Ex Parte Kocher

Patent Trial and Appeal Board, Jun 6, 2017
13245054 (P.T.A.B. Jun. 6, 2017)

UNITED STATES PATENT AND TRADEMARK OFFICE
UNITED STATES DEPARTMENT OF COMMERCE
Address: COMMISSIONER FOR PATENTS, P.O. Box 1450, Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 13/245,054
FILING DATE: 09/26/2011
FIRST NAMED INVENTOR: PAUL C. KOCHER
ATTORNEY DOCKET NO.: 10314.0052-04000
CONFIRMATION NO.: 8560

15695 7590 06/08/2017
Rambus/Finnegan
901 New York Ave., NW
Washington, DC 20001

EXAMINER: MANDEL, MONICA A
ART UNIT: 3621
NOTIFICATION DATE: 06/08/2017
DELIVERY MODE: ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication.

Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es): regional-desk@finnegan.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte PAUL C. KOCHER

Appeal 2015-003778¹
Application 13/245,054²
Technology Center 3600

Before PHILIP J. HOFFMANN, BRADLEY B. BAYAT, and TARA L. HUTCHINGS, Administrative Patent Judges.

HUTCHINGS, Administrative Patent Judge.

DECISION ON APPEAL

STATEMENT OF THE CASE

Appellant appeals under 35 U.S.C. § 134(a) from the Examiner’s final rejection of claims 1–7 and 27–40. We have jurisdiction under 35 U.S.C. § 6(b).

We REVERSE.

¹ Our decision references Appellant’s Appeal Brief (“App. Br.,” filed Oct. 6, 2014) and Reply Brief (“Reply Br.,” filed Jan. 28, 2015), and the Examiner’s Answer (“Ans.,” mailed Nov. 28, 2014) and Final Office Action (“Final Act.,” mailed Jan. 29, 2014).

² Appellant identifies Cryptography Research, Inc. as the real party in interest. App. Br. 1.

CLAIMED INVENTION

Appellant’s claimed invention relates to “methods and apparatuses for securing payment cards against external monitoring attacks.” Spec. 1, ll. 12–14.

Claims 1, 27, and 34 are the independent claims on appeal. Claim 1, reproduced below, is illustrative of the claimed subject matter:

1. A portable cryptographic hardware token for deriving cryptographic authentication codes for securing transactions, said token operable to limit the number of times secret keys are used, thereby providing protection against external monitoring attacks, comprising:

(a) a memory configured to store a value for each of a plurality of keys, each of said plurality of keys associated with a different one of a plurality of levels, said plurality of keys comprising a top-level key, a plurality of intermediate-level keys, and a lowest-level key, said plurality of intermediate-level keys comprising at least a second-to-lowest level key, a third-to-lowest level key, and a fourth-to-lowest level key;

(b) a processor configured to perform a key update operation, wherein said key update operation comprises communicating with said memory, receiving as an input from said memory a stored value of one of said keys at a particular one of said plurality of levels, and operating on said received key value using a block cipher to generate a value for a key one level below said particular level; and

(c) a timer;

wherein said processor is further configured to use said key update operation and said timer to periodically derive new key values comprising:

(i) at least one new value for said lowest-level key, where said stored value of said second-to-lowest level key is an input to said key update operation;

(ii) at least one new value for said second-to-lowest level key, where said stored value of said third-to-lowest level key is an input to said key update operation, and where said at least one new value
for said second-to-lowest level key is derived after deriving said at least one new value for said lowest-level key; and

(iii) at least one new value for said third-to-lowest level key, where said stored value of said fourth-to-lowest level key is an input to said key update operation, and where said at least one new value for said third-to-lowest level key is derived after deriving said at least one new value for said second-to-lowest level key; and

wherein said token is operable to secure a transaction with a server based on a value derived from said at least one new value for said lowest-level key.

REJECTIONS

Claims 1–7 and 27–40 are rejected under 35 U.S.C. § 101 as directed to non-statutory subject matter.

