`Tel: 571-272-7822
`
`
`
`
`
`
`Paper 12
`Entered: May 10, 2018
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`_______________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`_______________
`
`INAUTH, INC.,
`Petitioner,
`v.
`MSIGNIA, INC.,
`Patent Owner.
`____________
`
`Case IPR2018-00150
`Patent 9,559,852 B2
`____________
`
`
`Before TREVOR M. JEFFERSON, JAMES B. ARPIN, and
`GREGG I. ANDERSON, Administrative Patent Judges.
`
`ARPIN, Administrative Patent Judge.
`
`
`
`
`DECISION
`Denying Institution of Inter Partes Review
`35 U.S.C. § 314(a)
`
`
`
`
`
`
`
`IPR2018-00150
`Patent 9,559,852 B2
`
`
`I. INTRODUCTION
`A. Background
`
`InAuth, Inc. (“Petitioner”) filed a Petition requesting an inter partes
`review of claims 1–25 of U.S. Patent No. 9,559,852 B2 (Ex. 1001, “the ’852
`patent”). Paper 2 (“Pet.”). mSIGNIA, Inc. (“Patent Owner”) filed a
`Preliminary Response. Paper 9 (“Prelim. Resp.”). Having considered the
`Petition, the Preliminary Response, and the evidence of record, and applying
`the standard set forth in 35 U.S.C. § 314(a), which requires that Petitioner
`demonstrate a reasonable likelihood that it would prevail with respect to at
`least one challenged claim; we deny institution of inter partes review of
`claims 1–25 of the ’852 patent.
`
`B. Related Matters
`
`The parties indicate that the ’852 patent is the subject of a civil action
`identified as mSIGNIA, Inc. v. InAuth, Inc., 8:17-cv-01289 (C.D. Cal.), filed
`July 26, 2017. Pet. 71 (citing Ex. 1027); Paper 5, 1. Petitioner states that
`InAuth, Inc. is a wholly owned subsidiary of American Express Travel
`Related Services Company, Inc., the corporate parent of which is American
`Express Company. Pet. 70. Thus, Petitioner states that InAuth, Inc., the
`American Express Company, and American Express Travel Related Services
`Company, Inc. are real parties-in-interest. Id. at 70–71. Patent Owner states
`that mSIGNIA is the real party-in-interest. Paper 5, 1.
`
`2
`
`
`
`IPR2018-00150
`Patent 9,559,852 B2
`
`
`C. The ’852 Patent
`
`The ’852 patent is entitled “Cryptographic Security Functions Based
`on Anticipated Changes in Dynamic Minutiae” and is directed to “methods
`and systems for dynamic key cryptography us[ing] a wide range of minutiae
`as key material including computer hardware, firmware, software, user
`secrets, and user biometrics rather than stor[ing] a random number as a
`cryptographic key on the computer.” Ex. 1001, 3:7–11. The ’852 patent
`claims priority to U.S. Provisional Patent Application No. 61/462,474, filed
`February 3, 2011. Id. at [60]. Although Petitioner does not concede that the
`’852 patent is entitled to that priority date, the applied references predate that
`date, so, for purposes of this Decision, we accept the provisional
`application’s filing date as the earliest effective filing date of the ’852 patent.
`See Pet. 6 n.2.
`The ’852 patent recognizes that, in known authentication methods
`using “computer fingerprints,” “[a] typical computer identifier is computed
`and remains static; to ensure reliability the computer fingerprint typically
`uses computer minutiae (e.g., serial numbers) that normally do not change.
`Thus, current computer fingerprints typically use a relatively small set of
`static minutia which may be prone to spoofing.” Ex. 1001, 2:51–56
`(emphases added); see Prelim. Resp. 1. Known methods, however,
`“allegedly did not provide for the use of minutia that is subject to change
`because routine changes to the minutia, e.g., an upgrade to a component,
`would alter the fingerprint and cause false identification of a device as
`‘different’ (a ‘false negative’).” Pet. 1–2 (citing Ex. 1001, 2:56–3:2). The
`Specification of the ’852 patent system explains that the disclosed systems
`and methods permit use of minutia that is subject to change, such as location
`
`3
`
`
`
`IPR2018-00150
`Patent 9,559,852 B2
`
`or hardware, firmware, or software versions, in the authentication process.
