IPR2018-00813

UNITED STATES PATENT AND TRADEMARK OFFICE
________________

BEFORE THE PATENT TRIAL AND APPEAL BOARD
________________

APPLE INC.,
Petitioner,

v.

UNIVERSAL SECURE REGISTRY LLC,
Patent Owner
________________

Case IPR2018-00813
U.S. Patent No. 9,100,826
________________

PATENT OWNER’S EXHIBIT 2113
DECLARATION OF MARKUS JAKOBSSON
IN SUPPORT OF PATENT OWNER’S REPLY TO OPPOSITION OF
CONDITIONAL MOTION TO AMEND

USR Exhibit 2113

1. I have been retained on behalf of Universal Secure Registry LLC (“Patent Owner”) in connection with the above-captioned inter partes review (IPR). I have been retained to provide my opinions in support of USR’s Reply to Opposition of Conditional Motion to Amend. I am being compensated for my time at the rate of $625 per hour. I have no interest in the outcome of this proceeding.

2. In preparing this declaration, I have reviewed and am familiar with the Petition for IPR2018-00813, U.S. Patent No. 9,100,826 (hereinafter “’826 patent”), and its file history, and all other materials cited and discussed in the Petition (including all prior art references cited therein) and all other materials cited and discussed in this Declaration including the Conditional Motion to Amend, Paper 19 (“Motion”) and Petitioner’s Opposition to the Conditional Motion to Amend, Paper 25 (“Op.”).

3. The statements made herein are based on my own knowledge and opinion. This Declaration represents only the opinions I have formed to date. I may consider additional documents as they become available or other documents that are necessary to form my opinions. I reserve the right to revise, supplement, or amend my opinions based on new information and on my continuing analysis.

I. QUALIFICATIONS

4. My qualifications can be found in my Curriculum Vitae, which includes my detailed employment background, professional experience, and list of technical publications and patents. Ex. 2102.

5. I am currently the Chief of Security and Data Analytics at Amber Solutions, Inc., a cybersecurity company that develops home and office automation technology. At Amber, my research studies and addresses abuse, including social engineering, malware and privacy intrusions. My work primarily involves identifying risks, developing protocols and user experiences, and evaluating the security of proposed approaches.

6. I received a Master of Science degree in Computer Engineering from the Lund Institute of Technology in Sweden in 1993, a Master of Science degree in Computer Science from the University of California at San Diego in 1994, and a Ph.D. in Computer Science from the University of California at San Diego in 1997, specializing in Cryptography. During and after my Ph.D. studies, I was also a Researcher at the San Diego Supercomputer Center, where I did research on authentication and privacy.

7. From 1997 to 2001, I was a Member of Technical Staff at Bell Labs, where I did research on authentication, privacy, multi-party computation, contract exchange, digital commerce including crypto payments, and fraud detection and prevention. From 2001 to 2004, I was a Principal Research Scientist at RSA Labs, where I worked on predicting future fraud scenarios in commerce and authentication and developed solutions to those problems. During that time I predicted the rise of what later became known as phishing. I was also an Adjunct Associate Professor in the Computer Science department at New York University from 2002 to 2004, where I taught cryptographic protocols.

8. From 2004 to 2016, I held a faculty position at the Indiana University at Bloomington, first as an Associate Professor of Computer Science, Associate Professor of Informatics, Associate Professor of Cognitive Science, and Associate Director of the Center for Applied Cybersecurity Research (CACR) from 2004 to 2008; and then as an Adjunct Associate Professor from 2008 to 2016. I was the most senior security researcher at Indiana University, where I built a research group focused on online fraud and countermeasures, resulting in over 50 publications and two books.

9. While a professor at Indiana University, I was also employed by Xerox PARC, PayPal, and Qualcomm to provide thought leadership to their security groups. I was a Principal Scientist at Xerox PARC from 2008 to 2010, a Director and Principal Scientist of Consumer Security at PayPal from 2010 to 2013, a Senior Director at Qualcomm from 2013 to 2015, and Chief Scientist at Agari from 2016 to 2018. Agari is a cybersecurity company that develops and commercializes technology to protect enterprises, their partners and customers from advanced email phishing attacks. At Agari, my research studied and addressed trends in online fraud, especially as related to email, including problems such as Business Email Compromise, Ransomware, and other abuses based on social engineering and identity deception. My work primarily involved identifying trends in fraud and computing before they affected the market, and developing and testing countermeasures, including technological countermeasures, user interaction and education.

