SYSTEMS AND METHODS FOR ACCESS CONTROL

§102 §103

DETAILED ACTION Claims 1-20 have been examined. Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. Priority The current application claims foreign priority to 2022902758, filed 09/23/2022. Information Disclosure Statement The information disclosure statement (IDS) submitted on 09/15/2023 has been considered by the examiner. Claim Rejections - 35 USC § 102 The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention. Claims 1-7, 15-18, and 20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by United States Patent Application Publication No. US 20220121765 A1 to Foong et al., hereinafter Foong. Regarding claim 1, Foong discloses a system for access control, the system comprising: an access authority configured to: receive an access request associated with a user (Figure 1, paragraphs 80 and 125, “the user-device engagement circuitry 502 requests that the user device 102 transmit user data attributes”); determine whether the user is authorised to be granted access (paragraph 160, “allow the user to control the processor platform 1400”, and paragraphs 169 and 178); in response to determining that the user is authorised to be granted access, digitally sign access authorisation data comprising a cryptographic key of the user (paragraph 31, “crypto-signature”, paragraphs 32, 51, 52, 64, 65, and 82, “the key generated by the example key generator 414 that is used to cryptographically sign the proof of authenticity token”); and send the signed access authorisation data to a user device associated with the user (paragraphs 31 and 81, “transmits the encrypted and signed user data to the data operator 104 via the secure communication channel”); and an access controller configured to: receive from the user device signed authentication data comprising the signed access authorisation data (paragraphs 51, 64, and 81, “transmits the encrypted and signed user data to the data operator 104”); verify access criteria comprising: verifying of the signature of the signed access authorisation data (paragraphs 52 and 64, “verifying the cryptographic signature”, and paragraphs 69 and 89); and verifying the signature of the signed authentication data using the cryptographic key of the user (paragraph 52, “performs the verification by using a public key to verify the cryptographic signature”, paragraph 65, “uses the public key to verify the cryptographic signature”, and paragraph 89); and, in response to verifying the access criteria, grant the access request (paragraph 60, “used to gain access to the user data”, paragraph 66, “The data compute agent 106 uses the first key, PK1, to unlock the data permit and thereby gain access to the user data attributes and any additional information included in the data permit”, and paragraph 85, “obtain permission to access the user data and to obtain a set of attributes from the user device 102”). Regarding claim 2, Foong discloses wherein the access controller is configured to verify the signature of the signed authentication data through public-key cryptography (paragraph 30, “public/private key encryption method(s)”), wherein the cryptographic key of the user is a user public key (paragraph 48, “public key”, paragraphs 52, 64, 65, and 89, “uses the public key to verify the proof of authenticity token…verifying the proof of authenticity token includes verifying a crypto-signature used to sign the proof of authenticity token”), and wherein the access controller is configured to verity that the signature of the signed authentication data was generated with a user private key (paragraphs 47 and 51, “cryptographically signed with a private key”, and paragraphs 53 and 64), wherein the user public key and the user private key form a cryptographic key pair (paragraph 30, “key pairs”). Regarding claim 3, Foong discloses wherein the access controller is configured to verify the signature of the signed access authorisation data through public-key cryptography (paragraph 30, “public/private key encryption method(s)”), wherein the access authority is configured to generate the signature of the signed access authorisation data with an authority private key (paragraphs 47 and 51, “cryptographically signed with a private key”, and paragraphs 53 and 64), and wherein the access controller is configured to access an authority public key and to verify the signature of the signed access authorisation data using the authority public key (paragraph 48, “public key”, paragraphs 52, 64, 65, and 89, “uses the public key to verify the proof of authenticity token…verifying the proof of authenticity token includes verifying a crypto-signature used to sign the proof of authenticity token”), wherein the authority public key and the authority private key form a cryptographic key pair (paragraph 30, “key pairs”). Regarding claim 4, Foong discloses wherein the access authority is configured to generate the cryptographic key pair comprising the authority public key and the authority private key (paragraphs 30, 48, and 51). Regarding claim 5, Foong discloses wherein the access controller is configured to receive the authority public key from the access authority, and to store the authority public key in a memory of the access controller (paragraphs 51, 64, and 65). Regarding claim 6, Foong discloses wherein the access authorisation data comprises a location identifier indicative of a location which the user is authorised to access, and wherein the access criteria further comprise verifying that the location identifier corresponds to a location associated with the access controller (paragraph 28, “a geographic location at which the date may be operated on”, paragraph 34, “permitting the data operator 104 to access the user data for a limited purpose and for a limited time and at a limited location”, and paragraph 35, “when the user device 102 is on the premises of the data operator 104, the data operator 104 can collect user data from the user device 102 and process the user data. In the same such examples, the data operator 104 is obligated to stop collecting and processing the user data when the user leaves the