`Pet. 2; Prelim. Resp. 2. In particular, these systems and methods use
`information regarding “anticipated changes” to the minutia to “deliver[] a
`tolerant, yet secure authentication with fewer false negatives.” Pet. 2
`(quoting Ex. 1001, 5:40–44).
`Figures 2A and 2B of the ’852 patent are reproduced below.
`
`
`
`4
`
`
`
`IPR2018-00150
`Patent 9,559,852 B2
`
`
`
`Figures 2A and 2B depict a system diagram illustrating a challenge,
`response and validation process performed by the system of Figure 1.
`Ex. 1001, 4:35–38.
`More specifically, Figures 2A and 2B depict an example for providing
`and using dynamic key cryptography to ensure valid service user 20 is using
`authenticated computer 18 in system 200. Id. at 10:24–27. System 200
`collects and catalogs minutiae values of computer 18 and service user 20
`that may identify computer 18 and service user 20, such that computer
`minutia 64 and secrets and biometric minutia 26 may be used by dynamic
`key crypto provider 10 to form dynamic keys unique to each and every
`distinct computer 18 and service user 20. Id. at 10:27–34. Consequently,
`each distinct computer 18 may use unique computer minutia 64 and secrets
`and biometric minutia 26 in system 200 that correspond to that distinct
`computer 18 and service user 20, respectively, and “each uniquely identified
`computer 18 corresponds to one and only one distinct computer 18 and each
`uniquely identified service user 20 may correspond to one and only one
`
`5
`
`
`
`IPR2018-00150
`Patent 9,559,852 B2
`
`distinct service user 20.” Id. at 10:34–41. “The unique identification of a
`computer 18 may be processed by system [200], for example, by a service
`provider 14 or by the dynamic key crypto provider 10, and there [may] be no
`meaningful single identifier or identity key itself stored on the computer 18.”
`Id. at 10:42–46.
`System 200 depicts a system for identifying and authenticating a
`specific computer 18 and service user 20 via challenge, response, and
`validation sequences performed by dynamic key crypto provider 10. Id. at
`10:46–50. Each distinct computer 18 and service user 20 is recognized by
`specific computer minutia 64, specific secrets and biometric minutia 26, or
`combinations thereof found on computer 18 or collected by computer 18
`from service user 20 as cataloged by dynamic key crypto provider 10. See
`id. at 10:50–58.
`As shown in Figure 2A, at step 2001, “computer minutia 64 can
`represent a set of 390 distinct minutiae values that may be chosen for
`collecting and cataloging from the computer 18.” Id. at 11:22–24. For
`example, hardware minutia (Hx) may represent 40 categories or types of the
`minutia, firmware minutia (Fx) may represent 70 categories or types of the
`minutia, software minutia (Sx) may represent 280 categories or types of the
`minutia, service user 20 secrets (?x) may represent 2 specific secrets, and
`service user 20 biometric minutia (Bx) may represent 5 categories or types
`of the minutia, from which it may be possible to accurately and uniquely
`identify specific computer 18 and associated service user 20 for computer
`18. Id. at 11:21–28, 12:37–49. “Hardware minutia values typically cannot
`change without changing a physical component of the computer 18.
`Firmware minutia can be updated but usually their update is controlled by
`
`6
`
`
`
`IPR2018-00150
`Patent 9,559,852 B2
`
`someone other than the service user 20. Software minutia changes
`dynamically via various individual instantiations of service user 20 and
`includes elements that may require predictable, constant change in normal
`situations (i.e., frequently called contact phone numbers).” Id. at 11:38–46.
`Software minutiae values, however, may reflect customizations performed
`by service user 20. Thus, “software minutiae values can accurately identify
`computer 18 devices that are otherwise extremely similar in hardware and
`firmware.” Id. at 11:49–51.
