Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Status of claims
This office action is in response to claims filed on 07/18/2024; the provisional application priority date of 01/22/2018 is considered
Claims 1-20 are pending and rejected; claims 1, 8 and 15 are independent claims.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 07/19/2024 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-3, 5-6, 8-10, 12-13, 15-17 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Varadarajan et al. US Pub. No.: 2013/0124855 A1 (hereinafter Varadarajan) in view of Alder et al. US Pub. 2015/0288667 A1 (hereinafter Alder)
Varadarajan discloses
As to claim 1, a method for implementing a security protocol, the method comprising, by a host device (see Fig. 2A and ¶33, a security client/host):
displaying a one-time secret (OTS) to enable a trusted client device to extract information encoded within the OTS (see Varadarajan ¶¶42 51 66 68, scanning/reading a QR code [i.e. one time secret] code displayed by the security client [host] using their 10 mobile phone functionality for decoding transaction information from the QR code 302 after the QR code 302 is scanned or otherwise read with the I/O device 124 of the mobile device 102 [displayed OTS/QR code is scanned/read to extracted/decoded transaction information by the mobile/trusted client]; ¶56, transaction information in the digital signal generated at step 416 and processed at step 418 is transmitted to the key holder 202 for use in recovering the appropriate seed key to authenticate the underlying transaction) ;
receiving at least one message from the trusted client device (see Varadarajan Figs. 3-4 and ¶¶34 39 42, key holder 202 [i.e. trusted client device]… transmitting that OTP with the decoded transaction information to the security client 200 [i.e. receiving by the host device]);
transitioning from displaying the OTS to displaying instructions for verifying an identity of a user of the trusted client device (see Varadarajan Figs. 3-4 and ¶58, the user may be prompted to input a PIN or some other information (e.g., password, answer to a security question, biometric data, etc.) at step 422 to recover the seed key, which also helps ensure that the user actually intends to conduct the underlying transaction [i.e. transitioning displaying the OTS/QR code to prompting the user/displaying instruction for verifying an identity of the trusted client device]… That PIN or other information may be required as part of the key protection technique, or it may be required in response to any challenge that may have been decoded from the QR code 302 at step 418)
receiving credentials from the trusted client device via the communication session, wherein the credentials enable the host device to perform at least one action (see Varadarajan Fig. 4 and ¶56, key holder 202 [i.e. trusted client device] uses that transaction information in combination with some secret information to confirm that the security client 200 wishes to perform the underlying transaction [i.e. wherein the credentials enable the host device/security client to perform at least one action] ; ¶61, step 426, the signed message is transmitted from the key holder 202 to the security client 200 or the security server 204 as authentication information).
Varadarajan does not explicitly discloses but the related art Alder discloses:
negotiating, based on the OTS, an encryption key with the trusted client device (see Alder Fig. 4 and ¶63, pairing protocol defines a specific technique to be used when sharing the session key [i.e. negotiating session/encryption key] between the devices. In an exemplary embodiment, the pairing protocol indicates that a shared secret for deriving the session key is to be displayed in the form of a quick-response (QR) code[i.e. based on OTS] …¶66, the information defining the session key is a shared secret from which the session key can be derived [i.e. based on OTS/shared secret/QR code] .)
establishing, using the encryption key, a communication session with the trusted client device (see Alder ¶96, Once the session information has been stored, the devices can communicate securely [i.e. establishing communication using session key]. For example, in operation 5311, the mobile device can generate a message by encrypting data using the current session key, and sending the encrypted data in the payload of a message which also includes the session identifier [i.e. using session key].); and
Therefore, it would have been obvious to one with ordinary skill in the art before the effective filing date of the claimed invention to modify using QR codes for authenticating users to secure resources for cardless transactions disclosed by Varadarajan to include sharing a session key between devices and method thereof as thought by Alder. A person with ordinary skill in the art would have been motivated to improve security of pairing between a client and a server/host without embedding certificates on either device, because it is potentially dangerous as certificates may be compromised which can support a secure connection between devices, without using an external certificate authority (see Adler ¶6).
As to claim 2, the combination of Varadarajan and Alder discloses the method of claim 1, wherein the OTS is encoded within a representation of a session identifier that is received by the trusted client device via an out-of-band communication channel (see Varadarajan ¶54, electronic signal includes the transaction information encoded in the QR code 302; ¶57, the key holder 202 selects the seed key required to generate the OTP for authenticating the underlying transaction based on the transaction information received at step 418; ¶60, that transaction information may comprise the session identifier generated at step 410 as well as a response to any challenge that may have been decoded from the QR code 302 [i.e. transaction information/seed key/OTS/session identifier is encoded in the QR code and displayed/out-of-bound]; see also Adler ¶63, same motivation to combine)
As to claim 3, the combination of Varadarajan and Alder discloses the method of claim 2, wherein the representation of the session identifier comprises a Quick Response (QR) code that is received by the trusted client device via an application configured to capture an image of the QR code using an image sensor (see Varadarajan ¶50, transaction information is encoded in a two-dimensional digital image, or matrix barcode..;¶60, that transaction information may comprise the session identifier generated at step 410 as well as a response to any challenge that may have been decoded from the QR code 302 [i.e. session identifier is encoded in the QR code and received/scanned/captured by the key holder/mobile device]; see also Adler ¶63, 71, same motivation to combine).
