KAMRANI 2010

In re Patent of: Asghari-Kamrani, et al.
U.S. Patent No.: 8,266,432
Issue Date: September 11, 2012
Appl. Serial No.: 12/210,926
Filing Date: September 15, 2008
Title: CENTRALIZED IDENTIFICATION AND AUTHENTICATION SYSTEM AND METHOD

DECLARATION OF DR. ALFRED C. WEAVER

I, Dr. Alfred C. Weaver, do hereby declare:

1. I am making this declaration at the request of Patent Owner Nader Asghari-Kamrani and Kamran Asghari-Kamrani in the matter of CBM2016-00063 and CBM2016-00064, both of which are directed to US Patent 8,266,432.

I. QUALIFICATIONS AND ENGAGEMENT

2. I earned a Bachelor of Science in Engineering Science in 1971 from the University of Tennessee. I also earned a Master of Science in Computer Science from the University of Illinois at Urbana-Champaign in 1973. Thereafter, I earned a Ph.D. in Computer Science at the University of Illinois at Urbana-Champaign in 1976.

3. I am currently a Professor of Computer Science and the Associate Chair of the Department of Computer Science at the University of Virginia (“UVa”). I have been employed at UVa continuously since 1977. Over the period of my employment at UVa, I have taught more than 25 different courses, including electronic commerce, operating systems, computer networks, and various programming courses. Moreover, I have been the graduate advisor for 69 Ph.D. and master’s students, all in Computer Science.

4. In addition to my teaching duties, I am also the Founding Director of UVa’s Applied Research Institute, a group of faculty engaged in research areas related to national security and funded by both government and industry. To date, I have published 16 books and book chapters, 30 refereed journal articles, 139 refereed conference publications, and 80 technical reports. I currently serve on the Advisory Council of the Editorial Board of IEEE Computer magazine.

5. As a researcher, I have served as Principal Investigator or co-Principal Investigator of 130+ research projects funded by the federal government and private industry. Recent research projects include 3D printing, automated analysis of published scientific literature, secure mobile computing, crowdsourcing, data integrity, and trustworthy computing.

6. I have founded five companies. One of these, Network Xpress, Inc., was a spin-off from research work in computer networks funded by the U.S. Navy at UVa. At its peak, another company, Reliacast, Inc., employed 90 people and developed software for secure streaming of multimedia. Reliacast was ultimately sold to Comcast.

7. I have served as an expert witness in 20+ patent infringement cases since 1988. Six of those cases have gone to trial. In the past four years I have testified in court in two cases:

    VS Technologies v. Twitter, Inc., No. 2:11-cv-00043-HCM-TEM in the United States District Court for the Eastern District of Virginia (Norfolk). In that case, I testified on behalf of Twitter.

    ePlus, Inc. v. Lawson Software, Inc., No. 3:09-cv-00620-REP in the United States District Court for the Eastern District of Virginia (Richmond). In that case, I testified on behalf of ePlus.

8. A complete list of cases in which I have testified at deposition, hearing or trial in the past 4 years is attached hereto as Exhibit 2012.

9. I have authored or co-authored 16 books or book chapters in the computer science field and have authored or co-authored over 169 refereed journal and conference papers on various topics related to computer science, computer systems, computer networks, search agents, databases, the Internet and e-commerce, among other topics. I am a member of the editorial board of the IEEE Computer magazine.

10. I have presented papers at numerous conferences and have served as Program Chair or Technical Program Chair of a number of conferences around the world. For example, I was the Keynote Speaker at the International Workshop on Privacy, Security, and Trust for Mobile Devices (MobiPST’11), in Maui, Hawaii, in July 2011 on the topic of “Providing Privacy and Security for Mobile Devices.” I was the Keynote Speaker at the IEEE International Conference on Industrial Technology (ICIT’05), in Hong Kong, in December 2005 on the topic of “Achieving Data Privacy and Security Using Web Services.” I was the Keynote Speaker at the IEEE International Conference on Emerging Technologies and Factory Automation (ETFA’05), in Catania, Sicily, Italy, in September 2005 on the topic of “A Security Architecture for Distributed Data Security.”

