PCT
WORLD INTELLECTUAL PROPERTY ORGANIZATION
International Bureau

INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT)

(51) International Patent Classification 7: G06F 1/00

(11) International Publication Number: WO 00/42491

(43) International Publication Date: 20 July 2000 (20.07.00)

(21) International Application Number: PCT/US00/00711

(22) International Filing Date: 12 January 2000 (12.01.00)

(30) Priority Data:
60/116,006    15 January 1999 (15.01.99)     US
09/281,017    30 March 1999 (30.03.99)       US
09/449,159    24 November 1999 (24.11.99)    US

(71) Applicant: RAINBOW TECHNOLOGIES, INC. [US/US]; 50 Technology Drive, Irvine, CA 92618 (US).

(72) Inventors: ABBOTT, Shawn, D.; 305 Pinnacle Ridge Place, RR12, Calgary, Alberta T3E 6W3 (CA). AFGHANI, Bahram; 891 Tia Juana Street, Laguna Beach, CA 92651 (US). SOTOODEH, Mehdi; 17 Paloma Drive, Mission Viejo, CA 92692 (US). DENTON, Norman, L., III; 34052 Capo-by-the-Sea, Dana Point, CA 92629 (US). LONG, Calvin, W.; 1260 Oakhaven Lane, Arcadia, CA 91006 (US). PUNT, Maarten, G.; 24942 Paseo Arboleda, Lake Forest, CA 92630 (US). ANDERSON, Allan, D.; 11158 Bertha Place, Cerritos, CA 90703 (US). GODDING, Patrick, N.; 22665 Shady Grove Circle, Lake Forest, CA 92630 (US).

(74) Agent: COOPER, Victor, G.; Gates & Cooper, Suite 1050, 6701 Center Drive, West, Los Angeles, CA 90025 (US).

(81) Designated States: AE, AL, AM, AT, AU, AZ, BA, BB, BG, BR, BY, CA, CH, CN, CR, CU, CZ, DE, DK, DM, EE, ES, FI, GB, GD, GE, GH, GM, HR, HU, ID, IL, IN, IS, JP, KE, KG, KP, KR, KZ, LC, LK, LR, LS, LT, LU, LV, MA, MD, MG, MK, MN, MW, MX, NO, NZ, PL, PT, RO, RU, SD, SE, SG, SI, SK, SL, TJ, TM, TR, TT, TZ, UA, UG, UZ, VN, YU, ZA, ZW, ARIPO patent (GH, GM, KE, LS, MW, SD, SL, SZ, TZ, UG, ZW), Eurasian patent (AM, AZ, BY, KG, KZ, MD, RU, TJ, TM), European patent (AT, BE, CH, CY, DE, DK, ES, FI, FR, GB, GR, IE, IT, LU, MC, NL, PT, SE), OAPI patent (BF, BJ, CF, CG, CI, CM, GA, GN, GW, ML, MR, NE, SN, TD, TG).

Published
With international search report.
Before the expiration of the time limit for amending the claims and to be republished in the event of the receipt of amendments.

(54) Title: USB-COMPLIANT PERSONAL KEY WITH INTEGRAL INPUT AND OUTPUT DEVICES

(57) Abstract

A compact, self-contained, personal key is disclosed. The personal key comprises a USB-compliant interface (206) releasably coupleable to a host processing device (102); a memory (214); and a processor (212). The processor (212) provides the host processing device (102) conditional access to data storable in the memory (214) as well as the functionality required to manage files stored in the personal key and for performing computations based on the data in the files. In one embodiment, the personal key also comprises an integral user input device (218) and an integral user output device (222). The input and output devices (218, 222) communicate with the processor (212) by communication paths (220, 222) which are independent from the USB-compliant interface (206), and thus allow the user to communicate with the processor (212) without manifesting any private information external to the personal key.

PayPal Inc. v. IOENGINE, LLC
IPR2019-00884 (US 8,539,047)
Exhibit 2079
Page 1 of 57

USB-COMPLIANT PERSONAL KEY WITH INTEGRAL INPUT AND OUTPUT DEVICES

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to computer peripherals, and in particular to a personal key having input and output devices integrated therewith to provide for increased security.

2. Description of the Related Art

In the last decade, the use of personal computers in both the home and in the office has become widespread. These computers provide a high level of functionality to many people at a moderate price, substantially surpassing the performance of the large mainframe computers of only a few decades ago. The trend is further evidenced by the increasing popularity of laptop and notebook computers, which provide high-performance computing power on a mobile basis.

The widespread availability of personal computers has had a profound impact on interpersonal communications as well. Only a decade ago, telephones or fax machines offered virtually the only media for rapid business communications. Today, a growing number of businesses and individuals communicate via electronic mail (e-mail). Personal computers have also been instrumental in the emergence of the Internet and its growing use as a medium of commerce.

While certainly beneficial, the growing use of computers in personal communications, commerce, and business has also given rise to a number of unique challenges.

First, the growing use of computers has resulted in extensive unauthorized use and copying of computer software, costing software developers substantial revenue. Although unauthorized copying or use of software is a violation of the law, the widespread availability of pirated software and enforcement difficulties have limited the effectiveness of this means of preventing software piracy.

Software developers and computer designers alike have sought technical solutions to attack the problem of software piracy. One solution uses an external device known as a hardware key, or "dongle", coupled to an input/output (I/O) port of the host computer.

While the use of such hardware keys is an effective way to reduce software piracy, to date, their use has been substantially limited to high value software products. Hardware keys have not been widely applied to popular software packages, in part, because the hardware keys are too expensive, and in part, because there is a reluctance on the part of the application program user to bother with a hardware key whenever use of the protected program is desired. Also, in many cases, the hardware keys are designed for use with only one application. Hence, where the use of multiple applications on the same computer is desired, multiple hardware keys must be operated at the same time.

While it reflects a tremendous advance over telephones and facsimile machines, e-mail also has its problems. One of these problems involves security. Telephone lines are relatively secure and a legally sanctioned way to engage in the private transmission of information; however, e-mails are generally sent over the Internet with no security whatsoever. Persons transmitting electronic messages must be assured that their messages are not opened or disclosed to unauthorized persons. Further, the addressee of the electronic message should be certain of the identity of the sender and that the message was not tampered with at some point during transmission.

Although the packet-switching nature of Internet communications helps to minimize the risk of intercepted communications, it would not be difficult for a determined interloper to obtain access to an unprotected e-mail message.

Many methods have been developed to secure the integrity of electronic messages during transmission. Simple encryption is the most common method of securing data. Both secret key encryption such as DES (Data Encryption Standard) and public key encryption methods that use both a public and a private key are implemented. Public and private key encryption methods allow users to send Internet and e-mail messages without concern that the message will be read by unauthorized persons or that its contents will be tampered with. However, key cryptographic methods do not protect the receiver of the message, because they do not allow the recipient to authenticate the validity of the public key or to validate the identity of the sender of the electronic message.

The use of digital certificates presents one solution to this problem. A digital certificate is a signed document attesting to the identity and public key of the person signing the message. Digital certificates allow the recipient to validate the authenticity of a public key. However, the typical user may use e-mail to communicate with hundreds of persons, and may use any one of several computers to do so. Hence, a means for managing a number of digital certificates across several computer platforms is needed.

Internet commerce raises other challenges. Users seeking to purchase goods or services using the Internet must be assured that their credit card numbers and the like are safe from compromise. At the same time, vendors must be assured that services and goods are delivered only to those who have paid for them. In many cases, these goals are accomplished with the use of passwords. However, as Internet commerce becomes more commonplace, customers are finding themselves in a position where they must either decide to use a small number of passwords for all transactions, or face the daunting task of remembering multiple passwords. Using a small number of passwords for all transactions inherently compromises security, since the disclosure of any of the passwords may lead to a disclosure of the others. Even the use of a large number of passwords can lead to compromised security. Because customers commonly forget their password, many Internet vendors provide an option whereby the user can be reminded of their password by providing other personal information such as their birthplace, mother's maiden name, and/or social security number. This feature, while often necessary to promote Internet commerce, severely compromises the password by relying on "secret" information that is, in fact, publicly available.

Even in cases where the user is willing and able to keep track of a large number of passwords, the password security technique is often compromised by the fact that the user is inclined to select a password that is relatively easy to remember. It is indeed rare that a user selects a truly random password. What is needed is a means for generating and managing random passwords that can be stored and recalled for use on a wide variety of computer platforms.

Internet communications have also seen the increased use of "cookies." Cookies comprise data and programs that keep track of a user's patterns and preferences that can be downloaded from the Internet server for storage on the user's computer. Typically, cookies contain a range of addresses. When the browser encounters those addresses again, the cookies associated with the addresses are provided to the Internet server. For example, if a user's password were stored as a cookie, the use of the cookie would allow the user to request services or goods without requiring that the user enter the password again when accessing that service for the second and subsequent time.

However beneficial, cookies can also have their dark side. Many users object to storage of cookies on their computer's hard drive. In response to these concerns, Internet browser software allows the user to select an option so that they are notified before cookies are stored or used. The trouble with this solution is that this usually results in an excessive number of messages prompting the user to accept cookies. A better solution than this all-or-nothing approach would be to allow the storage and/or use of cookies, but to isolate and control that storage and use to comply with user-specified criteria.

Smartcards provide some of the above-mentioned functionality, but smartcards do not present an ideal solution. First, personal keys are only valuable to the user if they offer a single, widely accepted secure repository for digital certificates and passwords. Smartcard readers are relatively expensive, and are not in wide use, at least in the United States, and are therefore unsuited to the task.

Second, smartcards do not provide for entering data directly into the card. This opens the smartcard to possible sniffer modules in malicious software, which can monitor the smartcard-reader interface to determine the user's personal identification or password information. This problem is especially problematic in situations where the user is using an unknown or untrusted smartcard reader. The lack of any direct input device also prevents the user from performing any smartcard-related functions in the relatively common situation where no smartcard reader is available.

Third, data cannot be accessed from the smartcard unless the smartcard is in the reader. This prevents the user from viewing data stored in the smartcard (i.e., a stored password) until a smartcard reader can be located. Given that smartcard readers (especially trusted ones) can be difficult to find, this substantially limits the usefulness of the card. Of course, the user may simply write the password down on paper, but this may compromise the security of all of the data in the card, and is inconsistent with the goal of providing a central, secure, portable repository for private data.

From the foregoing, it can be seen that there is a need for a personal key that allows the user to store and retrieve passwords and digital certificates without requiring the use of vulnerable external interfaces.

SUMMARY OF THE INVENTION

The present invention satisfies all of these needs with a personal key in a form factor that is compliant with a commonly available I/O interface such as the Universal Serial Bus (USB). The personal key includes a processor and a memory which implement software protection schemes to prevent copying and unauthorized use. The personal key provides for the storage and management of digital certificates, allowing the user to store all of his digital certificates in one media that is portable from platform to platform. The personal key provides for the generation, storage, and management of many passwords, providing additional security and relieving the user from the task of remembering multiple passwords. The personal key provides a means to store cookies and other Java-implemented software programs, allowing the user to accept cookies in a removable and secure form-factor. These features are especially useful when the present invention is used in a virtual private network (VPN). The present invention can also be used for several applications.

Because the personal key is capable of storing virtually all of the user's sensitive information, it is important that the personal key be as secure as possible. Hence, one embodiment of the personal key also comprises a biometric sensor disposed to measure biometrics such as fingerprint data. The biometric sensor measures characteristics of the person holding the key (such as fingerprints) to confirm that the person possessing the key is the actual owner of the key.

Since the personal key represents a single, secure repository for a great deal of the data the user will need to use and interact with a variety of computer platforms, it is also important that the personal key be able to interface (i.e., transmit and receive data) with a large variety of computers and computer peripherals. Hence, one embodiment of the personal key includes an electromagnetic wave transception device such as an infrared (IR) transceiver. This transceiver allows the personal key to exchange information with a wide variety of computers and peripherals without physical coupling.

The present invention is well suited for controlling access to network services, or anywhere a password, cookie, digital certificate, or smartcard might otherwise be used, including:

* Remote access servers, including Internet protocol security (IPSec), point to point tunneling protocol (PPTP), password authentication protocol (PAP), challenge handshake authentication protocol (CHAP), remote access dial-in user service (RADIUS), terminal access controller access control system (TACACS);
* Providing Extranet and subscription-based web access control, including hypertext transport protocol (HTTP), secure sockets layer (SSL);
* Supporting secure online banking, benefits administration, account management;
* Supporting secure workflow and supply chain integration (form signing);
* Preventing laptop computer theft (requiring personal key for laptop operation);
* Workstation logon authorization;
* Preventing the modification or copying of software;
* Encrypting files;
* Supporting secure e-mail, for example, with secure multipurpose Internet mail extensions (S/MIME), and open pretty good privacy (OpenPGP);
* Administering network equipment administration; and
* Electronic wallets, with, for example, secure electronic transaction (SET, MilliCent, eWallet)

In one embodiment, the present invention comprises a compact, self-contained, personal token or key. The personal key comprises a USB-compliant interface releasably coupleable to a host processing device; a memory; and a processor. The processor provides the host processing device conditional access to data storable in the memory as well as the functionality required to manage files stored in the personal key and for performing computations based on the data in the files.

In one embodiment, the personal key also comprises an integral user input device and an integral user output device. The input and output devices communicate with the processor by communication paths which are independent from the USB-compliant interface, and thus allow the user to communicate with the processor without manifesting any private information external to the personal key.

BRIEF DESCRIPTION OF THE DRAWINGS

Referring now to the drawings in which like reference numbers represent corresponding parts throughout:

FIG. 1 is a diagram showing an exemplary hardware environment for practicing the present invention;

FIG. 2 is a block diagram illustrating selected modules of one embodiment of the present invention;

FIG. 3 is a diagram of the memory resources provided by the memory of the personal key;

FIG. 4 is a diagram showing one embodiment of how an encryption engine is used to authenticate the identity of the personal key or the application data stored therein;

FIG. 5 is a diagram illustrating the data contents of a file system memory resource of an active personal key that provides authentication and specific configuration data for several applications;

FIG. 6 is a diagram presenting an illustration of one embodiment of the personal key;

FIGs. 7A-7C are diagrams showing one embodiment of the personal key having an input device including a first pressure sensitive device and a second pressure sensitive device, each communicatively coupled to the processor by a communication path distinct from the USB-compliant interface;

FIGs. 8A-8C are diagrams presenting an illustration of another embodiment of the present invention;

FIG. 9 is a flow chart illustrating an embodiment of the present invention in which processor operations are subject to user authorization; and

FIG. 10 is a flow chart illustrating an embodiment of the present invention in which the PIN is entered directly into the personal key.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

In the following description, reference is made to the accompanying drawings which form a part hereof, and in which is shown, by way of illustration, several embodiments of the present invention. It is understood that other embodiments may be utilized and structural changes may be made without departing from the scope of the present invention.

Hardware Environment

FIG. 1 illustrates an exemplary computer system 100 that could be used to implement the present invention. The computer 102 comprises a processor 104 and a memory, such as random access memory (RAM) 106. The computer 102 is operatively coupled to a display 122, which presents images such as windows to the user on a graphical user interface 118B. The computer 102 may be coupled to other devices, such as a keyboard 114, a mouse device 116, a printer 128, etc. Of course, those skilled in the art will recognize that any combination of the above components, or any number of different components, peripherals, and other devices, may be used with the computer 102.

Generally, the computer 102 operates under control of an operating system 108 stored in the memory 106, and interfaces with the user to accept inputs and commands and to present results through a graphical user interface (GUI) module 118A. Although the GUI module 118A is depicted as a separate module, the instructions performing the GUI functions can be resident or distributed in the operating system 108, the computer program 110, or implemented with special purpose memory and processors. The computer 102 also implements a compiler 112 which allows an application program 110 written in a programming language such as COBOL, C++, FORTRAN, or other language to be translated into processor 104 readable code. After completion, the application 110 accesses and manipulates data stored in the memory 106 of the computer 102 using the relationships and logic that are generated using the compiler 112. The computer 102 also comprises an input/output (I/O) port 130 for a personal token 200 (hereinafter alternatively referred to also as a personal key 200). In one embodiment, the I/O port 130 is a USB-compliant port implementing a USB-compliant interface.

In one embodiment, instructions implementing the operating system 108, the computer program 110, and the compiler 112 are tangibly embodied in a computer-readable medium, e.g., data storage device 120, which could include one or more fixed or removable data storage devices, such as a zip drive, floppy disc drive 124, hard drive, CD-ROM drive, tape drive, etc. Further, the operating system 108 and the computer program 110 are comprised of instructions which, when read and executed by the computer 102, cause the computer 102 to perform the steps necessary to implement and/or use the present invention. Computer program 110 and/or operating instructions may also be tangibly embodied in memory 106 and/or data communications devices, thereby making a computer program product or article of manufacture according to the invention. As such, the terms "article of manufacture" and "computer program product" as used herein are intended to encompass a computer program accessible from any computer readable device or media.

The computer 102 may be communicatively coupled to a remote computer or server 134 via communication medium 132 such as a dial-up network, a wide area network (WAN), local area network (LAN), virtual private network (VPN) or the Internet. Program instructions for computer operation, including additional or alternative application programs, can be loaded from the remote computer/server 134. In one embodiment, the computer 102 implements an Internet browser, allowing the user to access the world wide web (WWW) and other internet resources.

Those skilled in the art will recognize that many modifications may be made to this configuration without departing from the scope of the present invention. For example, those skilled in the art will recognize that any combination of the above components, or any number of different components, peripherals, and other devices, may be used with the present invention.

Architectural Overview

FIG. 2 is a block diagram illustrating selected modules of the present invention. The personal key 200 communicates with and obtains power from the host computer through a USB-compliant communication path 202 in the USB-compliant interface 204 which includes the input/output port 130 of the host computer 102 and a matching input/output (I/O) port 206 on the personal key 200. Signals received at the personal key I/O port 206 are passed to and from the processor 212 by a driver/buffer 208 via communication paths 210 and 216. The processor 212 is communicatively coupled to a memory 214, which may store data and instructions to implement the above-described features of the invention. In one embodiment, the memory 214 is a non-volatile random-access memory that can retain factory-supplied data as well as customer-supplied application related data. The processor 212 may also include some internal memory for performing some of these functions.

The processor 212 is optionally communicatively coupled to an input device 218 via an input device communication path 220 and to an output device 222 via an output device communication path 224, both of which are distinct from the USB-compliant interface 204 and communication path 202. These separate communication paths 220 and 224 allow the user to view information about processor 212 operations and provide input related to processor 212 operations without allowing a process or other entity with visibility to the USB-compliant interface 204 to eavesdrop or intercede. This permits secure communications between the key processor 212 and the user.

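The separation described above, between the USB path (202, 204) and the input and output paths (220, 224), modelled as an added C example that is not part of the patent: it runs one session with the PIN sent by the host over USB and one with the PIN keyed on the token, and checks what a process with visibility of the USB byte stream can recover. The command codes, status bytes, sample PIN and stored data are constructed for illustration.

```c
/* Added illustration: toy model of the personal key's two data paths. Opcodes, status
 * bytes, PIN and stored data are constructed for this example, not taken from the patent. */
#include <stdio.h>
#include <string.h>

enum { PIN_LEN = 4, DATA_LEN = 8, LOG_MAX = 64 };
enum { CMD_VERIFY_PIN = 0x01, CMD_READ_DATA = 0x02 };  /* hypothetical opcodes */
enum { ST_OK = 0x90, ST_DENIED = 0x69 };               /* hypothetical status bytes */
typedef struct {
    unsigned char pin[PIN_LEN];      /* reference PIN held in memory 214 */
    unsigned char data[DATA_LEN];    /* data released only after authorization */
    unsigned char entry[PIN_LEN];    /* digits keyed on input device 218 */
    size_t entry_len;
    int unlocked, led_on;            /* led_on models output device 222 */
    unsigned char usb_log[LOG_MAX];  /* every byte that crossed USB interface 204 */
    size_t usb_log_len;
} personal_key;

static void log_usb(personal_key *k, const unsigned char *b, size_t n) {
    if (n > LOG_MAX - k->usb_log_len) n = LOG_MAX - k->usb_log_len;  /* clamp to buffer */
    memcpy(k->usb_log + k->usb_log_len, b, n);
    k->usb_log_len += n;
}

static int pin_matches(const unsigned char *a, const unsigned char *b) {
    unsigned char diff = 0;  /* no early exit, so timing does not reveal a prefix match */
    for (size_t i = 0; i < PIN_LEN; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

void key_init(personal_key *k, const char *pin, const char *data) {
    memset(k, 0, sizeof *k);
    memcpy(k->pin, pin, PIN_LEN);
    memcpy(k->data, data, DATA_LEN);
}

/* Path 220: a key press reaches the processor directly and never becomes USB traffic. */
void key_button_digit(personal_key *k, char digit) {
    if (k->entry_len < PIN_LEN) k->entry[k->entry_len++] = (unsigned char)digit;
}

/* Paths 220 and 224: confirm the entry; the result is shown on the key's own indicator. */
void key_button_enter(personal_key *k) {
    k->led_on = k->unlocked = (k->entry_len == PIN_LEN) && pin_matches(k->entry, k->pin);
    memset(k->entry, 0, sizeof k->entry);  /* wipe the typed digits */
    k->entry_len = 0;
}

/* Path 202: host request in, response out, both logged. Returns the response length. */
size_t key_usb_command(personal_key *k, const unsigned char *req, size_t req_len,
                       unsigned char *resp, size_t resp_cap) {
    size_t n = 0;
    if (req_len == 0 || resp_cap < 1 + DATA_LEN) return 0;
    log_usb(k, req, req_len);
    if (req[0] == CMD_VERIFY_PIN && req_len == 1 + PIN_LEN) {
        k->unlocked = pin_matches(req + 1, k->pin);  /* PIN typed on the host keyboard */
        resp[n++] = k->unlocked ? ST_OK : ST_DENIED;
    } else if (req[0] == CMD_READ_DATA && req_len == 1 && k->unlocked) {
        resp[n++] = ST_OK;
        memcpy(resp + n, k->data, DATA_LEN);
        n += DATA_LEN;
    } else {
        resp[n++] = ST_DENIED;
    }
    log_usb(k, resp, n);
    return n;
}

/* What a process watching the USB interface can recover: does the PIN appear in the log? */
int usb_log_exposes(const personal_key *k, const char *pin) {
    for (size_t i = 0; i + PIN_LEN <= k->usb_log_len; i++)
        if (memcmp(k->usb_log + i, pin, PIN_LEN) == 0) return 1;
    return 0;
}

/* One unlock-and-read session; returns 1 if the PIN crossed USB, sets *released on success. */
int run_session(int pin_on_key, int *released) {
    const char *pin = "4917";  /* constructed sample PIN */
    unsigned char resp[1 + DATA_LEN], read_cmd[1] = { CMD_READ_DATA };
    personal_key k;
    key_init(&k, pin, "S3CR3T!!");  /* constructed sample data */
    if (pin_on_key) {
        for (size_t i = 0; i < PIN_LEN; i++) key_button_digit(&k, pin[i]);
        key_button_enter(&k);
    } else {
        unsigned char verify[1 + PIN_LEN] = { CMD_VERIFY_PIN };
        memcpy(verify + 1, pin, PIN_LEN);
        key_usb_command(&k, verify, sizeof verify, resp, sizeof resp);
    }
    size_t n = key_usb_command(&k, read_cmd, sizeof read_cmd, resp, sizeof resp);
    *released = (n == 1 + DATA_LEN && resp[0] == ST_OK);
    return usb_log_exposes(&k, pin);
}

int main(void) {
    int r0, r1, e0 = run_session(0, &r0), e1 = run_session(1, &r1);
    printf("host entry: exposed=%d released=%d\n", e0, r0);
    printf("key entry:  exposed=%d released=%d\n", e1, r1);
    return 0;
}
```
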
In one embodiment of the invention set forth more fully below, the user communicates directly with the processor 212 by physical manipulation of mechanical switches or devices actuatable from the external side of the key (for example, by pressure-sensitive devices such as buttons and mechanical switches). In another embodiment of the invention set forth more fully below, the input device includes a wheel with tactile detents indicating the selection of characters.

The input device and output devices 218, 222 may cooperatively interact with one another to enhance the functionality of the personal key 200. For example, the output device 222 may provide information prompting the user to enter information into the input device 218. For example, the output device 222 may comprise a visual display such as an alphanumeric LED or LCD display (which can display Arabic numbers and/or letters) and/or an aural device. The user may be prompted to enter information by a beeping of the aural device, by a flashing pattern of the LED, or by both. The output device 222 may also optionally be used to confirm entry of information by the input device 218. For example, an aural output device may beep when the user enters information into the input device 218 or when the user input is invalid. The input device 218 may take one of many forms, including different combinations of input devices.

Although the input device communication path 220 and the output device communication path 224 are illustrated in FIG. 2 as separate paths, the present invention can be implemented by combining the paths 220 and 224 while still retaining a communication path distinct from the USB-compliant interface 204. For example, the input device 218 and output device 222 may be packaged in a single device and communications with the processor 212 multiplexed over a single communication path.

In one embodiment of the invention, the present invention further comprises a second output device 222 that may be coupled to the USB-compliant interface 204 instead of being coupled to the processor via a communication path distinct from the USB-compliant interface 204. This embodiment may be used, for example, to indicate to the user that the personal key 200 has been correctly inserted into the host computer's USB port (for example, by providing an indication of a power signal of the USB-compliant interface). The second output device may also be used to show that data is passing to and from the host computer and the personal key 200 (for example, by providing an indication of a data signal from the USB-compliant interface).

The personal key has an interface including a USB driver module 266 communicatively coupled to an application program interface (API) 260 having a plurality of API library routines. The API 260 provides an interface with the application 110 to issue commands and accept results from the personal key 200. In one embodiment, a browser 262, such as the browser available from NETSCAPE, Inc., operates with the API 260 and the public key cryptographic standard (PKCS) module 264 to implement a token-based user authentication system.

While the portability and utility of the personal key has many advantages, it also has one important disadvantage... it can be lost or stolen. This is especially troublesome because the personal key 200 represents a secure repository for so much of the user's private data. For these reasons, the ultimate security of the information contained in the personal key 200 (but not necessarily the personal key 200 itself) is highly important.

Ultimately, the pers