Attorney Docket No. KAMR002USO

Certification Under 37 C.F.R. 1.8
`
`I hereby certify that on March 1, 2012 this correspondence is being: (a) deposited with the
`United States Postal Service in an envelope addressed to Commissioner for Patents, P.O.
`Box 1450, Alexandria, Virginia 22313-1450; or (b) transmitted via facsimile to facsimile
`number 571-273-8300; or (c) electronically filed with the U.S. Patent Office.
`
`
Date: March 1, 2012
`
`Signature:
`
`/Michael P. Fortkort/
`Michael P. Fortkort
`
`(Reg. No. 35,141)
`
`IN THE UNITED STATES PATENT & TRADEMARK OFFICE
`
APPLICANT: NADER ASGHARI-KAMRANI and KAMRAN ASGHARI-KAMRANI
`
`SERIAL NO.: 12/210,926
`
`FILING DATE: September 15, 2008
`
`EXAMINER: Mr. Abdulhakim Nobahar
`
`ART UNIT: 2432
`
`TITLE: CENTRALIZED IDENTIFICATION AND AUTHENTICATION SYSTEM AND
`METHOD
`
`ATTORNEY DOCKET: KAMR002USO
`
`CONFIRMATION NO.: 7516
`
`VIA ELECTRONIC FILING SYSTEM
`ASSISTANT COMMISSIONER FOR PATENTS
`
`WASHINGTON, D.C. 20231
`
`AFFIDAVIT UNDER RULE 132
`
Applicants hereby submit this affidavit in support of their response to the Office Action mailed January 6, 2012 which rejected the pending claims.

This affidavit is being provided as testimony in the prosecution of U.S. Serial No. 12/210,926, and pursuant to the provisions of 37 C.F.R. § 1.132. The witness hereby avers and testifies as follows:
`
`
`
`98009.
`
`1.
`
`2.
`
`I am Abolfazl Hosseinzadeh, with address of PO Box 3043, Bellevue, WA
`
`I am an electrical engineer with more than 20 years ofproven technical
`
`leadership and mu1ti—discipIined experience in the area of systems engineering and
`
`development, program management information security and e~com.merce.
`
`3.
`
`I am familiar with the specification and pending claims of the present
`
`Application.
`
`4.
`
`I have reviewed U.S. Patent Publication No. 201010100724 A1 by Kaliski, Jr.
`
`(“Ka!i.9h', Jr. ”).
`
Nonce Not Equivalent to SecureCode
`
`5.
`
`One of skill in the authentication art would understand that an identifier is
`
`non secret information such as a name or label that identifies an entity. And in the world of
`
`authentication an identifier is only used for identification of an entity and not for
`
`authentication of the entity.
`
`6.
`
`One of skill in the authentication art would understand that in Ka!iski,:Jr. , a
`
`nonce is a session identifier. “The authentication server 730 returns the blinded result R to
`
`the client 715, along with a nonce or other session identifier 772." Kcdisld, J:-., ‘ll [0 ll 1]
`
`(emphasis supplied).
`
`A cryptographic nonce is an arbitrary number used to establish the uniqueness or
`
`discreteness ofan operation. That is, an operation such as a data request is accompanied by
`name in order to demonstrate that the request is not a repeat or replay ofa previous request.‘
`
`A session is a series of information exchanges between two communicating parties,
`
`usually involving an initiation protocol and more than one message in each direction.
`
`In Kaliski, Jr. a nonee is used for identification of a user’s session. In the
`
`client/server world, a session refers to all the requests that a single client makes to a server. A
`
`l'.00/ T.D0'd 953
`
`O#
`
`GWEII
`
`500?:/9t/to
`
`
`
`U.S. Patent Application No. 12/2l0,926
`Attorney Docket No. KAMRODZUSO
`
`session is specific to each user and for each user a new session is created to track all the
`
`requests from that user. Every user has a separate session and separate session identifier is
`
`associated with that session.
`
`7.
`
`One of skill in the authentication art would understand that the nonce in
`
`Knlisla’, Jr. is not cquivaicnt to the SecureCode ofthe present application- A name is a
`
`session idernifier associated with a user's session, but a noncc is not used. for authentication
`
`of a user, as is the Securecodc recited in the claims oflfamrani.
`
`8.
`
`One of skill in the authentication art would understand that the statement “the
`
`notice conrmponds to the recited dynamic Sccurecode” is inaccurate. In Kaliski, Jr. the web
`
`server receives the nonce and hardened password from the chem and authenticates the user
`
`based on successful decryption cfa digital signature associated with the hardened password.
`
`Kali‘.-Ha’, Jr., 11 [0109] and [M12]. The notice is used by the web server to identify the user
`
`and the hardened password used in the authentication process of authenticating the user. In
`
`Karm-am‘, a dynamic code authenticates a user whereas in Kalilrki, Jr. a nonce is a session
`identifier. Therefore the argument that “the norm: corresponds to the recited dynamic codel’
`is invalid.
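The distinction drawn in paragraphs 5 through 8, as an added illustration that is not part of the affidavit and not code from Kaliski, Jr. or from the present application: a constructed Python server in which a session identifier identifies the session, a nonce makes each request unique so that a replayed request is rejected, and only a keyed authenticator (an HMAC under a per-session key that is assumed to have been established beforehand) actually authenticates the requester. The names SessionServer, make_authenticator and scenario, and the sample request body, are constructed for this example.

```python
"""Constructed example: identifier vs. nonce vs. authenticator.

The session id labels the session, the nonce proves a request is not a replay,
and the HMAC proves the sender holds the session key.  Checking the nonce alone
never authenticates anyone; that is the point of paragraphs 5 through 8.
"""
import hashlib
import hmac
import secrets


def make_authenticator(key, sid, nonce, body):
    """Keyed authenticator over (session id, nonce, request body)."""
    msg = sid.encode() + b"|" + nonce.encode() + b"|" + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class SessionServer:
    """Tracks sessions (identification), issued nonces (uniqueness) and keys (authentication)."""

    def __init__(self):
        self.keys = {}      # session id -> per-session key, assumed pre-established out of band
        self.pending = {}   # session id -> nonces issued but not yet consumed

    def open_session(self, key):
        sid = secrets.token_hex(8)   # an identifier: a non-secret label for the session
        self.keys[sid] = key
        self.pending[sid] = set()
        return sid

    def issue_nonce(self, sid):
        nonce = secrets.token_hex(16)
        self.pending[sid].add(nonce)
        return nonce

    def handle(self, sid, nonce, body, authenticator):
        if sid not in self.keys:
            return "unknown_session"             # identification failed
        if nonce not in self.pending[sid]:
            return "replay_or_unknown_nonce"     # nonce already consumed or never issued
        expected = make_authenticator(self.keys[sid], sid, nonce, body)
        if not hmac.compare_digest(expected, authenticator):
            return "not_authenticated"           # valid nonce, but no proof of who sent it
        self.pending[sid].discard(nonce)         # consume: any repeat is now a replay
        return "ok"


def scenario():
    """Run one legitimate request, a replay of it, and an impostor who knows the nonce but not the key."""
    server = SessionServer()
    key = secrets.token_bytes(32)
    sid = server.open_session(key)

    nonce = server.issue_nonce(sid)
    auth = make_authenticator(key, sid, nonce, b"GET /account")   # constructed request
    first = server.handle(sid, nonce, b"GET /account", auth)
    replay = server.handle(sid, nonce, b"GET /account", auth)     # same nonce again

    nonce2 = server.issue_nonce(sid)
    forged = make_authenticator(secrets.token_bytes(32), sid, nonce2, b"GET /account")
    impostor = server.handle(sid, nonce2, b"GET /account", forged)  # right nonce, wrong key
    return first, replay, impostor


if __name__ == "__main__":
    print(scenario())   # ('ok', 'replay_or_unknown_nonce', 'not_authenticated')
```

The three outcomes separate the three roles: the session id alone only routes the request to a session, the nonce alone only tells the server the request is fresh, and the request is accepted only when the authenticator verifies.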
`
`No Authentication Request Message
`
`9.
`
`One of skill in the authentication art would understand that in the system of
`
`Kaliski, Jr. there is nothing equivalent to a Central Entity receiving an authentication request
`
`message, as recited in the claims at issue. The Olfice Action equates the claimed
`
`authentication request message to message 776 of Kaltrki. Jr. Bur, message 776 that the
`
`authentication sewer in FIG 7 ofKahfski, Jr. receives is NOT an authentication request
`
`message. Rather, message 776 indicates simply whether or not the authentication of the
`
`client by the Web server was succcssfiil. See Kaliski, Jr. ‘W [0109] through [D112]. This
`
`message 776 is a one way acknowledgement and expects no return, whereas the
`
`- 2 -
`
`L00] Z0O'd 9630!?
`
`09361
`
`5002/9'E/T10
`
`
`
`US. Patent Application No. 12/210,926
`Attorney Docket No. ICAMROOZUSD
`
`authentication request message as recited in the claims at issue is a different type of message
`
`than the cited acknowledgement as the claimed authentjcation request should generate a
`
`response because it is a REQUEST as opposed to an acknowledgement. Thus, the message
`
`in Kaliski. Jr. cited by the Officc Action at issue is not equivalent to the claimed
`authentication request message in Kamrani. Thus, one ofskill in the authentication art would
`
`understand that the argument in the Office Action equating the claimed authentication request
`
`message to the aelcnowlcdgernent message 776 in Kaliski, Jr. is not valid.
`
`No Central Entity Authenticating User
`
`10.
`
`One of skill in the authentication art would understand that there is nothing in
`
`Kaliski. Jr. equivalent to a Central Entity authenticating the user as recited in the claims at
`
`issue. The Oflice Action equates the Central Entity to the authentication server 730 in
`
`Kaiiski, Jr. But, the authentication server 730 in FIG 7 never authenticates the client-
`
`Rather, the web server 710 authenticates the client based on successful decryption ofthe
`
`client’s digital signature associated with the hardened password. See Katiski, Jr. '|[1[ [0l(i9]
`
`through [01 12]. Moreover, the web server 710 ofKalisici, Jr. does not generate anything
`
`equivalent to the claimed Secure-Code, as recited in the claims at issue. Thus, neither the web
`
`server 710 nor the authentication server 730 ofKaliski, Jr. performs the functions of the
`
`Central Entity recited in the claims.
`
11. One of skill in the authentication art would understand that in Kaliski, Jr. a user's client application generates a hardened password (based on the blinded result R received from the authentication server) and submits the generated hardened password to the web server and not to the authentication server cited by the Office Action. In Kaliski, Jr. the client receives the blinded result R along with a nonce from the authentication server and generates the hardened password at the client side for authentication to the web server. Kaliski, Jr., ¶ [0111].
`
`12. One of skill in the authentication art would understand that the argument in the
`
`Offiee Action equating the claimed “authenticating by the Central—Entity the user during the
`transaction, ifthe digital identity is valid" with the atrthentication protocol in Kaliski, Jr. is
`
`not valid. The authentication server 730 does not authenficate the client; it is the web server
`
`that authenticates the client. And, the web server 710 of Kaliski, Jr. also cannot be the
`
`claimed Central Entity because the web server does not generate anything equivalent to the
`
`claimed Sccurecode. Thus, there is no Central Entity authenticating the user in Kaiiski, Jr.
`
`Authentication Process Different
`
`13. The web server of Karina‘, Jr. stores the user‘s personal information as encryption
`
`secrets (See Knliski, Jr., 1] [(31031) and the encrypted secrets are stored such that they can be
`
`decrypted with a decryption key/hardened password. In Kalislli, Jr. a blind-function
`
`evaluation protocol is used by the client to drive a decryption keylhardenod password from a
`
`blinded result R received fiom the authentication server (Sec Kalirki, Jr., 1 [01 11]), to '
`
`decrypt the encrypted secrets. The web server authenticates the client ifthc hardened
`
`password received from the client successfully decrypt user's information.
`
`14. It is clear that in Kaliski, Jr-., gughcntication is based on a cr3q;t_r_;gra;;h_ig protocol.
`
`The use of this cryptographic approach aiiows authenticity of a client to be checked by
`
`creating a digital signature ofa user's personal information using the encryption key, which
`
`can be verified using hardened password as the decryption key received from the client.
`
`during the transaction.
`
`15. One of skill in the authentication an would understand that in the blind function
`
`evaluation protocol used in Kalisld, Jr. (See, Kalislci. Jr. ‘ll [0038]), the client has some secret
`
`information and the authentication server has some secret information, and together the client
`
`- 4 -
`
`L00! V001 9530*
`
`09361’.
`
`6002/9T./V70
`
`
`
`U.S. Patent Application No- 121210326
`Attorney Docket No. KAMROOZUSO
`
`and the authentication server provide their respective secrets as an input to ajointly
`
`calculated function, with only the client obtaining the output ofthe jointly calculated function
`
`(the output is the decryption key or hardened password). This means that only the client
`
`obtains the hardened password (decryption key) as the output of the blind function evaluation
`protocol. Soc Kalxlrki. Jr. igurc 7. The autheritication server ofKaliski, Jr. which the Office
`
`Action equated to the Central Entity of the claims cannot generate the hardened password
`
`(decryption key) since the authentication server does not have access to the client’s secret
`
`information. See Kaliski, Jr. 1[004-0], which states:
`
`The use of a blind function evaluation protocol, or other
`embodiments in which the decryption key is derived from the
`client information, provides additional security benefits
`resulting from the fact that the first server 30 does not have the
`decryption key in an unblindcd form. Even if the first server 30
`is compromised, and a server secret obtained, it will still be
`necessary for an attacker to do more work to transform the
`server secret into the decryption key. Just as one example, in
`one such embodiment, the first server 30 and clit 15 engage
`in it blind function evaluation protocol that results in the first
`server 30 providing to the client 15 a blinded key as the
`intermediate data 22. The client 15 has information used to
`unblind the decryption key 24, which is then used to decrypt
`the encrypted secrets 5. Compromise of the first server 30
`would still not directly ntveal the decryption key 25 to an
`attacker.
`
`Thus, the entire basis for authentication in Kaliski, Jr. is different than the claimed
`
`Securecode authentication process 0fKamram', and one of ordinary skill in the art would
`
`understand this difference,
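The blind function evaluation described in paragraphs 13 through 15, as an added illustration that is not part of the affidavit and is not Kaliski, Jr.'s own construction: a constructed Python implementation in a safe-prime group, in which the client blinds a hash of its password, the authentication server raises the blinded value to its secret exponent k, and the client unblinds to obtain h^k as the hardened password. The server observes only blinded values and never learns h or h^k; a separate web-server step stores a secret encrypted under the hardened password and authenticates by checking that it decrypts. The parameter size (a 128-bit safe prime generated at run time), the HMAC-based keystream, the Miller-Rabin helper and all names are choices of this example, not of either patent document; it is a teaching toy, not production code.

```python
"""Constructed example: a blind function evaluation that yields a hardened password.

Group: p = 2q + 1 (safe prime); squares mod p form a subgroup of prime order q.
Client secret: the password (hashed into the group as h).  Server secret: k.
Jointly computed function: h^k mod p.  Only the client obtains it.
"""
import hashlib
import hmac
import random

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin probable-prime test (helper for parameter generation)."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_safe_prime(bits, rng):
    """Return (p, q) with p = 2q + 1 and both prime.  Toy size; real systems use far larger groups."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            return 2 * q + 1, q


def hash_to_group(password, p):
    """Map the client's secret (password) to a non-trivial element of the order-q subgroup."""
    x = int.from_bytes(hashlib.sha256(password).digest(), "big") % p
    h = pow(x, 2, p)
    if h in (0, 1):
        raise ValueError("degenerate mapping")
    return h


class AuthServer:
    """Holds only the server secret k; sees blinded values, never the password or h^k."""

    def __init__(self, p, q, rng):
        self.p, self.k = p, rng.randrange(1, q)
        self.seen = []                      # everything the server ever observes

    def evaluate(self, blinded):
        self.seen.append(blinded)
        return pow(blinded, self.k, self.p)  # the blinded result R


def derive_hardened_password(password, p, q, server, rng):
    """Client side: blind h with a fresh r, have the server apply k, then unblind."""
    h = hash_to_group(password, p)
    r = rng.randrange(1, q)
    R = server.evaluate(pow(h, r, p))
    return pow(R, pow(r, -1, q), p)         # (h^r)^k^(1/r) = h^k mod p


def _key(hardened):
    return hashlib.sha256(hardened.to_bytes((hardened.bit_length() + 7) // 8, "big")).digest()


def _keystream(key, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"ks" + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt_secret(hardened, secret):
    """Web-server enrollment: store the user's information encrypted under the hardened password."""
    key = _key(hardened)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(key, len(secret))))
    return ct, hmac.new(key, ct, hashlib.sha256).digest()


def web_server_authenticate(hardened, ct, tag):
    """Return the decrypted secret if the presented hardened password decrypts it, else None."""
    key = _key(hardened)
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def demo(password=b"correct horse", attempt=b"correct horse", seed=7):
    """Enroll with `password`, later present `attempt`; report what the servers learn."""
    rng = random.Random(seed)
    p, q = gen_safe_prime(128, rng)
    server = AuthServer(p, q, rng)
    enrolled = derive_hardened_password(password, p, q, server, rng)
    ct, tag = encrypt_secret(enrolled, b"user personal information")  # constructed secret
    later = derive_hardened_password(attempt, p, q, server, rng)
    return {
        "same_hardened": later == enrolled,
        "secret": web_server_authenticate(later, ct, tag),
        "server_saw_hardened": enrolled in server.seen,
    }
```

Two runs with different blinding factors r yield the same h^k, so the hardened password is stable across sessions, while the authentication server's record of what it saw never contains h^k; an attacker holding only the server secret k still needs h, which is derived from the client's secret, to reconstruct it.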
`
Hill et al.

16. One of skill in the authentication and payment art would understand that the user of Hill et al. purchases a set of payment tokens from the payment service provider before the user is involved in any transaction with the merchant. Hill et al., col. 5, lines 31-51 and col. 8, lines 1-9. The tokens are not valid for a predefined period of time because the user buys them. The tokens are like real money and will be used for online purchases.
`
    Initially, the user establishes an internet connection with the payment service, and purchases tokens to a certain value. This transaction may be carried out, for example, by transmitting from the client to the payment service a request for tokens to a certain value, say £10, together with a credit card number. This number may be encrypted using any one of a number of public key encryption tools, such as PGP. The payment service debits the relevant sum from the credit card account, and generates a number of payment tokens, say 1000 tokens of value 1p. These are encrypted using the public key algorithm and returned to the user via the internet connection, together with a key which is unique to the user. Each token comprises, in this example, a 64 bit random hexadecimal number, drawn from a large list of n random numbers R = (r0, r1, r2, . . . , rn−2, rn−1) at the payment service. For each user, the payment service keeps two pieces of secret information k and s. k is a random key for use with a symmetric block cipher. s is a random entry parameter, where (0 ≤ s ≤ n−1) taken at random from the range (0 . . . n). There is also an integer index variable i. Its secrecy is not essential although its integrity is important.
`
`(-5
`
`50
`
`One of skill in the authentication art would undersmnd that the payment server
`
`offlitl at al. encrypt the generated set of tokens with use-1"s public key and send it to the user
`
`before the user starting any transactions with a merchant. Hill at at. cat. 5, lines 40-42.
`
`Ca:-net program installed on user's computer stores the tokens. Hill Col. 5. lines 25-30 and
`
`h'n&:.s‘ 52-65; Col 6, lines 3-20.
`
18. One of skill in the authentication art would understand that the merchant stores a set of authentication tokens before starting any transaction with the user. Hill et al., col. 6, lines 46-47 and col. 13, lines 1-5.

    The merchant module includes administration functions. These maintain a count of how many unused authentication tokens remain, and send a request for further tokens to the payment service when that number falls below a predetermined threshold.
`
19. One of skill in the authentication art would understand that the authentication tokens of the merchant are similar to the payment tokens of the user. The tokens are issued to the merchant at the time of registration and before the merchant or the user is involved in any transaction. Hill et al., col. 6, lines 25-32. The merchant and the user do not receive any tokens at the time of the transaction, and the tokens stored at the user's or merchant's computer are not valid for a predefined period of time. Hill's tokens do not serve an identification function, but rather act as a fungible financial instrument. That is, a given quantity or value of tokens is equivalent to their stated value in dollars.
`
I affirm that all statements made herein of my own knowledge are true, and that all statements made herein on information and belief are believed to be true. I understand that willful false statements and the like are punishable by fine or imprisonment, or both (18 U.S.C. 1001), and may jeopardize the validity of the present patent application or any patent issuing thereon.

FURTHER AFFIANT SAYETH NOT.

In witness whereof,

Abolfazl Hosseinzadeh

Date
`