DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Information Disclosure Statement
The information disclosure statement (IDS) submitted by applicant dated 09/27/2024 has been considered by the examiner.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-3, 5-8, 10-13, 15-18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Davis et al. US 2017/0111336 (hereinafter Davis), in view of Mandyam et al. US 2017/0289197 (hereinafter Mandyam).
As per claim 1, Davis teaches a method, comprising: receiving, by a first server, a request for a customer device to access a second server, the request including input data and a token, the token generated by the first server to permit the customer device access to the second server (Davis paragraph [0044]-[0045], [0052], [0083], [0086], gateway receives a request from a client to access resource. The request includes data and a token that was generated by the gateway);
validating, by the first server, the token in the request (Davis paragraph [0092], verify the token);
sending, by the first server, the input data of the request to the second server, responsive to validating the token (Davis paragraph [0096]-[0097], gateway send the request to resource server);
receiving, by the first server, a response including output data generated by the second server based on the input data (Davis paragraph [0050], [0065], [0098], gateway receives response from the resource server); and
transmitting, by the first server, the response including the output data with the token to the customer device (Davis paragraph [0050], [0065], [0098], gateway sends response to client).
Davis does not explicitly disclose token comprising an encryption key;
validating using the encryption key used to generate at least a portion of the token.
Mandyam teaches token comprising an encryption key (Mandyam paragraph [0075], access token includes key);
validating using the encryption key used to generate at least a portion of the token (Mandyam paragraph [0075], [0081], validating using the key included in the access token).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Davis of issuing an access token and authenticating the access token to gain access to resources with the teachings of Mandyam to include an access token comprising a key and validating using the key in order to provide multiple factors for authenticating the access token.
As per claim 2, Davis in view of Mandyam teaches the method of claim 1, further comprising: receiving, by the first server, a second request for a second customer device to access the second server, the request including a second token comprising a second encryption key generated by the first server to grant the second customer device access to the second server (Davis paragraph [0044]-[0045], [0052], [0083], [0086], gateway receives a request from a client to access resource. The request includes data and a token that was generated by the gateway; Mandyam paragraph [0075], access token includes key);
determining, by the first server, that the second token in the request is not validated using the second encryption key used to generate at least a portion of the second token (Davis paragraph [0092], verify the token and determine token is not valid; Mandyam paragraph [0075], [0081], validating using the key included in the access token); and
restricting, by the first server, the customer device from accessing the second server, responsive to determining that the second token is not validated (Davis paragraph [0092], gateway rejects the request).
As per claim 3, Davis in view of Mandyam teaches the method of claim 1, wherein receiving the request further comprises receiving the request at least partially encrypted using a second encryption key for communications between the first server and the customer device, decrypting, by the first server, the request using a third encryption key associated with the second encryption key; and wherein validating the token further comprises validating the token in the decrypted request using the encryption key used to generate at least a portion of the token (Davis paragraph [0044]-[0045], [0052], [0083], [0086], gateway receives a request from a client to access resource. Davis paragraph [0092], verify the token; Mandyam paragraph [0075], [0081], validating using the key included in the access token. Mandyam paragraph [0075], [0076], communications between client and server is encrypted and decrypted using corresponding public and private keys).
As per claim 5, Davis in view of Mandyam teaches the method of claim 1, wherein receiving the request further comprises receiving the request including the token comprising a policy, the policy defining a lifetime period in which the token is valid relative to the generation of the token; and wherein validating the token further comprises determining that the token is valid based on a current time being within the lifetime period defined by the policy (Davis paragraph [0092], token includes an expiration time, verify if the token is expired or not).
As per claim 6, Davis in view of Mandyam teaches the method of claim 1, wherein sending the input data further comprises sending the request to invoke a function of the second server, and wherein receiving the response further comprises receiving the response including the output data in accordance with the function (Davis paragraph [0044]-[0045], [0050], [0065], [0096]-[0098], gateway send the request to resource server. Resource server performs the requested operation and provides output data).
As per claim 7, Davis in view of Mandyam teaches the method of claim 1, wherein sending the input data further comprises sending the request to store the input data on the second server, and wherein receiving the response further comprises receiving the response indicating storage of the input data by the second server (Davis paragraph [0044]-[0045], [0050], [0065], [0096]-[0098], perform requested operation such as writing data to storage and output a result of the operation).
As per claim 8, Davis in view of Mandyam teaches the method of claim 1, wherein sending the input data further comprises removing the token from the request prior to sending the input data to the second server, and wherein transmitting the response further comprises adding the token to the response prior to forwarding the response with the output data to the customer device (Davis paragraph [0050], [0065], [0092], [0096]-[0098], gateway send the request to resource server and sends response to client).
As per claim 10, Davis in view of Mandyam teaches the method of claim 1, further comprising: generating, by the first server, the token to be used to encrypt and decrypt data communicated between the customer device and the first server, and transmitting, by the first server, to the customer device, a second response including the token to be used for accessing the second server via the first server (Davis paragraph [0083]-[0084], gateway generates token and sends it to the client).
As per claims 11-13, 15-18 and 20, the claims claim a system essentially corresponding to the method claims 1-3, 5-8 and 10 above, and they are rejected, at least for the same reasons.
Claims 4 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Davis in view of Mandyam, and further in view of Laurie et al. US 2010/0325441 (hereinafter Laurie).
As per claim 4, Davis in view of Mandyam teaches the method of claim 1.
Davis in view of Mandyam does not explicitly disclose wherein receiving request further comprises receiving the request including token comprising a signature previously generated by first server to authenticate customer device; and wherein validating the token further comprises determining that the token is valid based on the portion of the token corresponding to the signature.
Laurie teaches wherein receiving request further comprises receiving the request including token comprising a signature previously generated by first server to authenticate customer device; and wherein validating the token further comprises determining that the token is valid based on the portion of the token corresponding to the signature (Laurie paragraph [0087], [0090], sign and issue token. Receive request with token and verify signature of the token).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Davis in view of Mandyam of issuing an access token and authenticating the access token to gain access to resources with the teachings of Laurie to include signing a token and verifying the signature of the token in order to provide integrity protection and verification of the access token.
As per claim 14, the claim claims a system essentially corresponding to the method claim 4 above, and is rejected, at least for the same reasons.
Claims 9 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Davis in view of Mandyam, and further in view of Choi USPN 11,070,532.
As per claim 9, Davis in view of Mandyam teaches the method of claim 1, wherein transmitting the response further comprises transmitting the response including the output data (Davis paragraph [0050], [0065], [0098], gateway sends response to client).
Davis in view of Mandyam does not explicitly disclose transmitting over session-less communications between a client device and a server.
Choi teaches transmitting over session-less communications between a client device and a server (Choi col 3 lines 45-50, sessionless communication between server and client).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Davis in view of Mandyam of communications between a client device and a server with the teachings of Choi to include a sessionless communication between server and client because the results would have been predictable and resulted in a sessionless communication between the client device and server.
As per claim 19, the claim claims a system essentially corresponding to the method claim 9 above, and is rejected, at least for the same reasons.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HENRY TSANG whose telephone number is (571)270-7959. The examiner can normally be reached M-F 9am - 5pm EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached at (571) 272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/HENRY TSANG/Primary Examiner, Art Unit 2495