the first device (e.g. Jin “An “access device” may be any suitable device for interacting with a communication device and for communicating with an authorization server. In some embodiments, an access device may communicate with an authorization server via a merchant computer or transaction processing network. An access device may generally be located in any suitable location, such as at the location of a merchant. An access device may be in any suitable form. Some examples of access devices include POS devices” [0027]; “When the user attempts to access a service using communication device 110, the user may launch the access application on communication device 110, and instruct the access application to generate an access credential that is used for authenticating the user and/or communication device 110 to the service provider. Communication device 110 may interact with access device 160, and provide the access credential to access device 160” [0040]; “The account credential may also include a cryptogram that is generated by encrypting the account information and/or the timestamp using an encryption key. In some embodiments, the encryption key can be a limited-use key that has its own set of usage restrictions. The access credential can then be provided to the access device to request authorization to access the requested service. In some embodiments, the access credential can be transmitted to the access device using a wired or wireless (e.g., NFC, WiFi, Bluetooth, etc.) connection” [0050]; “Access device 160 may send the access credential to authorization sever 180 via authorization network 184 to authenticate the user and/or communication device 110” [0041]); and
validating, by the first device, the first time-based cryptogram using the secret key and a second timestamp associated with a reception of the time-based cryptogram by the first device, received from the contactless card, wherein the wherein the second timestamp falls within the first time interval (e.g. Jin “The authorization sever may also verifying that cryptogram by regenerating the cryptogram using a copy of the encryption key and comparing the regenerated cryptogram with the cryptogram provided in the access credential. The authorization server may also determine whether the access credential has reliable timestamp information (e.g., via the value of the timestamp and/or the timestamp reliability flag)” [0051]; “If the access credential indicates that the timestamp information is reliable, the authorization server may compare the timestamp information with the current authorization network time at the authorization server, and calculate the amount of time that has elapsed since the access credential was generated. The authorization server may then determine whether the access credential is being used within its time-to-live threshold. If the access credential has not expired yet, and the account information and/or cryptogram are verified to be valid, the authorization can then grant authorization for the user and/or the communication device to access the requested service” [0052]);
But Jin does not specifically disclose:
via an intermediary device.
However, the analogous art Ilincic does disclose via an intermediary device (e.g. Ilincic “the contactless card may be tapped to the first mobile device. Doing so instructs the contactless card to transmit the encrypted data to the first mobile device” [0013]; “the system 100 includes one or more contactless cards 101, one or more mobile devices 110, and a server 120” [0017]; “data is exchanged between the contactless card 101 and the server 120 (and/or the contactless card 101 and the mobile device 110). To enable NFC data transfer between the contactless card 101 and the mobile device 110, the account application 113 may communicate with the contactless card 101 when the contactless card 101 is sufficiently close to a card reader 118 of the mobile device 110” [0022]). Jin and Ilincic are analogous art because they are from the same field of endeavor in contactless cards and cryptograms.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, having the teachings of Jin and Ilincic before him or her, to modify the disclosure of Jin with the teachings of Ilincic to include via an intermediary device as claimed. The suggestion/motivation for doing so would have been to provide secure techniques for mobile currency transfer using NFC-enabled mobile devices (Ilincic [0011]). Therefore, it would have been obvious to combine Jin and Ilincic to obtain the invention as specified in the instant claim(s).
Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Jin in view of Ilincic as applied to Claim 1, and further in view of Liu et al. (US 20140325225 A1, hereinafter Liu).
As to Claim 2:
Jin in view of Ilincic discloses the system of claim 1, but does not specifically disclose:
to encrypt the first timestamp with the shared secret key prior to transmission (although Jin does discloses transmitting the timestamp to the contactless card [0076]).
However, the analogous art Liu does disclose to encrypt the first timestamp with the shared secret key prior to transmission (e.g. Liu “encrypting sender's ID and timestamp by using the private key of the coupled public and private keys, and obtains the first ciphertext of the sender's ID valid period” [Abstract]; “wherein the self-authenticated process is conducted between sender and receiver with timestamp, which consists of valid period authentication and identity authentication” [0013]). Jin, Ilincic, and Liu are analogous art because they are from the same field of endeavor in cryptographic network communication.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, having the teachings of Jin, Ilincic, and Liu before him or her, to modify the combination of Jin and Ilincic with the teachings of Liu to include to encrypt the first timestamp with the shared secret key prior to transmission as claimed. The suggestion/motivation for doing so would have been to provide a self-authenticated system with timestamp and solve the problem of the distributed key is irrevocable in the existing self-authenticated system (Liu [0012]). Therefore, it would have been obvious to combine Jin, Ilincic, and Liu to obtain the invention as specified in the instant claim(s).
Claims 5 and 6 are rejected under 35 U.S.C. 103 as being unpatentable over Jin in view of Ilincic as applied to Claim 1, and further in view of VILMOS (US 20200274866 A1).
