United Services Automobile Associationv.Nader Asghari-KamraniDownload PDFPatent Trial and Appeal BoardFeb 26, 201612210926 (P.T.A.B. Feb. 26, 2016) Copy Citation Trials@uspto.gov Paper 13 571-272-7822 Entered: February 26, 2016 UNITED STATES PATENT AND TRADEMARK OFFICE ____________ BEFORE THE PATENT TRIAL AND APPEAL BOARD ____________ UNITED SERVICES AUTOMOBILE ASSOCIATION, Petitioner, v. NADER ASGHARI-KAMRANI and KAMRAN ASGHARI-KAMRANI, Patent Owner. ____________ Case IPR2015-01842 Patent 8,266,432 B2 ____________ Before SALLY C. MEDLEY, JUSTIN T. ARBES, and KIMBERLY McGRAW, Administrative Patent Judges. McGRAW, Administrative Patent Judge. DECISION Denying Institution of Inter Partes Review 37 C.F.R. § 42.108 IPR2015-01842 Patent 8,266,432 B2 2 I. INTRODUCTION Petitioner, United Services Automobile Association, filed a Petition requesting an inter partes review of claims 1–551 of U.S. Patent No. 8,266,432 B2 (Ex. 1001, “the ’432 patent”). Paper 2 (“Pet.”). Patent Owner, Nader Asghari-Kamrani and Kamran Asghari-Kamrani, filed a Preliminary Response. Paper 7 (“Prelim. Resp.”). We have jurisdiction under 35 U.S.C. § 314(a), which provides that an inter partes review may not be instituted “unless . . . the information presented in the petition . . . and any response . . . shows that there is a reasonable likelihood that the petitioner would prevail with respect to at least 1 of the claims challenged in the petition.” For the reasons that follow, we do not institute an inter partes review of the ’432 patent. A. Related Proceedings According to Patent Owner, the ’432 patent is involved in the following lawsuit: Asghari-Kamrani et al. v. United Services Automobile Association, Case No. 2:15-cv-00478-RGD-LRL (E.D. Va.). Papers 6, 10. B. The ’432 Patent (Ex. 1001) The ’432 patent, titled “Centralized Identification and Authentication System and Method,” is directed to computerized methods and systems for verifying the identity of network users using dynamic, non-predictable, and 1 Petitioner states on page 1 of the Petition that it is challenging claims 1–54. Given the substance of Petitioner’s arguments, we presume that this is a typographical error. IPR2015-01842 Patent 8,266,432 B2 3 time dependent SecureCodes. See Ex. 1001, Abstract, 1:21–28. In one embodiment, the user signs up at a “central-entity” by providing his personal or financial information. Id., Abstract, Figs. 2, 3. Examples of central- entities include banks and credit card issuing companies. Id. at 2:13–16. When the user wants to buy goods or services from an external-entity, such as a merchant or an online site, the user requests, and then receives, a “SecureCode” from the central-entity. Id., Abstract, Figs. 2, 4. The user then provides his UserName and SecureCode as his digital identity to the external-entity, which then forwards the user’s digital identity along with an authentication request to the central-entity. Id., Abstract, 3:19–26; Figs. 2, 4, 5. The central-entity then authenticates the user’s digital identity and sends an approval identification and authorization message to the external- entity. Id., Abstract, Figs. 2, 5. C. Claims Petitioner challenges independent claims 1 through 55. Claims 1, 25, 48, and 52 are independent. Claim 1 is reproduced below: 1. A method for authenticating a user during an electronic transaction between the user and an external-entity, the method comprising: receiving electronically a request for a dynamic code for the user by a computer associated with a central-entity during the transaction between the user and the external entity; generating by the central-entity during the transaction a dynamic code for the user in response to the request, wherein the dynamic code is valid for a predetermined time and becomes invalid after being used; providing by the computer associated with the central entity said generated dynamic code to the user during the transaction; receiving electronically by the central-entity a request for IPR2015-01842 Patent 8,266,432 B2 4 authenticating the user from a computer associated with the external-entity based on a user-specific information and the dynamic code as a digital identity included in the request which said dynamic code was received by the user during the transaction and was provided to the external-entity by the user