`Referring to Figure 2B, at step 2020, formulate challenge 116 process
`computes a cryptographic key based on a combination of minutia (e.g., Hx-
`Fy-Sz for the illustrated example). Id. at 15:43–46. At step 2030, dynamic
`key crypto provider 10 computes all responses that are acceptable from
`computer 10. Id. at 16:8–10.
`At step 2040, the particular computer 18 being challenged
`may receive the challenge and unpack the challenge to determine
`which minutia it should collect and use the values of to form its
`response to the challenge. Having unpacked the challenge using
`information and algorithms stored in the dynamic key crypto
`library 56, the response process 112 can use the computer 18 to
`fetch the values of the selected computer minutia 64 or collect
`the values of selected service and biometrics minutia 26 and
`build a key that may be identical to the key computed by the
`dynamic key crypto provider 10 at step 2020.
`. . .
`
`As illustrated at step 2050, the validate response from
`computer 120 process can therefore be determined by simply
`comparing the actual response received from the computer 18 to
`the allowable responses that are pre-processed by the dynamic
`key crypto provider 10 to determine if there is a match.
`Decrypting or decoding of a response is not necessary so the
`validation can occur very quickly.
`
`7
`
`
`
`IPR2018-00150
`Patent 9,559,852 B2
`
`Id. at 16:42–52, 17:1–7.
`
`D. Illustrative Claim
`
`Claims 1, 24, and 25 are independent, and each is directed to an
`identity recognition system. Id. at 34:18–47 (claim 1), 36:6–38 (claim 24),1
`36:39–37:7 (claim 25). Each of claims 2–23 depends directly or indirectly
`from claim 1. Id. at 34:48–36:5. Claim 1 is illustrative and is reproduced
`below, with emphasis added.
`
`A identity recognition system comprising:
`
`1.
`
` a
`
` non-transitory memory storing information associated with one
`or more identities, wherein the information stored for an identity
`includes (a) data values associated with that identity; and
`(b) information regarding anticipated changes to one or more of
`the stored data values associated with that identity;
`
`one or more hardware processors in communication with the
`memory and configured to execute instructions to cause the
`identity recognition system to recognize that the presentation of
`identity information by a computer is authentic, by performing
`operations comprising:
`
`
`generating a challenge to the computer, wherein the
`challenge prompts the computer to provide a response based on
`one or more data values from the computer that correspond to
`one or more of the stored data values associated with the identity;
`
`
`receiving, from the computer, the response to the
`challenge;
`
`
`determining whether the response is allowable, wherein
`such determining comprises using the stored information
`regarding anticipated changes to the stored data values
`
`
`1 Claim 24 is corrected by a Certificate of Correction.
`
`8
`
`
`
`IPR2018-00150
`Patent 9,559,852 B2
`
`
`associated with the identity to determine whether a data value
`used to form the response is based on an acceptable change to a
`corresponding stored data value; and
`
`
`recognizing that the presentation of identity information
`by the computer is authentic, according to whether the computer
`has provided an allowable response to the challenge.
`Id. at 34:18–47 (disputed limitations emphasized).
`E. Applied References and Declaration
`Petitioner relies on the following references and declaration in support
`of its asserted grounds for unpatentability.
`
`Exhibit No.
`1003
`1004
`
`1005
`
`1006
`
`Pet. iv, 9, 11.
`
`Declaration or Reference
`Declaration of Patrick Traynor, Ph.D.
`U.S. Patent No. 8,316,421 B2 to Etchegoyen et al., filed
`October 13, 2010; published April 21, 2011; and issued
`November 20, 2012 (“Etchegoyen”)2
`U.S. Patent Publication No. 2006/0282660 A1 to Varghese et
`al., filed April 28, 2006, and published December 14, 2006
`(“Varghese”)
`U.S. Patent No. 8,312,157 B2 to Jakobsson et al., filed July
`16, 2009; published January 20, 2011; issued November 13,
`2012 (“Jakobsson”)
`
`F. Asserted Grounds of Unpatentability
`
`Petitioner argues that claims 1–25 of the ’852 patent are unpatentable
`based on the following grounds:
`Reference(s)
`Basis
`Etchegoyen
`35 U.S.C. § 102
`
`2 Based on its claim of priority to U.S. Provisional Patent Application No.
