Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-15 are pending.
Priority
Acknowledgment is made of applicant’s claim for foreign priority under 35 U.S.C. 119 (a)-(d). The certified copy has been filed in parent Application No. 18/724,866, filed on January 5, 2022.
Specification
The abstract of the disclosure is objected to because it contains the legal phraseology "comprising". A corrected abstract of the disclosure is required and must be presented on a separate sheet, apart from any other text. See MPEP § 608.01(b).
Claim Objections
Claims 1-15 are objected to because of the following informalities: the brackets around each claim number should be omitted and a period should be added after each claim number (e.g. "Claim 1.", "Claim 2.", "Claim 3.", etc.). Appropriate correction is required.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1, 5, 7, 14, 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Staufer (US 20230045417 A1, hereinafter referred to as Staufer) in view of Lee (US 20160127897 A1, hereinafter referred to as Lee) in further view of Le Saint (EP 4016920 A1, hereinafter referred to as Le Saint).
Regarding claim 1, Staufer discloses: A method performed by a terminal in a wireless communication system (Staufer: Paragraph [0051] states, "Accordingly, as shown, communication system 100 comprises user equipment (UE) 102 that communicates via an air interface 103 with an access point (gNB) 104." Paragraph [0052] states, "The UE 102 may be a mobile station, and such a mobile station may comprise, by way of example, a mobile telephone, a computer, or any other type of communication device…Such communication devices are also intended to encompass devices commonly referred to as access terminals."), the method comprising: Acquiring configuration information including a certificate of the terminal and a certificate authority (CA) certificate associated with a certificate of a provisioning server (Staufer: Paragraph [0079] states, "the UE receives a set of default credentials including a unique identifier, known as an onboarding SUPI (ON-SUPI), a private key and a corresponding certificate used to cryptographically protect the ON-SUPI." Paragraph [0083] states, "The onboarding UE establishes a connection to the PVS and receives SO-SNPN specific credentials from the PVS." Paragraph [0087] states, "the default credentials deployed on the UE comprise a private key and a certificate issued by the DCO, which can be verified by the ON-SNPN using a certificate issued by a Certificate Authority (CA) used to sign the default certificate of the UE." Paragraph [0095] states, "UE 402 and AUSF 410 start executing primary authentication using Extensible Authentication Protocol—Transport Layer Security (EAP-TLS). However, one or more alternative primary authentication methods may be used. AUSF 410 derives, from an authentication request received from AMF 404, that the onboarding process for UE 402 needs to be executed. In one example, a Home Network Identity (HNI) of the SUCI can be set to a predefined value or an onboarding indication can be sent from AMF 404 to AUSF 410. Alternatively, a dedicated SUPI type can be assigned to indicate onboarding. After UE 402 has verified the server certificate of AUSF 410, UE 402 sends its own UE Certificate." Paragraph [0109] states, "The request from device owner 502 includes the ON-SUPI of the onboarding UE (e.g., UE 302) and the CA Certificate which device owner 502 received from the DCO, as well as the PVS and other information which device owner 502 received from a subscription holder called Subscription Owner SNPN (SO-SNPN)." Examiner's note: it is implied that the UE uses the CA certificate to verify the AUSF server certificate therefore CA certificate is associated with the certificate of the AUSF server.), but fails to explicitly disclose: Identifying that provisioning using a control plane is performed.
However, in the same field of endeavor, Lee discloses: Identifying that provisioning using a control plane is performed (Lee: Paragraph [0049] states, "FIG. 9 illustrates an example of a call flow associated with initial provisioning of a shared key, referred to herein as a K.sub.P-GW key, in the control-plane during a packet data network (PDN) connection setup, and subsequent communication of messages encrypted/authenticated with the K.sub.P-GW key in the user-plane.").
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify the teaching of Staufer and include the above limitation with the teaching of Lee for "for protecting user-plane messaging in a wireless communications system" (Lee: Paragraph [0002]).
This motivation applies to the remainder of the claim.
Lee fails to explicitly disclose: Generating an ephemeral key pair based on the identification.
However, in the same field of endeavor, Le Saint further discloses: Generating an ephemeral key pair [based on the identification] (Le Saint: Paragraph [0049] states, "The user device 220 may generate a user device ephemeral key pair ("UD Eph. Pub. & Priv. Key Pair") 234 including a user device ephemeral public key and a user device ephemeral private key corresponding to the user device ephemeral public key. At 201, the user device 220 sends the user device ephemeral public key to the provisioning server 260. The user device ephemeral public key may not be used to identify the user device 220 because the user device 220 may only use the user device ephemeral public key for a single communication (e.g., to receive the provisioning server certificate 264).").
