Colin Tanner et al.
Patent Trials and Appeals Board
Jul 30, 2019
13769059 - (D) (P.T.A.B. Jul. 30, 2019)

UNITED STATES PATENT AND TRADEMARK OFFICE

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS
P.O. Box 1450
Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 13/769,059
FILING DATE: 02/15/2013
FIRST NAMED INVENTOR: Colin TANNER
ATTORNEY DOCKET NO.: 0076412-000111
CONFIRMATION NO.: 1274

21839 7590 07/30/2019
BUCHANAN, INGERSOLL & ROONEY PC
POST OFFICE BOX 1404
ALEXANDRIA, VA 22313-1404

EXAMINER: TROTTER, SCOTT S
ART UNIT / PAPER NUMBER: 3696
NOTIFICATION DATE: 07/30/2019
DELIVERY MODE: ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding.

The time period for reply, if any, is set in the attached communication.

Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es):
ADIPDOC1@BIPC.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE
____________

BEFORE THE PATENT TRIAL AND APPEAL BOARD
____________

Ex parte COLIN TANNER, DAVID ANTHONY ROBERTS, SUSAN THOMPSON, and CLIVE LEADER
____________

Appeal 2017-006677
Application 13/769,059
Technology Center 3600
____________

Before JOSEPH A. FISCHETTI, AMEE A. SHAH, and MATTHEW S. MEYERS, Administrative Patent Judges.

SHAH, Administrative Patent Judge.

DECISION ON APPEAL [1]

The Appellants [2] appeal under 35 U.S.C. § 134(a) from the Examiner’s final decision rejecting claims 1–20, which are all of the pending claims. The Appellants’ representative appeared for Oral Argument on July 23, 2019. We have jurisdiction under 35 U.S.C. § 6(b).

We REVERSE.

[1] Throughout this Decision, we refer to the Appellants’ Appeal Brief (“Appeal Br.,” filed Sept. 6, 2016), Reply Brief (“Reply Br.,” filed Mar. 24, 2017), and Specification (“Spec.,” filed Feb. 15, 2013), and to the Examiner’s Answer (“Ans.,” mailed Jan. 25, 2017) and Final Office Action (“Final Act.,” mailed Apr. 8, 2016).

[2] According to the Appellants, the real party in interest is “MasterCard International Incorporated.” Appeal Br. 2.

STATEMENT OF THE CASE

The Appellants’ invention “relates to the transmission of authorization requests and the authentication of the same, specifically the use of an integrated circuit card dynamic number to authenticate the authorization request prior to the request arriving at the payment processor.” Spec. ¶ 1.

Claims 1, 6, 11, and 16 are the independent claims on appeal. Claim 1 (Appeal Br. 19 (Claims App’x)) is illustrative of the subject matter on appeal and is reproduced below (with added bracketing for reference):

1. A method for verifying the source of an authorization request, comprising:

   [(a)] receiving, at a server and from an issuer computer system, an integrated circuit card (ICC) master key;

   [(b)] storing, in a database of the server, the integrated circuit card (ICC) master key;

   [(c)] receiving, by a receiving device of the server and from a mobile device, an authorization request for a transaction, wherein

      [(c1)] the authorization request (i) is generated as part of a transaction conducted between the mobile device and a terminal and (ii) includes at least an ICC dynamic number,

      [(c2)] the ICC dynamic number (i) is produced by a one-off session key derived from the ICC master key, (ii) corresponds to data exchanged between the mobile device and the terminal during the transaction and, (iii) is extracted, by an application program executed by the mobile device, from signed data generated by a payment card during combined data authentication (CDA) occurring during the transaction between the mobile device and the terminal, and

      [(c3)] the signed data is based on the ICC master key;

   [(d)] verifying, by a processing device of the server, the authenticity of the ICC dynamic number received from the mobile device using the stored ICC master key; and

   [(e)] transmitting, by a transmitting device, the authorization request to a third party, when the authenticity of the ICC dynamic number is verified.

REJECTIONS [3]

Claims 1–6, 8–16, and 18–20 stand rejected under 35 U.S.C. § 103(a) as being unpatentable over Coppinger (US 2011/0238579 A1, pub. Sept. 29, 2011), Ates (US 2005/0119978 A1, pub. June 2, 2005) and Bruce Schneier, APPLIED CRYPTOGRAPHY, SECOND EDITION PROTOCOLS, ALGORITHMS, AND SOURCE CODE IN C 32–44 (1996) (“Schneier”).

Claims 7 and 17 stand rejected under 35 U.S.C. § 103(a) as being unpatentable over Coppinger, Ates, Schneier, and Ishimi et al. (US 2003/0140011 A1, pub. July 24, 2003) (“Ishimi”).

[3] The Examiner withdraws the rejection under 35 U.S.C. § 101 of claims 1–20. Ans. 14.

ANALYSIS

The Appellants contend, in relevant part, that the Examiner’s rejection of the independent claims is in error because the prior art does not teach “generating a number from ‘a one-off session key derived from the ICC master key,’ or extracting the ICC number from ‘signed data generated by a payment card during combined data authentication’ during the transaction between the mobile device and the terminal,” the signed data based on the master key, as recited in limitations (c2) and (c3) of claim 1 and similarly recited in claims 6, 11, and 16. Appeal Br. 16–17; see also Reply Br. 2–4. After careful review of the record, we agree that the Examiner has not adequately shown how the prior art, alone or in combination, teaches these limitations.

