T 1121/10 (Secure transactions/FUJITSU) 26-03-2014

1. Article 13 (1) RPBA provides that any amendment to a party's case after it has filed its grounds of appeal may be admitted and considered at the board's discre­tion, which will be exercised in view of inter alia the com­plexity of the new subject matter submitted, the current state of the proceedings and the need for pro­ce­­dural economy. The new main and auxiliary requests were amended in response to the board's clarity objections set out in the annex to the summons to oral pro­ceedings. The board is satisfied that the amendments do not introduce matter going beyond the contents of the application documents as originally filed, do not in­tro­duce any complex new issue nor, in fact, change sub­stantially the issues to be addressed under inven­tive step. The board therefore exercises its discretion accorded to it under Article 13 (1) RPBA and admits both requests.

The invention

2. The application generally concerns the safety of compu­ting transactions, in particular of electronic commerce transactions initiated from a ­­mobile tele­phone. The claims refer more generally to an "infor­ma­tion pro­cessing apparatus" which, as the description states, could also be any PC, fax machine, refrigerator or micro­­wave oven (see original application, p. 1, lines 16-21).

2.1 When the "information processing apparatus" has initi­a­ted the "transaction" (e.g. by a customer pressing a BUY button on the web page of an online shop, see fig. 6 and p. 45, lines 8-23), a "safety judg­ment sub­rou­tine" is entered which checks a number of "creden­tials" be­fore the transaction is cleared. This safety judgment sub­routine involves three devices: An "infor­ma­tion pro­cessing apparatus for pro­­cessing a trans­action" (e.g. the mobile telephone), a "first authen­tication appa­­ra­tus (or "safety judgment center", see fig. 1) and a "se­­cond authentication server" (or "cer­ti­­ficate autho­ri­ty", see fig. 1).

2.2 The safety judgment subroutine validates three diffe­rent credentials relating to the information processing apparatus or its user: Bio­me­tric information of the user, a certificate authenticating a public key, and the "safety posture" of the apparatus. When the bio­metrics and the certificate are validated and the safe­ty posture is verified to be high enough in view of "the degree of security of the transaction infor­ma­tion" (e.g. the higher the value of a transaction the higher the required security level) the safety test is determined to be successful and the transaction is cleared. "Trans­action informa­tion", typically compri­sing "order information" such as price and product in­for­mation, will then be transmitted to the shop compu­ter (see fig. 12, no. 122).

2.3 The biometric measurement of the user is made at the information processing apparatus: Typically a finger­print is taken, but alternatives are also disclosed (see p. 37, lines 6- 19). This data is verified (for be­ing "pro­per") by the infor­ma­tion processing apparatus or either of the authenti­ca­tion apparatus (compare claim 1). Then, also at the infor­ma­tion processing appa­ratus, "environment informa­tion" is "collected". This in­formation relates to the information processing apparatus (device name and version), peripheral equip­ment connected to it ­and to software installed on it. The environment in­formation is used to assess, at the "first au­then­­tication appa­ratus", the security level of the first appara­tus.

2.4 The transaction information (e.g. the order and payment information) is digitally signed (encryp­ted) using the secret key issued to the information processing appara­tus. The first authen­tication apparatus validates the trans­action information by decrypting the signature with a public key issued to the information processing appar­atus. This public key is obtained from a certifi­cate signed by the second authentication apparatus, i.e. the cer­tification authority, which in turn is va­li­dated via the certification authority's public key.

The prior art

3. D4 discloses a network server establishing whether a workstation requesting a network service is a suffi­ciently "trusted" platform or not. Online shopping is not specifically mentioned. But in its background section, D4 discusses "Web sites" which "attempt to verify the security of the client host before allowing trans­actions from that host" and, more specifically, "bank­ing applications" (p. 3, lines 7-10). The net­work ser­ver makes the decision whe­ther to process the re­quest by the workstation "based on the user cre­den­tials and/or the workstation creden­tials" in view of a given "security policy" or which "level of network service" may alternatively "be supplied to the worksta­tion" (see p. 4, lines 25-29; p. 6, 1st par.).

