U.S. Patent 8,577,813

UNITED STATES PATENT AND TRADEMARK OFFICE
____________

BEFORE THE PATENT TRIAL AND APPEAL BOARD
____________

UNIFIED PATENTS INC.
Petitioner

v.

UNIVERSAL SECURE REGISTRY, LLC
Patent Owner
____________

IPR2018-00067
Patent 8,577,813
____________

DECLARATION OF DR. ERIC COLE

IPR2018-00067
Unified EX1009 Page 1

I, Eric Cole, hereby declare the following:

I. BACKGROUND AND QUALIFICATIONS

1. My name is Eric Cole and I am over 21 years of age and otherwise competent to make this Declaration. I make this Declaration based on facts and matters within my own knowledge and on information provided to me by others, and, if called as a witness, I could and would competently testify to the matters set forth herein.

2. I have been retained as a technical expert witness in this matter by Counsel for Petitioner Unified Patents, Inc. (“Unified”) to provide my independent opinions on certain issues requested by Counsel for Petitioner relating to the accompanying petition for Inter Partes Review of U.S. Patent 8,577,813 (“the ’813 Patent”). My compensation in this matter is not based on the substance of my opinions or the outcome of this matter. I have no financial interest in Petitioner. I have been informed that Universal Secure Registry, LLC (“USR”) is the current assignee of the ’813 Patent according to U.S. Patent and Trademark Office records. I have no financial interest in USR, and I have no other interest in the outcome of this matter.

3. I have summarized in this section my educational background, career history, and other qualifications relevant to this matter. A current version of my curriculum vitae has been included as Exhibit 1010.

4. I received my master’s degree in Computer Science from the New York Institute of Technology in 1993, followed by my doctorate in Network Security from Pace University in 2003.

5. I began my career as a cyber security scientist more than twenty-five years ago as a technical director for the United States Central Intelligence Agency (CIA), where I worked on the design of several secure communication systems. Since then, I have held positions in the field of digital security, including in the design and development of secure systems for companies such as Grace International Consulting, Lockheed Martin, McAfee, Vista Information Technologies, and Teligent, Inc. I am a member of the European InfoSec Hall of Fame, a professional membership awarded by nomination and election by a panel of industry experts.

6. I am a Fellow and instructor with the SANS Institute, a research and education organization consisting of information security professionals. SANS is the leading organization in computer security training. I have developed and taught numerous courses and performed research with the SANS Institute. For example, I established “Security 401: SANS Security Essentials” for teaching students critical components of network security and “Security 501: Enterprise Defender” for teaching topics relating to cyber security, networking security and operating system security. I also was tasked with implementing a cyber security curriculum for a subsidiary of the SANS Institute, the SANS Technology Institute, an accredited graduate school focused exclusively on cyber security degree programs.

7. I am the founder of Secure Anchor Consulting, where I and my team provide cyber security and network consulting services and lead research and development initiatives to advance information systems security on behalf of financial institutions, Fortune 500 companies, international organizations, and the federal government.

8. I have authored and co-authored several books on secure networks and communications, including Hackers Beware: The Ultimate Guide to Network Security, Network Security Bible (2d Ed), and Wiley Pathways Network Security Fundamentals Project Manual. I have also written several courses that have in-depth coverage of networking concepts, implementation and design. Throughout my career I have designed, built and implemented many networks for both Fortune 500 companies and the federal government.

9. I have worked for the government as an employee and have held various contracting jobs with government agencies, which involved working with classified information. I have held various top-secret security clearances with Department of Defense (DOD), CIA, and Nuclear Regulatory Commission (NRC). I have worked for a wide range of government organizations including FBI, National Security Agency, CIA, Department of Energy, DOD, the Treasury, Secret Service and the NRC.

