`U.S. Patent 8,577,813
`
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`
`____________
`
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
` ____________
`
`
`UNIFIED PATENTS INC.
`Petitioner
`
`v.
`
`UNIVERSAL SECURE REGISTRY LLC
`Patent Owner
`
`____________
`
`
`IPR2018-00067
`Patent 8,577,813
`
` ____________
`
`
`
`
`
` PETITIONER’S RESPONSE IN OPPOSITION TO PATENT OWNER’S
`CONTINGENT MOTION TO AMEND
`
`
`
`
`
`IPR2018-00067
`U.S. Patent No. 8,577,813
`
`TABLE OF CONTENTS
`
`
`
`I.
`II.
`
`INTRODUCTION ....................................................................................... 1
`ARGUMENT ............................................................................................... 2
`A.
`Petition............................................................................................... 2
`1.
`Combination of Maes and Labrou ............................................ 2
`B.
`Not Previously Before the Board ....................................................... 9
`1.
`Combination of Maes, Labrou, and Gullman ......................... 10
`2.
`Combination of Maes, Labrou, and Jakobsson ....................... 13
`3.
`Maes, Labrou, and Weiss ....................................................... 16
`4.
`and Weiss, in further view of either Gullman or Jakobsson .... 18
`5.
`in further view of Burger ....................................................... 19
`6.
`view of Burger ....................................................................... 20
`The Proposed Claims are Unpatentable Under 35 U.S.C. § 101 ....... 20
`C.
`The Proposed Claims are Directed to an Abstract Idea ........... 21
`1.
`2.
`The Proposed Claims Lack an Inventive Concept .................. 23
`III. CONCLUSION.......................................................................................... 25
`
`The Proposed Amendments are Obvious over Prior Art Cited in the
`
`Proposed Claims 27-31, 37-44, and 46-52 are Obvious Over the
`
`The Proposed Amendments are Obvious over Additional Prior Art
`
`Claims 27-31, 37-41, and 50-52 are Obvious over the
`
`Claims 27-31, 37-41, and 50-52 are Obvious over the
`
`Claims 42-43 and 46-49 are Obvious over the Combination of
`
`Claim 45 is Obvious over the Combination of Maes, Labrou,
`
`Claims 32-36 are Obvious over i) Maes, Labrou, and Gullman,
`in further view of Burger and ii) Maes, Labrou, and Jakobsson,
`
`Claim 44 is Obvious over Maes, Labrou, and Weiss, in further
`
`
`
`
` i
`
`
`
`IPR2018-00067
`U.S. Patent No. 8,577,813
`
`
`INTRODUCTION
`
`The proposed claim amendments are obvious. They add two concepts:
`
`I.
`
`(1) taking seed information from sources of data known in the art for
`
`use in generating a non-predictable value, and
`
`(2) using known mathematical operations (i.e., encryption and
`
`decryption) employing a PIN for performing the known process of
`
`reversibly rendering data stored on a device unintelligible.
`
`As demonstrated below, each of these concepts was already well-known to a
`
`PHOSITA—hence, even if amended, the claims would remain obvious over prior
`
`art set forth in the Petition, as well as additional prior art introduced below.
`
`In addition, the proposal results in claiming ineligible subject matter under §
`
`101. The proposed claims recite performing abstract ideas related to account-
`
`verification using existing computer systems using well-known, generic encryption
`
`methods, as the Patent Office has found on substantially similar claims in related
`
`prosecution.
`
`Therefore, Petitioner respectfully requests that the Board deny PO’s
`
`contingent motion to amend.
`
`
`
`
`
`
`
`
`
`1
`
`
`
`IPR2018-00067
`U.S. Patent No. 8,577,813
`
`
`A.
`
`II. ARGUMENT
`
`The Proposed Amendments are Obvious over Prior Art Cited in the
`Petition
`
`1.
`
`Proposed Claims 27-31, 37-44, and 46-52 are Obvious Over the
`Combination of Maes and Labrou
`
`
`
`The proposed claims are obvious over Maes and Labrou, a combination set
`
`forth in the Petition. PO has introduced one new limitation (largely borrowed from
`
`prior dependent claims) into each of the proposed independent claims:
`
`• Proposed Claims 27 and 50 (previously independent Claims 1 and 24) add
`
`language that is similar to the seed limitations in original dependent Claim 10;
`
`• Proposed Claim 42 (previously independent Claim 16) adds language similar
`
`to the mathematical operation language in original dependent Claim 9.