3.1 When a workstation requests some service at a server, a "workstation assess­ment service" examines the worksta­tion so as to determine "actual or potential vul­­nera­bilites" or "security risks" of the workstation (see p. 11, lines 33-35; p. 12, lines 33-35; p. 15, lines 6-12). D4 does not disclose in details the "workstation cre­den­tials" on which this assessment are based, but gene­ral­ly refers to ­"work­­­station integrity information" and "work­sta­tion secu­ri­ty posture" (p. 9, line 1; p. 20, line 1). Based on this assess­ment, a "score" is compu­ted. In the system of D4, diffe­­­rent "le­vels of ser­vice" are defined, each re­qui­ring a mi­ni­mal such score. That is, in view of the se­cu­rity score, a reques­­ted level of service may not be gran­ted. Pro­posals may be made how to repair a detected vulne­ra­bi­li­ty and some­times a sui­table tool may be able do this automa­ti­cally (p. 15, lines 33-35; p. 8, lines 2-3).

3.2 After the workstation credentials the system assesses user credentials - as examples of which D4 discloses passwords, biometrics and smart cards (p. 2, lines 9-11 and last par.; p. 3, lines 1-2). D4 teaches that check­ing user credentials after successful checking work­sta­tion cre­den­tials has the benefit of reducing the risk that user credentials are sto­len (p. 13, lines 27-30).

3.3 This process is referred to as an "extend[ed] ... log-in process" (abstract and p. 7, lines 25-31). Accor­ding to the security assessment the network ser­vice decides whether to process the service request. Optio­nally, it may decide to provide a "degraded level of service" which is con­­sistent with the perceived security vul­ne­ra­bility of the workstation (see p. 4, 1st and pen­ult. par.; p. 6, 1st par.; p. 19, line 33 - p. 20, line 2).

Security posture

4. The disclosure of D4 crucially relies on the term "work­­­­­­station security posture" which is assessed on the basis of "workstation credentials" obtained, for in­stance, by "remotely examining" (or "scan[ning]") "the work­station", and evaluated against a "work­sta­tion se­cu­rity policy" (see e.g. p. 9, 1st par., p. 11, last par., p. 12, last four lines). D4 does not however de­fine any of these terms in detail. For the assessment of inventive step it is thus central how the skilled reader of D4 would ­have understood the term "security posture" at the priority date of the present applica­tion.

4.1 The appellant argued in the grounds of appeal that the "security posture" accor­ding to D4 is confined to "software capabilities" of the workstation and that the scan of the workstation for "vulnerability risks" which are "present at the workstation" (p. 15, line 11) has to be likened to a conventional virus scan. In support of this argument, the appellant refers to the fact that, accor­ding to D4, the "security risk assess­ment may be per­formed using a remote examination by a ser­ver" and that­ "it is envi­saged that the remote ser­ver by it­self may be able to repair the vulnerability of the work­station" (grounds of appeal, par. brid­ging pp. 3-4).

4.2 The board does not find the appellant's inter­pre­tation of D4 convincing. On the one hand, D4 discloses the possibility of automatic repair only as an option; elsewhere D4 discloses that the user is informed about actions he could take "to bring the host into compli­ance" (see p. 14, lines 19-26). In the board's judg­ment, this language does not exclude actions that re­late to peripheral de­vices. On the other hand, the board cannot see why the "remote examination" of a workstation could not produce information relating to peripheral devices either. Also the reference in D4 to a possible "misconfi­gu­r[a­tion]" (see p. 2, lines 27-28) does not appear to be limi­­ted to software.

4.3 The board thus concedes that D4 does not ex­plicitly dis­close that "security posture" of a work­station sub­sumes aspects of hardware and peripheral de­vices but at the same time does not accept the argument that this option is specifically excluded by the disclosure of D4.

4.4 The board further considers that the term "security pos­­ture" itself was an established one in the art well be­fore the priority date of the application. Security pos­ture in the compu­ting con­text was and is meant to subsume the totality of mea­sures taken by a company to secure their compu­ting sys­tems and networks, including non-technical ones re­la­ting to policies, procedures and controls, and tech­ni­cal ones relating to software and hardware. In the annex to the summons, this argument was put to the appellant who did not challenge it.

