`
`
`
`
`
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`____________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
` ____________
`
`UNIFIED PATENTS INC.
`Petitioner
`
`v.
`
`UNIVERSAL SECURE REGISTRY, LLC
`Patent Owner
`____________
`
`IPR2018-00067
`Patent 8,577,813
` ____________
`
`
`
`DECLARATION OF DR. ERIC COLE IN SUPPORT OF
`PETITIONER’S REPLY TO PATENT OWNER’S RESPONSE
`
`
`
`
`IPR2018-00067
`Unified EX1032 Page 1
`
`
`
`
`
`
`
`
`IPR2018-00067 Cole Declaration
`U.S. Patent 8,577,813
`
`I, Eric Cole, hereby declare the following:
`
`I.
`
`BACKGROUND AND QUALIFICATIONS
`1.
`I have been asked to respond to certain opinions provided by Dr.
`
`Markus Jacobsson in his declaration (EX2004) that accompanied Patent Owner’s
`
`Response and that responded to my original declaration (EX1009) in this matter..
`
`2. My opinions
`
`in my original declaration
`
`remain
`
`the same.
`
`Additionally, as before, I offer the below opinions and background knowledge
`
`from the lens of a person having ordinary skill in the art at the time of the earliest
`
`possible priority date of the ’813 Patent, which I have been told to assume is
`
`February 21, 2006 (a “PHOSITA”).1
`
`3. As part of my work in connection with this declaration, I have
`
`reviewed the following materials in addition to those materials already reviewed in
`
`preparation of my original declaration (EX1009) and those materials reviewed in
`
`preparation of my recent declaration in support of Petitioner’s Response to Patent
`
`Owner’s Contingent Motion to amend (EX1022):
`
`
`1 This February 21, 2006 is the same earliest possible priority date I was instructed to
`assume in my original declaration. See EX1009, at ¶26. I note that I had a typographical
`error in my Declaration in Support of Petitioner’s Opposition to Patent Owner’s
`Contingent Motion to Amend, which had stated an assumed date of “June 9, 2006.”
`EX1022, at ¶2. In preparing that declaration, I had applied the same assumed priority
`date set forth in my original declaration (i.e., February 21, 2006). In any event, my
`opinions would not have changed based on that slight difference in assumed priority
`dates.
`
`
`
`
`
`
`
`IPR2018-00067
`Unified EX1032 Page 2
`
`
`
`IPR2018-00067 Cole Declaration
`U.S. Patent 8,577,813
`
`• PO’s Preliminary Response (Paper 7);
`• Declaration of Dr. Jakobsson (EX1033);
`• U.S. Pub. 2003/0093690 to Kemper (“Kemper”) (EX1034);
`• U.S. Pub. 2004/0111343 to Lindvall (“Lindvall”) (EX1035).
`
`
`II. OPINION
`A. Additional Background of Technology
`
`Multi-factor Authentication
`
`4.
`
`As I mentioned in both of my previous declarations, it was well
`
`known in the art by 2006 that systems requiring multi-factor authentication (e.g.,
`
`the use of a PIN and a biometric verification) provided enhanced security against
`
`theft compared to systems requiring only one source of information for
`
`authentication. Dr. Jakobsson appears to opine the opposite, namely, that it would
`
`not “enhance security” to employ a system requiring both types of authentication.
`
`See, e.g., Jakobsson Decl. (EX2004) at ¶92. Respectfully, I disagree—systems
`
`using multi-factor authorization techniques were (and are) almost universally more
`
`secure than systems using only one factor. But a PHOSITA in 2006 was highly
`
`motivated
`
`to
`
`incorporate different
`
`types of authentication
`
`into financial
`
`transactions, both to prevent unscrupulous third parties from accessing or using the
`
`user’s financial data and to confirm to a verifier that a financial service is being
`
`requested by an authorized user. Systems requiring multiple types of authentication
`
`presented more obstacles to a would-be attacker because the compromise of the
`
`
`
`
`
`
`
`IPR2018-00067
`Unified EX1032 Page 3
`
`
`
`IPR2018-00067 Cole Declaration
`U.S. Patent 8,577,813
`first source (e.g., a PIN being overheard or seen, or a system being hacked for
`
`biometric information) would not necessarily implicate the second.