`
`i.
`
`Proposed Claims 27 and 50
`
`Claims 27 and 50 introduce a new limitation (contained in limitations 27[e]
`
`and 50[d]) that requires generating a seed using at least two of an electronic serial
`
`number, a discrete code associated with the electronic ID device, a PIN, a time value,
`
`and the biometric input, wherein the seed is used to generate the non-predictable
`
`value. As discussed in the Petition, the combination of Maes and Labrou renders
`
`obvious the original limitations of claims 27 and 50. See Petition (Paper 12) at 9-
`
`27, 38-40; see also Decision (Paper 14) at 12-13. And Labrou teaches and renders
`
`obvious the additional limitation proposed by PO.
`
`
`
`2
`
`
`
`IPR2018-00067
`U.S. Patent No. 8,577,813
`
`As set forth in the Petition, Labrou’s “random sequence number (RSN)”
`
`satisfies the claimed “non-predictable value” used in generating the encrypted
`
`authentication information (“EAI”). Paper 12 at 20-21. Further, Labrou teaches
`
`generating a seed, S’ (i.e., the claimed “seed”), which is employed to generate the
`
`RSN. Specifically, Labrou teaches a pseudorandom number generator function R is
`
`used in generating the RSN; in a process that uses the function R iteratively, both a
`
`time value (T0 or T0’) and an original seed, S, can be used to a generate a new seed,
`
`S’, to be used in generating the RSN (i.e., non-predictable value). Labrou (EX1005)
`
`at [0535]-[0536]; see also Cole MTA Decl. (EX1022), at ¶¶18-20. The original seed
`
`S is at least “a discrete code associated with the user’s device” because each device
`
`has its own S, which is determined from the UPTD’s device ID (DID):
`
`Each AP device has its own R and S, which are securely stored on the
`device and at the AVP [Agreement Verification Party]. On the AVP,
`given the DID of an AP device by which a RSN is generated, a program
`can deterministically locate the same pseudorandom number generator
`function R and the corresponding pseudorandom number generation
`seed S for that device from the User and Device Database ….
`Labrou (EX1005) at [0226]1; see also id. at [0517], Figure 43 (Secure Transaction
`
`Server storing “Random Seed” “[f]or each Device ID”). Further, the Device ID used
`
`
`1 Unless otherwise indicated, all emphasis has been added by Petitioner.
`
`
`
`3
`
`
`
`IPR2018-00067
`U.S. Patent No. 8,577,813
`
`to determine the seed S would be understood to be a form of an “electronic serial
`
`number.” Cole MTA Decl. (EX1022), at ¶19. Labrou, therefore, teaches
`
`“generat[ing] a seed” (Labrou’s new seed S’) “using at least two of an electronic
`
`serial number” (Labrou’s Device ID), “a discrete code associated with the electronic
`
`ID device” (Labrou’s original seed S which is determined from the Device ID), and
`
`“. . . a time value” (Labrou’s T0 or T0’). Id. at ¶¶18-20. Labrou, therefore, satisfies
`
`the new limitation added to Proposed Claims 27 and 50.
`
`
`
`A PHOSITA would have been motivated to combine Labrou’s teachings
`
`regarding generating a seed that is used to generate the non-predictable value with
`
`the system of Maes. Cole MTA Decl. (EX1022), at ¶¶22. Pseudorandom number
`
`generator functions, as taught by Labrou, were commonly used for encryption by
`
`2006. See id. at ¶¶7-8, 22. Such functions necessarily required a seed input to
`
`generate a non-predictable value because computers are finite machines that require
`
`a starting value from which to compute. Id. Further, it was well known to include a
`
`dynamic value, such as the time value taught in Labrou, as part of the input for
`
`generating a seed (instead of just a fixed value, such as a PIN, password, or device
`
`secret) to create entropy for the non-predictable value, thus enhancing its non-
`
`predictability and the security of the encryption based thereon. Id. Thus, combining
`
`Labrou’s teachings for generating a seed and generating a non-predictable value
`
`therefrom would have used well-known methods to provide the same well-known
`
`
`
`4
`
`
`
`IPR2018-00067
`U.S. Patent No. 8,577,813
`
`benefits in enhancing encryption. Id. A PHOSITA would have been motivated to
`
`use Labrou’s specific teachings regarding enhancing the entropy of a non-
`
`predictable value used in encryption to further enhance transaction security, which
`
`was a desired goal of both Maes and Labrou. Cole MTA Decl. (EX1022), at ¶22.
