Verint Systems Inc v. Keysee Software Ltd

1. Case Identification

• Case #: IPR2018-01579
• Patent #: 9,038,192
• Filed: August 22, 2018
• Petitioner(s): Verint Systems Inc.
• Patent Owner(s): Elad Barkan
• Challenged Claims: 1-29

2. Patent Overview

• Title: Cryptanalysis of Encrypted Communications
• Brief Description: The ’192 patent discloses methods and systems for cryptanalyzing encrypted communications over a Global System for Mobile Communications (GSM) network. The invention involves recovering a session encryption key from a communication encrypted with a first, weaker encryption scheme and then using that same key to decrypt or encrypt other communications that use a second, stronger encryption scheme.

3. Grounds for Unpatentability

Ground 1: Obviousness over Pesonen and Known Impersonation Attacks - Claims 1-29 are obvious over Pesonen, Known GSM Impersonation Attacks (e.g., Mitchell, Horn & Howard, the ’407 Publication), and the knowledge of a POSITA.

• Prior Art Relied Upon: Pesonen (a 1999 publication on GSM interception), Mitchell (a 2001 technical report on GSM security), Horn & Howard (a 2000 publication on mobile system security), and the ’407 publication (Application # 2006/0288407 to Naslund).
• Core Argument for this Ground:
  • Prior Art Mapping: Petitioner argued that the claimed method was a straightforward combination of known techniques. The "Known GSM Impersonation Attacks" (e.g., Mitchell, Horn & Howard) taught how to perform a man-in-the-middle (MITM) or "rollback" attack to force a mobile device to use a weaker, known-to-be-vulnerable encryption scheme, such as A5/2. Pesonen taught that a brute-force attack—a form of ciphertext-only cryptanalysis—was a feasible method for recovering the GSM session key (Kc) from communications encrypted with weak algorithms like A5/2 in a relatively short time.
  • Motivation to Combine: A person of ordinary skill in the art (POSITA) seeking to decrypt GSM communications for security or law enforcement purposes would combine these techniques. A POSITA would first use a known impersonation attack to downgrade the encryption to the weaker A5/2 standard, making it more susceptible to cryptanalysis. The POSITA would then apply a known brute-force method, as detailed by Pesonen, to recover the session key from the weakly encrypted communication. The patent itself admits that once the session key is recovered, it can be used to decrypt communications using stronger schemes (e.g., A5/1), as the GSM standard reuses the same key for different algorithms associated with a single device.
  • Expectation of Success: A POSITA would have a high expectation of success, as impersonation attacks were described as "relatively easy to mount," and brute-force key recovery was a well-understood and computationally feasible process for weak ciphers at the time.

Ground 2: Obviousness over the GSM Standard and Known Impersonation Attacks - Claims 1-29 are obvious over the GSM Standard, Known GSM Impersonation Attacks (e.g., Mitchell, Horn & Howard, the ’407 Publication), and the knowledge of a POSITA.

• Prior Art Relied Upon: The GSM Standard itself, supplemented by the same "Known GSM Impersonation Attacks" references from Ground 1.

• Core Argument for this Ground:

  • Prior Art Mapping: This ground asserted that the purported invention—transforming a known-plaintext attack into a ciphertext-only attack—was made obvious by information publicly available in the GSM Standard. The ’192 patent’s key “observation” was that GSM employs error-correction codes before encryption, creating a publicly disclosed redundancy. Petitioner argued, citing admissions from the patent owner in a related proceeding, that this redundancy was the "missing link" that would allow any "average professional" to convert existing known-plaintext attacks into more powerful ciphertext-only attacks. Therefore, the core inventive concept was already enabled by the public GSM Standard.
  • Motivation to Combine: The motivation was to create a more effective cryptanalytic attack. A POSITA, knowing of the redundancy in the GSM Standard, would be motivated to leverage it to improve existing attack methods. This would allow them to perform cryptanalysis without needing access to the original plaintext, overcoming a major hurdle of many prior art attacks.
  • Expectation of Success: A POSITA would expect this transformation to succeed because it relied on a known, fundamental characteristic of the GSM protocol and well-understood cryptanalytic techniques for leveraging such redundancies.

• Additional Grounds: Petitioner asserted that claims 16-29, which do not require "ciphertext-only" cryptanalysis, are obvious over Admitted Prior Art (APA) known-plaintext attacks combined with the Known GSM Impersonation Attacks.

4. Key Claim Construction Positions

• "Cryptanalysis" / "cryptanalyzing": Petitioner argued for the patent's broad express definition: "the process of being able to encrypt/decrypt communication without the prior knowledge of the used session key." This construction is critical because it encompasses any method of breaking the encryption, including the well-known brute-force attacks described in the prior art, and is not limited to the specific algebraic methods detailed in the ’192 patent’s specification.
• "Ciphertext Only": Petitioner relied on the patent's definition that "the attacker has access only to the encrypted messages, and has no access to the messages before they were encrypted." This construction was used to argue that prior art brute-force attacks, which operate only on the encrypted data to find the key, directly meet this claim limitation.

5. Key Technical Contentions (Beyond Claim Construction)

• Session Key (Kc) Reuse: A central technical argument was that the GSM standard's design is inherently flawed because the same session key (Kc) is used for all encryption schemes (e.g., A5/1, A5/2, A5/3) during a session. This known vulnerability meant that once the key was recovered by breaking the weakest scheme (A5/2), it could be trivially "replayed" to decrypt communications protected by much stronger schemes, a core step of the challenged claims.
• Pre-Encryption Redundancy: Petitioner contended that the GSM standard's public requirement to apply error-correction coding before encryption created a known redundancy. This redundancy provided enough structural information in the ciphertext to allow a POSITA to convert known-plaintext attacks into ciphertext-only attacks, rendering the patent's primary contribution obvious.

6. Relief Requested

• Petitioner requested the institution of an inter partes review and cancellation of claims 1-29 of the ’192 patent as unpatentable under 35 U.S.C. §103.