Claims 5–7, 31–33, 35, 39, and 40 are rejected under 35 U.S.C. § 112, first paragraph, as failing to comply with the written description requirement.

Claims 1–7 and 27–40 are rejected under 35 U.S.C. § 112, second paragraph, as indefinite for failing to particularly point out and distinctly claim the subject matter that Appellant regards as the invention.

Claims 1–3, 27–29, 34, 36, and 37 are rejected under 35 U.S.C. § 103(a) as unpatentable over Richards (US 6,069,957, iss. May 20, 2000) and Akiyama (US 5,784,464, iss. July 21, 1998).

Claims 4, 30, and 38 are rejected under 35 U.S.C. § 103(a) as unpatentable over Richards, Akiyama, and admitted prior art.

Claims 5–7, 31–33, 35, 39, and 40 are rejected under 35 U.S.C. § 103(a) as unpatentable over Richards, Akiyama, and Schwenk (US 6,222,923 B1, iss. Apr. 24, 2001).

Claims 1–7 are rejected under 35 U.S.C. § 102(e) as anticipated by Akiyama.

ANALYSIS

Non-Statutory Subject Matter

In rejecting claims 1–7 and 27–40 under 35 U.S.C. § 101, the Examiner finds that “the claims are directed to the abstract idea of formulating mathematical relationships between values.” Ans.
2.³ However, when considering whether the claims are directed to a patent ineligible concept, such as an abstract idea, the inquiry is not whether the invention involves an abstract idea. Enfish, LLC v. Microsoft Corp., 822 F.3d 1327, 1335, 1335 (Fed. Cir. 2016) (citing Mayo Collaborative Services v. Prometheus Labs., Inc., 132 S. Ct. 1289, 1293 (2012)). Rather, the claims are considered in their entirety, in light of the Specification, to ascertain whether their character as a whole is directed to excluded subject matter. Id. (citing Internet Patents Corp. v. Active Network, Inc., 790 F.3d 1343, 1346 (Fed. Cir. 2015)).

³ The Answer identifies each page as “Page 1.” We refer to the pages in the Answer sequentially, beginning with the page entitled “EXAMINER’S ANSWER” as page 1.

We disagree with the Examiner’s conclusion that the claims are directed to an abstract idea of formulating mathematical relationships between values. Rather, we conclude that the character of the claims as a whole is directed to improving an existing technology, encryption security. Our conclusion is supported by the Specification’s description of the invention as directed to “securing payment cards against external monitoring attacks,” as well as the description of problems and inadequacies in conventional technology resulting in attackers gaining access to cryptographic keys. Spec. 1–3.

Because we find that the claims are not directed to ineligible subject matter, we do not reach step two of the test set forth in Alice Corp. Pty Ltd. v. CLS Bank Int’l, 134 S. Ct. 2347, 2354 (2014). Enfish, 822 F.3d at 1339. Therefore, we do not sustain the Examiner’s rejection of claims 1–7 and 27–40 under 35 U.S.C. § 101.

Written Description

Whether a specification complies with the written description requirement of 35 U.S.C. § 112, first paragraph, is a question of fact, and is assessed on a case-by-case basis. See, e.g., Purdue Pharma L.P. v.
Faulding, Inc., 230 F.3d 1320, 1323 (Fed. Cir. 2000) (citing Vas-Cath, Inc. v. Mahurkar, 935 F.2d 1555, 1561 (Fed. Cir. 1991)). The disclosure, as originally filed, need not literally describe the claimed subject matter (i.e., using the same terms or in haec verba) in order to satisfy the written description requirement. But the Specification must convey with reasonable clarity to those skilled in the art that, as of the filing date, Appellant was in possession of the claimed invention. See id.

Claim 5 depends from claim 1, and further recites that the server is configured to authenticate the token by “(e) using a value derived from said server-side lowest-level key value during an attempt to authenticate said token;” and “(f) if said attempt to authenticate said token fails, repeating (c) through (e) with another candidate key index value.” Claims 31 and 35 recite similar language.

