IN THE UNITED STATES PATENT AND TRADEMARK OFFICE

In re Patent of: Asghari-Kamrani et al.
U.S. Patent No.: 8,266,432
Issue Date: September 11, 2012
Appl. Serial No.: 12/210,926
Filing Date: September 10, 2008
Title: CENTRALIZED IDENTIFICATION AND AUTHENTICATION SYSTEM AND METHOD
Attorney Docket No.: 36137-0007IP1

Mail Stop Patent Board
Patent Trial and Appeal Board
U.S. Patent and Trademark Office
P.O. Box 1450
Alexandria, VA 22313-1450

PETITION FOR INTER PARTES REVIEW OF UNITED STATES PATENT NO. 8,266,432 PURSUANT TO 35 U.S.C. §§ 311–319, 37 C.F.R. § 42

Attorney Docket No. 36137-0007IP1
IPR of U.S. Patent No. 8,266,432

TABLE OF CONTENTS

I. MANDATORY NOTICES UNDER 37 C.F.R §§ 42.8(a)(1), 42.8(b)(1), 42.8(b)(2), 42.8(b)(3) AND PAYMENT OF FEES UNDER 37 C.F.R § 42.103

II. REQUIREMENTS FOR IPR UNDER 37 C.F.R. § 42.104
    A. Grounds for Standing Under 37 C.F.R. § 42.104(a)
    B. Challenge Under 37 C.F.R. § 42.104(b) and Relief Requested
    C. Claim Construction under 37 C.F.R. §§ 42.104(b)(3)

III. MANNER OF APPLYING CITED PRIOR ART TO EVERY CLAIM FOR WHICH AN IPR IS REQUESTED, THUS ESTABLISHING A REASONABLE LIKELIHOOD THAT AT LEAST ONE CLAIM OF THE ‘432 PATENT IS UNPATENTABLE
    A. [GROUND 1] – Brown in view of Myers Renders Obvious Claims 1-55
    B. [GROUND 2] – Neuman Anticipates Claims 1-3, 6-28, 31-55
    C. [GROUND 3] – Neuman Renders Obvious Claims 4, 5, 29, and 30

IV. CONCLUSION

EXHIBITS

USAA-1001  U.S. Patent No. 8,266,432 to Asghari-Kamrani et al. (“the ‘432 Patent” or “‘432”)
USAA-1002  Excerpts from the Prosecution History of the ‘432 Patent (“the Prosecution History”)
USAA-1003  Declaration of Dr. Seth Nielson re the ‘432 Patent (“Nielson”)
USAA-1004  Curriculum Vitae of Dr. Seth Nielson
USAA-1005  U.S. Patent No. 7,356,837 (“the ‘837 Patent” or “‘837”), a parent of the ‘432 Patent
USAA-1006  RESERVED
USAA-1007  RESERVED
USAA-1008  RESERVED
USAA-1009  RESERVED
USAA-1010  U.S. Patent No. 5,740,361 (“Brown”)
USAA-1011  Myers, et al., X.509 Internet Public Key Infrastructure Online Certificate Status Protocol – OCSP, RFC 2560, Network Working Group (June 1999) (“Myers”)
USAA-1012  Neuman, B.C. and Ts’o, T., Kerberos: An Authentication Service for Computer Network, ISI Research Report, ISI/RS-94-399 (September 1994) (“Neuman”)
USAA-1013  U.S. Patent Application Serial No. 12/210,926 (“the ‘926 Appln.”)
USAA-1014  U.S. Patent Application Serial No. 11/239,046 (“the ‘046 Appln.”)
USAA-1015  U.S. Patent No. 7,444,676 (“the ‘676 Patent”)
USAA-1016  U.S. Patent Application Serial No. 09/940,635

United Services Automobile Association (“Petitioner” or “USAA”) petitions for Inter Partes Review (“IPR”) under 35 U.S.C. §§ 311–319 and 37 C.F.R. § 42 of claims 1-54 (“the Challenged Claims”) of U.S. Patent No. 8,266,432 (“the ‘432 Patent”). As explained in this petition, there exists a reasonable likelihood that USAA will prevail with respect to at least one of the Challenged Claims. The Challenged Claims are unpatentable based on teachings set forth in at least the references presented in this petition. USAA respectfully submits that an IPR should be instituted, and that the Challenged Claims should be canceled as unpatentable.

I. MANDATORY NOTICES UNDER 37 C.F.R §§ 42.8(a)(1), 42.8(b)(1), 42.8(b)(2), 42.8(b)(3) AND PAYMENT OF FEES UNDER 37 C.F.R § 42.103

Petitioner, USAA, is filing this Petition and is the real party-in-interest.

USAA is not aware of any disclaimers or reexamination certificates for the ‘432 Patent. USAA designates Michael Zoppo, Reg. No. 61,074, as Lead Counsel and Thomas Rozylowicz, Reg. No. 50,620, as Backup Counsel, both available for service at 3200 RBC Plaza, 60 South Sixth Street, Minneapolis, MN 55402 (T: 202-783-5070) or via electronic service by email at IPR36137-0007IP1@fr.com.

The Patent and Trademark Office is authorized to charge Deposit Account No. 06-1050 for the fee set in 37 C.F.R. § 42.15(a).

II. REQUIREMENTS FOR IPR UNDER 37 C.F.R. § 42.104

A. Grounds for Standing Under 37 C.F.R. § 42.104(a)

USAA certifies that the ‘432 Patent is available for IPR and is not barred or estopped from requesting this review challenging the Challenged Claims on the below-identified grounds.

B. Challenge Under 37 C.F.R. § 42.104(b) and Relief Requested

USAA requests an IPR of the Challenged Claims on the grounds set forth in the table shown below, and requests that each of the Challenged Claims be found unpatentable. An explanation of how these claims are unpatentable under the statutory grounds identified below is provided in the form of detailed description and claim charts that follow, indicating where each element can be found in the cited prior art, and the relevance of that prior art. Additional explanation and support for each ground of rejection is set forth in Exhibit USAA-1003, the Declaration of Dr. Seth Nielson (“Nielson Dec.”), referenced throughout this Petition.

Ground | ‘432 Patent Claims | Basis for Rejection
Ground 1 | 1-55 | Obvious over Brown in view of Myers under 35 U.S.C. § 103
Ground 2 | 1-3, 6-28, 31-55 | Anticipated by Neuman under 35 U.S.C. § 102
Ground 3 | 4, 5, 29, and 30 | Obvious over Neuman under 35 U.S.C. § 103

The ‘432 Patent claims priority to 09/940,635 (USAA-1016) filed Aug. 29, 2001 (now U.S. Patent No. 7,356,837, USAA-1005). Accordingly, the earliest possible date to which the ‘432 Patent could claim priority (hereinafter the “earliest effective filing date”) is August 29, 2001.

Brown (U.S. Patent No. 5,740,361, Ex. 1010) qualifies as prior art under 35 U.S.C. § 102(b). Specifically, Brown issued on April 14, 1998, more than one year before the earliest effective filing date of the Challenged Claims. Accordingly, Brown is eligible under AIA § 18(a)(1)(C) as prior art for IPR of the ‘432 Patent.

Myers (non-patent literature, Ex. 1011) qualifies as prior art under 35 U.S.C. § 102(b). Specifically, Myers was published in June 1999, more than one year before the earliest effective filing date of the Challenged Claims. Accordingly, Myers is eligible under AIA § 18(a)(1)(C) as prior art for IPR of the ‘432 Patent.

Neuman (non-patent literature, Ex. 1012) qualifies as prior art under 35 U.S.C. § 102(b). Specifically, Neuman was published in September 1994, more than one year before the earliest effective filing date of the Challenged Claims. Accordingly, Neuman is eligible under AIA § 18(a)(1)(C) as prior art for IPR review of the ‘432 Patent.

C. Claim Construction under 37 C.F.R. §§ 42.104(b)(3)

In accordance with 37 C.F.R. § 42.100(b), claims in an unexpired patent are given their broadest reasonable construction in light of the specification of the patent in which it appears. Thus, the broadest reasonable construction is applied to all terms herein, and further details of how the claims are being interpreted are discussed in the relevant sections below.

Petitioner expressly reserves the right to advance different constructions in the matter now pending in the district court, as the applicable claim construction standard for that proceeding (“ordinary and customary meaning”) is different than the broadest reasonable interpretation standard applied in IPR. Further, due to the different claim construction standards in the proceedings, Petitioner identifying any feature in the cited references as teaching a claim term of the ‘432 Patent is not an admission by Petitioner that that claim term is met by any feature for infringement purposes, or that the claim term is enabled or meets the requirements for written description.

1. “Central-Entity” and “External-Entity”

The terms “central-entity” and “external-entity” are recited in independent claims 1, 25, 48, and 52. The specification of the ‘432 Patent defines the central-entity as “any party that has user’s personal and/or financial information, UserName, Password and generates dynamic, non-predictable and time dependable SecureCode for the user.” ‘432 Patent at 2:13-16. In addition, the external-entity is defined as “any party offering goods or services that users utilize by directly providing their UserName and SecureCode as digital identity.” Id. at 2:19-21. However, Petitioner notes that the BRI of these limitations is further clarified by the claim language itself.

Specifically, these two terms should be construed broadly enough for the “central-entity” to perform the operations of the “external-entity” and vice versa, because dependent claims 1, 11, 46, 49, and 53 recite “said external-entity and said external-entity are the same entity” (emphasis added). This interpretation is also consistent with the specification of the ‘432 Patent, which describes examples of the “central-entity” and the “external-entity” that can both be “banks” or “credit card issuing companies.” ‘432 Patent at 2:13-26; see Nielson Dec., ¶ 31.

2. “First Central-Entity Computer” and “Second Central-Entity Computer”

The terms “first central-entity computer” and “second central-entity computer” are recited in independent claims 25 and 52. Under BRI, these terms should be construed broadly enough to encompass logically separated components on a single computer-readable medium, as dependent claims 11 and 36 recite “said first central-entity computer and said second central-entity computer are the same” (emphasis added). See Nielson Dec., ¶ 32.

This interpretation is also consistent with the specification of the ‘432 Patent, because the specification provides no support for an interpretation of the first central-entity and the second central-entity that requires physical separation between two computers.

3. “Authenticating”

The term “authenticating” is recited in independent claims 1, 25, 48, and 52. Under BRI, this term should be construed as “a process by which the authenticator states [an] individual is who the individual says he is,” as included in the file wrapper of the ‘432 Patent. See Non-Final Office Action of Nov. 12, 2010 at 3-4.

4. “Transaction”

The term “transaction” is recited in independent claims 1, 25, 48, and 52. Under BRI, this term should be construed as “where [a] user [] attempts to access a restricted web site or attempts or buy services or products [] . . . through a standard interface provided by [an] External-Entity . . . and selects digital identity as his identification and authorization or payment option” as stated by the specification of the ‘432 Patent. ‘432, 5:5-22. See Nielson Dec., ¶ 33.

5. “Dynamic Code”

The term “dynamic code” is recited in the independent claims 1, 25, 48 and 51. Under BRI, this term should be construed as “any dynamic, non-predictable and time dependent alphanumeric code, secret code, PIN or other code, which may be broadcast to the user over a communication network, and may be used as a part of a digital identity to identify a user as an authorized user” as stated by the specification of the ‘432 Patent. ‘432, 2:35-40; see Nielson Dec., ¶ 34.

III. MANNER OF APPLYING CITED PRIOR ART TO EVERY CLAIM FOR WHICH AN IPR IS REQUESTED, THUS ESTABLISHING A REASONABLE LIKELIHOOD THAT AT LEAST ONE CLAIM OF THE ‘432 PATENT IS UNPATENTABLE

As detailed below, this request shows a reasonable likelihood that the Requester will prevail with respect to the Challenged Claims of the ‘432 Patent.

A. [GROUND 1] – Brown in view of Myers Renders Obvious Claims 1-55

Brown teaches a system that is virtually identical to the one claimed by the ‘432 Patent, in both structure and purpose, but differs in minor design choices such as the expiration of a password. Such design choices were, at the time of the effective filing date of the ‘432 Patent, well-known alternatives to those of ordinary skill in the cryptography art. Petitioner’s secondary reference, Myers, which is also directed to a system identical in purpose, teaches those design choices explicitly. As such, the combination of Brown and Myers renders obvious the claims of the ‘432 Patent.

Claim 1 – [1.0]: “A method for authenticating a user during an electronic transaction between the user and an external-entity, the method comprising:”

In general, Brown teaches a “Remote Passphrase Authentication (RPA),” which generates a “session key” that is used “for authenticating users and services communicating over an insecure network.” Brown, Abstract (emphasis added). Myers teaches an “Online Certificate Status Protocol (OCSP)” that “specifies [] data that needs to be exchanged between an application checking the status of a certificate and the server providing that status,” which enables “applications to determine the (revocation) state of an identified certificate.” Myers, pg. 2. Taken together, Brown teaches an authentication protocol that includes transmitting an authentication message including a generated session key between entities, which is then used to authenticate a user, and Myers teaches a protocol that limits the use of such an authentication message for a particular period of time. Put another way, the combination of Brown and Myers teaches an authentication protocol that: (1) includes transmitting an authentication message including a generated session key between entities, which is then used to authenticate a user, and (2) limits the use of such an authentication message for a particular period of time. Both Brown and Myers share the common goal of improving transaction security by preventing unauthorized use of the digital identity. See Nielson Dec., ¶ 37.

Specifically, Brown teaches that an RPA system includes an authentication deity (a central-entity) that uses a “user name/pass-phrase and service/pass-phrase pairs . . . that support[] a particular realm . . . for retrieval during the authentication process.” Brown, 6:66-67. The authentication deity receives an authentication request from a user, and in response to the authentication request, generates a session key (a dynamic code), which is used by the user during a transaction with the service (an external-entity). See Id., 4:30-58.

FIG. 1 of Brown represents the authentication deity (the central entity), the service (the external entity), and the user connected over a computer network:

[Brown, FIG. 1 (annotated); annotation labels: “Central Entity”, “Users”, “External Entity”]

Reasons to combine Brown and Myers

One of ordinary skill in the art, as of the effective filing date of the ‘432 Patent, would have been motivated to modify the teachings of Brown, such as the use of an authentication message that includes the session key, to additionally include the teachings of Myers, such as the use of a nonce as an extension to “cryptographically bind[] a request and a response to prevent replay attacks.” Myers, pg. 12 (emphasis added); see Nielson Dec., ¶ 38. The results of such a combination would have been predictable, because modifying the authentication protocol message of Brown to include the nonce amounts to the use of a known cryptographic technique to improve security during a user authentication process by preventing unauthorized use of the authentication message, which was both well-known and well-established at the time of the effective filing date of the ‘432 Patent. See Brown, 1:41-62 (stating that “security in global network . . . may be difficult to achieve” because “communication is often accomplished via inherently insecure facilities. . .”); see also Nielson Dec., ¶ 38.

Indeed, one of ordinary skill in the art would have understood and appreciated that cryptographic techniques all but require a nonce to ensure that authentication messages are not used multiple times without appropriate authorization. See Nielson Dec. at ¶ 39. Moreover, because generating the session key that is included in the authentication message, as taught by Brown, describes a cryptographic technique, modification of the session key to include a nonce would have been a natural combination within the field of cryptography. Id. Since commercial systems that simply transmit passwords, keys, or encrypted pins were known within the art even before the effective filing date of the ‘432 Patent, one of ordinary skill in the art would have considered such a combination as teaching a natural extension to an existing technology through the addition of another existing technology and aimed at preventing unauthorized users from performing “replay attacks” of authentication message transmissions as described by Myers. See Nielson Dec., ¶ 40.

In addition, one of ordinary skill in the art would have also been motivated to modify the authentication message of Brown to also include an “expiration date,” as taught by Myers, to prevent unlimited authentication. Myers, pg. 14; see Nielson Dec., ¶ 41. The results of such a combination would have been predictable, because this principle has been well understood within the field of cryptography since even before the effective filing dates of both Brown and Myers. See Nielson Dec., ¶ 41 (citing a seminal publication from 1981 that states “key distribution protocols with timestamps prevent replays of compromised keys” among other teachings).

Furthermore, the modification of the authentication message of Brown to include the expiration date of Myers would improve the teachings of Brown because, without an expiration date, the authentication message may be used to reauthenticate a user with a service for an arbitrary number of times. See Nielson Dec. ¶ 41. As such, one of ordinary skill in the art would have clearly understood and appreciated that such modification would not only improve the security of the authentication message, but also limit the amount of potential damage resulting from an unauthorized use of the authentication message by reducing the number of times the authentication message may be used for an unauthorized authentication after the expiration date. Id.

Accordingly, Brown in view of Myers discloses a “method for authenticating a user during an electronic transaction between the user and an external-entity.”

[1.1]: “receiving electronically a request for a dynamic code for the user by a computer associated with a central-entity during the transaction between the user and the external-entity;”

Brown teaches an authentication process (the transaction) where “a user attempts to access a service,” “choose[s] a realm in which he has an identity” and then is authenticated to the realm that the service supports. Brown, 8:31-44. In addition to the authentication process, Brown also teaches a reauthentication process where “a user and service . . . may again authenticate one another” by “prov[ing] to each other that they both possess [the] . . . session key . . . derived during the authentication process.” Brown, 9:65-10:12. Specifically, Brown describes the reauthentication process as “essentially an ordinary challenge-response mechanism in which the session key is used as a pass-phrase” similar to the original authentication process. Brown, 10:10-12 (emphasis added); see Nielson Dec., ¶ 44.

As discussed previously, under the broadest reasonable interpretation, “transaction” as recited in the claim should be construed as “where [a] user [] attempts to access a restricted web site or attempts or buy services or products [] . . . through a standard interface provided by [an] External-Entity . . . and selects digital identity as his identification and authorization or payment option” as stated by the specification of the ‘432 Patent. ‘432, 5:5-22. Thus, under the broadest reasonable interpretation, because the authentication process and the subsequent reauthentication process both involve the user accessing the same service using the same session key, the combined authentication process and the reauthentication process together corresponds to a single “transaction between the user and the external-entity.” See Nielson Dec., ¶¶ 42-44.

Brown also teaches that the authentication deity (the central-entity) receives a request for a “user name/pass-phrase,” which is associated with the user, and “service/pass-phrase pairs” for services (the external-entity), “for retrieval during the authentication process.” Brown, 6:26-36 (emphasis added). Specifically, the authentication deity and the service use “a message passing scheme for communication between entities, [which] may be comprised of network node computers 24 that route messages through the network.” Id., 6:66-7:9. FIG. 2 of Brown represents the authentication process between the user, the service, and the authentication deity:

[Brown, FIG. 2 (annotated); annotation labels: “Request to generate Dynamic Code”, “Generated Dynamic Code”]

As shown, during the authentication process (the transaction), the user sends a request for access to the service, which is then sent to the authentication deity as an authentication request.

[1.2]: “generating by the central-entity during the transaction a dynamic code for the user in response to the request, wherein the dynamic code is valid for a predefined time and becomes invalid after being used;”

Brown teaches that the authentication deity, after verifying both the user’s and service’s identity, “creates a random, 128-bit session key, Kus, for use by the user and service” for “session encryption.” Brown, 9:22-41. The authentication deity also generates “two obscured copies of the session key,” Kuss and Kusu and “a pair of authentication ‘proofs’,” Au and As. Id., 9:27-35. Thus, the session key that is generated by the authentication deity, as described by Brown, corresponds to the “dynamic code” as recited in the claim because it “identifies the user as an authorized user.” See Nielson Dec., ¶ 45.

Brown does not explicitly teach that the session key is valid for a predefined time. However, Myers teaches an authentication protocol that protects public key management with the use of “X.509 version 3 certificates” with an “expiration date” in a manner that is analogous. See Myers, pg. 11-14; see also Nielson Dec., ¶ 47. For example, given the rationale provided by Myers to use the authentication protocol “to obtain timely information regarding the revocation status of a certificate” and “specif[ying] the data that needs to be exchanged between an application checking the status of a certificate,” one of ordinary skill in the art would have understood that the expiration date of the certificates indicates that they are valid for a predefined time period. Myers, pg. 2 (emphasis added); see Nielson Dec., ¶ 47. Furthermore, because both Brown and Myers disclose similar teachings that are related to enhancing transaction security in insecure environments, one of ordinary skill in the art would have been motivated to modify the session key to include an expiration date to ensure that the authentication protocol of Brown similarly obtains timely information regarding the status of the session key. Id. Thus, Brown in view of Myers teaches that the session key may be “valid for a predefined time.”

In addition, while Brown does not explicitly teach that the session key is invalid after being used, Myers teaches the use of nonces as “standard extensions employed in X.509 version 3 certificates” to “prevent replay attacks,” which refer to unauthorized attempts to use valid authentication credentials. Myers, pgs. 11-12; see Nielson Dec., ¶ 48. As defined within the cryptography field, nonces represent “time-variant parameters which serve to distinguish one protocol instance from another.” See Nielson Dec., ¶ 49 (emphasis added). Although Myers does not explicitly state that the nonce enables a certificate to be “invalid after being used,” one of ordinary skill would appreciate that the use of a nonce within an authentication process is effectively limited to a single use because its “value [is] used no more than once for the same purpose.” See Nielson Dec., ¶ 50 (emphasis added). Furthermore, because replay attacks are pervasive security concerns among various types of digital transactions, including those discussed by Brown, one of ordinary skill in the art would have been motivated to modify the session key of Brown to include a nonce such that its use is also similarly limited to a single use, which effectively makes it invalid after use. Id. Thus, Brown in view of Myers teaches that the session key may include a nonce, which would make it “invalid after being used.”

Accordingly, modifying the session key generated by the authentication deity of Brown to include i) an expiration date to provide timely information about user requests, and ii) a nonce to limit its use to prevent replay attacks during an authentication process discloses these limitations of the claim.
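
The two properties argued above, a code that is valid for a predefined time and rejected once used, can be shown in a short Python sketch. It is an added illustration, not code from Brown, Myers, the ‘432 Patent, or the petition; the names `CentralEntity`, `issue_code` and `authenticate`, the dotted code layout and the use of HMAC-SHA-256 are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets
import time

OK, MALFORMED, BAD_MAC, EXPIRED, REPLAYED = (
    "ok", "malformed", "bad_mac", "expired", "replayed")


class CentralEntity:
    """Hypothetical issuer/verifier of short-lived, single-use codes."""

    def __init__(self, ttl_seconds=60, clock=time.time):
        self._key = secrets.token_bytes(32)  # MAC key held only by the issuer
        self._ttl = ttl_seconds
        self._clock = clock                  # injectable so expiry is testable
        self._used = {}                      # nonce -> expiry (replay cache)

    def _tag(self, user, nonce, expires_at):
        # JSON list encoding keeps the field boundaries unambiguous.
        msg = json.dumps([user, nonce, expires_at]).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue_code(self, user):
        nonce = secrets.token_hex(16)        # distinguishes protocol instances
        expires_at = int(self._clock()) + self._ttl
        return f"{nonce}.{expires_at}.{self._tag(user, nonce, expires_at)}"

    def authenticate(self, user, code):
        parts = code.split(".")
        if len(parts) != 3 or not (parts[1].isascii() and parts[1].isdigit()):
            return MALFORMED
        nonce, expires_at, tag = parts[0], int(parts[1]), parts[2]
        # Check integrity first: expiry and nonce are untrusted until the
        # MAC binds them to this user.
        expected = self._tag(user, nonce, expires_at)
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return BAD_MAC
        now = self._clock()
        # Expired nonces can be forgotten: the expiry check rejects them
        # anyway, so the expiration date bounds the replay cache.
        self._used = {n: e for n, e in self._used.items() if e > now}
        if now >= expires_at:
            return EXPIRED
        if nonce in self._used:
            return REPLAYED
        self._used[nonce] = expires_at       # invalid after being used
        return OK


def demo():
    """Run the checks against a constructed fake clock."""
    now = [1_000_000.0]
    ce = CentralEntity(ttl_seconds=60, clock=lambda: now[0])
    results = []
    code = ce.issue_code("alice")
    results.append(ce.authenticate("alice", code))   # first use
    results.append(ce.authenticate("alice", code))   # same code again
    fresh = ce.issue_code("alice")
    nonce, exp, tag = fresh.split(".")
    stretched = f"{nonce}.{int(exp) + 3600}.{tag}"   # lifetime tampered with
    results.append(ce.authenticate("alice", stretched))
    results.append(ce.authenticate("bob", fresh))    # presented for another user
    now[0] += 61                                     # let the code expire
    results.append(ce.authenticate("alice", fresh))
    return results


if __name__ == "__main__":
    print(demo())
```

The replay cache only has to remember a nonce until its expiry passes, which is why the expiration date and the nonce work as a pair rather than as alternatives.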

[1.3]: “providing by the computer associated with the central-entity said generated dynamic code to the user during the transaction;”

Brown teaches that the authentication deity transmits the generated session key and the pair of authentication proofs “As, and Au” to the service, which then “forwards Kusu and Au to the user.” Brown, 9:40-54; see Nielson Dec., ¶ 51. Accordingly, since Kusu merely represents an obscured copy of the session key, the authentication deity forwarding Kusu to the user discloses these limitations of the claim.

[1.4]: “receiving electronically by the central-entity a request for authenticating the user from a computer associated with the external-entity based on a user-specific information and the dynamic code as a digital identity included in the request which said dynamic code was received by the user during the transaction and was provided to the external-entity by the user during the transaction; and”

Brown describes that, during a reauthentication process, the service receives an authentication message including a user response, Ru, which is calculated based on a cryptographic hash function represented by “Ru = MD5(Kus+Z+Ns+Nu+Nr+Cs+Ca+Kus),” where Kus and Nu refer to the session key and the user’s user name, respectively. Brown, 10:15-17 (emphasis added). Thus, because Ru identifies the user based on the user’s user name and is derived based at least on the session key, Ru corresponds to “a user-specific information and dynamic code as a digital identity.”

Brown teaches that, instead of the authentication deity receiving an authentication request, the service receives the authentication request for the user. Although this difference in topology is inconsequential to the results of the authentication process since the session key is used to authenticate the user to the service, Myers remedies this particular distinction in Brown.[1] Specifically, Myers teaches an authentication protocol where an OCSP Responder (the central-entity) receives a “service request” from an OCSP client (the external-entity) to “provide the requested service,” which is commonly used to authenticate a user. See Myers, pg. 2; see Nielson Dec., ¶ 53. Specifically, the service request includes a “target certificate identifier,” which enables the responder to “determine the . . . state of [the] identified certificate” included in the request. Id.

As discussed previously, Brown and Myers disclose analogous teachings that are commonly directed to preventing replay attacks. See Ground 1, [1.0], [1.2], supra. For example, Myers describes that “it may be necessary to obtain timely information regarding the revocation status of a certificate” prior to “return[ing] a definitive response.” Myers, pg. 2 (emphasis added). As such, one of ordinary skill in the art would have been motivated to modify the authentication protocol of Brown such that, during the reauthentication process, the service sends an additional authentication message including the user response, Ru, and the certificate of Myers to the authentication deity in order to determine timely information about the user’s authorization status to prevent a replay attack. See Nielson Dec., ¶¶ 55-56. Thus, Brown in view of Myers teaches that the authentication deity may receive an authentication message that includes a user response, Ru and a certificate indicating information related to the user’s authorization to authenticate. Id.

Accordingly, the authentication deity receiving an additional authentication message from the service during the reauthentication process that includes, i) the user response, Ru, and ii) the certificate including timely information related to the user’s authorization to authenticate discloses these limitations of the claim.

[1] Petitioner notes that under the BRI, the “central-entity” and “external-entity” can be the same entity. In that scenario, there is no distinction between Brown’s topology and the claimed one. Petitioner cites Myers as evidence that even a narrower view of the claims is rendered obvious.

[1.5]: “authenticating by the central-entity the user and providing a result of the authenticating to the external-entity during the transaction if the digital identity is valid.”

As discussed previously, Brown teaches that, instead of the authentication deity authenticating the user, the service authenticates the user to the service. See Ground 1, [1.4], supra. Although this difference in topology is inconsequential to the results of the authentication process since the session key is still used to authenticate the user to the service, Myers remedies this particular design distinction in Brown.[2] Specifically, Myers teaches an authentication protocol where an OCSP Responder (the central-entity) receives a “service request” from an OCSP client (the external-entity) to “provide the requested service,” which is commonly used to authenticate a user. See Ground 1, [1.0], [1.4], supra; see
