15141567 - (D) (P.T.A.B. May. 17, 2019)

Ex Parte Gross et al

Patent Trials and Appeals BoardMay 17, 2019

15141567 - (D) (P.T.A.B. May. 17, 2019)

UNITED STA TES p A TENT AND TRADEMARK OFFICE APPLICATION NO. FILING DATE 15/141,567 04/28/2016 23694 7590 05/21/2019 Law Office of J. Nicholas Gross, Prof. Corp. POBOX9489 BERKELEY, CA 94709 FIRST NAMED INVENTOR John Nicholas Gross UNITED STATES DEPARTMENT OF COMMERCE United States Patent and Trademark Office Address: COMMISSIONER FOR PATENTS P.O. Box 1450 Alexandria, Virginia 22313-1450 www .uspto.gov ATTORNEY DOCKET NO. CONFIRMATION NO. JONK 2015-2CIP2 7332 EXAMINER KING, DOUGLAS ART UNIT PAPER NUMBER 2824 NOTIFICATION DATE DELIVERY MODE 05/21/2019 ELECTRONIC Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es): eofficeaction@appcoll.com j ngross@pac bell. net PTOL-90A (Rev. 04/07) UNITED STATES PATENT AND TRADEMARK OFFICE BEFORE THE PATENT TRIAL AND APPEAL BOARD Ex parte JOHN NICOLAS GROSS AND DAVID K.Y. LIU Appeal2018-006248 Application 15/141,567 Technology Center 2800 Before KAREN M. HASTINGS, JENNIFER R. GUPTA, and LILAN REN, Administrative Patent Judges. HASTINGS, Administrative Patent Judge. DECISION ON APPEAL STATEMENT OF THE CASE Appellant1 appeals under 35 U.S.C. Â§ 134(a) from the Examiner's Final Rejection of claims 1-3 and 14--20 rejected under 35 U.S.C. 103 as being unpatentable over Logan (US 2011/0213845 Al, pub. Sep. 1, 2011) with Starek (US 6,256,646 Bl, pat. Jul. 3, 2001) (Ans. 2), and claims 4--13 as being unpatentable over Logan, Starek, and Banerjee (US 2011/0142014 Al, pub. Jun. 16, 2011) (Id.). The Examiner also rejected claim 5 under 35 U.S.C. Â§ l 12(a) as failing to comply with the written description 1 Appellant is the applicant, Jonker LLC, which is also stated to be the real party in interest (Appeal Br. 2). Appeal2018-006248 Application 15/141,567 requirement (Final Act. 3; Ans. 2); and claims 4--13 under 35 U.S.C. Â§ 112(b) as being indefinite (Id.). 2 We have jurisdiction over the Appeal under 35 U.S.C. Â§ 6(b ). We affirm. CLAIMED SUBJECT MATTER Claim 5 is representative ( emphasis added to highlight key disputed limitations): 5. A method of implementing a secure communications channel compnsmg: receiving a request at a first wireless communications device for a secure wireless data session with a second communications device; in response to said request, establishing a connection to said second communications device during which any wireless data received by said first device is treated by such device as ephemeral data in accordance with a set of ephemeral parameters specified for such data; processing said received ephemeral data and storing it in an ephemeral nonvolatile memory device that is coupled to but separate from said first communications device; wherein said received ephemeral data from said second communications device is not stored in any non-ephemeral non- volatile memory circuit contained within the first communications device; automatically erasing said received ephemeral data from the second communications device based on said set of ephemeral parameters, including in response to one of: a) a read access; b) a time expiration; c) a predetermined event relating to said ephemeral memory device; 2 The Examiner withdrew theÂ§ 112(a) rejection of claims 10, 11, 16, and 17, and also withdrew theÂ§ 112(b) rejection of claims 1-3 and 14-20 (Ans. 2). 2 Appeal2018-006248 Application 15/141,567 wherein said automatically erasing effectuates an ephemeral treatment of said received ephemeral data by irreversibly destroying said data at a physical level and such that said data cannot be read again after any first read access is made to such data within the ephemeral non-volatile memory device; processing any transmitted data by said first communications device as ephemeral data such that it is also not stored in any non- volatile memory circuit of the first communications device; wherein said set of ephemeral parameters further operate to effectuate an end-to-end ephemeral channel, by specifying and controlling data treatment by any intermediary processing systems between the first wireless communications device and said second communications device such that such intermediary processing systems store such ephemeral data in an ephemeral non-volatile memory or an ephemeral storage. Independent claim 1 is also directed towards a method for implementing a secure communications device but is somewhat broader than claim 5 in that, e.g., it lacks the last clause of claim 5 (Claims Appendix 21 ). OPINION Upon consideration of the evidence of record and each of Appellant's contentions as set forth in the Appeal Brief filed December 18, 2017, as well as the Reply Brief filed May 29, 2018, we determine that Appellant has not demonstrated reversible error in the Examiner's rejection (e.g., Ans. 3-17 (mailed March 27, 2018)). In re Jung, 637 F.3d 1356, 1365---66 (Fed. Cir. 2011) ( explaining the Board's long-held practice of requiring Appellants to identify the alleged error in the Examiner's rejection.). We sustain the rejections for the reasons expressed by the Examiner in the Final Office Action and the Answer. We add the following for emphasis. 3 Appeal2018-006248 Application 15/141,567 Â§112 (a): Written Description rejection The written description "must clearly allow persons of ordinary skill in the art to recognize that [the inventor] invented what is claimed." Ariad Pharm., Inc. Eli Lilly & Co., 598 F.3d 1336, 1351 (Fed. Cir. 2010) (en bane) ( citation and quotations omitted, alteration in the original). The test is whether the disclosure "conveys to those skilled in the art that the inventor had possession of the claimed subject matter as of the filing date." Id. Moreover, the Federal Circuit also stated that the written description clause of section 112 has been construed to mandate that the specification satisfy two closely related requirements - it must describe the manner and process of making and using the invention so as to enable a person of skill in the art to make and use the full scope of the invention without undue experimentation and "it must describe the invention sufficiently to convey to a person of skill in the art that the patentee had possession of the claimed invention at the time of the application, i.e., that the patentee invented what is claimed." LizardTech, Inc. v. Earth Resource Mapping, Inc., 424 F.3d 1336, 1344--1345 (Fed. Cir. 2005) (while the