UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

NETSKOPE, INC.,
Petitioner,

v.

BITGLASS, INC.,
Patent Owner.

PTAB Case No. PGR2021-00091

U.S. Patent No. 10,855,671

PETITION FOR POST-GRANT REVIEW
OF U.S. PATENT NO. 10,855,671

TABLE OF CONTENTS

EXHIBIT LIST
I. INTRODUCTION
II. MANDATORY NOTICES
    A. Real party-in-interest
    B. Related matters
    C. Counsel and service information
III. REQUIREMENTS FOR POST-GRANT REVIEW
    A. Grounds for standing
    B. Overview of challenge and relief requested
        1. Identification of prior art
        2. Grounds for challenge and challenged claims
IV. TECHNOLOGY DESCRIPTION
    A. Overview
        1. Single Sign-On
        2. Proxy Servers, URL Rewriting, and HTTP Redirects
        3. “Man-in-the-Middle”
    B. ’671 Patent Overview
        1. The Alleged Invention
        2. Prosecution history
        3. Priority Date
V. SECTION 325(D) ANALYSIS
VI. CLAIM CONSTRUCTION
VII. LEVEL OF ORDINARY SKILL IN THE ART
VIII. SPECIFIC GROUNDS FOR PETITION
    A. Ground 1: Combination of Sarukkai and Rowley renders claims 1-2, 4-5, 9-10, and 12-13 obvious.
        1. Motivations to combine
        2. Claims 1 and 9:
        3. Claims 2 and 10:
        4. Claims 4 and 12:
        5. Claims 5 and 13:
    B. Ground 2: Combination of Sarukkai, Rowley, and Song renders claims 6 and 14 obvious.
        1. Motivations to combine
        2. Claims 6 and 14:
    C. Ground 3: Combination of Sarukkai, Rowley, and Guccione renders claims 7 and 15 obvious.
        1. Motivations to combine
        2. Claims 7 and 15:
    D. Ground 4: Combination of Cronk and Woelfel renders claims 1-2, 4-5, 9-10, and 12-13 obvious.
        1. Motivations to combine
        2. Claims 1 and 9:
        3. Claims 2 and 10:
        4. Claims 4 and 12:
        5. Claims 5 and 13:
    E. Ground 5: Combination of Cronk, Woelfel, and Song renders claims 6 and 14 obvious.
    F. Ground 6: Combination of Cronk, Woelfel, and Guccione renders claims 7 and 15 obvious.
    G. Ground 7: Combination of Kahol and Parla renders claims 1-2, 4-5, 8-10, 12-13, and 16 obvious.
        1. Motivations to combine
        2. Claims 1 and 9:
        3. Claims 2 and 10:
        4. Claims 4 and 12:
        5. Claims 5 and 13:
        6. Claims 8 and 16:
    H. Ground 8: Claims 7-8 and 15-16 are invalid under Section 112.
        1. Claims 7 and 15:
        2. Claims 8 and 16:
IX. CONCLUSION

TABLE OF AUTHORITIES

CASES
Advanced Bionics, LLC v. Med-El Electromedizinishce Geräte GMBH, IPR2019-01469 (P.T.A.B. Feb. 13, 2020)
Ariad Pharms., Inc. v. Eli Lilly & Co., 598 F.3d 1336 (Fed. Cir. 2010)
Becton, Dickinson & Co. v. B. Braun Melsungen AG, IPR2017-01586 (P.T.A.B. Dec. 15, 2017)
Bowtech, Inc. v. MCP IP, LLC, IPR2019-00379 (P.T.A.B. July 3, 2019)
Coolit Sys., Inc. v. Asetek Danmark A/S, IPR2020-00522 (P.T.A.B. Mar. 17, 2021)
Genentech Inc. v. Novo Nordisk A/S, 108 F.3d 1361 (Fed. Cir. 1997)
Phillips v. AWH Corp., 415 F.3d 1303 (Fed. Cir. 2005)
Purdue Pharma L.P. v. Faulding Inc., 230 F.3d 1320 (Fed. Cir. 2000)
Studiengesellschaft Kohle, M.B.H. v. Shell Oil Co., 112 F.3d 1561 (Fed. Cir. 1997)

STATUTES
35 U.S.C. § 112(a)
35 U.S.C. § 102(a)(1)
35 U.S.C. § 102(a)(2)
35 U.S.C. § 103
35 U.S.C. § 112

OTHER AUTHORITIES
37 C.F.R. § 42.200(b)
MPEP § 211.05(I)
MPEP § 211.05(I)(B)

Petition for Post-Grant Review of U.S. Pat. No. 10,855,671
PTAB Case No. PGR2021-00091

EXHIBIT LIST

Exhibit    Description
Ex. 1001   U.S. Patent No. 10,855,671 to Kahol et al. (“’671 Patent”)
Ex. 1002   Supporting Declaration of Dr. Michael Franz (“Franz”)
Ex. 1003   File History of U.S. Patent Application No. 16/876,163 (“’671 Patent File Wrapper”)
Ex. 1004   U.S. Patent 9,137,131 B1 (“Sarukkai”)
Ex. 1005   U.S. Patent Application Publication 2008/0189778 A1 (“Rowley”)
Ex. 1006   U.S. Patent Application Publication 2012/0008786 A1 (“Cronk”)
Ex. 1007   U.S. Patent Application Publication 2012/0278872 A1 (“Woelfel”)
Ex. 1008   U.S. Patent Application Publication 2016/0087970 A1 (“Kahol”)
Ex. 1009   U.S. Patent Application Publication 2015/0200924 A1 (“Parla”)
Ex. 1010   U.S. Patent Application Publication No. 2015/0319156 (“Guccione”)
Ex. 1011   International Patent Application Publication No. WO 2005/069823 (“Song”)
Ex. 1012   Screen capture of https://www.bitglass.com/blog/how-to-patent-a-phishing-attack, dated October 1, 2015
Ex. 1013   File History of U.S. Patent Application No. 14/954,989 (“’090 Patent File Wrapper”)
Ex. 1014   International Patent Application Publication No. WO 2014/093613 (“Guccione PCT”)
Ex. 1015   File History of U.S. Patent Application No. 61/765,354 (“Guccione ’354 Provisional”)
Ex. 1016   File History of U.S. Patent Application No. 61/736,407 (“Guccione ’407 Provisional”)

I. INTRODUCTION

Netskope, Inc. requests post-grant review of claims 1, 2, 4-10, and 12-16 of U.S. Patent No. 10,855,671 issued to Bitglass, Inc. The Board should institute post-grant review and cancel the challenged claims for two primary reasons: (1) obviousness over the prior art and (2) failure to comply with the written description and enablement requirements.

First, the challenged claims relate to a well-known sign-in process named “single sign-on” (“SSO”). In SSO, a user is authenticated and, thereafter, gains access to more than one resource (e.g., email, word processing) without needing to authenticate again. SSO schemes were developed over twenty years ago and have been used extensively, and in various configurations, since. The claimed invention simply recites a configuration for executing an SSO using common components—e.g., client devices, application servers, proxies, and identity providers—and known interactions between those components. It adds nothing novel over the prior art and simply combines well-known industry methods.

The lack of novelty is highlighted by the fact that three separate combinations render at least the independent claims of the ’671 patent obvious. The references in this petition are all concerned with SSO schemes and, like the ’671 patent, disclose configurations for executing them. Notably, a Bitglass inventor discussed one of the references (Sarukkai) on his Bitglass blog before applying for the ’671 patent, but chose to withhold the reference from the patent office.

Second, claims 7-8 and 15-16 are invalid because they lack written description and enablement in the detailed description, and the claims themselves do not provide section 112 support because they were added as new claims during prosecution of the ’671 patent.

II. MANDATORY NOTICES

A. Real party-in-interest

Netskope, Inc. is the sole real party-in-interest.

B. Related matters

Petitioner has filed a civil action seeking a declaratory judgment that it does not infringe the ’671 patent and a related patent, U.S. Patent No. 10,757,090 B2, in the United States District Court for the Northern District of California, Case No. 3:21-CV-00916-EMC. PGR2021-0092 is being concurrently filed to challenge a different set of claims of the ’671 Patent. Petitioner has challenged the validity of the ’090 patent in two co-pending inter partes review proceedings (see IPR2021-01045 & IPR2021-01046).

C. Counsel and service information

Lead counsel: Thomas N. Millikan (Reg. No. 72,316).

Back-up counsel: Babak Tehranchi (Reg. No. 55,937), Kyle R. Canavera (Reg. No. 72,167), Andrew N. Klein (pro hac vice forthcoming).

These attorneys can be reached by mail at Perkins Coie LLP, 11452 El Camino Real, Suite 300, San Diego, California, 92130, by phone at (858) 720-5700 and by fax at (858) 720-5799.

Petitioner consents to electronic service. All services and communications to the attorneys listed above may be sent to: Netskope-Bitglass-PTABService@perkinscoie.com. A Power of Attorney for Petitioner is being filed concurrently.

III. REQUIREMENTS FOR POST-GRANT REVIEW

A. Grounds for standing

Petitioner certifies the ’671 patent, issued on December 1, 2020, is available for post-grant review and Petitioner is not barred or estopped from requesting a post-grant review of the challenged claims.

B. Overview of challenge and relief requested

Petitioner respectfully requests cancellation of the challenged claims of the ’671 patent under 35 U.S.C. § 103 and/or 35 U.S.C. § 112.

1. Identification of prior art

Petitioner relies on the references listed in the Table of Exhibits, including:

    U.S. Patent 9,137,131 B1 (“Sarukkai”).
    U.S. Patent Application Publication 2008/0189778 A1 (“Rowley”).
    U.S. Patent Application Publication 2012/0008786 A1 (“Cronk”).
    U.S. Patent Application Publication 2012/0278872 A1 (“Woelfel”).
    U.S. Patent Application Publication 2016/0087970 A1 (“Kahol”).
    U.S. Patent Application Publication 2015/0200924 A1 (“Parla”).
    U.S. Patent Application Publication No. 2015/0319156 (“Guccione”) [1].
    PCT Publication No. WO 2005/069823 (“Song”).

All references are prior art under 35 U.S.C. §§ 102(a)(1) or 102(a)(2) with respect to the challenged claims.

Petitioner also relies on the expert declaration of Dr. Michael Franz (“Franz”).

2. Grounds for challenge and challenged claims

Ground  Basis  Reference(s)                      Challenged Claims
1       § 103  Sarukkai and Rowley               1-2, 4-5, 9-10, 12-13
2       § 103  Sarukkai, Rowley, and Song        6, 14
3       § 103  Sarukkai, Rowley, and Guccione    7, 15
4       § 103  Cronk and Woelfel                 1-2, 4-5, 9-10, 12-13
5       § 103  Cronk, Woelfel, and Song          6, 14
6       § 103  Cronk, Woelfel, and Guccione      7, 15
7       § 103  Kahol and Parla                   1-2, 4-5, 8-10, 12-13, 16
8       § 112  N/A                               7-8, 15-16

[1] Guccione additionally qualifies as prior art based on the filing date of two provisional applications in its priority chain; the portions of Guccione used in this Petition have identical disclosures in Guccione’s PCT, and two provisional applications, which also support Guccione’s claim 14. (See PCT, Claim 14, Fig. 1, ¶¶ 4-5, 22, 33, 37-38; ’354 Provisional, Fig. 1, ¶¶ 3-4, 25-26, 29; ’407 Provisional, Fig. 1, ¶¶ 3-4, 22-23, 26.)

IV. TECHNOLOGY DESCRIPTION

A. Overview

1. Single Sign-On

Single sign-on (“SSO”) describes a scheme in which a user signs on once in order to gain access to various resources. For example, a user logs in once to gain access to a suite of applications (e.g., word processing, email), rather than logging in each time the user requests access to an application. An aspect of SSO is having a central party that authenticates users. (Franz, ¶¶ 34-43.)

The concept of using a central party to authenticate a user has been around since at least the mid-1980’s and has evolved since then. (Franz, ¶ 34.) In the 1990’s, standards were developed to define specific protocols for enabling SSO, like Lightweight Directory Access Protocol in the early 1990’s and Microsoft Active Directory, which was released with Windows 2000 Server Edition. (Id.) Early SSO technologies were typically deployed within an organization so users in the organization could access organizational resources using an organization-wide “digital identity.” (Id.)

With the rise of web-based services in the early 2000’s, SSO schemes began to broaden the concept of a “digital identity”. (Id., ¶ 35.) The goal was to create a “federated” architecture that enabled a user’s credentials to be trusted across multiple service providers. (Id.) A service provider would not need to create a separate trusted identity for each of its users; rather, it would rely on a trust relationship with another organization and would accept the other organization’s users if the other organization vouches for them. (Id.) This well-known architecture, referred to as “single sign-on,” allows for a user’s digital identity to be used across several independent services, using a variety of identity providers (IdPs). (Franz, ¶ 36.)

To facilitate SSO, the industry developed a standard for authentication: Security Assertion Markup Language (SAML). (Id., ¶ 39.) First standardized in 2002, SAML is an XML-based markup language that defines a protocol for exchanging authentication and authorization data between parties in SSO protocols. (Id.) SAML uses an “assertion” as a standardized way for exchanging information between different entities. (Id., ¶ 40.) SAML has been implemented in broader SSO architectures, including the very widespread open-source Shibboleth SSO architecture that was first released in 2003. (Id., ¶¶ 38-39.) Other identity standards have been released over the years; for example, OpenID was first released in 2005 and OAuth was first released in 2010. (Id.)

More recently, web-based services have taken these well-known concepts and applied them so users can sign in using another portal that can authenticate the user (e.g., “sign in with Facebook”). (Id., ¶ 36.) The ability to “sign in with Facebook,” for example, has been around for roughly a decade. (Id.) If a user elects to sign in using Facebook (i.e., the IdP), the web-based service delegates provision of credentials to Facebook. (Id.) The web-service provider and the IdP have a trust relationship, so the service provider grants a user access to the resource if verified by the IdP. (Id.; see also id., ¶ 43.)

There are different ways to implement a SAML-based sign-on. In some configurations, there is no proxy between the service provider and IdP. This configuration is typically used when there are few IdPs and the service provider wants more control over traffic. (Id., ¶ 41.) In other configurations, a SAML IdP proxy may be inserted between the service provider and IdP when there are many IdPs used by many service providers. (Id., ¶ 42.)

2. Proxy Servers, URL Rewriting, and HTTP Redirects

A proxy server generally refers to a software program running on hardware that intermediates traffic between devices. (Id., ¶ 44.) Historically, proxy servers have come in two different forms, depending on whether the proxy bundled client communications or server communications. (Id., ¶ 45.) In one form—known as a “proxy server”—multiple client computers were bundled and proxied at a gateway point, as shown below. (Id.)

[Figure: user devices, proxy / gateway, Internet]

In the other form—known as a “reverse proxy”—several server computers were concentrated and proxied. (Id.) This second form was typically used to distribute incoming requests among multiple servers, known as load balancing. (Id.) Figure 2 (below) shows an exemplary “reverse proxy.”

[Figure 2: Internet, reverse proxy, servers]

In modern parlance, the term “proxy” can be used for both kinds of traffic multiplexers. (Id.)

Today, proxies are ubiquitous. (Id., ¶ 47.) Most content distributed on the internet, for example, comes from servers in content delivery networks (CDNs). (Id.) When a subscriber watches a movie on a streaming platform, the video is often sent from a local CDN server that sits closer to the user. (Id.)

To substitute the proxy for the server to which the request was sent, HTTP redirects and URL rewriting would be used. (Id., ¶ 48.) For example, a user in Orange County, California might request the URL http://mystreamingplatform.com/mymovie. The proxy operated by mystreamingplatform.com would receive and rewrite that URL into http://occalifornia.akamai.net/mystreamingplatform/mymovie and redirect the user to the new Akamai URL. Thereafter, the stream would be served by Akamai’s Orange County-based servers instead of a server at the streaming platform’s distant location. (Id.)

Another form of proxy known since at least 1998 was the “application proxy,” which has been used to describe a firewall at the application layer. (Id., ¶ 46.)

3. “Man-in-the-Middle”

a. “Man-in-the-Middle” Attacks

Although SSO schemes provide convenience and security, they can be exploited through a “man-in-the-middle” attack. (Franz, ¶ 50.) In such an attack, a malicious party intercepts a user’s credentials; for example, the malicious party may occupy a proxy residing between a client and IdP and impersonate the IdP. (Id.) Once the malicious party receives the user’s credentials, it can impersonate the user, eavesdrop on communications, and/or modify data. (Id.) “Man-in-the-middle” attacks have been around since at least the early 2000’s and have even been the subject of academic scrutiny since SSO systems were first proposed. (Id.)

Bitglass itself has recognized this well-known problem and explained how industry standards addressed it. (Ex. 1012.) In a 2015 blog post entitled “How to Patent a Phishing Attack” and authored by Bitglass inventor and CEO Mr. Kausik, Bitglass criticized the system described in Sarukkai. (Id.) Bitglass explained that “[a] key security aspect of the SAML standard is that a user only enters his password into a trusted identity provider.” (Id.) Yet Sarukkai disclosed an invention in which “a user [] enter[ed] his password into a proxy, which then passe[d] the credentials on to the identity provider.” This scheme, according to Bitglass, broke “the security of the SAML standard via what is essentially a phishing attack.” (Id.) Bitglass even noted that proxy phishing had caused several high-profile security breaches. (Id.) Bitglass remarked that, while some companies had taken steps to prevent users from entering credentials into proxies, “all bets [were] off if a customer explicity [sic] purchase[d] a product embodying the invention of [Sarukkai] thereby authorizing phishing attacks on his own users.” (Id.) Although Bitglass was aware of Sarukkai years before filing the application for the ’671 patent, it never disclosed Sarukkai to the USPTO during prosecution of the ’671 patent.

b. Using Proxies and URL Rewriting to Improve Security

Proxies can also improve SSO schemes. (Franz, ¶¶ 51-52.) Legitimate cloud-based security services operating as proxies are similar to “man-in-the-middle” attacks, but the main difference is that, in the former case, a friendly party is intercepting the communication. (Id., ¶¶ 52-53.)

Since cloud-based security services traditionally sit between a private network and the Internet, the concept of “man-in-the-middle” also applies to traditional proxies and firewalls. (Id., ¶ 54.) For example, U.S. Patent 8,214,635 (2006) to Wang described a scheme that “splits” an encrypted tunnel between a client and a server at the proxy, creating two encrypted pipes: one between the client and the proxy and another between the proxy and the server. (Id.) This allowed the proxy to inspect and modify the traffic passing through it without compromising security. (Id.)

The proliferation of mobile devices also drove development of proxies. When mobile devices roam outside of an enterprise network, they might still require access to data inside of the network or the enterprise may need to maintain control over data. (Id., ¶ 55.) Consequently, a proxy server may be used to connect a roaming device to the corporate network. (Id.) These systems may use URL rewriting to translate data between secure, external communications and insecure, internal communications. (Id.) The move from a traditional proxy at the gateway between networks to a cloud-based solution has facilitated the “security as a service” paradigm that we see today. (Id., ¶¶ 51, 56.)

In addition, URL rewriting at a proxy to inspect and modify internet traffic has been around for decades. (Id., ¶ 49.) For example, U.S. Patent 6,052,730 to Felciano (2000) described a technique in which a gateway server modified URLs to other servers contained within requested documents so the URLs point to the gateway server instead. (Id.) Interposing a proxy to watch users’ activities and/or provide monitoring and oversight can be accomplished in different ways, including using HTTP redirects. (Id., ¶ 57.)
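
The gateway-style rewriting described above (URLs inside a requested document are rewritten to point at the gateway, which later maps them back to the origin), as an added example that is not code from the petition or from any cited reference. The host names, the allowlist and the encoding of the origin host as the first path segment are assumptions made for illustration; origins are assumed to be served over HTTPS on the default port.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

GATEWAY_HOST = "gw.example.test"                             # hypothetical gateway
PROXIED_HOSTS = {"app.example.test", "files.example.test"}   # constructed allowlist


def to_gateway(url, base):
    """Rewrite a link found in a document so it points at the gateway.

    The origin host becomes the first path segment. Links to hosts outside
    the allowlist, and non-HTTP schemes, are returned unchanged.
    """
    parts = urlsplit(urljoin(base, url))
    if parts.scheme not in ("http", "https") or parts.hostname not in PROXIED_HOSTS:
        return url
    path = "/" + parts.hostname + parts.path
    return urlunsplit(("https", GATEWAY_HOST, path, parts.query, parts.fragment))


def from_gateway(url):
    """Map a gateway URL back to its origin; None if the target is not allowlisted.

    Refusing unknown hosts keeps the gateway from acting as an open proxy.
    """
    parts = urlsplit(url)
    if parts.hostname != GATEWAY_HOST:
        return None
    host, _, rest = parts.path.lstrip("/").partition("/")
    if host not in PROXIED_HOSTS:
        return None
    return urlunsplit(("https", host, "/" + rest, parts.query, parts.fragment))


class LinkRewriter(HTMLParser):
    """Re-emit an HTML document with URL-bearing attributes sent via the gateway."""

    URL_ATTRS = {"href", "src", "action"}

    def __init__(self, base):
        super().__init__(convert_charrefs=False)
        self.base = base
        self.out = []

    def _tag(self, tag, attrs, close=""):
        rendered = [tag]
        for name, value in attrs:
            if value is None:                 # boolean attribute, e.g. "disabled"
                rendered.append(name)
                continue
            if name in self.URL_ATTRS:
                value = to_gateway(value, self.base)
            rendered.append('%s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<" + " ".join(rendered) + close + ">")

    def handle_starttag(self, tag, attrs):
        self._tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._tag(tag, attrs, " /")

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        self.out.append("<!--%s-->" % data)

    def handle_decl(self, decl):
        self.out.append("<!%s>" % decl)


def rewrite_document(document, base):
    """Return the document with every proxied link rewritten to the gateway."""
    parser = LinkRewriter(base)
    parser.feed(document)
    parser.close()
    return "".join(parser.out)


# Constructed sample page served by app.example.test.
SAMPLE = ('<p><a href="/docs/q3.pdf">report</a> '
          '<a href="https://files.example.test/a?b=1&amp;c=2">file</a> '
          '<a href="https://other.example.org/">external</a></p>')

if __name__ == "__main__":
    print(rewrite_document(SAMPLE, "https://app.example.test/home"))
```
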

Proxies and cloud-based security services have also long been used as “control intermediaries” to monitor network and server performance and redirect clients. (Id., ¶ 58.)

B. ’671 Patent Overview

1. The Alleged Invention

The ’671 Patent concerns “data security, and in particular, to securing data on client devices external to corporate infrastructures.” (’671 Patent, 1:21-23.) It describes a patchwork of various, disparate alleged embodiments; for example, a “remote wipe” of data on a mobile device (id., 3:31-5:62), proxy routing (id., 5:63-7:62), data tracking and watermarking (id., 8:12-9:26), and browser cache management (id., 9:27-50). This petition concerns the proxy routing embodiment that is the focus of the challenged claims.

One arrangement for proxy routing, i.e., using a proxy to manage access to an application, is discussed in Figure 11 (annotated below). Figure 11 includes five entities: a user agent 1103; an application provider 1101; an application proxy 1102; an IdP 1105; and a SAML proxy 1104. (Id., 6:48-7:42, Fig. 11.) The user agent requests access to a resource at the application provider (step 1106), but is redirected to the SAML proxy (steps 1107-1108), and from there redirected to the IdP (steps 1109, 1110). (Id., 7:8-17.) The IdP then validates the user agent’s single sign-on request. (Id., 7:17-19.) The IdP then redirects the user agent back to the SAML proxy with an assertion (steps 1111-1112), which creates another assertion and redirects the user agent with the new assertion to the application proxy (steps 1113, 1114). (Id., 7:17-23.) The user agent forwards the assertion to the application proxy (step 1114), which forwards it to the application provider (step 1115). (Id., 7:24-27.) The application provider sends the target resource URL to the application proxy (step 1116), which rewrites it to redirect to the application proxy, and forwards that rewritten URL to the user agent (step 1117). (Id., 7:27-34.) The user agent subsequently accesses the application provider via the application proxy (steps 1118-1120). (Id., 7:35-42.)

[Figure 11 of the ’671 patent, annotated]
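
The Figure 11 message flow described above, modeled as an added example; it is not code from the patent or the petition. Host names, keys, the user store and the HMAC tag that stands in for a SAML XML signature are assumptions, and the login hop to the IdP carries no step number because the page gives none.

```python
import hashlib
import hmac
import json

# Hypothetical hosts and constructed keys/users; none come from the patent.
APP = "https://app.example.test"
APP_PROXY = "https://appproxy.example.test"
SAML_PROXY = "https://samlproxy.example.test"
IDP = "https://idp.example.test"
IDP_KEY = b"constructed-idp-key"
SAML_PROXY_KEY = b"constructed-saml-proxy-key"
USERS = {"alice": "correct horse"}


def sign(key, claims):
    """Issue an assertion: claims plus an HMAC tag (stand-in for an XML signature)."""
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify(key, assertion, audience):
    """Accept an assertion only if its tag matches and it was issued for this party."""
    body = json.dumps(assertion["claims"], sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, assertion["sig"]) and assertion["claims"].get("aud") == audience


def idp_authenticate(username, password):
    """IdP validates the sign-on request and issues an assertion for the SAML proxy."""
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    return sign(IDP_KEY, {"sub": username, "iss": IDP, "aud": SAML_PROXY})


def saml_proxy_reissue(idp_assertion):
    """SAML proxy checks the IdP assertion, then creates a new one for the application."""
    if idp_assertion is None or not verify(IDP_KEY, idp_assertion, SAML_PROXY):
        return None
    claims = {"sub": idp_assertion["claims"]["sub"], "iss": SAML_PROXY, "aud": APP}
    return sign(SAML_PROXY_KEY, claims)


def app_provider_accept(assertion, resource):
    """Application provider trusts only the SAML proxy; returns the target resource URL."""
    if assertion is None or not verify(SAML_PROXY_KEY, assertion, APP):
        return None
    return APP + resource


def app_proxy_rewrite(url):
    """Application proxy rewrites the provider URL so later requests pass through it."""
    if not url.startswith(APP + "/"):
        raise ValueError("not an application provider URL")
    return APP_PROXY + url[len(APP):]


def run_flow(username, password, resource="/mail/inbox"):
    """Walk the Figure 11 steps; returns (trace, rewritten URL or None on failure)."""
    trace = []

    def hop(step, src, dst, carries):
        trace.append({"step": step, "from": src, "to": dst, "carries": carries})

    hop(1106, "user agent", "application provider", "request")
    hop(1108, "user agent", "SAML proxy", "request")           # redirect, steps 1107-1108
    hop(1110, "user agent", "IdP", "request")                  # redirect, steps 1109-1110
    hop(None, "user agent", "IdP", "credentials")              # login at the IdP (assumed)
    idp_assertion = idp_authenticate(username, password)
    if idp_assertion is None:
        return trace, None
    hop(1112, "user agent", "SAML proxy", "assertion")         # redirect, steps 1111-1112
    proxy_assertion = saml_proxy_reissue(idp_assertion)
    hop(1114, "user agent", "application proxy", "assertion")  # redirect, steps 1113-1114
    hop(1115, "application proxy", "application provider", "assertion")
    target = app_provider_accept(proxy_assertion, resource)    # step 1116
    if target is None:
        return trace, None
    rewritten = app_proxy_rewrite(target)
    hop(1117, "application proxy", "user agent", "rewritten URL")
    return trace, rewritten


def credential_recipients(trace):
    """Audit a trace: which parties were ever sent the user's credentials?"""
    return {h["to"] for h in trace if h["carries"] == "credentials"}


if __name__ == "__main__":
    flow, url = run_flow("alice", "correct horse")
    print(url, credential_recipients(flow))
```

The audit function expresses the SAML property quoted earlier in the petition: in a conforming trace the only recipient of credentials is the IdP, and neither proxy appears in that set.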

The ’671 patent also includes an embodiment for proxy routing, shown in Figure 3B, that is distinct from Figure 11 and describes a proxy routing scheme typically used for an internal enterprise network. The architecture does not use an IdP; rather, it uses a distinct component known as a centralized directory. Nor does the embodiment describe a “single sign-on” scheme or use an “assertion” for authenticating a user. Figure 3B describes an LDAP/ActiveDirectory scheme. The ’671 patent refers to them as separate embodiments. (’671 patent, 2:7-8, 2:26-27, 6:27, 6:48; Franz, ¶¶ 60-64, 383-84.)

2. Prosecution history

The claims in the application for the ’671 patent were allowed after a non-final office action and an examiner’s amendment. Specifically, the claims were rejected for nonstatutory obviousness-type double patenting and obviousness over U.S. Patent Application Publication No. 2007/0101440 to Bhatia and U.S. Patent Application No. 2012/0293597 to Shipon. (Ex. 1003, 91-93.) In response, applicant filed a terminal disclaimer over U.S. Patent No. 10,757,090 and amended the claims to recite “the device thereafter communicates with the application program via a URL rewritten to go through the application proxy server, the URL originally addressed to the application program” (emphasis in original showing features added; deleted features omitted). (See id., 56-57, 75.) Applicant also added claims 21-26, which issued as claims 7, 8, 15, 16, 19, and 20. (Id., 81-82.)

After the response, the examiner incorporated a limitation from a dependent claim into the independent claims (i.e., “wherein the user device sends a request for access to the cloud-based application program to an application server and receives the cloud network location of the identity provider from the application server”), made minor amendments for consistency and antecedent basis, and then allowed the claims. (See id., 8-20.)

3. Priority Date

The ’671 Patent issued from U.S. Patent Application No. 16/876,163 filed on May 18, 2020. The ’671 patent claims priority to U.S. Patent Application No. 14/954,989, filed on Nov. 30, 2015. But the challenged claims lack support in the ’989 application because, inter alia, the ’989 application does not disclose an SSO system without a SAML proxy or how to make such a system. Yet, the claims of the ’671 patent recite an SSO system that does not have a SAML proxy. Therefore, the challenged claims are entitled to a priority date of no earlier than May 18, 2020, the date on which the application for the ’671 patent was filed.

For a later-filed application to claim priority to an earlier-filed application, “the disclosure of the prior-filed application must provide adequate support and enablement for the claimed subject matter of the later-filed application in compliance with the requirements of 3
