UNITED STATES PATENT AND TRADEMARK OFFICE
________________

BEFORE THE PATENT TRIAL AND APPEAL BOARD
________________

APPLE INC.,
VISA INC., and VISA U.S.A. INC.,

Petitioners,

v.

UNIVERSAL SECURE REGISTRY LLC
Patent Owner
________________

Case CBM2018-00024¹
U.S. Patent No. 8,577,813
________________

PATENT OWNER’S SUR-REPLY

¹ Visa Inc. and Visa U.S.A. Inc., which filed a petition in CBM2019-00025, have been joined as a party to this proceeding.

TABLE OF CONTENTS

Case No. CBM2018-00024
U.S. Patent No. 8,577,813

I. THE ’813 PATENT IS NOT CBM ELIGIBLE
   A. IBG LLC v. Trading Technologies Int’l, Inc. Requires Dismissal
   B. Petitioner Fails To Prove The Claimed Subject Matter As A Whole Does Not Recite A Technological Feature That Is Novel And Unobvious
   C. Petitioner Fails To Prove The Claimed Subject Matter As A Whole Does Not Solve A Technological Problem Using A Technical Solution
II. PETITIONER FAILS TO PROVE THAT MAES IN VIEW OF JAKOBSSON RENDERS THE CHALLENGED CLAIMS OBVIOUS
   A. Petitioner Fails to Prove Maes Discloses A “Secure Registry”
   B. Petitioner Fails To Prove Jakobsson Discloses A “Secure Registry”
   C. Petitioner Fails To Prove A POSITA Would Have Been Motivated To Combine Maes And Jakobsson
      1. Petitioner Fails To Prove Obvious To Try/Reasonable Expectation of Success
      2. The Combination Would Change The Principle Of Operation
      3. The Combination Fundamentally Changes Maes
      4. The Combination Undesirably Requires Providing Private User Data To Each Institution
      5. The Combination Would Not Increase Security
   D. Petitioner Has Failed To Prove Claim 4 Is Invalid
   E. Petitioner Fails To Prove Maes Discloses Displaying Indicators For The Plurality Of Accounts (Claims 13/17)
   F. Petitioner Fails To Prove Maes Discloses “De-Activating The Electronic ID Device” (Claim 18)
   G. Petitioner Fails To Prove Jakobsson Discloses “An Act Of Generating A Seed” (Claim 19)
   H. Petitioner Fails To Prove Claim 20 Is Invalid
III. PETITIONER FAILS TO PROVE CLAIMS 6-10 ARE INVALID
   A. Petitioner Fails To Prove Not Permitting User Input (Cl. 6-10)
      1. Petitioner Fails to Prove Maritzen Discloses Not Permitting User Input
      2. Petitioner Fails To Prove A POSITA Would Combine Maes And Maritzen
IV. PETITIONER FAILS TO PROVE CLAIMS 14-15, 22-23, 25-26 ARE INVALID
   A. Petitioner Fails To Prove Maes Discloses Displaying Options For Purchase/Accepting Selections
   B. Petitioner Fails To Prove A POSITA Would Combine Maes and Labrou
V. PETITIONER FAILED TO REBUT EVIDENCE OF SECONDARY CONSIDERATIONS OF NON-OBVIOUSNESS
VI. CONCLUSION

TABLE OF AUTHORITIES

Cases

Apple, Inc. v. Universal Secure Registry LLC,
 CBM2018-00026 (PTAB Dec. 10, 2018)
Experian Mktg. Solutions, Inc. & Epsilon Data Mgmt. v. Rpost Commc’n Ltd,
 CBM2014-00010 (PTAB. April 22, 2014)
HTC Corp., ZTE (USA), Inc. v. Cellular Comms. Equip., LLC,
 877 F.3d 1361 (Fed. Cir. 2017)
IBG LLC v. Trading Technologies Int’l, Inc.,
 2019 WL 581580 (Fed Cir., Feb. 13, 2019)
Universal Secure Registry, LLC v. Apple, Inc.,
 No. 1:17-cv-00585-CFC-SRF (D. Del., Sept. 19, 2018)

Statutory Authorities

35 U.S.C. §103

Rules and Regulations

37 C.F.R. § 42.301(b)

LIST OF EXHIBITS

Exhibit #  Description
2001  Declaration of Markus Jakobsson in Support of Patent Owner’s Preliminary Response
2002  Curriculum Vitae of Markus Jakobsson
2003  Universal Secure Registry LLC v. Apple Inc., No. 17-585, Doc. 77 (D. Del., May 22, 2018)
2004  Declaration of Alan Schiffman in Support of Patent Owner’s Preliminary Response
2005  Curriculum Vitae of Alan Schiffman
2006  Declaration ISO of Unopposed Motion for Admission Pro Hac Vice of Harold A. Barza
2007  Declaration ISO of Unopposed Motion for Admission Pro Hac Vice of Jordan B. Kaericher
2008  U.S. Application No. 13/237,184
2009  U.S. Application No. 12/393,586
2010  Declaration by Dr. Markus Jakobsson Ph.D. in Support of Motion to Amend
2011  Declaration of Markus Jakobsson in Support of Patent Owner’s Response
2012  N. Asokan, et al., The State of the Art in Electronic Payment Systems, IEEE Computer, Vol. 30, No. 9, pp. 28-35 (IEEE Computer Society Press, Sept. 1997)
2013  M. Baddeley, Using E-Cash in the New Economy: An Economic Analysis of Micropayment Systems, J. Electronic Commerce Research, Vol. 5, No. 4, pp. 239-253 (Nov. 2004)
2014  Rough Deposition Transcript of Dr. Victor John Shoup
2015  Universal Secure Registry, LLC v. Apple, Inc., No. 1:17-cv-00585-CFC-SRF, Doc. 137 (D. Del., Sept. 19, 2018)
2016  Deposition Transcript of Dr. Victor John Shoup

Universal Secure Registry, L.L.C. (“Patent Owner”) submits this Sur-Reply in opposition to Apple Inc.’s (“Petitioner”) Reply (Paper 31, “Reply”) to PO’s Response (Paper 26, “Response”). As explained in the Response, and herein, Petitioner has failed to prove the challenged claims are invalid.

I. THE ’813 PATENT IS NOT CBM ELIGIBLE

A. IBG LLC v. Trading Technologies Int’l, Inc. Requires Dismissal

As set forth in the Response, the Federal Circuit recently clarified the “technological invention” exception to CBM review. IBG LLC v. Trading Technologies Int’l, Inc., 2019 WL 581580, *1 (Fed Cir., Feb. 13, 2019) (“IBG”). Specifically, the Court vacated Board decisions holding four patents with the same specification were not “technological inventions” where both the Board and Federal courts had found two patents in the family to be eligible under Section 101 because they were directed to an improvement in computer systems. Id., *1-*3.

The present proceeding presents identical facts: Both the Board and a federal court have found the ’813 patent to be eligible because it is directed to an improvement in the security of mobile devices. See Apple, Inc. v. Universal Secure Registry LLC, CBM2018-00026 (Paper 11), slip op., 24 (PTAB Dec. 10, 2018); Universal Secure Registry, LLC v. Apple, Inc., No. 1:17-cv-00585-CFC-SRF, Doc. 137 (D. Del., 2018).

While the Reply attempts to distinguish IBG on grounds that eligibility has not been “upheld by any final…determination,” that distinction is inapposite. See Reply, 3-4. The gravamen of IBG is that eligible patents directed to an improvement in computer systems are also “technological inventions.” IBG, *2. The decisions of the Board and a district court—holding the ’813 patent to be eligible because it is directed to an improvement in the security of mobile devices—are “instructive to the technological invention question;” indeed, according to IBG, it would be “internally inconsistent” to conclude the ’813 patent to not be a “technological invention.” See IBG, *1-*3.

Petitioner further argues that IBG is distinguishable because the USPTO has rejected other claims in other pending applications as ineligible. Reply, 4. This alleged distinction is misplaced because both the Board and a district court have addressed the identical patent and claims presented here and found them to be eligible.

B. Petitioner Fails To Prove The Claimed Subject Matter As A Whole Does Not Recite A Technological Feature That Is Novel And Unobvious

As explained in the Response, the Petition should also be dismissed because the claims solve a “technical problem using a technical solution.” The Reply argues PO’s expert admits “that all the technology used by the ’813 patent—from hardware components, to the communication interface, to the database and encryption techniques—was known.” Reply, 1-2. However, this argument is inapposite.

It is insufficient to simply conclude that the claims use “known” features. 37 C.F.R. §42.301(b) requires consideration of “the claimed subject matter as a whole”—not hardware/software implementation of individual steps. See, e.g., Experian Mktg. Sol’ns, Inc. v. RPost Commc’ns Ltd., CBM2014-0010 (Paper 20) slip op., 9 (PTAB Apr. 22, 2014) (petitioner incorrectly analyzed steps instead of examining each claim as a whole). Here, the specification and claims make clear that neither the individual recited components nor individual claimed steps are the invention; rather, the claims as a whole were the revolutionary advancement for which the USPTO granted the ’813 patent. As in IBG, the claims are not subject to CBM review because they address a specific technical problem and set forth a “specific implementation of a solution to a problem in the software arts.” IBG, *2.

C. Petitioner Fails To Prove The Claimed Subject Matter As A Whole Does Not Solve A Technological Problem Using A Technical Solution

Petitioner also fails to prove the claimed subject matter does not provide technical solutions to solve technical problems.

In its Reply, Petitioner failed to adequately address PO’s explanations, set forth in its Response, that Petitioner (1) ignores the software contribution in the claims, (2) fails to address the claimed invention as a whole, (3) fails to address any of the claim language, or (4) mischaracterized the problem to be solved and the claimed solution. Instead, Petitioner merely recycled arguments from pages 16 to 18 of its Petition. See Reply, 2-3. For the reasons set forth in the Response, the Petition should be denied because Petitioner has failed to prove the claimed subject matter does not provide technical solutions to solve technical problems.

II. PETITIONER FAILS TO PROVE THAT MAES IN VIEW OF JAKOBSSON RENDERS THE CHALLENGED CLAIMS OBVIOUS

A. Petitioner Fails to Prove Maes Discloses A “Secure Registry”

Petitioner contends Maes’ financial server 70 operates as a “secure registry.” Reply, 4. As explained in the Response, this is incorrect and can only be alleged by divorcing the limitation from its plain meaning, the specification and the context of the claim as a whole. See 35 U.S.C. §103 (“differences between the claimed invention and prior art are such that the claimed invention as a whole would have been obvious”) (emphasis added).

As set forth in the Response, for example, the language of claim 1 unambiguously establishes the properties of a “secure registry”: (1) In communication with a “communication interface” (1[c]); (2) Receives “encrypted authentication information” (1[g]) that is generated “from the non-predictable value, information associated with at least a portion of the biometric input, and the secret information” (1[f]); and (3) “[C]onfigured to receive at least a portion of the encrypted authentication information from the POS device.” (1[g]).² As Petitioner admits, Maes does not disclose the claimed “encrypted authentication information;” the Petition relies entirely on Jakobsson for this element. See Pet., 42-47. Indeed, Maes alone cannot teach a “secure registry” when the claim is considered as a whole.

² This is in addition to being a “database with access restrictions,” assuming arguendo Petitioner’s construction.

Furthermore, Petitioner has failed to prove that financial institution 70 necessarily has access restrictions, which is required because Petitioner proffers an inherency argument. See Pet., 32-33; accord HTC Corp., ZTE (USA), Inc. v. Cellular Comms. Equip., LLC, 877 F.3d 1361, 1368-1369 (Fed. Cir. 2017) (party seeking to establish inherency must show POSITA would recognize that missing descriptive matter in a prior art reference is “nevertheless necessarily present.”). Contrary to Petitioner’s naked assertion, a POSITA would understand that a database with access restrictions is not necessary for Maes to function. See Markus Decl., ¶62. Indeed, there are any number of methodologies that could be implemented without using access restrictions on financial institution 70. Id. Therefore, Petitioner has failed to meet its burden.

In Reply, Petitioner argues Patent Owner has failed to identify any such methodologies. Reply, 5. That is not Patent Owner’s burden. This is an inherency argument; the burden is the Petitioner’s. In any event, one such methodology would be to utilize dedicated communication lines between central server 60 and financial institution 70.

The Reply further argues 70 is a “secure registry” “because it restricts database access to authorized users by authenticating encrypted information.” Reply, 5. This is incorrect. First, while Maes encrypts digital certificates before being sent by central server 60 to the PDA 10, this is an instance of encrypting authentication information (namely the digital certificate) as opposed to authenticating encrypted information (which is distinct from encrypting authenticated information). Moreover, even if the encrypted digital certificate of Maes corresponded to authenticated encrypted information, which it does not, this data is sent from the central server 60 to the PDA 10, as opposed to the alleged secure registry, namely financial server 70. Also, the card information that is sent to the financial server is not encrypted authentication information, nor is it authenticated. See, e.g., Maes, 11:27-40. Petitioner fails to identify any authentication of encrypted information transmitted to the financial server 70. Petitioner also fails to identify any encrypted authentication information (which is distinct from authenticated encrypted information) that is sent to financial server 70.³

³ In arguing that Jakobsson and Maes disclose “encrypted authentication information,” the Reply also asserts server 60 is an example of a “secure registry” as found by the Board. Reply, 6. For the reasons set forth in the Response, this unsupported allegation is wrong.

B. Petitioner Fails To Prove Jakobsson Discloses A “Secure Registry”

Petitioner alternatively contends Jakobsson discloses a “secure registry” because “verifier 105 restricts access to authorized users.” Reply, 5 (arguing authentication is an access restriction; alleging Dr. Jakobsson provides no support or explanation otherwise). However, as explained in the Response, mere authentication is not an access restriction. Indeed, in an attempt to find support that Jakobsson discloses a secure registry, Petitioner is conflating authentication with authorization. An access restriction is an authorization control relative to a resource. While access control mechanisms can, in some cases, utilize authentication, that does not imply that authorization is the same as authentication. For example, a message authentication code or a digital signature (both of which are examples of authentication methods) can be used to permit detection of tampering of stored information. By verifying the authentication value associated with such a stored value, one can determine whether the stored value has been tampered with, and therefore, whether it can be safely used. As this example shows, authentication does not imply authorization; analogously, authentication also does not imply access restriction. Whereas Jakobsson discloses authentication, Petitioner fails to show that it also discloses authorization.

C. Petitioner Fails To Prove A POSITA Would Have Been Motivated To Combine Maes And Jakobsson

1. Petitioner Fails To Prove Obvious To Try/Reasonable Expectation of Success

The Reply alleges it would have been obvious to combine Jakobsson’s disclosure of “encrypted authentication information” with Maes because Jakobsson’s “authentication codes provide a robust security alternative to Maes’ encrypted information message.” Reply, 6. Petitioner is incorrect.

To begin with, it is well understood that encryption is used to hide information, whether while stored or communicated; authentication codes, in contrast, are a form of authentication method that is used to determine an identity relative to knowledge of some secret information. These are two distinct tasks, and an authenticated message can be accessible without knowledge of a secret, and an encrypted message can fail to authenticate its originator.

For example, a digitally signed message (comprising a message and a digital signature) does not stop a party with access to the digitally signed message from determining what the message is. Moreover, a message that has been encrypted using the public key of an intended recipient of the encrypted message does not have any indication of what party performed the encryption, nor does this process require any secret information. Therefore, using authentication codes in place of Maes’ encrypted information message drastically alters what is achieved.

Additionally, even if authentication codes were to solve the same problem as encrypted information messages, which they do not, Petitioner’s proposed modification is not meaningful. The encrypted information messages of Maes are transmitted from the user device to the merchant, and from the merchant directly to the financial institution; they are never transmitted to an entity that corresponds to a secure registry. Jakobsson, moreover, discloses the use of a single verifier, but Maes relies on a multiplicity of financial institutions. Petitioner does not explain how the authentication code of Jakobsson can be used for a multiplicity of verifiers. In fact, Jakobsson discloses the use of symmetric keys stored both by the user device and the verifier. Thus, the use of multiple verifiers would require the use of multiple keys stored and managed by the user device in Jakobsson, or require trust between all financial institutions in the system. The former would require further changes to the already modified Maes, and would have required undue experimentation. The latter would significantly degrade the assurances of the resulting system.

2. The Combination Would Change The Principle Of Operation

The Reply alleges a POSITA would be motivated to combine Maes with Jakobsson because both references use the same encryption and decryption model. Reply, 7-8 (arguing Jakobsson discloses a block cipher, allegedly an encryption process), 8 (citing [00058] of Jakobsson, allegedly disclosing decryption). This is plainly wrong.

Jakobsson’s use of the block cipher is as a building block to create a one-way function. This is supported by [00135] of Jakobsson, where it is described that the verifier needs to determine a multiplicity of tentative authentication codes, each corresponding to a different tentative event state, comparing the tentative authentication codes to the received authentication codes in order to determine a match. Once a match is found, Jakobsson’s verifier knows that the event state used to generate the correctly matched authentication code is the event state of the user device. This iteration would not have been necessary if Jakobsson indeed used the encrypt-decrypt model the Reply suggests, as opposed to the one-way-function-and-compare model Jakobsson actually discloses.
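
The one-way-function-and-compare model described above, as an added illustration that is not part of this brief and is not Jakobsson's own code: the verifier recomputes a tentative authentication code for each tentative event state and compares it with the received code, with no decryption step. HMAC-SHA256 as the one-way function, the 8-digit code length, the integer event states and every name below are assumptions made for this sketch.

```python
import hashlib
import hmac
from typing import Dict, Optional

CODE_DIGITS = 8  # assumed code length for this sketch


def auth_code(device_secret: bytes, time_step: int, event_state: int) -> str:
    """Derive an authentication code with a one-way function.

    HMAC-SHA256 stands in here for the block-cipher-based one-way function
    the brief attributes to Jakobsson (an assumption of this sketch).
    """
    msg = time_step.to_bytes(8, "big") + event_state.to_bytes(4, "big")
    digest = hmac.new(device_secret, msg, hashlib.sha256).digest()
    # Truncation discards most of the digest, so the code cannot be
    # inverted to recover the secret or the event state.
    number = int.from_bytes(digest[:8], "big") % (10 ** CODE_DIGITS)
    return str(number).zfill(CODE_DIGITS)


class Verifier:
    """Stores a distinct secret per device; verifies by recompute-and-compare."""

    def __init__(self, max_event_states: int = 8) -> None:
        self._secrets: Dict[str, bytes] = {}
        self._max_event_states = max_event_states

    def enroll(self, device_id: str, device_secret: bytes) -> None:
        self._secrets[device_id] = device_secret

    def verify(self, device_id: str, time_step: int, received: str) -> Optional[int]:
        """Return the matched event state, or None if no tentative code matches."""
        secret = self._secrets.get(device_id)
        if secret is None:
            return None
        # Iterate over tentative event states: the verifier learns the
        # device's event state only from which tentative code matches.
        for tentative_state in range(self._max_event_states):
            tentative = auth_code(secret, time_step, tentative_state)
            if hmac.compare_digest(tentative, received):
                return tentative_state
        return None


if __name__ == "__main__":
    # Constructed sample secrets; real device secrets would be random.
    secret_a, secret_b = bytes(range(32)), bytes(range(32, 64))
    verifier = Verifier()
    verifier.enroll("device-A", secret_a)
    verifier.enroll("device-B", secret_b)
    code = auth_code(secret_a, time_step=1000, event_state=5)
    print("device-A:", verifier.verify("device-A", 1000, code))
    print("device-B:", verifier.verify("device-B", 1000, code))
```

Because each device has its own stored secret, a code generated by one device does not verify under another device's entry.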

It is also worth noting that Jakobsson at [00136] discloses a method to avoid the iteration that involves conveying event states in the open. This would, of course, not be the preferred solution if it were possible to simply decrypt the received values in order to perform the verification. Petitioner has no credible explanation of why Jakobsson would disclose an encryption-decryption model in this context.

The Reply further argues there is no needless computational overhead with the combination (as explained by the Response), allegedly because Jakobsson’s verifier need not separately derive its own authentication code or store “private” data for each user. Reply at 8. Again, Petitioner is incorrect.

In this context, it is unclear whether Petitioner uses the term “private” to mean “associated only with” or “not accessible by non-authorized parties.” Assuming the former, one would observe that Jakobsson’s verifier must store different private data for each user device it is to authenticate. If it were not to store different data for each user device, but instead data that corresponds to multiple user devices, then the verifier would not be able to distinguish these user devices and their associated authentication codes from each other. Assuming instead that Petitioner meant “private” to mean the latter, it is also clear that if the data is not kept private, but is instead accessible to anybody, then anybody would be able to impersonate user devices.

3. The Combination Fundamentally Changes Maes

Petitioner argues the combination involves applying a known technique (Jakobsson’s cryptographic combination function) to known devices and methods (Maes’ PDA that uses remote authentication) ready for improvement (as Maes already collects biometric data and generates authentication information on validity of such data) to yield predictable results (enhanced remote authentication). Pet., 48-49. The Response explained how the proffered combination fundamentally changes the operation of Maes. See Response 47-51. For instance, adding Jakobsson’s authentication codes to Maes runs contrary to an object of the invention (providing a PDA device that is compatible with the current infrastructure) as the financial institution cannot process Jakobsson’s authentication code unless there are significant modifications.

The Reply disagrees, arguing Maes suggests only that physical components should remain compatible, and not software, which is all that is required to add Jakobsson. Reply, 9. Similarly, the Reply argues that, as the only change is software, there is no significant or expensive modification required. Id. at 10. This is incorrect.

For one thing, a POSITA would have recognized that maintaining the same data format and communication protocol between users and merchants, as well as between merchants and financial institutions, would have been part of being “compatible with all credit card and/or smartcard electronic fund transfer systems.” Accordingly, Maes discloses a system that supports the very specific format of credit card numbers and authorization numbers already in use. Changing the format or increasing the amount of data to be communicated would have been very costly, since this would have required altering merchant terminal systems. Whereas many systems today are built with the express purpose of allowing patching and over-the-air updates, this is not how the traditional credit card infrastructure was built. In fact, prior generation credit card merchant devices were intentionally designed to be difficult to update for reasons of security, as these devices would otherwise be at risk of being tampered with, exposed to malware, or having other undesirable modifications made.

4. The Combination Undesirably Requires Providing Private User Data To Each Institution

As explained in the Response, a POSITA would recognize that to use Jakobsson’s authentication code at Maes’ financial institution, as alleged, a user would have to provide their private data (i.e., their biometric information) to each financial institution for which they have an account because Jakobsson’s verifier authorizes upon a comparison of the transmitted code with a recreated code drawn from the stored private data. A POSITA would not make such a combination.

The Reply counters that there does not need to be multiple financial institutions; a user could have multiple accounts at one institution. Reply at 11. And, the Reply argues, even if required, data could be stored on a central server as in Maes. Id.

These assumptions contradict the teachings of Maes. First, Maes discloses a system that aims to remain compatible with the existing credit card system; since this, as is well known, incorporates multiple issuers and financial institutions, so would the system of Maes. Second, Maes explicitly refers to multiple financial institutions (e.g., “to obtain verification from the appropriate financial institution.”). Maes, 7:17-18; 11:39-40.

5. The Combination Would Not Increase Security

The Reply contends a POSITA would be motivated to make the alleged combination as it would increase security because Jakobsson’s authentication codes would supplement Maes’ digital certificate. Reply, 13. However, as explained in the Response, such combination would eviscerate the purpose of a digital certificate. In reply, Petitioner argues that Maes alone makes such a combination. Reply at 13 (citing 13:22-25, 13:35-39, 13:19-24). This is incorrect.

Adding an authentication code to the digital certificate would dramatically change the manner in which the system operates, and would not result in any benefit. In Jakobsson, the authentication code is generated by the user device and verified by the verifier. In Maes, however, the digital certificate is generated by the central server and verified by the digital certificate processor module 20 of the PDA. Petitioner does not even attempt to address this significant difference, nor does Petitioner explain how Jakobsson—a password replacement method—would have been a meaningful addition to Maes.

Petitioner also does not explain what it would mean to add the authentication code of Jakobsson (generated by a user device and verified by a central verifier) to the digital certificate of Maes (generated by the central server and verified by the user device). Assuming that Petitioner intended to use Jakobsson’s authentication code to authenticate a user device to a server, Petitioner does not explain why it would do so; Maes already discloses using biometric methods for the central server to authenticate users, prior to transmitting a digital certificate to the user device/PDA of Maes.

Assuming instead that Petitioner meant that the central server would generate the authentication code of Jakobsson and transmit it to the PDA for this to verify it, Petitioner does not explain how a POSITA would have performed this combination without undue experimentation, nor does Petitioner explain what improved functionality this would result in.

Further, when modifying Maes with Jakobsson’s authentication code, to interpret the authentication code a POSITA would need to modify Maes to have Jakobsson’s verifier technology. However, Jakobsson states the verifier cannot be used with multiple independent services due to security and sharing of keys.

Specifically, the ’813 patent’s secure registry is a centralized system that stores information for a plurality of accounts that may be associated with different entities (e.g., Visa and Mastercard). However, Jakobsson incorporates by reference U.S. Patent No. 6,985,583 at 2:41-51, which states that a single authentication device can only be used with a verifier specific to a single entity and service (e.g., Visa or Mastercard), but not both, due to security concerns relating to sharing of secrets. Accordingly, a POSITA would not be motivated to combine these references.

D. Petitioner Has Failed To Prove Claim 4 Is Invalid

The Reply argues a POSITA would be motivated to combine Maes and Jakobsson to teach claim 4’s limitation of “wherein the secret information includes the identifying information” because Jakobsson discloses that any input can be used in combination function 230 to create authentication information. Reply, 14. Petitioner is wrong.

To begin with, Petitioner incorrectly identifies Jakobsson’s “device secret (K)” as “an electronic serial number of the electronic ID device.” A POSITA would not have understood a device secret (K) to be the same as an electronic serial number of the electronic ID device. Electronic serial numbers are typically assigned according to a predictable pattern—typically serially—while a POSITA would have wanted to generate a device secret unpredictably, e.g., using a random generator or a pseudo-random generator.

Furthermore, RSA SecurID devices, which are the type of technology that Jakobsson improves upon (Jakobsson at [0042]), have 10-digit serial numbers, corresponding to fewer than 34 bits. Based upon the use in Jakobsson, a POSITA would have known that this is not a sufficient length for a device secret.

Moreover, if a SecurID device were to malfunction, the user could call an administrator and identify the SecurID token by reading the serial number from the back of the token to the administrator, allowing them to temporarily change the manner in which a user would log in using the associated account. A POSITA would know that it is common that serial numbers are printed on labels affixed to devices, or engraved into the surface of the device. In contrast, the device secret (K) of Jakobsson is “manufactured into and stored inside the device 120 such that it is very difficult to extract the secret (K) from the device.” This makes it clear that the device secret (K) is not the electronic serial number of the electronic ID device. Moreover, Jakobsson [0062] describes the use of a