11. With my co-authors Sam Dwyer and Kristen Hughes, I wrote chapter two entitled “Health Insurance Accountability and Portability Act” in the book Security Issues in the Digital Medical Enterprise, published by the Society for Computer Applications in Radiology in 2004. I wrote the paper “Secure Sockets Layer” in Computer in April 2006. With my co-author Andrew Jurik, I wrote “Securing Mobile Devices with Biotelemetry,” presented at the International Workshop on Privacy, Security, and Trust in Mobile and Wireless Systems (MobiPST’11), in Maui, Hawaii, in July, 2011. I presented the NATO Fellowship Lecture at Bogazici University, in Istanbul, Turkey, in May 2000 on the topic of “Internet Privacy and Security.” With my master’s student Andrew Snyder, I wrote “The e-Logistics of Securing Distributed Medical Data,” presented at the IEEE International Conference on Industrial Informatics, Banff, Alberta, Canada, in August 2003. I supervised Andrew Snyder’s master’s thesis on the topic of “Performance Measurement and Workflow Impact of Securing Medical Data Using HIPAA Compliant Encryption in a .NET Environment,” in August 2003.

12. I am a named inventor on U.S. patent 4,217,658 that resulted from my Ph.D. research at the University of Illinois.

13. I am a Fellow of the IEEE, an honor awarded to less than two percent of the IEEE membership.

14. I have been an invited guest lecturer at numerous meetings sponsored by various corporations around the world. For example, I spoke on “Reliable Multicast and Reliable Group Management” for a meeting held at Sun Microsystems in Palo Alto, California in July, 1999. I gave a presentation entitled “Xpress Transport Protocol” at a meeting sponsored by General Electric Research and Development Laboratory, held in Schenectady, New York, in December, 1996. I was an invited speaker on the topic of “Medical Data Privacy and Security” at the Microsoft Healthcare Users’ Group meeting in Redmond, Washington in 2006.

15. I was the Lucian Carr III Professor of Engineering and Applied Science at the University of Virginia from 2002-2004. I was a member of the Provost’s Promotion and Tenure Committee of the University of Virginia during 2003-2006. I served as the Chairman of the Department of Computer Science during 1984-85 and am now the Associate Chair of my department. In 1996-1999 and again in 2012-2015, I served as a member of the Promotion and Tenure Committee for the School of Engineering and Applied Science at the University of Virginia and chaired that committee during 1998-1999 and 2014-2015.

16. I teach the University of Virginia’s CS 4753 course “Electronic Commerce Technologies.” This course explains the role of encryption in modern electronic commerce and teaches the details of the mathematical algorithms that implement symmetric key encryption, public key encryption, and other encryption techniques. I was the Principal Investigator for “Secure E-Commerce: A Modular Course Supported by Virtual Laboratories,” a $500,000 research project funded by the National Science Foundation to develop a course teaching secure e-commerce.

17. I have also had the opportunity to consult with and/or work in the commercial sector. For example, I received a $200,000 research grant from Microsoft for my work in connection with development of a solution to the problems associated with the privacy and security of medical data. In the past, I’ve consulted for General Electric, Lockheed Martin, Honeywell, Raytheon, E-Systems and others. Additionally, I founded five companies of my own which focused on e-commerce. I was involved in all aspects of the life cycles of these companies from raising start-up capital funding, to designing and developing products, to commercializing these products in the marketplace. One of these companies, Reliacast, developed secure multimedia distribution software and was ultimately sold to Comcast.

18. A detailed curriculum vitae showing more of my credentials in these fields is attached as Exhibit 2011.

19. I am being compensated for my work in this matter at my standard hourly rate of $400/hour for consulting services. My compensation for this matter is not determined by or contingent upon the outcome of this case.