`
`
`
`A PHOSITA would have had a reasonable expectation of success
`
`incorporating Labrou’s teachings into Maes. Both systems teach using wireless
`
`devices in secure transactions, and Maes teaches that its device may “employ any
`
`known encryption technique or algorithm” and transmit encrypted data. Maes
`
`(EX1003) at 10:7-15, 13:34-38. Labrou provides specific means of encrypting data
`
`using a wireless device, such as a PDA. Labrou (EX1005) at [0156]. Incorporating
`
`Labrou’s specific encryption teachings into Maes would have involved applying
`
`known encryption techniques to similar prior art and yielded the predictable,
`
`desirable result of enhancing transaction security by improving the encryption used.
`
`See Cole MTA Decl. (EX1022) at ¶22; see also KSR v. Teleflex, 550 U.S. 398, 401
`
`(2007) (“[I]f a technique has been used to improve one device, and a [PHOSITA]
`
`would recognize that it would improve similar devices in the same way, using the
`
`technique is obvious …”). Therefore, Proposed Claims 27 and 50 are obvious over
`
`the combination of Maes and Labrou.
`
`ii.
`
`Proposed Claim 42
`
`
`
`
`
`Proposed Claim 42 replaces Claim 16, which, as discussed in the Petition, was
`
`5
`
`
`
`IPR2018-00067
`U.S. Patent No. 8,577,813
`
`obvious over the combination of Maes and Labrou. Paper 12 at 33-35. Claim 42
`
`additionally requires that “data stored in the electronic ID device is subject to a
`
`mathematical operation employing the secret information that acts to modify the data
`
`such that it is unintelligible until the electronic ID device is activated, and the
`
`electronic ID device uses the secret information to reverse the mathematical
`
`operation and render the data legible.” This amended language is similar to original
`
`dependent Claim 9 (for which PO did not make specific validity arguments in its
`
`POPR or Response), except it adds that the mathematical operation uses the secret
`
`information (e.g., PIN). The ’813 Patent provides an XOR operation that uses a
`
`user’s PIN as one embodiment of the claimed mathematical operation. ’813 Patent
`
`(EX1001) at 45:18-47. Essentially, Proposed Claim 42 requires that the device
`
`encrypts “data” (i.e., any data) stored on the device until a PIN is provided, and the
`
`PIN is then used to decrypt such data.
`
`
`
`Maes teaches that “[t]he CPU 12 [of the PDA device] further includes an
`
`encrypter/decrypter module 24 for encrypting the personal and financial information
`
`before being stored in memory 14 and for decrypting such information when
`
`accessed by the user.” Maes (EX1003) at 5:14-17, 7:51-56. And local verification,
`
`using, for example, a combination of a biometric input and PIN input, must be
`
`performed before encrypted data is retrieved from memory and decrypted for use in
`
`a transaction (i.e., before the unintelligible data is rendered legible using a
`
`
`
`6
`
`
`
`IPR2018-00067
`U.S. Patent No. 8,577,813
`
`mathematical operation). See id. at 3:59-64, 11:27-32; see also Figs. 1 & 5. Maes
`
`expressly teaches use of “any known encryption technique or algorithm” such as
`
`those described in the well-known text by Bruce Schneier, Applied Cryptography.
`
`Id. at 10:11-14. It would have been obvious to a PHOSITA, based on Maes alone in
`
`view of a PHOSITA’s knowledge and ordinary skill, to perform Maes’ encryption
`
`using a basic XOR (“exclusive-OR”) operation with a secret string, such as a
`
`keyword or password, as one of the simplest, most computationally inexpensive
`
`means to reversibly render data on a device unintelligible. Cole MTA Decl.