`61/252,960, filed October 19, 2009, Dr. Traynor argues that Etchegoyen is
`entitled to a priority date of October 19, 2009. Ex. 1003 ¶¶ 61–64.
`
`Claim(s)
`1–5, 7, 14–21, 24, and 25
`
`9
`
`
`
`IPR2018-00150
`Patent 9,559,852 B2
`
`
`35 U.S.C. § 103
`Etchegoyen
`Etchegoyen and Jakobsson 35 U.S.C. § 103
`Etchegoyen and Varghese
`35 U.S.C. § 102
`Varghese
`35 U.S.C. § 102
`Varghese
`35 U.S.C. § 103
`Pet. 5.
`
`II. ANALYSIS
`A. Claim Construction
`
`1–5, 7, 14–21, 24, and 25
`6 and 8–12
`13, 22, and 23
`1–23 and 25
`24
`
`In an inter partes review, “[a] claim in an unexpired patent that will
`not expire before a final written decision is issued shall be given its broadest
`reasonable construction in light of the specification of the patent in which it
`appears.” 37 C.F.R. § 42.100(b). In determining the broadest reasonable
`construction, we presume that claim terms carry their ordinary and
`customary meaning. See In re Translogic Tech., Inc., 504 F.3d 1249, 1257
`(Fed. Cir. 2007). This presumption may be rebutted when a patentee, acting
`as a lexicographer, sets forth an alternate definition of a term in the
`specification with reasonable clarity, deliberateness, and precision. In re
`Paulsen, 30 F.3d 1475, 1480 (Fed. Cir. 1994).
`
`1. “generating a challenge” (Claims 1, 24, and 25)
`
`Petitioner and Patent Owner agree that only the term: “generating a
`challenge” recited in each independent claim requires express construction.
`Pet. 13; Prelim. Resp. 4–5; see Paper 11. Moreover, Petitioner and Patent
`Owner agree that “generating a challenge” should be construed as
`“generating a request for information.” Pet. 13; Prelim. Resp. 4.
`Nevertheless, Patent Owner further clarifies that the “challenge” is a
`challenge to the computer that is to be authenticated. Prelim. Resp. 4. We
`
`10
`
`
`
`IPR2018-00150
`Patent 9,559,852 B2
`
`believe that this clarification is apparent from the context in which the
`construed term is used in the independent claims. See Pet. 13 (“As used in
`the specification, the challenge is a request to the computer to provide
`information based on selected minutia.”). On this record and for purposes of
`this Decision, we adopt the parties’ agreed upon construction, in view of
`Patent Owner’s clarification that the challenge is to the computer seeking
`authentication, as the broadest reasonable interpretation of this term.
`
`2. Other Claim Terms
`
`Only terms which are in controversy need to be construed, and then
`only to the extent necessary to resolve the controversy. See, e.g., Nidec
`Motor Corp. v. Zhongshan Broad Ocean Motor Co., 868 F.3d 1013, 1017
`(Fed. Cir. 2017) (“[W]e need only construe terms ‘that are in controversy,
`and only to the extent necessary to resolve the controversy.’” (quoting Vivid
`Techs., Inc. v. Am. Sci. & Eng’g, Inc., 200 F.3d 795, 803 (Fed. Cir. 1999))).
`For purposes of this Decision, no other claim terms require express
`construction.
`
`B. Asserted Grounds
`
`1. Overview
`
`Petitioner argues that claims 1–5, 7, 14–21, 24, and 25 of the ’852
`patent are anticipated by or, in the alternative, rendered obvious over the
`teachings of Etchegoyen and relies upon the Declaration of Dr. Traynor
`(Ex. 1003) to support its arguments. Pet. 5, 14–38; see supra Section I.F.
`Further, Petitioner argues that each of claims 6, 8–13, 22, and 23 are
`rendered obvious over the teachings of Etchegoyen in combination with
`those of Jakobsson or Varghese, and again relies upon the Declaration of
`
`11
`
`
`
`IPR2018-00150
`Patent 9,559,852 B2
`
`Dr. Traynor (Ex. 1003) to support its arguments. Pet. 5, 38–47; see supra
`Section I.F. In addition, Petitioner argues that claims 1–25 of the ’852
`patent are anticipated by or, in the alternative, rendered obvious over the
`teachings of Varghese and relies upon the Declaration of Dr. Traynor
`(Ex. 1003) to support its arguments. Pet. 5, 47–70; see supra Section I.F.
`As noted above, each of claims 2–23 depends directly from
`independent claim 1, and Patent Owner focuses its opposition primarily to
`the asserted grounds for unpatentability on the application of the teachings
`of Etchegoyen or Varghese to claims 1, 24, and 25. Prelim. Resp. 11–20,
`25–28.
`After reviewing Petitioner’s and Patent Owner’s arguments and
`evidence, for the reasons set forth below, we are not persuaded that
`Petitioner has demonstrated a reasonable likelihood of prevailing in showing
`that any of claims 1–25 of the ’852 patent is unpatentable with respect to the
`grounds based, in whole or in part, on Etchegoyen or Varghese.
`Consequently, we deny institution of inter partes review of claims 1–25 of
`the ’852 patent as to the asserted grounds.
`
`2. Legal Principles
`
`“A claim is anticipated only if each and every element as set forth in
`the claim is found, either expressly or inherently described, in a single prior
`art reference.” Verdegaal Bros. v. Union Oil Co., 814 F.2d 628, 631 (Fed.
`Cir. 1987). The elements must be arranged as required by the claim, but this
`is not an ipsissimis verbis test. See In re Bond, 910 F.2d 831, 832 (Fed. Cir.
`1990). Moreover, “it is proper to take into account not only specific
`teachings of the reference but also the inferences which one skilled in the art
`
`12
`
`
`
`IPR2018-00150
`Patent 9,559,852 B2
`
`would reasonably be expected to draw therefrom.” Application of Preda,
`401 F.2d 825, 826 (CCPA 1968). Nevertheless,
`unless a reference discloses within the four corners of the
`document not only all of the limitations claimed but also all of
`the limitations arranged or combined in the same way as recited
`in the claim, it cannot be said to prove prior invention of the thing
`claimed, and thus, cannot anticipate under 35 U.S.C. § 102.
` Net MoneyIN, Inc. v. VeriSign, Inc., 545 F.3d 1359, 1371 (Fed. Cir. 2008)
`(emphasis added); accord In re Arkley, 455 F.2d 586 (CCPA 1972).
`A claim is unpatentable under 35 U.S.C. § 103(a) if the differences
`between the claimed subject matter and the prior art are such that the subject
`matter, as a whole, would have been obvious at the time the invention was
`made to a person having ordinary skill in the art to which said subject matter
`pertains. KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 406 (2007).
`Obviousness is a question of law, which is resolved on the basis of
`underlying factual determinations including: (1) the scope and content of
`the prior art; (2) any differences between the claimed subject matter and the
`prior art; (3) the level of ordinary skill in the art;3 and (4) when in evidence,
`
`
`3 Petitioner proposes an assessment of the level of ordinary skill in the art.
`Pet. 12; see Ex. 1003 ¶¶ 22, 23. Petitioner’s declarant, Dr. Traynor, exceeds
`this assessed level. Ex. 1003 ¶¶ 9–20. At this time, Patent Owner does not
`propose an alternative assessment. For purposes of this Decision, and to the
`extent necessary, we adopt Petitioner’s assessment.
`
`13
`
`
`
`IPR2018-00150
`Patent 9,559,852 B2
`
`objective evidence of nonobviousness.4 Graham v. John Deere Co., 383
`U.S. 1, 17–18 (1966).
`
`3. Asserted Anticipation by and/or Obviousness Over Etchegoyen
`
`Petitioner argues that claims 1–5, 7, 14–21, 24, and 25 are
`unpatentable under 35 U.S.C. §§ 102(e) or 102(a) as anticipated by
`Etchegoyen or under 35 U.S.C. § 103(a) as rendered obvious over
`Etchegoyen. Pet. 5, 14–38. Relying on the testimony of its declarant,
`Dr. Traynor, Petitioner explains how Etchegoyen allegedly discloses each
`and every element of the challenged claims. Id. (citing Ex. 1003). We begin
`our analysis with an overview of Etchegoyen.