premises of the data operator 104”). Regarding claim 7, Foong discloses wherein the access authority is further configured to: determine a request time indicative of the time when the access request is received (paragraphs 34, 35, and 41, “time frame”, paragraphs 43 and 55, “the agent time attribute can specify a time period or timeframe (or a quality of service level) within which the data compute agent will process user data. A user data time attribute can specify a timeframe within which the user data is to be processed or can specify an expiration time after which the user data can longer be processed” and paragraph 56, “provided that a first time equal to the turnaround time plus a current time at which the user data is to be sent to the data compute agent is equal to a second time that occurs before the expiration time, the data operator 104 can be assured that the agent time attribute satisfies the user data time attribute”); and, in response to determining that the request time is outside an access period, set the access authorisation data to indicate an invalid status (paragraph 35, “to limit any processing of the user data to within a time frame during which the user (and, therefore, the user device 102) will be at the premises of the data operator 104”, paragraph 41, “time frame”, and paragraph 73, “The data compute agent 106 can communicate this refusal by not sending an R BID or by sending a message indicating that the second batch of user data was transmitted outside of the user data timeframe attribute (see encircled 11B) and cannot, therefore, be processed”); and wherein the access criteria further comprise verifying that the status of the authorisation data is not invalid (paragraph 43, “a tamper proof source of time” and paragraph 56, “provided that a first time equal to the turnaround time plus a current time at which the user data is to be sent to the data compute agent is equal to a second time that occurs before the expiration time, the data operator 104 can be assured that the agent time attribute satisfies the user data time attribute”). Regarding claim 15, Foong discloses wherein, to determine whether a user is authorised to be granted access, the access authority is configured to receive access credentials of the user, and to determine a validity of the access credentials (paragraph 29, “the data processing entity can use the user data attribute-based data protection protocol to ensure that a user device (or any other device) that is supplying the data is trustworthy so that the data processing entity can be assured that the data is valid (e.g., not corrupt, virus free, not spoofed, etc.)”, paragraphs 48 and 92, “verify of validate any identity bids received from any of the example compute agents 106A, 106B, 106C in accordance with the user data attribute-based data protection protocol”, and paragraph 93). Regarding claim 16, Foong discloses wherein the access authorisation data further comprises timing data, and wherein the access criteria further comprise verifying that the signed access authorisation data is not expired based on the timing data of the signed access authorisation data (paragraph 55, “A user data time attribute can specify a timeframe within which the user data is to be processed or can specify an expiration time after which the user data can no longer be processed. In some examples, when the data operator 104 determines that the timeframe specified in the agent time attribute falls within the timeframe or before the expiration time specified in the user data time attribute, the agent time attribute is determined to satisfy the user data time attribute.”, and paragraph 56, “the agent time attribute can indicate an amount of time within which user data received at the data compute agent will be processed (e.g., a data processing turnaround time), and the user data time attribute can specify an expiration time (also referred to as an end-processing time) by which all processing of user data is to be complete. In some such examples, provided that a first time equal to the turnaround time plus a current time at which the user data is to be sent to the data compute agent is equal to a second time that occurs before the expiration time, the data operator 104 can be assured that the agent time attribute satisfies the user data time attribute”). Regarding claim 17, Foong discloses wherein the signed authentication data further comprises timing data, wherein the access criteria further comprise verifying that the signed authentication data is not expired based on the timing data of the signed authentication data (paragraph 55, “A user data time attribute can specify a timeframe within which the user data is to be processed or can specify an expiration time after which the user data can no longer be processed. In some examples, when the data operator 104 determines that the timeframe specified in the agent time attribute falls within the timeframe or before the expiration time specified in the user data time attribute, the agent time attribute is determined to satisfy the user data time attribute.”, and paragraph 56, “the agent time attribute can indicate an amount of time within which user data received at the data compute agent will be processed (e.g., a data processing turnaround time), and the user data time attribute can specify an expiration time (also referred to as an end-processing time) by which all processing of user data is to be complete. In some such examples, provided that a first time equal to the turnaround time plus a current time at which the user data is to be sent to the data compute agent is equal to a second time that occurs before the expiration time, the data operator 104 can be assured that the agent time attribute satisfies the user data time attribute”). Regarding claim 18, Foong discloses wherein the signed authentication data further comprises authentication information of the user (paragraphs 51, 64, and 81, “transmits the encrypted and signed user data to the data operator 104”). Regarding claim 20, Foong teaches a method for access control, the method comprising: receiving an access request