II. MATERIALS REVIEWED AND RELIED UPON

20. In preparing this Declaration I reviewed and considered all or portions of the following materials:

Ex. / Doc. | Description
1001 | U.S. Patent 8,266,432
1015 | U.S. Patent 7,444,676
 | U.S. Patent 8,281,129
1005 | U.S. Patent 7,356,837
 | U.S. Patent 7,356,837
 | U.S. Patent 8,266,432 file history
 | U.S. Patent 8,281,129 file history
 | Petition for Covered Business Method Patent Review of United States Patent No. 8,266,432 Pursuant to 35 U.S.C. § 321 and § 18 of the Leahy-Smith America Invents Act (CBM2016-00063)
1003 | Declaration of Dr. Seth Nielson
 | Petition for Covered Business Method Patent Review of United States Patent No. 8,266,432 Pursuant to 35 U.S.C. § 321 and § 18 of the Leahy-Smith America Invents Act (CBM2016-00064)
 | Decision Granting Institution of Covered Business Method Patent Review (CBM2016-00063)
 | Decision Granting Institution of Covered Business Method Patent Review (CBM2016-00064)
- | All other documents cited and used in this Declaration.

21. I have also relied upon my years of education, teaching, research, and experience concerning software, computer architecture, networks, network protocols, electronic commerce, privacy and security.

III. STATUS OF THE CLAIMS

A. Grounds of Review in CBM2016-00063

22. The Patent Trials and Appeals Board instituted review of (i) claims 1, 3, 5-8, 12-13, 15-27, 30-42, 44-45, 47-48, 50-52, and 55 under U.S.C. § 102(b) for being anticipated by U.S. Patent Application Publication No. 2006/0094403 (“Norefors”) (Ex. 1032), and (ii) claims 2, 9-11, 14, 28, 43, 46, 49, and 53 under U.S.C. 103(a) for being unpatentable over Norefors in view of U.S. Patent No. 5,740,361 (“Brown”) (Ex. 1035).

B. Grounds of Review in CBM2016-00064

23. The Patent Trials and Appeals Board instituted review of claims 1–3, 5–28, and 30–55 under 35 U.S.C. 103(a) for being unpatentable over US 2007/0022301 A1 (“Nicholson”) (Ex. 1034) in view of U.S. Patent No. 5,740,361 (“Brown”) (Ex. 1035).

C. Challenged Claims

24. With regard to challenged U.S. Patent No. 8,266,432, I understand that Patent Owner has previously disclaimed claims 4, 11, 29, 46, 49, and 53. Accordingly, claims 1-3, 5-10, 12-28, 30-45, 47, 48, 50-52, 54, and 55 remain under challenge.

IV. LEGAL STANDARDS

25. I am not an attorney. I have been advised of the following general principles of patent law to be considered in formulating my opinions set forth below.

Written Description

26. It is my understanding that a nonprovisional patent application can claim benefit to one or more prior-filed copending applications. A patent claim is entitled to the benefit of the filing date of a prior-filed application only if the original disclosure of the prior-filed application provides written description support for the patent claim. I understand that the prior-filed application is not required to have in haec verba support in the original specification in order to satisfy the written description requirement. Rather, I understand that the test for determining compliance with the written description requirement is whether the original disclosure of the prior-filed application reasonably would have conveyed to a POSITA that the inventor had possession of the claimed subject matter at the time of the prior-filed application’s filing date.

Claim Construction

27. It is my understanding that in determining whether a patent claim is anticipated or obvious in view of the prior art, the Patent Office must construe the claim by giving the claim its broadest reasonable interpretation consistent with the specification from the standpoint of a person of ordinary skill in the art (“POSITA”). For the purposes of this review, unless otherwise stated, I have construed each claim term in accordance with its plain and ordinary meaning under the required broadest reasonable interpretation of the terms.