As to Claim 5:
Jin in view of Ilincic discloses the system of claim 4, but does not specifically disclose:
wherein the second device is configured to verify the first timestamp falls within a second time interval, prior to forwarding (although Jin does discloses forwarding the time-based cryptogram to the authentication processor [0027]; [0040]; [0041]; [0050]).
However, the analogous art VILMOS does disclose wherein the second device is configured to verify the first timestamp falls within a second time interval, prior to forwarding (e.g. VILMOS “expiration is verified based on the timestamp 214, current time and a pre-set expiry value, e.g. 1 minutes. The gateway 30 checks whether or not the pre-set expiry value had already expired since the timestamp 214 was applied, if yes the command 204 will not be forwarded to the second (protected) device 42” [0082]). Jin, Ilincic, and VILMOS are analogous art because they are from the same field of endeavor in authentication over a network.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, having the teachings of Jin, Ilincic, and VILMOS before him or her, to modify the combination of Jin and Ilincic with the teachings of VILMOS to include wherein the second device is configured to verify the first timestamp falls within a second time interval, prior to forwarding as claimed. The suggestion/motivation for doing so would have been to assure the protection of a remotely operable second device (which may even be a complex system as well) without the need to carry out major modifications on the device itself (VILMOS [0010]). Therefore, it would have been obvious to combine Jin, Ilincic, and VILMOS to obtain the invention as specified in the instant claim(s).
As to Claim 6:
Jin in view of Ilincic and VILMOS discloses the system of claim 5, wherein the authentication request is rejected by the second device if the first timestamp does not fall within the second time interval (e.g. VILMOS “expiration is verified based on the timestamp 214, current time and a pre-set expiry value, e.g. 1 minutes. The gateway 30 checks whether or not the pre-set expiry value had already expired since the timestamp 214 was applied, if yes the command 204 will not be forwarded to the second (protected) device 42” [0082]; “the request to transmit the command 204 is rejected without further verification” [0084]). The Examiner supplies the same rationale for the combination of references Jin, Ilincic, and VILMOS as in Claim 5 above.
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Jin in view of Ilincic and VILMOS as applied to Claim 5, and further in view of Agrawal et al. (US 20220215391 A1, hereinafter Agrawal).
As to Claim 7:
Jin in view of Ilincic and VILMOS discloses the system of claim 6, but does not specifically disclose:
wherein the second time interval is predetermined by a client associated with the second device.
However, the analogous art Agrawal does disclose wherein the second time interval is predetermined by a client associated with the second device (e.g. Agrawal “FSP system 130 may, in response to the request, associate a transaction rule with the user's payment account in step 720. The transaction rule may define a condition... For example, the condition may specify a window of time within with a foreign transaction authorization request can be approved, and the condition is met when the foreign transaction authorization request is received within the time window.” [0088]). Jin, Ilincic, VILMOS, and Agrawal are analogous art because they are from the same field of endeavor in authorizing transactions.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, having the teachings of Jin, Ilincic, VILMOS, and Agrawal before him or her, to modify the combination of Jin, Ilincic, and VILMOS with the teachings of Agrawal to include wherein the second time interval is predetermined by a client associated with the second device as claimed. The suggestion/motivation for doing so would have been for greatly enhancing the utility of the payment card while preventing or deterring fraudulent activities (Agrawal [0003]; [0004]). Therefore, it would have been obvious to combine Jin, Ilincic, VILMOS, and Agrawal to obtain the invention as specified in the instant claim(s).
Claims 8 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Jin in view of Ilincic as applied to Claims 1 and 10, and further in view of Liu and Ting (US 20020174348 A1).
As to Claim 8:
Jin in view of Ilincic discloses the system of claim 4, but does not specifically disclose:
wherein the first timestamp is encrypted with a private key, stored on the contactless card, prior to inclusion in the authentication, and validated by a corresponding public key stored in the second device.
However, the analogous art Liu does disclose wherein the first timestamp is encrypted with a private key prior to inclusion in the authentication (e.g. Liu “encrypting sender's ID and timestamp by using the private key of the coupled public and private keys, and obtains the first ciphertext of the sender's ID valid period” [Abstract]; “wherein the self-authenticated process is conducted between sender and receiver with timestamp, which consists of valid period authentication and identity authentication” [0013]; sender encrypts timestamp with private key prior to sending it in the authentication message to the receiver [0034]-[0038]). Furthermore, the analogous art Ting does disclose a private key, stored on the contactless card and validated by a corresponding public key stored in the second device (e.g. Ting “Once the smart card is opened for read access, the agent module 148 reads out the private key associated with the smart card and uses the private key to sign the challenge string to produce the response. The response code is then returned to the server 108 for validation. The network interface 124 receives the resulting response and using the public key associated with the subscriber (stored in module 135), the network interface 124 applies the public key to the signature to validate the response which could only be generated using the private key in the smart card” [0044]). Jin, Ilincic, Liu, and Ting are analogous art because they are from the same field of endeavor in cryptographic validation.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, having the teachings of Jin, Ilincic, Liu, and Ting before him or her, to modify the combination of Jin and Ilincic with the teachings of Liu and Ting to include wherein the first timestamp is encrypted with a private key, stored on the contactless card, prior to inclusion in the authentication, and validated by a corresponding public key stored in the second device as claimed. First suggestion/motivation for doing so would have been to provide a self-authenticated system with timestamp and solve the problem of the distributed key is irrevocable in the existing self-authenticated system (Liu [0012]). Second suggestion/motivation for doing so would have been to utilize strong authentication to offer highly reliable authentication that creates links that cannot be repudiated for transactions initiated within the context of an authenticated session (Ting [0006]). Therefore, it would have been obvious to combine Jin, Ilincic, Liu, and Ting to obtain the invention as specified in the instant claim(s).