Inventive Step, Main request

5. The appellant argued during oral proceedings that D4 disclosed a negotiation to determine whether or not a user at a workstation was allowed to access a network ser­vice (see D4 p. 3, lines 16-18), whereas the inven­tion pre­supposed the network service to be available and was concerned with allowing or prohibiting a trans­action over the network. The board disagrees, conside­ring that the extended login procedure accor­ding to D4 - starting with a service request and ending, possibly, with the provision of some service - consti­tutes a trans­action in the sense of the claims and that the information de­fi­ning the ser­vice request qua­li­fies as "transaction information". The board accepts how­ever that the work­station assessment service according to D4 is provided by the network server which also pro­vides the requested network service, and, hence, that D4 does not dis­close the claimed separation be­tween the first authen­ti­cation apparatus and the shop computer.

6. The decision under appeal considered claim 1 to differ from D4 in requiring biometric information to be part of the user credentials. The board does not concede this difference, because biome­tric information is dis­closed in D4 as an example of user credentials (p. 2, lines 11-14 and p. 3, lines 1-2). The appellant argues that, according to D4, user credentials are authen­ti­ca­ted only after the vulnerability analysis of the work­station (p. 13, lines 27-30) whereas, according to the application, biometric information is authen­ticated be­fore the environment information (see e.g. figs. 34 and 37, nos. S343 and S372). Even though it seems ques­tion­able whether the claim language implies this order of steps, the board is satisfied that the de­scrip­­tion pro­vides basis for a potential clarifying amendment and thus, to the appellant's benefit, adopts the inter­pre­tation that it does.

7. Therefore, in the board's present view, claim 1 of the main re­quest differs from D4 by the following features.

i) D4 discloses that user credentials are authen­tic­a­ted before the workstation credentials while the in­ven­tion, in view of the description, implies the inverse order.

ii) D4 does not disclose a first authentication appa­ra­tus transmitting the transaction information to a separate "shop computer" after authentication.

iii) D4 does not disclose that transmitted information is digitally signed (via encryption and decryp­tion) nor the claimed transmission and­­ use of cer­ti­ficates provi­ding ­­the relevant keys.

iv) D4 does not disclose the environment information to include the specifically claimed items, that is de­vice name and version of the information pro­cess­ing appa­ra­tus, name and version of (operating system) software in­stalled on the information pro­cessing apparatus, and name and version of peri­phe­­ral equip­ment connected to it.

v) D4 discloses that the individual results of the "workstation assessment result set" are combined into an overall security score by means of some kind of cal­cu­lation (see p. 6, lines 1-7) but does not disclose the use of an "environment infor­ma­tion database storing environment conditions" mapping "multiple combinations of" environment conditions to a "degree of security of the trans­action information".

Differences iii) and iv) broadly correspond to the diffe­rences 2) and 3) as determined in the decision under appeal (see p. 4, last par. - p. 5, 1st par.).

Re. difference i)

8. The appellant argued that collecting the "environment in­formation" after authenticating the biometrics im­plied that the environment information had a better chance of being up-to-date.

8.1 In principle, the board concedes a safety judgment made on some environment information may become invalid if the environment information changes after it has been collected: For example, if an SD card was inserted into the requesting apparatus only after a transaction was cleared on the basis that it did not have any de­ta­chable storage device. However, the application does not discuss this advantage, neither in general nor by way of example, nor do the claims imply how up-to-date the "environment information" actually is when "collected" because they leave open details and fre­quency of this collection.

8.2 Moreover, checking the user credentials early also means that workstation cre­dentials need not be deter­mined, let alone checked, if the user credentials can­not be authenticated, which may be computationally advantageous and reduces the risk that workstation cre­den­tials are tampered with by an intruder.

8.3 The board considers that the skilled person would be aware of these­ respective advantages and disadvantages of the different orders of steps and would balance them routinely and ­­without exercising an inventive step.

Re. difference ii)

9. D4 discloses - or at least directly suggests - online banking as a possible application domain for the disclosed network service negotiation. In this context it would appear commonly known to use a Web server as the frontend to some legacy service running on a separate backend server. More generally, too, the board deems it to be obvious that a requested network service - or a part of it - may be provided on two separate computers.

Re. differences iii) and iv)

10. The board considers that the three kinds of credentials according to the invention serve different and rather independent purposes. The user authentication serves to protect the user against impersonation and is used to eventually confirm the user's wish to perform the trans­­action (e.g. buy the selected product). Digitally signing the transaction information protects the inte­grity of the transmitted data. And assessing the envi­ronment information protects the security of the trans­action. Each of these security measures may be dis­pensed with, if technical circumstances and the re­qui­red level of trust permit, without any impact on the other ones. In general terms, the board considers that the skilled person would, as a matter of course, con­sider the combination of several different security measures if this appears to be pro­mi­sing under the circumstances.

10.1 Re. difference iii) The board considers that the use of digital signatures was a commonly known way of certifying the origin of trans­mitted information which the skilled person would not hesitate to incorporate into the system of D4 as an additional security measure depending to circumstances. The use of certificates as claimed to provide and authenticate the relevant keys appears to be a standard feature of commonly known public key infra­structures. Hence, once the decision to use digi­tal signatures has been made the specifically claimed features relating to this certificate would have been obvi­ous for the skilled person, too.

10.2 Re. difference iv) In the board's view it will also depend on the circumstances which bits of "environment information" are relevant for assessing security of a given system. De­pen­ding, inter alia, on the kind of com­puter system being protected - its components, archi­­­­tecture, con­fi­gu­ration, etc. - and the threat against which the sys­tem is meant to be protected, it would be appa­rent for the skilled person which aspects of the "environ­ment" are responsible for a vulne­rabili­ty and which are therefore relevant to coun­teract a threat. From this perspective, the board con­siders that each of the listed bits of "environment in­for­mation" would, in general, have been obvious for the skilled person. In particular, the board considers it ob­vious for the skilled person that security of a given system may depend on the software installed on it (e.g. is the operating system still supported?" or "has the latest patch been installed?"), the peripherals connec­ted to it (e.g. "does the device have detachable sto­rage?"), or the device type (e.g. "does this device have a cryp­tographic processor"?).

Re. difference v)

11. The "metric" according to D4 is used to map the set of work­station parameters to a scalar score representing the workstation security. The board deems it to be ob­vi­ous that such a mapping may also be expressed in terms of rules mapping certain sets of parameters direct­­ly to a score. Whether an evaluation based on a met­ric such as that of D4 or a rule-based system as claimed is preferable will typically depend on the kind of "mapping" to be evaluated. The choice between them would have been obvious for the skilled person according to circumstances.

It is a non-technical issue that different levels of security are required depen­ding on the value of a transaction (see point 2.2 above) which follows, for instance, from the economic consideration that higher transaction values - and thus higher possible losses - warrant higher investments in security. There­fore the feature that the required level of security may vary with the "trans­action informa­tion", i.e. may depend on the "degree of security of the transaction informa­tion" (see point 2.2 above), does not, in the board's view, con­tribute to inventive step (see T 641/00, head­note 1). Incorporating such a de­pendency in either means for com­paring the security le­vel provided with the security level required would have been straight­forward to the skilled person, too.

12. Therefore, the board comes to the conclusion that in­dependent claim 1 of the main request lacks an inven­tive step over D4 and common knowledge in the art, Article 56 EPC 1973.

Inventive step, Auxiliary request

13. Claim 1 of the auxiliary request differs from that of the main request by requiring that "transaction infor­mation includ[e] product and price information", that an envi­ron­ment condition be read from the environ­ment information database "related to a class corres­pon­ding to the trans­mitted product information or price infor­ma­tion". This "class" apparently refers to the classi­fication "according to a degree of security" mentioned earlier in the claim in the context of the environment infor­ma­tion database and is therefore construed as "se­curity class". The board considers that the argu­ments made above (point 11) with respect to diffe­rence v) are suffi­cient to address these amend­ments and thus do not change the board's conclusion as to inventive step. Ra­ther, the board finds that also claim 1 of the auxilia­ry request lacks an inventive step, Article 56 EPC 1973.

14. There being no allowable request, the appeal must be dismissed.