`
`5.
`
`For example, Jin et al., cited in my original declaration, provide some
`
`reasons that were known to a PHOSITA as to why systems using both biometrics
`
`and secret information to authenticate a user was more desirable than the use of
`
`biometrics alone or secret information, such as a PIN, alone. PINs suffered from
`
`the weakness that they could be illicitly acquired through observation by an
`
`unscrupulous party, while a person’s biometrics suffer from a different weakness
`
`in that, if compromised, they cannot be changed and place a user at risk for an
`
`attacker masquerading as them.2
`
`6.
`
`A PHOSITA would have recognized that requiring both types of
`
`information for verification of a user would allow each source to reconcile the
`
`deficiencies of the other. For example, it wouldn’t matter if the PIN were illicitly
`
`observed, because an unscrupulous observer could not “know” the user’s
`
`biometrics. Additionally, even if biometrics were somehow mimicked, an attacker
`
`could not mimic a PIN—it is either known, or it isn’t. Therefore, it was commonly
`
`
`2 See Jin (EX1012) at 1-2, 10 (Note: To provide ease of reference, I refer to the exhibit
`page number for non-patent or patent publication references); see also Cole Decl.
`(EX1009) at ¶34.
`
`
`
`
`
`
`
`IPR2018-00067
`Unified EX1032 Page 4
`
`
`
`IPR2018-00067 Cole Declaration
`U.S. Patent 8,577,813
`accepted that “wider adoption of two-factor authentication is desirable” in e-
`
`commerce by 2006.3
`
`Multi-Layered Authentication
`
`7. Multi-layered authentication (i.e., authentication at multiple places in
`
`a security system) was also well-known in the art and had cognizable benefits. For
`
`example, U.S. Pub. 2003/0093690 to Kemper (issued as U.S. Pat. 7,222,361),
`
`entitled “Computer Security With Local And Remote Authentication,” describes a
`
`system in which a user must first be authenticated at a local database to access
`
`services, and then and a remote database in the same session to continue services.4
`
`8.
`
`A PHOSITA would have particularly recognized the pros of such an
`
`arrangement in the context of multi-purpose identification devices, such as PDAs
`
`or cell phones. A user may wish to access such devices for reasons other than a
`
`financial transaction, such as to call or send a message to a friend, look at a photo
`
`stored on the device, or change settings on the device. Local authentication using,
`
`for example, secret information and/or a biometric input, protects this information
`
`from unwanted intruders, who may be people with as simple means as your
`
`3 See Harris (EX1013) at 1:28-64; see also Kemper (EX1034) at [0002] (“‘[S]trong
`authentication” uses a combination of items belonging to at least two of the following
`three categories: 1) personal knowledge (such as a password or personal identification
`number); 2) personal possessions (such a cardkey or other physical token); and 3)
`personal characteristics (such as a handwriting sample, voiceprint, fingerprint, or retina
`scan).”)
`4 Kemper (EX1034) at Abstract, [0027]-[0029] Figs. 3-4
`
`
`
`
`
`
`
`IPR2018-00067
`Unified EX1032 Page 5
`
`
`
`IPR2018-00067 Cole Declaration
`U.S. Patent 8,577,813
`average Nosy Ned. However, when a financial transaction is performed,
`
`additionally requiring remote verification of such input provides enhanced security
`
`because a sophisticated attacker must mimic not only the user’s device, but they
`
`must also be able to acquire a person’s secret information and biometric data to
`
`receive access to financial services, which would be considerably more difficult.