Persons of Ordinary Skill in the Art

28. I believe that the 432 Patent is addressed to a POSITA, i.e., a person of ordinary skill in the art, with at least a bachelor’s degree or equivalent in digital electronics, electrical engineering, computer engineering, computer science, or a related technical degree, possibly with some additional post-degree work experience in system engineering (or equivalent). In determining who would be a POSITA, I considered at least the following criteria: (a) the type of problems encountered in the art; (b) prior art solutions to those problems; (c) the rapidity with which innovations are made; (d) the sophistication of the technology; and (e) the education level of active workers in the field.

V. BACKGROUND TECHNOLOGY OF THE 432 PATENT

29. The 432 Patent relates to “a system and method provided by a central-entity for centralized identification and authentication of users and their transactions to increase security in e-commerce.” Ex. 1001 at 2:52-55. As an example of an embodiment that is consistent with the 432 Patent, a customer (such as user 10) can attempt an online transaction with a business (such as external-entity 20). This scenario is supported by FIG. 2, 3:35-40, 4:44-61, and 5:5-10 in Ex. 1001. Before such a transaction can be completed, the business 20 can request a digital identity of the customer to assist with the customer’s 10 authentication. Id. at 5:10-13. The customer 10 then obtains the digital identity from a central-entity 30. The digital identity provided by central-entity 30 may be generated by combining one or more types of information that identify the user (such as an alphanumeric username or ID or login name or other identification phrase) with a dynamic, non-predictable, and time-dependent code. The customer 10 then provides that digital identity to the business 20. Id. at 5:13-27. The external-entity 20 then attempts to authenticate the digital identity with the central-entity 30. If the digital identity is correct and unexpired, then the central-entity 30 authenticates the customer 10 to the business 20, after which the business 20 completes the electronic transaction. Id. at 5:23-43. After the authentication step the central-entity 30 may invalidate the digital identity such that it cannot be used for any other transaction. Id. at 6:7-13.

VI. CLAIM CONSTRUCTION

A. Central-Entity

30. The Background section of the 432 Patent discloses:

    As used herein, a “Central-Entity” is any party [(i.e., any entity)] that has user’s personal and/or financial information, UserName, Password and generates dynamic, non-predictable and time dependable SecureCode for the user.

Id. at 2:13-18 and 2:56-3:26.

31. Using the broadest reasonable interpretation standard, a POSITA would not interpret the “central-entity,” as claimed, to have all of the particular information described in the above passage of the Background section. For example, the claims of the 432 Patent do not require “financial information.” Instead, for example, independent claim 1 recites, “user-specific information.” And, dependent claim 15 recites, “user information comprises one or more of the following: an alphanumeric name, an ID, a login name, and an identification phrase.” Thus, I believe that “central-entity” means “a party that has at least some of a user’s personal information, financial information, UserName, and/or Password, and generates a dynamic, non-predictable and time-dependent code for the user.”

32. Additionally, using the broadest reasonable interpretation standard, a POSITA would interpret the claimed “central-entity” to include one or more computing systems. Each of independent claims 1, 25, 48, and 52 recite at least one “computer.” Claims 25 and 48 each recite more than one computer. For example, claim 25 recites:

    a first central-entity computer adapted to … generate a dynamic code for the user in response to a request during the electronic transaction, wherein the dynamic code is valid for a predefined time and becomes invalid after being used; and

    a second central-entity computer adapted to … validate a digital identity in response to an authentication request from the external-entity …

33. A POSITA would understand that the Central-Entity 30 disclosed in the 432 Patent may include one or more computing devices. For example, FIG. 2 (a portion of which is reproduced below for reference) illustrates the Central-Entity 30 as including a computing device (e.g., a server connected to a user 10 and an External-Entity 20 via a communications network 50). See, also, FIG. 1. FIG. 2 illustrates the computing system of the Central-Entity performing functions, including “Account Creation,” “SecureCode Generation,” and “Digital Identity Comparison.”