10. While serving as a Senior Officer for the Central Intelligence Agency as Program Manager / Technical Director for the Internet Program Team with Office of Technical Services, I implemented the Internet Program Team that designs, develops, tests, and deploys internet security products in 3 to 6 month intervals. In this role I received a letter of appreciation from the DCI (Director Central Intelligence) and six Exceptional Performance Awards.

11. As a member of the Information Security Assessment Team with the Office of Security, I also evaluated and performed security assessment of network operating systems which include network infrastructures to identify potential vulnerabilities and solutions. I also designed a large scale auditing system with automated review capability and worked on several virus investigations for the Office of Security.

12. Since 1999, I have been actively involved in working with financial institutions and credit card companies on designing, implementing and evaluating solutions for transactional security. This work has involved understanding and integrating both wireless solutions, authentication and encryption technologies. Throughout my career I have been actively involved in designing, securing and deploying wireless solutions for the transmission of sensitive information. This work also included the testing, verifying, implementing and designing of encryption solutions (including key management) and various forms of authentication (including PIN/passwords and biometrics).

13. As part of my work in connection with this proceeding, I have reviewed the following materials:

• U.S. Patent 8,577,813 (Ex. 1001);
• File History for U.S. Patent 8,577,813 (Ex. 1002);
• U.S. Patent 6,016,476 to Maes et al. (“Maes”) (Ex. 1003);
• U.S. Patent 5,870,723 to Pare et al. (“Pare”) (Ex. 1004);
• U.S. Pub. US 2004/0107170 A1 to Labrou et al. (“Labrou”) (Ex. 1005);
• WO 2001/024123 to Burger et al. (“Burger”) (Ex. 1006);
• U.S. Patent 7,865,448 to Pizarro (“Pizarro”) (Ex. 1007);
• U.S. Patent Application Publication 2002/0178364 (Ex. 1008);
• U.S. Patent 5,615,277 to Hoffman (1994) (Ex. 1011);
• Jin et al., Biohashing: two factor authentication featuring fingerprint data and tokenized random number, Pattern Recognition 37 (11), pp. 2245-2255 (2004) (Ex. 1012);
• U.S. Patent 8,751,801 to Harris et al. (2005) (Ex. 1013);
• U.S. Publication No. 2003/0219121 to van Someren (2002) (Ex. 1014);
• Bruce Schneier, Applied Cryptography, 2d Ed (1996) (Ex. 1015);
• American Bankers Association, Financial Institution Key Management (Wholesale), ANSI X9.17 (1995) (Ex. 1016);
• WO Publication No. 2001/06699 to Duane et al. (2001) (Ex. 1017);
• U.S. Patent 6,950,939 to Tobin (2001) (Ex. 1018).

II. LEGAL FRAMEWORK

A. Obviousness

14. I am a technical expert and do not offer any legal opinions. However, counsel has informed me as to certain legal principles regarding patentability and related matters under United States patent law, which I have applied in performing my analysis and arriving at my technical opinions in this matter.

15. I have been informed that a person cannot obtain a patent on an invention if the differences between the invention and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art. I have been informed that a conclusion of obviousness may be founded upon more than a single item of prior art. I have been further informed that obviousness is determined by evaluating the following factors: (1) the scope and content of the prior art, (2) the differences between the prior art and the claim at issue, (3) the level of ordinary skill in the pertinent art, and (4) secondary considerations of non-obviousness. In addition, the obviousness inquiry should not be done in hindsight. Instead, the obviousness inquiry should be done through the eyes of a PHOSITA at the time of the alleged invention.