during the transaction; and authenticating by the central-entity the user and providing a result of the authenticating to the external-entity during the transaction if the digital identity is valid. D. Prior Art Petitioner relies upon the following prior art references: Brown, U.S. Patent No. 5,740,361, issued April 14, 1998 (“Brown,” Ex. 1010). Myers, et. al., X.509 Internet Public Key Infrastructure Online Certificate Status Protocol – OCSP, RFC 2560, Network Working Group (June 1999) (“Myers,” Ex. 1011). Neuman, B.C. and Ts’o, T., Kerberos: An Authentication Service for Computer Networks, ISI Research Report, ISI/RS- 94-399, IEEE Communications Magazine (September 1994) (“Neuman,” Ex. 1012). E. Asserted Grounds of Unpatentability Petitioner argues the challenged claims are unpatentable based upon the following grounds: References Basis Challenged Claims Brown and Myers § 103 1–55 Neuman § 102(b) 1–3, 6–28, and 31–55 Neuman § 103 4, 5, 29, and 30 Pet. 2. IPR2015-01842 Patent 8,266,432 B2 5 II. ANALYSIS A. Claim Construction In an inter partes review, claim terms in an unexpired patent are given their broadest reasonable construction in light of the specification of the patent in which they appear. 37 C.F.R. § 42.100(b); see also In re Cuozzo Speed Techs., LLC, 778 F.3d 1271, 1279–81 (Fed. Cir. 2015), cert. granted sub nom., Cuozzo Speed Techs., LLC v. Lee, No. 15–446, 2016 WL 205946 (U.S. Jan. 15, 2016). Under that standard, and absent any special definitions, we give claim terms their ordinary and customary meaning, as would be understood by one of ordinary skill in the art at the time of the invention. See In re Translogic Tech., Inc., 504 F.3d 1249, 1257 (Fed. Cir. 2007). Any special definitions for claim terms must be set forth with reasonable clarity, deliberateness, and precision. See In re Paulsen, 30 F.3d 1475, 1480 (Fed. Cir. 1994). The Board, however, may not “construe claims during IPR so broadly that its constructions are unreasonable under general claim construction principles. . . . [T]he protocol of giving claims their broadest reasonable interpretation . . . does not include giving claims a legally incorrect interpretation.” Microsoft Corp. v. Proxyconn, Inc., 789 F.3d 1292, 1298 (Fed. Cir. 2015) (citation omitted). Rather, “claims should always be read in light of the specification and teachings in the underlying patent.” Id. “Central-Entity” and “External-Entity” The terms “central-entity” and “external-entity” are recited in independent claims 1, 25, 48, and 52. The Specification of the ’432 Patent defines a central-entity as “any party that has [a] user’s personal and/or IPR2015-01842 Patent 8,266,432 B2 6 financial information, UserName, [and] Password and generates [a] dynamic, non-predictable and time dependable SecureCode for the user.” Ex. 1001, 2:13–16. Examples of a central-entity include banks, credit card issuing companies, or any intermediary service companies. Id. at 2:16–18. The Specification defines an external-entity as “any party offering goods or services that users utilize by directly providing their UserName and SecureCode as digital identity.” Id. at 2:19–21. Examples of an external- entity include a merchant, service provider, or online site. Id. at 2:22–23. The Specification further states that an external-entity can also be an entity that receives the user’s digital identity indirectly from the user through another external-entity, in order to authenticate the user, such as a bank or credit card issuing company. Id. at 2:24–26. Petitioner asserts these two terms should be construed broadly enough for the “central-entity” to perform the operations of the “external-entity” and vice versa, because dependent claims 11, 46, 49, and 53 recite that the central-entity and external-entity are the “same entity.” Pet. 4–5. Petitioner asserts this interpretation is also consistent with the specification of the ’432 Patent, which states the central-entity and the external-entity can both be “banks” or “credit card issuing companies.” Pet. 5 (citing Ex. 1001, 2:13– 26; Ex. 1003 ¶ 31). We agree that the Specification and claims 11, 46, 49, and 53 describe embodiments in which the central-entity and the external-entity can be the same entity. In these circumstances, the same/single entity can perform the operations of both the