As to claim 5, the combination of Varadarajan and Alder discloses the method of claim 1, wherein: the communication session is established through a relay connection implemented by a relay server, and the relay connection is associated with a session identifier provided to the host device by a pairing service (see Varadarajan ¶48, security server 204 utilizes the transaction server 104 to generate transaction information that includes a session identifier that identifies the log on session that requires authentication [i.e. utilizing session identifier pairing to the host device…; ¶62, the security client 200 will then relay that authentication information to the security server 204 [i.e. relay connection for pairing])
As to claim 6, the combination of Varadarajan and Alder discloses the method of claim 1, wherein the trusted client device: encrypts a data payload utilizing the encryption key to produce an encrypted data payload (see Alder ¶96, Once the session information has been stored, the devices can communicate securely [i.e. establishing communication using session key]. For example, in operation 5311, the mobile device can generate a message by encrypting data using the current session key, and sending the encrypted data in the payload of a message which also includes the session identifier [i.e. using session key].); and
transmits the encrypted data payload via the communication session (see Adler ¶96 generate a message by encrypting data using the current session key, and sending the encrypted data in the payload of a message which also includes the session identifier).
Similar rational applied as above to combine the cited prior art references.
As to independent claim 8, this claim is directed to a computer readable storage medium configured to store instructions executing the method of claim 1; therefore it is rejected along similar rationale.
As to independent claim 15, this claim is directed to a host device configured to store instructions executing the method of claim 1; therefore it is rejected along similar rationale.
As to dependent claims 9-10 and 16-17, these claims contain substantially similar subject matter as claims 2-3; therefore they are rejected along the same rationale.
As to dependent claims 12-13 and 19-20, these claims contain substantially similar subject matter as claims 5-6; therefore they are rejected along the same rationale.
Claim(s) 4, 7, 11, 14 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Varadarajan in view of Alder as applied above to independent claims 1, 8 and 15; and further in view of Briceno et al. US Pub. No.: 2014/0289833 A1 (hereinafter Briceno)
As to claim 4, the combination of Varadarajan and Alder teaches the method of claim 1, the combination of Varadarajan and Alder does not explicitly teach but the related art Briceno teaches: wherein the at least one action comprises the host device accessing services associated with a user account for a duration of time (see Briceno ¶503, once the user enrollment or user authentication is complete, …the random challenge may be valid for a limited period of time [i.e. duration of time]. …in response, the secure transaction service initiates an out-of-band session with the server 4730 (e.g., an out-of-band transaction) and communicates with the server 4730 using the key provisioning protocol [i.e. accessing user service for duration of time])
Therefore, it would have been obvious to one with ordinary skill in the art before the effective filing date of the claimed invention to modify using QR codes for authenticating users to secure resources for cardless transactions disclosed by Varadarajan and using secure enclaves for decryption in unsecured locations disclosed by Alder, to include the advanced authentication techniques by Briceno. A person with ordinary skill in the art would have been motivated to limit access to computer resources for a duration of time in order prevent unauthorized dissemination of sensitive information to remote computing device (see Briceno ¶27).
As to claim 7, the combination of Varadarajan and Alder teaches the method of claim 1, the combination of Varadarajan and Alder does not explicitly teach but the related art Briceno teaches the method of claim 1, wherein, in response to analyzing the OTS, the trusted client device: verifies the identity of the user using at least one sensor of the trusted client device by collecting biometric data utilizing a fingerprint sensor, collecting biometric data utilizing an image sensor and a depth sensor, interfacing with a secure enclave processor (SEP), or some combination thereof (see Briceno ¶377, the user may perform explicit authentication by swiping a finger on a biometric fingerprint device, capturing a facial image for facial recognition, and/or entering a secret code; ¶¶360 361 434, the user may then authenticate using one or more biometric or other authentication techniques… the new device prepares a response which includes an attestation over the new device public key, a signature generated with the new device private key (e.g., over a challenge), and the signature generated with the trusted device's private key and the associated key ID [i.e. in response to challenge/OTS]; ¶349, security features may be implemented to ensure the security of the configuration data 3050 such as chain of trust technology and Secure Enclaves).
Therefore, it would have been obvious to one with ordinary skill in the art before the effective filing date of the claimed invention to modify using QR codes for authenticating users to secure resources for cardless transactions disclosed by Varadarajan and sharing a session key between devices and method thereof as thought by Alder, to include the advanced authentication techniques by Briceno. A person with ordinary skill in the art would have been motivated to include biometrics authentication in order to enhanced security, convenience, and improved user experience (see Briceno ¶¶90-91).
As to dependent claims 11 and 18, these claims contain substantially similar subject matter as claim 4; therefore they are rejected along the same rationale.
As to dependent claim 14, this claim contains substantially similar subject matter as claim 7; therefore it is rejected along the same rationale.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NEGA WOLDEMARIAM whose telephone number is (571)270-7478. The examiner can normally be reached Monday to Friday, 8am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Cathy Thiaw can be reached at 5712701138. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
NEGA . WOLDEMARIAM
Examiner
Art Unit 2407
/N.W/ Examiner, Art Unit 2407
/Catherine Thiaw/ Supervisory Patent Examiner, Art Unit 2407 3/30/2026