`
`a. Etchegoyen (Ex. 1004)
`
`Etchegoyen is entitled “System and Method for Device Authentication
`with Built-in Tolerance” and describes systems performing the following
`computer-implementable steps:
`(a) receiving and storing a first digital fingerprint of the
`device during a first boot of an authenticating software on the
`device, the first digital fingerprint based on a first set of device
`components, (b) receiving a second digital fingerprint from
`the device at a subsequent time, (c) comparing the second
`digital fingerprint with a plurality of stored digital
`fingerprints of known devices, (d) in response to the
`comparison indicating a mismatch between the second digital
`fingerprint and the plurality of stored digital fingerprints,
`generating a request code comprising instructions for the
`device to generate a third digital fingerprint using the first set
`of device components, (e) sending the request code to the
`remote device, (f) receiving the third digital fingerprint from
`
`4 Patent Owner does not present arguments or evidence of such secondary
`considerations in the Preliminary Response. See Pet. 70.
`
`14
`
`
`
`IPR2018-00150
`Patent 9,559,852 B2
`
`
`the remote device in response to the request code, and
`(g) authenticating the device based on a comparison of the
`first and third digital fingerprints.
`Ex. 1004, [57] (emphases added). Specifically, Etchegoyen describes that:
`The first boot fingerprint may be generated using the
`overall
`environmental
`information
`collected
`by
`the
`authentication module. Alternatively, the first boot fingerprint
`may be generated using specific components of the device as
`predetermined by the authentication client. The specific
`components may include components from a typical-upgrade
`components list or a non-typical-upgrade components list. The
`typical-upgrade components list may include components such
`as: graphic card, random access memory, sound card, network
`adaptor, hard drive, CD/DVD drive, Ethernet controller, or other
`routinely upgraded components. The non-typical-upgrade
`components list may include components such as: motherboard,
`USB host controller, central microprocessor, PCI Bus, System
`CMOS Clock, etc.
`Id. at 4:63–5:9 (emphasis added).
`Etchegoyen’s Figure 4 is reproduced below.
`
`15
`
`
`
`IPR2018-00150
`Patent 9,559,852 B2
`
`
`
`Figure 4 is a process flow chart illustrating an embodiment of computer-
`implementable steps of a method for device authentication with built-in
`tolerance. Id. at 4:16–18; see Ex. 1003 ¶¶ 74–77.
`Figure 4 depicts an exemplary process flow on the authenticating
`server side of method 400 for authenticating a device. Ex. 1004, 12:16–57.
`At step 410, a digital fingerprint is received by the authentication server.
`The digital fingerprint may have a plurality of digital fingerprint portions,
`and each portion represents a digital fingerprint of a component of the
`device. Id. at 12:21–23. For example, the digital fingerprint may include a
`plurality of mini-fingerprints, each associated with a different component of
`
`16
`
`
`
`IPR2018-00150
`Patent 9,559,852 B2
`
`the device, which may be combined to form the digital fingerprint. Id. at
`12:23–27.
`At step 420, the received digital fingerprint is authenticated by
`comparing it against stored digital fingerprints. Id. at 12:28–29. In
`particular, each portion of the received digital fingerprint may be compared
`with portions of a stored digital fingerprint. Id. at 12:29–31. If a portion of
`the received digital fingerprint matches any portion(s) of a stored digital
`fingerprint, a match of that portion is recognized. Id. at 12:31–34. If,
`however, the authenticating server fails to find a match for a portion of the
`received digital fingerprint, as indicated in step 430, that portion may be
`flagged as failed. Id. at 12:34–36. Alternatively, received digital fingerprint
`portions with matched portions in a stored digital fingerprint may be flagged
`as passed. Id. at 12:36–38.
