PCT

WORLD INTELLECTUAL PROPERTY ORGANIZATION
International Bureau

INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT)

(51) International Patent Classification 7: G06F 1/00
(11) International Publication Number: WO 00/42491
(43) International Publication Date: 20 July 2000 (20.07.00)
(21) International Application Number: PCT/US00/00711
(22) International Filing Date: 12 January 2000 (12.01.00)

(30) Priority Data:
60/116,006    15 January 1999 (15.01.99)
09/281,017    30 March 1999 (30.03.99)
09/449,159    24 November 1999 (24.11.99)

(71) Applicant: RAINBOW TECHNOLOGIES, INC. [US/US], 50 Technology Drive, Irvine, CA 92618 (US).

(72) Inventors: ABBOTT, Shawn, D.; 305 Pinnacle Ridge Place, RR12, Calgary, Alberta T3E 6W3 (CA). AFGHANI, Bahram; 891 Tia Juana Street, Laguna Beach, CA 92651 (US). SOTOODEH, Mehdi; 17 Paloma Drive, Mission Viejo, CA 92692 (US). DENTON, Norman, L., III; 34052 Capo-by-the-Sea, Dana Point, CA 92629 (US). LONG, Calvin, W.; 1260 Oakhaven Lane, Arcadia, CA 91006 (US). PUNT, Maarten, G.; 24942 Paseo Arboleda, Lake Forest, CA 92630 (US). ANDERSON, Allan, D.; 11158 Bertha Place, Cerritos, CA 90703 (US). GODDING, Patrick, N.; 22665 Shady Grove Circle, Lake Forest, CA 92630 (US).

(74) Agent: COOPER, Victor, G.; Gates & Cooper, Suite 1050, 6701 Center Drive, West, Los Angeles, CA 90025 (US).

(81) Designated States: AE, AL, AM, AT, AU, AZ, BA, BB, BG, BR, BY, CA, CH, CN, CR, CU, CZ, DE, DK, DM, EE, ES, FI, GB, GD, GE, GH, GM, HR, HU, ID, IL, IN, IS, JP, KE, KG, KP, KR, KZ, LC, LK, LR, LS, LT, LU, LV, MA, MD, MG, MK, MN, MW, MX, NO, NZ, PL, PT, RO, RU, SD, SE, SG, SI, SK, SL, TJ, TM, TR, TT, TZ, UA, UG, UZ, VN, YU, ZA, ZW, ARIPO patent (GH, GM, KE, LS, MW, SD, SL, SZ, TZ, UG, ZW), Eurasian patent (AM, AZ, BY, KG, KZ, MD, RU, TJ, TM), European patent (AT, BE, CH, CY, DE, DK, ES, FI, FR, GB, GR, IE, IT, LU, MC, NL, PT, SE), OAPI patent (BF, BJ, CF, CG, CI, CM, GA, GN, GW, ML, MR, NE, SN, TD, TG).

Published
With international search report.
Before the expiration of the time limit for amending the claims and to be republished in the event of the receipt of amendments.

(54) Title: USB-COMPLIANT PERSONAL KEY WITH INTEGRAL INPUT AND OUTPUT DEVICES

(57) Abstract

A compact, self-contained, personal key is disclosed. The personal key comprises a USB-compliant interface (206) releasably coupleable to a host processing device (102); a memory (214); and a processor (212). The processor (212) provides the host processing device (102) conditional access to data storable in the memory (214) as well as the functionality required to manage files stored in the personal key and for performing computations based on the data in the files. In one embodiment, the personal key also comprises an integral user input device (218) and an integral user output device (222). The input and output devices (218, 222) communicate with the processor (212) by communication paths (220, 222) which are independent from the USB-compliant interface (206), and thus allow the user to communicate with the processor (212) without manifesting any private information external to the personal key.

PayPal Inc. v. IOENGINE, LLC
IPR2019-00906 (US 9,059,969)
Exhibit 2079

FOR THE PURPOSES OF INFORMATION ONLY

Codes used to identify States party to the PCT on the front pages of pamphlets publishing international applications under the PCT.

AL Albania; AM Armenia; AT Austria; AU Australia; AZ Azerbaijan; BA Bosnia and Herzegovina; BB Barbados; BE Belgium; BF Burkina Faso; BG Bulgaria; BJ Benin; BR Brazil; BY Belarus; CA Canada; CF Central African Republic; CG Congo; CH Switzerland; CI Côte d'Ivoire; CM Cameroon; CN China; CU Cuba; CZ Czech Republic; DE Germany; DK Denmark; EE Estonia
ES Spain; FI Finland; FR France; GA Gabon; GB United Kingdom; GE Georgia; GH Ghana; GN Guinea; GR Greece; HU Hungary; IE Ireland; IL Israel; IS Iceland; IT Italy; JP Japan; KE Kenya; KG Kyrgyzstan; KP Democratic People's Republic of Korea; KR Republic of Korea; KZ Kazakstan; LC Saint Lucia; LI Liechtenstein; LK Sri Lanka; LR Liberia
LS Lesotho; LT Lithuania; LU Luxembourg; LV Latvia; MC Monaco; MD Republic of Moldova; MG Madagascar; MK The former Yugoslav Republic of Macedonia; ML Mali; MN Mongolia; MR Mauritania; MW Malawi; MX Mexico; NE Niger; NL Netherlands; NO Norway; NZ New Zealand; PL Poland; PT Portugal; RO Romania; RU Russian Federation; SD Sudan; SE Sweden; SG Singapore
SI Slovenia; SK Slovakia; SN Senegal; SZ Swaziland; TD Chad; TG Togo; TJ Tajikistan; TM Turkmenistan; TR Turkey; TT Trinidad and Tobago; UA Ukraine; UG Uganda; US United States of America; UZ Uzbekistan; VN Viet Nam; YU Yugoslavia; ZW Zimbabwe

WO 00/42491
PCT/US00/00711

USB-COMPLIANT PERSONAL KEY WITH INTEGRAL INPUT AND OUTPUT DEVICES

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to computer peripherals, and in particular to a personal key having input and output devices integrated therewith to provide for increased security.

2. Description of the Related Art

In the last decade, the use of personal computers in both the home and in the office has become widespread. These computers provide a high level of functionality to many people at a moderate price, substantially surpassing the performance of the large mainframe computers of only a few decades ago. The trend is further evidenced by the increasing popularity of laptop and notebook computers, which provide high-performance computing power on a mobile basis.

The widespread availability of personal computers has had a profound impact on interpersonal communications as well. Only a decade ago, telephones or fax machines offered virtually the only media for rapid business communications. Today, a growing number of businesses and individuals communicate via electronic mail (e-mail). Personal computers have also been instrumental in the emergence of the Internet and its growing use as a medium of commerce.

While certainly beneficial, the growing use of computers in personal communications, commerce, and business has also given rise to a number of unique challenges.

First, the growing use of computers has resulted in extensive unauthorized use and copying of computer software, costing software developers substantial revenue. Although unauthorized copying or use of software is a violation of the law, the widespread availability of pirated software and enforcement difficulties have limited the effectiveness of this means of preventing software piracy.

Software developers and computer designers alike have sought technical solutions to attack the problem of software piracy. One solution uses an external device known as a hardware key, or "dongle" coupled to an input/output (I/O) port of the host computer.

While the use of such hardware keys is an effective way to reduce software piracy, to date, their use has been substantially limited to high value software products. Hardware keys have not been widely applied to popular software packages, in part, because the hardware keys are too expensive, and in part, because there is a reluctance on the part of the application program user to bother with a hardware key whenever use of the protected program is desired. Also, in many cases, the hardware keys are designed for use with only one application. Hence, where the use of multiple applications on the same computer is desired, multiple hardware keys must be operated at the same time.

While it reflects a tremendous advance over telephones and facsimile machines, e-mail also has its problems. One of these problems involves security. Telephone lines are relatively secure and a legally sanctioned way to engage in the private transmission of information, however, e-mails are generally sent over the Internet with no security whatsoever. Persons transmitting electronic messages must be assured that their messages are not opened or disclosed to unauthorized persons. Further, the addressee of the electronic message should be certain of the identity of the sender and that the message was not tampered with at some point during transmission.

Although the packet-switching nature of Internet communications helps to minimize the risk of intercepted communications, it would not be difficult for a determined interloper to obtain access to an unprotected e-mail message.

Many methods have been developed to secure the integrity of electronic messages during transmission. Simple encryption is the most common method of securing data. Both secret key encryption such as DES (Data Encryption Standard) and public key encryption methods that use both a public and a private key are implemented. Public and private key encryption methods allow users to send Internet and e-mail messages without concern that the message will be read by unauthorized persons or that its contents will be tampered with. However, key cryptographic methods do not protect the receiver of the message, because they do not allow the recipient to authenticate the validity of the public key or to validate the identity of the sender of the electronic message.

The use of digital certificates presents one solution to this problem. A digital certificate is a signed document attesting to the identity and public key of the person signing the message. Digital certificates allow the recipient to validate the authenticity of a public key. However, the typical user may use e-mail to communicate with hundreds of persons, and may use any one of several computers to do so. Hence, a means for managing a number of digital certificates across several computer platforms is needed.

Internet commerce raises other challenges. Users seeking to purchase goods or services using the Internet must be assured that their credit card numbers and the like are safe from compromise. At the same time, vendors must be assured that services and goods are delivered only to those who have paid for them. In many cases, these goals are accomplished with the use of passwords. However, as Internet commerce becomes more commonplace, customers are finding themselves in a position where they must either decide to use a small number of passwords for all transactions, or face the daunting task of remembering multiple passwords. Using a small number of passwords for all transactions inherently compromises security, since the disclosure of any of the passwords may lead to a disclosure of the others. Even the use of a large number of passwords can lead to compromised security. Because customers commonly forget their password, many Internet vendors provide an option whereby the user can be reminded of their password by providing other personal information such as their birthplace, mother's maiden name, and/or social security number. This feature, while often necessary to promote Internet commerce, severely compromises the password by relying on "secret" information that is in fact, publicly available.

Even in cases where the user is willing and able to keep track of a large number of passwords, the password security technique is often compromised by the fact that the user is inclined to select a password that is relatively easy to remember. It is indeed rare that a user selects a truly random password. What is needed is a means for generating and managing random passwords that can be stored and recalled for use on a wide variety of computer platforms.

Internet communications have also seen the increased use of "cookies." Cookies comprise data and programs that keep track of a user's patterns and preferences that can be downloaded from the Internet server for storage on the user's computer. Typically, cookies contain a range of addresses. When the browser encounters those addresses again, the cookies associated with the addresses are provided to the Internet server. For example, if a user's password were stored as a cookie, the use of the cookie would allow the user to request services or goods without requiring that the user enter the password again when accessing that service for the second and subsequent time.

However beneficial, cookies can also have their dark side. Many users object to storage of cookies on their computer's hard drive. In response to these concerns, Internet browser software allows the user to select an option so that they are notified before cookies are stored or used. The trouble with this solution is that this usually results in an excessive number of messages prompting the user to accept cookies. A better solution than this all-or-nothing approach would be to allow the storage and/or use of cookies, but to isolate and control that storage and use to comply with user-specified criteria.

Smartcards provide some of the above mentioned functionality, but smartcards do not present an ideal solution. First, personal keys are only valuable to the user if they offer a single, widely accepted secure repository for digital certificates and passwords. Smartcard readers are relatively expensive, and are not in wide use, at least in the United States, and are therefore unsuited to the task.

Second, smartcards do not provide for entering data directly into the card. This opens the smartcard to possible sniffer modules in malicious software, which can monitor the smartcard-reader interface to determine the user's personal identification or password information. This problem is especially problematic in situations where the user is using an unknown or untrusted smartcard reader. The lack of any direct input device also prevents the user from performing any smartcard-related functions in the relatively common situation where no smartcard reader is available.

Third, data cannot be accessed from the smartcard unless the smartcard is in the reader. This prevents the user from viewing data stored in the smartcard (i.e. a stored password) until a smartcard reader can be located. Given that smartcard readers (especially trusted ones) can be difficult to find, this substantially limits the usefulness of the card. Of course, the user may simply write the password down on paper, but this may compromise the security of all of the data in the card, and is inconsistent with the goal of providing a central, secure, portable repository for private data.

From the foregoing, it can be seen that there is a need for a personal key that allows the user to store and retrieve passwords and digital certificates without requiring the use of vulnerable external interfaces.

SUMMARY OF THE INVENTION

The present invention satisfies all of these needs with a personal key in a form factor that is compliant with a commonly available I/O interface such as the Universal Serial Bus (USB). The personal key includes a processor and a memory which implement software protection schemes to prevent copying and unauthorized use. The personal key provides for the storage and management of digital certificates, allowing the user to store all of his digital certificates in one media that is portable from platform to platform. The personal key provides for the generation, storage, and management of many passwords, providing additional security and relieving the user from the task of remembering multiple passwords. The personal key provides a means to store cookies and other Java-implemented software programs, allowing the user to accept cookies in a removable and secure form-factor. These features are especially useful when the present invention is used in a virtual private network (VPN). The present invention can also be used for several applications

Because the personal key is capable of storing virtually all of the user's sensitive information, it is important that the personal key be as secure as possible. Hence, one embodiment of the personal key also comprises a biometric sensor disposed to measure biometrics such as fingerprint data. The biometric sensor measures characteristics of the person holding the key (such as fingerprints) to confirm that the person possessing the key is the actual owner of the key.

Since the personal key represents a single, secure repository for a great deal of the data the user will need to use and interact with a variety of computer platforms, it is also important that the personal key be able to interface (i.e., transmit and receive data) with a large variety of computers and computer peripherals. Hence, one embodiment of the personal key includes an electromagnetic wave transception device such as an infrared (IR) transceiver. This transceiver allows the personal key to exchange information with a wide variety of computers and peripherals without physical coupling.

The present invention is well suited for controlling access to network services, or anywhere a password, cookie, digital certificate, or smartcard might otherwise be used, including:

* Remote access servers, including Internet protocol security (IPSec), point to point tunneling protocol (PPTP), password authentication protocol (PAP), challenge handshake authentication protocol (CHAP), remote access dial-in user service (RADIUS), terminal access controller access control system (TACACS);
* Providing Extranet and subscription-based web access control, including hypertext transport protocol (HTTP), secure sockets layer (SSL);
* Supporting secure online banking, benefits administration, account management;
* Supporting secure workflow and supply chain integration (form signing);
* Preventing laptop computer theft (requiring personal key for laptop operation);
* Workstation logon authorization;
* Preventing the modification or copying of software;
* Encrypting files;
* Supporting secure e-mail, for example, with secure multipurpose Internet mail extensions (S/MIME), and open pretty good privacy (OpenPGP)
* Administering network equipment administration; and
* Electronic wallets, with, for example, secure electronic transaction (SET, MilliCent, eWallet)

In one embodiment, the present invention comprises a compact, self-contained, personal token or key. The personal key comprises a USB-compliant interface releaseably coupleable to a host processing device; a memory; and a processor. The processor provides the host processing device conditional access to data storable in the memory as well as the functionality required to manage files stored in the personal key and for performing computations based on the data in the files.

In one embodiment, the personal key also comprises an integral user input device and an integral user output device. The input and output devices communicate with the processor by communication paths which are independent from the USB-compliant interface, and thus allow the user to communicate with the processor without manifesting any private information external to the personal key.

BRIEF DESCRIPTION OF THE DRAWINGS

Referring now to the drawings in which like reference numbers represent corresponding parts throughout:

FIG. 1 is a diagram showing an exemplary hardware environment for practicing the present invention;

FIG. 2 is a block diagram illustrating selected modules of one embodiment of the present invention;

FIG. 3 is a diagram of the memory resources provided by the memory of the personal key;

FIG. 4 is a diagram showing one embodiment of how an encryption engine is used to authenticate the identity of the personal key or the application data stored therein;

FIG. 5 is a diagram illustrating the data contents of a file system memory resource of an active personal key that provides authentication and specific configuration data for several applications;

FIG. 6 is a diagram presenting an illustration of one embodiment of the personal key;

FIGs. 7A-7C are diagrams showing one embodiment of the personal key having an input device including a first pressure sensitive device and a second pressure sensitive device, each communicatively coupled to the processor by a communication path distinct from the USB-compliant interface;

FIGs. 8A-8C are diagrams presenting an illustration of another embodiment of the present invention;

FIG. 9 is a flow chart illustrating an embodiment of the present invention in which processor operations are subject to user authorization; and

FIG. 10 is a flow chart illustrating an embodiment of the present invention in which the PIN is entered directly into the personal key.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

In the following description, reference is made to the accompanying drawings which form a part hereof, and in which is shown, by way of illustration, several embodiments of the present invention. It is understood that other embodiments may be utilized and structural changes may be made without departing from the scope of the present invention.

Hardware Environment

FIG. 1 illustrates an exemplary computer system 100 that could be used to implement the present invention. The computer 102 comprises a processor 104 and a memory, such as random access memory (RAM) 106. The computer 102 is operatively coupled to a display 122, which presents images such as windows to the user on a graphical user interface 118B. The computer 102 may be coupled to other devices, such as a keyboard 114, a mouse device 116, a printer 128, etc. Of course, those skilled in the art will recognize that any combination of the above components, or any number of different components, peripherals, and other devices, may be used with the computer 102.

Generally, the computer 102 operates under control of an operating system 108 stored in the memory 106, and interfaces with the user to accept inputs and commands and to present results through a graphical user interface (GUI) module 118A. Although the GUI module 118A is depicted as a separate module, the instructions performing the GUI functions can be resident or distributed in the operating system 108, the computer program 110, or implemented with special purpose memory and processors. The computer 102 also implements a compiler 112 which allows an application program 110 written in a programming language such as COBOL, C++, FORTRAN, or other language to be translated into processor 104 readable code. After completion, the application 110 accesses and manipulates data stored in the memory 106 of the computer 102 using the relationships and logic that are generated using the compiler 112. The computer 102 also comprises an input/output (I/O) port 130 for a personal token 200 (hereinafter alternatively referred to also as a personal key 200). In one embodiment, the I/O port 130 is a USB-compliant port implementing a USB-compliant interface.

In one embodiment, instructions implementing the operating system 108, the computer program 110, and the compiler 112 are tangibly embodied in a computer-readable medium, e.g., data storage device 120, which could include one or more fixed or removable data storage devices, such as a zip drive, floppy disc drive 124, hard drive, CD-ROM drive, tape drive, etc. Further, the operating system 108 and the computer program 110 are comprised of instructions which, when read and executed by the computer 102, cause the computer 102 to perform the steps necessary to implement and/or use the present invention. Computer program 110 and/or operating instructions may also be tangibly embodied in memory 106 and/or data communications devices, thereby making a computer program product or article of manufacture according to the invention. As such, the terms "article of manufacture" and "computer program product" as used herein are intended to encompass a computer program accessible from any computer readable device or media.

The computer 102 may be communicatively coupled to a remote computer or server 134 via communication medium 132 such as a dial-up network, a wide area network (WAN), local area network (LAN), virtual private network (VPN) or the Internet. Program instructions for computer operation, including additional or alternative application programs can be loaded from the remote computer/server 134. In one embodiment, the computer 102 implements an Internet browser, allowing the user to access the world wide web (WWW) and other internet resources.

Those skilled in the art will recognize that many modifications may be made to this configuration without departing from the scope of the present invention. For example, those skilled in the art will recognize that any combination of the above components, or any number of different components, peripherals, and other devices, may be used with the present invention.

Architectural Overview

FIG. 2 is a block diagram illustrating selected modules of the present invention. The personal key 200 communicates with and obtains power from the host computer through a USB-compliant communication path 202 in the USB-compliant interface 204 which includes the input/output port 130 of the host computer 102 and a matching input/output (I/O) port 206 on the personal key 200. Signals received at the personal key I/O port 206 are passed to and from the processor 212 by a driver/buffer 208 via communication paths 210 and 216. The processor 212 is communicatively coupled to a memory 214, which may store data and instructions to implement the above-described features of the invention. In one embodiment, the memory 214 is a non-volatile random-access memory that can retain factory-supplied data as well as customer-supplied application related data. The processor 212 may also include some internal memory for performing some of these functions.

The processor 212 is optionally communicatively coupled to an input device 218 via an input device communication path 220 and to an output device 222 via an output device communication path 224, both of which are distinct from the USB-compliant interface 204 and communication path 202. These separate communication paths 220 and 224 allow the user to view information about processor 212 operations and provide input related to processor 212 operations without allowing a process or other entity with visibility to the USB-compliant interface 204 to eavesdrop or intercede. This permits secure communications between the key processor 212 and the user.
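
Added example (not part of the published application): a small Python model of the separation described above, and of the smartcard-reader exposure raised in the background section. It compares a PIN typed on the host and forwarded over the USB path with a PIN entered on the key itself, and checks what a recorder of the USB path captures in each case. The class and function names, the VERIFY_PIN and READ commands, the retry limit, the PBKDF2 PIN storage and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import os

SAMPLE_PIN = "4917"                      # constructed sample value
SAMPLE_SECRET = b"constructed-password"  # constructed sample file content


class UsbBus:
    """Host-visible USB path (202/204); any host process may record it."""

    def __init__(self):
        self.log = []

    def transfer(self, direction, payload):
        self.log.append((direction, payload))
        return payload


class PersonalKey:
    """Model of processor 212 guarding memory 214 (names are hypothetical)."""

    MAX_TRIES = 3  # assumption: a retry limit is not described on the page

    def __init__(self, pin, bus):
        self._bus = bus
        self._salt = os.urandom(16)
        self._pin_hash = self._derive(pin)
        self._tries_left = self.MAX_TRIES
        self._unlocked = False
        self._files = {}   # stands in for memory 214
        self.display = []  # output device 222, reached over path 224 only

    def _derive(self, pin):
        # Assumption: the PIN is stored as a salted PBKDF2 hash.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 50_000)

    def _verify(self, pin):
        if self._tries_left == 0:
            self.display.append("LOCKED")
            return False
        ok = hmac.compare_digest(self._derive(pin), self._pin_hash)
        self._tries_left = self.MAX_TRIES if ok else self._tries_left - 1
        self._unlocked = ok
        self.display.append("OK" if ok else "BAD PIN")
        return ok

    def store(self, name, data):
        """Provisioning helper for the demonstration."""
        self._files[name] = data

    def enter_pin_on_key(self, pin):
        """Input device 218 over path 220: nothing is placed on the USB bus."""
        return self._verify(pin)

    def usb_command(self, command, argument=b""):
        """Host request over USB; request and reply are both bus-visible."""
        self._bus.transfer("host->key", command + b" " + argument)
        if command == b"VERIFY_PIN":   # PIN typed on the host and forwarded
            ok = self._verify(argument.decode(errors="replace"))
            reply = b"OK" if ok else b"DENIED"
        elif command == b"READ":       # conditional access to stored data
            data = self._files.get(argument.decode(errors="replace"))
            reply = data if self._unlocked and data is not None else b"DENIED"
        else:
            reply = b"UNKNOWN"
        return self._bus.transfer("key->host", reply)


def sniffer_saw(bus, secret):
    """True if a host-side recorder of the USB path captured `secret`."""
    return any(secret in payload for _, payload in bus.log)


def unlock_and_read(pin_via_host):
    """Return (read before unlock, read after unlock, PIN seen on the bus)."""
    bus = UsbBus()
    key = PersonalKey(SAMPLE_PIN, bus)
    key.store("mail-password", SAMPLE_SECRET)
    before = key.usb_command(b"READ", b"mail-password")
    if pin_via_host:
        key.usb_command(b"VERIFY_PIN", SAMPLE_PIN.encode())
    else:
        key.enter_pin_on_key(SAMPLE_PIN)
    after = key.usb_command(b"READ", b"mail-password")
    return before, after, sniffer_saw(bus, SAMPLE_PIN.encode())


if __name__ == "__main__":
    for via_host in (True, False):
        before, after, leaked = unlock_and_read(via_host)
        path = "host keyboard over USB" if via_host else "keypad on the key"
        print(f"PIN via {path}: before={before!r} after={after!r} "
              f"PIN on bus={leaked}")
```

In both flows the file content still crosses the USB path once the key is unlocked, because that is the conditional access the host asked for; only the PIN, the credential that gates every file, stays off the bus when it is entered on the key.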
`
`In one embodimentof the invention set forth more fully below, the user
`
`communicates directly with the processor 212 by physical manipulation of mechanical
`
`switches or devices actuatable from the external side of the key (for example, by
`
`pressure-sensitive devices such as buttons and mechanical switches).
`
`In another
`
`embodimentof the invention set forth more fully below, the input device includes a
`
`wheel with tactile detents indicating the selection of characters.
`
`The input device and output devices 218, 222 may cooperatively interact with
`
`one another to enhancethe functionality of the personal key 200. For example, the
`
`output device 222 may provide information prompting the user to enter information
`
`into the input device 218. For example, the output device 222 may comprise a visual
`
`display such as an alphanumeric LED or LCD display (which can display Arabic
`
`numbers and orletters) and/or an aural device. The user may be prompted to enter
`
`20
`
`25
`
`30
`
`PayPal Inc. v. IOENGINE, LLC
`IPR2019-00906 (US 9,059,969)
`Exhibit 2079
`
`PayPal Inc. v. IOENGINE, LLC
`IPR2019-00906 (US 9,059,969)
`Exhibit 2079
`
`

`

`WO 00/42491
`
`PCT/US00/00711
`
`-12-
`
`information by a beeping of the aural device, by a flashing pattern of the LED, or by
`
`both. The output device 222 may also optionally be used to confirm entry of
`
`information by the input device 218. For example, an aural output device may beep
`
`whenthe user enters information into the input device 218 or when the user input is
`
`invalid. The input device 218 may take one of many forms,including different
`
`combinations of input devices.
`
`Although the input device communication path 220 and the output device
`
`communication path 224 are illustrated in FIG. 2 as separate paths, the present
`
`invention can be implemented by combiningthe paths 220 and 224 whilestill
`
`10
`
`retaining a communication path distinct from the USB-complhantinterface 204. For
`
`example, the input device 218 and output device 222 may be packaged in a single
`
`device and communications with the processor 212 multiplexed over a single
`
`communication path.
`
`In one embodimentof the invention, the present invention further comprises a
`
`second output device 222 that may be coupled to the USB-compliantinterface 204
`
`instead of being coupled to the processor via a communication path distinct from the
`
`USB-compliant interface 204. This embodiment may be used, for example, to
`
`indicate to the user that the personal key 200 has been correctly inserted into the host
`
`computer’s USB port (for example, by providing an indication of a power signal of
`
`the USB-compliant interface). The second output device may also be used to show
`
`that data is passing to and from the host computer and the personal key 200 (for
`
`example, by providing an indication of a data signal from the USB-compliant
`
`interface).
`
`The personal key has an interface including a USB driver module 266
`
`communicatively coupled to an application program interface (API) 260 having a
`
`plurality of API library routines. The API 260 provides an interface with the
`
`application 110 to issue commands and accept results from the personal key 200. In
`
`one embodiment, a browser 262, such as the browser available from NETSCAPE, Inc.
`
`operates with the API 260 and the public key cryptographic standard (PKCS) module
`
`264 to implement a token-based user authentication system.
`
`While the portability and utility of the personal key has many advantages, it
`
`also has one important disadvantage...it can be lost or stolen. This is especially
`
`troublesome because the personal key 200 represents a secure repository for so much
`
`of the user's private data. For these reasons, the ultimate security of the information
`
`contained in the personal key 200 (but not necessarily the personal key 200 itself) is
`
`highly important.
`
`Ultimately, the personal key 200 identifies the possessor to the outside world
`
`through the host computer 102, but there is no guarantee that the person in possession
`
`of the personal key 200 is the actual owner, because the personal key may have been
`
`lost or stolen. Security can be increased with the use of personal passwords and the
`
`like, but this solution is not ideal. First, the use of a single password raises the very
`
`r