external and central entity. However, we disagree with Petitioner that the terms should be interpreted so broadly so to construe an external-entity as an entity that can perform the claimed operations of IPR2015-01842 Patent 8,266,432 B2 7 either the central or external entity, or vice versa (i.e., that the central-entity should be interpreted as an entity that can perform the operations of either the central or external entities). Petitioner does not direct us to a description in the Specification that would support such a construction. Thus, although we agree that the Specification describes embodiments where the central- entity and the external-entity can be the same entity, and, thus, the same entity can perform the operations of both the external and central entity, we do not construe independent claims 1, 25, 48, and 52 as meaning an entity that performs the claimed operations of an external-entity constitutes a central-entity, or that an entity that performs the claimed operations of a central-entity constitutes an external-entity. Patent Owner asserts that under a proper construction, the central- entity and the external-entity must “use separated computers which communicate between each other via a communication network.” Prelim. Resp. 10. Patent Owner contends the Specification describes a computerized network system, where three parties –– a user, a central entity and an external entity –– communicate with each other via a communication network. Prelim. Resp. 12 (citing Ex. 1001, 4:40–43, 5:32–35, Fig. 2). Patent Owner states that because the “central entity computer and external entity computer communicate between each other via a communication network, the computers must be separated.” Id. We are not persuaded by Patent Owner’s assertions that the proper construction of “external-entity” or “central-entity” requires communication over a communications network or use of separated computers. Patent Owner has not identified a sufficient factual basis to import these limitations into the claims. We must be careful not to read a particular embodiment IPR2015-01842 Patent 8,266,432 B2 8 appearing in the written description into the claim if the claim language is broader than the embodiment. See In re Van Geuns, 988 F.2d 1181, 1184 (Fed. Cir. 1993) (“limitations are not to be read into the claims from the specification”). We, therefore, do not construe external-entity and central- entity as suggested by either Petitioner or Patent Owner, but rather construe the terms as defined in column 2 of the Specification and as described above. For purposes of this Decision, we need not construe any other limitations of the challenged claims. B. Asserted Grounds of Unpatentability 1. Obviousness over Brown and Myers Petitioner contends that claims 1 through 55 are unpatentable under 35 U.S.C. § 103 over the combination of Brown and Myers. Pet. 6–38. To support its contention, Petitioner provides explanations as to how the prior art allegedly teaches each claim limitation of the challenged claims. Id. Petitioner also relies upon a Declaration of Seth Nielson, Ph.D. Ex. 1003. In light of the arguments and evidence submitted, Petitioner has not established a reasonable likelihood that claims 1 through 55 are unpatentable as obvious over Brown and Myers. Analysis A patent claim is unpatentable under 35 U.S.C. § 103 if the differences between the claimed subject matter and the prior art are such that the subject matter, as a whole, would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 406 (2007). The question of obviousness is resolved on the basis of underlying IPR2015-01842 Patent 8,266,432 B2 9 factual determinations including: (1) the scope and content of the prior art; (2) any differences between the claimed subject matter and the prior art; (3) the level of ordinary skill in the art; and (4) objective evidence of nonobviousness. Graham v. John Deere Co., 383 U.S. 1, 17–18 (1966). The Supreme Court has made clear that we apply “an expansive and flexible approach” to the question of obviousness. KSR, 550 U.S. at 415. Whether a patent claiming the combination of prior art elements is obvious is determined by whether the improvement is more than the predictable use of prior art elements according to their established functions. Id. at 417. As the Supreme Court