In rejecting claims 5–7, 31–33, 35, 39, and 40 under 35 U.S.C. § 112, first paragraph, the Examiner identifies limitations (e) and (f), as recited in claim 5, and similarly recited in claims 31 and 35, as lacking written description support. Final Act. 5–6. Appellant argues that pages 14–15 of the Specification provide the requisite written description support. In the Answer, the Examiner maintains the rejection, explaining that the cited portions do not describe implementing authentication as part of the invention. See Ans. 4–5.

We agree with Appellant that pages 14–15 of the Specification provide the requisite written description support. See, e.g., Spec. 15, ll. 21–23 (describing “additional cryptographic authentication” for large jumps in the value C).
In addition to the disclosure cited by Appellant, we note that claim 5, as originally filed, recited “(e) using a value derived from said re-derived lowest-level key value to attempt to authenticate said token;” and “(f) if said authentication attempt fails, repeating (c) through (e) with another candidate key index value close to said key index value obtained in (a).” Spec. 20, ll. 19–22. This originally-filed claim language is nearly identical to the claimed subject matter at issue, and also conveys with reasonable clarity to those skilled in the art that, as of the filing date, Appellant was in possession of the claimed invention.

In view of the foregoing, we do not sustain the Examiner’s rejection of dependent claims 5, 6, 7, 31–33, 35, 39, and 40 under 35 U.S.C. § 112, first paragraph.

Indefiniteness

In rejecting independent claim 1 under 35 U.S.C. § 112, second paragraph, the Examiner takes the position that claim 1 is “unclear how the token limits the number of times secret keys are used because it is unclear what constitutes usage of the keys;” “it is unclear what constitutes limiting the usage;” it is “unclear if the limiting and the usage recited in the preamble is an additional function to the functions recited in the body of the claim;” and it is “unclear what constitutes an ‘external monitoring attack.’” Final Act. 7. But we find that a person of ordinary skill in the art would understand what is claimed when the claim is read in light of the Specification. Namely, that “use” and “limits” in the preamble do not recite additional functionality but rather describe the functionality achieved by the ordered combination of elements recited in claims. See Reply Br. 9.

With respect to the phrase “external monitoring attack,” as recited in claim 1 and similarly recited in claim 27, the Examiner finds that “the determination of an attack is subjective” (Final Act.
7), and explains, in response to Appellant’s arguments in the Appeal Brief, that “understanding what an abstract or subjective thing is, such as beauty, does not preclude it from being abstract or subjective” (Ans. 6). We disagree that an external monitoring attack is an abstract or subjective thing, like beauty. Moreover, the Examiner’s reply implicitly acknowledges that a person of ordinary skill in the art would understand what is claimed when the claims are read in light of the Specification. See Orthokinetics, Inc. v. Safety Travel Chairs, Inc., 806 F.2d 1565, 1576 (Fed. Cir. 1986) (The test for definiteness under 35 U.S.C. § 112, second paragraph is whether “those skilled in the art would understand what is claimed when the claim is read in light of the specification.”). We find that a person of ordinary skill in the art would understand what is claimed when claims 1 and 27 are read in light of the Specification, namely, that an external monitoring attack is an attack using external monitoring to gather information correlated to a client device’s internal operations. See, e.g., Spec. 3, ll. 5–7.

The Examiner finds that claim 1 is indefinite because the term “stored values of keys,” i.e., limitation (b), lacks antecedent basis. Final Act. 7. However, in our view a person of ordinary skill in the art would understand what is claimed when the claim is read in light of the Specification. Specifically, we agree with Appellant that one of ordinary skill would understand that the stored value refers to a value stored in memory of one of the keys recited in limitation (a). See App. Br. 20–21.

With respect to claims 5, 31, and 35 the Examiner maintains that it is unclear whether authentication occurs in the claim, because the claim “positively recites an attempt to authenticate the token and also recites the possibility that the attempt is not carried out.” Final Act. 8–9.
But we agree with Appellant that one of ordinary skill would understand that the server is configured to use the value to attempt to authenticate the token, and steps (c) through (e) are repeated if the token is not authenticated during the attempt to authenticate. App. Br. 21–22.