`
`9. A PHOSITA would recognize pros and cons with any security system
`
`arrangement. The level of security and susceptibility to attack, the risk of false
`
`positives (granting access to the wrong person) or negatives (rejections of the right
`
`person), the scope of harm that would be caused by a successful attack, time to
`
`authenticate, and cost of implementation, inter alia, were (and still are) factors a
`
`PHOSITA would have considered in designing a security system. For example, as
`
`mentioned above, requiring only local verification of a user would be at risk of an
`
`attacker tricking a remote verifier into believing that the attacker is the user by
`
`presenting the requisite account and/or device ID information. However, storing a
`
`user’s secret information or biometric input in only remote databases requires
`
`security at the remote location to protect against breaches. There were known
`
`ways to offset such a risk, such as using one-way functions or other encryption
`
`techniques to store encrypted versions of user information instead of the
`
`
`
`
`
`
`
`IPR2018-00067
`Unified EX1032 Page 6
`
`
`
`IPR2018-00067 Cole Declaration
`U.S. Patent 8,577,813
`information itself.5 In designing any security system, a PHOSITA would have
`
`estimated in a predictable manner the various trade-offs and risks and benefits of
`
`different means of operating.
`
`Repeatable Cryptographic Strings Based on Biometrics
`
`10. Dr. Jakobsson has also opined that prior art systems attempting to
`
`employ a hash function based on a string of information deterministically
`
`generated from different captures of a biometric input from a single person would
`
`be inoperable because “different [] values will be obtained for different tries and
`
`the encryption key will unpredictable vary.” See Jakobsson Decl. (EX2004) at ¶88.
`
`This conclusion is based on an inaccurate premise – that the same string could not
`
`be recreated upon different “tries” of the same biometric source. While it is true
`
`that the results of different measurements may cause the same biometric input to
`
`vary as a result of the “fuzziness” of such biometric measurements, a PHOSITA
`
`would have recognized known ways to generate repeatable cryptographic strings
`
`from different tries of the same biometric source by 2006.
`
`11. For example, Bohannon, filed in February 2000 and publicly available
`
`by May 2005, is specifically directed to a system that does exactly what Dr.
`
`Jakobsson opined could not be done—generating a repeatable cryptographic key
`
`5 See, e.g., Schneier (EX1015) at 86 (explaining how authentication using one-way
`functions allows a host system to authenticate a user without storing passwords
`themselves).
`
`
`
`
`
`
`
`IPR2018-00067
`Unified EX1032 Page 7
`
`
`
`IPR2018-00067 Cole Declaration
`U.S. Patent 8,577,813
`based on varying parameters representing physical measurements, and, more
`
`particularly, to biometric input:
`
`The present invention provides for the generation of a repeatable
`cryptographic key based on a set of potentially varying parameters.
`The cryptographic key is repeatable in that the same key is generated
`notwithstanding that the parameters, on which generation of the key is
`based, may vary from one generation of the key to the next. In an
`advantageous embodiment, the parameters represent measurements of
`some physical characteristics of either a person or a thing. For
`example, one class of physical characteristics
`is biometric
`characteristics of a person. As used herein, the term biometric
`characteristics includes any measurable biological, physiological, or
`biomechanical characteristics of a person. Such characteristics
`include, for example, fingerprint, iris, DNA, typing patterns, Voice,
`blood, etc. 6
`12. Bohannon is not the only reference addressing means for generating a
`
`repeatable cryptographic string using biometric input. For example, Hao et al.
`
`published a paper in 2005 that discussed existing methods of employing biometrics
`
`in cryptography and suggested a means of creating a biometric key from an iris
`
`
`6 Bohannon (EX1030) at 4:14-27; see also id. at Abstract, 2:38-47, see also id. at 5:8-13.