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify the teaching of Staufer as modified by Lee and include the above limitation with the teaching of Le Saint in order for "maintaining confidentiality of the user device, the provisioning server, and then authentication server" (Le Saint: abstract).
Le Saint fails to explicitly disclose: generating an…key…based on the identification.
However, Lee further discloses: generating an…key…based on the identification (Lee: Paragraph [0049] states, "FIG. 9 illustrates an example of a call flow associated with initial provisioning of a shared key, referred to herein as a K.sub.P-GW key, in the control-plane during a packet data network (PDN) connection setup, and subsequent communication of messages encrypted/authenticated with the K.sub.P-GW key in the user-plane.").
Staufer further discloses: Based on the configuration information and the [ephemeral] key pair, acquiring credentials of a subscription owner-standalone non-public network (SO-SNPN) in the control plane (Staufer: Paragraph [0079] states, "the UE receives a set of default credentials including a unique identifier, known as an onboarding SUPI (ON-SUPI), a private key and a corresponding certificate used to cryptographically protect the ON-SUPI." Paragraph [0083] states, "The onboarding UE establishes a connection to the PVS and receives SO-SNPN specific credentials from the PVS." Paragraph [0109] states, "The request from device owner 502 includes the ON-SUPI of the onboarding UE (e.g., UE 302) and the CA Certificate which device owner 502 received from the DCO, as well as the PVS and other information which device owner 502 received from a subscription holder called Subscription Owner SNPN (SO-SNPN)."), but fails to explicitly disclose: ephemeral key pair.
However, Le Saint further discloses: ephemeral key pair (Le Saint: Paragraph [0049] states, "The user device 220 may generate a user device ephemeral key pair ("UD Eph. Pub. & Priv. Key Pair") 234 including a user device ephemeral public key and a user device ephemeral private key corresponding to the user device ephemeral public key. At 201, the user device 220 sends the user device ephemeral public key to the provisioning server 260. The user device ephemeral public key may not be used to identify the user device 220 because the user device 220 may only use the user device ephemeral public key for a single communication (e.g., to receive the provisioning server certificate 264).").
Regarding claim 5, the combination of Staufer as modified by Lee and Le Saint discloses: The method of claim 1.
Le Saint further discloses: wherein the ephemeral key pair comprises an ephemeral public key of the terminal and an ephemeral private key of the terminal (Le Saint: Paragraph [0032] states, "User devices (e.g., computers and mobile phones)." Paragraph [0049] states, "The user device 220 may generate a user device ephemeral key pair ("UD Eph. Pub. & Priv. Key Pair") 234 including a user device ephemeral public key and a user device ephemeral private key corresponding to the user device ephemeral public key. At 201, the user device 220 sends the user device ephemeral public key to the provisioning server 260. The user device ephemeral public key may not be used to identify the user device 220 because the user device 220 may only use the user device ephemeral public key for a single communication (e.g., to receive the provisioning server certificate 264).").
The same motivation to modify with Le Saint, as in claim 1, applies.
Le Saint fails to explicitly disclose: and wherein the configuration information further includes credentials to be used for mutual authentication with a default credentials server (DCS).
However, Staufer further discloses: and wherein the configuration information further includes credentials to be used for mutual authentication with a default credentials server (DCS) (Staufer: Paragraph [0087] states, "Illustrative embodiments provide solutions which address the above and other challenges associated with existing approaches by providing mutual authentication between an onboarding UE and an onboarding network using default credentials without the need to deploy a DCS." Examiner's note: even though it is stated that the DCS is not deployed, since a mutual authentication is done with the use of default credentials, it is interpreted that the onboarding network plays the role of the default credential server.).
Regarding claim 7, Staufer discloses: A method performed by a provisioning server in a wireless communication system, the method comprising: acquiring configuration information including a certificate of the provisioning server and a certificate authority (CA) certificate associated with a certificate of a terminal (Staufer: Paragraph [0095] states, "After UE 402 has verified the server certificate of AUSF 410, UE 402 sends its own UE Certificate." Paragraph [0099] states, "AUSF 410 verifies the UE Certificate using the CA Certificate supplied by UDM/UDR 412 in step 4.", Examiner's note: since the AUSF server verifies the UE certificate using the CA certificate, it implies that the AUSF server acquired these two certificates), but fails to explicitly disclose: identifying that provisioning using a control plane is performed.
However, Lee discloses: identifying that provisioning using a control plane is performed (Lee: Paragraph [0049] states, "FIG. 9 illustrates an example of a call flow associated with initial provisioning of a shared key, referred to herein as a K.sub.P-GW key, in the control-plane during a packet data network (PDN) connection setup, and subsequent communication of messages encrypted/authenticated with the K.sub.P-GW key in the user-plane.").