16. In considering whether certain prior art renders a particular patent claim obvious, counsel has informed me that I can consider the scope and content of the prior art, including the fact that one of skill in the art would regularly look to the disclosures in patents, trade publications, journal articles, conference papers, industry standards, product literature and documentation, texts describing competitive technologies, requests for comment published by standard setting organizations, and materials from industry conferences, as examples. I have been informed that for a prior art reference to be proper for use in an obviousness analysis, the reference must be “analogous art” to the claimed invention. I have been informed that a reference is analogous art to the claimed invention if: (1) the reference is from the same field of endeavor as the claimed invention (even if it addresses a different problem); or (2) the reference is reasonably pertinent to the problem faced by the inventor (even if it is not in the same field of endeavor as the claimed invention). In order for a reference to be “reasonably pertinent” to the problem, it must logically have commended itself to an inventor's attention in considering his problem. In determining whether a reference is reasonably pertinent, one should consider the problem faced by the inventor, as reflected either explicitly or implicitly, in the specification. I believe that all of the references I considered in forming my opinions in this IPR are well within the range of references a PHOSITA would have consulted to address the type of problems described in the Challenged Claims.

17. I have been informed that, in order to establish that a claimed invention was obvious based on a combination of prior art elements, a clear articulation of the reason(s) why a claimed invention would have been obvious must be provided. Specifically, I am informed that, under the U.S. Supreme Court’s KSR decision, a combination of multiple items of prior art renders a patent claim obvious when there was an apparent reason for one of ordinary skill in the art, at the time of the invention, to combine the prior art, which can include, but is not limited to, any of the following rationales: (A) combining prior art methods according to known methods to yield predictable results; (B) substituting one known element for another to obtain predictable results; (C) using a known technique to improve a similar device in the same way; (D) applying a known technique to a known device ready for improvement to yield predictable results; (E) trying a finite number of identified, predictable potential solutions, with a reasonable expectation of success; (F) identifying that known work in one field of endeavor may prompt variations of it for use in either the same field or a different one based on design incentives or other market forces if the variations are predictable to one of ordinary skill in the art; or (G) identifying an explicit teaching, suggestion, or motivation in the prior art that would have led one of ordinary skill to modify the prior art reference or to combine the prior art references to arrive at the claimed invention.

18. I am informed that the existence of an explicit teaching, suggestion, or motivation to combine known elements of the prior art is a sufficient, but not a necessary, condition to a finding of obviousness. This so-called “teaching-suggestion-motivation” test is not the exclusive test and is not to be applied rigidly in an obviousness analysis. In determining whether the subject matter of a patent claim is obvious, neither the particular motivation nor the avowed purpose of the patentee controls. Instead, the important consideration is the objective reach of the claim. In other words, if the claim extends to what is obvious, then the claim is invalid. I am further informed that the obviousness analysis often necessitates consideration of the interrelated teachings of multiple patents, the effects of demands known to the technological community or present in the marketplace, and the background knowledge possessed by a person having ordinary skill in the art. All of these issues may be considered to determine whether there was an apparent reason to combine the known elements in the fashion claimed by the patent.

19. I also am informed that in conducting an obviousness analysis, a precise teaching directed to the specific subject matter of the challenged claim need not be sought out because it is appropriate to take account of the inferences and creative steps that a PHOSITA would employ. The prior art considered can be directed to any need or problem known in the field of endeavor at the time of invention and can provide a reason for combining the elements of the prior art in the manner claimed. In other words, the prior art need not be directed towards solving the same specific problem as the problem addressed by the patent. Further, the individual prior art references themselves need not all be directed towards solving the same problem. I am informed that, under the KSR obviousness standard, common sense is important and should be considered. Common sense teaches that familiar items may have obvious uses beyond their primary purposes.

20. I also am informed that the fact that a particular combination of prior art elements was “obvious to try” may indicate that the combination was obvious even if no one attempted the combination. If the combination was obvious to try (regardless of whether it was actually tried) or leads to anticipated success, then it is likely the result of ordinary skill and common sense rather than innovation. I am further informed that in many fields it may be that there is little discussion of obvious techniques or combinations, and it often may be the case that market demand, rather than scientific literature or knowledge, will drive the design of an invention. I am informed that an invention that is a combination of prior art must do more than yield predictable results to be non-obvious.

