Prosecution Insights
Last updated: July 17, 2026
Application No. 18/764,780

METHOD FOR PROVIDING USER DATA ENCRYPTION KEY PROTECTION IN SIMPLE AUTHENTICATION ENVIRONMENT AND SYSTEM THEREOF

Non-Final OA §103
Filed
Jul 05, 2024
Priority
Sep 14, 2023 — RE 10-2023-0122184
Examiner
CARNES, THOMAS A
Art Unit
2436
Tech Center
2400 — Computer Networks
Assignee
Samsung SDS Co., Ltd.
OA Round
3 (Non-Final)
69%
Grant Probability
Favorable
3-4
OA Rounds
1y 2m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 69% — above average
69%
Career Allowance Rate
53 granted / 77 resolved
+10.8% vs TC avg
Strong +68% interview lift
Without
With
+68.1%
Interview Lift
resolved cases with interview
Typical timeline
3y 3m
Avg Prosecution
25 currently pending
Career history
104
Total Applications
across all art units

Statute-Specific Performance

§101
0.4%
-39.6% vs TC avg
§103
94.2%
+54.2% vs TC avg
§102
3.5%
-36.5% vs TC avg
§112
1.2%
-38.8% vs TC avg
Black line = Tech Center average estimate • Based on career data from 77 resolved cases

