Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Detailed Action
Office Action is in response to the instant Application 19/056,457 filed on 2/18/2025. Claims 1-20 are pending. This Office Action is Non-Final.
Information Disclosure Statement
The information disclosure statement (IDS), submitted on 2/18/2025 and 7/18/2025, is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claim(s) 1-3, 7-11 and 15-19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Li et al. (US 2019/0334718) in view of Violleau et al. (US 2016/0232335).
As per claim 1, Li teaches an electronic device comprising: memory storing instructions; and at least one processor, comprising processing circuitry, connected to the memory, wherein the instructions, when executed by the at least one processor individually and/or collectively (Li, Paragraph 0157 recites “Steps of methods or algorithms described in the embodiments disclosed in this specification may be implemented by hardware, a software module executed by a processor, or a combination thereof. The software module may reside in a random access memory (RAM), a memory, a read-only memory (ROM), an electrically programmable ROM, an electrically erasable programmable ROM, a register, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.”),
cause the electronic device to: receive a user credential through a first authenticator application executed in a secure area, and perform a user authentication procedure in the first authenticator application in the secure area, based on the user credential (Li, Paragraph 0013 recites “In a possible implementation, the sending, by the at least one second application on the terminal, a second request message to the first application server includes: receiving, by the terminal, user-input personal identification information, and when the terminal determines that the user-input personal identification information is consistent with personal identification information stored in the terminal, sending, by the at least one second application on the terminal, the second request message to the first application server.”),
based on the user authentication procedure being successfully completed in the first authenticator application in the secure area, issue an access token in the first authenticator application in the secure area (Li, Paragraph 0089 recites “For example, step 204 specifically includes: The second application on the terminal sends a fifth request message to the first application, where the fifth request message is used for requesting the first application server to authorize the second application to obtain the resource access permission of the first application server. The fifth request message includes the account of the first application that is bound to the second application. If the first application logs into a plurality of accounts simultaneously, the user may select one of the accounts to generate the fifth request message. The first application checks for an account associated with the first application, to confirm that an access token associated with the account of the first application exists. The first application obtains the service public key (or the service public key and one challenge value) of the first application from the TEE operating environment of the terminal, and generates a digital signature for the access token (or for the access token and the one challenge value) by using the service private key of the first application.”).
But fails to teach transmit the access token issued in the first authenticator application in the secure area to an external electronic device through a second authenticator application executed in a non-secure area.
However, in an analogous art Violleau transmit the access token issued in the first authenticator application in the secure area to an external electronic device through a second authenticator application executed in a non-secure area (Violleau, Paragraph 0087 recites “After the authorization token is generated, the authorization token is transmitted, by the authorization server (716) via the Internet (710), to a trusted application executing in the TEE (706) of the smart phone as a part of a larger Secure Bank application that includes portions in both the TEE (706) and the REE (704) of the smart phone. The authorization token is encrypted before being sent, and therefore includes a digital signature which may be used to decrypt the authorization token.”).
It would have been obvious to a person of ordinary skill in the art, before the earliest effective filing date to use Violleau’s mechanism for enforcing user-specific and device-specific security constraints in an isolated execution environment on a device in view of Li’s Application Program Authorization Method, Terminal, And Server because it offers the advantage of a more secure way of permitting sensitive operations based on verification to be facilitated.
As per claim 2, Li in combination with Violleau teaches the electronic device of claim 1, Violleau further teaches wherein the non-secure area is implemented in a rich execution environment (REE), and the secure area is implemented in a trusted execution environment (TEE) (Violleau, Paragraph 0087 recites “After the authorization token is generated, the authorization token is transmitted, by the authorization server (716) via the Internet (710), to a trusted application executing in the TEE (706) of the smart phone as a part of a larger Secure Bank application that includes portions in both the TEE (706) and the REE (704) of the smart phone. The authorization token is encrypted before being sent, and therefore includes a digital signature which may be used to decrypt the authorization token.”).
It would have been obvious to a person of ordinary skill in the art, before the earliest effective filing date to use Violleau’s mechanism for enforcing user-specific and device-specific security constraints in an isolated execution environment on a device in view of Li’s Application Program Authorization Method, Terminal, And Server because it offers the advantage of a more secure way of permitting sensitive operations based on verification to be facilitated.
As per claim 3, Li in combination with Violleau teaches the electronic device of claim 1, Violleau further teaches wherein the instructions, when executed by the at least one processor individually and/or collectively, cause the electronic device to receive an authentication request message from the external electronic device through the second authenticator application in the non-secure area (Violleau, Paragraph 0086 recites “Once the authorization server (716) receives the request from Secure Bank (712), the authorization server then generates the authorization token (not shown). The authorization token includes a binding code constraint that includes the binding code, which may be encrypted, that was received from Secure Bank and which was provided to the authenticated user by Secure Bank.”).