21. I am informed that for a patent claim to be obvious, the claim must be obvious to a PHOSITA at the time of the alleged invention. I am informed that the factors to consider in determining the level of ordinary skill in the art include (1) the educational level and experience of people working in the field at the time the invention was made, (2) the types of problems faced in the art and the solutions found to those problems, and (3) the sophistication of the technology in the field.

22. I am informed that it is improper to combine references where the references teach away from their combination. I am informed that a reference may be said to teach away when a PHOSITA, upon reading the reference, would be discouraged from following the path set out in the reference, or would be led in a direction divergent from the path that was taken by the patent applicant. In general, a reference will teach away if it suggests that the line of development flowing from the reference’s disclosure is unlikely to be productive of the result sought by the patentee. I am informed that a reference teaches away, for example, if (1) the combination would produce a seemingly inoperative device, or (2) the references leave the impression that the product would not have the property sought by the patentee. I also am informed, however, that a reference does not teach away if it merely expresses a general preference for an alternative invention but does not criticize, discredit, or otherwise discourage investigation into the invention claimed.

23. I am informed that even if a prima facie case of obviousness is established, the final determination of obviousness must also consider “secondary considerations” if presented. In most instances, the patentee raises these secondary considerations of non-obviousness. In that context, the patentee argues an invention would not have been obvious in view of these considerations, which include: (a) commercial success of a product due to the merits of the claimed invention; (b) a long-felt, but unsatisfied need for the invention; (c) failure of others to find the solution provided by the claimed invention; (d) deliberate copying of the invention by others; (e) unexpected results achieved by the invention; (f) praise of the invention by others skilled in the art; (g) lack of independent simultaneous invention within a comparatively short space of time; (h) teaching away from the invention in the prior art.

24. I am further informed that secondary-considerations evidence is only relevant if the offering party establishes a connection, or nexus, between the evidence and the claimed invention. The nexus cannot be based on prior art features. The establishment of a nexus is a question of fact. While I understand that the Patent Owner here has not offered any secondary considerations at this time, I will supplement my opinions in the event that the Patent Owner raises secondary considerations during the course of this proceeding.

B. Claim Construction

25. I have been informed by counsel and understand that the first step in an unpatentability analysis involves construing the claims, as necessary, to determine their scope. Second, the construed claim language is then compared to the disclosures of the prior art. In proceedings before the United States Patent and Trademark Office, I have been informed that the claims of an unexpired patent are to be given their broadest reasonable interpretation in light of the specification from the perspective of a person of ordinary skill in the art at the time of the invention. And I have been informed that the ’813 Patent is unexpired. For purposes of this proceeding, I have applied the claim constructions set forth in the claim construction section of the IPR Petition that this declaration accompanies when analyzing the prior art and the claims. See Petition at Section III.D. For those terms that have not expressly been construed, I have applied the meaning of the claim terms of the ’813 Patent that is generally consistent with the terms’ ordinary and customary meaning, as a person of ordinary skill in the art would have understood them at the time of the invention.

III. OPINION

A. Level of Skill of a Person Having Ordinary Skill in the Art

26. I was asked to provide my opinion as to the level of skill of a person having ordinary skill in the art (“PHOSITA”) of the ’813 Patent at the time of the claimed invention, which counsel has informed me to assume is February 21, 2006. In determining the characteristics of a hypothetical person of ordinary skill in the art of the ’813 Patent at the time of the claimed invention, I was told to consider several factors, including the type of problems encountered in the art, the solutions to those problems, the rapidity with which innovations are made in the field, the sophistication of the technology, and the education level of active workers in the field. I also placed myself back in the time frame of the claimed invention, and considered the colleagues with whom I had worked at that time.

27. In my opinion, a person having ordinary skill in the art of the ’813 Patent at the time of its filing would have been a person having the equivalent of a bachelor’s degree in computer science, electrical engineering, computer engineering, or a similar discipline, and at least two years of experience working with technology related secure transaction systems, or an equivalent amount of similar work experience or education, with additional education substituting for experience and additional experience substituting for education. Such a person of ordinary skill in the art would have been capable of understanding the ’813 patent and the prior art references discussed herein.