34. A POSITA would understand that the functions of the “computing systems” recited in the claims of the 432 Patent, and disclosed in the 432 Patent, could be performed by separate computer software processes (e.g., a code generation process and a separate digital identity comparison process), or by separate computing devices (e.g., a random number generation device and a separate digital identity authentication device). Such functions could be combined into a single software application (e.g., one combined identification and authentication process) or into a single computer (e.g., one combined identification and authentication device).

35. For the above reasons, when the term is given its broadest reasonable interpretation in light of the entire specification, I believe that “central-entity” means “a party comprising one or more computing devices, that has a user’s personal, financial, identification information, UserName, and/or Password, and that provides dynamic, non-predictable and time-dependent codes for the user.”

B. Authenticating

36. The purpose of authentication is to determine whether an individual actually is the individual that the individual purports to be. “Ideally, a secure identification and authorization system 1 would identify legitimate users 10 and unauthorized users 10. This would increase the user’s trust, which leads to more sales and cash flow for merchants/service providers.” Id. at 4:48-52. Given its broadest reasonable interpretation in light of the entire specification, I believe that “authenticating” means “verifying the identity of a user.”

C. Transaction

37. In the Decision to Institute, the Board construed the term “transaction” as “a single electronic transaction between the user and the external entity.” Paper 14, pp. 24-25. However, a POSITA would understand that the term “single” in the Board’s construction of “transaction” is superfluous and unnecessarily confuses the meaning of the term because a transaction can involve more than one sub-transaction. For example, a POSITA would understand that transferring funds between accounts (e.g., a checking account and a savings account) would involve debiting a first account and crediting a second account. This funds transfer would be within the scope of the example illustrated, e.g., in FIG. 2 of the 432 Patent, in which the External-Entity 30 could be a bank performing a banking service for a user 10. See, e.g., Ex. 1001 at 2:23-26. Accordingly, I believe that “transaction” means “an electronic transaction between the user and the external entity.”

D. During the Transaction

38. While the 432 Patent does not explicitly define “during the transaction,” it does provide a description of a transaction in Ex. 1001 at FIGS. 2, 4, 5, and 5:5-22. A transaction phase may begin when a user 10 attempts to access a restricted web site or attempts to buy services or products 110 of an External-Entity 20. Id. at 5:5-22. Thereafter, an authentication phase must be completed before the external-entity completes the attempted transaction. Id. at 5:23-41. According to my understanding of the 432 Patent, the External-Entity 20 must receive a message from the Central-Entity 30 approving the transaction based on a result of the authentication before completing the transaction phase. Id. Thus, I believe that the phrase “during the transaction” means “a period after the initiation of a transaction between a user and an external-entity and before the transaction is completed.”

E. Dynamic Code

39. In the 432 Patent, the claimed “dynamic code” corresponds to the disclosed “SecureCode.” For example, the 432 Patent states:

    The term “SecureCode” is used herein to denote any dynamic, non-predictable and time dependent alphanumeric code, secret code, PIN or other code, which may be broadcast to the user over a communication network, and may be used as part of a digital identity to identify a user as an authorized user. Ex. 1001 at 2:35-40.

40. In its Decision, the Board construed the term “dynamic code” as “an alphanumeric code that is non-predictable and time dependent, which may be broadcast to the user over a communication network, and may be used as a part of a digital identity to identify a user as an authorized user.” Paper 14 at p. 18. However, the Board’s construction is not consistent with BRI because the 432 Patent does not require that the SecureCode be alphanumeric. Rather, as evident in the passage above, it can also be “… a secret code, PIN or other code.” Additionally, the term “may be” in the above passage of the 432 Patent, as in “may be broadcast to the user over a communication network, and may be used as part of a digital identity to identify a user as an authorized user,” is optional language that does not limit the meaning of the term “dynamic code” when the term is given its broadest reasonable interpretation. Accordingly, I believe that the term “dynamic code” means “a code that is non-predictable and time-dependent.”