inventor had the intent to cover generic methods with his patent, he did not disclose enough in the specification to enable one skilled in the art to make and use the generic invention and thus did not show possession of the generic claims). The Examiner found that the Specification lacks written description for the limitation of "any intermediary processing systems" between the wireless communications device and the second communications device in claim 5. Appellant urges that because this limitation was presented in the original claims, that limitation in dispute should "enjoy[] ... a 'strong presumption' of adequate written description." (Appeal Br. 17; internal 4 Appeal2018-006248 Application 15/141,567 citation omitted). Appellant argues that the "end-to-end ephemeral channel" would "clearly encompass any intermediary processing point, and it would defeat the purpose of Claim 5 to have intermediaries that did not comply with such specification." (Appeal Br. 17-18). Further, Appellant states that they are not "required to identify or disclose every possible variety." (Appeal Br. 18). Appellant restates his position that Appellant's "need only to describe how such systems, irrespective of form, might achieve such function" (Reply Br. 11 ). These arguments are not persuasive of reversible error in the Examiner's rejection. As the Examiner stated, the limitation "any intermediary processing systems" on its face means that claim 5 may encompass all intermediary devices that Appellant has not invented and devices yet to be invented (Ans. 12). In light of this, it can not be said that Appellant was in possession of the full scope of the invention as generically recited (that is, any intermediary systems). See LizardTech, Inc. at 1345 ( citing O'Reilly v. Morse, 56 U.S. 62, 112-13 (1853)). Accordingly, for this reason, as well as reasons set out by the Examiner (Ans. 11-12), we affirm the rejection of claim 5 as lacking written description support in the Specification. Â§112 (b): Indefiniteness rejection During prosecution, claims are definite if they "set out and circumscribe a particular area with a reasonable degree of precision and particularity." In re Moore, 439 F.2d 1232, 1235 (CCPA 1971). In prosecution before the PTO "[i]t is the applicants' burden to precisely define the invention, not the PTO's." In re Morris, 127 F.3d 1048, 1056 (Fed. Cir. 5 Appeal2018-006248 Application 15/141,567 1997). The purpose of this requirement is to provide the public with adequate notice of the boundaries of protection involved. The time to do so is during prosecution where an applicant has the ability to amend the claims to more precisely define the metes and bounds of the claimed invention. See Ex Parte Miyazaki, 89 USPQ2d 1207, 1210-12 (PTAB 2008). The Examiner found the language of dependent claim 4 and claim 5- 133 as indefinite (Final Act. 3, Ans. 2). Claim 4 recites "data from" (Claim Appendix 2). Appellant merely argues that the metes and bounds for "data" "is fairly apparent" in context of claim 1 (Appeal Br. 19; Reply Br. 11 ). The Examiner presented multiple reasonable interpretations regarding what data is included or not in the term "data from" (Ans. 12). Appellant does not provide any persuasive technical reasoning or adequate evidence to support their interpretation of "data from" as recited in claim 4. We do not, therefore, find Appellant's argument persuasive. Similarly regarding independent claim 5, Examiner identifies the limitation "also not stored in any non-volatile memory circuit of the first communications device" as indefinite (Final Act. 3; Ans. 12-13). Appellant argues that the limitation in context should be clearly defined for the skilled artisan. (Appeal Br. 19-20; Reply Br. 12). We agree with Examiner's position as presented in the Examiner's Answer. (Ans. 13 (Examiner suggested language to cure the indefiniteness which Appellant has adopted 3 Claim 6-8 and 10-13 are dependent upon claim 5 or other claims dependent on 5 with claim 9 dependent upon itself. (Appeal Br. 19 and 24; Reply Br. 12). Accordingly the remaining dependent claims stand or fall with independent claim 5 and claim 9 should be corrected to depend from claim 5 in any further prosecution. 6 Appeal2018-006248 Application 15/141,567 in the argument but has not changed the claim)). Appellant merely asserts their position, but do not present any further evidence to support their position; therefore, we find Appellant's argument unpersuasive. TheÂ§ 103 rejections It has been established that "the [obviousness] analysis need not seek out precise teachings directed to the specific subject matter of the challenged claim, for a court can take account of the inferences and creative steps that a person of ordinary skill in the art would employ." KSR Int 'l Co. v. Teleflex Inc., 550 U.S. 398,418 (2007); see also In re Fritch, 972 F.2d 1260, 1264-- 65 (Fed. Cir. 1992) (A reference stands for all of the specific teachings thereof as well as the inferences one of ordinary skill in the art would have reasonably been expected to draw therefrom). Although Appellant separately addresses claims 1 and 5 (Appeal Br. generally), all of the arguments for claim 5 (Appeal Br. 15) were made for in claim 1 (Appeal Br. 7-14; Reply Br. 2-9) and Appellant argues an additional limitation in claim 5 (Appeal Br. 15). Thus, we address the arguments common to claims 1 and 5 together in this analysis and will separately address the additional limitation in claim 5. Appellant first contends that Examiner failed to appreciate the meaning of "ephemeral" in the presented claim language (Appeal Br. 5---6; Reply Br. 2-3). Appellant further asserts that the relied upon "flash memory" is silent as the "ephemeral treatment of data by irreversibly destroying the data after any first read access is made to such data." (Appeal Br. 8-9; Reply Br. 6-7). Appellant also argues that the Examiner "mistyped or miscopied" the claim language which produced an "analysis that is simply 7 Appeal2018-006248 Application 15/141,567 not relevant' because the Examiner failed to address that "an ephemeral non- volatile memory device is coupled to but separate from said first communication device" (Appeal Br. 1 O; Reply Br. 7). Appellant also contends that the Examiner failed to provide proper reasoning to modify Logan with the teachings from Starek (Appeal Br. 11-14). These arguments are not persuasive. Appellant has not identified reversible error in the Examiner's position that "ephemeral" should only be given its broadest reasonable interpretation. It is well established that "during examination proceedings, claims are given their broadest reasonable interpretation consistent with the specification." In re Hyatt, 211 F.3d 1367, 1372 (Fed. Cir. 2000). In this case, the Examiner explained that Appellant uses "ephemeral" as a descriptive word and that "ephemeral memory," "ephemeral data," and "ephemeral parameters" are not standard terms in the art (Ans. 3). "Ephemeral" does not offer any additional structure or function to the recited structure (Id.). The Appellant has not directed us to any portion of the Specification to assign any particular meaning for "ephemeral"; therefore, "ephemeral" is properly given its broadest reasonable interpretation by the Examiner ( e.g., the plain and ordinary meaning). 