10. I have founded or co-founded several successful computer security companies. In 2005 I founded RavenWhite Security, a provider of authentication solutions, and I am currently its Chief Technical Officer. In 2007 I founded Extricatus, one of the first companies to address consumer security education. In 2009 I founded FatSkunk, a provider of mobile malware detection software; I served as Chief Technical Officer of FatSkunk from 2009 to 2013, when FatSkunk was acquired by Qualcomm and I became a Qualcomm employee. In 2013 I founded ZapFraud, a provider of anti-scam technology addressing Business Email Compromise, and I am currently its Chief Technical Officer. In 2014 I founded RightQuestion, a security consulting company.

11. I have additionally served as a member of the fraud advisory board at LifeLock (an identity theft protection company); a member of the technical advisory board at CellFony (a mobile security company); a member of the technical advisory board at PopGiro (a user reputation company); a member of the technical advisory board at MobiSocial dba Omlet (a social networking company); and a member of the technical advisory board at Stealth Security (an anti-fraud company). I have provided anti-fraud consulting to KommuneData (a Danish government entity), J.P. Morgan Chase, PayPal, Boku, and Western Union.

12. I have authored five books and over 100 peer-reviewed publications, and have been a named inventor on over 100 patents and patent applications.

13. My work has included research in the area of applied security, privacy, cryptographic protocols, authentication, malware, social engineering, usability and fraud.

II. LEGAL UNDERSTANDING

A. The Person of Ordinary Skill in the Art

14. I understand that a person of ordinary skill in the relevant art (also referred to herein as “POSITA”) is presumed to be aware of all pertinent art, thinks along conventional wisdom in the art, and is a person of ordinary creativity—not an automaton.

15. I have been asked to consider the level of ordinary skill in the field that someone would have had at the time the claimed invention was made. In deciding the level of ordinary skill, I considered the following:

• the levels of education and experience of persons working in the field;

• the types of problems encountered in the field; and

• the sophistication of the technology.

16. A person of ordinary skill in the art relevant to the ’826 patent at the time of the invention would have a Bachelor of Science degree in electrical engineering and/or computer science, and three years of work or research experience in the fields of secure transactions and encryption, or a Master’s degree in electrical engineering and/or computer science and two years of work or research experience in related fields.

17. I am well-qualified to determine the level of ordinary skill in the art and am personally familiar with the technology of the ’826 Patent. I was a person of at least ordinary skill in the art at the time of the priority date of the ’826 patent in 2006. Regardless if I do not explicitly state that my statements below are based on this timeframe, all of my statements are to be understood as a POSITA would have understood something as of the priority date of the ’826 patent.

B. Legal Principles

18. I am not a lawyer and will not provide any legal opinions.

19. Though I am not a lawyer, I have been advised that certain legal standards are to be applied by technical experts in forming opinions regarding the meaning and validity of patent claims.

20. I have been informed and understand that if the Board should accept Petitioner’s arguments and cancel any of the original issued claims of the ’826 patent, Patent Owner has made a conditional motion to amend to substitute the canceled claim(s) with corresponding proposed amended claims 36-61, as set forth in Section III of Ex. 2111 (my declaration in support of Patent Owner’s Motion to Amend).

21. I have been informed and understand that to permit the proposed substitute claims to be entered, Patent Owner must show, among other things, that the substitute claims are supported by the written description of the original disclosure of the patent, as well as any patent application to which the claim seeks the benefit of priority in this proceeding.

22. I have been informed by counsel and understand that to satisfy the written description requirement, the substitute claims must be disclosed in sufficient detail such that one skilled in the art can reasonably conclude that the inventor had possession of the claimed invention as of the filing date sought. I understand that the Patent Owner can show possession of the claimed invention by pointing to such descriptive means as words, structures, figures, diagrams, and formulas that fully set forth the claimed invention.

23. I have been informed by counsel and understand that incorporation by reference is a method by which material from one or more documents may be integrated into a host document. I understand that material incorporated by reference is considered part of the written description of the patent that can be used to show possession of the claimed invention.

