By:

Joseph E. Palys
Paul Hastings LLP
875 15th Street NW
Washington, DC 20005
Telephone: (202) 551-1996
Facsimile: (202) 551-0496
E-mail: josephpalys@paulhastings.com

Naveen Modi
Paul Hastings LLP
875 15th Street NW
Washington, DC 20005
Telephone: (202) 551-1990
Facsimile: (202) 551-0490
E-mail: naveenmodi@paulhastings.com

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

APPLE INC.
Petitioner

v.

VIRNETX INC.
Patent Owner

Case IPR2015-00812
Patent 8,850,009

Declaration of Fabian Monrose, Ph.D.

Page 1 of 55

VIRNETX EXHIBIT 2016
Apple v. VirnetX
Trial IPR2015-00812

Case No. IPR2015-00812

Table of Contents

I. Introduction ........................................ 4
II. Resources Consulted ................................ 5
III. Background and Qualifications ..................... 5
IV. Level of Ordinary Skill ........................... 10
V. Claim Terms ........................................ 11
   A. “Encrypted Communication Link” Phrases (Claims 1, 2, 8, 11, 14, 15, and 23) ........ 11
   B. “Provisioning Information” (Claims 1 and 14) ........ 13
   C. “VPN Communication Link” (Claims 1, 17, and 33) ........ 14
      1. A “VPN Communication Link” Does Not Exist Outside of a Virtual Private Network ........ 15
      2. “Authentication” and “Address Hopping” Alone Do Not Result in a “Virtual Private Network Communication Link” ........ 15
      3. A “Virtual Private Network Communication Link” Must Be Direct ........ 17
      4. A VPN Requires a Network of Computers ........ 17
      5. A VPN Requires Encryption ........ 18
   D. Other Terms ........ 19
VI. Beser and RFC 2401 ................................ 21
   A. Beser’s Disclosure ........ 21
   B. Claims 1 and 14 ........ 25
      1. “Send[ing] a Domain Name Service (DNS) Request To Look Up a Network Address of a Second Network Device Based On an Identifier Associated With the Second Network Device” ........ 25
      2. “Interception of the DNS Request” ........ 28
      3. Beser and RFC 2401 Would Not Have Been Combined as the Petition Suggests ........ 31
VII. Conclusion ....................................... 35

I, FABIAN MONROSE, declare as follows:

I. Introduction

1. I have been retained by VirnetX Inc. (“VirnetX”) for this inter partes review proceeding. I understand that this proceeding involves U.S. Patent No. 8,850,009 (“the ’009 patent”). I understand the ’009 patent is assigned to VirnetX and that it is part of a family of patents that stems from U.S. provisional application nos. 60/106,261 (“the ’261 application”), filed on October 30, 1998, and 60/137,704 (“the ’704 application”), filed on June 7, 1999. I understand that the ’009 patent is a continuation of U.S. application no. 13/903,788 filed May 28, 2013 (“the ’788 application”), which is a continuation of U.S. application no. 13/336,790 filed December 23, 2011 (now U.S. Patent No. 8,458,341, “the ’341 patent”), which is a continuation of U.S. application no. 13/049,552 filed March 16, 2011 (“the ’552 application”), which is a continuation of U.S. application no. 11/840,560 filed August 17, 2007 (now U.S. Patent No. 7,921,211, “the ’211 patent”), which is a continuation of U.S. application no. 10/714,849 filed November 18, 2003 (now U.S. Patent No. 7,418,504, “the ’504 patent”), which is a continuation of U.S. application no. 09/558,210 filed April 26, 2000 (“the ’210 application,” abandoned). And I understand the ’210 application is a continuation-in-part of U.S. application no. 09/504,783 filed February 15, 2000 (now U.S. Patent 6,502,135, “the ’135 patent”), and that the ’135 patent is a continuation-in-part of U.S. application no. 09/429,643 (now U.S. Patent No. 7,010,604) filed October 29, 1999, which claims priority to the ’261 and ’704 applications.

II. Resources Consulted

2. I have reviewed the ’009 patent, including claims 1-8, 10-20, and 22-25. I have also reviewed the Petition for Inter Partes Review (Paper No. 1) filed with the U.S. Patent and Trademark Office (“Office”) by Apple Inc. on March 2, 2015 (Paper No. 1, the “Petition”). I have also reviewed the Patent Trial and Appeal Board’s (“Board”) decision to institute inter partes review (Paper No. 8, the “Decision”) of September 11, 2015.

3. I understand that in this proceeding the Board instituted review of the ’009 patent on one ground: obviousness of claims 1-8, 10-20, and 22-25 over Beser and RFC 2401. I have reviewed the exhibits and other documentation supporting the Petition that are relevant to the Decision and the instituted grounds, and any other material that I reference in this declaration.

III. Background and Qualifications

4. I have a great deal of experience and familiarity with computer and network security, and have been working in this field since 1993 when I entered the Ph.D. program at New York University.

5. I am currently a Professor of Computer Science at the University of North Carolina at Chapel Hill. I also hold an appointment as the Director of Computer and Information Security at the Renaissance Computing Institute (RENCI). RENCI develops and deploys advanced technologies to facilitate research discoveries and practical innovations. To that end, RENCI partners with researchers, policy makers, and technology leaders to solve the challenging problems that affect North Carolina and our nation as a whole. In my capacity as Director of Computer and Information Security, I lead the design and implementation of new platforms for enabling access to, and analysis of, large and sensitive biomedical data sets while ensuring security, privacy, and compliance with regulatory requirements. At RENCI, we are designing new architectures for securing access to data (e.g., using virtual private networks and data leakage prevention technologies) hosted among many different institutions. Additionally, I serve on RENCI’s Security, Privacy, Ethics, and Regulatory Oversight Committee (SPOC), which oversees the security and regulatory compliance of technologies designed under the newly-formed Data Science Research Program and the Secure Medical Research Workspace.

6. I received my B.Sc. in Computer Science from Barry University in May 1993. I received my M.Sc. and Ph.D. in Computer Science from the Courant Institute of Mathematical Sciences at New York University in 1996 and 1999, respectively. Upon graduating from the Ph.D. program, I joined the Systems Security Group at Bell Labs, Lucent Technologies. There, my work focused on the analysis of Internet Security technologies (e.g., IPsec and client-side authentication) and applying these technologies to Lucent’s portfolio of commercial products. In 2002, I joined the Johns Hopkins University as Assistant Professor in the Computer Science department. I also served as a founding member of the Johns Hopkins University Information Security Institute (JHUISI). At JHUISI, I served a key role in building a center of excellence in Cyber Security, leading efforts in research, education, and outreach.

7. In July of 2008, I joined the Computer Science department at the University of North Carolina (UNC) Chapel Hill as Associate Professor, and was promoted to Full Professor four years later. In my current position at UNC Chapel Hill, I work with a large group of students and research scientists on topics related to cyber security. My former students now work as engineers at several large companies, as researchers in labs, or as university professors themselves. Today, my research focuses on applied areas of computer and communications security, with a focus on traffic analysis of encrypted communications (e.g., Voice over IP); Domain Name System (DNS) monitoring for performance and network abuse; network security architectures for traffic engineering; biometrics and client-to-client authentication techniques; computer forensics and data provenance; runtime attacks and defenses for hardening operating system security; and large-scale empirical analyses of computer security incidents. I also regularly teach courses in computer and information security.

8. I have published over 75 papers in prominent computer and communications security publications. My research has received numerous awards, including the Best Student Paper Award (IEEE Symposium on Security & Privacy, July, 2013), the Outstanding Research in Privacy Enhancing Technologies Award (July, 2012), the AT&T Best Applied Security Paper Award (NYU-Poly CSAW, Nov., 2011), and the Best Paper Award (IEEE Symposium on Security & Privacy, May, 2011), among others. My research has also received corporate sponsorship, including two Google Faculty Research Awards (2009, 2011) for my work on network security and computer forensics, as well as an award from Verisign Inc. (2012) for my work on DNS.

9. I am the sole inventor or a co-inventor on three issued US patents and four pending patent applications, nearly all of which relate to network and systems security. Over the past 12 years, I have been the lead investigator or a co-investigator on grants totaling nearly nine million US dollars from the National Science Foundation (NSF), the Department of Homeland Security (DHS), the Department of Defense (DoD), and industry. In 2014, I was invited to serve on the Information Science and Technology (ISAT) study group for the Defense Advanced Research Projects Agency (DARPA). During my three-year appointment, I will assist DARPA by providing continuing and independent assessment of the state of advanced information science and technology as it relates to the U.S. Department of Defense.

10. I have chaired several international conferences and workshops, including, for example, the USENIX Security Symposium, which is the premier systems-security conference for academics and practitioners alike. Additionally, I have also served as Program Chair for the USENIX Workshop on Hot Topics in Security, the Program Chair for the USENIX Workshop on Large-scale Exploits & Emergent Threats, the local arrangements Chair for the Financial Cryptography and Data Security Conference, and the General Chair of the Symposium on Research in Attacks and Defenses. As a leader in the field, I have also served on numerous technical program committees including the Research in Attacks, Intrusions, and Defenses Symposium (2012, 2013), USENIX Security Symposium (2013, 2005-2009), Financial Cryptography and Data Security (2011, 2012), Digital Forensics Research Conference (2011, 2012), ACM Conference on Computer and Communications Security (2009-2011, 2013), IEEE Symposium on Security and Privacy (2007, 2008), ISOC Network & Distributed System Security (2006-2009), International Conference on Distributed Computing Systems (2005, 2009, 2010), and USENIX Workshop on Large-scale Exploits and Emergent Threats (2010-2012).

11. From 2006 to 2009, I served as an Associate Editor for IEEE Transactions on Information and Systems Security (the leading technical journal on cyber security), and currently serve on the Steering Committee for the USENIX Security Symposium.

12. My curriculum vitae, which is appended, details my background and technical qualifications. Although I am being compensated at my standard rate of $450/hour for my work in this matter, the compensation in no way affects the statements in this declaration.

IV. Level of Ordinary Skill

13. I am familiar with the level of ordinary skill in the art with respect to the inventions of the ’009 patent as of what I understand is the patent’s early-2000 priority date. Specifically, based on my review of the technology, the educational level of active workers in the field, and drawing on my own experience, I believe a person of ordinary skill in the art at that time would have had a master’s degree in computer science or computer engineering, as well as two years of experience in computer networking with some accompanying exposure to network security. My view is consistent with VirnetX’s view that a person of ordinary skill in the art requires a master’s degree in computer science or computer engineering and approximately two years of experience in computer networking and computer security. I have been asked to respond to certain opinions offered by Dr. Roberto Tamassia, consider how one of ordinary skill would have understood certain claim terms, and consider how one of ordinary skill in the art would have understood the references mentioned above in relation to the claims of the ’009 patent. My findings are set forth below.

V. Claim Terms

14. I understand that in an inter partes review proceeding, the claims of a patent are construed under the broadest reasonable interpretation in light of the specification. I also understand that the parties have proposed constructions for certain terms of the ’009 patent. Unless otherwise noted, I have used Patent Owner’s proposed constructions in my analysis. In my opinion, Patent Owner’s proposed constructions are consistent with the specification. To the extent Patent Owner has not proposed a construction for a term, I understand that term to have its plain and ordinary meaning from the perspective of one of ordinary skill in the art in light of the specification. I have applied that understanding in my analysis.

A. “Encrypted Communication Link” Phrases (Claims 1, 2, 8, 11, 14, 15, and 23)

15. I understand that the parties and the Board have put forth the following constructions for purposes of this proceeding:

VirnetX’s Proposed Construction: A direct communication link that is encrypted
Apple’s Proposed Construction: A transmission path that restricts access to data, addresses, or other information on the path at least by using encryption
Board’s Construction: No construction proposed

16. One of ordinary skill in the art would understand that the ’009 patent describes encrypted communications that are direct between a first and second device. For instance, in one embodiment, the ’009 patent describes the link between an originating TARP terminal and a destination TARP terminal as direct. (See, e.g., Ex. 1003, 10:16-25, Fig. 2; see also id. at 34:13-20 (describing a variation of the TARP embodiments as including a direct communication link); 38:42-45 (describing the embodiment of Figure 24 in which a first computer and second computer are connected directly).) The ’009 patent similarly describes direct encrypted communications in later embodiments as well. (See, e.g., id. at 40:45-48, 41:39-42 (describing a virtual private network as being direct between a user’s computer and target), 42:49-53, 43:42-46 (describing a load balancing example in which a virtual private network is direct between a first host and a second host), 49:44-46, 49:55-67 (describing a secure communication link that is direct between a first computer and a second computer), Figs. 24, 26, 28, 29, 33.)

17. In each of these embodiments, the ’009 patent specification discloses that the link traverses a network (or networks) through which it is simply passed or routed via various network devices such as Internet Service Providers, firewalls, and routers. (See, e.g., id. at Figs. 2, 24, 28, 29, 33.)

B. “Provisioning Information” (Claims 1 and 14)

18. I understand that the parties and the Board have put forth the following constructions for purposes of this proceeding:

VirnetX’s Proposed Construction: Information that is used to establish an encrypted communication link
Apple’s Proposed Construction: Information that enables communication in a virtual private network, where the virtual private network uses encryption
Decision’s Construction: No construction proposed

19. In my opinion, Patent Owner’s construction is consistent with the general notion that provisioning refers to setting up or establishing a connection or service. One dictionary explains that provisioning is “[s]etting up a telecommunications service for a particular customer,” and that “[c]ommon carriers provision circuits by programming their computers to switch customer lines into the appropriate networks.” (Ex. 2007 at 6, McGraw-Hill Computer Desktop Encyclopedia (9th ed. 2001).) Applying these principles to provisioning in the context of the ’009 patent, encrypted communications channel provisioning refers to setting up or establishing an encrypted communication channel. Thus, in the context of the ’009 patent, the “provisioning information” is “information that is used to establish an encrypted communications channel.”

20. In my opinion, in the context of the ’009 patent, one of ordinary skill in the art would not understand provisioning information to encompass any and all information that merely “enables or aids in” communication using an encrypted communications channel, as that information may have nothing to do with provisioning. For example, information that simply enabled or aided in communication using an encrypted communications channel would encompass source and destination information for individual packets of data that are traveling over a pre-existing channel. One of ordinary skill in the art would not have understood a channel to be provisioned every time a data packet is sent across it.

C. “VPN Communication Link” (Claim 8)

21. I understand that the parties and the Board have put forth the following constructions for purposes of this proceeding:

VirnetX’s Proposed Construction: A communication path between two devices in a virtual private network
Apple’s Proposed Construction: A transmission path between two devices that restricts access to data, addresses, or other information on the path, generally using obfuscation methods to hide information on the path, including, but not limited to, one or more of authentication, encryption, or address hopping
Board’s Construction: No construction proposed

1. A “VPN Communication Link” Does Not Exist Outside of a Virtual Private Network

22. The ’009 patent discloses that a VPN communication link is a communication path between computers in a virtual private network. When a secure domain name service (SDNS) receives a query for a secure network address, it “accesses VPN gatekeeper 3314 for establishing a VPN communication link between software module 3309 [at the querying computer 3301] and secure server 3320.” (Ex. 1003 at 52:7-9.) Then, “VPN gatekeeper 3314 provisions computer 3301 and secure web server computer 3320 . . . thereby creating the VPN” between the devices. (Ex. 1001 at 52:10-13, emphasis added.) Notably, the secure server 3320 “can only be accessed through a VPN communication link.” (Ex. 1001 at 52:9-10.)

2. “Authentication” and “Address Hopping” Alone Do Not Result in a “Virtual Private Network Communication Link”

23. Petitioner’s proposed construction is technically incorrect. Of the obfuscation methods in the proposed construction—authentication, encryption, and address hopping—only encryption restricts access to “data, addresses, or other information on the path,” as required by the first portion of the construction. The other techniques alone do not “hide information on the path,” as Petitioner’s construction requires.

24. In my opinion, authentication merely ensures the recipient that a message originated from the expected sender, which is consistent with the definition of authentication in a dictionary the ’009 patent refers to. (Ex. 2008 at 3, Glossary for the Linux FreeS/WAN Project.) Authentication does not prevent an eavesdropper from accessing data transmitted over an unsecure communication link. The specification is also consistent with my understanding, as it describes at least one scenario where an authenticated transmission occurs “in the clear”—i.e., over an unsecured communication link:

    SDNS [secure domain name service] 3313 can be accessed through secure portal 3310 “in the clear”, that is, without using an administrative VPN communication link. In this situation, secure portal 3310 preferably authenticates the query using any well-known technique, such as a cryptographic technique, before allowing the query to proceed to SDNS [3313].

(Ex. 1003 at 52:21-26.)

25. Address hopping alone also does not provide the claimed security, as there is nothing inherent in moving from address to address that hides information on the path or precludes an eavesdropper from reading the details of a communication. This is why the ’009 patent discloses embodiments that use encryption in conjunction with address hopping to protect, for example, the next address in a routing scheme from being viewed by eavesdroppers. (See, e.g., Ex. 1003 at 3:40-54, stating in part that “[e]ach TARP packet’s true destination is concealed behind a layer of encryption generated using a link key.”) It is the encryption that hides information on the path while moving from address to address. (See, e.g., Ex. 1003 at 3:20-4:44.)

26. While authentication and address hopping may be used in conjunction with encryption as an “obfuscation method,” this fact does not make them sufficient by themselves to “hide information on the path,” as Petitioner’s construction requires.

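To make the point of paragraphs 23 to 26 concrete, the following is an added illustration (not part of the declaration, and not code from either party or from the ’009 patent): an HMAC tag proves who sent a packet and hopping changes where each packet is addressed, but only the two encryption layers keep a passive observer on the path from reading the true destination and the payload. The key, addresses and payload are constructed sample values, and the HMAC-counter keystream is a stand-in for a real cipher so the block runs with only the standard library.

```python
import hashlib
import hmac

# Constructed sample values (not from the declaration or the patents it cites).
LINK_KEY = bytes(range(32))                      # secret shared by the two ends only
PAYLOAD = b"GET /records/patient-42 HTTP/1.0"   # the data the sender wants hidden
TRUE_DESTINATION = "203.0.113.20"                # real target (documentation address)
HOP_POOL = ["198.51.100.11", "198.51.100.12", "198.51.100.13"]  # addresses hopped over


def _tag(seq: int, body: bytes) -> bytes:
    """HMAC-SHA256 over sequence number and body: proves origin, hides nothing."""
    return hmac.new(LINK_KEY, seq.to_bytes(4, "big") + body, hashlib.sha256).digest()


def keystream(label: bytes, seq: int, length: int) -> bytes:
    """Toy keystream (HMAC-SHA256 in counter mode, domain-separated by label).
    It stands in for a real cipher so that this block needs no third-party library."""
    out, counter = b"", 0
    while len(out) < length:
        block_input = label + seq.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hmac.new(LINK_KEY, block_input, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def authenticated_packet(seq: int) -> dict:
    """Authentication only: destination and payload travel exactly as written."""
    body = TRUE_DESTINATION.encode() + b"|" + PAYLOAD
    return {"seq": seq, "dst": TRUE_DESTINATION, "body": body, "tag": _tag(seq, body)}


def hopping_packet(seq: int) -> dict:
    """Address hopping only: the wire destination is the next hop, but that hop
    must learn the true destination, so it and the payload ride in the clear."""
    body = TRUE_DESTINATION.encode() + b"|" + PAYLOAD
    return {"seq": seq, "dst": HOP_POOL[seq % len(HOP_POOL)], "body": body, "tag": b""}


def encrypted_hopping_packet(seq: int) -> dict:
    """Hopping plus two layers of encryption under the link key, in the spirit of
    the two-layer TARP format quoted in paragraph 25: the outer layer conceals the
    true destination, the inner layer conceals the payload."""
    outer = xor(TRUE_DESTINATION.encode(), keystream(b"dst", seq, len(TRUE_DESTINATION)))
    inner = xor(PAYLOAD, keystream(b"payload", seq, len(PAYLOAD)))
    body = bytes([len(outer)]) + outer + inner
    return {"seq": seq, "dst": HOP_POOL[seq % len(HOP_POOL)], "body": body, "tag": _tag(seq, body)}


def eavesdrop(packet: dict) -> dict:
    """A passive observer on the path sees the wire fields and holds no key."""
    return {"dst": packet["dst"], "body": packet["body"]}


def payload_readable(packet: dict) -> bool:
    return PAYLOAD in eavesdrop(packet)["body"]


def true_destination_visible(packet: dict) -> bool:
    seen = eavesdrop(packet)
    return seen["dst"] == TRUE_DESTINATION or TRUE_DESTINATION.encode() in seen["body"]


def receiver_decrypt(packet: dict) -> tuple:
    """The far end verifies the tag, then peels both layers with LINK_KEY."""
    if not hmac.compare_digest(_tag(packet["seq"], packet["body"]), packet["tag"]):
        raise ValueError("authentication failed")
    n = packet["body"][0]
    outer, inner = packet["body"][1:1 + n], packet["body"][1 + n:]
    dst = xor(outer, keystream(b"dst", packet["seq"], n)).decode()
    return dst, xor(inner, keystream(b"payload", packet["seq"], len(inner)))


def tamper_detected(packet: dict) -> bool:
    """Flip the last body byte; the receiver must reject the forgery."""
    forged = dict(packet, body=packet["body"][:-1] + bytes([packet["body"][-1] ^ 1]))
    try:
        receiver_decrypt(forged)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for name, pkt in [("authentication only", authenticated_packet(1)),
                      ("address hopping only", hopping_packet(2)),
                      ("encryption + hopping", encrypted_hopping_packet(3))]:
        print(f"{name:22s} payload readable={payload_readable(pkt)} "
              f"true destination visible={true_destination_visible(pkt)}")
```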
3. A “Virtual Private Network Communication Link” Must Be Direct

27. In my opinion, one of skill would understand that a “virtual private network communication link” in the context of the ’009 patent describes a “direct” link, as discussed above in Section V.A.

4. A VPN Requires a Network of Computers

28. In my opinion, the Petitioner’s construction eliminates the “network” from a virtual private network and a virtual private network communication link. One of ordinary skill in the art would understand the plain meaning of a VPN communication link to mean that the link must exist in a VPN and therefore must be between computers in a network. Consistent with my understanding, in describing a VPN, the ’009 patent refers to the “FreeS/WAN” project, which has a glossary of terms. (Ex. 1003 at 40:7 and bibliographic data showing references cited.) The FreeS/WAN glossary defines a VPN as “a network which can safely be used as if it were private, even though some of its communication uses insecure connections. All traffic on those connections is encrypted.” (Ex. 2008 at 24, Glossary for the Linux FreeS/WAN Project.) According to this glossary, a VPN includes at least the requirement of a “network of computers.”

29. The specification further describes a VPN as including multiple “nodes.” (See, e.g., Ex. 1003 at 17:36-40, referring to “each node in the network” and “vastly increasing the number of distinctly addressable nodes,” 22:11, “nodes on the network”; see also id. 19:61-63, 19:24:59.) More specifically, the network allows “each node . . . to communicate with other nodes in the network.” (Ex. 1003 at 17:40-42.) So a device within a VPN is able to communicate with the other devices within that same VPN. In addition, the specification distinguishes point-to-point queries from those carried on a VPN communication link, stating that they occur “without using an administrative VPN communication link.” (See, e.g., Ex. 1003 at 52:21-23, 26-29.)

5. A VPN Requires Encryption

30. In my opinion, in view of the specification, a virtual private network requires encryption. For instance, the ’009 patent specification’s “TARP” embodiments describe a “unique two-layer encryption format” where “[e]ach TARP packet’s true destination address is concealed behind a layer of encryption” (first layer) and “[t]he message payload is hidden behind an inner layer of encryption” (second layer). (Ex. 1003 at 3:21-23.) In addition, the FreeS/WAN glossary of terms in the ’009 patent’s prosecution history explains that a VPN is “a network which can safely be used as if it were private, even though some of its communication uses insecure connections. All traffic on those connections is encrypted.” (Ex. 2008 at 24, Glossary for the Linux FreeS/WAN Project.) Another contemporaneous computing dictionary also states that “VPNs enjoy the security of a private network via access control and encryption . . . .” (Ex. 2007 at 8, McGraw-Hill Computer Desktop Encyclopedia (9th ed. 2001).)

D. Other Terms

31. I understand that the parties and Board have provided the following constructions for purposes of this proceeding. I agree that the claim language encompasses the features described in each of VirnetX’s constructions.

“Domain Name Service (DNS) Request” (Claims 1, 12-14, 24, and 25)
VirnetX’s Proposed Construction: A request for a resource corresponding to a domain name
Apple’s Proposed Construction: A request for a resource corresponding to a domain name
Board’s Construction: No construction proposed

“Interception of the DNS Request” (Claims 1, 12-14, 24, and 25)
VirnetX’s Proposed Construction: Receiving a DNS request pertaining to a first entity at another entity
Apple’s Proposed Construction: No construction proposed
Board’s Construction: No construction necessary; alternatively, receiving a request to look up an internet protocol address and, apart from resolving it into an address, performing an evaluation on it related to establishing an encrypted communication link

“Secure Communications Service” (Claims 1-3, 10, 12, 14-16, 22, and 24)
VirnetX’s Proposed Construction: The functional configuration of a network device that enables it to participate in a secure communications link with another network device
Apple’s Proposed Construction: The functional configuration of a network device that enables it to participate in a secure communications link with another computer or device
Board’s Construction: No construction proposed

“Indication” (Claims 1, 10, 14, and 22)
VirnetX’s Proposed Construction: No construction necessary
Apple’s Proposed Construction: Something that shows the probable presence or existence or nature of
Board’s Construction: No construction proposed

“Domain Name” (Claims 7 and 20)
VirnetX’s Proposed Construction: A name corresponding to a network address
Apple’s Proposed Construction: A name corresponding to an IP address
Board’s Construction: No construction proposed

“Modulation” (Claims 4, 5, 17, and 18)
VirnetX’s Proposed Construction: No construction necessary; alternatively, the process of encoding data for transmission over a medium by varying a carrier signal
Apple’s Proposed Construction: The process of encoding data for transmission over a medium by varying a carrier signal
Board’s Construction: No construction proposed

VI. Beser and RFC 2401

A. Beser’s Disclosure

32. Beser “relates to communications in data networks,” (Ex. 1007 at 1:8-9), and the fact that “the Internet is not a very secure network,” (id. at 1:26-27). Prior art methods attempted to secure communications by “encrypt[ing] the information inside the IP packets before transmission.” (Id. at 1:54-56.) Beser teaches that this method is not secure because a determined hacker could accumulate enough packets from a source to decrypt the message. (Id. at 1:56-58.) Nor, as Beser teaches, is this method practicable, especially in the context of voice and audio data, because encryption at the source and decryption at the destination are computationally intensive. (Id. at 1:58-67, 2:8-17.) Beser therefore identifies a need for a more secure system that prevents a hacker from intercepting media flow without the computational burden associated with encryption. (Id. at 2:36-40.)

33. Instead of using encryption, Beser teaches a “tunneling association” that hides the originating and terminating ends of the tunnel during communications on a public network. (Id. at 3:1-9.) Because the source is hidden, hackers are prevented from intercepting communications, resulting in “increase[d] [] security of communication without an increased computational burden.” (Id. at 2:36-40, 3:4-9 (emphasis added).) One of ordinary skill in the art would have understood that Beser teaches away from encryption and that its proposed solution avoids encryption.

34. Beser’s solution involves “initiating a tunnelling association between an originating end [24] and a terminating end [26]” facilitated by an intermediary, trusted-third-party network device 30. (Id. at 1:45-67, 7:62-64.) Figure 1 of Beser illustrates this solution:

(Id. at Fig. 1.)

35. When an originating end device 24 in Beser wants to communicate with a terminating end device 26, it sends a tunnel initiation request 112 to first network device 14. (Id. at 7:65-67.) This request “includes a unique identifier for the terminating end of the tunnelling association.” (Id. at 8:1-3.) One of ordinary skill in the art would not understand this request (even containing a “unique identifier”) to be a “request to look up an internet protocol (IP) address of the second network device.”

(Id. at Fig. 6.)

36. The first network device 14 then sends an inform message 114 with tunnel initiation request 112 to trusted-third-party network device 30 by constructing one or more IP packets 58. (Id. at 8:3-4, 11:9-25.) The trusted-third-party network device 30 associates a public IP address of a second network device 16 with the unique identifier of terminating telephony device 26. (Id. at 8:4-7, 11:26-32.) The first and second network devices 14 and 16 then “negotiate” private IP addresses through the public network 12. (Id. at 8:9-15, 11:58, Fig. 6 (step 118).) This “negotiation” assigns a first private network address to the originating device 24 and a second private network address to the terminating device 26. (Id. at 12:2-4.)

37. Once assigned, the private network address of originating device 24 and the public IP address of first network device 14 are communicated to the second network device 14. (Id. at 13:33-48.) Similarly, the private network address of the terminating device 26 and the public IP address of the second network device 16 are co