Detailed Action
This is a Non-final Office action in response to communications received on 4/16/2025. Claims 4, 9 and 10 were amended via preliminary amendment. Claims 8 and 11 were cancelled via preliminary amendment. Claims 1-7, 9-10 and 12-22 are pending and are examined.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Drawings
The drawings, filed 9/19/2024, are acknowledged.
Foreign Priority
The foreign priority date of 4/6/2022 is acknowledged.
Preliminary Amendment
The preliminary amendment, filed 10/1/2024, are acknowledged.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 7, 9-10 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Pala (US 20190058713 A1), in view of Brown (US 20120173874 A1).
Regarding claim 1, Pala teaches the limitations of claim 1 substantially as follows:
A network access control method, comprising:
receiving a certificate verification request sent by a terminal, and returning a certificate verification response to the terminal, (Pala; Abstract: The contact point is configured to receive a network access granting request message from the electronic entity. The server further includes a processing module, configured to process the received network access granting request message, validate trust indicators contained within the network access granting request message, authorize access of the electronic entity to the network upon validation of the trust indicators (i.e., receive certificate verification request and returning certificate verification response))
interrupting a network access communication link of the terminal. (Pala; [0004]: the network typically is able to allow or block the entity's ability to access the network based on a security verification)
Pala does not teach the limitations of claim 1 as follows:
wherein the certificate verification response carries a preset server certificate,
the certificate verification response is used for instructing the terminal to verify the preset server certificate based on a root certificate installed in the terminal, and identity verification information of the root certificate is partially or fully different from identity verification information of the preset server certificate; and
receiving a verification result returned by the terminal for the preset server certificate, and in a case where the verification result indicates that certificate verification succeeds, determining that the terminal has a security risk and
However, in the same field of endeavor, Brown discloses the limitations of claim 1 as follows:
wherein the certificate verification response carries a preset server certificate, (Brown; [0007]: The client receives a second certificate during a subsequent session (i.e., the certificate verification response carries a preset server certificate))
the certificate verification response is used for instructing the terminal to verify the preset server certificate based on a root certificate installed in the terminal, and identity verification information of the root certificate is partially or fully different from identity verification information of the preset server certificate; and (Brown; [0007]: The client receives a second certificate during a subsequent session. The second certificate has a second certificate chain to an authority certificate signed by a certificate authority. The client assigns a signature security rating to each chain certificate in the second certificate chain. The client compares the signature security rating of each chain certificate in the first certificate chain with the signature security rating of each corresponding chain certificate in the second certificate chain. The client treats the second certificate as insecure if the signature security rating of a chain certificate in the second certificate chain is lowered from a signature security rating of a corresponding chain certificate in the first certificate chain (i.e., identity verification information of the root certificate is partially or fully different from identity verification information of the preset server certificate))
receiving a verification result returned by the terminal for the preset server certificate, and in a case where the verification result indicates that certificate verification succeeds, determining that the terminal has a security risk and (Brown; [0007]: The client treats the second certificate as insecure if the signature security rating of a chain certificate in the second certificate chain is lowered from a signature security rating of a corresponding chain certificate in the first certificate chain (i.e., security risk))
Brown is combinable with Pala because all are from the same field of endeavor of verification of certificates. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the system of Pala to incorporate certificate comparison and notification of discrepancy as in Brown in order to improve the security by comparing a current certificate to a known certificate as a means of authentication or verification.
