Ex Parte Robinton et al
Patent Trial and Appeal Board, Oct 21, 2016
12716845 (P.T.A.B. Oct. 21, 2016)

UNITED STATES PATENT AND TRADEMARK OFFICE

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS, P.O. Box 1450, Alexandria, Virginia 22313-1450, www.uspto.gov

APPLICATION NO.: 12/716,845
FILING DATE: 03/03/2010
FIRST NAMED INVENTOR: Mark Robinton
ATTORNEY DOCKET NO.: 2943AAAB-191
CONFIRMATION NO.: 1523

22442 7590 10/25/2016
Sheridan Ross PC, 1560 Broadway, Suite 1200, Denver, CO 80202

EXAMINER: SHEPPERD, ERIC W
ART UNIT / PAPER NUMBER: 2492
NOTIFICATION DATE: 10/25/2016
DELIVERY MODE: ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es): e-docket@sheridanross.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE
BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte MARK ROBINTON and SCOTT B. GUTHERY

Appeal 2015-007468
Application 12/716,845
Technology Center 2400

Before MICHAEL J. STRAUSS, IRVIN E. BRANCH, and DANIEL J. GALLIGAN, Administrative Patent Judges.

GALLIGAN, Administrative Patent Judge.

DECISION ON APPEAL

Appellants[1] seek our review under 35 U.S.C. § 134(a) of the Examiner's final rejection of claims 1-20. We have jurisdiction under 35 U.S.C. § 6(b). We AFFIRM.[2]

[1] The Appeal Brief identifies Assa Abbloy AB as the real party in interest. App. Br. 2.

[2] Our Decision refers to Appellants' Appeal Brief filed March 26, 2015 ("App. Br."); Appellants' Reply Brief filed August 10, 2015 ("Reply Br."); Examiner's Answer mailed June 8, 2015 ("Ans."); and Final Office Action mailed November 13, 2014 ("Final Act.").

STATEMENT OF THE CASE

Claims on Appeal

Claims 1, 9, and 16 are independent claims. Claim 1 is illustrative and is reproduced below:

1. A method of authenticating a terminal device and a user to a card, the method comprising:
receiving a card challenge at the terminal device;
receiving a user-provided credential at the terminal device;
combining the card challenge with the user-provided credential at the terminal device; and
transforming, at the terminal device, the combination of the card challenge and user-provided credential, whereby the transformed value is configured to be provided to the card as a single expected response that authenticates the terminal and the user to the card.

References

Stoltz et al., US 6,615,264 B1, Sept. 2, 2003
Zai et al., US 2005/0061875 A1, Mar. 24, 2005
Teresa Schwarzhoff et al., "Government Smart Card Interoperability Specification," Version 2.1, published July 16, 2003.

Examiner's Rejections

Claims 1-6, 9-14, and 16-20 stand rejected under 35 U.S.C. § 103(a) as being unpatentable over Schwarzhoff and Stoltz. Final Act. 4-15.

Claims 7, 8, and 15 stand rejected under 35 U.S.C. § 103(a) as being unpatentable over Schwarzhoff, Stoltz, and Zai. Final Act. 16-17.

ANALYSIS

We have reviewed the Examiner's rejections in light of Appellants' arguments the Examiner erred (App. Br. 5-11; Reply Br. 4-8). We are not persuaded by Appellants' contentions. Insofar as they relate to issues raised in this appeal, we adopt as our own the Examiner's findings and we agree with the Examiner's conclusions. See Final Act. 4-17; Ans. 2-8. We highlight and address specific arguments and findings for emphasis as follows.

Appellants contend the combination of Schwarzhoff and Stoltz does not teach or suggest "transforming, at the terminal device, the combination of the card challenge and user-provided credential, whereby the transformed value is configured to be provided to the card as a single expected response that authenticates the terminal and the user to the card," as recited in independent claim 1. See App. Br. 7-9; Reply Br. 4-6. Appellants' arguments in support of this contention are unpersuasive because they largely attack the individual teachings of Schwarzhoff and Stoltz and fail to address what the combined teachings of the references would have suggested to a person of ordinary skill in the art. "Non-obviousness cannot be established by attacking references individually where the rejection is based upon the teachings of a combination of references." In re Merck & Co., 800 F.2d 1091, 1097 (Fed. Cir. 1986) (citation omitted). The test for obviousness is not whether the claimed invention is "expressly suggested in any one or all of the references"; rather, "the test is what the combined teachings of the references would have suggested to those of ordinary skill in the art." In re Keller, 642 F.2d 413, 425 (CCPA 1981) (citations omitted).