4 See also, In re ICON Health & Fitness, Inc., 496 F.3d 1374, 1379 (Fed. Cir. 2007) (if the 4 Even if "ephemeral" were given a more specific meaning as urged by Appellant (Reply Br. 2), it appears that prior art exists that the claims would appear to encompass (e.g., Tung et al., Pandora Messaging: An Enhanced Self-Message-Destructing Secure Instant Messaging Architecture for Mobile Devices, 26th International Conference on Advanced Information Networking and Applications Workshops, 2012). 8 Appeal2018-006248 Application 15/141,567 Specification does not provide a definition for claim terms, the PTO applies the broadest reasonable interpretation). Appellant admits that conventional flash memory can be used in the alleged invention (e.g., Spec. 13-14). Appellant's assertion that the "generic flash memory 108" cannot perform the function (Appeal Br. 9, Reply Br. 3- 5) in the claimed manner is not persuasive as embodiments from Appellant's specification use "conventional flash memory" to perform the claimed functions. (Spec. 13-14). An applicant cannot defeat an obviousness rejection by asserting that the cited references fail to teach or suggest elements which the applicant has acknowledged are taught by the prior art. Constant v. Adv. Micro-Devices, Inc., 848 F.2d 1560, 1570 (Fed. Cir. 1988); In re Nomiya, 509 F.2d 566, 571 n.5 (CCPA 1975) (A statement by an applicant that certain matter is prior art is an admission that the matter is prior art for all purposes.). Further, Appellants admit that "the flash memory" stores messages (Spec. ,r 26) and that those messages can be automatically deleted (Spec. ,r 81 ). (Appeal Br. 9 see Appellant's excerpt). The claims merely require that the messages be irreversible and automatically deleted (Ans. 5). Moreover, Logan's paragraph 89 teaches "the message is automatically deleted so that the recipient cannot later use the information contained therein for another purpose" (Final Act. 6-7). Examiner further relies on Logan's paragraph 74 to teach a secure form of permanent deletion. 5 (Final 5 "To enhance the privacy of the message, when the message server 268 deletes the message after transmission, the file containing the message may be overwritten or erased, rather than simply being marked for deletion. Overwriting or erasing the message discourages later recovery of the 9 Appeal2018-006248 Application 15/141,567 Act. 6). Appellant has not offered adequate evidence or persuasive technical reasoning that the Examiner erred in his determination that the claims as written encompass Logan's automatic and permanent deletion scheme. Next, Appellant argued the Examiner failed to address that "an ephemeral non-volatile memory device is coupled to but separate from said first communication device" (Appeal Br. 1 O; Reply Br. 7). To the contrary, the Examiner addressed this limitation in the Final Action (Final Act. 5---6) and reiterated his position in the Answer (Ans. 5---6). Appellant's conclusory assertions (Reply Br. 7-8) are not persuasive of error in the Examiner's position. The final argument that claims 1 and 5 share is Appellant's contention that the Examiner failed to provide proper reasoning to modify Logan with the teachings from Starek (Appeal Br. 11-14). Appellants argue that the Examiner is relying on the "flush operation on a hard drive" to modify the flash memory. (Appeal Br. 13). However, the Examiner points out that this was not his position (Final Act. 5; Ans. 5), and that Starek is merely relied upon to exemplify that a skilled artisan would have known that overwriting data is a form of secure deletion at the time of Appellant's filing (Ans. 5). KSR, 550 U.S. at 421 ("A person of ordinary skill is also a person of ordinary creativity, not an automaton."); Ball Aerosol and Specialty Container, Inc. v. Limited Brands, Inc., 555 F.3d 984, 993 (Fed. Cir. 2009) (Under the flexible inquiry set forth by the Supreme Court, the PTO must message from the message server's storage media." (Logan, ,r 74; emphasis added). 10 Appeal2018-006248 Application 15/141,567 take account of the "inferences and creative steps," as well as routine steps, that an ordinary artisan would employ). For the first time, in the Reply Brief, Appellant argues that the combination relied upon by the Examiner requires the hard drive of Starek to replace the flash memory in Logan (Reply Br. 5). In doing so, Appellant appears to have changed their position with regards to the operation of the flash memory. 6 (Reply Br. 5). The Appellant has not shown good cause why these arguments could not have been presented in the Appeal Brief. Therefore, we need not consider the arguments newly raised in the Reply Brief. 37 C.F.R. Â§ 4I.41(b)(2). Nonetheless, as discussed above, the Examiner did not rely upon the Starek's physical hard drive for the modification, but only that overwriting data is a form of secure deletion. Appellant asserts that the Examiner has not established that the prior art teaches or suggests the limitation "an end-to-end ephemeral channel, by specifying and controlling data treatment by any intermediary processing systems between the first wireless communications device and said second communications device such that such intermediary processing systems store such ephemeral data in an ephemeral non-volatile memory or an ephemeral storage" as required by claim 5 (Appeal Br. 15). As the Examiner points out, to the contrary, this limitation was considered in the Final Action using Banerjee (Final Act. 9; Ans. 9). The Examiner explains that in view of Banerjee an ad hoc secure communication channel between 6 In the Appeal Br., Appellant admits that Logan ,r 26 teaches the flash memory stores messages. (Appeal Br. 9). Appellant is newly arguing that the flash memory is not designed for messages, but rather is designed to run the software such as an operating system. (Reply Br. 5). 