DETAILED ACTION
This non-final office action is in response to claims 1-27 filed August 18, 2023 for examination. Claims 1-27 are being examined and are pending.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Preliminary Amendment
Preliminary amendments, filed 08/18/2023 has been acknowledged.
Information Disclosure Statement
The information disclosure statement filed 08/18/2023, 02/01/2024, has been placed in the application file and the information referred to therein has been considered as to the merits.
Drawings
The drawings filed on 08/18/2023 have been accepted.
Claim Rejections - 35 USC § 112
Claims 1-27 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 1. A method for authenticating a user to an application program installed on a mobile terminal, wherein an operating system is installed on the terminal, wherein the operating system is configured to control at least one authentication sensor of the terminal for detecting at least one authentication factor of the user, wherein the terminal comprises a first security element associated with the operating system, wherein the first security element comprises cryptographic means for executing a challenge-response method, wherein a private cryptographic key of an asymmetric key pair of the first security element is stored in a protected memory area of the first security element, wherein there is further provided a security element associated with the application program, which is independent of the first security element, wherein the second security element comprises cryptographic means for executing a challenge response method, wherein the method comprises: in response to an authentication request from the application program, authenticating the user by the operating system using the authentication sensor and the first security element, executing a challenge-response method between the first security element and the second security element, wherein the challenge-response method comprises generating a response by the first security element and validating the response by the second security element, wherein generating the response comprises encrypting a challenge of the second security element by the first security element using the private cryptographic key of the first security element, and wherein validating the response comprises decrypting the response of the first security element by the second security element using a public cryptographic key of the asymmetric key pair of the first security element, wherein successful execution of the challenge-response method confirms successful authentication of the user by the operating system, upon successful execution of the challenge-response method, confirming successful authentication of the user to the application program by the second security element.
Independent claim 1 recites
“the terminal” lacks antecedent basis.
“…wherein the secondary security element comprises…” lacks antecedent basis.
two instances “a challenge response method” earlier in the claim, the recitation of “the challenge response method” in the same or subsequent claim would be unclear where it is uncertain which of the two challenge response methods was intended (must be first or second challenge response method).
Claim 1 recites “decrypting the response of the first security element” but the response of the first security element wasn’t encrypted before as per claim limitation which makes the claim limitation vague and unclear.
Claim 22. A system, wherein the system comprises a mobile terminal for authenticating a user to an application program installed on a mobile terminal, wherein the mobile terminal comprises a processor, wherein an operating system is installed on the terminal, wherein the operating system is configured to control at least one authentication sensor of the terminal for detecting at least one authentication factor of the user, wherein the terminal comprises a first security element associated with the operating system, wherein the first security element comprises cryptographic means for executing a challenge-response method, wherein a private cryptographic key of an asymmetric key pair of the first security element is stored in a protected memory area of the first security element, wherein the system further comprises a second security element independent of the first security element, wherein the second security element comprises cryptographic means for executing a challenge-response method, wherein the processor is configured to execute a method for authenticating a user to an application program installed on a mobile terminal, the method comprising: in response to an authentication request from the application program, authenticating the user by the operating system using the authentication sensor and the first security element, executing a challenge-response method between the first security element and the second security element, wherein the challenge-response method comprises generating a response by the first security element for validation by the second security element, wherein generating the response comprises encrypting a challenge of the second security element by the first security element using the private cryptographic key of the first security element for validation by decrypting the response of the first security element by the second security element using a public cryptographic key of the asymmetric key pair of the first security element, wherein successful execution of the challenge-response method confirms successful authentication of the user by the operating system, upon successful execution of the challenge-response method, confirming successful authentication of the user to the application program by the second security element.
Independent claim 22 recites
two instances of “a mobile terminal” earlier in the claim, the recitation of “the mobile terminal” in the same or subsequent claim would be unclear where it is uncertain which of the two mobile terminals was intended (must be first or second mobile terminal).
“the terminal” lacks antecedent basis.
two instances “a challenge response method” earlier in the claim, the recitation of “the challenge response method” in the same or subsequent claim would be unclear where it is uncertain which of the two challenge response methods was intended (must be first or second challenge response method).
Claim 22 recites “decrypting the response of the first security element” but the response of the first security element wasn’t encrypted before as per claim limitation which makes the claim limitation vague and unclear.
Dependent claims 2-21 and 23-27 do not cure the deficiencies set for the above.
Allowable Subject Matter
Claims 1-27 would be allowable if rewritten or amended to overcome the rejection(s) under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), 2nd paragraph, set forth in this Office action.