With respect to claims 7 and 33, the Examiner finds that the language “said server is further configured to obtain said candidate key index value indirectly” is “unclear what comprises being configured to obtain something indirectly since it is not clear with reference to what the obtaining is indirectly.” Final Act. 8. The Examiner makes similar findings regarding similar language recited in claim 40. Id. at 9. We agree with Appellant that the inquiry into the particular implementation for indirectly obtaining goes to breadth, not indefiniteness. See App. Br. 22–11; see also In re Miller, 441 F.2d 689, 693 (CCPA 1971) (“[B]readth is not to be equated with indefiniteness.”).

In the Answer, the Examiner does not dispute the Appellant’s argument (App. Br. 22) that “indirectly” means “not directly,” or that the Specification provides exemplary embodiments. Instead, the Examiner reasons that a word having a definition nonetheless can be indefinite, citing the word “beauty” as an example. Ans. 7–8. But the word “indirectly,” unlike the term “beauty,” is not based on a subjective determination of a person. We fail to see why, and the Examiner does not adequately explain why, a person of ordinary skill in the art would be unable to determine the metes and bounds of the claim, which is the test for indefiniteness. See In re Zletz, 893 F.2d 319, 322 (Fed. Cir. 1989) (During examination, after applying the broadest reasonable interpretation to the claim, if the metes and bounds of the claimed invention are not clear, the claim is indefinite and should be rejected).

Regarding claim 34, the Examiner finds that the phrase “only the key values affected by a change in said key index value are updated” is “unclear [as to] what key values are affected . . . because it is unclear if being affected by a change in the key index value is actually the same thing as being updated.” Final Act. 9. The Examiner also determines that “[t]he phrase ‘each key update in said at least one key update operation’ does not make grammatical sense.” Id. at 8. However, we agree with Appellant (App. Br. 23–24) that the meaning is clear from the plain language of the claim. For example, the language preceding steps (a) through (c) specifies that each step is performed “in said token.” And the language “each key update” refers to an operation that occurs if there is more than one key update operation performed.

In view of the foregoing, we do not sustain the Examiner’s rejection of claims 1–7 and 27–40 under 35 U.S.C. § 112, second paragraph.

Obviousness

Independent Claims 1, 27, and 34, and Dependent Claims 2, 3, 28, 29, 36, and 37

We are persuaded by Appellant’s argument that the Examiner erred in rejecting independent claims 1, 27, and 34 under 35 U.S.C.
§ 103(a) because Richards does not disclose or suggest

wherein said processor is further configured to use said key update operation and said timer to periodically derive new key values comprising:

(i) at least one new value for said lowest-level key, where said stored value of said second-to-lowest level key is an input to said key update operation;

(ii) at least one new value for said second-to-lowest level key, where said stored value of said third-to-lowest level key is an input to said key update operation, and where said at least one new value for said second-to-lowest level key is derived after deriving said at least one new value for said lowest-level key; and

(iii) at least one new value for said third-to-lowest level key, where said stored value of said fourth-to-lowest level key is an input to said key update operation, and where said at least one new value for said third-to-lowest level key is derived after deriving said at least one new value for said second-to-lowest level key[,]

as recited in claim 1, and similarly recited in claims 27 and 34. App. Br. 26–29. The Examiner relies on Richards as disclosing the argued limitations. Final Act. 11 (citing Richards, col. 11, ll. 34–36, col. 11, l. 1–col. 12, l. 41, Fig. 14).

Richards is directed to encryption and decryption systems for communication systems, such as cable television networks and video conferencing systems. Richards, col. 1, ll. 6–8. With reference to Figure 14, Richards describes delivering a group of decryption keys via an in-band channel. Id. at col. 11, ll. 23–26. The keys are transmitted as a hierarchy, wherein one key unlocks another key, and the last key unlocked is used to decrypt program material. Id. at col. 1, ll. 27–29.
Specifically, a user encryption variable key is used to decrypt a channel access key (CAK), the CAK decrypts a control channel key (CCK), the CCK is used to decrypt the program key (PK), the PK is used to decrypt the segment key (SK), and the SK is used to decrypt content. Id. at col. 11, ll. 15–22, Fig. 14; see also id. at Fig. 19, col. 12, ll. 11–17 (describing decrypting new key from old decryption key).