The same motivation to modify with Lee, as in claim 1, applies.
This motivation applies to the remainder of the claim.
Lee fails to explicitly disclose: generating an ephemeral key pair for the provisioning using the control plane.
However, Le Saint discloses: generating an ephemeral key pair [for the provisioning using the control plane] (Le Saint: Paragraph [0049] states, "The user device 220 may generate a user device ephemeral key pair ("UD Eph. Pub. & Priv. Key Pair") 234 including a user device ephemeral public key and a user device ephemeral private key corresponding to the user device ephemeral public key. At 201, the user device 220 sends the user device ephemeral public key to the provisioning server 260. The user device ephemeral public key may not be used to identify the user device 220 because the user device 220 may only use the user device ephemeral public key for a single communication (e.g., to receive the provisioning server certificate 264).").
The same motivation to modify with Le Saint, as in claim 1, applies.
This motivation applies to the remainder of the claim.
Le Saint fails to explicitly disclose: generating a…key…for the provisioning using the control plane.
However, Lee further discloses: generating a…key…for the provisioning using the control plane (Lee: Paragraph [0049] states, "FIG. 9 illustrates an example of a call flow associated with initial provisioning of a shared key, referred to herein as a K.sub.P-GW key, in the control-plane during a packet data network (PDN) connection setup, and subsequent communication of messages encrypted/authenticated with the K.sub.P-GW key in the user-plane.").
Staufer further discloses: and based on the configuration information and the [ephemeral] key pair, generating credentials of a subscription owner-standalone non-public network (SO-SNPN) to be transferred in the control plane (Staufer: Paragraph [0110] states, "portal 504 can be implemented as part of or making use of the NEF of the ON-SNPN, or it can be implemented independent from the NEF of the ON-SNPN, e.g., directly at UDM/UDR 506 or at any other NF." Paragraph [0113] states, "It is to be appreciated that the PVS and other information sent in step 3 may not be the same information as the PVS information received in step 2. Rather, portal 504 may execute intermediate steps to derive new PVS information, which is more suited for interpretation by AMF, SMF, PCF and UPF than using the PVS information received in step 2. For instance, device owner 502 may only provide the name of the SO-SNPN, and portal 504 (or any other entity used by the portal) may translate this name into a list of IP addresses or FQDNs known to the ON-SNPN from pre-integration with the SO-SNPN.", Examiner's note: Since the portal may be part of any of the network functions, the portal is interpreted as being part of the AUSF), but fails to explicitly disclose: ephemeral key pair.
However, Le Saint further discloses: ephemeral key pair (Le Saint: Paragraph [0049] states, "The user device 220 may generate a user device ephemeral key pair ("UD Eph. Pub. & Priv. Key Pair") 234 including a user device ephemeral public key and a user device ephemeral private key corresponding to the user device ephemeral public key. At 201, the user device 220 sends the user device ephemeral public key to the provisioning server 260. The user device ephemeral public key may not be used to identify the user device 220 because the user device 220 may only use the user device ephemeral public key for a single communication (e.g., to receive the provisioning server certificate 264).").
Claim 14 recites features similar to those in claim 1, therefore it is rejected in a similar manner.
Claim 15 recites features similar to those in claim 7, therefore it is rejected in a similar manner.
Claim(s) 2, 3, 8-10 is/are rejected under 35 U.S.C. 103 as being unpatentable over Staufer (US 20230045417 A1, hereinafter referred to as Staufer) in view of Lee (US 20160127897 A1, hereinafter referred to as Lee) in further view of Le Saint (EP 4016920 A1, hereinafter referred to as Le Saint) in further view of Lai (US 20220240210 A1, hereinafter referred to as Lai).
Regarding claim 2, the combination of Staufer as modified by Lee and Le Saint discloses: The method of claim 1, but fails to explicitly disclose: further comprising: receiving broadcast system information, wherein the broadcast system information includes an indicator about whether an onboarding-standalone non-public network (ON-SNPN) supports the provisioning using the control plane.
However, in the same field of endeavor, Lai discloses: further comprising: receiving broadcast system information, wherein the broadcast system information includes an indicator about whether an onboarding-standalone non-public network (ON-SNPN) supports the provisioning using the control plane (Lai: Paragraph [0027] states, "UE 401 performs ON-SNPN discover and selection, based on the received SIB broadcasting. Note that UE 401 may also be pre-configured with ON-SNPN selection information (in step 411), for the purpose of ON-SNPN selection. After the UE has selected an ON-SNPN for onboarding, in step 421, UE 401 initiates the onboarding registration procedure." Paragraph [0030] states, "A UP provisioning procedure is performed over a PDU session, while a CP provision procedure is performed over control plane messages, e.g., using UE parameters Update via UDM Control Procedure as specified in TS 23.502. Note that the ON-SNPN determines the provisioning procedure based on UE capability, as indicated in the registration request in step 421.").