24. I have been informed by counsel and understand that to permit the proposed substitute claims to be entered, Patent Owner must show, among other things, that the substitute claims do not introduce new subject matter.

25. I understand that new matter is any addition to the claims without support in the original disclosure.

26. I have been informed by counsel and understand that to permit the proposed substitute claims to be entered, Patent Owner must show, among other things, the substitute claims do not broaden the scope of the original claims.

27. I understand that claims in dependent form are construed to include all the limitations of the claim incorporated by reference into the dependent claim and further limit the claim incorporated by reference.

28. It has been explained to me by counsel for the Patent Owner that in proceedings before the USPTO, the claims of an unexpired patent are to be given their broadest reasonable interpretation in view of the specification from the perspective of one having ordinary skill in the relevant art at the time of the invention. I have considered each of the claim terms using the broadest reasonable interpretation standard.

III. RESPONSIVE ARGUMENTS TO OPPOSITION

A. Claim 56 Has Written Description Support

29. I understand that Petitioner contends that substitute claim 56 lacks written description support and is therefore invalid under 35 U.S.C. § 112. Op. at 3-4. I respectfully disagree.

30. Limitations 56[c] and 56[e] specify that the first authentication information includes a first key encrypted by a second key and that the encrypted first key is decrypted using the second key to retrieve the first key. Motion at B6. The specification describes that a first wireless signal includes “a PKI encrypted one-time DES key.” Ex. 2106 at 49:24-26. The specification further describes how “[t]he second wireless device uses the first public key to decrypt the PKI encrypted DES key.” Id. at 50:30-31. I understand that in response to this disclosure, Petitioner states “a value encrypted with a public key, which is an asymmetric key, could not be decrypted using the same public key. Even with extensive experimentation, it would be impossible for a POSITA to implement encryption and decryption with a public key.” Op. at 4. In my opinion the specification as written contains an obvious error because a public key cannot be used to decrypt ciphertext.

31. I have been informed that an amendment to correct an obvious error does not constitute new matter where the ordinary artisan would not only recognize the existence of the error in the specification, but also recognize the appropriate corrections. The obvious error noted by Petitioner in the ’860 Application would immediately be recognized by a POSITA, who would also recognize the appropriate corrections. In particular, a POSITA would know that a public key cannot be used to both encrypt and decrypt data, and upon identifying this obvious error, a POSITA would also readily recognize two corrections—both very trivial in nature—that would clarify the specification.

32. First, in my opinion, since a public key cannot be used to both encrypt and decrypt data, a POSITA would readily understand that the recipient’s public key would have been used to perform encryption of the data (e.g., second wireless device’s public key used to encrypt DES key) and the recipient’s private key would be used to decrypt the data (e.g., second wireless device’s private key used to decrypt DES key). Also, since an asymmetric, public key cannot be used to perform symmetric encryption/decryption, then the key described in the specification as performing the desired symmetric encryption and decryption of the DES key may simply be a symmetric key like the claimed “second key.” In my opinion, both of these corrections in view of the specification’s teachings would be readily recognizable to a POSITA. As such, I believe the specification provides written description support for limitations 56[c] and 56[e].

B. Petitioner Fails to Show that Cited References Render Obvious “to conduct a credit and/or debit card [financial] transaction”

33. I understand that Petitioner contends that Jakobsson alone or in combination with Schutzer discloses the limitation “to conduct a credit and/or debit card [financial] transaction” of claims 36 and 45. Op. at 4-7, 12. First, Petitioner appears to argue that Jakobsson discloses the aforementioned limitation because Jakobsson states that “[a]uthentication can result in…access to such services as financial services…” and that Jakobsson’s user device 120 can be a “credit-card sized device…such as a credit card including a magnetic strip or other data store[d] on one of its sides.” Op. at 5 (citing Ex. 1104, Jakobsson at [0039], [0041]).

34. However, in my opinion, Jakobsson does not disclose that its user device is used for credit/debit card [financial] transactions. Petitioner points to paragraphs [0039] and [0041] of Jakobsson as allegedly disclosing that Jakobsson can be used in financial transactions. Op. at 5. But paragraph [0039] states that authentication of the user by the verifier 105 can result in providing “access to a physical location, communications network, computer system, and so on; access to such services as financial services and records, health services and records and so on; or access to levels of information or services.” Ex. 1104, Jakobsson at [0039]. This is the only mention of the word “financial” in Jakobsson, and this reference does not pertain to the authentication device (the alleged first handheld device); instead, it describes the actions taken by the verifier (the alleged second device).