Office Action

§103
DETAILED ACTION This Office Action is in response to the communication filed on 4/9/2026. Claims 1-20 are pending. Claims 1, 12 and 20 have been amended. Claims 1-20 are rejected. Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Claim interpretation The claim limitations recite “the service server being separate from the key management server”. “being separate” can be interpreted broadly because “being separated” can have many meanings in the art. For example, are the servers hardware or software? separate device clusters, separate devices in the same device cluster, separate modules on the same device, separate sub-modules in the same module, separate application in the same sub-module or separate agents in the same application or separate sub-agents of the same agent, ect…? The amendments can reasonably be interpreted very broadly as written. Please note additional prior art made of record and not relied upon is considered pertinent to applicant's disclosure which reads on various unclaimed embodiments in Applicant’s disclosure, specifically relating to “Fast Identity Online (FIDO)”. Response to Arguments Applicant argues (Page 10 of Remarks filed 4/9/2026) that Chen does not teach that the service and key management servers are separated from each other. Examiner disagrees. Chen explicitly teaches at least two devices, one receives the ephemeral decryption key and another generates and sends the ephemeral decryption key to the receiving device, the sending/generating and receiving devices are separate devices. Applicant argues (Page 9 of Remarks filed 4/9/2026) that Chen does not teach a configuration in which a server receives an authentication registration request after the user logs in and generates an authentication key in response to the authentication registration request. This argument has been considered but is moot because the new the newly amended limitation is taught by Zhao and not Chen as specifically challenged in the argument. Examiner cites Zhao for this disclosure. Zhao [Page 9 steps 1-3, Page 9 “The TOKEN token authentication includes:”, Page 9-11 “The generating and storing of the user public and private key certificate comprises:”] Zhao teaches registration management which registers or updates corresponding client information after a client is connected, specifically the “register or update” happens subsequently to “if the login authentication is passed, continuing, otherwise, ending. The dependent claims are rejected based on their dependance on rejected independent claims. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Chen (U.S. 20240267224), in view of Zhao (U.S. 111447214). Regarding claims 1, 12 and 20, Chen discloses: A method for protecting a user data encryption, performed by a computing system, the method comprising: (Chen [0002] method and system) encrypting a private key, which is generated through a key management server, based on a password acquired from login information of a user terminal; (Chen [0009-0013, 0034-0053, 0074-0088] when a user enters a password to login (be authenticated) ephemeral decryption keys, which are based on a user identify information, are generated and encrypted, to generate an authentication token which is sent to the cloud server) receiving, by a service server being separate from the key management server, an authentication key, which is generated through the key management server, in response to a authentication registration request of the user terminal; (Chen [0009-0013, 0034-0053, 0074-0088] the server receives the ephemeral decryption key, and the encrypted authentication token, in response to the initial user login request; [Abstract, 0010-0012, 0027-0053] teaches generating/sending of an authentication token by one device and receiving/decrypting the authentication token by a different device) decrypting, by the service server, the encrypted private key based on the password acquired from the login information; (Chen [0009-0013, 0034-0053, 0074-0088] the cloud server decrypts authentication token into an electronic signature; [Abstract, 0010-0012, 0027-0053] teaches generating/sending of an authentication token by one device and receiving/decrypting the authentication token by a different device) transmitting the encrypted private key to the user terminal. (Chen [0009-0013, 0034-0053, 0074-0088] traches transmitting an additional authentication code to the user equipment) While Chen teaches performing encryption/decryption/generation on separate devices, Chen does not explicitly disclose: encrypting, by the service server, the decrypted private key based on the authentication key; and wherein the authentication registration request is received after a login of the user terminal However, in the same field of endeavor Zhao discloses: encrypting, by the service server, the decrypted private key based on the authentication key; and (Zhao [Abstract, Page 3 paragraph 2; Page 5 paragraph 3] teaches encrypting the ephemeral keys using authentication keys) wherein the authentication registration request is received after a login of the user terminal (Zhao [Abstract, Page 3, 7, 9-11, 13] teaches registration management which registers or updates corresponding client information after a client is connected, specifically the “register or update” happens subsequently to “if the login authentication is passed, continuing, otherwise, ending”) Chen and Zhao are analogous art because they are from the same field of endeavor passwordless login. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Chen and Zhao before him or her. In Chen, the separate devices performing separate steps improve security but the final authentication result is sent in the clear Zhao teaches encrypting data before sending it to a user because it will allow the authenticated private information to be transmitted in a secure manner. Therefore, it would be obvious that encrypting information before transmission it would provide a cybersecurity improvement. The motivation for doing so would be [“to ensure the privacy of the user by protecting personal data and privacy information of the user”] (Page 12, fourth paragraph and Page 13, first paragraph by Zhao)]. Therefore, it would have been obvious to combine Chen and Zhao to obtain the invention as specified in the instant claim. Claim 12 additionally discloses: A system for protecting a user data encryption key in a authentication environment, the system comprising: (Chen [0002] method and system) Claim 20 additionally discloses: A non-transitory a computer-readable recording medium storing a computer program, wherein the computer program is executable by at least one processor to perform: (Chen [0025, 0085] hardware processor) Regarding Claims 2 and 13, Chen in view of Zhao disclose: The method of claim 1, wherein the encrypting the private key based on the password includes: converting the password acquired from the login information into a first password; and (Chen [0009-0013, 0034-0053, 0074-0088] teaches converting (transforming) the password, which was acquired from login information, into ephemeral keys) encrypting the private key, generated through the key management server, by using the first password. (Chen [0009-0013, 0034-0053, 0074-0088] teaches the second ephemeral decryption key is used to encrypt the electronic digital signature to generate an authentication token) Regarding Claim 3, Chen in view of Zhao disclose: The method of claim 1, wherein the receiving the authentication key includes: receiving an authentication registration request signal of the user terminal; (Chen [0009-0013, 0028-0031, 0034-0053, 0062-0066, 0074-0088] teaches In the first and second embodiments, when a user wishes to log in to an Internet application, one user must first enter his or her own authentication information including a username and a password) receiving a credential ID from an authentication server in response to the authentication registration request signal of the user terminal; and (Chen [0009-0013, 0028-0031, 0034-0053, 0062-0066, 0074-0088] teaches that the username and password information is uploaded to the network application serving device after being encrypted in response to a user request) requesting the key management server to generate the authentication key based on the credential ID, and receiving the authentication key from the key management server generated based on the credential ID. (Chen [0009-0013, 0028-0031, 0034-0053, 0062-0066, 0074-0088] teaches transmitting an additional authentication code to the user equipment which is generated based on the user’s request; [0072] authorizing an access right for the user device to proceed with subsequent access after the identity authentication is complete) Regarding Claim 4, Chen in view of Zhao disclose: The method of claim 3, wherein the credential ID is stored in the authentication server, and the authentication key is stored in the key management server. (Chen [0009-0013, 0028-0031, 0034-0053, 0062-0066, 0074-0088] teaches the username, the password, the passcode, the electronic digital signature, the authentication token, the ephemeral strings and the token index can be stored in the cloud server for a period of time) Regarding Claim 5, Chen in view of Zhao disclose: The method of claim 1, further comprising storing the private key encrypted based on the authentication key in the user terminal. (Chen [0009-0013, 0028-0031, 0034-0053, 0062-0066, 0074-0088] teaches the username, the password, the passcode, the electronic digital signature, the authentication token, the ephemeral strings and the token index can be stored in the user equipment for a period of time) Regarding Claims 6 and 14, Chen in view of Zhao disclose: The method of claim 1, further comprising: receiving an authentication request from the user terminal; (Chen [0009-0013, 0028-0031, 0034-0053, 0062-0066, 0074-0088] teaches a user request to log in to an Internet application) performing a user verification process through the user terminal in response to the authentication request; (Chen [0009-0013, 0028-0031, 0034-0053, 0062-0066, 0074-0088] teaches a multi-party and multi-factor dynamic strong encryption authentication method performed to verify a user in response to an authentication request) receiving, based on the user verification process being successful, the private key encrypted based on the authentication key from the