VII. WRITTEN DESCRIPTION SUPPORT IN THE 129 PATENT

41. To provide my opinions that the original disclosure of a prior-filed application no. 11/333,400 (“the 400 application”) provides written description support for the 432 Patent claims, I herein cite to the disclosure of the 129 Patent issued from the 400 application for convenience because the original disclosure of the 400 application is substantially identical to that of the 129 Patent.

A. User vs. Individual

42. The 129 Patent discloses the meaning of the term “individual” as:

    [B]roadly refer[ing] to a person, company or organization that has established a trusted relationship with a trusted-authenticator 30. Ex. 2004 at 7:51-53.

43. Thus the definition of “individual” is tied to a trusted relationship rather than to a single human. The “individual” may be a person, or a company, or an organization. Further, the 129 Patent discloses that an individual 10 can be, e.g., a customer 10 of a business 20, such as a website, car dealership or creditor. Id. at Abstract, 1:12-15, 3:25-28, 4:67-5:4, 7:54-58, 8:59-67, 9:1-12, and 11:24-31.

44. In the 432 Patent:

    For convenience, the term “user” is used throughout to represent both a typical person consuming goods and services as well as a business consuming good and services. Ex. 1001 at 2:10-12.

45. Thus, a POSITA would understand that the description of the individual 10 in the 129 Patent provides sufficient written description support for the “user” in the 432 Patent.

B. Central-Entity vs. Trusted-Authenticator

46. The Abstract of the 129 Patent discloses that “The proposed method enables businesses to determine whether the customer is truly the person who he says he is by adopting a new two-factor authentication technique and authenticating customer’s identity utilizing trusted authenticator.” As illustrated in, e.g., FIGS. 2a and 2b of the 129 Patent, the trusted-authenticator 30 includes at least one computing device. Also, according to my understanding, the trusted-authenticator 30 can be a bank or other financial institution. 129 Patent at 4:11-16. Therefore, the trusted-authenticator 30 possesses an individual’s 10 personal or financial information. And, because the trusted-authenticator 30 maintains the static key, it follows that the trusted-authenticator 30 possesses an individual’s 10 password, name, UserName, SSN, alias, account number, customer number, etc. Id. at 6:45-67 and 8:4-12. Further, the actions illustrated in Figure 2a and described at lines 9:13-10:20 of the 129 Patent are mirrored by similar descriptions in the 432 Patent’s claim terms. Thus, a POSITA would understand that the trusted authenticator 30 of the 129 Patent provides sufficient written description support for the “central-entity” in the 432 Patent.

C. External-Entity vs. Business

47. The 129 Patent describes a “business” 20 as follows:

    Furthermore, as used herein, “business” 20 broadly refers to a company or organization (online or offline) that has established a trusted relationship with a trusted-authenticator 40 and that needs to authenticate the identity of the individual 10. Ex. 2004 at 7:54-58.

48. As shown in Figures 2a and 2b, the business 20 is a party or entity that needs to authenticate an Individual’s 10 digital identity in an e-commerce transaction. From this description it is clear that the Business 20 of the 129 Patent performs substantially the same functionality as the “external-entity 20” of the 432 Patent. For example, looking at the 129 Patent’s Figure 2a, the business 20 sends 120 an authentication (request) message to trusted-authenticator 30 for authenticating a user 10 and receives 126 a confirmation or denial message in return; looking at the 432 Patent’s Figure 2, the external-entity 20 sends the central-entity 30 an authentication request at step “J” and receives a “valid” or “failed” authorization message in return. Thus, a POSITA would understand that the Business 20 of the 129 Patent provides sufficient written description support for the “external-entity” recited in the 432 Patent.