recognized, in many cases a person of ordinary skill “will be able to fit the teachings of multiple patents together like pieces of a puzzle,” recognizing that a person of ordinary skill “is also a person of ordinary creativity, not an automaton.” Id. at 420–21. The level of ordinary skill in the art is reflected by the prior art of record. See Okajima v. Bourdeau, 261 F.3d 1350, 1355 (Fed. Cir. 2001); In re GPAC Inc., 57 F.3d 1573, 1579 (Fed. Cir. 1995). A dispositive issue concerns whether Petitioner has sufficiently established the cited art teaches or suggests “authenticating by the central- entity the user and providing a result of the authenticating to the external- entity during the transaction if the digital identity is valid” as recited in independent claim 1. Petitioner asserts the “authentication deity” of Brown constitutes a central-entity while the “service” of Brown constitutes an external-entity. See, e.g., Pet. 8, 13. Petitioner admits that Brown does not teach a central- entity that authenticates a user as required by claim 1 because in Brown the service (the asserted external-entity), and not the authentication deity IPR2015-01842 Patent 8,266,432 B2 10 (central-entity), authenticates the user. Id. at 19. However, Petitioner argues that because “under the [broadest reasonable interpretation], the ‘central- entity’ and the ‘external-entity’ can be the same entity,” it is sufficient that Brown’s service authenticates the user. Id. at 19–20 & n1. As noted above, we disagree with Petitioner’s claim construction regarding central and external entities. As such, we disagree with Petitioner’s contention that Brown’s teaching of an external-entity that authenticates a user satisfies the claim limitation requiring authentication by a central-entity. Petitioner alternatively argues that the combination of Myers and Brown teaches the disputed limitation, asserting that Myers teaches a central-entity that receives a service request from an external-entity to “‘provide the requested service,’ which is commonly used to authenticate a user.” Id. at 19. Petitioner contends that because Brown and Myers are both directed to preventing security risks imposed by replay attacks, one skilled in the art would be motivated to modify the method of Brown to have the authentication deity (central-entity), instead of the service (external-entity), perform the user authentication. Id. at 20. However, Petitioner’s argument does not explain how the combination of Myers and Brown teaches “providing a result of the authenticating to the external entity” as required by claim 1. Rather, Petitioner merely alleges that after the service in Brown verifies the results Ru, it calculates Rs, which “is sent to the user.” Id. (citing Ex. 1010, 10:15– 20) (emphasis added). Petitioner further states that Brown describes Ru and Rs as being used by the “user and service to ‘mutually authenticate one another’” and thus, under the modified authentication protocol of Brown in view of Myers, the authentication deity verifies the user response, Ru, and IPR2015-01842 Patent 8,266,432 B2 11 transmits the response Rs to the user after determining Ru is correct. Pet. 21. Petitioner concludes that the “authentication deity . . . performing the authentication operations of the service during the reauthentication process, which includes verifying the user response, Ru, and transmitting the response, Rs, to the user if Ru is correct, discloses these limitations of the claim.” Id. (emphasis added). Notably, nowhere does Petitioner explain or allege how transmitting a response to a user teaches or suggests providing a result to an external-entity, as required by the claim. As such, we are not persuaded that Petitioner has presented sufficient evidence or argument to establish a reasonable likelihood that either Brown or the combination of Brown and Myers teaches “authenticating by the central-entity the user and providing a result of the authenticating to the external-entity during the transaction if the digital identity is valid” as recited in independent claim 1. Nor does Petitioner provide sufficient argument or evidence to establish a reasonable likelihood that either Brown or the combination of Brown and Myers teaches or suggests similar limitations found in independent claim 25 (“second