Regarding claim 9, Pala teaches the limitations of claim 9 substantially as follows:
A non-transitory computer-readable storage medium, wherein an instruction is stored in the computer-readable storage medium, and when the instruction is running on a terminal device, the terminal device is caused to: (Pala; [0019]: software agent, executed by a processor and in communication with a memory)
receive a certificate verification request sent by a terminal, and return a certificate verification response to the terminal, (Pala; Abstract: The contact point is configured to receive a network access granting request message from the electronic entity. The server further includes a processing module, configured to process the received network access granting request message, validate trust indicators contained within the network access granting request message, authorize access of the electronic entity to the network upon validation of the trust indicators (i.e., receive certificate verification request and returning certificate verification response))
interrupting a network access communication link of the terminal. (Pala; [0004]: the network typically is able to allow or block the entity's ability to access the network based on a security verification)
Pala does not teach the limitations of claim 9 as follows:
wherein the certificate verification response carries a preset server certificate,
the certificate verification response is used for instructing the terminal to verify the preset server certificate based on a root certificate installed in the terminal, and identity verification information of the root certificate is partially or fully different from identity verification information of the preset server certificate; and
receive a verification result returned by the terminal for the preset server certificate, and in a case where the verification result indicates that certificate verification succeeds, determine that the terminal has a security risk and
However, in the same field of endeavor, Brown discloses the limitations of claim 9 as follows:
wherein the certificate verification response carries a preset server certificate, (Brown; [0007]: The client receives a second certificate during a subsequent session (i.e., the certificate verification response carries a preset server certificate))
the certificate verification response is used for instructing the terminal to verify the preset server certificate based on a root certificate installed in the terminal, and identity verification information of the root certificate is partially or fully different from identity verification information of the preset server certificate; and (Brown; [0007]: The client receives a second certificate during a subsequent session. The second certificate has a second certificate chain to an authority certificate signed by a certificate authority. The client assigns a signature security rating to each chain certificate in the second certificate chain. The client compares the signature security rating of each chain certificate in the first certificate chain with the signature security rating of each corresponding chain certificate in the second certificate chain. The client treats the second certificate as insecure if the signature security rating of a chain certificate in the second certificate chain is lowered from a signature security rating of a corresponding chain certificate in the first certificate chain (i.e., identity verification information of the root certificate is partially or fully different from identity verification information of the preset server certificate))
receive a verification result returned by the terminal for the preset server certificate, and in a case where the verification result indicates that certificate verification succeeds, determine that the terminal has a security risk and (Brown; [0007]: The client treats the second certificate as insecure if the signature security rating of a chain certificate in the second certificate chain is lowered from a signature security rating of a corresponding chain certificate in the first certificate chain (i.e., security risk))
Brown is combinable with Pala because all are from the same field of endeavor of verification of certificates. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the system of Pala to incorporate certificate comparison and notification of discrepancy as in Brown in order to improve the security by comparing a current certificate to a known certificate as a means of authentication or verification.
Regarding claim 10, Pala teaches the limitations of claim 10 substantially as follows:
A network access control device, comprising: a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements, when executing the computer program: (Pala; [0019]: software agent, executed by a processor and in communication with a memory)
receiving a certificate verification request sent by a terminal, and returning a certificate verification response to the terminal, (Pala; Abstract: The contact point is configured to receive a network access granting request message from the electronic entity. The server further includes a processing module, configured to process the received network access granting request message, validate trust indicators contained within the network access granting request message, authorize access of the electronic entity to the network upon validation of the trust indicators (i.e., receive certificate verification request and returning certificate verification response))
interrupting a network access communication link of the terminal. (Pala; [0004]: the network typically is able to allow or block the entity's ability to access the network based on a security verification)
Pala does not teach the limitations of claim 10 as follows:
wherein the certificate verification response carries a preset server certificate,
the certificate verification response is used for instructing the terminal to verify the preset server certificate based on a root certificate installed in the terminal, and identity verification information of the root certificate is partially or fully different from identity verification information of the preset server certificate; and
receiving a verification result returned by the terminal for the preset server certificate, and in a case where the verification result indicates that certificate verification succeeds, determining that the terminal has a security risk and
However, in the same field of endeavor, Brown discloses the limitations of claim 10 as follows:
wherein the certificate verification response carries a preset server certificate, (Brown; [0007]: The client receives a second certificate during a subsequent session (i.e., the certificate verification response carries a preset server certificate))
the certificate verification response is used for instructing the terminal to verify the preset server certificate based on a root certificate installed in the terminal, and identity verification information of the root certificate is partially or fully different from identity verification information of the preset server certificate; and (Brown; [0007]: The client receives a second certificate during a subsequent session. The second certificate has a second certificate chain to an authority certificate signed by a certificate authority. The client assigns a signature security rating to each chain certificate in the second certificate chain. The client compares the signature security rating of each chain certificate in the first certificate chain with the signature security rating of each corresponding chain certificate in the second certificate chain. The client treats the second certificate as insecure if the signature security rating of a chain certificate in the second certificate chain is lowered from a signature security rating of a corresponding chain certificate in the first certificate chain (i.e., identity verification information of the root certificate is partially or fully different from identity verification information of the preset server certificate))
receiving a verification result returned by the terminal for the preset server certificate, and in a case where the verification result indicates that certificate verification succeeds, determining that the terminal has a security risk and (Brown; [0007]: The client treats the second certificate as insecure if the signature security rating of a chain certificate in the second certificate chain is lowered from a signature security rating of a corresponding chain certificate in the first certificate chain (i.e., security risk))
Brown is combinable with Pala because all are from the same field of endeavor of verification of certificates. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the system of Pala to incorporate certificate comparison and notification of discrepancy as in Brown in order to improve the security by comparing a current certificate to a known certificate as a means of authentication or verification.
