DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Election/Restrictions
The Applicant elected Group I claims 1-11 and 13-19 without traverse.
Claims 12 and 20-36 have been cancelled.
Claims 1-11 and 13-19 are pending.
Information Disclosure Statement
The IDSs filed 1/24/2024 and 3/5/2024 have been considered by the Examiner.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1-3 and 5 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
As to claim 1, the limitation “the first key” (ll.19-20) lacks antecedent basis.
As to claim 2, the limitation “the second key” (ll. 3-4) lacks antecedent basis.
As to claims 2 and 5, the session is described as an “authorized session” (cl. 2), an “unverified session” (cl. 5) and an “authenticated session” (cl. 5). It is not clear how a single session can have so many modifiers that each have different meanings. It is further unclear how the second key is used to authenticate the session.
As to claim 3, it is not clear what is intended by the limitation “chain of keys”. The specification gives some examples of what a chain of keys consists of and what those keys are used for, but it is not clear what is the intended use of the chain of keys. The limitation “the fist key” is read as “the first key”.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claim 1 is rejected under 35 U.S.C. 103 as being unpatentable over US PG Pub. No. 2021/0266309 to Guccione et al. (hereinafter Guccione).
As to claim 1, Guccione teaches:
a. Receiving, on a client device, user input to access a cryptographically protected resource provided by a web service provider (logging in via a redirection to an identity provider) (Guccione, [0063 and 0071]).
b. Redirecting a user on the client device to perform a login to an identity provider (logging in via a redirection to an identity provider) (Guccione, [0063 and 0071]).
c. Receiving, from the identity provider, a response to the login to the identity provider (signed attestation returned to the user) (Guccione, [0071]).
d. Sending the response from the identity provider to the web service provider (identity provider signed attestation sent to vault) (Guccione, [0071]).
e. After the web service provider confirms validity of the identity of the user by the identity provider, receiving information conveying an encrypted credential bundle corresponding to the user and the client device, wherein the encrypted credential bundle is symmetrically encrypted using a device key previously generated on the client device and corresponding to the user and the client device, the encrypted credential bundle including at least an encrypted first key (symmetrically encrypted data key (EDK) (encrypted credential bundle) sent to user by vault upon confirmation of user identity) (Guccione, [0029, 0036, and 0071]). While Guccione does not explicitly recite that the symmetric key used to encrypt the data key corresponds to the user and the device, it would be obvious to make that assumption as only the user has access to the encryption key. The encryption key is only known to the user and the user device (Guccione, [0029]).
Guccione as modified further teaches:
f. Retrieving, from local storage on the client device, the device key corresponding to the user and the client device (decryption key (device key) for the EDK is resident on the user device) (Guccione, [0029 and 0037]).
g. Decrypting the encrypted credential bundle using the device key to obtain the first key (EDK is decrypted to obtain the data key (DK) equivalent to the first key) (Guccione, [0057]).
h. Using the first key to access the cryptographically protected resource provided by the web service provider (DK is used to access encrypted data from the vault) (Guccione, [0057]).
As to claim 3 as best understood, Guccione as modified teaches:
a. The web service provider is a vault service provider (Guccione, [0023]).
b. The cryptographically protected resource is a vault provided by the vault service provider (Guccione, [0023]).
c. Using the first key to access the cryptographically protected resource provided by the web service provider comprises using the fi[r]st key to decrypt an encrypted chain of keys to unlock the vault provided by the vault service provider (encrypted data key is decrypted and used to access the user’s secure data) (Guccione, [0029]).
As to claim 4, Guccione as modified teaches:
a. The encrypted credential bundle is symmetrically encrypted with a symmetric encryption key derived from the device key (symmetrically encrypted data key (EDK) (encrypted credential bundle) sent to user by vault upon confirmation of user identity) (Guccione, [0029, 0036, and 0071]). While Guccione does not explicitly recite that the symmetric key used to encrypt the data key corresponds to the user and the device, it would be obvious to make that assumption as only the user has access to the encryption key. The encryption key is only known to the user and the user device (Guccione, [0029]).
b. Deriving a symmetric decryption key using the device key (symmetric encryption key is used to encrypt device key) (Guccione, [0029]).
c. Decrypting the encrypted credential bundle with the symmetric decryption key (EDK is decrypted to obtain the data key (DK) equivalent to the first key) (Guccione, [0057]).
As to claim 9, Guccione as modified teaches before receiving the encrypted credential bundle from the web service provider, sending a key identifier (ID) to the web service provider for use in identifying the encrypted credential bundle corresponding to the user and the client device, wherein the key ID corresponds to the device key previously generated on the client device (registering client device) (Guccione, [0076]).
As to claim 10, Guccione as modified teaches:
a. Receiving a communication from the web service provider confirming validation of the identity of the user by the identity provider (user authenticated) (Guccione, [0029, 0036, and 0071]).
b. Sending, to the web service provider, a request to provide the encrypted credential bundle corresponding to the user and the client device previously generated on the client device (upon authentication, vault service provider sends EDK to user) (Guccione, [0029, 0036, and 0071]).
As to claim 11, Guccione as modified teaches the encrypted credential bundle corresponds to the user, the client device and a specific account of the user, the method further comprising sending an account identifier to the web service provider for use in identifying the encrypted credential bundle corresponding to the user, the client device and the specific account of the user (user accounts are used to ensure that proper authentication procedures are followed to allow the user to access their protected data) (Guccione, [0027-0029]).
As to claim 13, Guccione as modified teaches:
a. Receiving, on the client device, user input to access the cryptographically protected resource provided by the web service provider (logging in via a redirection to an identity provider) (Guccione, [0063 and 0071]).
b. Redirecting the user on the client device to perform a login to the identity provider (logging in via a redirection to an identity provider) (Guccione, [0063 and 0071]).
c. Receiving, from the identity provider, a response to the login to the identity provider (signed attestation returned to the user) (Guccione, [0071]).
d. Sending the response from the identity provider to the web service provider (identity provider signed attestation sent to vault) (Guccione, [0071]).
e. After the web service provider confirms validity of the identity of the user by the identity provider, generating the device key corresponding to the user and the client device (symmetrically encrypted data key (EDK) (encrypted credential bundle) sent to user by vault upon confirmation of user identity) (Guccione, [0029, 0036, and 0071]).
f. Generating the first key (data key) (Guccione, [0036]).
g. Encrypting the first key using the device key to generate the encrypted credential bundle (symmetrically encrypted data key (EDK) (encrypted credential bundle) sent to user by vault upon confirmation of user identity) (Guccione, [0029, 0036, and 0071]).
h. Sending the encrypted credential bundle to the web service provider for storage in association with the user and the client device (upon authentication, vault service provider sends EDK to user) (Guccione, [0029, 0036, and 0071]).
As to claim 14, Guccione as modified teaches:
a. Deriving a symmetric encryption key using the device key (symmetrically encrypted data key (EDK) (encrypted credential bundle)) (Guccione, [0029, 0036, and 0071]).
b. Encrypting the first key with the symmetric encryption key to generate the encrypted credential bundle (symmetric encryption key is used to encrypt device key) (Guccione, [0029]).
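As an added illustration that is not from the application, from Guccione, or from this Office action, the following Python sketches the credential-bundle handling recited in claims 1, 4, 13 and 14: enrollment generates a device key and a first key on the client, derives a symmetric key from the device key, and wraps the first key into the encrypted credential bundle that the web service provider stores; later access re-derives the same symmetric key from the locally stored device key and unwraps the first key. The HKDF-style derivation, the HMAC-based encrypt-then-MAC cipher and the label strings are choices assumed here, not anything the references specify.

```python
import hashlib
import hmac
import secrets

# Added illustration; the KDF, cipher and labels are assumptions, not the references'.
SALT = b"credential-bundle-kdf"  # constructed constant for the key derivation


def derive_key(device_key: bytes, label: bytes, length: int) -> bytes:
    """HKDF-style extract-then-expand over HMAC-SHA256 (claims 4 and 14:
    a symmetric key derived from the device key, never the device key itself)."""
    prk = hmac.new(SALT, device_key, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + label + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode, a stdlib stand-in for an AEAD such as AES-GCM.
    stream, counter = b"", 0
    while len(stream) < length:
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return stream[:length]


def seal(sym_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag. sym_key is 64 bytes (enc || mac)."""
    enc_key, mac_key = sym_key[:32], sym_key[32:]
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(sym_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting: a wrong device key or a modified bundle fails here."""
    enc_key, mac_key = sym_key[:32], sym_key[32:]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("credential bundle failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def enroll() -> tuple:
    """Claim 13/14 enrollment on the client: generate the device key (kept in local
    storage) and the first key, wrap the first key, and hand only the wrapped
    bundle to the web service provider for storage."""
    device_key = secrets.token_bytes(32)
    first_key = secrets.token_bytes(32)
    bundle = seal(derive_key(device_key, b"bundle-wrap", 64), first_key)
    return device_key, first_key, bundle


def unlock(device_key: bytes, bundle: bytes) -> bytes:
    """Claim 1/4 access: once the identity-provider login is confirmed the client
    receives the bundle back, re-derives the symmetric key from its stored device
    key, and recovers the first key; the provider only ever holds the bundle."""
    return open_sealed(derive_key(device_key, b"bundle-wrap", 64), bundle)
```

The provider-side storage holds only `bundle`, so the first key is recoverable solely on the client that holds the matching device key.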
Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over US PG Pub. No. 2021/0266309 to Guccione et al. (hereinafter Guccione) as applied to claim 1 above, and further in view of US PG Pub. No. 2007/0006231 to Barari et al. (hereinafter Barari).
As to claim 2, Guccione as modified teaches receiving multiple session tokens from the vault service provider to enable secure communication and connection to the vault service provider (Guccione, at least [0076]), but does not expressly mention a second key. However, in an analogous art, Barari teaches:
a. Decrypting the encrypted credential bundle using the device key to obtain the second key (encrypted session key is sent to the user via a Ticket Granting Ticket (TGT) (encrypted credential bundle) to enable secure communication between the parties) (Barari, [0027]).
Therefore, one of ordinary skill in the art before the effective filing date of the instant application would have been motivated to implement the single sign on scheme of Guccione with the inclusion of an encrypted session key (second key) of Barari in order to perform a more secure single sign on scheme as suggested by Barari (Barari, [0011]).
Guccione as modified further teaches:
b. Using the second key to establish an authorized session for communication between the web service provider and the client device (session key is decrypted and used to establish secure communication with the server) (Barari, [0005]).
As to claim 5, Guccione as modified teaches after the web service provider confirms validity of the identity of the user by the identity provider, receiving information from the web service provider conveying a session identifier corresponding to an unverified session between the web service provider and the client device, wherein using the second key to establish an authenticated session for communication with the web service provider comprises using the second key to authenticate the unverified session corresponding to the session identifier received from the web service provider (session key is the identifier and is used in authenticating a communication session between the server and the user) (Barari, [0006]).
As to claim 15, Guccione as modified teaches before redirecting the user on the client device to perform the login to the identity provider, performing an enrollment process to register the client device with the web service provider as a trusted device for SSO for the user, comprising:
a. Generating a verifier using the second key (session key is used as a verifier and identifier and is used in authenticating a communication session between the server and the user) (Barari, [0006]).
b. Sending the verifier to the web service provider for storage in association with the user and the client device for use in establishing the authenticated session for communication between the web service provider and the client device (session key is used as a verifier and identifier and is used in authenticating a communication session between the server and the user) (Barari, [0006]).
Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over US PG Pub. No. 2021/0266309 to Guccione et al. (hereinafter Guccione) in view of US PG Pub. No. 2007/0006231 to Barari et al. (hereinafter Barari) as applied to claim 2 above, and further in view of US Patent No. 10,382,413 to Friel et al. (hereinafter Friel).
As to claim 6, Guccione as modified teaches using the second key to establish an authenticated session for communication with the web service provider comprises using the first key in a password authenticated key exchange (PAKE) to establish the authenticated session for communication with the web service provider without revealing the first key to the web service provider (PAKE handshake used to establish secure session) (Friel, 4:28-45) and (vault has no access to data key) (Guccione, [0023]).
Therefore, one of ordinary skill in the art before the effective filing date of the instant application would have been motivated to implement the single sign on scheme of Guccione as modified with the use of the PAKE protocol of Friel in order to “establish an ephemeral, secure, encrypted channel” as suggested by Friel (Friel, 4:28-45).
As to claim 7, Guccione as modified teaches using the second key in the PAKE to establish the authenticated session for communication with the web service provider comprises establishing a shared session key for the end-to-end encrypted communication with the web service provider (PAKE handshake used to establish secure session) (Friel, 4:28-45).
As to claim 8, Guccione as modified teaches the PAKE is based on a secure remote password (SRP) protocol utilizing a verifier previously generated using the second key, wherein the verifier is stored on the web service provider (SRP) (Friel, 4:28-45).
As to claim 16, Guccione as modified teaches:
a. Receiving a notification from the web service provider indicating a second client device has requested to be registered with the web service provider as a trusted device for the user (approval/registration of additional devices) (Guccione, [0034-0045 and 0103]).
b. Establishing a shared secret with the second client device (Guccione, [0036]).
Guccione as modified does not expressly mention using PAKE. However, in an analogous art, Friel teaches:
c. Using the shared secret in a password authenticated key exchange (PAKE) with the second client device to establish a session key for end-to-end encrypted communication with the second client device via the web service provider, wherein neither the shared secret nor the session key is revealed to the web service provider (PAKE handshake used to establish secure session) (Friel, 4:28-45).
Therefore, one of ordinary skill in the art before the effective filing date of the instant application would have been motivated to implement the single sign on scheme of Guccione as modified with the use of the PAKE protocol of Friel in order to “establish an ephemeral, secure, encrypted channel” as suggested by Friel (Friel, 4:28-45).
d. Encrypting a copy of the credential bundle using the session key (Guccione, [0029, 0036, and 0071]).
e. Sending the encrypted copy of the credential bundle to the web service provider for retrieval by the second client device (Guccione, [0029, 0036, and 0071]).
As to claim 17, Guccione as modified teaches:
a. Deriving a symmetric encryption key using the session key (symmetrically encrypted data key (EDK) (encrypted credential bundle)) (Guccione, [0029, 0036, and 0071]).
b. Encrypting the copy of the credential bundle with the symmetric encryption key derived using the session key (symmetrically encrypted data key (EDK) (encrypted credential bundle)) (Guccione, [0029, 0036, and 0071]).
As to claim 18, Guccione as modified teaches:
a. The shared secret comprises a code generated on the first client device (code is used as an additional authentication factor (out of band authentication)) (Guccione, [0027]).
b. Establishing the shared secret with the second client device comprises displaying the code on a display of the first client device with a prompt to enter the code on the second client device (code is used as an additional authentication factor (out of band authentication) code is displayed in an email for example) (Guccione, [0027]).
c. Using the shared secret in the PAKE with the second client device comprises performing a PAKE handshake process with the second device via the web service provider using the code to establish the session key (code is used as an additional authentication factor (out of band authentication) code is displayed in an email for example) (Guccione, [0027]).
As to claim 19, Guccione as modified teaches the PAKE is based on a balanced composable PAKE protocol (using a particular old and well known commercially available protocol is not considered patentably distinct) (PAKE handshake used to establish secure session) (Friel, 4:28-45).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM S POWERS whose telephone number is (571)272-8573. The examiner can normally be reached M-F 7:30-17:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L Ortiz-Criado can be reached at (571) 272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/WILLIAM S POWERS/ Primary Examiner, Art Unit 2496