`
`(EX1022) at ¶¶9-10, 12 (citing, inter alia, Schneier EX1015).
`
`
`
`Further, Labrou expressly teaches that its PIE (which Labrou teaches may
`
`include a PIN) may be used in an XOR operation for performing encryption to
`
`reversibly render the RSN unintelligible. Labrou (EX1005) at [0537]-[0538]
`
`(describing performing an XOR operation on the PIE and RSN). Simple XOR
`
`encryption operations that use a string (such as a PIN) as a key to encrypt and decrypt
`
`have long been a well-known encryption technique that provided a benefit of being
`
`computationally inexpensive. Cole MTA Decl. (EX1022) at ¶¶10, 23. Given that
`
`Maes already teaches use of a PIN prior to decrypting data and that its system may
`
`“employ any known encryption technique or algorithm,” a PHOSITA would have
`
`been motivated to use Labrou’s teaching of an XOR function that employs a PIE
`
`(which Labrou teaches may be a PIN), in the encryption and decryption performed
`
`
`
`7
`
`
`
`IPR2018-00067
`U.S. Patent No. 8,577,813
`
`by Maes. Id. This would have been the use of a well-known encryption technique
`
`to provide a well-known benefit of providing a computationally inexpensive way to
`
`enhance the encryption and decryption described in Maes. Id. Because application
`
`of this well-known technique would use a PIN value already used by Maes and Maes
`
`already teaches encrypting and decrypting data stored on the device, it would have
`
`required minor modifications to software and would have yielded predictable results
`
`with a reasonable expectation of success. Id. Proposed Claim 42, therefore, is
`
`obvious over the combination of Maes and Labrou.
`
`iii. Proposed Claims 28-41, 43, 46-49, and 51-52
`
`Claims 28-41, 43-49, and 51-52 depend from Claims 27, 42 or 50 and are not
`
`substantively different from their original counterparts, which recite limitations that
`
`Petitioner has shown are obvious over Maes and Labrou. See Paper 12 at 27-40. In
`
`its Response, PO has argued that certain dependent claims are not met by the prior
`
`art relied upon in the Petition. See Paper 27 at 35-38 (claim 2 – now claim 28), 48-
`
`51 (claims 12 and 21 – now claims 38 and 47). Petitioner will address PO’s
`
`arguments with respect to these dependent claim limitations in its forthcoming Reply
`
`to PO’s Response.
`
`2.
`
`
`
`
`
`
`Proposed Claims 32-36 and 44 are Obvious Over the
`Combination of Maes, Labrou, and Burger
`
`
`Claim 32 depends from Claim 27, which is obvious over Maes and Labrou,
`
`8
`
`
`
`IPR2018-00067
`U.S. Patent No. 8,577,813
`
`as set forth above. See supra Sec. A.1.i. Claim 32 corresponds to original Claim 6,
`
`and recites a limitation which is taught by Burger, as set forth in the Petition. Paper
`
`12, at 41-42. Paper 12 at 41-42, 46-47. Claims 33-36 (corresponding to original
`
`Claims 7-10) depend from Claim 32 and recite limitations that are taught by Maes
`
`or Labrou, as also set forth in the Petition. Id. at 42-46. For the reasons discussed in
`
`the Petition, it would have been obvious to incorporate Burger’s teachings related to
`
`Proposed Claim 32 to modify the system of Maes. Therefore, Claims 32-36 are
`
`obvious over Maes, Labrou, and Burger.
`
`
`
`Similarly, Claim 44 depends from Claim 42, which is obvious over Maes and,
`
`Labrou, as set forth above. See supra Sec. A.1.ii. Claim 44 corresponds to original
`
`Claim 18 and recites a limitation which is taught by Burger, as set forth in the
`
`Petition. Paper 12, at 46-47. For the reasons discussed in the Petition, it would have
`
`been obvious to incorporate such teachings of Burger into the system of Maes. Id.
`
`Therefore, Claim 44 is obvious over Maes, Labrou, and Burger.
`
`B.