The Examiner takes the position that decrypting a key, as described by Richards, discloses the claimed “deriving,” as recited in claim 1, because “decryption obviously derives data.” Ans. 8. More specifically, the Examiner reasons that because Richards describes “the decryption of new keys utiliz[ing] other keys in the hierarchy,” Richards meets the argued claim language. But encrypting and decrypting a key does not change a value of a key; instead, it locks and unlocks a value of the key so that it is not otherwise readily discernable.

Richards describes updating its key values over time. Richards col. 11, ll. 34–36. But Richards achieves its update via encryption hardware, which generates and sends, over the in-band channel, a new hierarchy of keys to the customer’s decryption hardware. See id. at col. 12, ll. 45–60. The customer’s decryption hardware then decrypts the keys (using one key to unlock another, as described above) to learn “the value of these keys.” Id. at col. 12, ll. 59–64. Decrypting a hierarchy of keys, as described by Richards, fails to describe or suggest the claimed key update operation that periodically derives “new key values,” as required by the claim language.

In view of the foregoing, we do not sustain the Examiner’s rejection of independent claims 1, 27, and 34, and dependent claims 2, 3, 28, 29, 36, and 37 under 35 U.S.C. § 103(a).

Dependent Claims 4–7, 30–33, 35, and 38–40

Claims 4–7, 30–33, 35, 38, and 39 each depend from one of claims 1, 27, and 34, respectively.
The Examiner’s rejections of claims 4–7, 30–35, and 38–40 do not cure the deficiencies in the rejection of independent claims 1, 27, and 34. Therefore, we do not sustain the Examiner’s rejections under 35 U.S.C. § 103(a) of dependent claims 4–7, 30–33, 35, and 38–40 for the same reasons discussed above with respect to the independent claims.

Anticipation

The Examiner alternatively rejects claims 1–7 under 35 U.S.C. § 102(a) as anticipated by Akiyama, finding that Akiyama describes hardware configurations that include a memory 19, a processor 16, and a timer 17. See Final Act. 23. In the Answer, the Examiner explains that “the structures of the claim were . . . interpreted as hardware configurations,” and under this interpretation “the processor, memory[,] and timer disclosed by Akiyama are in fact ‘configured to’ perform the functions of [c]laims 1–7.” But the Examiner does not identify, and we do not find, a description in Akiyama of any programming rendering Akiyama’s processor, memory, and timer capable of performing the functions recited in claims 1–7. See Typhoon Touch Techs., Inc. v. Dell, Inc., 659 F.3d 1376, 1380–81 (Fed. Cir. 2011) (the apparatus as provided must be programmed so that it is “capable” of performing the recited function) (citing Microprocessor Enhancement Corp. v. Texas Instruments, Inc., 520 F.3d 1367, 1375 (Fed. Cir. 2008)).

On this record, the Examiner’s findings fail to adequately support a rejection of claims 1–7 under 35 U.S.C. § 102(e). Accordingly, we do not sustain the rejection of claims 1–7 under 35 U.S.C. § 102(e).

DECISION

The Examiner’s rejection of claims 1–7 and 27–40 under 35 U.S.C. § 101 is reversed.

The Examiner’s rejection of claims 5–7, 31–33, 35, 39, and 40 under 35 U.S.C. § 112, first paragraph, is reversed.

The Examiner’s rejection of claims 1–7 and 27–40 under 35 U.S.C. § 112, second paragraph, is reversed.

The Examiner’s rejections of claims 1–7 and 27–40 under 35 U.S.C.
§ 103(a) are reversed.

The Examiner’s rejection of claims 1–7 under 35 U.S.C. § 102(e) is reversed.

REVERSED