`In one embodiment, the device may be authenticated
`solely based on the ratio of passed and failed digital fingerprint
`portions. For example, if 80% of the portions are flagged as
`passed, then the device may be validly authenticated. However,
`additional safeguards may be added to the authentication
`process by breaking down the components responsible for the
`errors.
`Id. at 39–45 (emphasis added); see id. at 13:22–38 (describing step 450). In
`step 440, each portion of the digital fingerprint may be categorized by its
`associated component. Ex. 1004, 12:45–46. By decoding the fingerprint
`portion, information about the component, such as the type of component
`used to generate the digital fingerprint portion, may be determined; and
`when the component information is analyzed, the component may be
`categorized as a typical-upgrade component or a non-typical-upgrade
`component. Id. at 12:49–55. “Thus, each fingerprint portion may be
`
`17
`
`
`
`IPR2018-00150
`Patent 9,559,852 B2
`
`compared against stored fingerprints, flagged as failed or passed, and
`categorized.” Id. at 12:55–57 (emphasis added).
`
`b. Analysis With Respect to Independent Claims 1, 24, and 25
`
`Petitioner argues that Etchegoyen discloses each and every element
`recited in independent claim 1. Pet. 14–23. Petitioner applies substantially
`the same mapping of Etchegoyen to independent claims 24 (id. at 23–26)
`and 25 (id. at 26–28). In the alternative, Petitioner argues that:
`With respect to Claims 1, 24, and 25, to the extent Patent
`Owner contends that Etchegoyen does not anticipate because it
`does not disclose a single embodiment that uses both the
`request/response protocol (i.e., challenge/response protocol) to
`obtain a fingerprint and the typical-upgrade ratio to analyze the
`fingerprint, it would have been obvious to a [person of ordinary
`skill in the art] to modify the embodiments disclosed to include
`both aspects.
`Id. at 37 (citing Ex. 1003 ¶ 151). Patent Owner contends, however, that
`Etchegoyen fails to disclose the limitations of claim 1 relating to
`“anticipated changes” including “storing information associated with one or
`more identities, wherein the information stored for an identity includes
`(a) data values associated with that identity; and (b) information regarding
`anticipated changes to one or more of the stored data values associated with
`that identity” and “determining whether the response is allowable, wherein
`such determining comprises using the stored information regarding
`anticipated changes to the stored data values associated with the identity to
`determine whether a data value used to form the response is based on an
`acceptable change to a corresponding stored data value.” Prelim. Resp. 7–
`11. For the reasons discussed below, we are not persuaded that Petitioner
`has shown a reasonable likelihood of prevailing in its assertion that
`
`18
`
`
`
`IPR2018-00150
`Patent 9,559,852 B2
`
`Etchegoyen discloses each and every element or teaches or suggests all of
`the limitations recited in independent claims 1, 24, and 25.
`
`i.
`
`Petitioner’s Mapping of Etchegoyen onto Claim 1
`
`Petitioner provides a detailed mapping of the disclosure of
`Etchegoyen onto the elements of independent claim 1. Pet. 14–23; see
`Ex. 1003 ¶¶ 78–95. Specifically, Petitioner argues that Etchegoyen
`discloses a system for authenticating the identity of a device. Ex. 1004,
`1:30–43. Similar to the system recited in claim 1, Etchegoyen’s system
`recognizes that it is “desirable to provide an authentication method with built
`in flexibility or tolerance to allow for some upgrades or changes to the
`device.” Id. (emphasis added). Petitioner argues that Etchegoyen discloses
`“a non-transitory memory storing information associated with one or more
`identities” of the device to be authenticated. Pet. 18–19; see Ex. 1001,
`34:19–21. Specifically, challenged claim 1 recites two types of stored
`information, namely, “(a) data values associated with that identity; and (b)
`information regarding anticipated changes to one or more of the stored data
`values associated with that identity.” Ex. 1001, 34:21–24. Petitioner argues
`that Etchegoyen’s “first boot fingerprint” corresponds to the “data values”
`recited in claim 1. Pet. 15 (citing Ex. 1004, 4:56–62), 19. Further,
`Petitioner argues that Etchegoyen’s “predetermined non-typical-upgrade
`component/typical-upgrade component ratio” and Etchegoyen’s lists of
`typical-upgrade components and non-typical-upgrade components disclose
`the “information regarding anticipated changes to one or more of the stored
`data values.” Id. at 19–20 (citing Ex. 1004, 3:12–17, 4:65–5:2, 12:45–57,
`13:22–38).