35. Moreover, I believe Petitioner’s reliance on paragraphs [0039] and [0041] of Jakobsson is misplaced. This disclosure does not teach or suggest a first handheld device that is used to conduct credit/debit card [financial] transactions. Instead, consistent with Jakobsson’s other disclosures, paragraph [0039] teaches that Jakobsson’s system verifies an authentication code specific to the authentication device in order to provide the user with access to a “physical location or object” or “electronic access to a computer system or data.” Ex. 1104, Jakobsson at [0039]; see also id., [0003]. I believe a POSITA would understand that the verifier provides “access to such services as financial services and records, health services and records and so on” by allowing the user to login to a computer system with such data (e.g., the website of a financial institution or healthcare provider) or by providing physical access to a location with the records. Similarly, paragraph [0041] merely states that user device may be a credit card sized device including a magnetic strip like that of a credit card; it does not state that the device is an actual credit card that can be used to conduct financial transactions. See Ex. 1104, Jakobsson at [0041].

36. Second, I understand that Petitioner argues that “Schutzer teaches ‘securely performing a bankcard transaction, such as a credit card or debit card transaction.’” Op. at 5 (citing Ex. 1130, Schutzer at [0010]). Petitioner further contends that “it would have been obvious to combine Schutzer’s bankcard transaction authentication system with the authentication system of Jakobsson because it would have involved nothing more than applying a known technique (using authentication for bankcard transactions) to a known device (the authentication system of Jakobsson) in the same way (by verifying information).” Op. at 6.

37. In my opinion Petitioner fails to provide a reasoned explanation as to how a POSITA would combine/modify Jakobsson’s system with Schutzer’s credit card transaction scheme. A close review of Schutzer reveals that authentication of the user device 10 with the back end authenticator 22 occurs as a preliminary step to obtain a proxy credit card number before the user engages in the credit card transaction by sending the merchant the proxy card number. See Ex. 1130, Schutzer at [0026], [0028], [0029] (describing use of a PIN/password to pre-authenticate user). Petitioner fails to explain how or why a POSITA would be motivated to incorporate the teachings of Schutzer’s PIN/password-based user pre-authentication with Jakobsson’s main authentication scheme. I believe a POSITA would not modify or combine Schutzer’s teachings with Jakobsson because it would lead to the nonsensical result of pre-authenticating Jakobsson’s user authentication device 120 with the verifier 105 before the user authentication device 120 goes through the complicated, time-consuming process of generating and transmitting an authentication code 290 to the verifier 105 for user authentication. And even if both Schutzer and Jakobsson “recognize the risk of stolen authentication credentials,” as alleged by Petitioner (Op. at 6-7), this does little to explain whether a POSITA would be motivated to make the suggested combination and whether there’s a reasonable chance of success.

C. Petitioner Fails to Identify and Address All Three of “First Authentication Information,” “One-time Code,” and “Digital Signature” Included in the Claimed First Wireless Signal

38. I understand that Petitioner contends that substitute claims 36 and 45 are obvious over Jakobsson in view of Schutzer but Petitioner fails to identify and account for all three features that are included in the claimed “first [wireless] signal” of substitute claims 36 and 45. Specifically, limitations 36[f] and 45[d] specify that the first [wireless] signal includes a “first authentication information,” a “one-time code,” and a “digital signature.” Motion at B1, B4. Petitioner’s analysis does not identify what in Jakobsson or Schutzer allegedly corresponds to the claimed “first authentication information.” Op. at 9-11.

39. Instead, Petitioner first alleges that Jakobsson’s “authentication code” corresponds to the claimed “one-time code.” See Op. at 10 (“Jakobsson discloses a number of different one-time codes that can change over time and can be combined with other information using combination function 230 to generate an authentication code.”). Next, Petitioner alleges that Schutzer discloses the claimed “digital signature.” Id. Petitioner then abruptly concludes, “Accordingly, Jakobsson in view of Schutzer discloses substitute limitations 36[f], 36[g], 36[h], 36[j],” providing no analysis or explanation of what feature in Jakobsson or Schutzer allegedly corresponds to the claimed “first authentication information.” Id.