It would have been obvious to a person of ordinary skill in the art, before the earliest effective filing date to use Violleau’s mechanism for enforcing user-specific and device-specific security constraints in an isolated execution environment on a device in view of Li’s Application Program Authorization Method, Terminal, And Server because it offers the advantage of a more secure way of permitting sensitive operations based on verification to be facilitated.
As per claim 7, Li in combination with Violleau teaches the electronic device of claim 1, Li further teaches wherein the first authenticator application in the secure area includes: an App user interface (UI) module comprising circuitry and/or instructions executed by the circuitry configured to provide a UI; an authentication module comprising circuitry and/or instructions executed by the circuitry configured to perform the user authentication procedure; a token generation module comprising circuitry and/or instructions executed by the circuitry configured to issue the access token; and a resource server module comprising circuitry and/or instructions executed by the circuitry configured to transmit user information and the access token to an external server (Li, Paragraph 0060 recites “FIG. 1 is a diagram of an application scenario according to an embodiment of the present invention. As shown in FIG. 1, this embodiment of the present invention relates to a terminal 10, and a plurality of applications (APP) may be installed simultaneously on the terminal. The terminal may communicate with a server of an installed application or a server of another installed application by using the application. For example, the applications installed on the terminal are an APP1, an APP2, and an APPS, and corresponding application servers are an application server 11, an application server 12, and an application server 13. After the APP1 logs into the server 11 by using an account and a password, the APP1 may authorize the APP2 to log into the server 12 by using the account and the password of the APP1, and allow the APP2 to access some resources of the server 11. Likewise, the APP1 may also authorize the APP3 to log into the server 13 by using the account and login status information of the APP1, and allow the APP3 to access some resources of the server 11.”).
As per claim 8, Li in combination with Violleau teaches the electronic device of claim 1, Violleau further teaches wherein the user credential includes at least one of a password, a fingerprint, a face, voice, an iris, a palm, or a finger vein pattern, identifying an owner of the user credential (Violleau, Paragraph 0045 recites “In one or more embodiments disclosed herein, a trusted UI (236) session is configured to query the user for user credentials and can be customized per and by a given service provider and/or authorizing entity. User credentials may be a username/password, a one-time password (OTP), biometric information such as a fingerprint scan or retina scan, or any other suitable information that may be used to identify and authenticate the user of the device.”).
It would have been obvious to a person of ordinary skill in the art, before the earliest effective filing date to use Violleau’s mechanism for enforcing user-specific and device-specific security constraints in an isolated execution environment on a device in view of Li’s Application Program Authorization Method, Terminal, And Server because it offers the advantage of a more secure way of permitting sensitive operations based on verification to be facilitated.
Regarding claims 9 and 17, claims 9 and 17 are directed to a method and a non-transitory computer-readable storage medium associated with the device of claim 1. Claims 9 and 17 are of similar scope to claim 1, and are therefore rejected under similar rationale.
Regarding claims 10 and 18, claims 10 and 18 are directed to a method and a non-transitory computer-readable storage medium associated with the device of claim 2. Claims 10 and 18 are of similar scope to claim 2, and are therefore rejected under similar rationale.
Regarding claims 11 and 19, claims 11 and 19 are directed to a method and a non-transitory computer-readable storage medium associated with the device of claim 3. Claims 11 and 19 are of similar scope to claim 3, and are therefore rejected under similar rationale.
Regarding claim 15, claim 15 is directed to a similar method associated with the device of claim 7 respectively. Claim 15 is similar in scope to claim 7, respectively, and are therefore rejected under similar rationale.
Regarding claim 16, claim 16 is directed to a similar method associated with the device of claim 8 respectively. Claim 16 is similar in scope to claim 8, respectively, and are therefore rejected under similar rationale.
Claim(s) 4, 12 and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Li et al. (US 2019/0334718) and Violleau et al. (US 2016/0232335) and in further view of Amar (US 2020/0311299).
As per claim 4, Li in combination with Violleau teachest he electronic device of claim 1, but fails to teach wherein the first authenticator application in the secure area includes at least one of an integrity measurement value, a public key of a service provider, or a certificate chain for a public key of a certified authority (CA).
