UNITED STATES PATENT AND TRADEMARK OFFICE
____________

BEFORE THE PATENT TRIAL AND APPEAL BOARD
____________

UNIFIED PATENTS INC.
Petitioner

v.

UNIVERSAL SECURE REGISTRY, LLC
Patent Owner
____________

IPR2018-00067
Patent 8,577,813
____________

DECLARATION OF DR. ERIC COLE IN SUPPORT OF
PETITIONER’S REPLY TO PATENT OWNER’S RESPONSE

IPR2018-00067
Unified EX1032 Page 1
IPR2018-00067 Cole Declaration
U.S. Patent 8,577,813

I, Eric Cole, hereby declare the following:

I. BACKGROUND AND QUALIFICATIONS

1. I have been asked to respond to certain opinions provided by Dr. Markus Jakobsson in his declaration (EX2004) that accompanied Patent Owner’s Response and that responded to my original declaration (EX1009) in this matter.

2. My opinions in my original declaration remain the same. Additionally, as before, I offer the below opinions and background knowledge from the lens of a person having ordinary skill in the art at the time of the earliest possible priority date of the ’813 Patent, which I have been told to assume is February 21, 2006 (a “PHOSITA”).[1]

[1] This February 21, 2006 is the same earliest possible priority date I was instructed to assume in my original declaration. See EX1009, at ¶26. I note that I had a typographical error in my Declaration in Support of Petitioner’s Opposition to Patent Owner’s Contingent Motion to Amend, which had stated an assumed date of “June 9, 2006.” EX1022, at ¶2. In preparing that declaration, I had applied the same assumed priority date set forth in my original declaration (i.e., February 21, 2006). In any event, my opinions would not have changed based on that slight difference in assumed priority dates.

3. As part of my work in connection with this declaration, I have reviewed the following materials in addition to those materials already reviewed in preparation of my original declaration (EX1009) and those materials reviewed in preparation of my recent declaration in support of Petitioner’s Response to Patent Owner’s Contingent Motion to Amend (EX1022):

• PO’s Preliminary Response (Paper 7);
• Declaration of Dr. Jakobsson (EX1033);
• U.S. Pub. 2003/0093690 to Kemper (“Kemper”) (EX1034);
• U.S. Pub. 2004/0111343 to Lindvall (“Lindvall”) (EX1035).

II. OPINION

A. Additional Background of Technology

Multi-factor Authentication

4. As I mentioned in both of my previous declarations, it was well known in the art by 2006 that systems requiring multi-factor authentication (e.g., the use of a PIN and a biometric verification) provided enhanced security against theft compared to systems requiring only one source of information for authentication. Dr. Jakobsson appears to opine the opposite, namely, that it would not “enhance security” to employ a system requiring both types of authentication. See, e.g., Jakobsson Decl. (EX2004) at ¶92. Respectfully, I disagree—systems using multi-factor authorization techniques were (and are) almost universally more secure than systems using only one factor. But a PHOSITA in 2006 was highly motivated to incorporate different types of authentication into financial transactions, both to prevent unscrupulous third parties from accessing or using the user’s financial data and to confirm to a verifier that a financial service is being requested by an authorized user. Systems requiring multiple types of authentication presented more obstacles to a would-be attacker because the compromise of the
first source (e.g., a PIN being overheard or seen, or a system being hacked for biometric information) would not necessarily implicate the second.

5. For example, Jin et al., cited in my original declaration, provide some reasons that were known to a PHOSITA as to why systems using both biometrics and secret information to authenticate a user were more desirable than the use of biometrics alone or secret information, such as a PIN, alone. PINs suffered from the weakness that they could be illicitly acquired through observation by an unscrupulous party, while a person’s biometrics suffer from a different weakness in that, if compromised, they cannot be changed and place a user at risk for an attacker masquerading as them.[2]

[2] See Jin (EX1012) at 1-2, 10 (Note: To provide ease of reference, I refer to the exhibit page number for non-patent or patent publication references); see also Cole Decl. (EX1009) at ¶34.

6. A PHOSITA would have recognized that requiring both types of information for verification of a user would allow each source to reconcile the deficiencies of the other. For example, it wouldn’t matter if the PIN were illicitly observed, because an unscrupulous observer could not “know” the user’s biometrics. Additionally, even if biometrics were somehow mimicked, an attacker could not mimic a PIN—it is either known, or it isn’t. Therefore, it was commonly
accepted that “wider adoption of two-factor authentication is desirable” in e-commerce by 2006.[3]

[3] See Harris (EX1013) at 1:28-64; see also Kemper (EX1034) at [0002] (“‘[S]trong authentication’ uses a combination of items belonging to at least two of the following three categories: 1) personal knowledge (such as a password or personal identification number); 2) personal possessions (such a cardkey or other physical token); and 3) personal characteristics (such as a handwriting sample, voiceprint, fingerprint, or retina scan).”)

Multi-Layered Authentication

7. Multi-layered authentication (i.e., authentication at multiple places in a security system) was also well-known in the art and had cognizable benefits. For example, U.S. Pub. 2003/0093690 to Kemper (issued as U.S. Pat. 7,222,361), entitled “Computer Security With Local And Remote Authentication,” describes a system in which a user must first be authenticated at a local database to access services, and then at a remote database in the same session to continue services.[4]

[4] Kemper (EX1034) at Abstract, [0027]-[0029], Figs. 3-4.

8. A PHOSITA would have particularly recognized the pros of such an arrangement in the context of multi-purpose identification devices, such as PDAs or cell phones. A user may wish to access such devices for reasons other than a financial transaction, such as to call or send a message to a friend, look at a photo stored on the device, or change settings on the device. Local authentication using, for example, secret information and/or a biometric input, protects this information from unwanted intruders, who may be people with as simple means as your
average Nosy Ned. However, when a financial transaction is performed, additionally requiring remote verification of such input provides enhanced security because a sophisticated attacker must mimic not only the user’s device, but they must also be able to acquire a person’s secret information and biometric data to receive access to financial services, which would be considerably more difficult.

9. A PHOSITA would recognize pros and cons with any security system arrangement. The level of security and susceptibility to attack, the risk of false positives (granting access to the wrong person) or negatives (rejections of the right person), the scope of harm that would be caused by a successful attack, time to authenticate, and cost of implementation, inter alia, were (and still are) factors a PHOSITA would have considered in designing a security system. For example, as mentioned above, requiring only local verification of a user would be at risk of an attacker tricking a remote verifier into believing that the attacker is the user by presenting the requisite account and/or device ID information. However, storing a user’s secret information or biometric input in only remote databases requires security at the remote location to protect against breaches. There were known ways to offset such a risk, such as using one-way functions or other encryption techniques to store encrypted versions of user information instead of the
information itself.[5] In designing any security system, a PHOSITA would have estimated in a predictable manner the various trade-offs and risks and benefits of different means of operating.

[5] See, e.g., Schneier (EX1015) at 86 (explaining how authentication using one-way functions allows a host system to authenticate a user without storing passwords themselves).

Repeatable Cryptographic Strings Based on Biometrics

10. Dr. Jakobsson has also opined that prior art systems attempting to employ a hash function based on a string of information deterministically generated from different captures of a biometric input from a single person would be inoperable because “different [] values will be obtained for different tries and the encryption key will unpredictable vary.” See Jakobsson Decl. (EX2004) at ¶88. This conclusion is based on an inaccurate premise – that the same string could not be recreated upon different “tries” of the same biometric source. While it is true that the results of different measurements may cause the same biometric input to vary as a result of the “fuzziness” of such biometric measurements, a PHOSITA would have recognized known ways to generate repeatable cryptographic strings from different tries of the same biometric source by 2006.

11. For example, Bohannon, filed in February 2000 and publicly available by May 2005, is specifically directed to a system that does exactly what Dr. Jakobsson opined could not be done—generating a repeatable cryptographic key
based on varying parameters representing physical measurements, and, more particularly, to biometric input:

    The present invention provides for the generation of a repeatable cryptographic key based on a set of potentially varying parameters. The cryptographic key is repeatable in that the same key is generated notwithstanding that the parameters, on which generation of the key is based, may vary from one generation of the key to the next. In an advantageous embodiment, the parameters represent measurements of some physical characteristics of either a person or a thing. For example, one class of physical characteristics is biometric characteristics of a person. As used herein, the term biometric characteristics includes any measurable biological, physiological, or biomechanical characteristics of a person. Such characteristics include, for example, fingerprint, iris, DNA, typing patterns, Voice, blood, etc.[6]

[6] Bohannon (EX1030) at 4:14-27; see also id. at Abstract, 2:38-47; see also id. at 5:8-13.

12. Bohannon is not the only reference addressing means for generating a repeatable cryptographic string using biometric input. For example, Hao et al. published a paper in 2005 that discussed existing methods of employing biometrics in cryptography and suggested a means of creating a biometric key from an iris
scan in combination with a string of error-correction data, with a 0.47% false rejection rate.[7]
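The technique that paragraphs 10 through 12 describe in general terms, a repeatable cryptographic key recovered from varying captures of the same biometric with the help of stored error-correction data, together with the one-way-function storage that paragraph 9 and its footnote 5 mention, as an added worked example in Python. This code is not part of Dr. Cole's declaration, of Bohannon, or of Hao et al.; it is a minimal fuzzy-commitment construction in which the feature-string length, the repetition code, the SHA-256 domain tags, and the sample template are all assumptions chosen for illustration.

```python
from __future__ import annotations

import hashlib
import secrets
from typing import Optional

# Illustrative parameters (assumptions, not taken from the declaration or its exhibits):
# a 160-bit feature string protected by a 5x repetition code. Each of the 32 secret bits
# is spread over 5 feature bits, so majority voting corrects up to 2 flips per 5-bit block.
SECRET_BITS = 32
REPEAT = 5
FEATURE_BITS = SECRET_BITS * REPEAT   # 160 bits
FEATURE_BYTES = FEATURE_BITS // 8     # 20 bytes


def _to_bits(data: bytes, n: int) -> list:
    """Most-significant-bit-first list of the low n bits of data."""
    value = int.from_bytes(data, "big")
    return [(value >> (n - 1 - i)) & 1 for i in range(n)]


def _from_bits(bits: list) -> bytes:
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value.to_bytes(len(bits) // 8, "big")


def encode(secret: bytes) -> bytes:
    """Repetition-code encoder: every secret bit is written REPEAT times."""
    return _from_bits([b for b in _to_bits(secret, SECRET_BITS) for _ in range(REPEAT)])


def decode(codeword: bytes) -> bytes:
    """Majority-vote decoder: recovers the secret while each block has at most 2 flipped bits."""
    bits = _to_bits(codeword, FEATURE_BITS)
    blocks = [bits[i:i + REPEAT] for i in range(0, FEATURE_BITS, REPEAT)]
    return _from_bits([1 if sum(block) > REPEAT // 2 else 0 for block in blocks])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _one_way(tag: bytes, secret: bytes) -> bytes:
    """One-way function (SHA-256 with a domain tag): the server stores hashes, never the secret."""
    return hashlib.sha256(tag + secret).digest()


def enroll(template: bytes) -> tuple:
    """Enrollment: returns (record the server stores, key handed to the caller).

    The record holds the helper string (codeword XOR biometric) and a verifier hash.
    Neither the raw biometric nor the key is stored, which is the one-way-function point
    made in paragraph 9 of the declaration.
    """
    assert len(template) == FEATURE_BYTES
    secret = secrets.token_bytes(SECRET_BITS // 8)
    record = {
        "helper": _xor(encode(secret), template),
        "verifier": _one_way(b"verify", secret),
    }
    return record, _one_way(b"key", secret)


def reproduce(record: dict, template: bytes) -> Optional[bytes]:
    """Authentication: rebuild the same key from a fresh, noisy capture, or None if too noisy."""
    assert len(template) == FEATURE_BYTES
    # helper XOR fresh capture = codeword XOR (measurement noise), which the code then removes
    secret = decode(_xor(record["helper"], template))
    if _one_way(b"verify", secret) != record["verifier"]:
        return None   # decoding failed: wrong person or more noise than the code can absorb
    return _one_way(b"key", secret)


def flip_bits(data: bytes, positions: list) -> bytes:
    """Simulate measurement noise by flipping the listed bit positions (constructed input)."""
    value = int.from_bytes(data, "big")
    width = len(data) * 8
    for p in positions:
        value ^= 1 << (width - 1 - p)
    return value.to_bytes(len(data), "big")


# Constructed stand-in for a fingerprint feature vector; a real system would quantize sensor output.
ENROLLED = hashlib.sha256(b"constructed fingerprint feature vector").digest()[:FEATURE_BYTES]


def demo() -> tuple:
    """Returns (same key under tolerable noise, key refused under excessive noise)."""
    record, key = enroll(ENROLLED)
    # Five flips in five different blocks: within the code's correction capacity.
    tolerable = flip_bits(ENROLLED, [0, 7, 23, 88, 150])
    # Three flips inside one block: beyond capacity, so the verifier check must reject.
    excessive = flip_bits(ENROLLED, [0, 1, 2])
    return reproduce(record, tolerable) == key, reproduce(record, excessive) is None


if __name__ == "__main__":
    print(demo())   # (True, True)
```

Running the block prints (True, True): a capture with a few scattered bit errors yields exactly the key produced at enrollment, while a capture whose errors exceed the code's correction capacity is rejected by the verifier hash instead of silently producing a different key. The stored record contains only the helper string and a hash, so a breach of the remote database does not hand over the biometric directly; the helper protects the template only as well as the secret's entropy, which is why a deployed scheme uses a stronger code and far more feature bits than this toy.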

[7] Hao (EX1031) at 4-5; see also id. at 4 (defining “biometric key” as a “repeatable string derived from a user biometric”), 12.

B. The Combination of Maes and Pare

Pare does not teach away from the use of electronic ID devices

13. The primary functionality taught in Pare is how to protect transmitted confidential information used to remotely verify a user for financial transactions. A PHOSITA would readily recognize the applicability of such a system in a device like Maes, particularly since Maes itself teaches encrypting data for transmission to a central server and POS for verification purposes. As I explained in my original declaration, the encryption techniques taught in Pare would enhance the security and prevent attacks on information transmitted, including the information transmitted in Maes, and would further Maes’s goal of reducing fraud in financial transactions. See EX1009, at ¶54.

14. A conclusion that Pare teaches away from any “portable man made memory device” would take Pare’s teachings out of context and is not the conclusion a PHOSITA reading Pare would reach. When Pare describes a portable man-made memory device, Pare is referring specifically to smart cards, and it also refers to credit cards as being “tokens.” See Pare (EX1004) at Abstract; 1:10-2:3;
see also 7:17-21. Pare describes financial cards, like credit cards, debit cards, and smart cards as being “tokens” and that these “tokens” can be problematic because of the risk of loss, theft, or counterfeiting. But not once does Pare identify electronic devices such as cell phones or PDAs as themselves being “tokens.” Indeed, Pare teaches that the BIA device itself has a memory, so if the conclusion that any portable man-made memory device is a token were true, then the BIA itself would be a token. Specifically, Pare teaches that the BIA device contains memory for storing certain data for performing a financial transaction, allows a user to access their financial accounts, and can be integrated within a cellular telephone.[8] Pare also makes clear that the technology to secure such devices existed at the time.[9] A PHOSITA would, therefore, not find Pare to teach away from the use of electronic ID devices (such as Maes’s PDA).

[8] See Pare at 9:65-10:1 (memory); 4:21-24; 11:22-28 (BIA integrated within telephone); 14:19-32 (BIA integrated with telephone); 30:48-50 (BIA integrated with cellular telephone); 10:1-7 (cellular telephone network); 6:4-8 (system may display account name during authorization); 41:34-55 (accessing list of accounts).

[9] See id. at 14:33-37 (stating that a BIA integrated with a phone may be insecure but “higher-security versions with more complete enclosures are possible and encouraged.”); 20:4-15 (teaching that use of biometric and PIN, along with encryption, restricts potential criminal access).

Local and Remote Authentication

15. As mentioned above in Paragraphs 7-9, performing both local and remote authentication of a user was nothing new by the time of the ’813 Patent,
and there were many reasons a PHOSITA would have desired such an arrangement, particularly in the context of multi-purpose cell phones and PDAs. For example, a remote device may not be designed to have a trust relationship with the local device, such that separate devices may require their own separate authentication steps. Or an added layer of security may be desired. See, e.g., Maes (EX1003) at 13:19-24 (additional verification for “additional level of security”). Thus, there is nothing “redundant” about performing both, and the combination of Maes and Pare would not be considered redundant by a PHOSITA.

16. I note that the ’813 Patent itself provides for both local and remote authentication, including for local and remote authentication of the same biometric. The claims contemplate a first authentication at the device level using a biometric, PIN, or both. And the specification describes that, for example, the biometric could be authenticated by both the user device and the server (i.e., the USR). ’813 Patent (EX1001) at 47:35-38 (“[T]he authentication of the biometric occurs at the user device 352, at the POS device 354, at the USR 356 or at a combination of the preceding.”).

17. Maes itself also already teaches both remote and local authentication. For example, in the context of a client/server mode, authentication must be performed to obtain a digital certificate (which may be used at any time). See e.g., Maes (EX1003) at 8:50-65, 10:18-21. Additionally, to use the PDA for a financial
transaction, the user must authenticate him or herself locally, in local mode. Id. at 3:59-61, 5:54-67.

18. Maes does not restrict the lifetime that can be specified by the user for the digital certificate. See id. at 9:65-10:7. Therefore, a PHOSITA would recognize that the user could set the lifetime of the digital certificate to be so short as to be practically eligible for only one transaction at a time. Thus, both the client-server mode and local mode would be effectively occurring for a single transaction. In addition, in the event that a user went to perform a transaction in local mode and the device informed the user that their digital certificate had expired, then the user would have to promptly perform client-server mode to re-authenticate their biometric and PIN with the server to obtain a new, unexpired digital certificate just before performing the financial transaction with the device.

19. Thus, any distinction between the client/server and local mode authentication as being part of different “sessions” is not meaningful. If one followed Patent Owner’s logic regarding the redundancy of local and remote verification, there would be no need for the client/server mode if the central server could just trust the PDA device’s authentication. And, the fact that the authorization number received by the merchant and transmitted to the central server for verifying a user in transactions is a function of the digital certificate indicates that the central server itself is performing part of the user verification for
a given transaction. See Maes at 12:66-13:5 (“Since the authorization number is a function of the unexpired digital certificate that was obtained from the central server 60 in the client/server mode, the central server 60 inform [sic] the merchant that the user was properly verified (step 318).”); 6:50-53.

20. A PHOSITA would not have considered the proposed combination of Maes and Pare, allowing for local and remote authentication, redundant such that the combination would not be made. It was known in the art to perform local and remote authentication, including in a same “session,” as discussed in Paragraphs 7-9 above, so incorporating the concepts taught in Pare related to encrypting transmitted authentication information would have resulted in obvious security enhancements to the similar system in Maes and is consistent with Maes’s desire to perform both local and remote authentication, including for an additional layer of security.

The Teachings in Maes would be Operable with and are not Inconsistent with Enhanced Infrastructure

21. Patent Owner argues that because Maes teaches backwards compatibility with existing infrastructure (e.g., by being able to use the Universal Card in swipe systems), then combining Maes’s teachings with any other prior art reference dealing with new technology or any upgrades to existing payment infrastructure defeats “the basic principle” of Maes’s invention. This conclusion is inconsistent with what a PHOSITA would have taken away from Maes’s
teachings. The basic principle that a PHOSITA would have taken away from the teachings in Maes is the desirability and operation of a portable electronic device that eliminates the need to physically carry insecure financial cards and provides for biometric and PIN verification to engage in secure transactions with merchants by using a remote central server to authorize transactions. See, e.g., Maes (EX1003) at 1:59-2:20, 2:23-30, 3:32-37. While Maes teaches that its system is capable of backwards compatibility, its teachings are very much related to adapting to new technology and upgrades to infrastructure as well. For example, Maes teaches that its system would work solely with the PDA device, without need for the Universal Card and with the PDA taking the place of the Universal Card. See Maes (EX1003) at 12:5-29.

22. Indeed, there are many examples in Maes where the proposed card/PDA combination would not be able to work with conventional POS devices at the time of its filing, making updated infrastructure necessary. For example, though known, it was not common for existing POS systems to overwrite a receipt on the Universal Card—such a feature would have required updates to existing POS systems. Id. at 11:41-43 (“In a more advanced transaction terminal 80, the Universal card may be overwritten with a receipt of the transaction by the POS or ATM transaction terminal 80 (step 222).”); see also id. at 11:42-51, 12:16-18, 14:17-21. Indeed, wireless POS devices that would communicate with a PDA
device, a feature explicitly taught by Maes, would have required updates to existing terminal infrastructure that did not have wireless capabilities yet. See id. at 12:5-29; see also id. at 15:29-43 (teaching that the invention would be compatible with near-future PAN-enabled POS terminals). However, these updates would have been based on well-known, predictable technology, and a PHOSITA would have had a reasonable expectation of success in their implementation.

23. Further, even though there are embodiments in which Maes teaches verbally communicating or displaying the authorization number for transactions not involving electronic data transfer, this is not a feature that represents a basic principle of operation of Maes or that detracts from the fact that it would have been obvious to a PHOSITA to wirelessly transmit an encrypted transaction message, as taught in Pare and supported by the teachings in other embodiments of Maes. The key characteristic of the authorization number is that it “is a function of the unexpired digital certificate that was obtained from the central server,” which allows the central server to confirm for the merchant that the user had been previously properly verified with the server. Maes at 13:1-5. Indeed, in one embodiment of Maes, it teaches that the authorization number may be transmitted directly, through wireless means. See Maes (EX1003) at 14:58-67 (transfer of money requiring authorization number may be performed via IR). Therefore, a PHOSITA would not conclude that Maes’s basic principle, and the sole purpose of
the authorization number, is for the system to be used in transactions not involving electronic data transfer.

24. Nothing in Maes prohibits changes to infrastructure; instead, Maes teaches a system for allowing adaptation to such changes. While it does teach the use of a Universal Card to allow the system to be backwards compatible, it clearly teaches that the PDA device may be used alone, with no card, including in wireless transactions. Id. at 12:5-29. As mentioned in Paragraph 22 above, Maes itself presents examples of working with “special” or “advanced” POS systems. Id. at 11:42-51, 12:16-18, 14:17-21. Therefore, nothing in Maes restricts infrastructure updates and, if anything, Maes is compatible with such updates.

25. Further, adding a simple seller registration process, to the extent it did not already exist, for purposes of implementing Pare’s commercial transaction message in Maes would not be incompatible with the teachings of Maes. Pare teaches that, in embodiments employing the seller registration step, it may be something as simple as a seller’s phone number, so having seller registration would not have required substantial infrastructure enhancements and would have involved relatively small changes to software. See Pare (EX1004) at 56:9 (“[T]he seller identification code, be it phone number …”). Indeed, even with basic tokens, such as common credit cards and other financial cards, POS devices must be associated
with a merchant account compatible with various financial institutions through a standard seller registration process so that those institutions know where to direct the credit or money.[10] A PHOSITA would have recognized that similar standard seller registration processes would have been readily available and compatible with the Maes-Pare combination and would have required only minor modifications in software and yielded predictable results related to having a merchant have an account with a financial institution because of their commonplace nature at the time.

[10] See, e.g., Lindvall (EX1035) at [0004], [0009]-[0012] (describing processes for allowing merchant account acquisition and approval).

Motivation to Combine Maes and Pare

26. Contrary to Patent Owner’s arguments, a PHOSITA, in my opinion, would have been motivated to combine Pare’s teachings of encrypting shared transaction and authentication information with the transactional system in Maes to enhance the security system of Maes, and such a combination would have been obvious, as I have previously explained. See EX1009, ¶54. To be successful, enhanced security is a high priority and primary goal for any financial transaction system, and a PHOSITA working in the field of secure financial transactions at that time (and particularly those involving use of mobile devices) would have
considered references that presented means for enhanced security, such as the use of encrypted authentication information to enhance security and reduce the risk of fraud.

27. Maes generally teaches the use of any known encryption technique to protect transmitted transaction data. See Maes (EX1003) at 10:10-15 (the invention “may employ any known encryption technique or algorithm” in encrypting data); see also id. at 13:24-38 (describing how an “encrypted information file” along with selected card information would be transmitted to a POS terminal as part of a transaction), 13:51-60. A PHOSITA would have been motivated by these teachings of Maes to consider existing techniques for encrypting transaction data, including Pare’s specific teachings of how to encrypt a message containing transaction and verification data. Both Maes and Pare present similar transaction systems using an electronic ID device and requiring remote authentication at a central server via a POS terminal. Therefore, a PHOSITA would have concluded that the teachings of Pare related to specific ways to encrypt transaction data would have presented an obvious improvement to the system in Maes that would have enhanced security and furthered Maes’s goal of reducing the risk of fraud.

28. Further, it would have been obvious to use Pare’s encrypted data in place of Maes’s authorization number or basic card information, as it was
becoming increasingly feasible in the field of financial security to employ encryption to enhance security. The obviousness of the proposed combination is bolstered by Maes’s own teachings related to encryption and authentication. For example, Maes teaches encrypting financial data generally and in the context of authorization numbers. See Maes (EX1003) at 15:15-20 (“[T]o prevent fraud, the PDA device of User A may be configured such that the authorization number produced by the PDA device of User A contains the amount of money to be transferred to the account of User B in an encrypted … form.”); see also id. at 13:39-50. And, importantly, the authorization number is a function of the unexpired digital certificate, which would have been obtained during the verification of a user during the client/server mode. Maes (EX1003) at 13:1-2. This relationship allows the central server to confirm that the authorization number is based on a valid verification of a user. Thus, a PHOSITA would understand that the authorization number already represents obscured data in that it is itself a function of the digital certificate. Therefore, Patent Owner’s argument that Maes never suggests “encrypting” the authorization number itself is misplaced. POR at 32. This argument that it would not be obvious to use Pare’s encrypted authentication information in place of Maes’ authorization number is inconsistent with the teachings of Maes, which itself teaches the exchange of encrypted information and the fact that the authorization number can itself contain
encrypted data.

C. Maes and Labrou

Labrou renders obvious the use of a PIN and biometric in generating a PIE

29. In my opinion, a PHOSITA would have been motivated from the teachings of Labrou to generate a PIE from a biometric and PIN. The benefits of multi-factor authentication were well-known in the art well before 2006. Further, Labrou repeatedly mentions the use of biometric in combination with a PIN for verifying a user. See, e.g., Labrou (EX1005) at [0421] (“[A]t some point the user decides to make a purchase, … the user selects and confirms the transaction by selecting the purchase button and entering (to the device 102) her PIN (and/or biometric if available).”); see also id. at [0158], [0416]-[0418], [0456]. Finally, Maes itself bolsters this concept, specifically teaching the use of a biometric and a PIN for remote verification of a user. See, e.g., Maes (EX1003) at 3:46-48 (“[T]he central server verifies the user either biometrically or through PIN or password or a combination thereof”). Therefore, I stand by my original opinion that generating and transmitting encrypted authentication information generated from secret information and information associated with a biometric input, inter alia, is obvious over the combination of Maes and Labrou.

30. I disagree with Dr. Jakobsson’s opinion that Labrou’s teaching of generating a PIE from a biometric would not have been possible. As discussed
above in Paragraphs 10-12, a PHOSITA would have known methods of generating a repeatable cryptographic string from different measurements of a biometric input of a user (e.g., varying measurements of the same fingerprint). A PHOSITA therefore would have known how to generate a repeatable PIE in Labrou from varying biometric measurements of the same person (e.g., of the same fingerprint), and these teachings are enabled by Labrou in light of the knowledge of a PHOSITA.

The Aliases of Labrou are “Account Identifying Information”

31. I have not been asked and am not offering an opinion on claim construction of this term. However, in my opinion, if claims 12 and 21 required that “account identifying information” be genera