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify the teaching of Staufer as modified by Lee and Le Saint and include the above limitation with the teaching of Lai in order for verifiable security (Lai: Paragraph [0005]).
Regarding claim 3, the combination of Staufer as modified by Lee, Le Saint, and Lai discloses: The method of claim 2.
Lai further discloses: selecting the ON-SNPN based on the broadcast system information (Lai: Paragraph [0027] states, "UE 401 performs ON-SNPN discover and selection, based on the received SIB broadcasting. Note that UE 401 may also be pre-configured with ON-SNPN selection information (in step 411), for the purpose of ON-SNPN selection. After the UE has selected an ON-SNPN for onboarding, in step 421, UE 401 initiates the onboarding registration procedure." Paragraph [0030] states, "A UP provisioning procedure is performed over a PDU session, while a CP provision procedure is performed over control plane messages, e.g., using UE parameters Update via UDM Control Procedure as specified in TS 23.502. Note that the ON-SNPN determines the provisioning procedure based on UE capability, as indicated in the registration request in step 421."); and transmitting a request message for registration with the ON-SNPN, wherein the request message includes an indicator indicating whether the terminal supports the provisioning using the control plane (Lai: Paragraph [0027] states, "UE 401 performs ON-SNPN discover and selection, based on the received SIB broadcasting. Note that UE 401 may also be pre-configured with ON-SNPN selection information (in step 411), for the purpose of ON-SNPN selection. After the UE has selected an ON-SNPN for onboarding, in step 421, UE 401 initiates the onboarding registration procedure." Paragraph [0030] states, "A UP provisioning procedure is performed over a PDU session, while a CP provision procedure is performed over control plane messages, e.g., using UE parameters Update via UDM Control Procedure as specified in TS 23.502. Note that the ON-SNPN determines the provisioning procedure based on UE capability, as indicated in the registration request in step 421." Paragraph [0032] states, "In step 601, a base station broadcasts an indication in a stand-alone non-public network (SNPN). The indication indicates that Onboarding is enabled by the SNPN. In step 602, the base station receives a registration request from a user equipment (UE). The registration request indicates an Onboarding Registration type and one or more remote provisioning procedures supported by the UE.").
The same motivation to modify with Lai, as in claim 2, applies.
Regarding claim 8, the combination of Staufer as modified by Lee and Le Saint discloses: The method of claim 7, but fails to explicitly disclose: wherein the configuration information further includes information about whether a default credentials server (DCS) supports the provisioning using the control plane and information about whether the terminal supports the provisioning using the control plane.
However, Lai discloses: wherein the configuration information further includes information about whether a default credentials server (DCS) supports the provisioning using the control plane and information about whether the terminal supports the provisioning using the control plane (Lai: Paragraph [0027] states, "UE 401 performs ON-SNPN discover and selection, based on the received SIB broadcasting. Note that UE 401 may also be pre-configured with ON-SNPN selection information (in step 411), for the purpose of ON-SNPN selection. After the UE has selected an ON-SNPN for onboarding, in step 421, UE 401 initiates the onboarding registration procedure." Paragraph [0030] states, "A UP provisioning procedure is performed over a PDU session, while a CP provision procedure is performed over control plane messages, e.g., using UE parameters Update via UDM Control Procedure as specified in TS 23.502. Note that the ON-SNPN determines the provisioning procedure based on UE capability, as indicated in the registration request in step 421.").
The same motivation to modify with Lai, as in claim 2, applies.
Regarding claim 9, the combination of Staufer as modified by Lee and Le Saint discloses: The method of claim 7, but fails to explicitly disclose: receiving a notification message; wherein the notification message includes at least one indicator among an indicator about whether an onboarding-standalone non-public network (ON-SNPN) supports the provisioning using the control plane, an indicator about whether the terminal supports the provisioning using the control plane, or an indicator about whether a default credentials server (DCS) supports the provisioning using the control plane.