40. In my opinion, Petitioner’s discussion of purported reasons to combine Jakobsson and Schutzer fares no better and also fails to explain what constitutes the claimed “first authentication information.” For instance, Petitioner argues that a POSITA would be allegedly motivated to “add the digital signature of Schutzer to the authentication code of Jakobsson” because doing so would be “a combination of prior art elements (one-time code, authentication code, and digital signature) according to known methods.” Op. at 10-11 (emphasis added). Petitioner further contends that a POSITA would prepend/append “the one-time code and digital signature to the authentication code.” Id. at 11.

41. But the substitute claims do not recite an “authentication code;” the claims instead recite a “first authentication information” that is “derived from the first biometric information.” Moreover, Petitioner already relies on Jakobsson’s “authentication code” as allegedly satisfying the claimed “one-time code,” not “first authentication information.” Thus, Petitioner’s references to both a “one-time code” and an “authentication code” as shown in the preceding paragraph are wrong. Petitioner glosses over its double counting of Jakobsson’s authentication code as being both the claimed “one-time code” and the “first authentication information.”

42. Petitioner’s attempt to hand-wave away the three distinct requirements of the first [wireless] signal of claims 36 and 45 is improper and the Board should correspondingly deny its failed obviousness analysis.

D. Petitioner Fails to address “the digital signature generated using a private key associated with the first handheld device”

43. In my opinion, Petitioner fails to show that the prior art of record discloses “the digital signature generated using a private key associated with the first handheld device.” Motion at B1 (36[f]). Petitioner ignores this claim limitation in its analysis of the prior art. See Op. at 4-11. Instead, Petitioner focuses only on whether Schutzer discusses a “digital signature,” and neglects to dig deeper as to whether Schutzer’s digital signature is specifically generated using a private key associated with a handheld device. See Op. at 10 (citing Ex. 1130, Schutzer, ¶29). A close review of the cited portion of Schutzer reveals that Schutzer is silent on how the digital signature is generated, such as who or what generated the digital signature. In particular, no explicit or implicit disclosure is made that Schutzer’s digital signature was generated using a private key of a handheld device.

44. Also, no implicit disclosure is made in Schutzer that the digital signature is necessarily generated by a private key of the user’s computing device 10. For instance, Schutzer’s digital signature may be generated using the private key of a certificate authority and be used as part of a digital certificate to authenticate the user.

45. As another example, the digital signature may be that of the user itself and not the user’s device. The distinction here may be subtle yet important. A user may personally have its own private-public key pair that it uses to create digital signatures that can be uniquely associated to him or her. That same user may, however, own multiple different electronic devices that each have their own public-private key pairs that may be used to create digital signatures that can be used to identify the specific device itself and not necessarily its user.

E. Petitioner Fails to Address Several Limitations of Claim 45

46. I understand that Petitioner asserts that “Substitute claim 45 adds similar amendments to claim 10 as substitute claim 36 to 1,” and then summarily concludes that, “Accordingly, substitute claim 45 is obvious for at least the same reasons claims 10 and 36 are obvious.” Op. at 12. But I believe Petitioner’s dismissive analysis neglects limitations that are distinctly unique to claim 45.

47. Petitioner fails to address limitations 45[e] and 45[g], which respectively recite, “at least one of the digital signature and/or the one-time code encrypted by the first handheld device” and “decrypting, with the second device, at least one of the digital signature and/or the one-time code encrypted by the first handheld device.” Motion at B3. Petitioner does not address anywhere in its Opposition what prior art reference purportedly discloses these claim features. In my opinion, these limitations are unique to claim 45 and are not found in claim 36. Thus, Petitioner’s summary reliance on its limited analysis of claim 36 as the basis for its opposition to claim 45 is explicitly deficient, leaving Petitioner with no argument whatsoever with respect to limitations 45[e] and 45[g].