The Examiner finds that Coppinger teaches receiving an authorization request including “at least an ICC dynamic number, the ICC dynamic number is extracted from signed data generated by a payment card during combined data authentication (CDA), and the signed data is based on the ICC master key [Coppinger’s token]” in that Coppinger teaches “[v]erifying a validation request.” Final Act. 7–8 (citing Coppinger ¶ 34). The Examiner does not explicitly state what in Coppinger meets the dynamic number. The Examiner acknowledges that “[w]hile Coppinger teaches authorizing transaction[,] it is not explicit about using an integrated circuit card,” for which the Examiner cites to Ates as teaching. Id. at 8 (citing Ates, Abstract). The Examiner also acknowledges that Coppinger does not teach “the server and mobile device having [the claimed] particular roles in the encrypted communication,” and relies on Schneier to cure this deficiency. Id. (citing Schneier 33, 37–44). The Examiner elaborates in the Answer that “[t]he one-off session keys and master keys are taught by Schneier which also teaches electronic signatures. Therefore no matter what they want to call the pieces sending encryption keys between devices and confirming authorizations by electronic signatures are obvious applications of Schneier.” Ans. 14. The Examiner equates the claimed extracting of an ICC dynamic number from signed data as “simply receiving an encrypted communication included in an authentication statement by a digital signature.” Id.

Coppinger teaches that an “NACV [Network Access and Credential Verification] module maintains information that provides access to a wireless network and secure personal token features.” Coppinger ¶ 19. The NACV module creates transaction parameters based on a received and processed network, identity, or transaction instrument profile, and uses the parameters to retrieve a token. Id.
A “computing system searches a database to locate a record corresponding to the token.” Id. If the search is successful, the computing system retrieves account information from a database and transforms the information into an authorization request sent by the computing system to the NACV module. Id. “For example, a smart card may execute a credential verification application in response to receiving a validation request from a POS device.” Id. ¶ 34. Or, the NACV module “may invoke a credential verification application in response to receiving a verification request from a profile or payment gateway.” Id.

Schneier teaches a “hybrid cryptosystem” whereby a “public-key cryptography is used to secure and distribute session keys, [and] those session keys are used with symmetric algorithms to secure message traffic.” Schneier 33 (emphasis omitted). For example, a first entity “Bob” sends a second entity “Alice” a public key. Id. Alice then generates a random session key using the public key and sends the session key to Bob, who decrypts Alice’s message using his private key to recover the session key. Id. “Both of them encrypt their communications using the same session key.” Id.

Schneier also teaches processes for signing documents with public key cryptography and digital signatures with encryption. Id. at 37–44. One such process is a basic protocol of, using the entities above, Alice encrypting a document with her private key that signs the document and sending the signed document to Bob who then decrypts the document with Alice’s public key, from a secure database, thus verifying the signature. Id. at 37, 43.
Another process is a protocol with one-way hash functions whereby Alice produces a one-way hash of a document, encrypts the hash with her private key that signs the document, and sends the document and signed hash to Bob who then produces a one-way hash of the sent document and uses a digital signature algorithm to decrypt the signed hash with Alice’s public key. Id. at 38. If the signed hash matches Bob’s generated hash, the signature is valid. Id. Schneier discusses that a benefit of digital signatures with encryption is that it “combines the security of encryption with the authenticity of digital signatures.” Id. at 41.

The claims require that an ICC dynamic number is “extracted . . . from signed data generated by a payment card during combined data authentication,” the signed data being “based on the ICC master key” (claims 1 and 11) or “extracting, from the generated signed data and by the mobile device, an ICC dynamic number based on the ICC master key,” the signed data generated from “authenticating . . . the data related to the payment card using combined data authentication” (claims 6 and 16). Appeal Br. 19–22 (Claims App’x). As such, the Examiner’s interpretation of signed data as communication included during authentication by a digital signature is reasonable. However, the Examiner does not adequately explain how Coppinger or Schneier teaches that the ICC number is extracted from this signed data. The Examiner does not explain how Coppinger’s verification process of locating a record based on the token, i.e., master key, teaches an ICC, or any, number or receiving a number that is extracted from communication during authentication by a digital signature. The Examiner further does not explain how Schneier’s protocols regarding generating and sending a key and using the key to verify a signature teaches receiving a number that is based on information extracted during the authentication process.
The Examiner’s statement that extracting an ICC number from signed data is equivalent to “receiving an encrypted communication included in an authentication statement by a digital signature” (Ans. 14) is not supported by adequate reasoning or evidence. And, the Examiner does not adequately explain how Coppinger’s teaching of a validation process is combined with Ates’s teaching of an ICC card and Schneier’s teaching of an electronic signature to teach the claimed ICC number extracted from signed data generated by a payment card during authentication based on the master key or generated by payment authentication data. See Reply Br. 2–4.

Based on the foregoing, we are persuaded of error in the Examiner’s rejection of independent claims 1, 6, 11, and 16 under 35 U.S.C. § 103(a), and we do not sustain the rejection of claims 1–6, 8–16, and 18–20.

For the rejection of dependent claims 7 and 17, the Examiner relies on the same deficient finding of independent claims 6 and 16. Thus, for the same reasons as for claims 6 and 16, we also do not sustain the rejection of dependent claims 7 and 17.

DECISION

The Examiner’s rejections of claims 1–20 under 35 U.S.C. § 103(a) are REVERSED.

REVERSED