Ex Parte Walker
Board of Patent Appeals and Interferences, Aug. 30, 2010
Application 10/387,182 (B.P.A.I. Aug. 30, 2010)

UNITED STATES PATENT AND TRADEMARK OFFICE
UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS, P.O. Box 1450, Alexandria, Virginia 22313-1450, www.uspto.gov

APPLICATION NO.: 10/387,182
FILING DATE: 03/11/2003
FIRST NAMED INVENTOR: William T. Walker
ATTORNEY DOCKET NO.: 4366-116
CONFIRMATION NO.: 6729
48500 7590 08/31/2010
SHERIDAN ROSS P.C.
1560 BROADWAY, SUITE 1200
DENVER, CO 80202
EXAMINER: PAN, JOSEPH T
ART UNIT: 2435
MAIL DATE: 08/31/2010
DELIVERY MODE: PAPER

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE
BEFORE THE BOARD OF PATENT APPEALS AND INTERFERENCES
Ex parte WILLIAM T. WALKER
Appeal 2009-004906
Application 10/387,182
Technology Center 2100
Before LANCE LEONARD BARRY, JEAN R. HOMERE, and DEBRA K. STEPHENS, Administrative Patent Judges.
STEPHENS, Administrative Patent Judge.

DECISION ON APPEAL [1]

[1] The two-month time period for filing an appeal or commencing a civil action, as recited in 37 C.F.R. § 1.304, or for filing a request for rehearing, as recited in 37 C.F.R. § 41.52, begins to run from the “MAIL DATE” (paper delivery mode) or the “NOTIFICATION DATE” (electronic delivery mode) shown on the PTOL-90A cover letter attached to this decision.

Appellant appeals under 35 U.S.C. § 134(a) (2002) from a final rejection of claims 25-48. Claims 1-24 have been canceled (App. Br. 1, Claims App. 13). We have jurisdiction under 35 U.S.C. § 6(b) (2008). We AFFIRM.
Introduction

According to Appellant, the invention is a system and method for authenticating a user using a first, typically dynamic, password and, after successful authentication, providing and enabling a second, temporary, and typically static password useable for an assigned life (Abstract).

STATEMENT OF THE CASE

Exemplary Claims

Claims 25 and 46 are exemplary claims and are reproduced below:

25. A method for providing access to a computational component, comprising:
(a) authenticating a first user using a first password, the first password being generated dynamically and the authentication being done during a first session with the first user;
(b) after the first user is successfully authenticated using the first password, receiving, as part of the first session, a request from the first user for a second password to be authorized for at least one of the first user and a first login associated with the first user, the second password being a static password;
(c) during the first session, providing the user with the second password, the second password being valid only for a selected time;
(d) during the first session, initiating a timer to determine when the selected time has passed; and
(e) when the selected time has passed, deactivating the second password.

46. A method for authenticating a user, comprising:
(a) during a first login attempt, receiving a set of characters from a first user;
(b) during the first login attempt, first determining whether an unexpired temporary password has been activated for the first user;
(c) when an unexpired temporary password has been activated for the first user, second comparing, during the first login attempt, the sequence of characters with the temporary password; and
(d) when the set of characters is identical to the temporary password, authenticating successfully the first user;
(e) when the set of characters is not identical to the temporary password, thereafter comparing, during the first login attempt, the set of characters with a correct response to a challenge previously provided to the first user, the challenge and correct response being determined using a secret key;
(f) when the set of characters is identical to the correct response, authenticating successfully the first user.

Prior Art

Band, US 2004/0103324 A1, May 27, 2004 (filed Nov. 27, 2002)
Yoshizawa, US 6,928,166 B2, Aug. 9, 2005 (filed Mar. 1, 2001)

Rejections

Claims 25-48 stand rejected under 35 U.S.C. § 103(a) as being unpatentable over Band and Yoshizawa (Ans. 4).

GROUPING OF CLAIMS

(1) Appellant argues claims 25-27, 31, 32, 35-38, and 40-43 as a group on the basis of independent claims 25 and 36 (App. Br. 7-9). We select independent claim 25 as the representative claim. We will, therefore, treat dependent claims 26, 27, 31, 32, 35, 37, 38, and 40-43 as standing or falling with representative claim 25 and treat the disputed element recited commensurately in independent claim 36 as standing or falling with representative claim 25.

(2) Appellant argues claims 29, 30, and 36 as a group without specifying a representative claim (id. at 9). We select independent claim 36 as the representative claim in this rejection.
We will, therefore, treat claims 29 and 30 as standing or falling with representative claim 36.

(3) Appellant argues claims 28, 33, 34, 39, and 44-46 as a group without specifying a representative claim (id. at 9-11). [2] We select independent claim 46 as the representative claim in this rejection. We will, therefore, treat claims 28, 33, 34, 39, 44, 45, 47, and 48 as standing or falling with representative claim 46.

We accept Appellant’s grouping of the claims. See 37 C.F.R. § 41.37(c)(1)(vii).

[2] Appellant appears to have inadvertently omitted claims 47 and 48 from any arguments, although Appellant acknowledged that these claims were rejected and being appealed (App. Br. 1 and 6). We, therefore, include claims 47 and 48, which depend from claim 46, in this grouping.

ISSUE 1

35 U.S.C. § 103(a): claims 25-27, 31, 32, 35-38, and 40-43

Appellant asserts that his invention is not obvious over Band and Yoshizawa because “[n]either reference teaches, individually or collectively, the joint use of static and dynamic passwords by a user to authenticate the user to a computational component where the dynamic password must be entered successfully before the static password can be enabled [as recited in] (Claims 25-27, 29-33, 36-38, and 40-44)” (App. Br. 8). Specifically, Appellant alleges that Band discloses dynamic and static password authentication by different entities in different directions, not authentication by the same entity in the same direction (id.). According to Appellant, Band teaches that the dynamic password, associated with a digital certificate of a remote server, is used in authenticating the remote server to the user’s device, and then the user’s credentials are used to authenticate the user to the remote server (App. Br. 8-9 and Reply Br. 3). Therefore, Appellant asserts that Band does not teach or suggest a user having both dynamic and static passwords for user authentication or that the dynamic password must be verified before the static password is enabled (Reply Br. 3).

The Examiner finds that Band discloses joint use of both static and dynamic passwords by a user to authenticate the user to a computational component (Ans. 10). The Examiner further finds that Band teaches the dynamic password must be entered successfully before the static password is enabled (id.). The Examiner thus concludes that (a) Band discloses a user using both static and dynamic passwords to authenticate the user to a computational component, where the dynamic password must first be successfully entered before the static password is enabled, and (b) it is well known in the art to use a challenge/response protocol for authentication, initiated by either party in either direction (Ans. 13-14).

Issue 1: Has Appellant shown the Examiner erred in finding that the combination of Band and Yoshizawa teaches or suggests “(a) authenticating a first user using a first password, the first password being generated dynamically and the authentication being done during a first session with the first user;” and “(b) after the first user is successfully authenticated using the first password, receiving, as part of the first session, a request from the first user for a second password to be authorized for at least one of the first user and a first login associated with the first user, the second password being a static password” as recited in claim 25 and commensurately recited in claim 36?

FINDINGS OF FACT (FF)

Band

(1) Band teaches a method and system for gaining access to administrative security services without having authenticated access to an operating environment (pg. 1; [0001]).
The user may unlock a locked security token, diagnose a security token, activate and deactivate a security token, request a replacement security token or temporary password, or report the loss of a security token (Abstract).

(2) To ensure that the user is actually communicating with the proper remote server, a host authentication session is performed using public key cryptography methods such as traditional challenge/response or digital certificate exchange. Once the server is authenticated to the local client, the user may be prompted to supply his or her credentials. Once the user has been authenticated to the remote server, based on comparisons to previously stored credentials, the user may initiate one or more functions including diagnostics of the security token, reactivating or deactivating the security token, requesting a replacement security token, requesting and enabling a temporary password or automatically granting access to previously unavailable services and resources. (pg. 1, [0013]).

ANALYSIS

After considering the totality of the arguments and evidence before us, we find that Appellant has failed to persuade us of error in the Examiner’s conclusion of obviousness with respect to claims 25-27, 31, 32, 35-38, and 40-43. We find that in Band, the server is authenticated to the user using public key cryptography methods (dynamically generated password) and then the user is authenticated to the server using previously stored credentials (static password) (FF 1 and FF 2). Thus, we find Band discloses authentication of a first user using a first password which has been generated dynamically (FF 2). We further find that after the first dynamic password has been authenticated, a user requests that a second and static password be authorized (FF 2). Although Appellant argues that Band discloses dynamic and static password authentication by different entities in different directions, we agree with the Examiner that one of ordinary skill in the art would possess the knowledge and skill to include dynamic and static password authentication by the same entity in the same direction (Ans. 14).

Indeed, Section 103 forbids issuance of a patent when “the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.” (KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 406 (2007)). In KSR, the Supreme Court emphasized “the need for caution in granting a patent based on the combination of elements found in the prior art,” and discussed circumstances in which a patent might be determined to be obvious. (Id. at 415 (citing Graham v. John Deere Co., 383 U.S. 1, 12 (1966))). The Court reaffirmed principles based on its precedent that “[t]he combination of familiar elements according to known methods is likely to be obvious when it does no more than yield predictable results.” (Id. at 416.) The Court noted that “[c]ommon sense teaches . . . that familiar items may have obvious uses beyond their primary purposes, and in many cases a person of ordinary skill will be able to fit the teachings of multiple patents together like pieces of a puzzle.” (Id. at 420.) “A person of ordinary skill is also a person of ordinary creativity, not an automaton.” (Id. at 421.) The Federal Circuit recently recognized that “[a]n obviousness determination is not the result of a rigid formula disassociated from the consideration of the facts of a case. Indeed, the common sense of those skilled in the art demonstrates why some combinations would have been obvious where others would not.” (Leapfrog Enters., Inc. v. Fisher-Price, Inc., 485 F.3d 1157, 1161 (Fed. Cir. 2007) (citing KSR, 550 U.S. at 416)). The Federal Circuit relied in part on the fact that Leapfrog had presented no evidence that the inclusion of a reader in the combined device was “uniquely challenging or difficult for one of ordinary skill in the art” or “represented an unobvious step over the prior art.” (Id. at 1162 (citing KSR, 550 U.S. at 418)).

Since Band teaches using both a dynamic and a static password, we conclude that using both the dynamic and the static password to authenticate an entity would have yielded predictable results (i.e., another layer of security) to one of ordinary skill in the art at the time of the invention. That is, we find that using both a dynamic and a static password is no more than a simple arrangement of old elements, with each performing the same function it had been known to perform, yielding no more than one would expect from such an arrangement. (See KSR, 550 U.S. at 417.) Appellant has presented no evidence that using both types of passwords would have been “uniquely challenging or difficult for one of ordinary skill in the art” or “represented an unobvious step over the prior art.” (Leapfrog, 485 F.3d at 1162 (citing KSR, 550 U.S. at 418-19)).

We, therefore, agree with the Examiner’s finding that the combination of Band and Yoshizawa teaches or suggests “(a) authenticating a first user using a first password, the first password being generated dynamically and the authentication being done during a first session with the first user” and “(b) after the first user is successfully authenticated using the first password, receiving, as part of the first session, a request from the first user for a second password to be authorized for at least one of the first user and a first login associated with the first user, the second password being a static password” as recited in claim 25 and commensurately recited in claim 36.

Accordingly, we find that Appellant has not shown the Examiner erred in rejecting independent claims 25 and 36 as being obvious over Band and Yoshizawa and, accordingly, claims 26, 27, 31, 32, 35, 37, 38, and 40-43 fall with claims 25 and 36.

ISSUE 2

35 U.S.C. § 103(a): claims 29, 30, and 36

Appellant asserts that his invention is not obvious over Band and Yoshizawa because “[n]either reference teaches, individually or collectively, that, after receiving and in response to a command from the first user to deactivate the second password, deactivating the second password, wherein the command is received from the first user and the second password is deactivated before the life of the temporary password has expired [as recited in] (Claims 29, 30, and 36)” (App. Br. 9 and Reply Br. 3-4). Specifically, Appellant asserts that although Yoshizawa teaches that the user can select the timer value, Yoshizawa does not teach or suggest that the user is able to deactivate the temporary password before the selected timer value has run out (App. Br. 9 and Reply Br. 4). Instead, Appellant argues, Yoshizawa teaches that to disable the password, the timer value must be reset and then allowed to expire (App. Br. 9 and Reply Br. 4).

The Examiner finds that Yoshizawa discloses the temporary password can be set to a time value by the user (Ans. 11). The Examiner further finds that if the user wants to deactivate the temporary password, the user can set the value to zero (id.). Therefore, according to the Examiner, the user can deactivate the temporary password before the time has reached the selected value (id.).
Issue 2: Has the Examiner erred in concluding that the combination of Band and Yoshizawa teaches or suggests the limitation of “after receiving and in response to a command from the first user to deactivate the second password, deactivate the second password, wherein the command is received from the first user and the second password deactivated before the selected time has expired” as recited in claim 36 and analogously recited in claims 29 and 30?

FURTHER FINDINGS OF FACT (FF)

Yoshizawa

(3) Yoshizawa teaches a method and system to allow for flexible security level switching by providing a password holding section for device authentication passwords, e.g., a temporary and a private password (Abstract).

(4) The temporary password may be associated with time information using the time control section 15 rather than with the connection. In this case, a timer value for the temporary password can be freely set by the user in the time control section 15. For example, if there is a two-hour conference, then the temporary password is used for two hours and changed to the private password two hours later. (Col. 7, ll. 5-11).

ANALYSIS

We find a user can freely set the time during which a temporary password is valid (FF 4). Since the time can be freely set, we find Yoshizawa at least suggests that a user can deactivate the temporary password by changing the time. Therefore, we find Yoshizawa suggests that the user sends a command (resetting the value in the time control section) to deactivate the second password (setting the value to zero) and thus the second password is deactivated before the life of the temporary password has expired.

Accordingly, Appellant has failed to persuade us of error in the Examiner’s finding that the combination of Band and Yoshizawa teaches or suggests “after receiving and in response to a command from the first user to deactivate the second password, deactivating the second password, wherein the command is received from the first user and the second password deactivated before the life of the temporary password has expired” with respect to claims 29, 30, and 36. Therefore, Appellant has not shown the Examiner erred in rejecting claims 29, 30, and 36.

ISSUE 3

35 U.S.C. § 103(a): claims 28, 33, 34, 39, and 44-46

Appellant asserts that Band and Yoshizawa do not teach or suggest the invention as recited because “[n]either reference teaches, individually or collectively, (a) that, when a temporary password is active, login via a nontemporary (e.g., dynamic) password for a selected login is still enabled or (b), that, when a password is received for a login, it is first determined whether an unexpired temporary password is enabled for the login and, if so, the entered password is first compared against the unexpired temporary password before being assumed to be a dynamic password” (App. Br. 9).

The Examiner finds that Band discloses a static and a dynamic password (Ans. 12). The Examiner then relies on Yoshizawa as disclosing (a) that multiple passwords are enabled for a process and (b) that the process will select the most suitable password to use (Ans. 13). The Examiner then finds that the combination of Band’s static and dynamic passwords and Yoshizawa’s selection of the most suitable password from among multiple enabled passwords teaches the invention as recited (id.).

Issue 3: Has the Examiner erred in concluding that the combination of Band and Yoshizawa teaches (a) determining whether an unexpired temporary password has been activated; (b) when an unexpired temporary password has been activated, comparing the sequence of characters with the temporary password; (c) when the set of characters is identical to the temporary password, authenticating successfully the user; and (d) when the set of characters is not identical to the temporary password, thereafter comparing the set of characters with a correct response to a challenge previously provided to the user, the challenge and correct response being determined using a secret key, as recited in claim 46?

FURTHER FINDINGS OF FACT (FF)

Yoshizawa

(5) The password selecting section 18 selects the most suitable password for the current connection from among the passwords stored in the password holding section 16 according to the user events 21, information acquired by the external factor acquisition section 14, and information from the time control section 15 and sends it to the password checking section 19. The password selecting section is configured to be able to establish priority among the user event 21, the external factor acquisition section 14, and the time control section 15. (Col. 5, ll. 4-14).

(6) Switching between authentication passwords allows for lowering of the security level of an information device, for example, when it is inside an office permitting anybody to access the device, and enhancing the security level when outside of an office to prevent third party access (col. 7, ll. 43-48).
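To make the claimed sequence concrete before turning to the analysis, the following is a worked example added for this page; it is not code from the application, from Band or Yoshizawa, or from the Board. It models claim 25 (a temporary static password issued only inside a session that was opened with the dynamic password, with a timer that deactivates it), claim 36 (deactivation on the user’s command before the timer runs out) and claim 46 (on a login attempt, an unexpired temporary password is checked first, and only on a mismatch is the entered string compared with the correct response to the outstanding challenge). Assumptions the claims do not fix, and which are the example’s own: the challenge/response is HMAC-SHA256 over a random challenge keyed with the shared secret key, the “timer” is an expiry timestamp read from an injectable clock so the run is deterministic, and the class, method and login names are illustrative.

```python
"""Added example: a model of the two-password login in claims 25, 36 and 46.

Not code from the patent application or from the cited references. Assumed,
because the claims do not specify them: the "correct response to a challenge"
is HMAC-SHA256 over a random challenge keyed with the secret key, and the
"timer" is an expiry timestamp read from an injectable clock.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Session:
    login: str
    method: str  # "dynamic" (challenge/response) or "temporary" (static password)


class TwoPasswordAuthenticator:
    def __init__(self, secret_key: bytes, clock: Callable[[], float]):
        self.secret_key = secret_key
        self.clock = clock                                  # assumption: injectable time source
        self.challenges: Dict[str, bytes] = {}              # login -> outstanding challenge
        self.temporary: Dict[str, Tuple[str, float]] = {}   # login -> (password, expiry time)

    # Dynamic password: a challenge whose correct response depends on the secret key.
    def issue_challenge(self, login: str) -> bytes:
        challenge = secrets.token_bytes(16)
        self.challenges[login] = challenge
        return challenge

    def correct_response(self, challenge: bytes) -> str:
        # Assumed construction (not in the claims): HMAC-SHA256(secret_key, challenge).
        return hmac.new(self.secret_key, challenge, hashlib.sha256).hexdigest()

    # Claim 46: order of comparison during a single login attempt.
    def authenticate(self, login: str, characters: str) -> Optional[Session]:
        self.expire_due()                                   # claim 25(e): expired passwords are gone
        entry = self.temporary.get(login)
        if entry is not None:                               # 46(b): unexpired temporary password active
            if hmac.compare_digest(entry[0].encode(), characters.encode()):
                return Session(login, "temporary")          # 46(c)-(d)
        challenge = self.challenges.pop(login, None)        # 46(e): fall through to the challenge
        if challenge is not None and hmac.compare_digest(
            self.correct_response(challenge).encode(), characters.encode()
        ):
            return Session(login, "dynamic")                # 46(f)
        return None

    # Claim 25(b)-(d): the static password is issued only inside a dynamic session.
    def request_temporary_password(self, session: Session, lifetime_seconds: float) -> str:
        if session.method != "dynamic":
            raise PermissionError("dynamic authentication required before a temporary password")
        password = secrets.token_urlsafe(9)                 # static for its whole life
        self.temporary[session.login] = (password, self.clock() + lifetime_seconds)  # 25(d): timer
        return password

    # Claim 25(e): deactivate once the selected time has passed.
    def expire_due(self) -> None:
        now = self.clock()
        for login, (_, expiry) in list(self.temporary.items()):
            if now >= expiry:
                del self.temporary[login]

    # Claim 36: the user deactivates the second password before its life has expired.
    def deactivate_temporary_password(self, session: Session) -> bool:
        return self.temporary.pop(session.login, None) is not None


def demo() -> dict:
    """Run the claimed flow on constructed input and return what happened at each step."""
    clock = [1000.0]                                        # constructed, controllable clock
    auth = TwoPasswordAuthenticator(b"constructed-demo-key", lambda: clock[0])
    login = "alice"                                         # constructed login name

    first = auth.authenticate(login, auth.correct_response(auth.issue_challenge(login)))
    temp = auth.request_temporary_password(first, lifetime_seconds=7200)   # two-hour life
    second = auth.authenticate(login, temp)                                # temporary path
    third = auth.authenticate(login, auth.correct_response(auth.issue_challenge(login)))  # dynamic still open
    try:                                                                   # no request from a temporary session
        auth.request_temporary_password(second, 60)
        from_temporary_session = True
    except PermissionError:
        from_temporary_session = False
    deactivated = auth.deactivate_temporary_password(third)                # claim 36, before expiry
    after_command = auth.authenticate(login, temp)
    temp2 = auth.request_temporary_password(third, lifetime_seconds=7200)
    clock[0] += 7201                                                       # the timer runs out
    after_expiry = auth.authenticate(login, temp2)
    return {
        "first": first.method, "second": second.method, "third": third.method,
        "from_temporary_session": from_temporary_session,
        "deactivated": deactivated, "after_command": after_command,
        "after_expiry": after_expiry,
    }


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner would take from running it. The `third` step is the behaviour Appellant says neither reference shows (Issue 3, point (a)): while the temporary password is active, the challenge/response path remains open, because claim 46 falls through to it on a mismatch rather than rejecting. And the temporary password is the weaker credential of the two (static, reusable for its whole life, guessable in principle), so its lifetime should be short, comparisons constant-time, and the user-command deactivation of claim 36 exposed to the user rather than left to the timer alone.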
ANALYSIS

We agree with the Examiner that Yoshizawa discloses that, when a temporary password is active, login via a non-temporary password for a selected login is still enabled, and that, when a password is received for a login, it is first determined whether an unexpired temporary password is enabled for the login and, if so, the entered password is first compared against the unexpired temporary password before being assumed to be a dynamic password. Yoshizawa teaches that multiple passwords are enabled to be used and that the particular password to be selected depends upon suitability (FF 5). Yoshizawa provides examples of environments in which one password is chosen to be used over another (FF 6). Therefore, we find Yoshizawa teaches that even when the temporary password is active, login via a private (non-temporary) password for a selected login is still enabled.

As set forth above in Issue 1, we find Band suggests use of a dynamic and a temporary (static) password (FF 2) by a user for authentication. Yoshizawa suggests enabling multiple passwords and selecting the most suitable password to use based on various factors (FF 5 and 6). Accordingly, we conclude that one of ordinary skill in the art would have found combining the use of a dynamic and a static password taught by Band with Yoshizawa’s teaching of selecting the most suitable password from among multiple enabled passwords for authentication to have been obvious. We further conclude that one of ordinary skill in the art would have found that the combination of Band and Yoshizawa teaches or suggests comparing an entered sequence of characters to one saved password and then, if identical, authenticating the user, and if not, comparing it to a second saved password.

Accordingly, we conclude that the combination of Band’s and Yoshizawa’s techniques renders obvious (a) determining whether an unexpired temporary password has been activated; (b) when an unexpired temporary password has been activated, comparing the sequence of characters with the temporary password; (c) when the set of characters is identical to the temporary password, authenticating successfully the user; and (d) when the set of characters is not identical to the temporary password, thereafter comparing the set of characters with a correct response to a challenge previously provided to the user, the challenge and correct response being determined using a secret key. Thus, Appellant has failed to persuade us of error in the Examiner’s findings with respect to independent claim 46 and, therefore, claims 28, 33, 34, 39, 44, and 45, which were grouped with and argued concurrently with claim 46 (and claims 47 and 48, which depend from claim 46 and were included in this grouping, see note 2).

DECISION

The Examiner’s rejection of claims 25-48 under 35 U.S.C. § 103(a) as being obvious over Band and Yoshizawa is affirmed.

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv) (2009).

AFFIRMED

rwk

SHERIDAN ROSS P.C.
1560 BROADWAY, SUITE 1200
DENVER, CO 80202