Reason for indicating allowable subject matter:
Prior art US Patent # 10,778,450 (Griffin et al.) taught a method for gesture-based multi-factor authentication includes receiving a gesture password (i.e. authentication factor) from a user. The gesture password is mapped to a first substitution string. A cryptographic key is generated using the substitution string as an input to a password authenticated key exchange (“PAKE”) protocol. A challenge response (i.e. first security element) is encrypted with the cryptographic key to generate an encrypted challenge response (i.e. cryptographic means). A user identifier and the encrypted challenge question are transmitted to a relying party (i.e. second security element). The encrypted challenge response can be verified by the relying party by retrieving the first substitution string based on the user identifier, generating the cryptographic key using the first substitution string as an input to the PAKE protocol, decrypting the encrypted challenge response using the cryptographic key, and verifying the challenge response so as to authenticate the user. Abstract. Griffin Further taught a securely stored associated substitution string (Col. 7, lines 58-60.). At 24, the substitution string, associated with the gesture-based password and securely stored on the user device (col. 8, lines 48-49.) The substitution string used as an input to the PAKE protocol may be R'WJ$Pq57]mbTk#QsWK}um< k3D%hLNSaCF#<'A!U2whl={H04<"% A. At 26, a symmetric key is created using the substitution string via an agreed-upon encryption algorithm (Col. 9, lines 1-9). The second challenge question can be a request for the relying party to provide its credentials to the user, and the second challenge response can include the relying party's credentials. In another arrangement, the second challenge question may be an integer N that is encrypted with the cryptographic key. The second challenge response may be a variant of the integer N, such as N+1, which is also encrypted with the cryptographic key (Col. 9, lines 58-65.)
Prior art US Patent # 10,579,984 B2 (Alattar et al.) taught a method for making a transaction of a contactless application secure, said contactless application (11) being stored in the mobile terminal (10), said transaction being executed between the mobile terminal and a contactless reader (12), said mobile terminal comprising a security element (14), said method comprising the following steps: sending, by the contactless application to the contactless reader, a token representing a sensitive piece of data and a first authentication value associated with the token during said transaction between the mobile terminal and the contactless reader, receiving, by the security element, the token and the first authentication value from the contactless reader, calculating, by the security element, a second authentication value on the basis of the received token, comparing, by the security element, the first and the second authentication values to obtain a result of the comparison, and sending, by the security element, the result of the comparison to the contactless reader, wherein said contactless reader terminating the transaction based on the result of the comparison, wherein the contactless application is executed by an operating system of the mobile terminal independent of the security element. Claim 1.
US 20150126153 A1 (Spitz et al.) taught [0024] The underlying basic method is known per se in this instance. For example, a challenge-response method known per se is used. In this case, a random number is generated or otherwise provided and is sent as a challenge to the security element. The security element verifies the challenge with the verification key. For example, the end device encrypts the random number with a secret key of an asymmetric key pair and sends the cipher to the security element. The security element decrypts the cipher with the corresponding public key of the key pair. Alternatively, the end device encrypts with the public key as a secret key and the security element decrypts with the private key as a verification key. This is only possible for the security element that the correct public or private key and that is thus bound to the end device. Alternatively, the end device and security element use the same symmetric key. The end device encrypts the random number and the security element decrypts it with the symmetric key.
None of the prior arts taken alone anticipate the claimed invention. The prior arts also do not provide sufficient motivation to be combined and to be modified in such a way as to render obvious the claimed features “…the terminal comprises a first security element associated with the operating system… a security element associated with the application program, which is independent of the first security element… executing a challenge-response method between the first security element and the second security element, wherein the challenge-response method comprises generating a response by the first security element and validating the response by the second security element, wherein generating the response comprises encrypting a challenge of the second security element by the first security element using the private cryptographic key of the first security element, and wherein validating the response comprises decrypting the response of the first security element by the second security element using a public cryptographic key of the asymmetric key pair of the first security element, wherein successful execution of the challenge-response method confirms successful authentication of the user by the operating system, upon successful execution of the challenge-response method, confirming successful authentication of the user to the application program by the second security element.” in combination with other limitations within the context of the claimed invention as a whole without the usage of impermissible hindsight reasoning. Therefore, the examiner found the invention as claimed to be allowable.
Dependent claims 2-21 and 23-27 are also allowable due to their dependency on independent allowable claims 1 and 22.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHAWNCHOY RAHMAN whose telephone number is (571)270-7471. The examiner can normally be reached Monday - Friday 8:30A-5P ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T Arani can be reached at 5712723787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Shawnchoy Rahman/Primary Examiner, Art Unit 2438