11 Appeal2018-006248 Application 15/141,567 two communication devices meets the claim language (i.e. end to end). (Ans. 9). Appellant has not offered adequate evidence or persuasive technical reasoning to identify reversible error in the Examiner's position (Reply Br. 9). Appellant argues for the first time in the Reply Brief that the Examiner presented "a bit of a contradiction" because the Examiner admits Banerjee "shows only a secure point-to-point communication channel" (Reply Br. 9). Appellant has not shown good cause why this argument could not have been presented in the Appeal Brief. Therefore, we need not consider the arguments newly raised in the Reply Brief. 37 C.F.R. Â§ 41.41 (b )(2). Finally, Appellant argued that Logan did not teach a "single operation" as required in dependent claim 3 (Appeal Br. 3; Reply Br. 9). Examiner explained that the claim does not define the "single operation" (Ans. 9) and that a single operation could be the "user data is read from memory and automatically deleted once read by user" (Final Act. 7). Appellant has not provided adequate evidence or persuasive technical reasoning to identify reversible error in the Examiner's position. Thus, a preponderance of the evidence supports the Examiner's position with respect to claims 1, 5 and 3 (Ans. generally). Appellant has not presented any further substantive arguments for the remaining dependent claims. In summary, Appellant has not identified error in the Examiner's position that the claimed subject matter is obvious within the meaning of 35 U.S.C. Â§ 103. 12 Appeal2018-006248 Application 15/141,567 DECISION The decision of the Examiner is affirmed. No time period for taking any subsequent action in connection with this Appeal may be extended under 37 C.F.R. Â§ 1.136(a)(l)(iv). AFFIRMED 13 Application/Control No. Applicant(s)/Patent Under Patent Appeal No. 15/141,567 2018-006248 Notice of References Cited Examiner Art Unit Page 1 of 1 2824 U.S. PATENT DOCUMENTS * Document Number Date Name Classification Country Code-Number-Kind Code MM-YYYY A US- B US- C US- D US- E US- F US- G US- H US- I US- J US- K US- L US- M US- FOREIGN PATENT DOCUMENTS * Document Number Date Country Name Classification Country Code-Number-Kind Code MM-YYYY N 0 p Q R s T NON-PATENT DOCUMENTS * Include as applicable: Author, Title Date, Publisher, Edition or Volume, Pertinent Pages) Tung et al., Pandora Messaging: An Enhanced Self-Message-Destructing Secure Instant Messaging u Architecture for Mobile Devices, 26th International Conference on Advanced Information Networking and Applications Workshops, 2012. V w X *A copy of this reference 1s not being furnished with this Office action. (See MPEP Â§ 707.05(a).) Dates in MM-YYYY format are publication dates. Classifications may be US or foreign. U.S. Patent and Trademark Office PT0-892 (Rev. 01-2001) Notice of References Cited Part of Paper No. 2012 26th International Conference on Advanced Information Networking and Applications Workshops Pandora Messaging: An Enhanced Self-Message-Destructing Secure Instant Messaging Architecture for Mobile Devices Tsai-Yeh Tung Institute of Information Science Academia Sinica, Department of Computer Science and Information Engineering National Taiwan University Taipei, Taiwan Laurent Lin D. T. Lee Research Center for Information Technology Innovation Academia Sinica Institute of Information Science & Research Center for Information Technology Innovation Academia Sinica, Department of Computer Science and Engineering National Chung Hsing University Taichung, Taiwan Taipei, Taiwan e-mail: laurent@citi.sinica.edu. tw e-mail: tytung@iis.sinica.edu.tw Abstract-We propose the Pandora Messaging, an enhanced secure instant messaging architecture which is equipped with a self-message-destructing feature for sensitive personal information applications in a mobile environment. We design the Pandora Message Encryption and Exchange Scheme and the format of a self-destructible message to show how to exchange these messages atop the existing instant messaging service architecture (in this case, XMPP). The Pandora Messaging-based system enables senders to set time, frequency, and location constraints. These conditions determine when the transmitted messages should be destructed and thus become unreadable for receivers. The Pandora Messaging-based system securely sends self- destructible messages to receivers in a way that it uses ephemeral keys to encrypt the messages and transmits the encrypted messages to the designated receivers via the XMPP instant messaging service in real time. When the transmitted messages' constraints are satisfied, the ephemeral key used for encryption will be deleted. Thus, the encrypted messages become unrecoverable. We have implemented a simple messenger application on the Android platform and have evaluated its performance to show that our proposed Pandora Messaging architecture is practical and feasible for sensitive personal information communication on mobile devices. Keywords: self-message-destructing, XMPP, secure instant messaging, encryption, ephemeral key I. INTRODUCTION The popularity of instant messaging has grown in an exponential way. However, most popular instant messaging services often trade speed for security. Thus, the users are subjected to constant eavesdropping, unwanted leakage of confidential information, and even compromises of users' media used in instant messaging. There are several secure instant messaging services for personal or enterprise use [1][2]. The server may contain the unencrypted messages for administrative purposes. Thus, the user cannot guarantee the confidentiality of the message delivered. The unwanted consequence of leaving unencrypted messages on servers may cause leakage of personal information, or even identity theft. For example, the commercial instant messaging 978-0-7695-4652-0/12 $26.00 Â© 2012 IEEE DOI 10.1109/W AINA.2012.112 720 e-mail: dtlee@ieee.org providers may choose to mine these plaintext messages for target advertisements. To solve the aforementioned issues, Kikuchi, et al [3] presented a secure instant messaging protocol preserving