Regarding claims 7 and 17, Pala and Brown teach the limitations of claims 1 and 9.
Pala and Brown teach the limitations of claims 7 and 17 as follows:
before interrupting the network access communication link of the terminal, in a case where the verification result indicates that the certificate verification succeeds, sending an alarm message to the terminal. (Brown; [0008]: the client may provide to a user a warning of an impersonation danger for the second certificate associated with a lowered signature security rating)
The same motivation to combine as in claims 1, and 9 are applicable to the instant claims.
Claims 2-4, 12-14 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Pala (US 20190058713 A1), in view of Brown (US 20120173874 A1), as applied to independent claims, further in view of Scahill (US 20140325615 A1).
Regarding claims 2, 12 and 18, Pala and Brown teach the limitations of claims 1, 9 and 10.
Pala and Brown do not teach the limitations of claims 2, 12 and 18 as follows:
in response to determining that verification of the terminal for the preset server certificate fails, re-initiating a network access authentication process for the terminal.
However, in the same field of endeavor, Scahill discloses the limitations of claims 2, 12 and 18 as follows:
in response to determining that verification of the terminal for the preset server certificate fails, re-initiating a network access authentication process for the terminal. (Scahill; [0063]: Once this new association has been established, the hotspot will again forward data requests to the PAC gateway 105 which redirect the user to the log in page. Once the user has again logged in and their credentials have been verified, then the browsing session can continue)
Scahill is combinable with Pala and Brown because all are from the same field of endeavor of authentication. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified system of Pala and Brown to incorporate rerouting a user to login using credentials again as in Scahill in order to improve the security of the system by requiring reauthentication before granting access.
Regarding claims 3, 13 and 19, Pala, Brown and Scahill teach the limitations of claims 2, 12 and 18.
Pala, Brown and Scahill teach the limitations of claims 3, 13 and 19 as follows:
wherein in response to determining that the verification of the terminal for the preset server certificate fails, re-initiating the network access authentication process for the terminal, comprises: in a case where the verification result indicates that the certificate verification fails, or in response to determining that the verification result for the preset server certificate is not received from the terminal within a preset duration, re-initiating the network access authentication process for the terminal, wherein the preset duration is used for indicating a duration from a moment at which the certificate verification response is sent to the authentication server to a current moment. (Pala; [0034]: the message header further includes one or more of: (i) the message format version; (ii) a nonce value (i.e., not repeated by the device) functional to tie the network access granting request with a subsequent response provided by server 106, and which further serves to provide protection against reply attacks in the case where server 106 memorizes used nonces; (iii) a date and time, if available, when entity 104 generated the network access granting request (e.g., in step S120); and (iv) a validity period (e.g., a number of seconds, minutes, hours, etc.) after which the network access granting request shall not be considered valid, and may or shall be discarded by server)
Regarding claims 4, 14 and 20, Pala and Brown teach the limitations of claims 1, 9 and 10.
