EXHIBIT A

TO

PLAINTIFFS’ REBUTTAL BRIEF

ON CLAIM CONSTRUCTION

USAA 1048
USAA v. Asghari-Kamrani et al.
CBM2016-00063
CBM2016-00064

Case 2:15-cv-00478-RGD-LRL Document 127-1 Filed 06/09/16 Page 2 of 9 PageID# 4919

IN THE UNITED STATES DISTRICT COURT
FOR THE EASTERN DISTRICT OF VIRGINIA
NORFOLK DIVISION

NADER ASGHARI-KAMRANI and
KAMRAN ASGHARI-KAMRANI,

Plaintiffs,

v.

UNITED SERVICES AUTOMOBILE
ASSOCIATION,

Defendant.

Civil Action No. 2:15-cv-00478-RGD-LRL

Hon. Robert G. Doumar

DECLARATION OF JEFFREY K. HOLLINGSWORTH IN SUPPORT OF
PLAINTIFFS’ REBUTTAL BRIEF ON CLAIM CONSTRUCTION

I, Jeffrey K. Hollingsworth, Ph.D., hereby declare and state:

ENGAGEMENT

1. I make this Declaration in support of Plaintiffs’ Rebuttal Brief on Claim Construction that is filed herewith.

2. Prior to preparing this Declaration, I reviewed various materials, including those identified in my previously submitted Declaration [Dkt. No. 116-1] and:

(1) Technical references and publications, including but not limited to:

a. IBM DICTIONARY OF COMPUTING 132 (Int’l ed. 1994) (Ex. C);

b. THE FACTS ON FILE DICTIONARY OF COMPUTER SCIENCE 43 (Rev. ed. 2006) (Ex. D);

c. MICROSOFT COMPUTER DICTIONARY 105 (4th ed. 1999) (Ex. E);

d. Rotz, Wendy, et al., “A Comparison of Random Number Generators Used in Business,” Proceedings of the Annual Meeting of the American Statistical Association (August 5-9, 2001) (“Rotz et al.”) (Ex. F);

e. Soto, J., “Statistical Testing of Random Number Generators,” Proceedings of the 22nd National Information Systems Security Conference (1999) (“Soto”) (Ex. G);

f. Securing Your Web Browser, UNITED STATES COMPUTER EMERGENCY READINESS TEAM (US-CERT) OF U.S. DEP’T OF HOMELAND SECURITY, https://www.us-cert.gov/publications/securing-your-web-browser (last visited June 9, 2016) (Ex. H); and

g. 695.712 – Authentication Technologies in Cybersecurity, JOHNS HOPKINS UNIVERSITY - WHITING SCHOOL OF ENGINEERING, https://ep.jhu.edu/programs-and-courses/695.712-authentication-technologies-in-cybersecurity (last visited June 2, 2016) (Ex. I).

3. Unless otherwise expressly stated, the opinions below regarding the perspective of one of ordinary skill in the art refer to the opinion of one of ordinary skill as it would have been on the effective filing date of August 29, 2001.

DECLARATION OF JEFFREY K. HOLLINGSWORTH, PH.D.
(CASE NO. 2:15-cv-478-RGD-LRL)
- 1 -

4. I will briefly describe some of my experience in the fields of network and computer security. From the early 1990s, I have served as one of the two principal investigators on the Dyninst Project. Dyninst is a tool to analyze and modify computer programs. Dyninst has been used by many research groups around the world for various computer security related research projects.

5. Since 2005, I have served as Adjunct Research Staff Member at the Institute for Defence Analysis Center for Computer Science (CCS). CCS conducts research on critical national issues for the National Security Agency, and other Federal Agencies. In this role I conduct research on various aspects of computer and network security. Since all of that work is classified, I will not describe it further here.

6. From 2004 to 2006 I served as director of the Center for Human Enhanced Secure Systems (CHESS). CHESS was the first research center in cyber-security at the University of Maryland. Its mission was to bring together computer security researchers from across the UMD campus to increase research in computer security at the University of Maryland.

7. Since 1995, I have taught both the Computer Networking and Operating Systems senior level classes at the University of Maryland. Both of these classes include significant coverage of various aspects of network and computer system security. In fact, these classes are two of the five specific senior courses that are required in the University of Maryland’s Specialization in Cybersecurity within the Computer Science Program.

THE PERSPECTIVE OF ONE OF ORDINARY SKILL IN THE ART

“dynamic code”

8. One of ordinary skill would have understood that different methods of generating the claimed “dynamic code” may generate codes of varying degrees of nonpredictability, and one of ordinary skill would have selected a degree of nonpredictability that provides the desired degree of security for a given application. This understanding is corroborated by Rotz et al. (2001) and Soto (1999), which discuss the idea that different random number generators (RNGs) produce different degrees of nonpredictability. Soto discusses “metrics . . . to investigate the randomness of cryptographic RNGs and . . . confidence that random number generators are acceptable from a statistical point of view.” Soto at 9 (emphasis in original). The term “substantially nonpredictable” means that one of ordinary skill would have had confidence that the selected degree of nonpredictability is acceptable from a statistical point of view to achieve a desired degree of security for a given application.

9. As a practical matter, a person of ordinary skill would understand that while it is important for a dynamic code to be unpredictable, it would not be necessary, expected, or even desirable that the dynamic code be unique and never repeated for all transactions ad infinitum.

10. As a simple practical example, consider a four digit numeric code: This code only has 10,000 possible values (0000 to 9999). If it were necessary for the code never to be repeated, only 10,000 transactions could be supported before the system would no longer operate. A person of ordinary skill would clearly recognize that such a system would have too short a life to be practical or useful.

11. However, if a new code is generated for each transaction, and each time a code is generated it is substantially nonpredictable, an adversary has only a 1 in 10,000 chance of guessing the current code. (If increased security—e.g., consistent with a lower chance of an unauthorized user guessing the code—is desired, a larger range of numbers can be used. Thus, security can be increased at the expense of having longer codes to store and transmit.) In such a system, the same code could be generated at different times and thus reused. Such a system would be both practical and useful.

12. With reference to ¶ 88 of Dr. Rubin’s Declaration [Dkt. No. 115-1], I agree that invalidating a dynamic code to prevent future use is a useful security property. However, one of ordinary skill in the art at the time of the invention would have understood that what the ’432 patent describes is that the invalidation step merely makes the code “invalid,” not that it prevents that code from ever being generated again in the future. In fact, if codes were never able to be reused again, it could decrease the security of the system. For example, as codes are used and discarded, the number of remaining valid codes decreases. Thus a hypothetical attacker might need to try fewer codes to guess a valid one.
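The four-digit code scheme discussed in paragraphs 10 through 12, as an added example that is not part of this declaration or of the ’432 patent. It models three things: a code generator that may repeat values, a hypothetical issuer that never reuses a code and therefore exhausts its 10,000-value pool, and an issuer that invalidates each code after use while allowing the same value to be generated again. The class names, the `txn_id` field and the injectable `rng` parameter are illustrative assumptions.

```python
# Added example (not from the declaration or the '432 patent): a small model of
# the four-digit dynamic-code scheme discussed in paragraphs 10-12, so the
# trade-off between reusing codes and exhausting the code space can be measured.
import secrets
from fractions import Fraction

CODE_SPACE = 10_000  # four decimal digits: 0000 through 9999


def new_code() -> str:
    """Return a newly generated four-digit code drawn from a CSPRNG.

    The value may repeat in later calls: "new" means newly generated for this
    request, not globally unique (the sense of "new" in paragraph 13)."""
    return f"{secrets.randbelow(CODE_SPACE):04d}"


class NeverReuseIssuer:
    """Hypothetical scheme in which an issued code is never issued again.

    The pool shrinks by one per transaction and is empty after CODE_SPACE
    transactions, after which the system can no longer operate."""

    def __init__(self) -> None:
        self.remaining = [f"{i:04d}" for i in range(CODE_SPACE)]

    def new_code(self) -> str:
        if not self.remaining:
            raise RuntimeError(f"code space exhausted after {CODE_SPACE} transactions")
        return self.remaining.pop(secrets.randbelow(len(self.remaining)))


class ReuseWithInvalidation:
    """Scheme in which each transaction gets a newly generated code that is
    invalidated after use, while the same value may be generated again later.

    `rng` (an assumed parameter) is a zero-argument callable returning a code;
    it exists only so a deterministic sequence can be injected for testing."""

    def __init__(self, rng=new_code) -> None:
        self.rng = rng
        self.valid = {}  # code -> transaction id for which it is currently valid

    def new_code(self, txn_id: int) -> str:
        code = self.rng()
        self.valid[code] = txn_id  # a repeated value is simply re-bound to the new transaction
        return code

    def validate(self, code: str, txn_id: int) -> bool:
        """Accept a code once for its transaction, then mark it invalid."""
        if self.valid.get(code) == txn_id:
            del self.valid[code]
            return True
        return False


def single_guess_probability(codes_used: int, reuse: bool) -> Fraction:
    """Chance that one guess hits the current code.

    With reuse every code is drawn uniformly from all CODE_SPACE values, so the
    chance stays 1/10,000 however many transactions have occurred. Without
    reuse, an adversary who knows which codes were consumed only has to guess
    among the ones that remain, so the chance grows as the pool empties."""
    if reuse:
        return Fraction(1, CODE_SPACE)
    remaining = CODE_SPACE - codes_used
    if remaining <= 0:
        raise RuntimeError("code space exhausted")
    return Fraction(1, remaining)


if __name__ == "__main__":
    # Exhaustion: the never-reuse issuer stops after exactly 10,000 codes.
    issuer = NeverReuseIssuer()
    issued = {issuer.new_code() for _ in range(CODE_SPACE)}
    print("distinct codes issued before exhaustion:", len(issued))
    # Reuse with invalidation: a code is accepted once and rejected on replay.
    scheme = ReuseWithInvalidation()
    code = scheme.new_code(txn_id=1)
    print("first use accepted:", scheme.validate(code, 1))
    print("replay rejected:", scheme.validate(code, 1))
    for used in (0, 5_000, 9_900):
        print(used, "codes used:", single_guess_probability(used, reuse=True),
              "with reuse,", single_guess_probability(used, reuse=False), "without")
```

Running the script prints that the never-reuse issuer hands out exactly 10,000 distinct codes and then raises, while the reuse-with-invalidation scheme keeps operating, accepts a code once and rejects its replay; the probability table shows the guess chance fixed at 1/10,000 with reuse and rising to 1/100 once 9,900 codes have been consumed without reuse.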
`
13. To one of ordinary skill, the term “new code” would indicate that the algorithm to create a code was invoked and a code was returned. The code that is returned would not necessarily be unique for all invocations of the function. In this sense, it is a newly allocated code rather than a globally unique code. This is analogous to how a computer program requests more memory (for example, in the “C++” programming language, additional memory is requested through a function called “new”). The memory that is returned is not in fact new memory that has never been used; it is merely memory that has been allocated for this request but has likely been used before and will likely be used again in the future.

“central-entity”

14. The term “entity” has meaning to one of ordinary skill in the art of the ’432 patent, such as the fields of computer security and computer networking. The ’432 patent refers to the “central-entity” as a “party.” A “party,” in the context of this patent, is a participant in an electronic communication or transaction, where the participant may be a software process and/or hardware.

15. Technical dictionaries define a “computer system” as (1) “[a] functional unit, consisting of one or more computers and associated software . . .”; (2) “[a] self-contained set of computing equipment consistent of a computer, or possibly several computers, together with associated software”; or (3) “[t]he configuration that includes all functional components of a computer and its associated hardware.” See Exs. C, D, E.

16. As confirmed by these technical dictionaries’ definitions of “computer system,” it would have made sense to one of ordinary skill to speak about “a computer associated with a computer system.”

17. In the context of the ’432 patent, there is no apparent technical reason to limit the meaning of the claim term “entity” to the legal concept of a corporate personality such as a company name. Besides being corroborated by the definitions of “entity” in several technical references in the fields of computing and computer security, which I discussed in my previous Declaration [Dkt. No. 116-1], it is also corroborated by the use of the term “entity” by Johns Hopkins University, where Dr. Rubin teaches, in describing a course on “Authentication Technologies in Cybersecurity.” See Ex. I. That course description describes an “entity” thus: “An entity can be, but is not limited to, software, firmware, physical devices, and humans.” Ex. I.

“external-entity”

18. The specification of the ’432 patent also contradicts USAA’s attempt to limit an “entity” to the legal (and non-technical) concept of a corporate personality. For example, the specification of the ’432 patent describes examples in which:

[T]he user 10 attempts to access a restricted web site or attempts to buy services or products 110, as illustrated in FIG. 4, through a standard interface provided by the External-Entity 20.

. . .

The External-Entity 20 displays the access or purchase authorization form requesting the user 10 to authenticate himself using his UserName and SecureCode as digital identity.

. . .

The External-Entity 20 might also display the identification and authentication response to the user 10.

[Dkt. No. 70-1 at 5:5–8, 5:10–13, 5:41–43 (emphasis added).] One of ordinary skill would have understood that a computer system, not a corporate personality, “provide[s]” a “standard interface” and “displays” a form or response to a user.

19. One of ordinary skill would have understood a “pre-existing relationship” with a computer system to make sense. For example, in the field of computer security, there exists (and existed on the effective filing date) a notion of a “trust relationship” between computers or between a user account and a computer.

20. An example of how the term “relationship” is used in the field of computer security is demonstrated on the “Securing Your Web Browser” webpage (Ex. H) of the United States Computer Emergency Readiness Team (US-CERT) of the U.S. Department of Homeland Security, which is publicly accessible at <<https://www.us-cert.gov/publications/securing-your-web-browser>>. That webpage describes that “Cross-Site Scripting, often referred to as XSS, is a vulnerability in a website that permits an attacker to leverage the trust relationship that you have with that site” (emphasis added). In this example, the “relationship” is between a user (“you”) and an online website (“that site”).
`
21. One of ordinary skill would have understood that “physical or logical separation” is called for between the “central-entity” and the “external-entity” since either physical or logical separation can serve the goal of separation in the computer security context.

Other Topics

22. One of ordinary skill would have understood that an “algorithmic combination” could be, for example, concatenation or hashing.
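The two forms of “algorithmic combination” named in paragraph 22, concatenation and hashing, applied to a UserName and a dynamic code, as an added example that is not part of this declaration or of the ’432 patent. The field names, the `:` separator and the length-prefix encoding are illustrative assumptions; the example also shows the one caveat a practitioner checks with either method, namely that the combined value must not be ambiguous about where one field ends and the other begins.

```python
# Added example (not from the declaration or the '432 patent): concatenation and
# hashing as two ways to combine a UserName with a dynamic code.
import hashlib
from typing import Tuple

SEP = ":"  # assumed delimiter; it must not occur inside either field


def combine_by_concatenation(user_name: str, dynamic_code: str) -> str:
    """Join the two fields so the result can be split back into them.

    Without a delimiter, "ab" + "cd" and "abc" + "d" would both give "abcd";
    the separator, plus the check that it occurs in neither input, keeps the
    combination unambiguous and reversible."""
    if SEP in user_name or SEP in dynamic_code:
        raise ValueError("field contains the separator")
    return f"{user_name}{SEP}{dynamic_code}"


def split_concatenation(combined: str) -> Tuple[str, str]:
    """Inverse of combine_by_concatenation."""
    user_name, dynamic_code = combined.split(SEP, 1)
    return user_name, dynamic_code


def combine_by_hashing(user_name: str, dynamic_code: str) -> str:
    """One-way, fixed-length combination via SHA-256.

    Each field is length-prefixed (2-byte big-endian) before hashing, so that
    different splits of the same characters produce different digests; the
    original fields cannot be recovered from the result."""
    data = b""
    for field in (user_name, dynamic_code):
        encoded = field.encode("utf-8")
        data += len(encoded).to_bytes(2, "big") + encoded
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    # Constructed sample values, not taken from the patent or the declaration.
    token = combine_by_concatenation("alice", "4821")
    print("concatenated:", token, "->", split_concatenation(token))
    print("hashed:      ", combine_by_hashing("alice", "4821"))
    print("ab|cd and abc|d hash differently:",
          combine_by_hashing("ab", "cd") != combine_by_hashing("abc", "d"))
```

Concatenation keeps both fields recoverable, which suits a value that a receiving party must parse; hashing yields a fixed-length, one-way value, which suits a value that only needs to be compared. In both cases the length prefix or separator is what makes the combination a function of the pair of fields rather than of their joined characters.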
`
I declare under penalty of perjury that the foregoing is true and correct to the best of my knowledge, and, as to matters stated on information and belief, I believe them to be true.

Dated: June 9, 2016

Jeffrey K. Hollingsworth, Ph.D.