central-entity computer adapted to . . . authenticate the user . . . and to provide a result of the authentication of the user to the external-entity”), claim 48 (“authenticating by the central-entity the user and providing a result of the authentication of the user to the external entity during the transaction if the digital identity is valid”), or claim 52 (“second central-entity computer adapted to . . . authenticate the user . . . and to provide a result of the authentication of the user to the external-entity during the electronic transaction”). For these reasons, we determine that Petitioner has not demonstrated a reasonable likelihood of prevailing on its challenge to independent claims 1, IPR2015-01842 Patent 8,266,432 B2 12 25, 48, and 52 of the ’432 patent, or to dependent claims 2–24, 26–47, 49– 51, and 53–55 as obvious over Brown and Myers. 2. Anticipation of Claims 1–3, 6–28, and 31–55 by Neuman Petitioner contends that claims 1–3, 6–28, and 31–55 are anticipated under 35 U.S.C. § 102(b) by Neuman, a 1994 magazine article describing “Kerberos,” which is an authentication service for computer networks. Ex. 1012. To support its contention, Petitioner provides explanations as to how the prior art allegedly teaches each claim limitation of the challenged claims. Pet. 38–59. Petitioner also relies upon the Declaration of Seth Nielson, Ph.D. Ex. 1003. For the reasons that follow, we do not institute a review based on this challenge. Analysis “A claim is anticipated only if each and every element as set forth in the claim is found, either expressly or inherently described, in a single prior art reference.” Verdegaal Bros. v. Union Oil Co., 814 F.2d 628, 631 (Fed. Cir. 1987). The elements must be arranged as required by the claim, but this is not an ipsissimis verbis test, i.e., identity of terminology is not required. In re Bond, 910 F.2d 831, 832 (Fed. Cir. 1990). Petitioner contends Neuman discloses a distributed authentication service that allows a user to prove its identity to a verifier without sending data across a network. Pet. 38–39. Petitioner further contends that Neuman discloses a central-entity (the “authentication server”), an external-entity (the “verifier”), and a computer associated with a central-entity (the “client”). Id. (citing Ex. 1012, 34–35, Fig. 1; Ex. 1003 ¶ 97). A copy of Neuman Figure 1 as annotated by Petitioner on page 39 of the Petition is reproduced below. IPR2015-01842 Patent 8,266,432 B2 13 Annotated Figure 1 of Neuman depicts a diagram illustrating the messages exchanged between a client (C) and either the authentication server (AS) or the verifier (V). Ex. 1012, 35. A dispositive issue for this challenge is whether Petitioner has sufficiently established Neuman discloses “authenticating by the central- entity the user and providing a result of the authenticating to the external- entity during the transaction if the digital identity is valid” as recited in independent claim 1. Petitioner contends Neuman describes a verifier (the asserted external- entity) authenticating a user, by disclosing “the verifier decrypting the ticket, the authenticator, and the time stamp included in the application response.” Pet. 42–43 (citing Ex. 1012, 35; Ex. 1003 ¶ 105); see also Ex. 1012, Fig. 1 (steps 3 and 4). Petitioner further contends “under the broadest reasonable interpretation, when the verifier [authenticates the user], the authentication server thereby also performs these operations since they may be the same entity.” Pet. 43 (citing Ex. 1003 ¶ 107). However as noted above, we do not construe claim 1 as meaning an entity that performs the operations of an external-entity constitutes a central-entity, or vice versa. As such, we are not IPR2015-01842 Patent 8,266,432 B2 14 persuaded by Petitioner’s argument that Neuman’s disclosure of authentication of a user by an external-entity satisfies the claim limitation requiring authentication of a user by a central-entity. Nor has Petitioner provided sufficient argument or evidence that Neuman teaches a central-entity that authenticates a user as required by claim 1. To the extent that Petitioner argues Neuman teaches a central-entity that authenticates a user, this argument is based upon applying Petitioner’s rejected claim construction to the prior art and not upon the express or