`
`The Proposed Amendments are Obvious over Additional Prior Art
`Not Previously Before the Board
`
`In addition to the prior art cited in the Petition, this Response to the Motion to
`
`
`
`Amend introduces three new references: U.S. Pat. 5,280,527 to Gullman et al.
`
`(“Gullman”) (EX1023), U.S. Pat. App. Pub. 2004/0172535 to Jakobsson et al.
`
`(EX1024), and U.S. Pat. 5,479,512 to Weiss (“Weiss”) (EX1025). All three of these
`
`
`
`9
`
`
`
`IPR2018-00067
`U.S. Patent No. 8,577,813
`
`references were published over a year before the earliest possible priority date of the
`
`’813 Patent and, therefore, are prior art under at least 35 U.S.C. § 102(b).
`
`
`
`Further, all three references are analogous art to the ’813 Patent. See Cole
`
`MTA Decl. (EX1022) at ¶¶25, 30, 36. All three references are in the field of endeavor
`
`of the ’813 Patent because they relate to systems and methods for authenticating
`
`identity or verifying the identity of individuals seeking access to services. See ’813
`
`Patent (EX1001) at 1:37-42; compare with Gullman (EX1023) at 1:5-13, 2:29-36;
`
`Jakobsson (EX1024) at [0002], [0039]; Weiss (EX1025) at 2:65-3:7 (system relates
`
`to encryption system and method for authorizing a user). Each of the references is
`
`also reasonably pertinent to at least one problem with which the inventor of the ’813
`
`Patent was concerned. For example, Gullman and Jakobsson each teach providing
`
`improved security measures to prevent theft of user information or money by using
`
`biometrics. See, e.g., Gullman (EX1023) at 1:14-27; Jakobsson (EX1024) at [0008];
`
`see also ’813 Patent (EX1001) at 1:64-67. Similarly, Weiss relates to using
`
`encryption to solve problems related to the unauthorized access of either transmitted
`
`or stored data. See Weiss (EX1025) at 1:58-2:6; see also ’813 Patent at 45:18-54.
`
`1.
`
`Claims 27-31, 37-41, and 50-52 are Obvious over the
`Combination of Maes, Labrou, and Gullman
`
`
`
`
`
`As discussed above, the combination of Maes and Labrou renders Proposed
`
`Claims 27 and 50, and related dependent claims, obvious. However, in addition, the
`
`
`
`10
`
`
`
`IPR2018-00067
`U.S. Patent No. 8,577,813
`
`combination of Maes, Labrou, and Gullman also renders obvious the added “seed”
`
`limitations of independent Claims 27 and 50. Specifically, Gullman teaches methods
`
`for using a biometric measurement as part of the “seed” for generating a non-
`
`predictable security token (i.e., “non-predictable value”). See Gullman (EX1023) at
`
`2:20-26; see also id. at 1:32-34 (describing security token as a “non-predictable
`
`code.”). In addition to the biometric input (i.e., “biometric input” / “information
`
`associated with at least a portion of the biometric input”), other parts of this seed
`
`include a fixed code (i.e., “PIN” or “electronic serial number”) and a time-varying
`
`code, such as the time of day (i.e., “time value”), which are combined in a
`
`“verification algorithm” to generate the token:
`
`Upon entry of the cardholder's biometric information, the processor
`executes the verification algorithm. The verification algorithm uses the
`template data, the biometric input, a fixed code (i.e., PIN, embedded
`serial number, account number) and time-varying self-generated
`information to derive a token output.
`
`Id. at 2:53-59; see also id. at 4:3-8 (explaining that the relevant data is “combined”
`
`to generate the token).
`
`A PHOSITA would have been motivated to incorporate Gullman’s teachings
`
`regarding the combination of different values to create a seed for a non-predictable
`
`value into the system of Maes, as modified by Labrou. All three references relate to
`
`devices for providing verification of an identity of a user, and Gullman teaches a
`
`
`
`11
`
`
`
`IPR2018-00067
`U.S. Patent No. 8,577,813
`
`known technique for generating a seed using multiple known sources (e.g., time,
`
`serial number, biometric, and/or PIN) that was known in the art by 2006, and a
`
`PHOSITA would have been motivated to incorporate such teachings into similar
`
`prior art systems, such as Maes or Labrou, to achieve the known benefit of enhancing
`
`the strength of the non-predictable security token (and thus enhancing security) from
`
`combining multiple different values, including time and other values unavailable to
`
`outsiders, such as a PIN, an electronic serial number, and/or biometric information)
`
`as the seed. Cole MTA Decl. (EX1022) at ¶27.