28. Based on my education, training, and professional experience in the field of the claimed invention, I am familiar with the level and abilities of a person of ordinary skill in the art at the time of the claimed invention. Additionally, I met at least these minimum qualifications to be a person having ordinary skill in the art as of the time of the claimed invention of the ’813 Patent.

B. Background of the Technology

29. I was asked to briefly summarize the background of the prior art from the standpoint of a PHOSITA prior to February 21, 2006, which counsel has told me to assume is the date of the alleged invention of the ’813 Patent.

30. The ’813 Patent states that it is generally related to “systems, methods, and apparatus[es] for authenticating identity or verifying the identity of individuals and other entities seeking access to certain privileges and for selectively granting privileges and providing other services in response to such identifications/verifications.” Id. at 1:37-42. In addition, the ’813 Patent relates to transmitting information to/from a user device, particularly “contactless information transmission.” Id. at 1:42-46.

31. The ’813 Patent describes that methods for transitioning from a magnetic form of communication to a wireless form of communication for user authentication were desired in the art. Id. at 3:34-36. As the ’813 Patent acknowledges, the field of secure systems had been shifting from transmissions via a magnetic card reader to wirelessly transmitting transactional information. See Ex. 1001, ’813 Patent at 3:3-12 (“[U]ser devices that may transmit information optically or via radio frequency (“RF”) signal transmission to a compatible system interface are now available”); 3:28-34 (“RF devices that transmit information wirelessly are expected to become much more prevalent …”). Indeed, each of the references cited in the Petition teaches using some form of wireless communication to perform a transaction.

32. Also, as acknowledged by the ’813 Patent, the field of security devices had, by the time of the ’813 Patent, seen improvements in the sophistication of authentication schemes by including advanced verification functionality, such as biometric sensors. See id. at 2:59-3:2. However, the concept of using biometrics for authenticating users of transaction devices was well known over a decade prior to the ’813 Patent.[1]

Authenticating an Individual’s Identity

33. In general, there are, and were at the time of the ’813 Patent, three known ways to authenticate the identity of an individual: (1) by information the individual knows (e.g., a password or PIN), (2) by information the individual has (e.g., a token, smart card), and (3) by information representing who the individual is (e.g., biometrics, such as a fingerprint or voice sample).[2]

34. Systems employing two or more methods or levels of authentication (i.e., multi-factor authentication) represent a security improvement over a system that only employs one method because each method could reconcile the deficiencies of the others.[3] For example, passwords or PINs could be overheard, tokens or smart cards could be lost or stolen, and biometric information is irreplaceable and poses serious privacy risks if compromised by an attacker.[4] Logically, multi-factor authentication was known to be more secure because it requires a would-be attacker/thief to successfully overcome multiple types of authentication.

[1] See, e.g., Ex. 1011, U.S. Patent 5,615,277 to Hoffman (1994) at 3:1-35 (describing systems and methods in the art for using biometric samples, such as voice or fingerprint systems, to a tokenless security system applicable to “transaction of financial and other services”).
[2] See, e.g., Ex. 1012, Jin et al., Biohashing: two factor authentication featuring fingerprint data and tokenized random number, Pattern Recognition 37 (11), pp. 2245-2255 (2004), at Abstract, 2246; see also, e.g., Ex. 1013, U.S. Patent 8,751,801 to Harris et al. (2005) at 1:28-64 (describing the three methods of user authentication in e-commerce, opining that “wider adoption of two-factor authentication is desirable.”).
[3] See Footnote 2.
[4] See Ex. 1012, Jin, at 2245-46, 54.

