Attorney Docket No. KAMR002USO
`
Certification Under 37 C.F.R. 1.8
`
`I hereby certify that on March 1, 2012 this correspondence is being: (a) deposited with the
`United States Postal Service in an envelope addressed to Commissioner for Patents, P.O.
`Box 1450, Alexandria, Virginia 22313-1450; or (b) transmitted via facsimile to facsimile
`number 571-273-8300; or (c) electronically filed with the U.S. Patent Office.
`
`
Date: March 1, 2012
`
`Signature:
`
`/Michael P. Fortkort/
`Michael P. Fortkort
`
`(Reg. No. 35,141)
`
`IN THE UNITED STATES PATENT & TRADEMARK OFFICE
`
APPLICANT: NADER ASGHARI-KAMRANI and KAMRAN ASGHARI-KAMRANI
`
`SERIAL NO.: 12/210,926
`
`FILING DATE: September 15, 2008
`
`EXAMINER: Mr. Abdulhakim Nobahar
`
`ART UNIT: 2432
`
`TITLE: CENTRALIZED IDENTIFICATION AND AUTHENTICATION SYSTEM AND
`METHOD
`
`ATTORNEY DOCKET: KAMR002USO
`
`CONFIRMATION NO.: 7516
`
`VIA ELECTRONIC FILING SYSTEM
`ASSISTANT COMMISSIONER FOR PATENTS
`
`WASHINGTON, D.C. 20231
`
`AFFIDAVIT UNDER RULE 132
`
`Applicants hereby submit this affidavit in support of their response to the Office
`
`Action mailed January 6, 2012 which rejected the pending claims.
`
`This affidavit is being provided as testimony in the prosecution of U.S. Serial No.
`
`12/210,926, and pursuant to the provisions of 37 C.F.R. § 1.132. The witness hereby avers
`
`and testifies as follows:
`
`
`
02/29/2012 13:52 7832274285 CGI FED 623A PAGE 11/18
`
U.S. Patent Application No. 12/210,926
Attorney Docket No. KAMR002USO
`
`1.
`
`I am Kamran Asghari-Kamrani, one of the inventors listed in U.S. patent
`
`Application, which is the subject of the present proceeding.
`
`2.
`
`Bachelor of Computer Science — Specialization: Data Management and Database
`
`Design, Technical University of The Hague, The Hague, Netherlands.
`
`3-
`
`Director, CG! Federal. Senior level business and IT professional with over 18
`
`years of experience in architeoting and leading complex enterprise-wide solutions for Fortune
`
`1000 companies and the federal govcmment; an Expert in authorization and authentication, fraud
`
`and identity theft prevention; Devoted much of my time to studying, and devising solutions for
`
`these multifaceted problems; Knowledgeable in the computer Architecture Software and
`
`Information Security area.
`
`4.
`
`5.
`
`I am familiar with the specification and pending claiins of the present Application.
`
`Ihave reviewed U.s. Patent Publication No. 2010/0100724 A1 by Kaiislci, Jr.
`
`("Kaliski, Jrx”).
`
Nonce Not Equivalent to SecureCode
`
`6.
`
`One of skill in the authentication art would understand that an identifier is non
`
`secret information such as a name or label that identifies an entity. And in the world of H
`
`authentication an identifier is only used for identification of an entity and not for authentication
`
`of the entity.
`
`7.
`
`One of skill in the authentication art would understand that in Kaliski. Jr., a notice
`
`is a session identifier. “The authentication server 730 returns the blinded result R to the client
`715, along with a notice or other session identifier 772.” Kaliski. Jr., 1} [0111] (emphasis
`I
`
`supplied).
`
`
`
`
A cryptographic nonce is an arbitrary number used to establish the uniqueness or discreteness of an operation. That is, an operation such as a data request is accompanied by a nonce in order to demonstrate that the request is not a repeat or replay of a previous request.

A session is a series of information exchanges between two communicating parties, usually involving an initiation protocol and more than one message in each direction.

In Kaliski, Jr. a nonce is used for identification of a user's session. In the client/server world, a session refers to all the requests that a single client makes to a server. A session is specific to each user and for each user a new session is created to track all the requests from that user. Every user has a separate session and a separate session identifier is associated with that session.
`
`8.
`
`One of skill in the authentication art would understand that the nonce in Kaliski,
`
`Jr. is not equivalent to the SccureCodc of the present application. A notice is a session identifier
`
`associated with a user's session, but a notice is not used for authentication of a user, as is the
`
`Secm‘eCode recited in the claims ofKamnmi.
`
`9.
`One of skill in the authentication art would understand that the staterncn_t.“the
`noncc corresponds to the recited dynamic Secureflode" is inaccurate. In Kaliski, Jr. the iveb
`
`server receives the muse and hardened password from the client and authenticates the" user based
`
`on successful decryption of a digital signature associated with the hardened password. Kaliski,
`
`Jr., W [OI 09] and [(3112]. The nonce is used by the web server to identify the user and the
`
`hardened password used in the authentication process of authenticating the user. In Kamrani, a
`
`dynamic code authenticates a user whereas in Kaliski, Jr. a notice is a session identifier.
`
`Therefore the argument that “the notice corresponds to the recited dynamic code” is invalid.
`
`
`
`
No Authentication Request Message
`
`10.
`
`One of skill in the authentication art would understand that in the system of
`
`Kaliski, Jr. there is nothing equivalent to a Central Entity receiving an authentication request
`message, as recited in the claims at issue. The
`Action equates the claimed authentication
`
`request message to message 776 ofKaliski. Jr. But, message 7'76 that the authentication server
`
`in FIG 7 ofKaliski, Jr. receives is NOT an authentication request message. Rather, message 776
`
`indicates simply whether or not the authentication of the client by the web server was successful.
`
`See Kaliskz‘, Jr. ‘MI [0109] through [0112]. This message 776 is a one way aclflmwledgernent
`
`and expects no return, whereas the authrmtication request message as recited in the claims at
`
`issue is a different type of message than the cited acknowledgement as the claimed
`
`authentication request should generate a response because it is a REQUEST as opposed to an
`
`acknowledgement. Thus, the message in Kalisiu‘, Jr. cited by the Office Action at issue is not
`
`equivalent to the claimed authentication request message in Kamrani. Thus, one of skill in the
`
`authentication art would understand that the argument in the Office Action equating the claimed
`
`authentication request message to the acknowledgement message 7'76 in Kaliski, Jr. isnot valid.
`
`No Central Entity Authenticating User
`
`11.
`
`One of skill in the authentication art would understand that there is nothing in
`
`Kalislri, Jr. equivalent to a Central Entity authenticating the user as recited in the claims in issue.
`
`The Office Action equates the Central Entity to the authentication server 730 in Kalislti, Jr. But,
`
`the authentication server 730 in FIG 7 never authenticates the client. Rather, the web server 710
`
`authenticates the client based on successful decryption of the client's digital signature associated
`
`with the hardened password. See Kalislo“, Jr. 11 [0109] through [0112]. Moreover, the web
`
`
`
`82/29I2B12
`
`13:52
`
`?3227425
`
`(361 FED 523:1‘-\
`
`PAGE
`
`14/18
`
`U.S. Patent Application No. 12/210,926
`Attorney Docket No. KAMR002USO
`
server 710 of Kaliski, Jr. does not generate anything equivalent to the claimed SecureCode, as recited in the claims at issue. Thus, neither the web server 710 nor the authentication server 730 of Kaliski, Jr. performs the functions of the Central Entity recited in the claims.
`
`12.
`
`One of skill in the authentication art would understand that in Kczliski, Jr. a user's
`
`client application generates a hardened password (based on the blinded result R received from
`
`the authentication server) and submits the generated hardened password to the web server and
`
`not to the authentication server cited by the Office Action. In Kaliski. Jr. the client receives the
`
`blinded result R along with a noncc fi'om the authentication server and generates the hardened
`password at the client side for authentication to the web sewer. Kcliski, Jr., ‘ii [G111].
`
`13. One of skill in the authentication art would understand that the argument in the Office
`
`Action equating the claimed “authenticating by the Central—Entity the user during the transaction,
`
`if the digital identity is valid”
`
`the authentication protocol inffalisii, Jr. is not valid. The
`
`authentication server 730 does not authenticate the client; it is the web server that authenticates
`
`the client. And, the web server 710 of Kalislci, Jr. also cannot be the claimed Central Entity
`
`because the web saver does not generate anything equivalent to the cleimed SeeureCo_d_e. Thus,
`
`there is 110 Central Entity authenticating the user in Kaliski, Jr.
`
`Authentication Process Different
`
`14. The web server ofKaIiski, Jr. stores the user's personal infonnation as encryption
`
`secrets (See Kaliski, .fr., 1}[0I03]) and the encrypted secrets are stored such that their can be _
`decrypted with a decryption lceyfhardened password. In Kaliski, Jr. a blind function evaluatieti
`
`protocol is used by the client to drive a decryption key/hardened password fiom a blinded
`
`R received fitnn the authentication server (See Kaliski, Jr.. 1] [U11I]), to decrypt the encrypted
`
`
`
`
secrets. The web server authenticates the client if the hardened password received from the client successfully decrypts the user's information.
`
`15. It is clear that in Katiski, Jr., authentication is based on a Eogisighic grotocol. The
`
`use of this cryptographic approach allows authenticity of a client to be checked by creating a
`
`digital signature of a user's personal information using the encryption key, which can be verified
`
`using hardened password as the decryption key received from the client during the transaction.
`
`16. One of skill in the authentication art would understand that in the blind fiinction
`
`evaluation protocol used in Kaliski, Jr. (See, Kaliski, Jr. 11 [0038]), the client has some secret
`
`information and the authentication server has some secret information, and together the client
`
`and the authentication server provide their respective secrets as an input to a jointly calculated
`
`fimction, with only the client obtaining the output of the jointly calculated fimction (the output is
`
`the decryption key or hardened password). This means that
`
`the client obtains the hardened
`
`password (decryption key) as the output of the blind function evaluation protocol. See Kaliski,
`
`Jr. Figure 7. The authentication server oflfalislci, Jr. which the Offico Action equated to the
`
`Central Entity of the claims cannot generate the hardened password (decryption key) since the
`
`authentication server does not have access to the client’s secret information. See Kalislh‘, Jr. 1T
`
`[D040], which states:
`
`The use of a blind fiuicticn evaluation protocol, or other
`embodiments in which the decryption key is derived from the
`client information, provides additional security benefits resulting
`from the fact that the first server 30 does not have the decryption
`key in an unblinded form. Even if the first server 30 is
`compromised, and a server secret obtained, it will still be necessary
`for an attacker to do more work to transform the server secret into
`
`the decryption key. Just as one example, in one such embodiment,
`the first server 30 and client 15 engage in a blind fimction
`evaluation protocol that results in the first server 30 providing to
`the client 15 a blinded key as the intermediate data 22. The client
`
`
`
`
15 has information used to unblind the decryption key 24, which is then used to decrypt the encrypted secrets 5. Compromise of the first server 30 would still not directly reveal the decryption key 25 to an attacker.

Thus, the entire basis for authentication in Kaliski, Jr. is different than the claimed SecureCode authentication process of Kamrani, and one of ordinary skill in the art would understand this difference.
`
Hill et al.
`
`17.
`
`One of skill in the authentication and payment art would understand that the user
`
`ofHill et al. purchases 3 set of payment tokens from the payment service provider before the
`
`user being involved in any transaction with the merchant. Hill at 511., 00!. 5, lines 31-51 and col.
`
`8, lines I-9. The tokens are not valid for a predefined period of time because the user buys them.
`
`The tokens are like real money and will be used for online purchases.
`
Initially, the user establishes an internet connection with the payment service, and purchases tokens to a certain value. This transaction may be carried out, for example, by transmitting from the client to the payment service a request for tokens to a certain value, say $10, together with a credit card number. This number may be encrypted using any one of a number of public key encryption tools, such as PGP. The payment service debits the relevant sum from the credit card account, and generates a number of payment tokens, say 1000 tokens of value 1¢. These are encrypted using the public key algorithm and returned to the user via the internet connection, together with a key which is unique to the user. Each token comprises, in this example, a 64 bit random hexadecimal number, drawn from a large list of n random numbers R=(r0, r1, r2, . . . , rn-2, rn-1) at the payment service. For each user, the payment service keeps two pieces of secret information k and s. k is a random key for use with a symmetric block cipher. s is a random security parameter, where (0≤s≤n−1) taken at random from the range (0 . . . n). There is also an integer index variable i. Its secrecy is not essential although its integrity is important.
`
`
`
`82/29/2812
`
`13:52
`
`?I332274235
`
`CGI FED 523A
`
`PAGE
`
`1?/18
`
`US. Patent Application No. 12/210,926
`Attorney Docket No. KAMR002USO
`
`18.
`
`One of skill in the authentication art would understand that the payment server of
`
`Hill at at. encrypt the generated set of tokens with user’s public key and send it to the user before
`the user starting any transactions with a merchant. Hill at rrl., col. 5, liner 40-42. The Carnet
`
`program installed on user's computer stores the tokens. Hill Col. 5, lines 25-30 and lines 52-65,‘
`
`C016, lines 3-20.
`
`19.
`
`One of skill in the authentication art would understand that the merchant stores a
`
`set ofanthentication tokens before starting any transaction with the user. Hill et a!., col. 6, lines
`
`46—47and col. 13, lines L5.
`
`The merchant module includes administration functions.
`
`These maintain a oount of how many unused authentication
`tokens remain, and send a request for further tokens to the
`payment service when. that number falls below a predeteo 5
`mined threshold.
`
`20.
`
`One of skill in the authentication art would understand that the authentication
`
`tokens of the merchant are similar to the payment tokens ofthe user. The tokens are issued to the
`
`merchant at the time ofregistration and before the merchant or the user being involved in any
`transaction. Hill et at, col 6, lines 25-32. The merchant and the user do not receive anyttolrens at
`the time ofthe transaction and the tokens stored at the user or merchanfs computer are not valid
`
`for a predefined period of time.
`
`I-Ii]1’s tokens do not serve an identification function, but rather
`
`act is a fimgible financial instrument. That is, a given quantity or value of tokens is equivalent to
`
`their stated value in dollars.
`
I affirm that all statements made herein of my own knowledge are true, and that all statements made herein on information and belief are believed to be true. I understand that willful false statements and the like are punishable by fine or imprisonment, or both (18 U.S.C.
`
`
`
`
`1001), and mayjoopaxdizc thc validity of the present patent application 01' any patent issuing
`
`thereon.
`
`FURTHER AFFIANT SAYETH NOT.
`
In witness whereof,

/signature/

Kamran Asghari-Kamrani

Date
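The blind function evaluation that paragraph 16 and the quoted passage from Kaliski, Jr. describe (a client secret and a server secret fed into one jointly computed function, with only the client obtaining the output, so that a compromised server does not directly reveal the derived key) can be illustrated with a toy blinded-exponentiation protocol. The following is an example added to this page by the editor; it is not code from the affidavit, from Kaliski, Jr., or from the Kamrani application. The group parameters, the hash-to-group mapping, the message names and the function names are all constructed for the illustration and are assumptions, not anything the filing specifies.

```python
"""Toy blind function evaluation (blinded exponentiation), added as an
illustration of the protocol shape described in paragraph 16 above.
Example code for this page only; it is not Kaliski's construction and not
the Kamrani application's SecureCode.  The group parameters are a tiny
safe prime chosen so the arithmetic is readable; they are NOT secure."""
import hashlib
import secrets

# Constructed toy parameters: P is a safe prime (P = 2Q + 1) and G generates
# the order-Q subgroup of quadratic residues.  A real deployment would use a
# ~2048-bit group or an elliptic curve; these values only make the example run.
P = 1019
Q = 509
G = 4


def hash_to_group(password: bytes) -> int:
    """Map the client's secret (a password) to a subgroup element other than 1."""
    e = 1 + int.from_bytes(hashlib.sha256(password).digest(), "big") % (Q - 1)
    return pow(G, e, P)


def client_blind(password: bytes, r: int) -> int:
    """Client step 1: blind H(password) with a random r in [1, Q-1].
    The blinded value is what the server sees; it hides the password."""
    assert 1 <= r < Q
    return pow(hash_to_group(password), r, P)


def server_evaluate(blinded: int, server_secret: int) -> int:
    """Server step: apply its own secret to the blinded value.  The server never
    learns the password and never holds the unblinded output (the key)."""
    assert 1 <= server_secret < Q
    return pow(blinded, server_secret, P)


def client_unblind(blinded_result: int, r: int) -> bytes:
    """Client step 2: remove r to obtain H(password)^server_secret and derive the
    hardened password from it.  Exponents live modulo Q, the subgroup order."""
    r_inv = pow(r, -1, Q)  # modular inverse (Python 3.8+)
    unblinded = pow(blinded_result, r_inv, P)
    return hashlib.sha256(unblinded.to_bytes(2, "big")).digest()


def run_protocol(password: bytes, server_secret: int, r: int = 0) -> bytes:
    """Run both sides of the exchange and return the client's hardened password.
    r = 0 means 'pick a fresh random blinding factor', as a real client would."""
    if r == 0:
        r = 1 + secrets.randbelow(Q - 1)
    blinded = client_blind(password, r)            # client -> server
    result = server_evaluate(blinded, server_secret)  # server -> client
    return client_unblind(result, r)               # client only


def reference_hardened(password: bytes, server_secret: int) -> bytes:
    """Direct computation of the same output, used only to check correctness.
    Note that no single party in the protocol can run this function alone."""
    h = hash_to_group(password)
    return hashlib.sha256(pow(h, server_secret, P).to_bytes(2, "big")).digest()


if __name__ == "__main__":
    # Constructed sample input: a toy password and a toy server secret.
    pw, k = b"correct horse", 123
    hardened = run_protocol(pw, k)
    print("hardened password:", hardened.hex())
    print("matches direct evaluation:", hardened == reference_hardened(pw, k))
```

The point to take from running it: the server's only inputs are its secret `k` and the blinded value, so a dump of the server's storage yields `k` alone, and an attacker would still have to guess the password to reproduce the key, which is the benefit the quoted paragraph [0040] claims for the blinded design. Different blinding factors produce different values on the wire but the same hardened password, so the server also cannot link two runs by the blinded value alone.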