`
`Further, incorporating this seed for use in the RSN generator of Labrou, for
`
`example, would have required only minor modifications in software and yielded
`
`predictable results regarding the type of information used for generating a seed,
`
`because Maes already teaches use of a biometric and PIN, as well as encryption, and
`
`Labrou already contemplates using both time and other data to generate a seed for
`
`generating a non-predictable value to be used in encrypting data. Id. Therefore, the
`
`incorporation of Gullman’s teachings regarding how to generate a non-predictable
`
`value from available sources of information into similar prior art systems would have
`
`had a reasonable expectation of success. Id. And this seed would not have made the
`
`PIE used in the EAI of Labrou redundant. For example, if the seed for the RSN
`
`consisted of the biometric, a serial number, and a time value, then the PIE used
`
`would be derived from the PIN, and no redundant information would inserted into
`
`
`
`12
`
`
`
`IPR2018-00067
`U.S. Patent No. 8,577,813
`
`the hash function used to generate EAI in Labrou. Cole MTA Decl. (EX1022) at ¶28.
`
`Therefore, Claims 27-31, 37-41, and 50-52 are obvious over the combination of
`
`Maes, Labrou, and Gullman.
`
`2.
`
`Claims 27-31, 37-41, and 50-52 are Obvious over the
`Combination of Maes, Labrou, and Jakobsson
`
`
`Jakobsson relates to a remote user verification system that uses one or more
`
`
`
`cryptographic combination functions to generate a non-predictable value that
`
`Jakobsson terms an “authentication code.” See Jakobsson at Abstract, [0013]; see also
`
`id. at [0049]; [0043], [0059]-[0060]. The combination function(s) use various inputs to
`
`generate the authentication code; for example, Jakobsson describes combining inputs
`
`from (1) a “dynamic value (e.g. a time value)” that changes over time (i.e., time value),
`
`(2) a device secret (e.g., a discrete code associated with the device), (3) an event state
`
`of a device, and (4) user data, such as a PIN and/or biometric data. See Jakobsson
`
`(EX1022) at Fig. 2; see also id. at [0013], [0017], [0043], [0049], [0060] (generally
`
`describing the invention); [0072], [0074] (the user data P may consist of a PIN,
`
`biometric information, or both); [0065] (the device secret K is a numerical value
`
`“uniquely associated with the device”); see also id. at [0066] (explaining that the
`
`time value is “uniquely associated with a particular predetermined time interval”),
`
`[0067]-[0069] (providing examples for T, such as the number of seconds since 12:00
`
`p.m. on Dec. 15, 1999).
`
`
`
`13
`
`
`
`IPR2018-00067
`U.S. Patent No. 8,577,813
`
`In one embodiment, a first combination function combines a time value T and
`
`
`
`a device secret K to generate an initial authentication code (i.e., a “seed”), and then
`
`this initial authentication code is further combined with user data P and an event
`
`state E, to generate a second authentication code (i.e., a non-predictable value). See
`
`Jakobsson at [0073]; see also id. at [0074]. Jakobsson teaches that such iterations of
`
`such combination functions could be based on any arrangement of the data used:
`
`[T]he combination function 230 combines a secret (K), a dynamic value
`(T), event state (E), user data (P), verifier identifier (V), and a generation
`value (N) to generate an authentication code 293. The combination
`function can combine these values (K, T, E, P. V. N) in various ways and
`in any order. Before being combined by the combination function 230,
`these values can be processed by one or more other functions.
`
`Id. at [0077]. Based on this teaching, a PHOSITA would recognize that, in addition to
`
`the examples provided in Paragraph [0073], other possible orders could exist. See Cole
`
`MTA Decl. (EX1022) at ¶¶31-33. For example, a PHOSITA would recognize from
`
`Jakobsson’s teachings that the system may first combine the user data, including both
`
`a biometric P, device secret K, and time value T as part of a first combination function
`
`to generate a non-predictable authentication code, and then using this authentication
`
`code as a seed in a second combination function that combines it with, for example, an
`
`event state E to generate a non-predictable authentication code. See id.