confidentiality against administrator. A limitation of their protocol is that it needs to modify the instant messaging server to satisfy the protocol requirements. In addition to encrypting the messages for confidentiality, there are some systems with a "self-data-destructing" feature. These systems focus on making data disappear after a pre- specified time. In other words, data is encrypted and the encryption key is deleted after the expiration time, so that the encrypted data becomes unrecoverable, i.e., self- destructed. To our knowledge, the concept of "self- destructing" data was first mentioned by Boneh and Lipton in a revocable backup system [ 4]. Then some systems such as Ephemerizer [5][6], Vanish [7] and Porter Devices [8] were proposed. However, none of them integrate this concept with the instant messaging service using mobile devices and take account of their limitation. We present a secure instant message encryption and exchange scheme, which can be used directly atop an existing instant messaging service architecture, so that it is easily deployable, leveraging the existing infrastructure. Specifically, we add a self-message-destructing feature to get the enhanced secure instant messaging architecture, named Pandora Messaging. The scope of our mechanism is not limited to instant text messaging. In fact we can extend its usage to enhance the security of transmission channels, such as message push and synchronization technologies among devices connected in the Cloud. To demonstrate the feasibility of our proposed Pandora Messaging architecture, we have implemented a simple messenger application using XMPP (Extensible Messaging and Presence Protocol) instant messaging [9] on the Android platform [10]. A. Contributions This paper introduces the Pandora Messaging, an enhanced secure instant messaging architecture with a self- message-destructing feature for sensitive personal â€¢ IEEc ,\.>-computer . SOClety information applications in a mobile environment. The primary concepts are listed as follows. â€¢ A destructible message encryption and exchange scheme atop the existing instant messaging services to make the message self-destructible. Our approach does not rely on external, special-purpose dedicated services. â€¢ An implementation on Android to demonstrate our Pandora Messaging-based mobile app and evaluate its benchmark performance in terms of key generation and message encryption and decryption time. B. Organization of the Paper This paper is organized as follows. We first present our Pandora Messaging architecture in Section II and introduce the destructible message encryption and exchange schemes in Section III. We then explain the destructible message encapsulation format in Section IV, followed by the description of implementation and benchmark performance in Section V. Finally, we discuss the related work in Section VI and conclude with a summary in Section VII. II. THE PANDO RA MESSAGING ARCHITECTURE In this section, we discuss Pandora Messaging, an enhanced secure instant messaging architecture with a self- message-destructing feature. The Pandora Messaging-based system is for handling the sensitive data encryption and transmission problems in an insecure mobile environment, and making sure the encrypted data is unrecoverable for any one once the destructible message's constraints are satisfied. Its components include: sender, receiver, Instant Messaging Server, and an optional Ephemeral Public Key Manager which is used by the receiver to delegate their ephemeral public keys. We give below the details of each component. A. Sender The sender acts as an instant messaging client. When a sender would like to send a receiver the message containing sensitive personal information, the Pandora Messaging- based application installed in sender's mobile device must be able to do the following tasks: (1) generate a long-term public and private key pair; (2) obtain an ephemeral public key from the receiver via an instant messaging service (IMS) and assign the constraint governing the condition to delete this ephemeral key; (3) generate the encrypted message using this ephemeral public key; (4) send the destructible encrypted message, including the ciphertext encrypted with a secret session key, the related encryption information encrypted with this ephemeral public key, and this ephemeral public key's identifier, to the receiver via an IMS; (5) provide the ephemeral public key when requested by the receiver via an IMS. B. Receiver The receiver also acts as an instant messaging client. To receive the destructible messages, the Pandora Messaging- based application installed in receiver's mobile device must be able to do the following tasks: (1) generate a long-term 721 public and private key pair; (2) generate a series of ephemeral key pairs; (3) receive the destructible encrypted message from the sender via an instant messaging service (IMS); (4) decrypt the destructible encrypted message; (5) provide the ephemeral public key when requested by the sender via an IMS; (6) show the sensitive personal information plaintext on screen after decryption without storing the plaintext in stable storage; (7) securely delete the ephemeral private key (i.e., overwrite it with random data) when the destructible encrypted message's constraints are satisfied. Note that the following assumptions are made. We distribute our executable binary code in a certified form, so we assume the software code is well-behaved. The program installed in receiver's mobile device only saves the encrypted personal information, and leaves no plaintext trace. Besides, the receiver cannot take pictures of the plaintext or use any similar methods to retain the plaintext. As a result, we consider that the sender's encrypted personal information, when the specified constraints are satisfied, becomes unrecoverable (i.e., self-destructed) for everyone. C. Instant Messaging Server An instance messaging server is a communication server which includes the basic features such as the authentication of the user accounts, the management of the user's presence status, and the instant message transmission between users. It may also support the enhanced features, such as the encryptions of the authentication process and the transmission channel, to protect the authentication information and the confidentiality of messages respectively. D. Ephemeral Public Key Manager Ephemeral Public Key Manager is an instance