`
`
`
`
`
`
`
`IPR2018-00067
`Unified EX1032 Page 8
`
`
`
`IPR2018-00067 Cole Declaration
`U.S. Patent 8,577,813
`scan in combination with a string of error-correction data, with a 0.47% false
`
`rejection rate.7
`
`B. The Combination of Maes and Pare
`
`Pare does not teach away from the use of electronic ID devices
`
`
`13. The primary functionality taught in Pare is how to protect transmitted
`
`confidential information used to remotely verify a user for financial transactions. A
`
`PHOSITA would readily recognize the applicability of such a system in a device
`
`like Maes, particularly since Maes itself teaches encrypting data for transmission to
`
`a central server and POS for verification purposes. As I explained in my original
`
`declaration, the encryption techniques taught in Pare would enhance the security
`
`and prevent attacks on information transmitted, including the information
`
`transmitted in Maes, and would further Maes’s goal of reducing fraud in financial
`
`transactions. See EX1009, at ¶54.
`
`14. A conclusion that Pare teaches away from any “portable man made
`
`memory device” would take Pare’s teachings out of context and is not the
`
`conclusion a PHOSITA reading Pare would reach. When Pare describes a portable
`
`man-made memory device, Pare is referring specifically to smart cards, and it also
`
`refers to credit cards as being “tokens.” See Pare (EX1004) at Abstract; 1:10-2:3;
`
`
`7 Hao (EX1031) at 4-5; see also id. at 4 (defining “biometric key” as a “repeatable string
`derived from a user biometric”), 12.
`
`
`
`
`
`
`
`IPR2018-00067
`Unified EX1032 Page 9
`
`
`
`IPR2018-00067 Cole Declaration
`U.S. Patent 8,577,813
`see also 7:17-21. Pare describes financial cards, like credit cards, debit cards, and
`
`smart cards as being “tokens” and that these “tokens” can be problematic because
`
`of the risk of loss, theft, or counterfeiting. But not once does Pare identify
`
`electronic devices such as cell phones or PDAs as themselves being “tokens.”
`
`Indeed, Pare teaches that the BIA device itself has a memory, so if the conclusion
`
`that any portable man-made memory device is a token were true, then the BIA
`
`itself would be a token. Specifically, Pare teaches that the BIA device contains
`
`memory for storing certain data for performing a financial transaction, allows a
`
`user to access their financial accounts, and can be integrated within a cellular
`
`telephone.8 Pare also makes clear that the technology to secure such devices
`
`existed at the time.9 A PHOSITA would, therefore, not find Pare to teach away
`
`from the use of electronic ID devices (such as Maes’s PDA).
`
`Local and Remote Authentication
`
`15. As mentioned above in Paragraphs 7-9, performing both local and
`
`remote authentication of a user was nothing new by the time of the ’813 Patent,
`
`
`8 See Pare at 9:65-10:1 (memory); 4:21-24; 11:22-28 (BIA integrated within telephone);
`14-19-32 (BIA integrated with telephone); 30:48-50 (BIA integrated with cellular
`telephone); 10:1-7 (cellular telephone network); 6:4-8 (system may display account name
`during authorization); 41:34-55 (accessing list of accounts).
`9 See id. at 14:33-37 (stating that a BIA integrated with a phone may be insecure but
`“higher-security versions with more complete enclosures are possible and encouraged.”);
`20:4-15 (teaching that use of biometric and PIN, along with encryption, restricts potential
`criminal access).
`
`
`
`
`
`
`
`IPR2018-00067
`Unified EX1032 Page 10
`
`
`
`IPR2018-00067 Cole Declaration
`U.S. Patent 8,577,813
`and there were many reasons a PHOSITA would have desired such an
`
`arrangement, particularly in the context of multi-purpose cell phones and PDAs.
`
`For example, a remote device may not be designed to have a trust relationship with
`
`the local device, such that separate devices may require their own separate
`
`authentication steps. Or an added layer of security may be desired. See, e.g., Maes
`
`(EX1003) at 13:19-24 (additional verification for “additional level of security”).
`
`Thus, there is nothing “redundant” about performing both, and the combination of
`
`Maes and Pare would not be considered redundant by a PHOSITA.
`
`16.
