WORLD INTELLECTUAL PROPERTY ORGANIZATION
International Bureau

INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT)

(51) International Patent Classification 7: G06F 1/00
(11) International Publication Number: WO 00/42491
(43) International Publication Date: 20 July 2000 (20.07.00)
(21) International Application Number: PCT/US00/00711
(22) International Filing Date: 12 January 2000 (12.01.00)
(30) Priority Data:
    60/116,006    15 January 1999 (15.01.99)     US
    09/281,017    30 March 1999 (30.03.99)       US
    09/449,159    24 November 1999 (24.11.99)    US
(71) Applicant: RAINBOW TECHNOLOGIES, INC. [US/US]; 50 Technology Drive, Irvine, CA 92618 (US).
(72) Inventors: ABBOTT, Shawn, D.; 305 Pinnacle Ridge Place, RR12, Calgary, Alberta T3E 6W3 (CA). AFGHANI, Bahram; 891 Tia Juana Street, Laguna Beach, CA 92651 (US). SOTOODEH, Mehdi; 17 Paloma Drive, Mission Viejo, CA 92692 (US). DENTON, Norman, L., III; 34052 Capo-by-the-Sea, Dana Point, CA 92629 (US). LONG, Calvin, W.; 1260 Oakhaven Lane, Arcadia, CA 91006 (US). PUNT, Maarten, G.; 24942 Paseo Arboleda, Lake Forest, CA 92630 (US). ANDERSON, Allan, D.; 11158 Bertha Place, Cerritos, CA 90703 (US). GODDING, Patrick, N.; 22665 Shady Grove Circle, Lake Forest, CA 92630 (US).
(74) Agent: COOPER, Victor, G.; Gates & Cooper, Suite 1050, 6701 Center Drive, West, Los Angeles, CA 90025 (US).
(81) Designated States: AE, AL, AM, AT, AU, AZ, BA, BB, BG, BR, BY, CA, CH, CN, CR, CU, CZ, DE, DK, DM, EE, ES, FI, GB, GD, GE, GH, GM, HR, HU, ID, IL, IN, IS, JP, KE, KG, KP, KR, KZ, LC, LK, LR, LS, LT, LU, LV, MA, MD, MG, MK, MN, MW, MX, NO, NZ, PL, PT, RO, RU, SD, SE, SG, SI, SK, SL, TJ, TM, TR, TT, TZ, UA, UG, UZ, VN, YU, ZA, ZW, ARIPO patent (GH, GM, KE, LS, MW, SD, SL, SZ, TZ, UG, ZW), Eurasian patent (AM, AZ, BY, KG, KZ, MD, RU, TJ, TM), European patent (AT, BE, CH, CY, DE, DK, ES, FI, FR, GB, GR, IE, IT, LU, MC, NL, PT, SE), OAPI patent (BF, BJ, CF, CG, CI, CM, GA, GN, GW, ML, MR, NE, SN, TD, TG).

Published
With international search report.
Before the expiration of the time limit for amending the claims and to be republished in the event of the receipt of amendments.

(54) Title: USB-COMPLIANT PERSONAL KEY WITH INTEGRAL INPUT AND OUTPUT DEVICES

(57) Abstract

A compact, self-contained, personal key is disclosed. The personal key comprises a USB-compliant interface (206) releasably coupleable to a host processing device (102); a memory (214); and a processor (212). The processor (212) provides the host processing device (102) conditional access to data storable in the memory (214) as well as the functionality required to manage files stored in the personal key and for performing computations based on the data in the files. In one embodiment, the personal key also comprises an integral user input device (218) and an integral user output device (222). The input and output devices (218, 222) communicate with the processor (212) by communication paths (220, 222) which are independent from the USB-compliant interface (206), and thus allow the user to communicate with the processor (212) without manifesting any private information external to the personal key.

PayPal Inc. v. IOENGINE, LLC
IPR2019-00884 (US 8,539,047)
Exhibit 2079
Page 1 of 57

FOR THE PURPOSES OF INFORMATION ONLY

Codes used to identify States party to the PCT on the front pages of pamphlets publishing international applications under the PCT.

AL  Albania
AM  Armenia
AT  Austria
AU  Australia
AZ  Azerbaijan
BA  Bosnia and Herzegovina
BB  Barbados
BE  Belgium
BF  Burkina Faso
BG  Bulgaria
BJ  Benin
BR  Brazil
BY  Belarus
CA  Canada
CF  Central African Republic
CG  Congo
CH  Switzerland
CI  Côte d'Ivoire
CM  Cameroon
CN  China
CU  Cuba
CZ  Czech Republic
DE  Germany
DK  Denmark
EE  Estonia
ES  Spain
FI  Finland
FR  France
GA  Gabon
GB  United Kingdom
GE  Georgia
GH  Ghana
GN  Guinea
GR  Greece
HU  Hungary
IE  Ireland
IL  Israel
IS  Iceland
IT  Italy
JP  Japan
KE  Kenya
KG  Kyrgyzstan
KP  Democratic People's Republic of Korea
KR  Republic of Korea
KZ  Kazakstan
LC  Saint Lucia
LI  Liechtenstein
LK  Sri Lanka
LR  Liberia
LS  Lesotho
LT  Lithuania
LU  Luxembourg
LV  Latvia
MC  Monaco
MD  Republic of Moldova
MG  Madagascar
MK  The former Yugoslav Republic of Macedonia
ML  Mali
MN  Mongolia
MR  Mauritania
MW  Malawi
MX  Mexico
NE  Niger
NL  Netherlands
NO  Norway
NZ  New Zealand
PL  Poland
PT  Portugal
RO  Romania
RU  Russian Federation
SD  Sudan
SE  Sweden
SG  Singapore
SI  Slovenia
SK  Slovakia
SN  Senegal
SZ  Swaziland
TD  Chad
TG  Togo
TJ  Tajikistan
TM  Turkmenistan
TR  Turkey
TT  Trinidad and Tobago
UA  Ukraine
UG  Uganda
US  United States of America
UZ  Uzbekistan
VN  Viet Nam
YU  Yugoslavia
ZW  Zimbabwe

USB-COMPLIANT PERSONAL KEY WITH INTEGRAL INPUT AND OUTPUT DEVICES

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to computer peripherals, and in particular to a personal key having input and output devices integrated therewith to provide for increased security.

2. Description of the Related Art

In the last decade, the use of personal computers in both the home and in the office has become widespread. These computers provide a high level of functionality to many people at a moderate price, substantially surpassing the performance of the large mainframe computers of only a few decades ago. The trend is further evidenced by the increasing popularity of laptop and notebook computers, which provide high-performance computing power on a mobile basis.

The widespread availability of personal computers has had a profound impact on interpersonal communications as well. Only a decade ago, telephones or fax machines offered virtually the only media for rapid business communications. Today, a growing number of businesses and individuals communicate via electronic mail (e-mail). Personal computers have also been instrumental in the emergence of the Internet and its growing use as a medium of commerce.

While certainly beneficial, the growing use of computers in personal communications, commerce, and business has also given rise to a number of unique challenges.

First, the growing use of computers has resulted in extensive unauthorized use and copying of computer software, costing software developers substantial revenue. Although unauthorized copying or use of software is a violation of the law, the widespread availability of pirated software and enforcement difficulties have limited the effectiveness of this means of preventing software piracy.

Software developers and computer designers alike have sought technical solutions to attack the problem of software piracy. One solution uses an external device known as a hardware key, or "dongle" coupled to an input/output (I/O) port of the host computer.

While the use of such hardware keys is an effective way to reduce software piracy, to date, their use has been substantially limited to high value software products. Hardware keys have not been widely applied to popular software packages, in part, because the hardware keys are too expensive, and in part, because there is a reluctance on the part of the application program user to bother with a hardware key whenever use of the protected program is desired. Also, in many cases, the hardware keys are designed for use with only one application. Hence, where the use of multiple applications on the same computer is desired, multiple hardware keys must be operated at the same time.

While it reflects a tremendous advance over telephones and facsimile machines, e-mail also has its problems. One of these problems involves security. Telephone lines are relatively secure and a legally sanctioned way to engage in the private transmission of information; however, e-mails are generally sent over the Internet with no security whatsoever. Persons transmitting electronic messages must be assured that their messages are not opened or disclosed to unauthorized persons. Further, the addressee of the electronic message should be certain of the identity of the sender and that the message was not tampered with at some point during transmission.

Although the packet-switching nature of Internet communications helps to minimize the risk of intercepted communications, it would not be difficult for a determined interloper to obtain access to an unprotected e-mail message.

Many methods have been developed to secure the integrity of electronic messages during transmission. Simple encryption is the most common method of securing data. Both secret key encryption such as DES (Data Encryption Standard) and public key encryption methods that use both a public and a private key are implemented. Public and private key encryption methods allow users to send Internet and e-mail messages without concern that the message will be read by unauthorized persons or that its contents will be tampered with. However, key cryptographic methods do not protect the receiver of the message, because they do not allow the recipient to authenticate the validity of the public key or to validate the identity of the sender of the electronic message.

The use of digital certificates presents one solution to this problem. A digital certificate is a signed document attesting to the identity and public key of the person signing the message. Digital certificates allow the recipient to validate the authenticity of a public key. However, the typical user may use e-mail to communicate with hundreds of persons, and may use any one of several computers to do so. Hence, a means for managing a number of digital certificates across several computer platforms is needed.

Internet commerce raises other challenges. Users seeking to purchase goods or services using the Internet must be assured that their credit card numbers and the like are safe from compromise. At the same time, vendors must be assured that services and goods are delivered only to those who have paid for them. In many cases, these goals are accomplished with the use of passwords. However, as Internet commerce becomes more commonplace, customers are finding themselves in a position where they must either decide to use a small number of passwords for all transactions, or face the daunting task of remembering multiple passwords. Using a small number of passwords for all transactions inherently compromises security, since the disclosure of any of the passwords may lead to a disclosure of the others. Even the use of a large number of passwords can lead to compromised security. Because customers commonly forget their password, many Internet vendors provide an option whereby the user can be reminded of their password by providing other personal information such as their birthplace, mother's maiden name, and/or social security number. This feature, while often necessary to promote Internet commerce, severely compromises the password by relying on "secret" information that is in fact, publicly available.

Even in cases where the user is willing and able to keep track of a large number of passwords, the password security technique is often compromised by the fact that the user is inclined to select a password that is relatively easy to remember. It is indeed rare that a user selects a truly random password. What is needed is a means for generating and managing random passwords that can be stored and recalled for use on a wide variety of computer platforms.

Internet communications have also seen the increased use of "cookies." Cookies comprise data and programs that keep track of a user's patterns and preferences that can be downloaded from the Internet server for storage on the user's computer. Typically, cookies contain a range of addresses. When the browser encounters those addresses again, the cookies associated with the addresses are provided to the Internet server. For example, if a user's password were stored as a cookie, the use of the cookie would allow the user to request services or goods without requiring that the user enter the password again when accessing that service for the second and subsequent time.

However beneficial, cookies can also have their dark side. Many users object to storage of cookies on their computer's hard drive. In response to these concerns, Internet browser software allows the user to select an option so that they are notified before cookies are stored or used. The trouble with this solution is that this usually results in an excessive number of messages prompting the user to accept cookies. A better solution than this all-or-nothing approach would be to allow the storage and/or use of cookies, but to isolate and control that storage and use to comply with user-specified criteria.

Smartcards provide some of the above mentioned functionality, but smartcards do not present an ideal solution. First, personal keys are only valuable to the user if they offer a single, widely accepted secure repository for digital certificates and passwords. Smartcard readers are relatively expensive, and are not in wide use, at least in the United States, and are therefore unsuited to the task.

Second, smartcards do not provide for entering data directly into the card. This opens the smartcard to possible sniffer modules in malicious software, which can monitor the smartcard-reader interface to determine the user's personal identification or password information. This problem is especially problematic in situations where the user is using an unknown or untrusted smartcard reader. The lack of any direct input device also prevents the user from performing any smartcard-related functions in the relatively common situation where no smartcard reader is available.

Third, data cannot be accessed from the smartcard unless the smartcard is in the reader. This prevents the user from viewing data stored in the smartcard (i.e. a stored password) until a smartcard reader can be located. Given that smartcard readers (especially trusted ones) can be difficult to find, this substantially limits the usefulness of the card. Of course, the user may simply write the password down on paper, but this may compromise the security of all of the data in the card, and is inconsistent with the goal of providing a central, secure, portable repository for private data.

From the foregoing, it can be seen that there is a need for a personal key that allows the user to store and retrieve passwords and digital certificates without requiring the use of vulnerable external interfaces.

SUMMARY OF THE INVENTION

The present invention satisfies all of these needs with a personal key in a form factor that is compliant with a commonly available I/O interface such as the Universal Serial Bus (USB). The personal key includes a processor and a memory which implement software protection schemes to prevent copying and unauthorized use. The personal key provides for the storage and management of digital certificates, allowing the user to store all of his digital certificates in one media that is portable from platform to platform. The personal key provides for the generation, storage, and management of many passwords, providing additional security and relieving the user from the task of remembering multiple passwords. The personal key provides a means to store cookies and other Java-implemented software programs, allowing the user to accept cookies in a removable and secure form-factor. These features are especially useful when the present invention is used in a virtual private network (VPN). The present invention can also be used for several applications.

Because the personal key is capable of storing virtually all of the user's sensitive information, it is important that the personal key be as secure as possible. Hence, one embodiment of the personal key also comprises a biometric sensor disposed to measure biometrics such as fingerprint data. The biometric sensor measures characteristics of the person holding the key (such as fingerprints) to confirm that the person possessing the key is the actual owner of the key.

Since the personal key represents a single, secure repository for a great deal of the data the user will need to use and interact with a variety of computer platforms, it is also important that the personal key be able to interface (i.e., transmit and receive data) with a large variety of computers and computer peripherals. Hence, one embodiment of the personal key includes an electromagnetic wave transception device such as an infrared (IR) transceiver. This transceiver allows the personal key to exchange information with a wide variety of computers and peripherals without physical coupling.

The present invention is well suited for controlling access to network services, or anywhere a password, cookie, digital certificate, or smartcard might otherwise be used, including:

- Remote access servers, including Internet protocol security (IPSec), point to point tunneling protocol (PPTP), password authentication protocol (PAP), challenge handshake authentication protocol (CHAP), remote access dial-in user service (RADIUS), terminal access controller access control system (TACACS);
- Providing Extranet and subscription-based web access control, including hypertext transport protocol (HTTP), secure sockets layer (SSL);
- Supporting secure online banking, benefits administration, account management;
- Supporting secure workflow and supply chain integration (form signing);
- Preventing laptop computer theft (requiring personal key for laptop operation);
- Workstation logon authorization;
- Preventing the modification or copying of software;
- Encrypting files;
- Supporting secure e-mail, for example, with secure multipurpose Internet mail extensions (S/MIME), and open pretty good privacy (OpenPGP)
- Administering network equipment administration; and
- Electronic wallets, with, for example, secure electronic transaction (SET, MilliCent, eWallet)

In one embodiment, the present invention comprises a compact, self-contained, personal token or key. The personal key comprises a USB-compliant interface releasably coupleable to a host processing device; a memory; and a processor. The processor provides the host processing device conditional access to data storable in the memory as well as the functionality required to manage files stored in the personal key and for performing computations based on the data in the files.

In one embodiment, the personal key also comprises an integral user input device and an integral user output device. The input and output devices communicate with the processor by communication paths which are independent from the USB-compliant interface, and thus allow the user to communicate with the processor without manifesting any private information external to the personal key.

BRIEF DESCRIPTION OF THE DRAWINGS

Referring now to the drawings in which like reference numbers represent corresponding parts throughout:

FIG. 1 is a diagram showing an exemplary hardware environment for practicing the present invention;

FIG. 2 is a block diagram illustrating selected modules of one embodiment of the present invention;

FIG. 3 is a diagram of the memory resources provided by the memory of the personal key;

FIG. 4 is a diagram showing one embodiment of how an encryption engine is used to authenticate the identity of the personal key or the application data stored therein;

FIG. 5 is a diagram illustrating the data contents of a file system memory resource of an active personal key that provides authentication and specific configuration data for several applications;

FIG. 6 is a diagram presenting an illustration of one embodiment of the personal key;

FIGS. 7A-7C are diagrams showing one embodiment of the personal key having an input device including a first pressure sensitive device and a second pressure sensitive device, each communicatively coupled to the processor by a communication path distinct from the USB-compliant interface;

FIGS. 8A-8C are diagrams presenting an illustration of another embodiment of the present invention;

FIG. 9 is a flow chart illustrating an embodiment of the present invention in which processor operations are subject to user authorization; and

FIG. 10 is a flow chart illustrating an embodiment of the present invention in which the PIN is entered directly into the personal key.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

In the following description, reference is made to the accompanying drawings which form a part hereof, and which is shown, by way of illustration, several embodiments of the present invention. It is understood that other embodiments may be utilized and structural changes may be made without departing from the scope of the present invention.

Hardware Environment

FIG. 1 illustrates an exemplary computer system 100 that could be used to implement the present invention. The computer 102 comprises a processor 104 and a memory, such as random access memory (RAM) 106. The computer 102 is operatively coupled to a display 122, which presents images such as windows to the user on a graphical user interface 118B. The computer 102 may be coupled to other devices, such as a keyboard 114, a mouse device 116, a printer 128, etc. Of course, those skilled in the art will recognize that any combination of the above components, or any number of different components, peripherals, and other devices, may be used with the computer 102.

Generally, the computer 102 operates under control of an operating system 108 stored in the memory 106, and interfaces with the user to accept inputs and commands and to present results through a graphical user interface (GUI) module 118A. Although the GUI module 118A is depicted as a separate module, the instructions performing the GUI functions can be resident or distributed in the operating system 108, the computer program 110, or implemented with special purpose memory and processors. The computer 102 also implements a compiler 112 which allows an application program 110 written in a programming language such as COBOL, C++, FORTRAN, or other language to be translated into processor 104 readable code. After completion, the application 110 accesses and manipulates data stored in the memory 106 of the computer 102 using the relationships and logic that are generated using the compiler 112. The computer 102 also comprises an input/output (I/O) port 130 for a personal token 200 (hereinafter alternatively referred to also as a personal key 200). In one embodiment, the I/O port 130 is a USB-compliant port implementing a USB-compliant interface.

In one embodiment, instructions implementing the operating system 108, the computer program 110, and the compiler 112 are tangibly embodied in a computer-readable medium, e.g., data storage device 120, which could include one or more fixed or removable data storage devices, such as a zip drive, floppy disc drive 124, hard drive, CD-ROM drive, tape drive, etc. Further, the operating system 108 and the computer program 110 are comprised of instructions which, when read and executed by the computer 102, causes the computer 102 to perform the steps necessary to implement and/or use the present invention. Computer program 110 and/or operating instructions may also be tangibly embodied in memory 106 and/or data communications devices, thereby making a computer program product or article of manufacture according to the invention. As such, the terms "article of manufacture" and "computer program product" as used herein are intended to encompass a computer program accessible from any computer readable device or media.

The computer 102 may be communicatively coupled to a remote computer or server 134 via communication medium 132 such as a dial-up network, a wide area network (WAN), local area network (LAN), virtual private network (VPN) or the Internet. Program instructions for computer operation, including additional or alternative application programs can be loaded from the remote computer/server 134. In one embodiment, the computer 102 implements an Internet browser, allowing the user to access the world wide web (WWW) and other internet resources.

Those skilled in the art will recognize that many modifications may be made to this configuration without departing from the scope of the present invention. For example, those skilled in the art will recognize that any combination of the above components, or any number of different components, peripherals, and other devices, may be used with the present invention.

Architectural Overview

FIG. 2 is a block diagram illustrating selected modules of the present invention. The personal key 200 communicates with and obtains power from the host computer through a USB-compliant communication path 202 in the USB-compliant interface 204 which includes the input/output port 130 of the host computer 102 and a matching input/output (I/O) port 206 on the personal key 200. Signals received at the personal key I/O port 206 are passed to and from the processor 212 by a driver/buffer 208 via communication paths 210 and 216. The processor 212 is communicatively coupled to a memory 214, which may store data and instructions to implement the above-described features of the invention. In one embodiment, the memory 214 is a non-volatile random-access memory that can retain factory-supplied data as well as customer-supplied application related data. The processor 212 may also include some internal memory for performing some of these functions.

The processor 212 is optionally communicatively coupled to an input device 218 via an input device communication path 220 and to an output device 222 via an output device communication path 224, both of which are distinct from the USB-compliant interface 204 and communication path 202. These separate communication paths 220 and 224 allow the user to view information about processor 212 operations and provide input related to processor 212 operations without allowing a process or other entity with visibility to the USB-compliant interface 204 to eavesdrop or intercede. This permits secure communications between the key processor 212 and the user.
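
The following model contrasts a PIN typed on the host and sent over the USB interface with a PIN entered on the key itself over the separate input path, which is also the smartcard sniffer concern raised in the Background. It is an added example, not code from the patent or its applicant; the class, the command names (VERIFY_PIN, REQUEST_PIN_ENTRY, SIGN), the retry limit, the PIN and the stored secret are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets


class PersonalKey:
    """Toy model of personal key 200 (processor 212, memory 214).

    usb_trace stands for everything crossing USB-compliant interface 204;
    press_keys/display stand for input path 220 and output path 224.
    Command names and the retry limit are assumptions of this illustration.
    """

    MAX_TRIES = 3

    def __init__(self, pin, secret):
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._kdf(pin)    # memory 214: PIN verifier only
        self._secret = secret              # memory 214: never sent to the host
        self._unlocked = False
        self._tries_left = self.MAX_TRIES
        self.usb_trace = []                # frames a bus observer can read
        self.display = []                  # output device 222, user-visible only

    def _kdf(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 10_000)

    def _check_pin(self, pin):
        if self._tries_left == 0:          # too many failures: stay locked
            return False
        ok = hmac.compare_digest(self._kdf(pin), self._pin_hash)
        self._tries_left = self.MAX_TRIES if ok else self._tries_left - 1
        self._unlocked = ok
        return ok

    def usb_command(self, command, payload=b""):
        """Host-facing path 202: request and response are both on the bus."""
        self.usb_trace.append(command.encode() + b" " + payload)
        response = self._dispatch(command, payload)
        self.usb_trace.append(response)
        return response

    def _dispatch(self, command, payload):
        if command == "VERIFY_PIN":         # PIN typed on the host keyboard
            ok = self._check_pin(payload.decode())
            return b"OK" if ok else b"DENIED"
        if command == "REQUEST_PIN_ENTRY":  # PIN to be typed on the key itself
            self.display.append("ENTER PIN")
            return b"PENDING"
        if command == "SIGN":               # computation on stored data
            if not self._unlocked:
                return b"DENIED"
            mac = hmac.new(self._secret, payload, hashlib.sha256)
            return mac.hexdigest().encode()
        return b"UNKNOWN"

    def press_keys(self, chars):
        """Input device 218 over path 220: nothing is written to usb_trace."""
        ok = self._check_pin(chars)
        self.display.append("OK" if ok else "BAD PIN")
        return ok


# Constructed sample values. The PIN contains a non-hex letter so that it can
# never appear by chance inside the hex MAC returned by SIGN.
PIN = "27K9"
SECRET = b"constructed-secret"


def bus_leaks(key, value):
    """True if a process watching the USB interface would have seen value."""
    return any(value in frame for frame in key.usb_trace)


def host_entry_flow():
    """PIN travels host -> key over USB, so it lands in the bus trace."""
    key = PersonalKey(PIN, SECRET)
    key.usb_command("VERIFY_PIN", PIN.encode())
    return key, key.usb_command("SIGN", b"challenge-1")


def on_key_entry_flow():
    """PIN is entered on the key; the bus carries only the request and result."""
    key = PersonalKey(PIN, SECRET)
    key.usb_command("REQUEST_PIN_ENTRY")
    key.press_keys(PIN)
    return key, key.usb_command("SIGN", b"challenge-1")


if __name__ == "__main__":
    for name, flow in (("host entry", host_entry_flow),
                       ("on-key entry", on_key_entry_flow)):
        key, mac = flow()
        print(name, "| PIN on bus:", bus_leaks(key, PIN.encode()),
              "| MAC prefix:", mac[:16].decode())
```

Both flows unlock the same computation for the host, but only the host-entry trace contains the PIN; in neither flow does the stored secret cross the interface.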
`
`In one embodiment ofthe invention set forth more fully below, the user
`
`communicates directly with the processor 212 by physical manipulation of mechanical
`
`switches or devices aetuatable from the external side of the key (for example, by
`
`pressure-sensitive devices such as buttons and mechanical switches).
`
`In another
`
`embodiment of the invention set forth more fully below, the input device includes a
`
`wheel with tactile detents indicating the selection of characters.
`
`The input device and output devices 218, 222 may cooperatively interact with
`
`one another to enhance the functionality of the personal key 200. For example, the
`
`output device 222 may provide information prompting the user to enter information
`
`into the input device 218. For example, the output device 222 may comprise a visual
`
`display such as an alphanumeric LED or LCD display (which can display Arabic
`
`numbers and or letters) and/or an aural device. The user may be prompted to enter
`
`U-
`
`10
`
`15
`
`20
`
`25
`
`30
`
`PayPal Inc. v. IOENGINE, LLC
`|PR2019-00884 (US 8,539,047)
`Exhibit 2079
`
`Page 13 of 57
`
`PayPal Inc. v. IOENGINE, LLC
`IPR2019-00884 (US 8,539,047)
`Exhibit 2079
`Page 13 of 57
`
`

`

`W0 00/4249]
`
`-12-
`
`PCT/US00/00711
`
`information by a beeping of the aural device, by a flashing pattern of the LED, or by
`
`both. The output device 222 may also optionally be used to confirm entry of
`
`information by the input device 218. For example, an aural output device may beep
`
`when the user enters information into the input device 218 or when the user input is
`
`invalid. The input device 218 may take one of many forms, including different
`
`combinations of input devices.
`
`Although the input device communication path 220 and the output device
`
`communication path 224 are illustrated in FIG. 2 as separate paths, the present
`
`invention can be implemented by combining the paths 220 and 224 while still
`
`retaining a communication path distinct from the USB-compliant interface 204. For
`
`example, the input device 218 and output device 222 may be packaged in a single
`
`device and communications with the processor 212 multiplexed over a single
`
`communication path.
`
`In one embodiment of the invention, the present invention further comprises a
`
`second output device 222 that may be coupled to the USB-compliant interface 204
`
`instead of being coupled to the processor via a communication path distinct from the
`
`USB-compliant interface 204. This embodiment may be used, for example, to
`
`indicate to the user that the personal key 200 has been correctly inserted into the host
`
`computer’s USB port (for example, by providing an indication of a power signal of
`
`the USB-compliant interface). The second output device may also be used to show
`
`that data is passing to and from the host computer and the personal key 200 (for
`
`example, by providing an indication of a data signal from the USB-compliant
`
`interface).
`
`The personal key has an interface including a USB driver module 266
`
`communicatively coupled to an application program interface (API) 260 having a
`
`plurality of API library routines. The API 260 provides an interface with the
`
`application 110 to issue commands and accept results from the personal key 200. In
`
`one embodiment, a browser 262, such as the browser available from NETSCAPE, Inc.
`
`operates with the API 260 and the public key cryptographic standard (PKCS) module
`
`264 to implement a token-based user authentication system.
`
`While the portability and utility of the personal key has many advantages, it
`
`also has one important disadvantage... it can be lost or stolen. This is especially
`
`troublesome because the personal key 200 represents a secu