Appellants argue Stoltz "fails to disclose providing the combination of a card challenge and a user-provided credential, as a single value, to the card." App. Br. 7. However, in rejecting claim 1, the Examiner did not rely solely on Stoltz for providing the combined value to the card. Rather, the Examiner relied on Schwarzhoff's teachings of a challenge response process between a card and a terminal in combination with Stoltz's teachings of combining a challenge and a user PIN. See Final Act. 5-6; Ans. 2-3. In particular, the Examiner found Schwarzhoff teaches receiving a card challenge and a user-provided credential at the terminal device. Final Act. 5 (citing Schwarzhoff §§ 3.1 and 5.1.2.1).
We agree with these findings because Schwarzhoff teaches that a PIN code can be used for authentication where a PIN pad is available (§ 3.1) and that the "GET CHALLENGE" command "cause[s] the smart card to issue a random number, i.e., the challenge" (§ 5.1.2.1).

The Examiner further found Stoltz teaches combining a user-provided credential, such as a PIN, with a challenge, such as a random number. Final Act. 5 (citing Stoltz col. 18, ll. 39-56). Stoltz discloses:

Network terminal 202 generates a response value that is the output of a hash function (i.e., a hash value or challenge response) from an input including the user's PIN, the value of the identifier, the value of the secret stored in the user's smart card and the value of the challenge (e.g., the random number generated in step 504).

Stoltz, col. 18, ll. 41-47. Stoltz discloses one such hash function is the exclusive-or (XOR) operation. Stoltz, col. 18, ll. 49-51.

The Examiner concluded the subject matter of claim 1 would have been obvious based on the combined teachings of Schwarzhoff and Stoltz, explaining:

It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to combine the single challenge response of Stolz with the government interoperability specification of Schwarzhoff, such that the card challenge and PIN of Schwarzhoff is combined via XOR for a single response as in Stolz and then transferred using a secure channel of Schwarzhoff, as it would advantageously improve the efficiency of a government standard by reducing the number of communications between card and terminal and provide further security by securing the credentials in transit.

Final Act. 6. Thus, the Examiner relied upon the combined teachings of Schwarzhoff and Stoltz to reach the conclusion of obviousness.

We agree with the Examiner's findings, and we are not persuaded of error in the Examiner's conclusion of obviousness.

Appellants further argue Stoltz does not teach sending the combined value to the card but, rather, teaches sending it to an authentication module. Reply Br. 6. Appellants also argue Stoltz does not teach "authenticat[ing] the terminal and the user to the card." Reply Br. 5. Once again, these arguments fail to appreciate and address the combined teachings of Schwarzhoff and Stoltz. As the Examiner explained in the Answer, "Schwarzhoff[] is relied upon to show the transformation and providing to a card, and Stolz is relied upon to show the combination of user credential and challenge." Ans. 4. The Examiner found Schwarzhoff teaches authenticating a terminal device and a user to a card. Final Act. 5 (citing Schwarzhoff § 3.3 ¶ 2). We agree. Schwarzhoff discloses that "[e]stablishing a security context involves authentication of the parties involved in the service exchange. These parties include the user executing the client application, the client application itself, and the smart card." Schwarzhoff § 3.3 ¶ 2. Schwarzhoff further discloses:

The client application would encrypt the challenge and send the resultant cryptogram to the smart card via the EXTERNAL AUTHENTICATE APDU. The smart card would then decrypt it using the same algorithm as the client application and compare it to its internally stored copy of the challenge. If the cryptograms match, the client application is authenticated to the smart card.

Schwarzhoff § 5.1.2.1 (emphasis added). Thus, contrary to Appellants' argument, we find Schwarzhoff teaches authenticating "to the card," as recited in claim 1.