`
`I note that the ’813 Patent itself provides for both local and remote
`
`authentication, including for local and remote authentication of the same biometric.
`
`The claims contemplate a first authentication at the device level using a biometric,
`
`PIN, or both. And the specification describes that, for example, the biometric could
`
`be authenticated by both the user device and the server (i.e., the USR).’813 Patent
`
`(EX1001) at 47:35-38 (“[T]he authentication of the biometric occurs at the user
`
`device 352, at the POS device 354, at the USR 356 or at a combination of the
`
`preceding.”).
`
`17. Maes itself also already teaches both remote and local authentication.
`
`For example, in the context of a client/server mode, authentication must be
`
`performed to obtain a digital certificate (which may be used at any time). See e.g.,
`
`Maes (EX1003) at 8:50-65, 10:18-21. Additionally, to use the PDA for a financial
`
`
`
`
`
`
`
`IPR2018-00067
`Unified EX1032 Page 11
`
`
`
`IPR2018-00067 Cole Declaration
`U.S. Patent 8,577,813
`transaction, the user must authenticate him or herself locally, in local mode. Id. at
`
`3:59-61, 5:54-67.
`
`18. Maes does not restrict the lifetime that can be specified by the user for
`
`the digital certificate. See id. at 9:65-10:7. Therefore, a PHOSITA would recognize
`
`that the user could set the lifetime of the digital certificate to be so short as to be
`
`practically eligible for only one transaction at a time. Thus, both the client-server
`
`mode and local mode would be effectively occurring for a single transaction. In
`
`addition, in the event that a user went to perform a transaction in local mode and
`
`the device informed the user that their digital certificate had expired, then the user
`
`would have to promptly perform client-server mode to re-authenticate their
`
`biometric and PIN with the server to obtain a new, unexpired digital certificate just
`
`before performing the financial transaction with the device.
`
`19. Thus, any distinction between the client/server and local mode
`
`authentication as being part of different “sessions” is not meaningful. If one
`
`followed Patent Owner’s logic regarding the redundancy of local and remote
`
`verification, there would be no need for the client/server mode if the central server
`
`could just trust the PDA device’s authentication. And, the fact that the
`
`authorization number received by the merchant and transmitted to the central
`
`server for verifying a user in transactions is a function of the digital certificate
`
`indicates that the central server itself is performing part of the user verification for
`
`
`
`
`
`
`
`IPR2018-00067
`Unified EX1032 Page 12
`
`
`
`IPR2018-00067 Cole Declaration
`U.S. Patent 8,577,813
`a given transaction. See Maes at 12:66-13:5 (“Since the authorization number is a
`
`function of the unexpired digital certificate that was obtained from the central
`
`server 60 in the client/server mode, the central server 60 inform [sic] the merchant
`
`that the user was properly verified (step 318).”); 6:50-53.
`
`20. A PHOSITA would not have considered the proposed combination of
`
`Maes and Pare, allowing for local and remote authentication, redundant such that
`
`the combination would not be made. It was known in the art to perform local and
`
`remote authentication, including in a same “session,” as discussed Paragraphs 7-9
`
`above, so incorporating the concepts taught in Pare related to encrypting
`
`transmitted authentication information would have resulted in obvious security
`
`enhancements to the similar system in Maes and is consistent with Maes’s desire to
`
`perform both local and remote authentication, including for an additional layer of
`
`security.
`
`The Teachings in Maes would be Operable with and are not Inconsistent with
`Enhanced Infrastructure
`
`21. Patent Owner argues
`
`that because Maes
`
`teaches backwards
`
`compatibility with existing infrastructure (e.g., by being able to use the Universal
`
`Card in swipe systems), then combining Maes’s teachings with any other prior art
`
`reference dealing with new technology or any upgrades to existing payment
`
`infrastructure defeats “the basic principle” of Maes’s invention. This conclusion is
`
`inconsistent with what a PHOSITA would have taken away from Maes’s
`IPR2018-00067
`
`
`
`
`Unified EX1032 Page 13
`
`
`
`IPR2018-00067 Cole Declaration
`U.S. Patent 8,577,813
`teachings. The basic principle that a PHOSITA would have taken away from the
`
`teachings in Maes is the desirability and operation of a portable electronic device
`
`that eliminates the need to physically carry insecure financial cards and provides
`
`for biometric and PIN verification to engage in secure transactions with merchants
`
`by using a remote central server to authorize transactions. See, e.g., Maes
`
`(EX1003) at 1:59-2:20, 2:23-30, 3:32-37. While Maes teaches that its system is
`
`capable of backwards compatibility, its teachings are very much related to adapting
`
`to new technology and upgrades to infrastructure as well. For example, Maes
`
`teaches that its system would work solely with the PDA device, without need for
`
`the Universal Card and with the PDA taking the place of the Universal Card. See
`
`Maes (EX1003) at 12:5-29.
`
`22.
`
`Indeed, there are many examples in Maes where the proposed
`
`card/PDA combination would not be able to work with conventional POS devices
`
`at the time of its filing, making updated infrastructure necessary. For example,
`
`though known, it was not common for existing POS systems to overwrite a receipt
`
`on the Universal Card—such a feature would have required updates to existing
`
`POS systems. Id. at 11:41-43 (“In a more advanced transaction terminal 80, the
`
`Universal card may be overwritten with a receipt of the transaction by the POS or
`
`ATM transaction terminal 80 (step 222).”); see also id. at 11:42-51, 12:16-18,
`
`14:17-21. Indeed, wireless POS devices that would communicate with a PDA
`
`
`
`
`
`
`
`IPR2018-00067
`Unified EX1032 Page 14
`
`
`
`IPR2018-00067 Cole Declaration
`U.S. Patent 8,577,813
`device, a feature explicitly taught by Maes, would have required updates to
`
`existing terminal infrastructure that did not have wireless capabilities yet. See id. at
`
`12:5-29; see also id. at 15:29-43 (teaching that the invention would be compatible
`
`with near-future PAN-enabled POS terminals). However, these updates would
`
`have been based on well-known, predictable technology, and a PHOSITA would
`
`have had a reasonable expectation of success in their implementation.
`
`23. Further, even though there are embodiments in which Maes teaches
`
`verbally communicating or displaying the authorization number for transactions
`
`not involving electronic data transfer, this is not a feature that represents a basic
`
`principle operation of Maes or that detracts from the fact that it would have been
`
`obvious to a PHOSITA to wirelessly transmit an encrypted transaction message, as
`
`taught in Pare and supported by the teachings in other embodiments of Maes. The
`
`key characteristic of the authorization number is that it “is a function of the
`
`unexpired digital certificate that was obtained from the central server,” which
`
`allows the central server to confirm for the merchant that the user had been
`
`previously properly verified with the server. Maes at 13:1-5. Indeed, in one
`
`embodiment of Maes, it teaches that the authorization number may be transmitted
`
`directly, through wireless means. See Maes (EX1003) at 14:58-67 (transfer of
`
`money requiring authorization number may be performed via IR). Therefore, a
`
`PHOSITA would not conclude that Maes’s basic principle, and the sole purpose of
`
`
`
`
`
`
`
`IPR2018-00067
`Unified EX1032 Page 15
`
`
`
`IPR2018-00067 Cole Declaration
`U.S. Patent 8,577,813
`the authorization number, is for the system to be used in transactions not involving
`
`electronic data transfer.
`
`24. Nothing in Maes prohibits changes to infrastructure; instead, Maes
`
`teaches a system for allowing adaptation to such changes. While it does teach the
`
`use of a Universal Card to allow the system to be backwards compatible, it clearly
`
`teaches that the PDA device may be used alone, with no card, including in wireless
`
`transactions. Id. at 12:5-29. As mentioned in Paragraph 22 above, Maes itself
`
`contemplates above, Maes itself presents examples of working with “special” or
`
`“advanced” POS systems. Id. at 11:42-51, 12:16-18, 14:17-21. Therefore, nothing
`
`in Maes restricts infrastructure updates and, if anything, Maes is compatible with
`
`such updates.