However, Lai discloses: receiving a notification message (Lai: Paragraph [0027] states, "UE 401 performs ON-SNPN discover and selection, based on the received SIB broadcasting. Note that UE 401 may also be pre-configured with ON-SNPN selection information (in step 411), for the purpose of ON-SNPN selection. After the UE has selected an ON-SNPN for onboarding, in step 421, UE 401 initiates the onboarding registration procedure." Paragraph [0030] states, "A UP provisioning procedure is performed over a PDU session, while a CP provision procedure is performed over control plane messages, e.g., using UE parameters Update via UDM Control Procedure as specified in TS 23.502. Note that the ON-SNPN determines the provisioning procedure based on UE capability, as indicated in the registration request in step 421."); wherein the notification message includes at least one indicator among an indicator about whether an onboarding-standalone non-public network (ON-SNPN) supports the provisioning using the control plane, an indicator about whether the terminal supports the provisioning using the control plane, or an indicator about whether a default credentials server (DCS) supports the provisioning using the control plane (Paragraph [0027] states, "UE 401 performs ON-SNPN discover and selection, based on the received SIB broadcasting. Note that UE 401 may also be pre-configured with ON-SNPN selection information (in step 411), for the purpose of ON-SNPN selection. After the UE has selected an ON-SNPN for onboarding, in step 421, UE 401 initiates the onboarding registration procedure." Paragraph [0030] states, "A UP provisioning procedure is performed over a PDU session, while a CP provision procedure is performed over control plane messages, e.g., using UE parameters Update via UDM Control Procedure as specified in TS 23.502. Note that the ON-SNPN determines the provisioning procedure based on UE capability, as indicated in the registration request in step 421.").
The same motivation to modify with Lai, as in claim 2, applies.
Regarding claim 10, the combination of Staufer as modified by Lee, Le Saint, and Lai discloses: The method of claim 9.
Lai further discloses: wherein the identifying that the provisioning using the control plane is performed comprises, in case that the terminal, the ON-SNPN, the DCS, and the provisioning server all support the provisioning using the control plane, based on at least one of the configuration information or the notification message, determining to provide the credentials of the SO-SNPN to the terminal by using the control plane (Lai: Paragraph [0027] states, "UE 401 performs ON-SNPN discover and selection, based on the received SIB broadcasting. Note that UE 401 may also be pre-configured with ON-SNPN selection information (in step 411), for the purpose of ON-SNPN selection. After the UE has selected an ON-SNPN for onboarding, in step 421, UE 401 initiates the onboarding registration procedure." Paragraph [0030] states, "A UP provisioning procedure is performed over a PDU session, while a CP provision procedure is performed over control plane messages, e.g., using UE parameters Update via UDM Control Procedure as specified in TS 23.502. Note that the ON-SNPN determines the provisioning procedure based on UE capability, as indicated in the registration request in step 421.").
The same motivation to modify with Lai, as in claim 2, applies.
Claim(s) 4, 11 is/are rejected under 35 U.S.C. 103 as being unpatentable over Staufer (US 20230045417 A1, hereinafter referred to as Staufer) in view of Lee (US 20160127897 A1, hereinafter referred to as Lee) in further view of Le Saint (EP 4016920 A1, hereinafter referred to as Le Saint) in further view of Jalkanen (US 20220078741 A1, hereinafter referred to as Jalkanen).
Regarding claim 4, the combination of Staufer as modified by Lee and Le Saint discloses: The method of claim 1.
Le Saint further discloses: acquiring an indicator [indicating that the provisioning using the control plane is performed] and a nonce value generated by the provisioning server (Le Saint: Paragraph [0050] states, "the provisioning server 260 may generate a provisioning server blinding factor (e.g., a cryptographic nonce), and use the provisioning server public key and the provisioning server blinding factor to generate a blinded provisioning server public key." Paragraph [0096] states, "The user device 520 may receive the blinded provisioning server certificate and the encrypted authentication request." Paragraph [0100] states, "The provisioning server 560 may provide provisioning data the user device 520 based on whether the signed authentication challenge is verified. For instance, if the provisioning server 560 does not receive an indication from the authentication server 540 that the signature of the signed authentication challenge is valid, then the provisioning server 560 may not provide provisioning data to the user device 520.").
The same motivation to modify with Le Saint, as in claim 1, applies.
This motivation applies to the remainder of the claim.
Le Saint fails to explicitly disclose: acquiring an indicator indicating that the provisioning using the control plane is performed.
However, in the same field of endeavor, Jalkanen discloses: acquiring an indicator indicating that the provisioning using the control plane is performed (Jalkanen: Paragraph [0045] states, "The request generated by the terminal device 110 may be generated by the terminal device 110 so that it carries data indicating that the terminal device 110 requests provisioning so that provisioning related data shall be delivered over a control plane to the terminal device 110.").
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify the teaching of Staufer as modified by Lee and Le Saint and include the above limitation with the teaching of Jalkanen in order to mitigate maloperation (Jalkanen: Paragraphs [0004-0005]).