48. Next, limitation 45[d] requires that a first signal generated “include[] the first authentication information of the first entity, the one-time code, and the digital signature as separable fields of the first signal.” Motion at B4 (emphasis added). Again, this “separable fields” requirement is not present in claim 36 and is consequently not addressed by Petitioner in its analysis of claim 36. See Op. at 4-11. While Petitioner discusses “separable fields” with respect to a different claim, claim 42, Petitioner does not refer back to or cite to claim 42 in its analysis of claim 45.

49. Moreover, in my opinion independent claim 45 includes other distinctly different limitations not found in independent claim 36 or dependent claim 42 (e.g., “at least one of the digital signature and/or the one-time code encrypted by the first handheld device” and “decrypting…at least one of the digital signature and/or the one-time code encrypted by the first handheld device”). These limitations have a material impact on how claim 45 comes together as a whole to define a distinctly different invention than claim 36 or claim 42. To satisfy its burden, these differences require that Petitioner articulate in its Opposition how and why the “separable fields” limitation was obvious with respect to claim 45 as a whole. Petitioner does not.

50. By neglecting to analyze multiple features of claim 45 in its Opposition, Petitioner fails to make a prima facie showing of unpatentability.

F. Petitioner Fails to Show Prior Art Discloses “Separable Fields”

51. I understand that Petitioner argues that a POSITA would have understood that Jakobsson’s combination function 230 could be used to generate authentication codes by prepending or appending various values together to arrive at a separable authentication code, and that, “Accordingly, it would have been obvious to a POSITA to append the one-time code and digital signature to form the combined authentication code or include them as additions thereto such that they would be separable to from one another.” Op. at 14. In my opinion, there are at least two things wrong with Petitioner’s reasoning.

52. First, appending a one-time code to a digital signature to form a combined authentication code results in a two-field composite signal whereas the substitute claims require at least three. And Petitioner fails to make reference to what feature in Jakobsson, if anything, is the claimed “first authentication information.”

53. Second, Jakobsson never discloses an embodiment where an authentication code is generated without use of—at least at some stage—a one-way function, such as a hash function. Even in the embodiment where Jakobsson describes a PIN (P) being appended to authentication code A(K, T, E), the latter value is the result of a one-way function. See Ex. 1104, Jakobsson at [0073]. Use of a one-way function is critical to Jakobsson’s system because otherwise the system would not be secure. In light of the teachings of Jakobsson, a POSITA would not, for example, prepend/append various values without applying a one-way function because certain types of information described in Jakobsson, such as the secret key K or biometric value P, would be put at risk of interception.

G. Jakobsson and Burnett Fail to Disclose Limitations 56[c], 56[e]

54. I understand that Petitioner relies on Jakobsson in view of Burnett to show that claim 56 is obvious. However, I believe Petitioner’s analysis of Jakobsson and Burnett is flawed.

55. Petitioner argues that “[t]o the extent that Jakobsson does not explicitly discuss encrypting data with a first key and encrypting the first key with a second key, Burnett discloses this limitation.” Op. at 16. Specifically, Petitioner states that “Burnett discloses that a ‘session key’ ([first key]) used to encrypt information can be encrypted using a key encryption key (‘KEK’) ([second key]), and that the same KEK can be used to decrypt the first key.” Op. at 15 (citing Ex. 1123, Burnett at 54-55, FIG. 3-1). Petitioner also claims that it would have been obvious to “modify the authentication information of Jakobsson by encrypting it with a session key, encrypting the session key with a KEK, and transmitting the KEK-encrypted session key…to the second device for decryption as taught by Burnett.” Op. at 17. A close review of Burnett reveals that Petitioner misunderstands and misapplies Burnett.

56. Among other things, Chapter 3 of Burnett discusses password-based encryption (PBE). In particular, it describes how a “session key,” which is used to encrypt and decrypt bulk data, may itself be encrypted using another key that is known as a key encryption key (KEK). Ex. 1123, Burnett at 54. Burnett further discusses how, advantageously, the KEK is not stored and is instead generated as needed at the device to encrypt or decrypt the session key to recover the encrypted data. Id. (“When he needs a KEK to encrypt, [he] will generate it, use it, and then throw it away. When he needs to decrypt the data, he generates the KEK again, uses it, and throws it away.”). In particular, the process uses PBE where a “mixing algorithm” blends a “salt” (i.e., a random value) and a user-selected password together to generate a KEK. Id. at 55. After