35. Often, for biometric systems, a number derived from the biometric input, and not a record copying the biometric input itself, is stored within an authentication device as a function of a tokenized random number.[5] Such a method of generating authentication information (i.e., in encrypted form) is one way to reinforce the security of the biometric input because, without the random or pseudo-random token, an attacker cannot access the secure data.

Encrypting Data

36. The claims of the ’813 Patent require that a user device generates “encrypted authentication information” using a non-predictable value. The concept of using a “non-predictable value,” such as a random number or pseudo-random number, to encrypt data, including financial data, was known decades prior to the earliest priority date of the ’813 Patent.[6] For example, one of the references cited in the Petition, Pare, refers to ANSI X9.17, which is a standard specifically related to encryption key management for financial institutions. The ANSI standard explains that a random number may be a function of a secret 64-bit seed and a date/time vector.[7]

37. The process of encrypting data generally calls for the execution of a mathematical operation, such as a cryptographic algorithm, a hash function, or other mathematical algorithm for generating and applying a cryptographic key.[8] The mathematical theories regarding specifically how data may be encrypted are complicated, but the mere fact that mathematical operations may be used in encrypting data has been well known for decades.

38. The data that becomes encrypted is often an important consideration for a developer of a secure system, but one general, common sense rule is that information that a user would not want others knowing (e.g., financial account information, a secret PIN, biometric characteristics, personal information, etc.) should be encrypted. Further, it was known such data can be encrypted both for the purposes of being stored in an encrypted form and also for purposes of being transmitted in encrypted form. The practice of encrypting authentication information, such as PINs and biometric information, in the context of wireless transactions was known and recognized, including by the time it was known that wireless transactions would become more and more common.[9]

[5] See id., generally and at 2249, 53; see also Ex. 1014, U.S. Publication No. 2003/0219121 to van Someren (2002), generally and at Abstract (teaching a method and apparatus that combines a random number with biometric information to generate a cryptographic key and secure information on a device).
[6] See Ex. 1015, Bruce Schneier, Applied Cryptography, 2d Ed (1996) at 372, 374 (explaining the background of the Data Encryption Standard); see also Ex. 1016, American Bankers Association, Financial Institution Key Management (Wholesale), ANSI X9.17 (1995) at 25 (“Keys and initialization vectors (IVs) shall be generated so that keys and IVs are random or pseudorandom”).
[7] Ex. 1016, ANSI X9.17 at 151.
[8] Ex. 1015, Schneier at 22, 56 (describing one-way hash functions), 89.

The Universal Secure Registry

39. I have been informed by Counsel that the term “secure registry” used in the claims of the ’813 Patent should be construed to include “one or more systems maintaining one or more secure databases for storing account information for a plurality of users and that perform the function of validating authentication information of users.” See Petition at Sec. III.D. The concept of a secure registry, including a universal secure registry, was known years prior to the ’813 Patent.[10] For example, a major part of the business model of financial institutions and credit card companies has long been to maintain databases storing account information for users and validated authentication information to be used for authenticating users for completing transactions. The named inventor of the ’813 Patent, Mr. Weiss, had already disclosed the concept for a secure registry years prior to 2006.[11]

[9] See, e.g., Ex. 1017, WO Publication No. 2001/06699 to Duane et al. (2001) at 15:31-16:7 (“The encrypted sensitive information stored in a personal security device may include … a personal identification number (“PIN”) … biometric information …”).
[10] Ex. 1008, U.S. Patent Application Publication 2002/0178364 to Weiss.
[11] See id.

40. The specific sequence of how information may be communicated to a secure registry may be done in many different ways, each of which would have yielded predictable results from the standpoint of a PHOSITA by 2006. For example, it was known that a wireless device could communicate directly with a registry to authorize a transaction on its own, or it could communicate via a point-of-sale device, as traditional credit cards have and do.[12] Whether the device communicates directly or indirectly with a registry would depend on various design considerations and objectives of the PHOSITA, including whether the device possessed
`appropria