Le Saint further discloses: and signing the nonce value with a private key corresponding to the certificate of the terminal and transmitting the signed nonce value (Le Saint: Paragraph [0050] states, "the provisioning server 260 may generate a provisioning server blinding factor (e.g., a cryptographic nonce), and use the provisioning server public key and the provisioning server blinding factor to generate a blinded provisioning server public key." Paragraph [0096] states, "The user device 520 may receive the blinded provisioning server certificate and the encrypted authentication request. The user device 520 may generate the shared secret using the blinded provisioning server public key and the user device ephemeral private key corresponding to the user device ephemeral public key. The user device 520 may use the shared secret to decrypt the encrypted authentication request to obtain the authentication request. The user device 520 may processes the authentication request. Processing the authentication request may include adding additional data to the authentication challenge included in the authentication request, verifying a user of the user device 520, and signing the authentication challenge using the user device authentication private key stored by the user device 520." Paragraph [0097] states, "The user device 520 may generate an authentication response including the signed authentication challenge. At 505, the user device 520 sends an encrypted authentication response to provisioning server 560.").
Claim 11 recites features to those in claim 4, therefore they are rejected in a similar manner.
Claim(s) 6 is/are rejected under 35 U.S.C. 103 as being unpatentable over Staufer (US 20230045417 A1, hereinafter referred to as Staufer) in view of Lee (US 20160127897 A1, hereinafter referred to as Lee) in further view of Le Saint (EP 4016920 A1, hereinafter referred to as Le Saint) in further view of Yang (US 20170093565 A1, hereinafter referred to as Yang).
Regarding claim 6, the combination of Staufer as modified by Lee and Le Saint discloses: The method of claim 1.
Staufer further discloses: Verifying the certificate of the provisioning server based on the CA certificate (Staufer: Paragraph [0095] states, "UE 402 and AUSF 410 start executing primary authentication using Extensible Authentication Protocol—Transport Layer Security (EAP-TLS). However, one or more alternative primary authentication methods may be used. AUSF 410 derives, from an authentication request received from AMF 404, that the onboarding process for UE 402 needs to be executed. In one example, a Home Network Identity (HNI) of the SUCI can be set to a predefined value or an onboarding indication can be sent from AMF 404 to AUSF 410. Alternatively, a dedicated SUPI type can be assigned to indicate onboarding. After UE 402 has verified the server certificate of AUSF 410, UE 402 sends its own UE Certificate." Paragraph [0109] states, "The request from device owner 502 includes the ON-SUPI of the onboarding UE (e.g., UE 302) and the CA Certificate which device owner 502 received from the DCO, as well as the PVS and other information which device owner 502 received from a subscription holder called Subscription Owner SNPN (SO-SNPN)."), but fails to explicitly disclose: generating a first ephemeral key for encryption and a second ephemeral key for integrity protection, based on an ephemeral private key of the terminal and an ephemeral public key of the provisioning server.
However, Lee further discloses: generating a first ephemeral key for encryption and a second ephemeral key for integrity protection, [based on an ephemeral private key of the terminal and an ephemeral public key of the provisioning server] (Lee: Paragraph [0111] states, "During an authorization session between the client device and the core network, the USIM and the AuC may each independently derive an Integrity Key (IK) and a Cypher Key (CK), referred to herein collectively as the IK, CK key 704, based on the K key 702 that they each respectively have in their possession. The IK, CK key 704 may be referred to as a session key and more specifically as an authorization session key." Paragraph [0120] states, "Using the K.sub.eNB key 714, the client device and the access node may independently derive four different keys. The four possible keys include a user-plane integrity key, which is denoted as the K.sub.UPint key 716, a user-plane encryption key, which is denoted as the K.sub.UPenc key 718, a control-plane integrity key, which is denoted as the K.sub.RRCint key 720, and a control-plane encryption key, which is denoted as the K.sub.RRCenc key 722.").
The same motivation to modify with Lee, as in claim 1, applies.
This motivation applies to the remainder of the claim.
Lee fails to explicitly disclose: Generating…based on an ephemeral private key of the terminal and an ephemeral public key of the provisioning server.
However, Le Saint further discloses: Generating…based on an ephemeral private key of the terminal and an [ephemeral] public key of the provisioning server (Le Saint: Paragraph [0052] states, "The user device 220 may generate the same first shared secret generated by the provisioning server 260, using the blinded provisioning server public key and the user device ephemeral private key. The user device 220 may generate the first session key using the first shared secret. The user device 220 may use the first session key to decrypt the encrypted provisioning server certificate to obtain the provisioning server certificate.").