`
`25. Further, adding a simple seller registration process, to the extent it did
`
`not already exist, for purposes of implementing Pare’s commercial transaction
`
`message in Maes would not be incompatible with the teachings of Maes. Pare
`
`teaches that in embodiments employing the seller registration step may be
`
`something as simple as a seller’s phone number, so having seller registration would
`
`not have required substantial infrastructure enhancements and would have involved
`
`relatively small changes to software. See Pare (EX1004) at 56:9 (“[T]he seller
`
`identification code, be it phone number …”). Indeed, even with basic tokens, such
`
`as common credit cards and other financial cards, POS devices must be associated
`
`
`
`
`
`
`
`IPR2018-00067
`Unified EX1032 Page 16
`
`
`
`IPR2018-00067 Cole Declaration
`U.S. Patent 8,577,813
`with a merchant account compatible with various financial institutions through a
`
`standard seller registration process so that those institutions know where to direct
`
`the credit or money.10 A PHOSITA would recognized that similar standard seller
`
`registration processes would have been readily available and compatible with the
`
`Maes-Pare combination and would have required only minor modifications in
`
`software and yielded predictable results related to having a merchant have an
`
`account with a financial institution because of their commonplace nature at the
`
`time.
`
`Motivation to Combine Maes and Pare
`
`26. Contrary to Patent Owner’s arguments, a PHOSITA, in my opinion,
`
`would have been motivated to combine Pare’s teachings of encrypting shared
`
`transaction and authentication information with the transactional system in Maes
`
`to enhance the security system of Maes, and such a combination would have been
`
`obvious, as I have previously explained. See EX1009, ¶54. To be successful,
`
`enhanced security is a high priority and primary goal for any financial transaction
`
`system, and a PHOSITA working in the field of secure financial transactions at
`
`that time (and particularly those involving use of mobile devices) would have
`
`
`10 See, e.g., Lindvall (EX1035) at [0004], [0009]-[0012] (describing processes for
`
`allowing merchant account acquisition and approval).
`
`
`
`
`
`
`
`IPR2018-00067
`Unified EX1032 Page 17
`
`
`
`IPR2018-00067 Cole Declaration
`U.S. Patent 8,577,813
`considered references that presented means for enhanced security, such as the use
`
`of encrypted authentication information to enhance security and reduce the risk of
`
`fraud.
`
`27. Maes generally teaches the use of any known encryption technique to
`
`protect transmitted transaction data. See Maes (EX1003) at 10:10-15 (the
`
`invention “may employ any known encryption technique or algorithm” in
`
`encrypting data); see also id. at 13:24-38 (describing how an “encrypted
`
`information file” along with selected card information would be transmitted to a
`
`POS terminal as part of a transaction), 13:51-60. A PHOSITA would have been
`
`motivated by these teachings of Maes to consider existing techniques for
`
`encrypting transaction data, including Pare’s specific teachings of how to encrypt
`
`a message containing transaction and verification data. Both Maes and Pare
`
`present similar transaction systems using an electronic ID device and requiring
`
`remote authentication at a central server via a POS terminal. Therefore, a
`
`PHOSITA would have concluded that the teachings of Pare related to specific
`
`ways to encrypt transaction data would have presented an obvious improvement to
`
`the system in Maes that would have enhanced security and furthered Maes goal of
`
`reducing the risk of fraud.