messaging agent which runs on a server to keep itself available for senders and receivers, and supports ephemeral public keys management. It is needed if we intend to support off-line messaging that allows a sender to send the messages to an off-line receiver. Receivers can delegate their ephemeral public keys to the Ephemeral Public Key Manager's database prior to getting off-line, so that senders can still get the required ephemeral keys from the Ephemeral Public Key Manager, rather than awaiting receivers to become on-line later. The key manager is an important role to support the message push and synchronization technologies among mobile devices connected in the Cloud because mobile devices are not always online. III. DESTRUCTIBLE MESSAGE ENCRYPTION AND EXCHANGE SCHEMES Our schemes are designed for the mobile devices, so some limits of the mobile devices, e.g. availability of the network connection and computing power, are under our consideration deliberately. Fig. I shows a basic encryption and exchange scheme under the situation that the receiver is on-line. Then we extend our basic scheme to support the situation that the receiver is off-line in Fig. 2. Receiver (Bob) Obtain an ephemeral public ke {M}S HMAC(M,S) {S, {C}privKeyA}ePubKey keyld Sender (Alice) Figure 1. Basic scheme: send messages when the receiver is on-line. A. Basic Scheme 1) Setup: Bob generates his long-term public and private key pair and a series of ephemeral key pairs EKey = (keyid, ePubKey, ePrivKey) at setup stage where keyid is the ephemeral key identifier, ePubKey is the ephemeral public key, and ePrivKey is the ephemeral private key. 2) Obtain an ephemeral public key: For Alice to send a destructible message to Bob, it is necessary to obtain Bob's {keyid, ePubKey}, optionally signed with his long-term private key privKeyB, from Bob first. 3) Encrytpion: Using Bob's ephemeral public key ePubKey, along with Alice's long-term private key privKeyA, Alice can encrypt her message M with a secret session key S to obtain {M}S, calculate the HMAC value of M and S, and encrypt S and constraint C, optionally signed with privKeyA, with Bob's ePubKey to obtain {S, {C}privKeyA}ePubKey. Then Alice concatenates them with the corresponding ephemeral public key Id to form a single message encapsulation and sends it to Bob. 4) Decrytpion: After receiving Alice's encrypted message, the constraint interpreter inside Bob's mobile device can determine whether to decrypt {M} S by decrypting C and validating C's condition. If necessary, the message can even be deleted upon this stage. B. Enhanced Scheme 1) Setup: As in the basic scheme. In addition, Bob sends {keyid, ePubKey}privKeyB to the Ephemeral Public Key Manager. 2) Obtain an ephemeral public key: For Alice to send a destructible message to Bob, it is necessary to obtain Bob's {keyid, ePubKey}privKeyB from the Ephemeral Public Key Manager first. 3) Encrytpion: As in the basic scheme. 4) Decrytpion: As in the basic scheme. In addition, Bob needs to upload a new pair of {keyid, ePubKey}privKeyB to the Ephemeral Public Key Manager after this stage. C. Security Analysis Note that message M is encrypted with sender's secret session key S, and S is encrypted with Alice's ephemeral public key ePubKey. Thus when Alice's ephemeral private key ePrivKey is deleted, M will become unrecoverable even if Alice's device is compromised. This is because no one can decrypt {S, {C}privKeyA}ePubKey to obtain S, with which 722 Receiver (Bob) Ephemeral Public Key Manager {keyld, ePubKey}privKeyB Sender (Alice) ; Obtain an ephemeral public key -{M}S HMAC(M,S) {keyld, ePubKey}privKeyB {S, {C}privKeyA}ePubKey --keyld - Figure 2. Enhanced scheme: send messages when the receiver is off-line. to obtain M. If we use a long-term public key to protect S, e.g. {S}privKeyA, we cannot guarantee M is unrecoverable forever because an attacker can compromise Alice's device to get her long-term private key and decrypt {S}privKeyA to get S, with which to obtain M. Alternatively, instead of ePubKey, a session key can also be used to establish a secure two-party communication and ensure M's unrecoverability (by deleting M after it expires). However, when the receiver is off-line, we may need some special effort to upload the authenticated Diffie-Hellman key exchange pair to the key server to complete the session key negotiation process. We therefore, without loss of generality, elect the current scheme. IV. DESTRUCTIBLE MESSAGE ENCAPSULATION FORMAT In order to exchange our system-specific messages, we adopt JSON [11] to describe and encapsulate the encrypted sensitive data along with the public information, e.g. public key and key identifier, into a single message encapsulation, called the Pandora Message as described below. A. Public_ Key_ Request Fig. 3 shows the content of a long-term public key request message sent to the receiver. The "PandoraMessage" field is an identifier which indicates this message is for the Pandora Messaging-based applications. The "version" field is reserved for further upgrade. The "type" field is for the purpose of this n::i:~.Â§.Â§!!;g_\\ ................................................... . L ... Â·::fa.i;~f !!.;~;~~?~~~.~.~.~.'.'.'.:.! ..... ...! Figure 3. Long-term public key request message B. Public_ Key_ Response A sample of the long-term public key response message received from the receiver is shown in Fig. 4. The "version" and "type" fields are the same as in the request message. The "public_key" field is the content of the receiver's long-term public key, an OpenPGP [12] public key in this example. OpenPGP is used because it supports the passphrase protection for the OpenPGP private key which is required when. we .. store.the .Private .key in receiver's.mobile. device ..... "PandoraMessage": { "version": 1, "type": "Public_ Key_ Response", "public_key": "-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: BCPG v l .46\n\nmI0ETp2w YQEEAll 7 /0yqPpHP9wY3mcLJE5IB+ lmTr Nvylpk Yv lfQfqeZ jyoyk axO\nsLdb ... (skip) ... Rlehoc\nlgcc~\n~Sjdy\n-----END PGP PUBLIC KEY BLOCK-----\n" } Figure 4. Long-term public key response message C. Ephemeral _Public_ Key_ Request Fig. 5 shows the content of an ephemeral public key request message sent to the receiver. The "version" and "type" fields!,,_Â·_ar~<;:;_i;;:~_-.