The same motivation to modify with Le Saint, as in claim 1, applies.
Le Saint fails to explicitly disclose: ephemeral public key of the provisioning server.
However, in the same field of endeavor, Yang discloses: ephemeral public key of the provisioning server (Yang: Paragraph [0056] states, "the public-private key pair associated with the provisioning server 102 can be an ephemeral key pair that can be generated for one-time use for provisioning the eSIM to the eUICC 120.").
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify the teaching of Staufer as modified by Lee and Le Saint and include the above limitation with the teaching of Yang in order to "address scalability issues" (Yang: Paragraph [0006]).
Staufer further discloses: And acquiring the credentials of the SO-SNPN [based on the first ephemeral key and the second ephemeral key] (Staufer: Paragraph [0103] states, "restricted user plane connectivity is established using the PVS information and any additional information mentioned above as input, and UE 402 connects to the PVS and receives a regular SO-SNPN subscriber profile from the PVS."), but fails to explicitly disclose: acquiring…based on the first ephemeral key and the second ephemeral key.
However, Lee further discloses: acquiring…based on the first ephemeral key and the second ephemeral key (Lee: Paragraph [0120] states, "The K.sub.UPint key 716 and K.sub.UPenc key 718 are used for integrity protection and encryption, respectively, of user-plane data for messages transferred over-the-air between the client device and the access node. They may be used to encrypt/integrity protect messages in the PDCP layer between the client device and access node. The K.sub.RRCint key 720 and K.sub.RRCenc key 722 are used for integrity protection and encryption, respectively, of radio resource control (RRC) data.").
Claim(s) 12, 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Staufer (US 20230045417 A1, hereinafter referred to as Staufer) in view of Lee (US 20160127897 A1, hereinafter referred to as Lee) in further view of Le Saint (EP 4016920 A1, hereinafter referred to as Le Saint) in further view of Jalkanen (US 20220078741 A1, hereinafter referred to as Jalkanen) in further view of Yang (US 20170093565 A1, hereinafter referred to as Yang).
Regarding claim 12, the combination of Staufer as modified by Lee, Le Saint, and Jalkanen discloses: The method of claim 11.
Staufer further discloses: further comprising: receiving the certificate of the terminal and an identifier of the terminal (Staufer: Paragraph [0108] states, "while the description of steps in signaling flow 500 assume use of an ON-SUPI for identification of the onboarding record, another identifier can be used in alternative embodiments." Paragraph [0109] states, "device owner 502 (or any other entity which is in charge of onboarding a UE) connects with portal 504 of the ON-SNPN (e.g., communication network 310 in FIG. 3). The request from device owner 502 includes the ON-SUPI of the onboarding UE (e.g., UE 302) and the CA Certificate which device owner 502 received from the DCO, as well as the PVS and other information which device owner 502 received from a subscription holder called Subscription Owner SNPN (SO-SNPN)."); finding the credentials of the SO-SNPN by matching the received identifier of the terminal to an identifier of the terminal included in the configuration information (Staufer: Paragraph [0111] states, "portal 504 authorizes the incoming onboarding request. This includes checking if the requestor (e.g., device owner 502) is entitled and trusted to make the request. For instance, the requestor may be an employee of the ON-SNPN operator or a trusted business partner of the ON-SNPN. The authorization also includes checking if the provided PVS information is in line with policies of the ON-SNPN. For instance, onboarding requests may only be authorized, if ON-SNPN and SNPN (for example, SO-SNPN), which the PVS or other information refers to, have a business agreement in place and executed technical or business related integration steps."); verifying the received certificate of the terminal based on the CA certificate (Staufer: Paragraph [0114] states, "UDM/UDR 504 adds a new onboarding record for the ON-SUPI(s) including the CA Certificate, the PVS and other information." Paragraph [0099] states, "AUSF 410 verifies the UE Certificate using the CA Certificate supplied by UDM/UDR 412."), but fails to explicitly disclose: and generating a first ephemeral key for encryption and a second ephemeral key for integrity protection, based on an ephemeral public key of the terminal and an ephemeral private key of the provisioning server, wherein the credentials of the SO-SNPN are configured by an encrypted value based on the first ephemeral key and an integrity-protected value obtained by hashing the encrypted value based on the second ephemeral key.