`
`
`
`14
`
`
`
`IPR2018-00067
`U.S. Patent No. 8,577,813
`
`A PHOSITA would have been motivated to combine Jakobsson’s teachings
`
`
`
`related to combining various kinds of inputs into a combination function to generate a
`
`first non-predictable authentication code (i.e., as a seed) and inputting this first code
`
`into a second combination function to generate a second authentication code as a non-
`
`predictable value with the system of Maes, as modified by Labrou. Cole MTA Decl.
`
`(EX1022) at ¶34. A PHOSITA would have recognized that the non-predictable
`
`authentication code would be used for the RSN of Labrou, or at least be used to
`
`supplement the inputs into the function R, to enhance security, as only the user device
`
`and verifying entity would be aware of the secret inputs and the functions used to
`
`combine them. Id. Subsequently, the non-predictable value may be used in accordance
`
`with the methods taught in Labrou—generating encrypting authentication information
`
`with a PIE (from, for example, a PIN), to secure a transaction message and enable the
`
`secure transaction server (STS) to verify a user. All three references relate to methods
`
`and systems for securely and remotely verifying the identity of a user, and such
`
`incorporation would have merely required the incorporation of known encryption
`
`techniques into an existing prior art system with similar purposes and structures. See id.
`
`Because the combination of Maes and Labrou already uses a seed to generate a non-
`
`predictable value, and because that combination also already includes the sources of
`
`seed data to be used, the incorporation of Jakobsson’s specific teachings regarding
`
`combining those various data sources to generate a seed to be used to generate a non-
`
`
`
`15
`
`
`
`IPR2018-00067
`U.S. Patent No. 8,577,813
`
`predictable authentication code would have yielded predictable results with a
`
`reasonable expectation of success. Id. And a PHOSITA would have appreciated that
`
`this combination would desirably further enhance security by combining those multiple
`
`data sources to enhance the strength of the non-predictable value. See id. Therefore,
`
`Claims 27-31, 37-41, and 50-52 are obvious over Maes, Labrou, and Jakobsson.
`
`3.
`
`Claims 42-43 and 46-49 are Obvious over the Combination of
`Maes, Labrou, and Weiss
`
`
`As discussed above, the combination of Maes and Labrou renders Proposed
`
`
`
`Claims 42 and related dependent claims obvious. However, in addition, the new
`
`combination of Maes, Labrou, and Weiss also satisfies the added limitation in
`
`Proposed Claim 42 (i.e., using a mathematical operation that uses secret information
`
`to reversibly render data unintelligible) and renders these claims obvious. As
`
`discussed, the ’813 Patent describes using a simple XOR operation with a PIN to
`
`secure data on a device. This is not the first time the inventor of the ’813 Patent
`
`described using such methods to encrypt data stored on a device. Weiss, prior art by
`
`the same inventor, teaches methods for “concryption” (compression and encryption)
`
`to securely store or transmit large amounts of data. See Weiss (EX1025) at Abstract.
`
`Weiss teaches using an XOR operation (i.e., “mathematical operation”) with a
`
`password (i.e., “secret information”) to encrypt (i.e., “render unintelligible”) data
`
`stored on a device:
`
`
`
`16
`
`
`
`IPR2018-00067
`U.S. Patent No. 8,577,813
`
`
`[T]he encryption step includes dividing the results of a selected
`compression step into a plurality of blocks or segments, selecting an
`encryption key for each segment and performing an encryption
`operation for each segment utilizing the corresponding encryption key.
`… For preferred embodiments, the encryption operation is performed
`by exclusive ORing the encryption key with the results … [T]he
`encryption key may be formed by exclusive ORing a password for a
`system user with a code derived from a token ….
`Id. at 3:10-35; see also id. at 6:27-52, Claim 12; see also id. at 3:4-7 (the encryption
`
`key is static for stored data). Weiss teaches that to decrypt the data, the system simply
`
`reverses the encryption process. See id. at 4:15-18.