~s ___ in_.the .. first .. messagl.,_Â· "type": "Ephemeral_ Public_ Key_ Request" } Figure 5. Ephemeral public key request message D. Ephemeral _Public_ Key_ Response A sample of the ephemeral public key response message received from the receiver is shown in Fig. 6. The "version" and "type" fields are the same as in the first message. The "ephemeral_public _ key" field includes two sub-fields: "key_ id" and "public_ key" fields are the identifier and the content _of the. receiver's. ephemeral_public. key,_ respectively., "PandoraMessage": { "version": 1, "type": "Ephemeral_ Public_ Key_ Response", "ephemeral_public _ key": { "key_id": "5d878034Â£3314 l eb96f6e639ebcaeaa6", "public_key": "-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: BCPG vl.46m\nm!OETp2xmwEEALSb5/zaXl 76Nms5L/x3trvYbCADIU6lcZuhh0w3qz4MzkFT4 RHL\nlPM ... (skip) ... E3u/iZ5\nigcc~\n~fc4g\n-----END PGP PUBLIC KEY BLOCK-----\n" } } Figure 6. Ephemeral public key response message E. Ephemeral_ Encryption_ Data A sample of the ephemeral encryption data received from the receiver is shown in Fig. 7. The "version" and "type" fields are the same as in the first message. The "ephemeral_encryption_data" field includes four sub-fields: "ciphertext" field is the sender's message encrypted with a secret session key, i.e. {M}S in Sec. III; "hmac" field is the HMAC value of M and S; "encrypted_secrets" field is a JSON object encrypted with the receiver's ephemeral public key, i.e. {S, C}ePubKey in Sec. III; and "ephemeral_ public_key_id" field is the identifier of the receiver's ephemeral public key. When the receiver's corresponding ephemeral private key is deleted, no one can decrypt the "encrypted_ secrets" data to obtain the secret session key, and thus the ciphertext is unrecoverable. Note that we say the sender's message is destructed or deleted in this situation. "PandoraMessage": { "version": 1, "type": "Ephemeral_ Encryption_ Data", "ephemeral_ encryption_ data": { "ciphertext": "kfhfMHrkPWv2ANhs6JN1xvI1yxAHslz0YvuqNfSUjTo=", "hmac": "+dwDkl9FXZU1+reslxN1SwHm/B4=", "encrypted_secrets": " ----BEGIN PGP 1v1ESSAGE ----\nVersion: BCPG v 1.46\n\nhlw Dpk7X yicVRCMBA/9e9DACSCwQ/G V ASkzXBZFWRenjBubgTNnh YD lW Rot0wyld\nj7 Ar ... (skip) ... Vf+q7HKUgcc~\n~MDhg\n-----END PGP MESSAGE-----\n", "ephemeral_public _ key _id": "e86f6960b54e48279efu359643daal 35" } } Figure 7. Message of ephemeral encryption data Regarding when to delete the ephemeral private key, we define the "constraint" field as a JSON object and the sender 723 can bind this constraint with their destructible encrypted message. Different developers can have different interpretations in this "constraint" field and set up different workflows for their specific requirements as long as the sender and the receiver agree to the same "constraint" interpretations. For instance, we define our Pandora Constraint as time, frequency, or location conditions. Fig. 8 shows an example of a JSON object including a secret session key and a time-based Pandora Constraint created by a sender to claim that a message tied to this constraint should be deleted after 24 hours. Note that in a practical implementation, the sender adds the sum of the current NTP (Network Time Protocol) time plus 24 hours to the "time" field. Then the receiver should check the NTP time as well to avoid the situation that either the sender or the receiver doesn't set the correct time in their mobile devices. .................................................................................................. { "constraint": "PandoraConstraint": } }, "time":24, "version":l "secret_ key": "tadhJ5tN o9 gio87U sOVpp g==" } Figure 8. JSON object of the constraint and the secret session key V. IMPLEMENTATION AND EVALUATION The Pandora Messaging uses the customized messages (i.e. the Pandora Message encapsulation format) atop any existing instant messaging services to make the transmitted messages secure and self-destructible. Thus, there's no special-purpose dedicated server needed. We describe our Android implementation using the basic scheme in Section III and give the performance evaluation as follows. A. Implementation To demonstrate the feasibility of our proposed Pandora Messaging architecture, we have developed a mobile application on an Android 2.3 mobile phone. The screenshots are shown_in ~-- ' Â· Â· Â·-, â€¢ 1 â€¢:,. "l. ~~Sl 11~3 ,, â€¢On Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· Â· .:1;::~3};' Â· Â· E 4.nnn ~ 3_,:)0i) ! 2~0:)B RSAkev she Figure I 0. The average time (in milliseconds) of generating the OpenPGP key pairs using RSA algorithm for 50 runs Fig. 11 (a) shows the detailed encryption time, including time for generating a 128-bit AES secret key, using the secret key to encrypt different size of messages, calculating the HMAC value of the secret key and the message, and using a 1024-bit OpenPGP public key to encrypt the message constraint and the secret key. Fig. 11 (b) shows the corresponding detailed decryption time excluding the secret key generation time. The average time for generating a secret key is 0.54 ms, so it is negligible. The average time for encrypting a message with a secret key increases as the message size grows. The average HMAC calculation time also increases as the message size. The OpenPGP key encryption/decryption time is a fixed value because the encrypted/decrypted target is the constraint and the secret session key. And the OpenPGP key decryption time (average 50.40 ms) is about three times of the encryption time (average 16.84 ms). Fig. 11 (c) shows the comparison of the message's total encryption and decryption time. The average encryption or decryption time of small messages of size smaller than 32 Kbytes is less than 100 ms, so that users would not feel the performance penalty. From the experimental results, we conclude that our proposed Pandora Messaging architecture doesn't degrade the performance significantly in terms of the message encryption and decryption time. The only overhead is the ephemeral key generation time, which can be further reduced as mentioned earlier. {a) Message Encryption Time {b) Message Decryption Time (c) Message encryption and decryption time 45!] 4GtJ ~--- 350: 3GO ~ :!50 ~ - - - ................................. 