However, in an analogous art Amar teaches wherein the first authenticator application in the secure area includes at least one of an integrity measurement value, a public key of a service provider, or a certificate chain for a public key of a certified authority (CA) (Amar, Paragraph 0049 recites “The Identity and Profiling System 120 would receive that request from the bank. In some embodiments, the Identity and Profiling System 120 may authenticate the bank by verifying the entity identifier. For instance, the entity identifier can be sent to a certificate authority to verify (e.g., if the entity identifier is a public key). The Identity and Profiling System 120 may then check to see if the user's phone number exists in the records of the Identity and Profiling System 120 (e.g., if it exists in a data store). If the user's phone number exists in the records, that means the user has already signed up with the Identity and Profiling System 120 and the requested information has likely been collected and stored.”)
It would have been obvious to a person of ordinary skill in the art, before the earliest effective filing date to use, Amar’s Secure identity and profiling system with Li’s Application Program Authorization Method, Terminal, And Server because using a Certificate Authority (CA) enhances online security, builds trust, and ensures the authenticity of digital communications.
Regarding claims 12 and 20, claims 12 and 20 are directed to a method and a non-transitory computer-readable storage medium associated with the device of claim 4. Claims 12 and 20 are of similar scope to claim 4, and are therefore rejected under similar rationale.
Claim(s) 5 and 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Li et al. (US 2019/0334718) and Violleau et al. (US 2016/0232335) and in further view of Juriasingani (US 2018/0144146).
As per claim 5, Li in combination with Violleau teachest he electronic device of claim 1, but fails to teach further comprising a remote monitoring and management (RMM) implemented in the secure area, configured to manage a stage page table for the secure area, and manage a CPU context of a realm.
However, in an analogous art Juriasingani teaches further comprising a remote monitoring and management (RMM) implemented in the secure area, configured to manage a stage page table for the secure area, and manage a CPU context of a realm (Juriasingani, Paragraph 0012 recites “Also, in some embodiments, one or more of the unique private keys can also be established/loaded after manufacturing outside of the factory (e.g., by the customer, or by a Remote Monitoring and Management (RMM) server component (hereinafter referred to as a “customer identity”). Accordingly, a customer can supplement the at factory or manufacturer identity with their own customer identity.”).
It would have been obvious to a person of ordinary skill in the art, before the earliest effective filing date to use Juriasingani’s printer identity and security with Li’s Application Program Authorization Method, Terminal, And Server because it offers the advantage of being able to manage secure memory areas remotely.
Regarding claim 13, claim 13 is directed to a similar method associated with the device of claim 5 respectively. Claim 13 is similar in scope to claim 5, respectively, and are therefore rejected under similar rationale.
Claim(s) 6 and 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Li et al. (US 2019/0334718) and Violleau et al. (US 2016/0232335) and in further view of Sahita et al. (US 2022/0222358).
As per claim 6, Li in combination with Violleau teachest he electronic device of claim 1, but fails to teach wherein the memory includes a first storage and a second storage, wherein the first storage includes a sealing key, and wherein the second storage includes a user credential, a subscription status, a user profile, and an encryption key, encrypted based on the sealing key.
However, in an analogous art Sahita teaches wherein the memory includes a first storage and a second storage, wherein the first storage includes a sealing key, and wherein the second storage includes a user credential, a subscription status, a user profile, and an encryption key, encrypted based on the sealing key (Sahita, Paragraph 0035 recites “As illustrated in FIG. 3, a system 300 includes global orchestration (such operations by an orchestrator) 302 and virtual machine manager (VMM) 308 for a system 300. In some embodiments, the system 300 further includes a cloning and escrow service (CES) trust domain (TD) 304, including an escrow and cloning policy, to enable a hibernated state of a TD or enclave, to perform operations including quote verification and generating sealing keys for TDs and enclaves, and to perform escrow and cloning policy enforcement in connection with the cloning of TEEs. For simplicity of illustration, FIG. 3 generally refers to trust domains (TDs), but embodiments also include secure enclaves.”).
It would have been obvious to a person of ordinary skill in the art, before the earliest effective filing date to use Sahita’s scalable cloning and replication for trusted execution environments with Li’s Application Program Authorization Method, Terminal, And Server because it offers the advantage of securing and protecting data within a trusted execution environment (TEE).
Regarding claim 14, claim 14 is directed to a similar method associated with the device of claim 6 respectively. Claim 14 is similar in scope to claim 6, respectively, and are therefore rejected under similar rationale.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODERICK TOLENTINO whose telephone number is (571)272-2661. The examiner can normally be reached Mon- Fri 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached at 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
RODERICK . TOLENTINO
Examiner
Art Unit 2439
/RODERICK TOLENTINO/Primary Examiner, Art Unit 2439