`
`
`
`A PHOSITA would have been motivated to incorporate Weiss’s teachings
`
`related to using exclusive-OR operations employing a password (i.e., “secret
`
`information”) to encrypt data stored on an identification device into the system of
`
`Maes, as modified by Labrou, as this was a well-known technique for limiting access
`
`to data stored on a device in a computationally inexpensive way (i.e., by using the
`
`well-known XOR operation). See Cole MTA Decl. (EX1022) at ¶¶10, 38-39. Like
`
`Weiss, some embodiments of Maes requires the entry of a password or PIN to
`
`retrieve data, and Maes teaches that “any known encryption/decryption process”
`
`may be used to provide Maes’ encryption. See Maes (EX1003) at 10:11-18.
`
`Incorporating Weiss’s teachings into the PDA device of Maes would have required
`
`only minor modifications to the software of the PDA of Maes and would have
`
`
`
`17
`
`
`
`IPR2018-00067
`U.S. Patent No. 8,577,813
`
`yielded predictable results related to protecting data stored in a device via a
`
`password, because (1) Maes already teaches use of a password or PIN, (2) Maes
`
`already teaches storing data in encrypted form on its device, and (3) Weiss’s XOR
`
`operation was a well-known and computationally inexpensive technique for securing
`
`data on a device. See Cole MTA Decl. (EX1022) at ¶39. Therefore, a PHOSITA
`
`would have had a reasonable expectation of success in securing the data stored on
`
`the device of Maes in accordance with the techniques taught in Weiss. Id.
`
`4.
`
`Claim 45 is Obvious over the Combination of Maes, Labrou,
`and Weiss, in further view of either Gullman or Jakobsson
`
`
`Claim 45 depends from Claim 42 and recites that the authentication
`
`
`
`information is generated from a seed by employing at least two of the biometric data,
`
`the secret information, and an electronic serial number of the electronic ID device.
`
`Claim 42 is obvious over Maes, Labrou, and Weiss (see supra Sec. B.3). Claim 45
`
`is obvious over the combination of Maes, Labrou, and Weiss in further view of
`
`Gullman, as Gullman teaches that a seed may be generated from, e.g., a biometric
`
`and an electronic serial number of the device. See Gullman (EX1023) at 2:53-59;
`
`see also id. at 4:4-8; Cole MTA Decl. (EX1022) at ¶40. Further, Claim 45 is also
`
`obvious over the combination of Maes, Labrou, and Weiss in further view of
`
`Jakobsson, which a PHOSITA would recognize teaches combining a device secret
`
`K and fingerprint data, inter alia, for generating a non-predictable authentication
`
`
`
`18
`
`
`
`IPR2018-00067
`U.S. Patent No. 8,577,813
`
`code to be used in generating EAI. See Jakobsson (EX1024) at [0073]; see also id.
`
`at [0074], [0077], and [0013]; see also Cole MTA Decl. (EX1022) at ¶¶32-34. A
`
`“device secret” is a unique value manufactured into a device and, therefore, is an
`
`example of a serial number. See Jakobsson (EX1024) at [0065]. For the same reasons
`
`discussed regarding Claims Proposed Claims 27 and 50 in Sections B.1 and B.2,
`
`supra, a PHOSITA would have been motived to incorporate these teachings of
`
`Gullman or Jakobsson, respectively, into the system of Maes, as modified by
`
`Labrou, as further modified by Weiss, and would have had a reasonable expectation
`
`of success in making such combinations. Cole MTA Decl. (EX1022) at ¶40-41.
`
`5.
`
`Claims 32-36 are Obvious over i) Maes, Labrou, and Gullman,
`in further view of Burger and ii) Maes, Labrou, and Jakobsson,
`in further view of Burger
`
`
`
`
`
`Claim 32 depends from Claim 27, which is obvious over i) Maes, Labrou, and
`
`Gullman (see supra Sec. B.1) and ii) Maes, Labrou, and Jakobsson (see supra Sec.
`
`B.2). Claim 32 corresponds to original Claim 6 (which PO did not specifically
`
`defend in its Response), and recites a limitation taught by Burger, as set forth in the
`
`Petition. Paper 12, at 41-42. Claims 33-36 depend from Claim 32 and, as discussed
`
`above (s