user terminal; and (Chen [0009-0013, 0028-0031, 0034-0053, 0062-0066, 0074-0088] teaches verifying a user as part of the authentication process, such as checking a message is valid, has not been altered or the user successfully satisfies a challenge phrase or challenge message) receiving the authentication key from the key management server and decrypting the encrypted private key based on the authentication key. (Chen [0009-0013, 0028-0031, 0034-0053, 0062-0066, 0074-0088] teaches the server receives the ephemeral decryption, and the encrypted authentication token, in response to the initial user login request and the cloud server decrypts authentication token into an electronic signature)) Regarding Claims 7 and 15, Chen in view of Zhao disclose: The method of claim 6, wherein the performing the user verification process includes: transmitting a credential ID received from an authentication server to the user terminal; and (Chen [0009-0013, 0028-0031, 0034-0053, 0062-0066, 0074-0088] teaches transmitting an additional authentication code to the user equipment which is generated based on the user’s request; [0072] authorizing an access right for the user device to proceed with subsequent access after the identity authentication is complete) performing the user verification process through the user terminal by using the credential ID. (Chen [0009-0013, 0028-0031, 0034-0053, 0062-0066, 0074-0088] teaches transmitting an additional authentication code to the user equipment which is generated based on the user’s request; [0072] authorizing an access right for the user device to proceed with subsequent access after the identity authentication is complete Regarding Claims 8 and 16, Chen in view of Zhao disclose: The method of claim 6, further comprising: receiving user data including a personal information of a user from the user terminal; (Chen [0009-0013, 0028-0031, 0034-0053, 0062-0066, 0074-0088] teaches when a user wishes to log in to an Internet application, one user must first enter his or her own authentication information including a username and a password first) encrypting the user data based on a content key; (Chen [0009-0013, 0028-0031, 0034-0053, 0062-0066, 0074-0088] teaches using public/private keys (PKI) for encryption/decryption purposes and that the keys can be stored in the cloud server for a period of time) encrypting the content key based on a public key generated through the key management server; and storing the encrypted content key. (Chen [0007-0013, 0028-0031, 0034-0053, 0062-0068, 0074-0088] teaches randomly generating keys based on seed values and that the keys can be stored in the cloud server for a period of time and generating using public/private keys (PKI) for encryption/decryption purposes and that the keys can be stored in the cloud server for a period of time) Regarding Claims 9 and 17, Chen in view of Zhao disclose: The method of claim 8, wherein the encrypting the user data includes: generating and storing the content key; (Chen [0007-0013, 0028-0031, 0034-0053, 0062-0068, 0074-0088] teaches randomly generating keys based on seed values and that the keys can be stored in the cloud server for a period of time) encrypting the user data received from the user terminal by using the stored content key; and storing the encrypted user data. (Chen [0007-0013, 0028-0031, 0034-0053, 0062-0068, 0074-0088] teaches randomly generating keys based on seed values and that the keys can be stored in the cloud server for a period of time and using public/private keys (PKI) for encryption/decryption purposes and that the keys can be stored in the cloud server for a period of time) Regarding Claims 10 and 18, Chen in view of Zhao disclose: The system of claim 16, wherein the encrypting the content key includes: requesting the key management server to transmit the generated public key; and (Chen [0007-0013, 0028-0031, 0034-0053, 0062-0068, 0074-0088] teaches the keys, which can include public keys, being retrieved by the cloud in response to a request) encrypting the content key based on the public key received from the key management server, and wherein the content key encrypted with the public key is decrypted with the private key generated through the key management server. (Chen [0007-0013, 0028-0031, 0034-0053, 0062-0068, 0074-0088] teaches randomly generating keys based on seed values and that the keys can be stored in the cloud server for a period of time and using public/private keys (PKI) for encryption/decryption purposes and that the keys can be stored in the cloud server for a period of time) Regarding Claims 11 and 19, Chen in view of Zhao disclose: The method of claim 8, further comprising: decrypting the encrypted content key by using the private key decrypted based on the authentication key; (Chen [0007-0013, 0028-0031, 0034-0053, 0062-0068, 0074-0088] teaches randomly generating keys based on seed values and that the keys can be stored in the cloud server for a period of time and using public/private keys (PKI) for encryption/decryption purposes and that the keys can be stored in the cloud server for a period of time) decrypting the encrypted user data by using the decrypted content key; and (Chen [0007-0013, 0028-0031, 0034-0053, 0062-0068, 0074-0088] teaches randomly generating keys based on seed values and that the keys can be stored in the cloud server for a period of time and using public/private keys (PKI) for encryption/decryption purposes and that the keys can be stored in the cloud server for a period of time) transmitting the decrypted user data to the user terminal. (Chen [0007-0013, 0028-0031, 0034-0053, 0062-0068, 0074-0088] teaches unencrypted, unsecured, or untrusted transmission connection) Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Cizer 2021-04-29 (U.S. 20220353256) Usage-limited passcodes support authentication when onboarding new employees, when recovering access after an enrolled device is lost or temporarily unavailable, or when registering passwordless authentication methods for new devices during an out of the box setup, among other scenarios. Usage-limited passcodes are also referred to as “temporary access passes” or TAPs. TAP usage may be limited to a specific number of uses, particular kinds of uses, certain time periods, or a combination thereof. A TAP includes a code string and an implementation of corresponding tokens, rights, and other identity aspects within an enhanced access control infrastructure. TAP usage may supplement or replace other authentication, and in particular may replace authentication through a username and password combination, thereby enhancing both usability and security. Self-service identity confirmation may be used to obtain a TAP. Redirection to a federated domain identity provider may be avoided during TAP authentication. Bennison 2021-11-18 (U.S. 11405189) A method, system, and digital recording medium provides for convenient and trustworthy user authentication with a computing device combining four authentication factors through use of a remote authentication system (RAS). An identity token (Device-ID) cryptographically bound to the user's computing device is generated as a first authentication factor. A password known only to the user is a second factor. Cryptographic signatures generated from the user's biometric minutiae is a third factor. A random challenge received from the RAS is a fourth factor. An encryption key-generation key is created cryptographically using the Device-ID and stored locally, which together with the user's cryptographic signatures are encrypted with a one-time-pad encryption key obtained from the RAS on a communication channel different from that used for other communication between the device and the RAS to provide perfect secrecy, then transmitted from the device to the RAS on a connection therebetween to register said shared-secrets. Hutchinson 2021-05-19 (US 20210367765 ) According to an aspect of the present disclosure, a method performed by a verification platform for authorizing a user incapable of providing digital consent comprises: receiving sensitive user information and a unique supervisor identifier; encrypting the sensitive user information using an encryption scheme with an associated encryption key to generate encrypted user information; sending an authorization request message to a supervisor device associated with the unique supervisor identifier, wherein the authorization request message comprises the encryption key and a request for authorization in response; discarding the sensitive user information and the encryption key, such that the verification platform cannot access the sensitive user information; and, if the verification platform receives an authorization response message from the supervisor device comprising a received encryption key, decrypting the encrypted user information using the received encryption key, such that the verification platform can successfully access the sensitive user information. Avetisov 2021-08-19 (US 20210258308) Provided is a process that affords out-of-band authentication for confirmation of physical access or when a device utilized for out-of-band authentication lacks connectivity to a network. An asymmetric cryptographic key-pair is established, a first device obtaining a key operable to decrypt data. A remote server obtaining a key operable to encrypt data and associating that key with an identifier of an identity or account associated with a user. An access attempt from the second device is received in association with the identifier of the identity associated with the user. A notification including data encrypted by the encryption key is generated by the remote server and transmitted to the second device. The first device obtains the notification data from the second device and decrypts the data to determine a notification response which is returned to the remote server for verification to permit or deny the access attempt of the second device. Any inquiry concerning this communication or earlier communications from the examiner should be directed to THOMAS A CARNES whose telephone number is (571)272-4378. The examiner can normally be reached Monday-Friday. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached at (571) 272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. THOMAS A. CARNES Examiner Art Unit 2436 /THOMAS A CARNES/ Examiner, Art Unit 2436
Read full office action