inherent teachings of the prior art itself. See, e.g., Pet. 41–43; Ex. 1003 ¶¶ 103, 107. Petitioner merely asserts that the authentication server (central- entity) performs the same authentication operations performed by the verifier (external-entity) because under a broadest reasonable interpretation standard, the external and central entities are the same. Id. This allegation is not sufficient to establish that the authentication server does in fact authenticate a user as required by claim 1. Similarly, Dr. Nielson’s statement that “the authentication server and the verifier may be the same entity” because “Neuman does not explicitly suggest that such a configuration would be technically infeasible or would frustrate the purpose of the Kerberos protocol” (Ex. 1003 ¶ 103) is insufficient to establish that the two entities are inherently a single entity. “To establish inherency, the extrinsic evidence ‘must make clear that the missing descriptive matter is necessarily present in the thing described in the reference, and that it would be so recognized by persons of ordinary skill.’” In re Robertson, 169 F.3d 743, 745 (Fed. Cir. 1999) (citation omitted). “Inherency, however, may not be established by probabilities or possibilities. The mere fact that a certain thing may result from a given set of circumstances is not sufficient.” Id. IPR2015-01842 Patent 8,266,432 B2 15 (citation omitted). Here, an allegation that the verifier and authentication server may be the same entity because such a configuration would not be “technically infeasible” or “frustrate the purpose” of the reference is not sufficient to establish Neuman teaches that the authentication server and verifier are in fact the same entity. For these reasons, we determine that Petitioner has not demonstrated a reasonable likelihood of prevailing on its challenge to claim 1. Independent claims 25, 48, and 52 recite similar limitations. Petitioner does not provide any additional argument or evidence directed specifically to these independent claims, instead relying upon its arguments presented with respect to claim 1. For example Petitioner states Neuman anticipates claim 25 “for the same reasons discussed previously with respect to Ground 2, [1.0]-[1.5], supra.” Pet. 56; see also Pet. 59 (claims 48 and 52). For these reasons, we determine that Petitioner has not demonstrated a reasonable likelihood of prevailing on its challenge to independent claims 1, 25, 48, and 52 of the ’432 patent, or to dependent claims 2–3, 6–24, 26–28, 31–47, and 49–51, and 53–55 as anticipated by Neuman. Therefore, we do not institute a review based on this challenge. 3. Obviousness of Claims 4, 5, 29, and 30 over Neuman Petitioner contends that dependent claims 4, 5, 29, and 30 would have been obvious over Neuman. Pet. 59–60. As noted above, we determined that Petitioner has not demonstrated a reasonable likelihood of prevailing on its challenge to independent claims 1 and 25. None of Petitioner’s arguments regarding the dependent claims cure the deficiencies regarding the independent claims. Therefore, Petitioner has not demonstrated a IPR2015-01842 Patent 8,266,432 B2 16 reasonable likelihood of prevailing on its challenge to claims 4, 5, 29, and 30 as obvious over Neuman, and we do not institute a review based on this challenge. III. CONCLUSION For the foregoing reasons, we conclude that Petitioner has not demonstrated a reasonable likelihood of prevailing with respect to at least one claim of the ’432 patent challenged in the Petition. Therefore, we do not institute an inter partes review on any of the asserted grounds as to any of the challenged claims.2 IV. ORDER In consideration of the foregoing, it is ORDERED that the Petition is denied and no trial is instituted. 2 Because we determine that Petitioner has not demonstrated a reasonable likelihood of prevailing in challenging claims 1–55 of the ’432 patent for the reasons set forth above, we need not address Patent Owner’s remaining arguments. IPR2015-01842 Patent 8,266,432 B2 17 FOR PETITIONER: Michael Zoppo Thomas Rozylowicz FISH & RICHARDSON P.C. zoppo@fr.com IPR36137-0007IP1@fr.com FOR PATENT OWNER: Reece Nienstadt Lei Mei Krystyna Colantoni MEI & MARK LLP rnienstadt@meimark.com mei@meimark.com kcolantoni@meimark.com Copy with citationCopy as parenthetical citation