D. During the Transaction

49. While the 129 Patent does not explicitly state which functions occur “during the transaction” (as they are enumerated in the claims of the 432 Patent), a POSITA would reasonably conclude that the functions described in the 432 Patent are disclosed by the 129 Patent.

50. Figure 2 of the 432 Patent discloses a process in which the central-entity 30 authenticates a user during a period of time before a transaction can be completed between the user 10 and external-entity 20. Figure 2a of the 129 Patent discloses that the trusted-authenticator 30 authenticates an individual 10 before a transaction can be completed between the individual 10 and the business 20.

51. This process is detailed in the 129 Patent as shown in the table below.

Actions to be performed before transaction can be completed | Support in 129 Patent
Business 20 requests validation of individual 10 | Figure 2a, step 110, 9:15-18
Individual 10 requests dynamic key from trusted-authenticator 30 | Figure 2a, step 100, 9:19-22
Trusted-authenticator 30 calculates a dynamic key, sends it to individual 10, and retains copy | Figure 2a, step 102, 9:23-25
Individual 10 provides dynamic key and static key to business 20 | Figure 2a, step 112, 9:29-31
Business 20 sends authentication (request) message to trusted-authenticator 30 to validate individual 10 | Figure 2a, step 120, 9:29-31
Trusted-authenticator 30 authenticates individual 10 by comparing static and dynamic keys against stored copies | Figure 2a, 9:29-31
Trusted-authenticator 30 sends a confirmation or denial message to business 20 | Figure 2a, step 125, 9:37-46

52. Thus a POSITA would understand that the functions and actions described in the 432 Patent have adequate written description support from the 129 Patent’s description of functions and actions occurring “during the transaction,” as shown in Figure 2a and lines 9:13-46.

E. Dynamic Code vs. Dynamic Key

53. The central-entity of the 432 Patent and the trusted-authenticator of the 129 Patent both generate dynamic codes (the same or similar to dynamic keys) as part of the trust-enforcement algorithm. The 432 Patent calls this dynamic code a “SecureCode” and describes it as being “any dynamic, non-predictable and time dependent alphanumeric code, secret code, PIN or other code … and may be used as part of a digital identity to identify a user as an authorized user.” Ex. 1001 at 2:35-40. The 129 Patent describes the dynamic key as a SecureCode “which is a key or information that is variable and is provided to the individual 10 by the individual’s trusted-authenticator 30 at the time it is needed for authentication. The dynamic key is an alphanumeric code and will have a different value each time the individual 10 receives it from his/her trusted-authenticator 40 for authorization purposes. To increase security a dynamic key may have a non-repeating value, may be time dependent (valid for some period of time) and may be in encrypted format.” Ex. 2004 at 8:13-22. Accordingly, a POSITA would understand that the “dynamic key,” as disclosed in the 676 Patent, provides sufficient written description support for the claimed “dynamic code” of the 432 Patent.

F. Standard Interface

54. Claim 19 of the 432 Patent recites, “said request is initiated by said user through a standard interface provided to said user.” The 432 does not define this term. It merely says, “a standard interface provided by the External-Entity 20, similar to what exists today …” Ex. 1001 at 5:5-9. It does, however, disclose communicating over the Internet and mentions using a Website. Similarly, the 129 Patent describes: “An email would contain a link that takes the customer to an authentication screen on the trusted authenticator's website.” Ex. 2004 at 4:52-53.

    “When an individual is on a business's site (offline or online), for successful direct authentication, the business requires the individual to provide his/her static and dynamic keys. The individual requests a dynamic key from his/her trusted-authenticator (using any communication network such as Internet or wireless) …” Id. at 7:3-8.

55. Internet communications use standard communication protocols (internet protocol or IP) and standard languages interpretable by browsers (e.g., HTML) to render websites as computer-user interfaces. Thus, a POSITA would interpret “standard interface” to be a standard authentication screen at a website.

G. Comparing

56. Claim 2 of the 432 Patent recites, “comparing the combined dynamic code and user specific information with a rec