As to Claim 18:
Jin in view of Ilincic discloses the method of claim 13, but does not specifically disclose:
wherein the first timestamp is encrypted with a private key, stored on the contactless card, prior to inclusion in the authentication request, and validated by a corresponding public key stored on the second device.
However, the analogous art Liu does disclose wherein the first timestamp is encrypted with a private key prior to inclusion in the authentication request (e.g. Liu “encrypting sender's ID and timestamp by using the private key of the coupled public and private keys, and obtains the first ciphertext of the sender's ID valid period” [Abstract]; “wherein the self-authenticated process is conducted between sender and receiver with timestamp, which consists of valid period authentication and identity authentication” [0013]; sender encrypts timestamp with private key prior to sending it in the authentication message to the receiver [0034]-[0038]). Furthermore, the analogous art Ting does disclose a private key, stored on the contactless card and validated by a corresponding public key stored on the second device (e.g. Ting “Once the smart card is opened for read access, the agent module 148 reads out the private key associated with the smart card and uses the private key to sign the challenge string to produce the response. The response code is then returned to the server 108 for validation. The network interface 124 receives the resulting response and using the public key associated with the subscriber (stored in module 135), the network interface 124 applies the public key to the signature to validate the response which could only be generated using the private key in the smart card” [0044]). Jin, Ilincic, Liu, and Ting are analogous art because they are from the same field of endeavor in cryptographic validation.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, having the teachings of Jin, Ilincic, Liu, and Ting before him or her, to modify the combination of Jin and Ilincic with the teachings of Liu and Ting to include wherein the first timestamp is encrypted with a private key, stored on the contactless card, prior to inclusion in the authentication request, and validated by a corresponding public key stored on the second device as claimed. First suggestion/motivation for doing so would have been to provide a self-authenticated system with timestamp and solve the problem of the distributed key is irrevocable in the existing self-authenticated system (Liu [0012]). Second suggestion/motivation for doing so would have been to utilize strong authentication to offer highly reliable authentication that creates links that cannot be repudiated for transactions initiated within the context of an authenticated session (Ting [0006]). Therefore, it would have been obvious to combine Jin, Ilincic, Liu, and Ting to obtain the invention as specified in the instant claim(s).
Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Jin in view of Ilincic as applied to Claim 10, and further in view of VILMOS and Miryala et al. (US 20180060863 A1, hereinafter Miryala).
As to Claim 14:
Jin in view of Ilincic discloses the method of claim 13 further comprising: a merchant associated with the second device (e.g. Jin “an access device may communicate with an authorization server via a merchant computer or transaction processing network. An access device may generally be located in any suitable location, such as at the location of a merchant” [0027]; “portable communication device 1110 by interacting with a contactless reader 1162 of an access device 1160 (e.g., at a merchant location). Components of access device 1160 may include point-of-sale (POS) terminal 1164 and/or electronic cash register 1166. In some embodiments, access device 1160 can be a web server associated with a merchant” [0104]), but does not specifically disclose:
verifying, by the second device, that the first timestamp falls within a second time interval prior to forwarding (although Jin does discloses forwarding the time-based cryptogram to the first device [0027]; [0040]; [0041]; [0050]);
wherein the second time interval is predetermined by a merchant.
However, the analogous art VILMOS does disclose verifying, by the second device, that the first timestamp falls within a second time interval prior to forwarding (e.g. VILMOS “expiration is verified based on the timestamp 214, current time and a pre-set expiry value, e.g. 1 minutes. The gateway 30 checks whether or not the pre-set expiry value had already expired since the timestamp 214 was applied, if yes the command 204 will not be forwarded to the second (protected) device 42” [0082]). Furthermore, the analogous art Miryala does disclose wherein the second time interval is predetermined by a merchant (e.g. Miryala “a merchant can define a validity period of the unique transaction code by setting a predetermined validity period. The predetermined validity period provides a time period that the unique transaction code is considered valid” [0065]). Jin, Ilincic, VILM