`
`28. Further, it would have been obvious to use Pare’s encrypted data in
`
`place of Maes’s authorization number or basic card information, as it was
`
`
`
`
`
`
`
`IPR2018-00067
`Unified EX1032 Page 18
`
`
`
`IPR2018-00067 Cole Declaration
`U.S. Patent 8,577,813
`becoming increasingly feasible in the field of financial security to employ
`
`encryption to enhance security. The obviousness of the proposed combination is
`
`bolstered by Maes’s own teachings related to encryption and authentication. For
`
`example, Maes teaches encrypting financial data generally and in the context of
`
`authorization numbers. See Maes (EX1003) at 15:15-20 (“[T]o prevent fraud, the
`
`PDA device of User A may be configured such that the authorization number
`
`produced by the PDA device of User A contains the amount of money to be
`
`transferred to the account of User B in an encrypted … form.”); see also id. at
`
`13:39-50. And, importantly, the authorization number is a function of the
`
`unexpired digital certificate, which would have been obtained during the
`
`verification of a user during the client/server mode. Maes (EX1003) at 13:1-2.
`
`This relationship allows the central server to confirm that the authorization
`
`number is based on a valid verification of a user. Thus, a PHOSITA would
`
`understand that the authorization number already represents obscured data in that
`
`it is itself a function of the digital certificate. Therefore, Patent Owner’s argument
`
`that Maes never suggests “encrypting” the authorization number itself is
`
`misplaced. POR at 32. This argument that it would not be obvious to use Pare’s
`
`encrypted authentication information in place of Maes’ authorization number are
`
`inconsistent with the teachings of Maes, which itself teaches the exchange of
`
`encrypted information and the fact that the authorization number can itself contain
`
`
`
`
`
`
`
`IPR2018-00067
`Unified EX1032 Page 19
`
`
`
`encrypted data.
`
`IPR2018-00067 Cole Declaration
`U.S. Patent 8,577,813
`
`C. Maes and Labrou
`
`
`Labrou renders obvious the use of a PIN and biometric in generating a PIE
`
`
`29.
`
`In my opinion, a PHOSITA would have been motivated from the
`
`teachings of Labrou to generate a PIE from a biometric and PIN. The benefits of
`
`multi-factor authentication were well-known in the art well before 2006. Further,
`
`Labrou repeatedly mentions the use of biometric in combination with a PIN for
`
`verifying a user. See, e.g., Labrou (EX1005) at [0421] (“[A]t some point the user
`
`decides to make a purchase, … the user selects and confirms the transaction by
`
`selecting the purchase button and entering (to the device 102) her PIN (and/or
`
`biometric if available).”); see also id. at [0158], [0416]-[0418], [0456]. Finally,
`
`Maes itself bolsters this concept, specifically teaching the use of a biometric and a
`
`PIN for remote verification of a user. See, e.g., Maes (EX1003) at 3:46-48 (“[T]he
`
`central server verifies the user either biometrically or through PIN or password or
`
`a combination thereof”). Therefore, I stand by my original opinion that generating
`
`and transmitting encrypted authentication information generated from secret
`
`information and information associated with a biometric input, inter alia, is
`
`obvious over the combination of Maes and Labrou
`
`30.
`
`I disagree with Dr. Jakobsson’s opinion that Labrou’s teaching of
`
`generating a PIE from a biometric would have not been possible. As discussed
`
`
`
`
`
`
`
`IPR2018-00067
`Unified EX1032 Page 20
`
`
`
`IPR2018-00067 Cole Declaration
`U.S. Patent 8,577,813
`above in Paragraphs 10-12, a PHOSITA would have known methods of
`
`generating a repeatable cryptographic string from different measurements of a
`
`biometric input of a user (e.g., varying measurements of the same fingerprint). A
`
`PHOSITA therefore would have known how to generate a repeatable PIE in
`
`Labrou from varying biometric measurements of the same person (e.g., of the
`
`same fingerprint), and these teachings are enabled by Labrou in light of the
`
`knowledge of a PHOSITA.
`
`The Aliases of Labrou are “Account Identifying Information”
`
`31.
`
`I have not been asked and am not offering an opinion on claim
`
`construction of this term. However, in my opinion, if claims 12 and 21 required
`
`that “account identifying information” be genera