`
`19
`
`
`
`IPR2018-00150
`Patent 9,559,852 B2
`
`
`Claim 1 further recites “one or more hardware processors in
`communication with the memory and configured to execute instructions to
`cause the identity recognition system to recognize that the presentation of
`identity information by a computer is authentic, by performing operations.”
`Ex. 1001, 34:25–29. Petitioner argues that, referring to its Figure 1,
`Etchegoyen’s Processing Module 160 in communication with Storage
`Module 155 discloses this additional hardware. Pet. 16, 20 (citing Ex. 1004,
`3:2–37, 9:49–52).
`Claim 1 recites four method steps performed by the “one or more
`hardware processors.” Ex. 1001, 34:30–47. Petitioner argues that
`Etchegoyen discloses each of these steps. Specifically, claim 1 recites the
`step of “generating a challenge to the computer, wherein the challenge
`prompts the computer to provide a response based on one or more data
`values from the computer that correspond to one or more of the stored data
`values associated with the identity.” Id. at 34:30–34. In view of the agreed
`construction of the term “generating a challenge” (see supra Section II.A.1.),
`Petitioner argues that Etchegoyen discloses “generat[ing] a request code,”
`which corresponds to generating the recited challenge. Pet. 20 (citing
`Ex. 1004, 5:35–39). Petitioner argues that Etchegoyen’s request code
`prompts the challenged computer to “send a response that includes a
`fingerprint or mini-fingerprint, such as a fingerprint based on the same
`components used for the first boot fingerprint.” Id. at 20 (citing Ex. 1004,
`11:13–22); see Ex. 1004, 5:47–51.
`Claim 1 further recites the step of “receiving, from the computer, the
`response to the challenge.” Ex. 1001, 34:35–36. Petitioner argues that
`Etchegoyen discloses that the recited “response to the challenge” in the form
`
`20
`
`
`
`IPR2018-00150
`Patent 9,559,852 B2
`
`of a “response code” that is generated in response to the request code is
`transmitted to the authenticating server. Pet. 21 (citing Ex. 1004, 5:44–63).
`
`Claim 1 further recites “determining whether the response is
`allowable, wherein such determining comprises using the stored information
`regarding anticipated changes to the stored data values associated with the
`identity to determine whether a data value used to form the response is based
`on an acceptable change to a corresponding stored data value.” Ex. 1001,
`34:37–43. Referring to steps 420–450 of Etchegoyen’s Figure 4, discussed
`above, Petitioner argues that:
`At step 420, the system “compar[es] each portion of the
`received digital fingerprint with portions of a stored digital
`fingerprint.” [Ex. 1004], 12:28-29. At step 430, the system
`“flag[s] each digital fingerprint portion creating an error during
`authentication.” Id., 3:10-12. At step 440, the system
`“categorize[s] associated component[s] of each fingerprint
`portion that produced the error.” Id., 3:12-14. As discussed
`above, this step entails categorizing the flagged portions as
`corresponding to “typical-upgrade components” or “non-typical-
`upgrade components.” And lastly at step 450, the system
`“authenticate[s] device based on categorization of flagged
`components.” Id., 15:42-43.
`The determining step of Etchegoyen “us[es] the stored
`information regarding anticipated changes to the stored data
`values associated with the identity” both because it uses the
`predetermined
`typical-upgrade ratio and because
`it uses
`information
`regarding whether a
`failed mini-fingerprint
`corresponds to a “typical” or “non-typical” upgrade component.
`The determining step of Etchegoyen also includes
`“determin[ing] whether a data value used to form the response is
`based on an acceptable change to a corresponding stored data
`value.” Etchegoyen discloses that one way of determining
`whether the response is based on an acceptable