The Opponent appealed against the decision of the Opposition Division (OD) to reject the opposition. The patent in question concerns secure communications, in particular the integrity and authentication of warning messages in systems such as a Public Warning System or an Earthquake and Tsunami Warning System. The appeal focused on the issue of inventive step.
Claim 1 as granted features an authentication method for a warning message [feature V.3.1] and was outlined by the Board as follows:
1. A method for use at a server, said method comprising:
(V.1) sending a certificate request to the certificate authority server of a certification authority, CA;
(V.2) receiving a certificate from the certificate authority server,
(V.2.1) the certificate including an identity of the server that owns a private key,
(V.2.2) a public key associated with the private key and
(V.2.3) a CA's signature that binds the identity and the public key;
(V.3) obtaining a broadcast message,
(V.3.1) the broadcast message is a warning message;
(V.4) computing a signature for said broadcast message using the private key associated with the certificate;
(V.5) sending a single transmission to a communication device,
(V.5.1) said single transmission comprising said signature, said broadcast message and the certificate,
(V.6) the certificate includes the public key associated with the private key,
(V.6.1) the public key can be used in verification of said signature;
(V.7) the server is operated by an Emergency Operations Center (EOC);
(V.8) the certificate is signed with an Elliptic Curve Digital Signature Algorithm (ECDSA).
The Board agreed with the OD that D9 was an appropriate closest prior art, as D9 was about authentication of a broadcast warning message in an Earthquake and Tsunami Warning System.
In agreement with the OD, the Board considered the following aspects as distinguishing from D9:
(a) The use of an asymmetric signature scheme for the broadcast message as opposed to a symmetric signature scheme of D9 [features V2.1-2.3, V4, V6 and V6.1];
(b) The inclusion of a public-key certificate signed with an ECDSA in the single warning transmission [features V5.1 and V8]; and
(c) Requesting and receiving a certificate from a certificate authority server [features V1 and V2].
The OD had defined the objective technical problem as how to provide an alternative authentication method for the warning message of D9.
According to the Appellant-Opponent, each of the aspects (a)-(c) would increase security but did so independently, without synergy. Security was merely increased because (a) in asymmetric cryptography the private key is never distributed, (b) ECDSA was known to provide higher security as compared to other encryptions, and aspect (c) merely offered the possibility to check the authenticity of the source.
According to the Patentee, the single transmission [feature V.5] contained all of the information required to maintain trust of and verify a warning message in the system, so that the patented invention achieved the purpose of securing the warning message without requiring repeated distribution of a shared secret.
The Board understood that the claimed method enabled the receiving device to verify the warning message with a reduced bandwidth use, for example because the public key did not require continuous updates, ECDSA reduced the number of bits, and the use of the single transmission decreased overhead.
Therefore, the Board re-framed the objective technical problem as “how to enable a reliable verification of the warning messages of D9 at the receiving device in a bandwidth-efficient way”.
The Appellant-Opponent argued that the skilled person would have recognized that the use of D9’s shared secret was inefficient in terms of bandwidth and would have replaced it by ECDSA, which was known to be more compact and moreover required public-key cryptography. The Patentee contended that using multiple separate messages was essential to D9, and to arrive at claim 1, the skilled person would have to dismiss the explicit teaching of D9.
According to the Board, in D9, the amount of bits available for the signature was very limited, to about 30 bits. This limited amount of bits was considered teaching away from the claimed invention, because “accommodating a public key and a certificate within few bits would be insufficient to provide a level of security at least at the level of the frequently-updated shared secret key” and the alternative of increasing the number of bits in a single “paging message” in D9 would require a re-design of the underlying network.
To solve the objective technical problem, the skilled person would have kept the signature in a “paging message” in D9 and would have instead reduced the update frequency of the shared secret key to an acceptable minimum. Alternatively, the skilled person would have introduced ECDSA in “Security Data” in D9 sent on the higher-bandwidth channel to reduce its size, yet still keeping a “first notification” in D9.
The Board concluded the claim 1 involved an inventive step.