However, Lee further discloses: and generating a first ephemeral key for encryption and a second ephemeral key for integrity protection, [based on an ephemeral public key of the terminal and an ephemeral private key of the provisioning server,] wherein the credentials of the SO-SNPN are configured by an encrypted value based on the first ephemeral key and an integrity-protected value obtained by hashing the encrypted value based on the second ephemeral key (Lee: Paragraph [0099] states, "In Long Term Evolution (LTE) networks, for example, the access node 512 may be referred to as an evolved Node B (eNodeB). By way of example, a single LTE access node may serve one or more E-UTRAN 502 cells." Paragraph [0111] states, "During an authorization session between the client device and the core network, the USIM and the AuC may each independently derive an Integrity Key (IK) and a Cypher Key (CK), referred to herein collectively as the IK, CK key 704, based on the K key 702 that they each respectively have in their possession. The IK, CK key 704 may be referred to as a session key and more specifically as an authorization session key." Paragraph [0120] states, "Using the K.sub.eNB key 714, the client device and the access node may independently derive four different keys. The four possible keys include a user-plane integrity key, which is denoted as the K.sub.UPint key 716, a user-plane encryption key, which is denoted as the K.sub.UPenc key 718, a control-plane integrity key, which is denoted as the K.sub.RRCint key 720, and a control-plane encryption key, which is denoted as the K.sub.RRCenc key 722." Paragraph [0133] states, "it is understood that work is being conducted on “re-locatable” MMEs. These types of MMEs may be located close to access nodes to support fast handover. Consequently, this may mean that the re-locatable MMEs might be located in public areas, which would increase their vulnerability to attack. For these and other reasons, it may be desirable to treat the MME 810 as a less trusted entity. This may be another reason for introducing the SKME 809, which may be utilized for key derivation and key management (e.g., maintenance, storage). It is noted that key derivation functions may include a hash message authentication code (HMAC) of length X (HMAC-X), where X is a key length.").
The same motivation to modify with Lee, as in claim 1, applies.
Lee fails to explicitly disclose: generating…based on an ephemeral public key of the terminal and an ephemeral private key of the provisioning server.
However, Le Saint further discloses: generating…based on an ephemeral public key of the terminal and an [ephemeral] private key of the provisioning server (Le Saint: Paragraph [0051] states, "The provisioning server 260 may generate a first shared secret using the user device ephemeral public key, the provisioning server private key, and the provisioning server blinding factor. The provisioning server 260 may use the first shared secret to generate a first session key for communicating with the user device 220.").
The same motivation to modify with Le Saint, as in claim 1, applies.
Le Saint fails to explicitly disclose: ephemeral private key of the provisioning server.
However, Yang discloses: ephemeral private key of the provisioning server (Yang: Paragraph [0056] states, "the public-private key pair associated with the provisioning server 102 can be an ephemeral key pair that can be generated for one-time use for provisioning the eSIM to the eUICC").
The same motivation to modify with Yang, as in claim 6, applies.
Regarding claim 13, the combination of Staufer as modified by Lee, Le Saint, Jalkanen, and Yang discloses: The method of claim 12.
Staufer further discloses: transmitting the credentials of SO-SNPN [configured by the encrypted value and the integrity-protected value in the control plane] (Staufer: Paragraph [0103] states, "restricted user plane connectivity is established using the PVS information and any additional information mentioned above as input, and UE 402 connects to the PVS and receives a regular SO-SNPN subscriber profile from the PVS."), but fails to explicitly disclose: SO-SNPN configured by the encrypted value and the integrity-protected value in the control plane.
However, Lee further discloses: SO-SNPN configured by the encrypted value and the integrity-protected value in the control plane (Lee: Paragraph [0120] states, "The K.sub.UPint key 716 and K.sub.UPenc key 718 are used for integrity protection and encryption, respectively, of user-plane data for messages transferred over-the-air between the client device and the access node. They may be used to encrypt/integrity protect messages in the PDCP layer between the client device and access node. The K.sub.RRCint key 720 and K.sub.RRCenc key 722 are used for integrity protection and encryption, respectively, of radio resource control (RRC) data." Paragraph [0133] states, "it is understood that work is being conducted on “re-locatable” MMEs. These types of MMEs may be located close to access nodes to support fast handover. Consequently, this may mean that the re-locatable MMEs might be located in public areas, which would increase their vulnerability to attack. For these and other reasons, it may be desirable to treat the MME 810 as a less trusted entity. This may be another reason for introducing the SKME 809, which may be utilized for key derivation and key management (e.g., maintenance, storage). It is noted that key derivation functions may include a hash message authentication code (HMAC) of length X (HMAC-X), where X is a key length.").
The same motivation to modify with Lee, as in claim 1, applies.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHREYAJ RAM BHANDARI whose telephone number is (571)272-0727. The examiner can normally be reached 7:30-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ali Shayanfar can be reached at (571) 270-1050. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SHREYAJ RAM BHANDARI/ Examiner, Art Unit 2434
/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434