associated with a user (Figure 1, paragraphs 80 and 125, “the user-device engagement circuitry 502 requests that the user device 102 transmit user data attributes”); determining whether the user is authorised to be granted access (paragraph 160, “allow the user to control the processor platform 1400”, and paragraphs 169 and 178); in response to determining that the user is authorised to be granted access, generating an authority signature by digitally signing access authorisation data comprising a cryptographic key of the user (paragraph 31, “crypto-signature”, paragraphs 32, 51, 52, 64, 65, and 82, “the key generated by the example key generator 414 that is used to cryptographically sign the proof of authenticity token”); sending the signed access authorisation data to a user device associated with the user (paragraphs 31 and 81, “transmits the encrypted and signed user data to the data operator 104 via the secure communication channel”); receiving, from the user device, signed authentication data comprising the signed access authorisation data (paragraphs 51, 64, and 81, “transmits the encrypted and signed user data to the data operator 104”); verifying access criteria comprising: verifying the authority signature of the signed access authorisation data (paragraphs 52 and 64, “verifying the cryptographic signature”, and paragraphs 69 and 89); and verifying that the signature of the signed authentication data is a digital signature of the user using the cryptographic key of the user (paragraph 52, “performs the verification by using a public key to verify the cryptographic signature”, paragraph 65, “uses the public key to verify the cryptographic signature”, and paragraph 89); and, in response to verifying the access criteria, granting the access request (paragraph 60, “used to gain access to the user data”, paragraph 66, “The data compute agent 106 uses the first key, PK1, to unlock the data permit and thereby gain access to the user data attributes and any additional information included in the data permit”, and paragraph 85, “obtain permission to access the user data and to obtain a set of attributes from the user device 102”). Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. Claims 8 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Foong as applied to independent claim 1 above, and further in view of United States Patent Application Publication No. US 20220014918 A1 to Mastenbrook et al, hereinafter Mastenbrook. Foong discloses the claimed invention, as cited above. However, Foong is not relied upon to disclose the claim limitations pertaining to “wherein the access controller comprises an image sensor configured to read one or more optical labels from a display device of the user device, wherein the one or more optical labels represent the signed authentication data”. Mastenbrook discloses these claim limitations, as cited below, via the claimed “optical labels” being broadly interpreted to pertain to the disclosed “QR Code” within Mastenbrook. Regarding claim 8, Mastenbrook discloses wherein the access controller comprises an image sensor configured to read one or more optical labels from a display device of the user device, wherein the one or more optical labels represent the signed authentication data (paragraph 45, “The manager device 110 captures an image of the QR code 112 using the camera, and decodes the identity key of DSD 100 from the QR code. In one example, the QR code encodes a Uniform Resource Locator (URL). In that case, a generic app can capture the QR code, which then automatically directs the phone to an application store where the app can be downloaded. The URL also includes the identity key so that the app can decode that identifier once the app is installed.”, paragraph 48, “The manager device 110 itself may have received the public key from the user device 111 via email, by scanning a QR code displayed on the user device 111 or any other way.”, and paragraph 103). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Mastenbrook with the teachings of Foong “for securing a wireless communication channel between a client device and a server device” via an “Access controller 102 then calculates 502 based on the random value and the identity key a message authentication code. As set out above, the identity key is readable by manager device 110 in response to being in proximity of the data storage device 100. The identity key is readable out of band of the wireless communication channel. This means that the identity key is obtained over a channel that is different from the wireless communication channel. For example, the manager device 110 may obtain the identity key by reading a QR code or interrogating an NFC chip” (Mastenbrook – paragraph 103). In assessing whether a claim to a combination of prior art elements/steps would have been obvious, the question to be asked is whether the improvement of the claim is more than the predictable use of prior art elements or steps according to their established functions. KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 418 (2007). “[T]he analysis need not seek out precise teachings directed to the specific subject matter of the challenged claim, for a court can take account of the inferences and creative steps that a person of ordinary skill in the art would employ.” Id. at 418. It is well established that in evaluating references it is proper to take into account not only the specific teachings of the references but also the inferences which one skilled in the art would reasonably be expected to draw therefrom. In re Preda, 401 F.2d 825, 826 (CCPA 1968). Foong discloses the claimed invention, as cited above. However, Foong is not relied upon to disclose the claim limitations pertaining to “wherein each of the optical labels is a matrix barcode”. Mastenbrook discloses these claim limitations, as cited below, via the claimed “optical labels” being broadly interpreted to pertain to the disclosed “QR Code” within Mastenbrook. Regarding claim 14, Mastenbrook discloses wherein each of the optical labels is a matrix barcode (paragraph 45, “The manager device 110 captures an image of the QR code 112 using the camera, and decodes the identity key of DSD 100 from the QR code. In one example, the QR code encodes a Uniform Resource Locator (URL). In that case, a generic app can capture the QR code, which then automatically directs the phone to an application store where the app can be downloaded. The URL also includes the identity key so that the app can decode that identifier once the app is installed.”, paragraph 48, “The manager device 110 itself may have received the public key from the user device 111 via email, by scanning a QR code displayed on the user device 111 or any other way.”, and paragraph 103). [Paragraph 13 of the Applicant’s Specification states that “the matrix barcode is a quick response (QR) code”; thus the “QR Code” disclosed within Mastenbrook discloses this aspect of the Applicant’s claimed invention.] Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Mastenbrook with the teachings of Foong “for securing a wireless communication channel between a client device and a server device” via an “Access controller 102 then calculates 502 based on the random value and the identity key a message authentication code. As set out above, the identity key is readable by manager device 110 in response to being in proximity of the data storage device 100. The identity key is readable out of band of the wireless communication channel. This means that the identity key is obtained over a channel that is different from the wireless communication channel. For example, the manager device 110 may obtain the identity key by reading a QR code or interrogating an NFC chip” (Mastenbrook – paragraph 103). In assessing whether a claim to a combination of prior art elements/steps would have been obvious, the question to be asked is whether the improvement of the claim is more than the predictable use of prior art elements or steps according to their established functions. KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 418 (2007). “[T]he analysis need not seek out precise teachings directed to the specific subject matter of the challenged claim, for a court can take account of the inferences and creative steps that a person of ordinary skill in the art would employ.” Id. at 418. It is well established that in evaluating references it is proper to take into account not only the specific teachings of the references but also the inferences which one skilled in the art would reasonably be expected to draw therefrom. In re Preda, 401 F.2d 825, 826 (CCPA 1968). Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Foong as applied to independent claim 1 above, and further in view of United States Patent Application Publication No. US 20200100108 A1 to Everson et al., hereinafter Everson. Foong discloses the claimed invention, as cited above. However, Foong is not relied upon to disclose the claim limitations pertaining to “wherein the access controller is operatively coupled to a lock, and wherein the access controller is configured to grant the access request by unlocking the lock”. Everson discloses said claim limitations via the process of unlocking a lock upon successful authentication, as cited below. Regarding claim 19, Everson discloses wherein the access controller is operatively coupled to a lock, and wherein the access controller is configured to grant the access request by unlocking the lock (paragraph 3, “transmitting, by the mobile device, the encrypted and signed credential message to the access control edge device, decrypting, by the access control edge device and using the shared cryptographic key, the encrypted and signed credential message to extract the encrypted credential blob, decrypting, by the access control edge device and using the symmetric cryptographic key, the encrypted credential blob to extract the wireless access credential, and unlocking a lock mechanism of an electronic lock associated with the access control edge device in response to successful authentication of the wireless access credential”, paragraph 17, “unlock the lock mechanism in response to successful authentication of the wireless access credential”, paragraph 41, “The access control edge system may be to receive the BLE access credential from the mobile device via the BLE communication circuitry and unlock the lock mechanism in response to successful authentication of the BLE access credential”, and paragraphs 51). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Everson with the teachings of Foong to be able to enable a locking mechanism to be wirelessly, unlocked upon successful authentication of the provided access credentials (Everson – paragraph 17, “unlock the lock mechanism in response to successful authentication of the wireless access credential”). In assessing whether a claim to a combination of prior art elements/steps would have been obvious, the question to be asked is whether the improvement of the claim is more than the predictable use of prior art elements or steps according to their established functions. KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 418 (2007). “[T]he analysis need not seek out precise teachings directed to the specific subject matter of the challenged claim, for a court can take account of the inferences and creative steps that a person of ordinary skill in the art would employ.” Id. at 418. It is well established that in evaluating references it is proper to take into account not only the specific teachings of the references but also the inferences which one skilled in the art would reasonably be expected to draw therefrom. In re Preda, 401 F.2d 825, 826 (CCPA 1968). Allowable Subject Matter Claims 9-13 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The references cited on form PTO-892 are cited to further show the state of the art with respect to access control. Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEREMIAH L AVERY whose telephone number is (571)272-8627. The examiner can normally be reached M-F 8:30am -5:00pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached at 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /JEREMIAH L AVERY/Primary Examiner, Art Unit 2431