United States District Court, D. Massachusetts
STRIKEFORCE TECHNOLOGIES, INC.
GEMALTO, INC., ET AL. STRIKEFORCE TECHNOLOGIES, INC.
VASCO DATA SECURITY, INC.
MEMORANDUM AND ORDER ON PRE-DISCOVERY CLAIM
RICHARD G. STEARNS, UNITED STATES DISTRICT JUDGE.
In these intellectual property disputes, plaintiff StrikeForce
Technologies, Inc., asserts infringement claims of U.S.
Patents Nos. 8,484,698 (the '698 patent) and 8,713,701
(the '701 patent) against two sets of defendants:
Gemalto, Inc., Gemalto N.V., and SafeNet, Inc. (collectively
Gemalto); and Vasco Data Security, Inc. Given the similar
subject matter, the parties elected to consolidate pre-trial
proceedings. Accepting their proposal, the court bifurcated
the Markman hearing and agreed to undertake
pre-discovery claim construction of three groups of key
disputed terms. See Markman v. Westview Instruments,
Inc., 517 U.S. 370 (1996). The court received tutorials
in the underlying technology and heard argument on August 30,
The '698 and '701 patents are entitled
“Multichannel Device Utilizing a Centralized
Out-of-Band Authentication System (COBAS).” Both
patents list Ram Pemmaraju as the sole inventor. The '698
patent was issued on July 9, 2013. The '701 patent was
issued on April 29, 2014.
The '701 patent's application is a continuation of the
application that led to the issuance of the '698
patent. Both patents are directed to “[a]
multichannel security system . . . for granting and denying
access to a host computer in response to a demand from an
access-seeking individual and computer.” '698
patent, Abstract. According to the inventor, at the time of
the invention, computer security “access control
products authenticate[d] only the user and not the
location.” Id. col. 2, ll. 40-41.
Typically, access-control security products [such as simple
password, random password, and biometric systems] are in-band
authentication systems with the data and the authentication
information on the same network. Thus, upon accessing a
computer, a computer prompt requests that you enter your
password and, upon clearance, access is granted. In this
example, all information exchanged is on the same network or
in-band. The technical problem created thereby is that the
hacker is in a self-authenticating environment.
Id. col. 2, ll. 31-36. Dialing back to the
originating modem was a feasible means of location
verification when computer networks could be accessed only
through modems. See id. col. 2, ll. 42-45. However,
today's computer networks are typically accessible by
modem-independent internet connections and “there is no
necessary connection between the internet address and a
location.” Id. col. 2, ll. 46-53.
The asserted patents address the perceived security weakness
through a “unique combination of user and host
authentication.” Id. col. 4, ll. 34-35.
The security system of the present invention is out-of-band
with respect to the host computer and is configured to
intercept requests for access. The first step in controlling
the incoming access flow is a user authentication provided in
response to prompts for a user identification and password.
After verification at the security system, the system
operating in an out-of-band mode, uses telephone dialup for
location authentication and user authentication via a
password entered using a telephone keypad.
Id. col. 4, ll. 34-42. Figure 1A, reproduced below,
exemplifies an embodiment of the invention in a wide area
network (WAN) environment.
the accessor is the computer equipment 22, including the
central processing unit and the operating system thereof, and
the person or user 24 whose voice is transmittable by the
telephone 26 over telephone lines 28. The access network 30
is constructed in such a manner that, when user 24 requests
access to a web page 32 located at a host computer or web
server 34 through computer 22, the request-for-access is
diverted by a router 36 internal to the corporate network 38
to an out-of-band security network 40. Authentication occurs
in the out-of-band security network 40.
Id. col. 6, ll. 33-43.
The patents also disclose embodiments in local area network (LAN)
and internet settings. The second embodiment is
“applied to the intranet in which an internal accessor
in a local area network seeks entry into a restricted portion
of the host system.” Id. col. 5, ll. 46-48.
The access network 230 is constructed in such a manner that,
when user 224 requests access to a high security database 232
located at a host computer 234 through computer 222, the
request-for-access is diverted by a router 236 internal to
the corporate network 238 to an out-of-band security network
240. Here the emphasis is upon right-to-know classifications
within an organization rather than on avoiding entry by
Id. col. 12, ll. 43-50; see also Fig. 10.
“Th[e third] embodiment describes the application of
the security system to access over the Internet.”
Id. col. 12, ll. 65-67.
The [is the] case of [a] user accessing a web application,
such as an online banking application, (located on a web
server 334) over the internet 330. The user from a computer
322 accesses the web application over an access channel and
enters their USER ID. The web server 334 sends the
USER ID to the security system 340, also referred to as the
centralized out-of-band authentication system (COBAS). COBAS
340 proceeds with authenticating the user through the
user's cellular telephone over an authentication channel.
The security system 340 calls the access-seeking user at the
cellular telephone 326. The user answers the phone and is
prompted to enter a password for password verification and to
enter a biometric identifier, such as a fingerprint. The
security system 340 authenticates the user and sends the
result to the web server 334. Upon a positive authentication
and after disconnecting from the authentication channel,
access is granted along the access channel to the USER'S
PC device 322.
Id. col. 13, ll. 7-23; see also Fig.
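The Internet embodiment quoted above, and the claim 1 steps it corresponds to, modelled as an added example that is not part of the opinion or of the patents: the web server on the access channel forwards only the USER ID to the security system, which calls the enrolled telephone on a separate authentication channel, compares the password and biometric against predetermined data, disconnects, and only then sends a grant or deny instruction back to the host. The enrollment record, the telephone number and the digest-based storage of the predetermined data are assumptions.

```python
import hashlib
import hmac

def digest(secret: str) -> bytes:
    # Enrollment keeps only digests of the keypad password and fingerprint template (assumption).
    return hashlib.sha256(secret.encode()).digest()

class SecuritySystem:
    """COBAS 340: the security computer on the second (authentication) channel."""
    def __init__(self, enrolled):
        self.enrolled = enrolled        # USER ID -> (cellular number, password digest, fingerprint digest)
        self.auth_channel = []          # constructed trace of the telephone channel

    def authenticate(self, user_id, answer_phone):
        """Call the enrolled phone, prompt for password and biometric, compare with predetermined data."""
        record = self.enrolled.get(user_id)
        if record is None:
            return "deny"
        phone, pw_digest, fp_digest = record
        self.auth_channel.append(f"call {phone}")
        replies = answer_phone(phone)           # None when whoever holds the phone does not answer
        self.auth_channel.append("disconnect")  # channel closed before any instruction leaves COBAS
        if replies is None:
            return "deny"
        password, fingerprint = replies
        ok = (hmac.compare_digest(digest(password), pw_digest)
              and hmac.compare_digest(digest(fingerprint), fp_digest))
        return "grant" if ok else "deny"

def web_server_login(cobas, access_channel, user_id, answer_phone):
    """Host computer 334 on the first (access) channel: it sees only the USER ID and the instruction."""
    access_channel.append(f"USER ID {user_id}")
    instruction = cobas.authenticate(user_id, answer_phone)
    access_channel.append(instruction)
    return instruction

def demo():
    # Constructed enrollment for one user; the values are not from the patent.
    cobas = SecuritySystem({"alice": ("+1-555-0100", digest("4711"), digest("fp-template-A"))})
    access_channel = []
    # Legitimate user: the call reaches her cellular telephone and she answers both prompts.
    legit = web_server_login(cobas, access_channel, "alice", lambda phone: ("4711", "fp-template-A"))
    # In-band observer who captured the access channel: knows the USER ID, cannot answer the phone.
    observer = web_server_login(cobas, access_channel, "alice", lambda phone: None)
    # A wrong password entered on the phone is likewise rejected.
    wrong = web_server_login(cobas, access_channel, "alice", lambda phone: ("0000", "fp-template-A"))
    # The password never crosses the access channel, so in-band capture yields nothing reusable.
    leaked = any("4711" in m for m in access_channel)
    return legit, observer, wrong, leaked, cobas.auth_channel
```

The trace returned by demo() shows why the patent calls this out of band: the access channel carries only the USER ID and the final instruction, while every secret is exchanged and the call is torn down on the telephone channel.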
Claim 1 of each asserted patent is emblematic.
patent claim 1.
A software method for employing a multichannel security
system to control access to a computer, comprising the
receiving at an interception device in a first
channel a login identification demand to access a
host computer also in the first channel;
verifying the login identification;
receiving at a security computer in a second channel
the demand for access and the login identification;
outputting from the security computer a prompt requesting
transmission of data;
receiving the transmitted data at the security computer;
comparing the transmitted data to predetermined data; and
depending on the comparison of the transmitted and the
predetermined data, outputting an instruction from the
security computer to the host computer to grant