Attorney Docket No. KAMR002USO

Certification Under 37 C.F.R. 1.8

I hereby certify that on March 1, 2012 this correspondence is being: (a) deposited with the United States Postal Service in an envelope addressed to Commissioner for Patents, P.O. Box 1450, Alexandria, Virginia 22313-1450; or (b) transmitted via facsimile to facsimile number 571-273-8300; or (c) electronically filed with the U.S. Patent Office.

Date: March 1, 2012

Signature: /Michael P. Fortkort/
Michael P. Fortkort
(Reg. No. 35,141)
`
IN THE UNITED STATES PATENT & TRADEMARK OFFICE

APPLICANT: NADER ASGHARI-KAMRANI and KAMRAN ASGHARI-KAMRANI
SERIAL NO.: 12/210,926
FILING DATE: September 15, 2008
EXAMINER: Mr. Abdulhakim Nobahar
ART UNIT: 2432
TITLE: CENTRALIZED IDENTIFICATION AND AUTHENTICATION SYSTEM AND METHOD
ATTORNEY DOCKET: KAMR002USO
CONFIRMATION NO.: 7516

VIA ELECTRONIC FILING SYSTEM
ASSISTANT COMMISSIONER FOR PATENTS
WASHINGTON, D.C. 20231

AFFIDAVIT UNDER RULE 132

Applicants hereby submit this affidavit in support of their response to the Office Action mailed January 6, 2012 which rejected the pending claims.

This affidavit is being provided as testimony in the prosecution of U.S. Serial No. 12/210,926, and pursuant to the provisions of 37 C.F.R. § 1.132. The witness hereby avers and testifies as follows:
`
02/29/2012 13:52 7832274285 CGI FED 523A PAGE 03/10

U.S. Patent Application No. 12/210,926
Attorney Docket No. KAMR002USO
`
1. I am Nader Asghari-Kamrani, one of the inventors listed in the U.S. patent Application, which is the subject of the present proceeding ("Kamrani").

2. I received a degree in computer science from Technical University of Vienna, in Vienna, Austria in 1993. I have been working in the field of authentication over communication networks since 2000. I am one of skill in the art of authentication and electronic transactions, including PKI and digital signature, online credit card payment as well as banking transactions.

3. I am familiar with the specification and pending claims of the present Application.

4. I have reviewed U.S. Patent Publication No. 2010/0100724 A1 by Kaliski, Jr. ("Kaliski, Jr.").
`
Nonce Not Equivalent to SecureCode

5. One of skill in the authentication art would understand that an identifier is non-secret information such as a name or label that identifies an entity. And in the world of authentication an identifier is only used for identification of an entity and not for authentication of the entity.

6. One of skill in the authentication art would understand that in Kaliski, Jr., a nonce is a session identifier. "The authentication server 730 returns the blinded result R to client 715, along with a nonce or other session identifier 772." Kaliski, Jr., ¶ [0111] (emphasis supplied). A cryptographic nonce is an arbitrary number used to establish the uniqueness or discreteness of an operation. That is, an operation such as a data request is accompanied by a nonce in order to demonstrate that the request is not a repeat or re-play of a previous request. A session is a series of information exchanges between two communicating parties, usually involving an initiation protocol and more than one message in each direction.
`
`
In Kaliski, Jr. a nonce is used for identification of a user's session. In the client/server world, a session refers to all the requests that a single client makes to a server. A session is specific to each user and for each user a new session is created to track all the requests from that user. Every user has a separate session and a separate session identifier is associated with that session.

7. One of skill in the authentication art would understand that the nonce in Kaliski, Jr. is not equivalent to the SecureCode of the present application. A nonce is a session identifier associated with a user's session, but a nonce is not used for authentication of a user, as is the SecureCode recited in the claims of Kamrani.

8. One of skill in the authentication art would understand that the statement "the nonce corresponds to the recited dynamic SecureCode" is inaccurate. In Kaliski, Jr. the web server receives the nonce and hardened password from the client and authenticates the user based on successful decryption of a digital signature associated with the hardened password. Kaliski, Jr., ¶¶ [0105] and [0112]. The nonce is used by the web server to identify the user and the hardened password used in the authentication process of authenticating the user. In Kamrani, a dynamic code authenticates a user whereas in Kaliski, Jr. a nonce is a session identifier. Therefore the argument that "the nonce corresponds to the recited dynamic code" is invalid.
`
No Authentication Request Message

9. One of skill in the authentication art would understand that in the system of Kaliski, Jr. there is nothing equivalent to a Central Entity receiving an authentication request message, as recited in the claims at issue. The Office Action equates the claimed authentication request message to message 776 of Kaliski, Jr. But, message 776 that the authentication server in FIG. 7 of Kaliski, Jr. receives is NOT an authentication request message. Rather, message 776 indicates simply whether or not the authentication of the
`
`
client by the web server was successful. See Kaliski, Jr. ¶¶ [0109] through [0112]. This message 776 is a one way acknowledgement and expects no return, whereas the authentication request message as recited in the claims at issue is a different type of message than the cited acknowledgement as the claimed authentication request should generate a response because it is a REQUEST as opposed to an acknowledgement. Thus, the message in Kaliski, Jr. cited by the Office Action at issue is not equivalent to the claimed authentication request message in Kamrani. Thus, one of skill in the authentication art would understand that the argument in the Office Action equating the claimed authentication request message to the acknowledgement message 776 in Kaliski, Jr. is not valid.
`
No Central Entity Authenticating User

10. One of skill in the authentication art would understand that there is nothing in Kaliski, Jr. equivalent to a Central Entity authenticating the user as recited in the claims at issue. The Office Action equates the Central Entity to the authentication server 730 in Kaliski, Jr. But, the authentication server 730 in FIG. 7 never authenticates the client. Rather, the web server 710 authenticates the client based on successful decryption of the client's digital signature associated with the hardened password. See Kaliski, Jr. ¶¶ [0109] through [0112]. Moreover, the web server 710 of Kaliski, Jr. does not generate anything equivalent to the claimed SecureCode, as recited in the claims at issue. Thus, neither the web server 710 nor the authentication server 730 of Kaliski, Jr. performs the functions of the Central Entity recited in the claims.

11. One of skill in the authentication art would understand that in Kaliski, Jr. a user's client application generates a hardened password (based on the blinded result R received from the authentication server) and submits the generated hardened password to the web server and not to the authentication server cited by the Office Action. In Kaliski, Jr. the
`
`
client receives the blinded result R along with a nonce from the authentication server and generates the hardened password at the client side for authentication to the web server. Kaliski, Jr., ¶ [0111].

12. One of skill in the authentication art would understand that the argument in the Office Action equating the claimed "authenticating by the Central-Entity the user during the transaction, if the digital identity is valid" with the authentication protocol in Kaliski, Jr. is not valid. The authentication server 730 does not authenticate the client; it is the web server that authenticates the client. And, the web server 710 of Kaliski, Jr. also cannot be the claimed Central Entity because the web server does not generate anything equivalent to the claimed SecureCode. Thus, there is no Central Entity authenticating the user in Kaliski, Jr.

Authentication Process Different

13. The web server of Kaliski, Jr. stores the user's personal information as encryption secrets (See Kaliski, Jr., ¶ [0105]) and the encrypted secrets are stored such that they can be decrypted with a decryption key/hardened password. In Kaliski, Jr. a blind function evaluation protocol is used by the client to derive a decryption key/hardened password from a blinded result R received from the authentication server (See Kaliski, Jr., ¶ [0111]), to decrypt the encrypted secrets. The web server authenticates the client if the hardened password received from the client successfully decrypts the user's information.

14. It is clear that in Kaliski, Jr.,

The use of this cryptographic approach allows authenticity of a client to be checked by creating a digital signature of a user's personal information using the encryption key, which can be verified using hardened password as the decryption key received from the client during the transaction.

15. One of skill in the authentication art would understand that in the blind function evaluation protocol used in Kaliski, Jr. (See, Kaliski, Jr. ¶ [0038]), the client has some secret
`
`
information and the authentication server has some secret information, and together the client and the authentication server provide their respective secrets as an input to a jointly calculated function, with only the client obtaining the output of the jointly calculated function (the output is the decryption key or hardened password). This means that only the client obtains the hardened password (decryption key) as the output of the blind function evaluation protocol. See Kaliski, Jr. Figure 7. The authentication server of Kaliski, Jr. which the Office Action equated to the Central Entity of the claims cannot generate the hardened password (decryption key) since the authentication server does not have access to the client's secret information. See Kaliski, Jr. ¶ [0040], which states:

    The use of a blind function evaluation protocol, or other
    embodiments in which the decryption key is derived from the
    client information, provides additional security benefits
    resulting from the fact that the first server 30 does not have the
    decryption key in an unblinded form. Even if the first server 30
    is compromised, and a server secret obtained, it will still be
    necessary for an attacker to do more work to transform the
    server secret into the decryption key. Just as one example, in
    one such embodiment, the first server 30 and client 15 engage
    in a blind function evaluation protocol that results in the first
    server 30 providing to the client 15 a blinded key as the
    intermediate data 22. The client 15 has information used to
    unblind the decryption key 24, which is then used to decrypt
    the encrypted secrets 5. Compromise of the first server 30
    would still not directly reveal the decryption key 25 to an
    attacker.

Thus, the entire basis for authentication in Kaliski, Jr. is different than the claimed SecureCode authentication process of Kamrani, and one of ordinary skill in the art would understand this difference.

Hill et al.

16. One of skill in the authentication and payment art would understand that the user of Hill et al. purchases a set of payment tokens from the payment service provider before the user being involved in any transaction with the merchant. Hill et al., col. 5, lines 31-51
`
`
and col. 8, lines 1-9. The tokens are not valid for a predefined period of time because the user buys them. The tokens are like real money and will be used for online purchases.

    Initially, the user establishes an internet connection with
    the payment service, and purchases tokens to a certain value.
    This transaction may be carried out, for example, by trans-
    mitting from the client to the payment service a request for
    tokens to a certain value, say £10, together with a credit card
    number. This number may be encrypted using any one of a
    number of public key encryption tools, such as PGP. The
    payment service debits the relevant sum from the credit card
    account, and generates a number of payment tokens, say
    1000 tokens at value 1p. These are encrypted using the
    public key algorithm and returned to the user via the internet
    connection, together with a key which is unique to the user.
    Each token comprises, in this example, a 64 bit random
    hexadecimal number, drawn from a large list of n random
    numbers r(0), r(1), . . . , r(n-1) at the payment
    service. For each user, the payment service keeps two pieces
    of secret information k and s. k is a random key for use with
    a symmetric block cipher. s is a random security parameter,
    where (0 ≤ s ≤ n-1), taken at random from the array (0 . . . n).
    There is also an integer index variable i. Its secrecy is not
    essential although its integrity is important.

17. One of skill in the authentication art would understand that the payment server of Hill et al. encrypts the generated set of tokens with the user's public key and sends it to the user before the user starting any transactions with a merchant. Hill et al., col. 5, lines 40-42. The client program installed on the user's computer stores the tokens. Hill, col. 5, lines 25-30 and lines 52-65; col. 6, lines 3-20.

18. One of skill in the authentication art would understand that the merchant stores a set of authentication tokens before starting any transaction with the user. Hill et al., col. 6, lines 46-47 and col. 13, lines 1-5.

    The merchant module includes administration functions.
    These maintain a count of how many unused authentication
    tokens remain, and send a request for further tokens to the
    payment service when that number falls below a predeter-
    mined threshold.
`
`
19. One of skill in the authentication art would understand that the authentication tokens of the merchant are similar to the payment tokens of the user. The tokens are issued to the merchant at the time of registration and before the merchant or the user being involved in any transaction. Hill et al., col. 6, lines 25-32. The merchant and the user do not receive any tokens at the time of the transaction and the tokens stored at the user or merchant's computer are not valid for a predefined period of time. Hill's tokens do not serve an identification function, but rather act as a fungible financial instrument. That is, a given quantity or value of tokens is equivalent to their stated value in dollars.

I affirm that all statements made herein of my own knowledge are true, and that all statements made herein on information and belief are believed to be true. I understand that willful false statements and the like are punishable by fine or imprisonment, or both (18 U.S.C. 1001), and may jeopardize the validity of the present patent application or any patent issuing thereon.

FURTHER AFFIANT SAYETH NOT.

In witness whereof,
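The affidavit's central technical distinction (paragraphs 5 through 8) is that a nonce or session identifier identifies a session and lets a server reject a replayed request, but does not by itself authenticate anyone; authentication needs a separate proof derived from something only the legitimate party holds. The following Python program is an added illustration of that distinction and is not part of the affidavit, of the Kamrani application, or of Kaliski, Jr. The class name SessionServer, the HMAC-over-nonce proof, the pre-shared user secret and the sample user "alice" are all constructed for the example; the HMAC proof is a stand-in for whatever authenticator a real scheme uses, not a description of either cited system.

```python
import hashlib
import hmac
import secrets


class SessionServer:
    """Toy server (constructed for this example) that keeps two roles apart:
    a random nonce that only identifies a session and detects replays, and a
    secret-derived proof that is what actually authenticates the request."""

    def __init__(self, user_secrets):
        # username -> pre-shared secret (assumption: the authenticator is an
        # HMAC keyed with this secret; real schemes differ, see lead-in)
        self._user_secrets = dict(user_secrets)
        self._sessions = {}          # nonce -> username owning that session
        self._seen_requests = set()  # (nonce, counter) pairs already accepted

    def open_session(self, username):
        """Issue a fresh random nonce as the session identifier.
        Knowing the nonce identifies the session; it proves nothing about
        who is sending it, which is exactly why it cannot authenticate."""
        nonce = secrets.token_hex(16)
        self._sessions[nonce] = username
        return nonce

    def identify(self, nonce):
        """Identification only: map a nonce to the user it was issued to."""
        return self._sessions.get(nonce)

    def handle_request(self, nonce, counter, proof):
        """Process one request; returns (status, username).

        Order of checks: unknown session -> replay -> authentication.
        The replay check uses nonce uniqueness per (nonce, counter) so a
        captured valid request cannot be submitted twice; the proof check
        is the authentication step and is entirely separate from the nonce."""
        username = self._sessions.get(nonce)
        if username is None:
            return ("unknown_session", None)
        if (nonce, counter) in self._seen_requests:
            return ("replay", username)
        expected = make_proof(self._user_secrets[username], nonce, counter)
        # constant-time comparison so a mismatch leaks no timing information
        if not hmac.compare_digest(expected, proof):
            return ("not_authenticated", username)
        self._seen_requests.add((nonce, counter))
        return ("ok", username)


def make_proof(secret, nonce, counter):
    """Client side: bind the shared secret to this nonce and request counter.
    Without the secret, possession of the nonce alone yields no valid proof."""
    message = f"{nonce}:{counter}".encode()
    return hmac.new(secret.encode(), message, hashlib.sha256).hexdigest()


def demo():
    """Walk through the cases the affidavit contrasts; returns a dict of outcomes."""
    user_secret = "alice-secret-constructed"   # constructed sample value
    server = SessionServer({"alice": user_secret})
    nonce = server.open_session("alice")
    results = {}
    # 1. The nonce identifies the session...
    results["identifies"] = server.identify(nonce)
    # 2. ...but presenting the nonce with no valid proof does not authenticate.
    results["nonce_only"] = server.handle_request(nonce, 1, "00" * 32)[0]
    # 3. A proof derived from the secret authenticates.
    proof = make_proof(user_secret, nonce, 1)
    results["authenticated"] = server.handle_request(nonce, 1, proof)[0]
    # 4. Re-sending the same request is caught by the nonce/counter check.
    results["replayed"] = server.handle_request(nonce, 1, proof)[0]
    # 5. A nonce the server never issued identifies nothing.
    results["unknown"] = server.handle_request("deadbeef", 1, proof)[0]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Running it prints one line per case; the "nonce_only" case is the one that matters for the affidavit's argument, since the server knows exactly which session the request belongs to and still refuses it for lack of an authenticator.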