DCT
2:17-cv-04294
Entrust Inc v. StrikeForce Tech Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: Entrust, Inc. (Maryland)
  - Defendant: StrikeForce Technologies, Inc. (Wyoming)
  - Plaintiff’s Counsel: Rivkin Radler LLP; Katten Muchin Rosenman LLP
- Case Identification: 2:17-cv-04294, D.N.J., 06/12/2017
- Venue Allegations: Venue is alleged to be proper in the District of New Jersey because Defendant StrikeForce Technologies, Inc. maintains a regular and established place of business in Edison, New Jersey.
- Core Dispute: Plaintiff alleges that Defendant’s "ProtectID" authentication product infringes two patents related to methods for managing user access across multiple computer systems and security domains.
- Technical Context: The technology concerns enterprise-level and web-based identity and access management, a field focused on providing users with secure and streamlined access to protected digital resources.
- Key Procedural History: The complaint alleges that the defendant has had knowledge of the patents-in-suit and the alleged infringement since at least the date the complaint was served, which may form the basis for a post-filing willfulness claim. No prior litigation or administrative proceedings are mentioned.
Case Timeline
| Date | Event |
|---|---|
| 1999-10-01 | Priority Date for U.S. Patent No. 6,728,884 |
| 2000-06-26 | Priority Date for U.S. Patent No. 7,010,582 |
| 2004-04-27 | U.S. Patent No. 6,728,884 Issues |
| 2006-03-07 | U.S. Patent No. 7,010,582 Issues |
| 2017-06-12 | Complaint Filed |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 6,728,884 - Integrating Heterogeneous Authentication and Authorization Mechanisms into an Application Access Control System (Issued Apr. 27, 2004)
The Invention Explained
- Problem Addressed: The patent's background section describes the technical and administrative burdens of managing distinct security systems for different applications within an organization. This "heterogeneous set of security mechanisms" requires users to track multiple credentials and administrators to perform redundant management tasks, while making it costly and difficult to integrate new security technologies like retinal scanners (’884 Patent, col. 2:1-25).
- The Patented Solution: The invention proposes a centralized access control system that uses a "proxy security server" to act as an intermediary between an application access server and various disparate "remote security servers" (e.g., legacy authentication systems). This proxy architecture is designed to receive authentication requests, interact with the appropriate remote system, and translate the resulting authorizations into a standardized format (e.g., "access roles") for the central system, thereby simplifying the integration of diverse security platforms (’884 Patent, Abstract; col. 2:40-65).
- Technical Importance: This architectural approach provided a method for enterprises to unify their security infrastructure and adopt new technologies without needing to overhaul or replace existing legacy systems (’884 Patent, col. 2:32-38).
Key Claims at a Glance
- The complaint asserts at least independent claim 1 (Compl. ¶20).
- Claim 1 is a method claim for selectively authenticating and authorizing a client, with key elements including:
  - receiving a request of a client to access computer systems;
  - requesting a "proxy security server" to authenticate the client;
  - receiving an authorization from the "proxy security server" based on authentication results from a coupled "remote security server"; and
  - establishing access rights for the client based on access information records received from the "remote security server" through the "proxy security server".
- The complaint does not explicitly reserve the right to assert dependent claims.
U.S. Patent No. 7,010,582 - Systems and Methods Providing Interactions Between Multiple Servers and an End Use Device (Issued Mar. 7, 2006)
The Invention Explained
- Problem Addressed: The patent identifies the inconvenience for a user who must complete separate authentication procedures to access resources across different network domains. It also notes that direct server-to-server communication of user information to solve this problem may violate privacy laws (’582 Patent, col. 1:36-58).
- The Patented Solution: The invention describes a method where an end-user device, such as a web browser, is used as an intermediary to convey access control information from a first server to a second server in a different domain. The first server provides the user's browser with a response message containing the access information and instructions (e.g., in a hidden form or script) that cause the browser to automatically send a new message containing that information to the second server. This creates a multi-domain single sign-on (MDSSO) capability (’582 Patent, Abstract; Fig. 5).
- Technical Importance: This technique enabled a single sign-on experience across different web properties without requiring direct communication between the servers, offering a solution that addressed both user convenience and data privacy concerns (’582 Patent, col. 1:44-48).
Key Claims at a Glance
- The complaint asserts at least independent claim 14 (Compl. ¶34).
- Claim 14 is a method claim for a network device to respond to an input message, with key elements including:
  - responding with a "response message" having a "header portion" and a "content portion";
  - the "response message" containing "access control information" in the "header portion";
  - the "content portion" containing the "access control information" and also containing "instructions to send a subsequent message" to another network device on a different domain; and
  - the "subsequent message" having a "content portion" containing at least part of the "access control information".
- The complaint does not explicitly reserve the right to assert dependent claims.
III. The Accused Instrumentality
Product Identification
- The accused instrumentality is Defendant's product branded as "ProtectID" (Compl. ¶9).
Functionality and Market Context
- The complaint alleges that ProtectID is an "integrated authentication platform" composed of a "Core" (including a "Controller"), "Agents," and "Authentication Servers" (Compl. ¶¶10-11). The ProtectID Architecture is depicted in a diagram showing how user populations interact with applications requiring authentication via various interfaces and a central "PID Core" (Compl. at 4).
- Functionally, the system is alleged to provide services like "'out-of-band' two factor authentication" (Compl. ¶14). The complaint further alleges that ProtectID acts as an Identity Provider in a "Federated Identity scenario" through its implementation of the Security Assertion Markup Language 2.0 ("SAML 2.0") standard, which enables cross-domain single sign-on (Compl. ¶16).
- The complaint provides a diagram illustrating the message exchange under the SAML 2.0 standard, which involves a User Agent, a SAML Requester, and a SAML Responder (Compl. at 7).
IV. Analysis of Infringement Allegations
'884 Patent Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| A method of selectively authenticating and authorizing a client seeking access to one or more networked computer systems that are protected by an access control system... | ProtectID practices a computer-implemented method of selectively authenticating and authorizing a client seeking access to networked computer systems. | ¶14, ¶21 | col. 1:49-56 |
| receiving a request of a client to access one of the computer systems; | The "ProtectID Agents component receives a request of a client to access one or more computer systems." | ¶15, ¶21 | col. 13:40-44 |
| requesting a proxy security server to authenticate the client using information identifying the client; | The "ProtectID Agents component then requests a proxy security server (e.g., the Controller) to authenticate the client using information identifying the client." | ¶15, ¶21 | col. 13:45-51 |
| receiving an authorization of the client from the proxy security server based on authentication results received from a remote security server that is coupled to the proxy security server; | The "ProtectID Agents component then receives an authorization of the client from the proxy security server (e.g., the Controller) based on authentication results received from a remote security server (e.g., the ProtectID Authentication Servers component) that is coupled to the proxy security server (e.g., the Controller)." | ¶15, ¶21 | col. 13:56-60 |
| establishing access rights of the client, based on one or more access information records received from the remote security server through the proxy security server, for use by the access control system... | "ProtectID then establishes access rights of the client, based on one or more access information records received from the remote security server (e.g., the ProtectID Authorization Servers component) through the proxy security server (e.g., the Controller)..." | ¶15, ¶21 | col. 13:61-66 |
'582 Patent Infringement Allegations
| Claim Element (from Independent Claim 14) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| responding with a response message having a header portion and a content portion, | ProtectID, acting as a SAML Responder, "responds with a response message having a header portion and a content portion." | ¶18, ¶35 | col. 3:1-10 |
| with the response message containing the access control information in the header portion | The response message allegedly contains access control information in the header portion. | ¶18, ¶35 | col. 3:2-4 |
| and having a content portion containing the access control information and also containing instructions to send a subsequent message to another network device on a different network domain, | The response message allegedly has a content portion that contains "the access control information and also containing instructions to send a subsequent message to another network device on a different network domain." This is allegedly part of the SAML 2.0 exchange. | ¶18, ¶35 | col. 3:4-9 |
| the subsequent message having a content portion containing at least part of the access control information. | The subsequent message allegedly has a "content portion containing at least part of the access control information." | ¶18, ¶35 | col. 3:9-10 |
- Identified Points of Contention:
  - Scope Questions: For the ’884 Patent, a central question will be whether the components of the accused ProtectID product map onto the claimed architectural elements. The complaint equates the ProtectID "Controller" with the claimed "proxy security server" and the "Authentication Servers" with the "remote security server" (Compl. ¶¶15, 21). The defense may argue that the functionality and relationship of these components differ from what the patent specifies and requires for a "proxy."
  - Technical Questions: For the ’582 Patent, the dispute may focus on whether the SAML 2.0 protocol as implemented by ProtectID meets the specific structural requirements of claim 14. The claim requires access control information to be present in both the header and content portions of the response message. The provided SAML diagram shows a response returned in an XHTML form, which constitutes the content portion (Compl. at 7). A technical question for the court will be whether evidence shows the accused SAML messages also place the required access control information in the message header, as strictly required by the claim language.
V. Key Claim Terms for Construction
For the '884 Patent:
- The Term: "proxy security server"
- Context and Importance: This term defines the core intermediary component of the claimed invention. The infringement case for the ’884 patent hinges on whether the ProtectID "Controller" falls within the scope of this term. Practitioners may focus on this term because the complaint explicitly equates it with an accused component, making the accuracy of that mapping a central point of dispute.
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: The specification describes the term functionally, stating a "proxy security server" "serves as an interface between" the central system and a remote security server (’884 Patent, col. 4:16-19). This supports a broad definition based on its role as an intermediary.
  - Evidence for a Narrower Interpretation: The specification also describes the "proxy security server" in a specific object-oriented context as an "instantiation of a subclass of a base class" and notes its compliance with CORBA (’884 Patent, col. 2:54-55; col. 7:40-44). This language could support a narrower construction limited to systems with such specific software architectures.
For the '582 Patent:
- The Term: "a response message containing the access control information in the header portion and having a content portion containing the access control information"
- Context and Importance: This limitation recites a very specific structure for the response message, requiring the same type of information to be present in two different parts of the message. Infringement of claim 14 depends entirely on whether the accused SAML messages from ProtectID have this dual-location structure.
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: The patent's abstract and summary describe the overall goal as conveying information "through an end user device" (’582 Patent, Abstract). A party might argue the claim should be read in light of this general purpose, without hyper-technical adherence to the location of data.
  - Evidence for a Narrower Interpretation: The plain language of the claim explicitly requires the information in both the header and the content. The patent's own figures illustrate this separation, showing Set-Cookie(access control information) in the header and a hidden form (containing more information and instructions) in the content portion (’582 Patent, Fig. 6). This may support a narrow reading that requires information to be located in both distinct message parts.
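
The message structure described for Fig. 6 above can be checked mechanically on a captured response. The following is an added example, not taken from the complaint, the patents, or either party's product: it parses a raw HTTP response and reports whether a value appears in both a Set-Cookie header and a hidden form field, and which form targets sit on a different host. The sample responses, host names, cookie name and token are constructed placeholders.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: value in a Set-Cookie header and in a hidden form field.
SET_COOKIE = "Set-Cookie: aci=TOKEN123; Path=/; Secure; HttpOnly\r\n"
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    + SET_COOKIE + "\r\n"
    '<html><body onload="document.forms[0].submit()">'
    '<form method="post" action="https://server2.example.net/sso">'
    '<input type="hidden" name="aci" value="TOKEN123">'
    "</form></body></html>"
)
# Constructed contrast case: same body, nothing in the header portion.
CONTENT_ONLY = SAMPLE.replace(SET_COOKIE, "")

class FormScan(HTMLParser):
    """Collect form actions and hidden input values from the content portion."""
    def __init__(self):
        super().__init__()
        self.actions, self.hidden = [], {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.actions.append(a["action"])
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden[a.get("name")] = a.get("value") or ""

def analyze(raw, responder_host):
    """Report where candidate access control values sit in one response."""
    head, _, body = raw.partition("\r\n\r\n")
    cookies = SimpleCookie()
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "set-cookie":
            cookies.load(value.strip())
    header_values = {m.value for m in cookies.values() if m.value}
    scan = FormScan()
    scan.feed(body)
    targets = {urlsplit(u).hostname for u in scan.actions}
    return {
        "in_header": bool(header_values),
        "in_content": bool(scan.hidden),
        "same_value_in_both": bool(header_values & set(scan.hidden.values())),
        "cross_domain_targets": sorted(t for t in targets if t and t != responder_host),
    }
```

Calling `analyze(SAMPLE, "server1.example.com")` reports the value in both portions, while `analyze(CONTENT_ONLY, "server1.example.com")` reports it in the content portion only.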
VI. Other Allegations
- Indirect Infringement: For both the ’884 and ’582 patents, the complaint alleges active inducement by "knowingly instruct[ing] and direct[ing] users/customers to use ProtectID" in an infringing manner through marketing, instructions, and support (Compl. ¶¶23, 29, 37, 43). It also alleges contributory infringement, stating that ProtectID constitutes a material component "especially made or adapted for use in an infringement" and is not a staple article of commerce (Compl. ¶¶24, 38).
- Willful Infringement: For both patents, willfulness is alleged based on Defendant’s knowledge of the patents and the alleged infringement "at least as early as the filing date of this Complaint" (Compl. ¶¶32, 46). This establishes a basis for seeking enhanced damages for any post-filing infringement.
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue for the '884 patent will be one of architectural mapping: can the plaintiff prove that Defendant's ProtectID system, with its "Controller" and "Authentication Servers," is structurally and functionally equivalent to the "proxy security server" and "remote security server" architecture required by the patent, or will the defense successfully distinguish the roles and operations of its components?
- A key evidentiary question for the '582 patent will be one of protocol-to-claim mapping: does the accused SAML 2.0 message flow used by ProtectID meet the precise structural requirements of Claim 14, specifically the placement of "access control information" in both the header and content portions of a single response message, or is there a technical mismatch between the standard protocol and the patent's specific claimed method?