Prosecution Timeline

Jul 05, 2024
Application Filed
Oct 21, 2025
Non-Final Rejection mailed — §103
Dec 04, 2025
Response Filed
Feb 11, 2026
Final Rejection mailed — §103
Apr 09, 2026
Response after Non-Final Action
May 05, 2026
Request for Continued Examination
May 13, 2026
Response after Non-Final Action
Jun 17, 2026
Non-Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12682116
Trust Monitoring for Input to Messaging Group
4y 9m to grant Granted Jul 14, 2026
Patent 12675589
TIME-DELAY-BASED ACCESS CONTROL FOR CONTINUOUS INTEGRATION PIPELINES
3y 5m to grant Granted Jul 07, 2026
Patent 12619693
User credential authentication using blockchain and machine learning
3y 6m to grant Granted May 05, 2026
Patent 12619753
DYNAMIC TIME-BASED DATA ACCESS POLICY DEFINITION AND ENFORCEMENT
2y 12m to grant Granted May 05, 2026
Patent 12615281
MACHINE LEARNED ALERT CLASSIFICATION SYSTEM
1y 8m to grant Granted Apr 28, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

3-4
Expected OA Rounds
69%
Grant Probability
99%
With Interview (+68.1%)
3y 3m (~1y 2m remaining)
Median Time to Grant
High
PTA Risk
Based on 77 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month