Pala and Brown do not teach the limitations of claims 4, 14 and 20 as follows:
before returning the certificate verification response to the terminal, acquiring historical certificate verification information corresponding to the terminal, wherein the historical certificate verification information comprises a historical certificate verification result, and the historical certificate verification result is used for identifying a latest verification result of the terminal for the preset server certificate; and returning the certificate verification response to the terminal correspondingly comprises: in a case where it is determined that the historical certificate verification result is a first result, returning the certificate verification response to the terminal, wherein the first result is used for identifying that the latest verification result of the terminal for the preset server certificate is that the certificate verification succeeds.
However, in the same field of endeavor, Scahill discloses the limitations of claims 4, 14 and 20 as follows:
before returning the certificate verification response to the terminal, acquiring historical certificate verification information corresponding to the terminal, wherein the historical certificate verification information comprises a historical certificate verification result, and the historical certificate verification result is used for identifying a latest verification result of the terminal for the preset server certificate; and returning the certificate verification response to the terminal correspondingly comprises: in a case where it is determined that the historical certificate verification result is a first result, returning the certificate verification response to the terminal, wherein the first result is used for identifying that the latest verification result of the terminal for the preset server certificate is that the certificate verification succeeds. (Scahill; [0029]: Once this is complete the laptop 11a issues an Address Resolution Protocol (ARP) request in order to obtain the layer 2 MAC address for the PAC gateway IP address. The ARP response contains the MAC address of the PAC gateway 5 for the hotspot. The laptop then updates its routing table so that packets are forwarded to the hotspot 3a via the PAC gateway 5 (i.e., table maintains historical certificate information))
Scahill is combinable with Pala and Brown because all are from the same field of endeavor of authentication. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified system of Pala and Brown to incorporate maintaining information in a routing table as in Scahill in order to improve the security of the system by maintaining historical network access information.
Allowable Subject Matter
Claims 5-6, 15-16 and 21-22 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The following is a statement of reasons for the indication of allowable subject matter:
As to claims 5, 15 and 21, it contains allowable subject matter when the claim is taken as a whole. See the italicized text indicating aspects that in combination with the remainder of the claim differentiate it from prior art.
wherein the historical certificate verification information further comprises a certificate verification time corresponding to the historical certificate verification result; the method further comprises: after acquiring the historical certificate verification information corresponding to the terminal, in a case where it is determined that the historical certificate verification result is a second result, determining whether a time difference between the certificate verification time corresponding to the historical certificate verification result and the current moment is greater than a preset time threshold value, wherein the second result is used for identifying that the latest verification result of the terminal for the preset server certificate is that the certificate verification fails; and returning the certificate verification response to the terminal correspondingly comprises: in response to determining that the time difference between the certificate verification time corresponding to the historical certificate verification result and the current moment is greater than the preset time threshold value, returning the certificate verification response to the terminal.
As to claims 6, 16 and 22, it contains allowable subject matter when the claim is taken as a whole. See the italicized text indicating aspects that in combination with the remainder of the claim differentiate it from prior art.
wherein acquiring the historical certificate verification information corresponding to the terminal comprises: searching for, from a hash table and based on a terminal identifier of the terminal, historical certificate verification information corresponding to the terminal identifier, wherein a correspondence between terminal identifiers and historical certificate verification information is stored in the hash table, and the hash table is obtained by pre-loading a local file stored with the historical certificate verification information.
Prior Art Considered But Not Relied Upon
Guzner (US 20100186086 A1) which teaches scanning, by a network security device, messages of a security protocol between a server and a client system; detecting the messages having a security certificate; detecting suspicious security certificates from the messages; and aborting particular sessions of the security protocol associated with the suspicious certificates.
Hockey (US 20230353564 A1) which teaches mutual authentication accomplished using a certificate of the application that matches a naming system name used for the application.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BLAKE ISAAC NARRAMORE whose telephone number is (303)297-4357. The examiner can normally be reached on Monday - Friday 0700-1700 MT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T Arani can be reached on (571) 272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/BLAKE I NARRAMORE/Primary Examiner, Art Unit 2438