Furthermore, Appellants argue the Examiner's statement that each step of claim 1 is performed "at the terminal device" is erroneous because the claim recites "whereby the transformed value is configured to be provided to the card as a single expected response that authenticates the terminal and the user to the card." Reply Br. 7 (citing Ans. 7). According to Appellants, therefore, "[i]t is the card that authenticates." Reply Br. 7. We disagree with Appellants' interpretation because claim 1 does not affirmatively recite a step requiring the card to perform authentication. In fact, the claim does not even recite a step requiring provision of the transformed value to the card. Rather, the language cited by Appellants is recited in a "whereby" clause that recites that "the transformed value is configured to be provided to the card." That is, claim 1, at most, requires only that the transforming step configure the transformed value as specified, but does not require provision of the transformed value to, or any particular action by, the card. Thus, the Examiner is correct that claim 1 "explicitly and repeatedly state[s] that each and every step of the claim is performed 'at the terminal device.'" Ans. 7. In any event, Schwarzhoff discloses that the smart card performs authentication, as discussed above. See Schwarzhoff § 5.1.2.1.

Appellants further contend "it is improper to combine Schwarzhoff with Stolz," arguing that, "[e]ven in a post-KSR era, a motivation to combine references is still a requirement to maintain a prima facie case of obviousness." App. Br. 9. Appellants still further argue that "some suggestion must be identified as to why references would be combined." App. Br. 9. Contrary to Appellants' arguments, the Court in KSR repudiated any requirement for such a "teaching, suggestion or motivation" to show obviousness. KSR Int'l Co. v. Teleflex Inc., 550 U.S. 398, 415 (2007) ("We begin by rejecting the rigid approach of the Court of Appeals."). Rather, the requirement is that the Examiner show "the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains." KSR, 550 U.S. at 406 (quoting 35 U.S.C. § 103). Here, the Examiner explained how the subject matter of the claims would have been obvious to a person of ordinary skill in the art, providing articulated reasoning with rational underpinning, supported by evidence in the record. See Final Act. 5-6 (rationale reproduced above); Ans. 5-8.

Appellants argue that the combination is improper because

[t]he motivation to utilize a card to authenticate a user and a terminal is counterintuitive which, in part, illustrates the novelty of Appellant's claims and the inability to maintain the rejection over teachings whereby a terminal (or authentication manager or module - see Stolz) authenticates a card and a user.

Reply Br. 7-8. However, this argument overlooks Schwarzhoff's express teaching, explained above, that the smart card performs authentication. See Schwarzhoff § 5.1.2.1 ("The smart card would then decrypt it using the same algorithm as the client application and compare it to its internally stored copy of the challenge. If the cryptograms match, the client application is authenticated to the smart card."). As such, Appellants' arguments do not persuade us the Examiner erred in combining Schwarzhoff and Stoltz.

Because we are not persuaded of error in the Examiner's conclusion of obviousness of the subject matter of claim 1, we sustain the rejection of claim 1 under 35 U.S.C. § 103(a).

Appellants present no persuasive arguments for independent claims 9 and 16, arguing that these claims "recite a similar limitation and are rejected for similar reasons." App. Br. 10.
Because we sustain the rejection of claim 1, we likewise sustain the rejection of independent claims 9 and 16. We further note Appellants' arguments that the card, not the terminal, must perform authentication, which we address above, do not address the broader scope of independent claims 9 and 16. In particular, independent claim 9 recites that "one or both of the card and terminal are adapted to verify an authenticity of the other of the card and terminal," and independent claim 16 recites "transmitting the combined authentication value to one of a card and terminal such that the combined authentication value, or a transformation thereof, can be analyzed by an analyzing device." (Emphases added). Thus, the scope of these claims encompasses authentication by devices other than the card.

With respect to dependent claims 2-8, 10-15, and 17-20, Appellants rely on arguments advanced with respect to the independent claims and do not advance additional persuasive arguments for patentability. As such, we also sustain the rejections of the dependent claims.

DECISION

We affirm the Examiner's decision to reject claims 1-20.

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED