Patent 6317838

Obviousness

Combinations of prior art that suggest the claimed invention would have been obvious under 35 U.S.C. § 103.

Active provider: Google · gemini-2.5-flash


Obviousness Analysis of US Patent 6317838 under 35 U.S.C. § 103

A person having ordinary skill in the art (PHOSITA) in 1998, working in network security and remote access systems, would have been motivated to combine various known techniques to achieve the functionalities described in US patent 6317838. The patent's claims, particularly independent claims 1 and 8, which describe a method and architecture for secured remote access to private resources through a firewall with centralized security means, Single Sign-On (SSO), and optionally One-Time Passwords (OTPs), appear to be an obvious combination of existing prior art.

Person Having Ordinary Skill in the Art (PHOSITA)

A PHOSITA in 1998 would possess knowledge of:

  • Network architectures, including Local Area Networks (LANs) and Wide Area Networks (WANs) like the Internet.
  • Security devices such as firewalls and proxy servers for network perimeter defense.
  • User authentication methods, including traditional password/login systems and more advanced token-based authentication like OTPs.
  • The concepts of access control, security profiles, and authorization.
  • The challenges of remote access over insecure networks (e.g., the Internet), including data interception and replay attacks.
  • The growing demand for user-friendly access to multiple network resources, prompting the development of solutions like Single Sign-On (SSO).

Combinations of Prior Art and Motivations

The claims of US6317838 can be rendered obvious by combining the following prior art references, with clear motivations for a PHOSITA to do so:

1. Combination of US5721908A (Firewall/Proxy) and US5944824A (Single Sign-On)

  • US5721908A (IBM): Teaches secure access to a WWW server over the Internet, employing a firewall and proxy servers to protect internal resources. This patent establishes the use of a firewall for external-to-internal network security.

  • US5944824A (MCI): Explicitly describes a "system and method for single sign-on to a plurality of network elements." This patent teaches the core functionality of SSO, allowing users to authenticate once and access multiple resources without re-entering credentials.

  • Motivation to Combine: A PHOSITA aiming to improve user experience and streamline access to multiple private resources protected by a firewall would be strongly motivated to integrate an SSO mechanism into a firewall-protected network. The background of US6317838 itself notes that existing SSO solutions were not always suitable for the unlimited number of users and dynamic nature of the Internet, or that users still had to remember many authentication details. By combining the firewall protection of US5721908A with the SSO functionality of US5944824A, a PHOSITA would create a system where remote users could securely access multiple internal resources behind a firewall with a single initial authentication. This combination directly addresses the problem of managing multiple authentication data for successive resource accesses, as noted in the US6317838 patent.

  • Obviousness of Claims 1, 2, 6, and 8:

    • Claim 1 (Method) and Claim 8 (Network Apparatus): The combined system would inherently involve a "digital data processing system protected by a firewall" (US5721908A), "security storing means" (required by SSO in US5944824A for user authentication data and access profiles), and "centralized security means able to filter remote access requests... and to fetch a security profile... and to provide said first private resource with security data" (a natural implementation of SSO within the firewall or a tightly coupled security module, consistent with centralized management objectives). The operational steps of opening a session, entering security data, authenticating, and then providing access to a resource based on a security profile are directly covered by the integration of SSO with a firewall.
    • Claim 2 (Subsequent access with same security data) and Claim 6 (Security profiles and single authentication): These claims describe the core SSO functionality. US5944824A directly anticipates this, showing a system for "single sign-on to a plurality of network elements." Integrating this functionality into the firewall-controlled access (US5721908A) is a straightforward application.

2. Combination of US5721908A (Firewall), US5944824A (Single Sign-On), and US5657388A (One-Time Passwords)

  • US5657388A (Security Dynamics Technologies, Inc.): This patent describes a security system (like "SecureID®") that uses a token to generate one-time passwords (OTPs) for accessing resources, preventing replay attacks. The US6317838 patent itself refers to this as known prior art for OTP technologies.

  • US5491752A (Digital Equipment Corporation): Describes a system to increase the difficulty of password guessing using authentication tokens and time-varying authentication information (OTPs).

  • Motivation to Combine: Even with an SSO system behind a firewall, the initial authentication using static passwords remains vulnerable to interception and replay attacks, especially over an insecure network like the Internet. US6317838 itself highlights this vulnerability with Figure 3 and the accompanying description of an unauthorized user intercepting SSO data. A PHOSITA, recognizing these inherent insecurities and seeking to significantly strengthen the initial authentication step for the combined Firewall+SSO system, would be highly motivated to incorporate a robust, known authentication method like One-Time Passwords (OTPs), as taught by US5657388A and US5491752A. The motivation is to enhance security without sacrificing the user convenience of SSO for subsequent resource access.

  • Obviousness of Claims 7 and 14:

    • Claim 7 (One-time password using Hash function and time-dependent word): US5657388A and US5491752A clearly describe the generation of one-time passwords using cryptographic techniques, often involving a secret and a time component, which would naturally employ a hash function.
    • Claim 14 (User terminal device to generate OTPs, digital data processing system device to decode OTPs): US5657388A describes a system with a user-side token for generating OTPs and a server-side component for decoding and authenticating these OTPs, involving synchronized time signals and shared secrets. Integrating this known OTP technology into the initial authentication phase of the centralized firewall security means (from combination 1) is a straightforward application of a known security enhancement.

3. Other Dependent Claims

  • Claim 3 (Remote user through Internet) and Claim 4 (Internet application protocol with authentication notion): The combined references already implicitly or explicitly deal with Internet access and application protocols. US5721908A specifically mentions "WWW server data access over internet." The nature of the Internet as an "insecure network" (as noted in US6317838) is a foundational motivation for all these security measures.
  • Claim 5 (Password and log-in): This is a universally known authentication mechanism present in virtually all prior art related to user access.
  • Claim 13 (Firewall comprises proxy devices): US5721908A explicitly teaches the use of "proxy servers" within a firewall for secure access.

Conclusion

The core inventive concepts of US patent 6317838—namely, a method and architecture for secure remote access to private resources behind a firewall, incorporating centralized security, Single Sign-On, and One-Time Passwords—are rendered obvious by the combination of the cited prior art. A PHOSITA, driven by the desire to enhance both security and user convenience for remote network access, would have been motivated to combine these known elements in a predictable manner. The individual components (firewalls, SSO, OTPs) and the problems they solve were well-established, making their combination to achieve the claimed functionality an obvious design choice for improving network security and usability in the late 1990s.

Generated 5/29/2026, 6:02:29 PM