1. ----------------------------r ~ 1ii ~ ,~o â€¢....... ?; ~ f - . ~ ~ ~ ~ ~ o ~â€¢--â€¢--~--~-~~I I .. ~- E 2K "-K 8< 16K 32K 64:< 123K2SSK Mesogesize(bytH) 1K 2K 4K 8K 16:< 32:< 6.'iK 128!Q5SK Message me {bytes) .... ,, ...... --:-o:a! Encrvptic,n-nme (ms) ...... ~ ... ~ iot;! DecrJptior: Time (rns) 5DO U U U U ~ill~ ~3M Me~sagesi~e {bytff) Figure 11. The average time (in milliseconds) of the message (size in bytes) encryption and decryption for 50 runs 724 VI. RELATED WORK Perlman [5][6] presented a scheme in which a service known as an Ephemerizer creates encryption and decryption functions with expiration time. If the clients, when creating and reading messages, use special software that does not store decrypted messages in a stable storage, expired messages will be unreadable once the Ephemerizer deletes expired keys. Vanish [7] is a proof-of-concept prototype system based on the P2P distributed hash tables (DHTs). Vanish inherits some concepts from the aforementioned Ephemerizer paper, but the responsibility of key management is transferred from Ephemerizer(s), which is a dedicated server or a group of servers, into the P2P network. The Vanish causes sensitive information to irreversibly self-destruct, without any action on the user's part and without any centralized or trusted system. Nevertheless Unvanish [20] has proven that the initial Vanish implementation cannot withstand the Sybil attacks. Besides, it is almost impossible to precisely determine the time period that a threshold subset of P2P nodes stay in the network. Thus, there is no precise guarantee on the expiration time of the sensitive data according to [21]. With regard to the usage of instant messaging, both of Apple's MobileMe [22] and Google's Android C2DM [23] services are using the instant messaging protocols, AIM (OSCAR) protocol and open-standard Jabber (XMPP) protocol respectively, to support the Cloud synchronization and mobile push behaviors. Therefore we can use instant messaging not only to send the text messages but also to support the application-level data synchronization on mobile devices. VII. CONCLUSION The user using the existing instant messaging services is subjected to constant eavesdropping, unwanted leakage of confidential information. Besides, they cannot control the lifespan of their outgoing messages. To solve these issues, we introduce the self-message-destructing feature atop the instant messaging services. Self-destructible messages stored in a mobile device can be considered to satisfy the expiration condition instantly, so the messages become unrecoverable or useless. This 'disabling' reuse is particularly important when one wants to protect personal information. We propose the Pandora Messaging, an enhanced secure instant messaging architecture which is equipped with a self- message-destructing feature for sensitive personal information applications in a mobile environment. The Pandora Messaging-based system enables senders to set time, frequency, and location constraints. These conditions determine when the transmitted messages should be destructed and thus become unreadable for receivers. The Pandora Messaging-based system securely sends self- destructible messages to receivers in a way that it uses ephemeral keys to encrypt the messages and transmits the encrypted messages to the designated receiver via the XMPP instant messaging service in real time. When the transmitted messages' constraints are satisfied, the ephemeral key used 725 for encryption will be deleted, and thus the encrypted messages become unrecoverable. We have implemented a simple messenger application on the Android platform and have evaluated its performance to show that our proposed Pandora Messaging architecture is practical and feasible for sensitive personal information communication on mobile devices. REFERENCES [I] M. Mannan and P. C. Van Oorschot, "Secure Public Instant Messaging: A Survey", in Privacy, Security and Trust, 2004. [2] Declan McCullagh, "How safe is instant messaging? A security and privacy survey", CNET News website. http://news.cnet.com/8301- 13578 3-9962106-38.html [3] H. Kikuchi, M. Tada, and S. Nakanishi, "Secure instant messaging protocol preserving confidentiality against administrator," in 18th International Conference on Advanced Information Networking and Applications, 2004 (AINA 2004), vol. 2, pp. 27- 30. [4] D. Boneh and R. J. Lipton, "A revocable backup system," in Proceedings of the 6th conference on USENIX Security Symposium, Focusing on Applications of Cryptography - Volume 6, San Jose, California, 1996, pp. 91-96. [5] R. Perlman, "The Ephemerizer: Making Data Disappear", Journal of Information System Security 1(1), 51-68 (2005) [6] R. Perlman, "File system design with assured delete", In SISW 2005 Proceedings of the Third IEEE International Security in Storage Workshop, pp. 83-88. IEEE Computer Society, Los Alamitos (2005) [7] R. Geambasu, T. Kohno, A. Levy, and H. M. Levy, "Vanish: Increasing Data Privacy with Self-Destructing Data", In Proc. of the 18th USENIX Security Symposium, 2009. [8] C. Popper, D. Basin, S. Capkun, and C. Cremers, "Keeping data secret under full compromise using porter devices," in Proceedings of the 26th Annual Computer Security Applications Conference, Austin, Texas, 2010, pp. 241-250. [9] XMPP Standards Foundation. http://xmpp.org/ [!OJ Google Projects for Android. http://code.google.com/android/ [11] JSON web site. http://www.json.org/ [12] The OpenPGP Alliance. http://www.openpgp.org/ [13] Smack, an open source XMPP (Jabber) client library. http://www.igniterealtime.org/projects/smack/index.jsp [14] A. Melnikov and K. Zeilenga, "Simple Authentication and Security Layer (SASL)", RFC 4422, June 2006. http://tools.ietf.org/html/rfc4422 [15] T. Dierks and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, Auguest 2008. http://tools.ietf.org/html/rfc5246 [16] FIPS PUB 197, NIST, "Advanced Encryption Standard (AES)", November 26, 2001. [17] H. Krawczyk , M. Bellare , and R. Canetti , "RFC2104: HMAC: Keyed-Hashing for Message Authentication", February 1997. [18] Bouncy Castle Java cryptography APis. http://www.bouncycastle.org/java.html [19] RSA Laboratories, "How large a key should be used in the RSA cryptosystem ?" http://www.rsa.com/rsalabs/node.asp?id~22 l 8 [20] S. Wolchok, 0. S. Hofmann, E. W. Felten, J. A. Halderman, C. I.Rossbach, B. Waters, and E. Witchel. "Defeating Vanish with low- cost Sybil attacks against large DHTs", In Proc. ofNDSS, 2010. [21] Qiang Tang, "From Ephemerizer to Timed-Ephemerizer: Achieve Assured Lifecycle Enforcement for Sensitive Data". http ://doc.utwente.nl/69264/ [22] Apple's MobileMe website. http://www.me.com/ [23] Google's Android Cloud to Device Messaging Framework. http ://code.google.com/ e/android/c2dm/