Prosecution Insights
Last updated: April 19, 2026
Application No. 17/883,449

DISTRIBUTION OF PRIVATE SESSION KEY AND OFFLOADING A PROTOCOL STACK TO A NETWORK COMMUNICATION DEVICE FOR SECURED COMMUNICATIONS

Final Rejection §103
Filed: Aug 08, 2022
Examiner: SHAUGHNESSY, AIDAN EDWARD
Art Unit: 2432
Tech Center: 2400 — Computer Networks
Assignee: International Business Machines Corporation
OA Round: 4 (Final)
Grant Probability: 38% (At Risk)
OA Rounds: 5-6
To Grant: 3y 7m
With Interview: 99%

Examiner Intelligence

Career Allow Rate: 38% (3 granted / 8 resolved; -20.5% vs TC avg)
Interview Lift: +71.4% (resolved cases with interview)
Avg Prosecution: 3y 7m; 44 currently pending
Total Applications: 52 across all art units

Statute-Specific Performance

§101: 7.9% (-32.1% vs TC avg)
§103: 66.0% (+26.0% vs TC avg)
§102: 11.9% (-28.1% vs TC avg)
§112: 14.1% (-25.9% vs TC avg)
Tech Center average is an estimate; based on career data from 8 resolved cases.

Office Action

§103
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendments / Arguments

Regarding the rejection(s) of claims under 35 USC 103: The Applicant's arguments, filed 11/06/2025, have been fully considered and are not persuasive.

Applicant argues that Li does not teach "pausing the communication session between the user space software and the client device" and "generating, based on the pausing of the communication session, a private session key for the communication session." However, Li clearly describes a staged operational approach where normal communication operations are suspended during key provisioning. Specifically, Li recites at [0048-0049] that "operations 202-206 may be part of a configuration stage" and at [0059] that "operations 208-224 may be part of an initialization stage. During the initialization stage, one or more cryptographic keys may be distributed to different entities in a secure manner" before transitioning to the operation stage described in Figure 3. Li further recites at [0038] that "during an initialization stage, the component(s) 124 (e.g., a NIC) may be configured to communicate with just the service provider 102 due to a static cryptographic key." This describes pausing broader communication sessions while keys are being provisioned. Additionally, Li describes at [0051-0052] generating a "rotated static key" during this initialization stage, which constitutes generating a private session key based on the pausing of communications.

Applicant further argues that Li does not teach "receiving, by the user space software from the network communication device, a status message indicating that reception and storage of the private session key by the network communication device is complete" and "restarting the paused communication session based on the receiving of the status message." However, Li describes an acknowledgment mechanism. At [0058], Li recites that "the component(s) 124 may calculate a hash of data within the key package" and "If verified, the component(s) 124 may trust the key package and data within the key package (e.g., store and/or use the data for further processing)." The secure communication channel 134 shown in Figure 1 enables this verification information to be communicated back to the TEE component. Li further describes at [0060] and [0069] the transition from the initialization stage to the "operation stage" where "data may be sent over a secure channel to various entities (e.g., at runtime of the TEE component 128 or other entities)," which teaches restarting communication sessions based on successful key verification and storage.

Applicant's argument that Li "merely describes transmission of cryptographic keys from the Trusted Execution Environment (TEE) to the Network Interface Controllers" without the claimed pausing/restarting sequence mischaracterizes the reference. The staged approach (configuration into initialization into operation) creates the claimed pause and resume pattern, with key generation occurring during the pause and communication resumption following successful verification. Therefore, the identified claim language is considered to be taught by the combination of Daly, Li, and Rogers, and the rejection is maintained. Further, since Applicant has not presented persuasive arguments distinguishing the dependent claims, their rejections are likewise maintained.

DETAILED ACTION

This is a reply to the arguments filed on 11/06/2025, in which claims 1-20 are pending. Claims 1, 8, and 15 are independent. When making claim amendments, the applicant is encouraged to consider the references in their entireties, including those portions that have not been cited by the examiner and their equivalents as they may most broadly and appropriately apply to any particular anticipated claim amendments.
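The pause / generate / deliver / status message / restart sequence argued over above, shown as a simulated exchange between user-space software and a protocol-offload device. This is an added editorial illustration, not code from the application, from Daly, Li or Rogers, or from any project; the message layout, the fingerprint echoed in the status message, the pre-shared provisioning MAC key, the toy keystream and every class and function name are assumptions made for the example.

```python
"""Simulated key provisioning handshake: pause the session, generate the
private session key while paused, deliver it to the offload device, wait
for the device's status message, restart only on a confirming status.
Added illustration; all names and message formats are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum, auto
from typing import Callable, Dict, List, Optional

# Assumption: a pre-shared key protecting key packages on the host-to-device
# path, standing in for whatever secured channel a real design would use.
PROVISIONING_MAC_KEY = b"constructed-provisioning-mac-key"


class SessionState(Enum):
    ACTIVE = auto()
    PAUSED = auto()


class SessionPausedError(RuntimeError):
    """User-space software tried to send while the session was paused."""


@dataclass(frozen=True)
class KeyPackage:
    session_id: int
    key: bytes
    tag: bytes  # integrity tag over (session_id, key)


def mac_key_package(session_id: int, key: bytes) -> bytes:
    msg = session_id.to_bytes(4, "big") + key
    return hmac.new(PROVISIONING_MAC_KEY, msg, hashlib.sha256).digest()


def key_fingerprint(key: bytes) -> str:
    """Short identifier the device echoes back so the host can confirm which key was stored."""
    return hashlib.sha256(key).hexdigest()[:16]


class OffloadDevice:
    """Models the network communication device: verifies and stores session
    keys, answers with a status message, encrypts outbound packets with the
    stored key."""

    def __init__(self) -> None:
        self.keys: Dict[int, bytes] = {}
        self.tx_seq: Dict[int, int] = {}

    def install_key(self, pkg: KeyPackage) -> dict:
        # Verify the package before trusting or storing anything from it.
        if not hmac.compare_digest(mac_key_package(pkg.session_id, pkg.key), pkg.tag):
            return {"session_id": pkg.session_id, "status": "REJECTED"}
        self.keys[pkg.session_id] = pkg.key
        self.tx_seq[pkg.session_id] = 0
        return {"session_id": pkg.session_id, "status": "STORED",
                "fingerprint": key_fingerprint(pkg.key)}

    def encrypt_outbound(self, session_id: int, payload: bytes) -> bytes:
        key = self.keys[session_id]  # KeyError: nothing installed for this session
        seq = self.tx_seq[session_id]
        self.tx_seq[session_id] = seq + 1
        # Toy per-packet keystream (repeats past 32 bytes); stands in for the
        # device's real cipher offload and is not a usable cipher.
        stream = hmac.new(key, b"tx" + seq.to_bytes(8, "big"), hashlib.sha256).digest()
        return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(payload))


class UserSpaceSession:
    """Models the user-space side of one communication session."""

    def __init__(self, session_id: int, device: OffloadDevice,
                 channel: Callable[[KeyPackage], KeyPackage] = lambda pkg: pkg) -> None:
        self.session_id = session_id
        self.device = device
        self.channel = channel  # models the host-to-device path (identity by default)
        self.state = SessionState.ACTIVE
        self.installed_fingerprint: Optional[str] = None
        self.log: List[str] = []

    def provision_key(self) -> dict:
        # 1. Pause the session so nothing is sent under a half-installed key.
        self.state = SessionState.PAUSED
        self.log.append("PAUSED")
        # 2. Generate the private session key only once the session is paused.
        key = secrets.token_bytes(32)
        pkg = KeyPackage(self.session_id, key, mac_key_package(self.session_id, key))
        # 3./4. Deliver the key package and wait for the device's status message.
        status = self.device.install_key(self.channel(pkg))
        self.log.append("STATUS:" + status["status"])
        # 5. Restart only if the device reports it stored the key we generated.
        if status["status"] == "STORED" and status["fingerprint"] == key_fingerprint(key):
            self.installed_fingerprint = status["fingerprint"]
            self.state = SessionState.ACTIVE
            self.log.append("RESUMED")
        return status

    def send(self, payload: bytes) -> bytes:
        if self.state is SessionState.PAUSED:
            raise SessionPausedError("session %d is paused" % self.session_id)
        if self.installed_fingerprint is None:
            raise RuntimeError("no session key installed on the device")
        return self.device.encrypt_outbound(self.session_id, payload)


if __name__ == "__main__":
    device = OffloadDevice()
    session = UserSpaceSession(7, device)
    print(session.provision_key(), session.state, session.send(b"hello").hex())
```

Run as a script it walks through one successful provisioning. The part worth studying is the failure branch: a package whose integrity check fails produces a REJECTED status and leaves the session paused, so no packet is ever encrypted under a key the device did not confirm, and a session that has never received a status message cannot send at all.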
Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-8, 10-15, and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Daly et al. (US 20220103530 A1, referred to as Daly), in view of Li et al. (US 20200220713 A1, referred to as Li) in further view of Rogers et al. (US 20230103518 A1) Tan et al. (US 20110153793 A1, referred to as Tan) in view of Grondal et al. (US 20160088029 A1, referred to as Grondal).

In reference to claim 1, A computer implemented method, comprising:

offloading a protocol stack to a network communication device (Daly: [0063] and [0089] Provides for offloading protocol stack functions (TLS and reliable packet transport) to a network interface device. Daly paragraphs [0020] and [0095] further provide for offloading of TLS encryption and decryption, which is a part of the protocol stack, to a network communication device.)

Communicating, from the user space software to the network communication device, outbound session packets (Daly: [0087] Provides communicating outbound data from user space to the network device. Daly paragraph [0067] further provides for the communication between user space processes and the network device over specified interfaces.)

Wherein the network communication device is programmed to initiate operations comprising: processing, by the network communication device, headers in the outbound session packets (Daly: [0089] Provides for the network device processing packet headers (determining destination, applying forwarding rules).)

Generating, by the network communication device, encrypted outbound session packets by encrypting the outbound session packets using the private session key (Daly: [0092] Provides for the network device encrypting outbound data using a key. Daly paragraphs [0107] and [0111] further provide for directly addressing the processing of headers in packets, including both outbound (assembling packets with headers) and inbound (processing MAC headers) scenarios.)

Communicating, by the network communication device to a client device via a secured communication tunnel, the encrypted outbound session packets (Daly: [0090] Provides transmission of packets from the network device. Daly paragraph [0084] further provides for the transmission of encrypted packets.)

Receiving, by the network communication device from the client device, via the secured communication tunnel, inbound session packets (Daly: [0096] Provides for the network device receiving packets. Daly paragraph [0099] further provides the reception of packets by the network interface device.)

Generating, by the network communication device, decrypted inbound session packets by decrypting the inbound session packets using the private session key (Daly: [0096] Provides for decryption of inbound packets by the network device. Daly paragraph [0097] further provides the decryption process using TLS keys.)

Processing, by the network communication device, headers in the inbound session packets (Daly: [0096] Provides for processing of headers in inbound packets (forwarding and policy enforcement). Daly paragraph [0093] further provides processing packet headers for reliable transport. Daly paragraphs [0107] and [0111] further provide for directly addressing the processing of headers in packets, including both outbound (assembling packets with headers) and inbound (processing MAC headers) scenarios.)

Communicating, from the network communication device to the user space software, the decrypted inbound session packets (Daly: [0098] Provides for communicating decrypted inbound data from the network device to user space.)

Although Daly teaches communicating a key index from user space to the network device, which is used to identify the encryption/decryption key from a key storage (Daly: [0070]-[0071]), Daly does not explicitly disclose sending to the network communication device the private session key itself. However, Li discloses:

Establishing a secured communication tunnel for a communication session between a user space software of the data processing system and a client device, wherein the user space software is stored and executed in the user space (Li: [0026]-[0031] and Fig. 1 Provides for multiple secure communication channels (130, 134, 140, 142) forming tunnels between different components.)

pausing the communication session between the user space software and the client device (Li: [0038] and [0048]-[0049] Provides that initially only secure communication channel 130 exists between the TEE and the service provider. The system must pause broader communications until channels 134, 140, and 142 are established through the key provisioning process. Li: Fig. 2, after the configuration and initialization stages it would pause normal operations while keys are being set up and distributed.)

Generating, based on the pausing of the communication session, a private session key for the communication session (Li: [0026] and [0049] Provides for generating session keys for communication. Li: [0051]-[0052] Provides for a rotated static key generated during the paused state.)

Communicating, from user space software to the network communication device, a private session key (Li: [0044]-[0046], [0049], [0053], [0072] and [0087] Provides for transmission of cryptographic keys from a TEE (user space software) to a NIC.)

Receiving, by the user space software from the network communication device, a status message indicating that reception and storage of the private session key by the network communication device is complete (Li: [0052]-[0058] Provides for acknowledgment of successful key reception and storage.)

Restarting the paused communication session based on the receiving of the status message (Li: [0052]-[0058] and [0060]-[0069] and Figs. 2-3 Provides that the transition from the initialization stage (Figure 2) to the operation stage (Figure 3) represents the restart of communication sessions.)

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Daly, which disclose offloading protocol stack functions to a network communication device and communicating key indices from user space software for the device to retrieve keys from a secure storage, with the teachings of Li, which disclose directly sending a private session key from user space software to a network communication device. One of ordinary skill in the art would recognize the ability to directly transmit the private session key to simplify the key retrieval process and enhance the speed and security of the encryption and decryption processes in network communications. One of ordinary skill in the art would be motivated to make this modification to reduce the overhead of key indexing and improve the efficiency of secure communication setups.

Daly in view of Li does not explicitly disclose allocating, by a data processing system, a first portion of a memory to a user space, wherein the memory is associated with a virtual machine hosted by the data processing system, a second portion of the memory is allocated for an operating system space, the first portion of the memory is different from the second portion of the memory, and the user space software is stored and executed in the user space allocated to the first portion of the memory. However, Rogers teaches:

allocating, by a data processing system, a first portion of a memory to a user space, wherein the memory is associated with a virtual machine hosted by the data processing system (Rogers: [0059] Provides for allocating a secure region of system memory to a trusted execution environment (TEE). It also further provides memory associated with a virtual machine hosted by the system.)

A second portion of the memory is allocated for an operating system space (Rogers: [0059]-[0060] Provides for a portion of memory that is unsecure (operating system space) where the hypervisor (system software layer) operates, which is different from the secure memory used by the virtual machine.)

The first portion of the memory is different from the second portion of the memory (Rogers: [0059] Provides for secure memory regions (first portion) that are encrypted and used for application data within the TEE, and unsecure memory regions (second portion) that are accessible to the hypervisor and system components.)

The user space software is stored and executed in the user space allocated to the first portion of the memory (Rogers: [0058]-[0061] Provides for applications executing within the TEE (user space) which is allocated to the secure portion of memory.)

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Daly in view of Li, which together provide a method for offloading protocol stack functions to network devices with direct private session key transmission, with the teachings of Rogers, which introduces memory allocation schemes for virtual machines with separate user space and operating system space regions. One of ordinary skill in the art would recognize the ability to incorporate Rogers's secure memory allocation architecture into the combined network communication system to enhance security isolation between user applications and system components. One of ordinary skill in the art would be motivated to make this modification in order to improve security by isolating user space software handling cryptographic keys from operating system components.

In reference to claim 3, The computer implemented method of claim 1, further comprising:

receiving from the operating system space a port identifier for a port provided by the operating system space to be used by the user space software for the communication session (Daly: [0066] and [0084] Provides for the network device receiving a socket handle from the OS, which includes a connection identifier.)

Wherein the communicating, from the user space software to the network communication device, the private session key comprises communicating, from the user space software to the network communication device, the private session key via the port identified by the port identifier (Daly: [0070], [0087] and [0095] Provides for receiving buffers and packet reception events which teaches the use of port identifiers for communication.)

In reference to claim 4, The computer implemented method of claim 3, wherein the communicating, from the user space software to the network communication device, the outbound session packets comprises communicating the outbound session packets to the network communication device via the port identified by the port identifier (Daly: [0087] Provides for communicating outbound data from user space to the network device using a specific interface (TX offload interface). Daly paragraph [0084] further provides for how the communication channel is established and identified. The socket handle, which includes a connection identifier, is associated with specific hardware queues for transmitting messages.)

In reference to claim 5, The computer implemented method of claim 3, further comprising: receiving, by the user space software from the network communication device, via the port identified by the port identifier, a status message indicating that reception and storage of the private session key by the network communication device is complete (Daly: [0063] and [0093] Provides for acknowledgment packets indicating receipt of data which teaches status messages indicating the completion of key reception and storage.)

In reference to claim 6, The computer implemented method of claim 1, wherein the communicating, from the user space software to the network communication device, the private session key comprises communicating, from the user space software to the network communication device, the private session key via a programming interface provided in the virtual machine by an input/output virtualization framework (Daly: [0022], [0064], [0067] and [0070] Provides for Infrastructure Programmer's Development Kit (IPDK) for sharing state information between the OS and network interface device which teaches communicating the private session key via a programming interface provided in a virtual machine by an input/output virtualization framework. The IPDK facilitates communication between the OS and the network interface device.)

In reference to claim 7, The computer implemented method of claim 1, wherein the private session key is not known to, nor discovered by, a hypervisor stack nor the operating system space of the data processing system hosting the user space software (Li: [0018]-[0020], [0024], [0026], [0029] and [0030] Provides for the use of a TEE for isolating sensitive data such as cryptographic keys from the main operating system and hypervisor environments.)

In reference to claim 8, A system, comprising: a processor configured to initiate executable operations comprising:

offloading a protocol stack to a network communication device (Daly: [0063] and [0089] Provides for offloading protocol stack functions (TLS and reliable packet transport) to a network interface device. Daly paragraphs [0020] and [0095] further provide for offloading of TLS encryption and decryption, which is a part of the protocol stack, to a network communication device.)

Communicating, from the user space software to the network communication device, outbound session packets (Daly: [0087] Provides communicating outbound data from user space to the network device. Daly paragraph [0067] further provides for the communication between user space processes and the network device over specified interfaces.)

Wherein the network communication device is programmed to initiate operations comprising: processing, by the network communication device, headers in the outbound session packets (Daly: [0089] Provides for the network device processing packet headers (determining destination, applying forwarding rules).)

Generate, by the network communication device, encrypted outbound session packets by encrypting the outbound session packets using the private session key (Daly: [0092] Provides for the network device encrypting outbound data using a key.
Daly paragraphs [0107] and [0111] further provides for directly addressing the processing of headers in packets, including both outbound (assembling packets with headers) and inbound (processing MAC headers) scenarios.) Communicate, by the network communication device to a client device via a secured communication tunnel, the encrypted outbound session packets (Daly: [0090] Provides transmission of packets from the network device. Daly paragraph [0084] further provides for the transmission of encrypted packets. Receive, by the network communication device from the client device, via the secured communication tunnel, inbound session packets (Daly: [0096] Provides for the network device receiving packets. Daly paragraph [0099] further provides the reception of packets by the network interface device. Generate, by the network communication device, decrypted inbound session packets by decrypting the inbound session packets using the private session key (Daly: [0096] Provides for decryption of inbound packets by the network device. Daly paragraph [0097] further provides the decryption process using TLS keys.) Process, by the network communication device, headers in the inbound session packets (Daly: [0096] Provides for processing of headers in inbound packets (forwarding and policy enforcement). Daly paragraph [0093] further provides processing packet headers for reliable transport. Daly paragraphs [0107] and [0111] further provides for directly addressing the processing of headers in packets, including both outbound (assembling packets with headers) and inbound (processing MAC headers) scenarios.) Communicate, from the network communication device to the user space software, the decrypted inbound session packets (Daly: [0098] Provides for communicating decrypted inbound data from the network device to user space.) 
Although Daly teaches communicating a key index from user space to the network device, which is used to identify the encryption/decryption key from a key storage (Daly: [0070]-[0071]), Daly does not explicitly disclose sending to the network communication device the private session key itself. However, Li discloses: Establishing, a secured communication tunnel for a communication session between a user space software of the data processing system and a client device, wherein the user space software is stored and executed in the user space (Li: [0026]-[0031] and Fig. 1 Provides for multiple secure communication channels (130, 134, 140, 142) forming tunnels between different components.) pausing the communication session between the user space software and the client device (Li: [0038], and [0048]-[0049] Provides for initially only secure communication channel 130 exists between TEE and service provider. The system must pause broader communications until channels 134, 140, and 142 are established through the key provisioning process. Li: Fig. 2 after the configuration and initialization stages it would pause normal operations while keys are being set up and distributed.) Generating, based on the pausing of the communication session, a private session key for the communication session (Li: [0026] and [0049] Provides for generating session keys for communication. Li: [0051]-[0052] Provides for rotated static key is generated during the paused state.) Communicating, from user space software to the network communication device, a private session key (Li: [0044]-[0046, [0049], [0053], [0072] and [0087] Provides for transmission of cryptographic keys from a TEE (user space software) to a NIC.) 
Receiving, by the user space software from the network communication device, a status message indicating that reception and storage of the private session key by the network communication device is complete (Li: [0052]-[0058] Provides for provides acknowledgment of successful key reception and storage.) Restarting the paused communication session based on the receiving of the status message (Li: [0052]-[0058] and [0060]-[0069] and Fig.2-3 Provides for the transition from the initialization stage (Figure 2) to the operation stage (Figure 3) represents the restart of communication sessions.) It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Daly, which disclose offloading protocol stack functions to a network communication device and communicating key indices from user space software for the device to retrieve keys from a secure storage, with the teachings of Li, which disclose directly sending a private session key from user space software to a network communication device. One of ordinary skill in the art would recognize the ability to directly transmit the private session key to simplify the key retrieval process and enhance the speed and security of the encryption and decryption processes in network communications. One of ordinary skill in the art would be motivated to make this modification to reduce the overhead of key indexing and improve the efficiency of secure communication setups. 
Daly in view of Li does not explicitly disclose allocating, by a data processing system, a first portion of a memory to a user space, wherein, the memory is associated with a virtual machine hosted by the data processing system, a second portion of the memory is allocated for an operating system space, the first portion of the memory is different from the second portion of the Memory, and the user space software is stored and executed in the user space allocated to the first portion of the memory. However, Rogers Teaches: allocating, by a data processing system, a first portion of a memory to a user space, wherein the memory is associated with a virtual machine hosted by the data processing system (Rogers: [0059] Provides for allocating a secure region of system memory to a trusted execution environment (TEE). It also further provides memory associated with a virtual machine hosted by the system.) A second portion of the memory is allocated for an operating system space (Rogers: [0059]-[0060] Provides for a portion of memory that is unsecure (operating system space) where the hypervisor (system software layer) operates, which is different from the secure memory used by the virtual machine.) The first portion of the memory is different from the second portion of the memory (Rogers: [0059] Provides for secure memory regions (first portion) that are encrypted and used for application data within the TEE, and unsecure memory regions (second portion) that are accessible to the hypervisor and system components.) The user space software is stored and executed in the user space allocated to the first portion of the memory (Rogers: [0058]-[0061] Provides for applications executing within the TEE (user space) which is allocated to the secure portion of memory.) 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Daly in view of Li, which together provide a method for offloading protocol stack functions to network devices with direct private session key transmission, with the teachings of Rogers, which introduces memory allocation schemes for virtual machines with separate user space and operating system space regions. One of ordinary skill in the art would recognize the ability to incorporate Rogers's secure memory allocation architecture into the combined network communication system to enhance security isolation between user applications and system components. One of ordinary skill in the art would be motivated to make this modification in order to improve security by isolating user space software handling cryptographic keys from operating system components In reference to claim 10, The system of claim 8, wherein the processor is further configured to initiate the executable operations to: receive from the operating system space a port identifier for a port provided by the operating system space to be used by the user space software for the communication session (Daly: [0066] and [0084] Provides for the network device receiving a socket handle from the OS, which includes a connection identifier.) Wherein the communication, from the user space software to the network communication device, of the private session key comprises communication, from the user space software to the network communication device, of the private session key via the port identified by the port identifier (Daly: [0070], [0087] and [0095] Provides for receiving buffers and packet reception events which teaches the use of port identifiers for communication.) 
In reference to claim 11, The system of claim 10, wherein the communication, from the user space software to the network communication device, of the outbound session packets comprises communication of the outbound session packets to the network communication device via the port identified by the port identifier (Daly: [0087] Provides for communicating outbound data from user space to the network device using a specific interface (TX offload interface) Daly paragraph [0084] further provides for how the communication channel is established and identified. The socket handle, which includes a connection identifier, is associated with specific hardware queues for transmitting messages.) In reference to claim 12, The system of claim 10, the processor is further programmed to initiate the executable operations to: receive, by the user space software from the network communication device, via the port identified by the port identifier, the status message indicating that the reception and the storage of the private session key by the network communication device is complete (Daly: [0063] and [0093] Provides for acknowledgment packets indicating receipt of data which teaches status messages indicating the completion of key reception and storage.) In reference to claim 13, The system of claim 8, wherein the communication, from the user space software to the network communication device, of the private session key comprises communicating, from the user space software to the network communication device, the private session key via a programming interface provided in a virtual machine by an input/output virtualization framework (Daly: [0022], [0064], [0067] and [0070] Provides for Infrastructure Programmer's Development Kit (IPDK) for sharing state information between the OS and network interface device which teaches communicating the private session key via a programming interface provided in a virtual machine by an input/output virtualization framework. 
The IPDK facilitates communication between the OS and the network interface device.) In reference to claim 14, The system of claim 8, wherein the private session key is not known to, nor discovered by, a hypervisor stack nor the operating system space of the data processing system hosting the user space software (Li: [0018]-[0020] ,[0024], [0026], [0029] and [0030] Provides for the use of a TEE for isolating sensitive data such as cryptographic keys from the main operating system and hypervisor environments.) In reference to claim 15, A computer program product, comprising: one or more computer readable storage mediums having program code stored thereon, the program code stored on the one or more computer readable storage mediums collectively executable by a data processing system to initiate operations including: offloading a protocol stack to a network communication device (Daly: [0063] and [0089] Provides for offloading protocol stack functions (TLS and reliable packet transport) to a network interface device. Daly paragraphs [0020] and [0095] further provides for offloading of TLS encryption and decryption, which is a part of the protocol stack, to a network communication device.) Communicating, from the user space software to the network communication device, outbound session packets (Daly: [0087] Provides communicating outbound data from user space to the network device. Daly paragraph [0067] further provides for the communication between user space processes and the network device over specified interfaces.) Wherein the network communication device is programmed to initiate operations comprising: processing, by the network communication device, headers in the outbound session packets (Daly: [0089] Provides for the network device processing packet headers (determining destination, applying forwarding rules).) 
Generating, by the network communication device, encrypted outbound session packets by encrypting the outbound session packets using the private session key (Daly: [0092] Provides for the network device encrypting outbound data using a key. Daly paragraphs [0107] and [0111] further provide for directly addressing the processing of headers in packets, including both outbound (assembling packets with headers) and inbound (processing MAC headers) scenarios.)

Communicating, by the network communication device to a client device via a secured communication tunnel, the encrypted outbound session packets (Daly: [0090] Provides transmission of packets from the network device. Daly paragraph [0084] further provides for the transmission of encrypted packets.)

Receiving, by the network communication device from the client device, via the secured communication tunnel, inbound session packets (Daly: [0096] Provides for the network device receiving packets. Daly paragraph [0099] further provides the reception of packets by the network interface device.)

Generating, by the network communication device, decrypted inbound session packets by decrypting the inbound session packets using the private session key (Daly: [0096] Provides for decryption of inbound packets by the network device. Daly paragraph [0097] further provides the decryption process using TLS keys.)

Processing, by the network communication device, headers in the inbound session packets (Daly: [0096] Provides for processing of headers in inbound packets (forwarding and policy enforcement). Daly paragraph [0093] further provides processing packet headers for reliable transport. Daly paragraphs [0107] and [0111] further provide for directly addressing the processing of headers in packets, including both outbound (assembling packets with headers) and inbound (processing MAC headers) scenarios.)

Communicating, from the network communication device to the user space software, the decrypted inbound session packets (Daly: [0098] Provides for communicating decrypted inbound data from the network device to user space.)

Although Daly teaches communicating a key index from user space to the network device, which is used to identify the encryption/decryption key from a key storage (Daly: [0070]-[0071]), Daly does not explicitly disclose sending to the network communication device the private session key itself. However, Li discloses:

Establishing, a secured communication tunnel for a communication session between a user space software of the data processing system and a client device, wherein the user space software is stored and executed in the user space (Li: [0026]-[0031] and Fig. 1 Provides for multiple secure communication channels (130, 134, 140, 142) forming tunnels between different components.)

Pausing the communication session between the user space software and the client device (Li: [0038], and [0048]-[0049] Provides for initially only secure communication channel 130 exists between TEE and service provider. The system must pause broader communications until channels 134, 140, and 142 are established through the key provisioning process. Li: Fig. 2 after the configuration and initialization stages it would pause normal operations while keys are being set up and distributed.)

Generating, based on the pausing of the communication session, a private session key for the communication session (Li: [0026] and [0049] Provides for generating session keys for communication. Li: [0051]-[0052] Provides for rotated static key is generated during the paused state.)

Communicating, from user space software to the network communication device, a private session key (Li: [0044]-[0046], [0049], [0053], [0072] and [0087] Provides for transmission of cryptographic keys from a TEE (user space software) to a NIC.)

Receiving, by the user space software from the network communication device, a status message indicating that reception and storage of the private session key by the network communication device is complete (Li: [0052]-[0058] Provides for acknowledgment of successful key reception and storage.)

Restarting the paused communication session based on the receiving of the status message (Li: [0052]-[0058] and [0060]-[0069] and Figs. 2-3 Provides for the transition from the initialization stage (Figure 2) to the operation stage (Figure 3) represents the restart of communication sessions.)

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Daly, which disclose offloading protocol stack functions to a network communication device and communicating key indices from user space software for the device to retrieve keys from a secure storage, with the teachings of Li, which disclose directly sending a private session key from user space software to a network communication device. One of ordinary skill in the art would recognize the ability to directly transmit the private session key to simplify the key retrieval process and enhance the speed and security of the encryption and decryption processes in network communications. One of ordinary skill in the art would be motivated to make this modification to reduce the overhead of key indexing and improve the efficiency of secure communication setups.
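As an added illustration of the sequence the examiner maps onto Li (pause the session, generate a private session key while paused, send it to the network communication device over the port the operating system space provided, restart on the device's status message) together with the n-tuple keying of claims 2, 9 and 16, here is a constructed Python simulation; it is not code from the application, Daly, Li, Rogers or Kumar. The HMAC-based cipher, the Nic and UserSpaceSoftware classes, the port number, addresses and the KEY_STORED status value are assumptions standing in for a real NIC's AES-GCM offload and its actual status format.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

NONCE_LEN, TAG_LEN = 12, 16

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a constructed stand-in for the NIC's AES-GCM engine."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes):
    """Verify the tag before decrypting; return None on a wrong key or tampered packet."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

@dataclass
class Nic:
    """Network communication device: holds the offloaded stack and the key table."""
    keys: dict = field(default_factory=dict)  # n-tuple -> private session key

    def install_key(self, port: int, ntuple: tuple, key: bytes) -> dict:
        self.keys[ntuple] = key  # key stored in association with the n-tuple (claims 2/9/16)
        return {"port": port, "status": "KEY_STORED"}  # status message back to user space

    def tx(self, ntuple: tuple, packet: bytes) -> bytes:
        # header processing would happen here; then the stored key seals the packet
        return seal(self.keys[ntuple], packet)

    def rx(self, ntuple: tuple, blob: bytes):
        return unseal(self.keys[ntuple], blob)  # decrypt inbound, then hand to user space

@dataclass
class UserSpaceSoftware:
    port: int       # port identifier handed over by the operating system space (assumed)
    ntuple: tuple   # (source IP, destination IP) for the session (constructed values)
    nic: Nic
    state: str = "ACTIVE"
    key: bytes = b""

    def rekey(self) -> bytes:
        """Pause, generate a private session key, send it via the port, restart on status."""
        self.state = "PAUSED"
        self.key = secrets.token_bytes(32)
        status = self.nic.install_key(self.port, self.ntuple, self.key)
        if status["port"] == self.port and status["status"] == "KEY_STORED":
            self.state = "ACTIVE"
        return self.key

def run_session() -> dict:
    """Constructed walk-through: provision a key, exchange a packet, then rotate the key."""
    nic = Nic()
    app = UserSpaceSoftware(port=4433, ntuple=("10.0.0.1", "10.0.0.2"), nic=nic)
    client_key = app.rekey()                  # client end of the tunnel holds the same key
    at_client = unseal(client_key, nic.tx(app.ntuple, b"GET /status"))
    inbound = nic.rx(app.ntuple, seal(client_key, b"200 OK"))  # client's reply via tunnel
    app.rekey()                               # rotate: packets under the old key must fail
    stale = nic.rx(app.ntuple, seal(client_key, b"replayed"))
    return {"state": app.state, "at_client": at_client, "inbound": inbound, "stale": stale}
```

The user space object keeps the key only as a local value passed straight to the device, while the operating system space contributed nothing but the port number; the final `stale` check shows a packet sealed under the superseded key being rejected after rotation.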
Daly in view of Li does not explicitly disclose allocating, by a data processing system, a first portion of a memory to a user space, wherein, the memory is associated with a virtual machine hosted by the data processing system, a second portion of the memory is allocated for an operating system space, the first portion of the memory is different from the second portion of the memory, and the user space software is stored and executed in the user space allocated to the first portion of the memory. However, Rogers teaches:

Allocating, by a data processing system, a first portion of a memory to a user space, wherein the memory is associated with a virtual machine hosted by the data processing system (Rogers: [0059] Provides for allocating a secure region of system memory to a trusted execution environment (TEE). It also further provides memory associated with a virtual machine hosted by the system.)

A second portion of the memory is allocated for an operating system space (Rogers: [0059]-[0060] Provides for a portion of memory that is unsecure (operating system space) where the hypervisor (system software layer) operates, which is different from the secure memory used by the virtual machine.)

The first portion of the memory is different from the second portion of the memory (Rogers: [0059] Provides for secure memory regions (first portion) that are encrypted and used for application data within the TEE, and unsecure memory regions (second portion) that are accessible to the hypervisor and system components.)

The user space software is stored and executed in the user space allocated to the first portion of the memory (Rogers: [0058]-[0061] Provides for applications executing within the TEE (user space) which is allocated to the secure portion of memory.)

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Daly in view of Li, which together provide a method for offloading protocol stack functions to network devices with direct private session key transmission, with the teachings of Rogers, which introduces memory allocation schemes for virtual machines with separate user space and operating system space regions. One of ordinary skill in the art would recognize the ability to incorporate Rogers's secure memory allocation architecture into the combined network communication system to enhance security isolation between user applications and system components. One of ordinary skill in the art would be motivated to make this modification in order to improve security by isolating user space software handling cryptographic keys from operating system components.

In reference to claim 17, The computer program product of claim 15, wherein the program code is executable by the data processing system to initiate the operations further comprising: receiving from an operating system space a port identifier for a port provided by the operating system space to be used by the user space software for a communication session (Daly: [0066] and [0084] Provides for the network device receiving a socket handle from the OS, which includes a connection identifier.)

Wherein the communicating, from the user space software to the network communication device, the private session key comprises communicating, from the user space software to the network communication device, the private session key via the port identified by the port identifier (Daly: [0070], [0087] and [0095] Provides for receiving buffers and packet reception events which teaches the use of port identifiers for communication.)
In reference to claim 18, The computer program product of claim 17, wherein the communicating, from the user space software to the network communication device, the outbound session packets comprises communicating the outbound session packets to the network communication device via the port identified by the port identifier (Daly: [0087] Provides for communicating outbound data from user space to the network device using a specific interface (TX offload interface). Daly paragraph [0084] further provides for how the communication channel is established and identified. The socket handle, which includes a connection identifier, is associated with specific hardware queues for transmitting messages.)

In reference to claim 19, The computer program product of claim 17, wherein the program code is executable by the data processing system to initiate the operations further comprising: receiving, by the user space software from the network communication device, via the port identified by the port identifier, a status message indicating that reception and storage of the private session key by the network communication device is complete (Daly: [0063] and [0093] Provides for acknowledgment packets indicating receipt of data which teaches status messages indicating the completion of key reception and storage.)

In reference to claim 20, The computer program product of claim 15, wherein the communicating, from the user space software to the network communication device, the private session key comprises communicating, from the user space software to the network communication device, the private session key via a programming interface provided in the virtual machine by an input/output virtualization framework (Daly: [0022], [0064], [0067] and [0070] Provides for Infrastructure Programmer's Development Kit (IPDK) for sharing state information between the OS and network interface device which teaches communicating the private session key via a programming interface provided in a virtual machine by an input/output virtualization framework. The IPDK facilitates communication between the OS and the network interface device.)

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2, 9 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Daly et al. (US 20220103530 A1, referred to as Daly), in view of Li et al. (US 20200220713 A1, referred to as Li) in further view of Rogers et al. (US 20230103518 A1) in further view of Kumar et al. (US 20170063808 A1, referred to as Kumar).

In reference to claim 2, The computer implemented method of claim 1, further comprising: communicating, from the user space software to the network communication device, an n-tuple, the n-tuple comprising data indicating a source IP address and a destination IP address, wherein the network communication device stores the n-tuple in association with the private session key to a software stack of the network communication device (Kumar: [0003] and [0037] Provides for storing "IPSec endpoint addresses" (source/destination IPs) along with "keys and certificates" in configuration storage, and mentions "connection information" being sent to the NIC with packets.)

In reference to claim 9, The system of claim 8, the executable operations further comprising: communicating, from the user space software to the network communication device, an n-tuple, the n-tuple comprising data indicating a source IP address and a destination IP address, wherein the network communication device stores the n-tuple in association with the private session key to a software stack of the network communication device (Kumar: [0003] and [0037] Provides for storing "IPSec endpoint addresses" (source/destination IPs) along with "keys and certificates" in configuration storage, and mentions "connection information" being sent to the NIC with packets.)
In reference to claim 16, The computer program product of claim 15, wherein the program code is executable by the data processing system to initiate operations further comprising: communicating, from the user space software to the network communication device, an n-tuple, the n-tuple comprising data indicating a source IP address and a destination IP address, wherein the network communication device stores the n-tuple in association with the private session key to a software stack of the network communication device (Kumar: [0003] and [0037] Provides for storing "IPSec endpoint addresses" (source/destination IPs) along with "keys and certificates" in configuration storage, and mentions "connection information" being sent to the NIC with packets.)

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892.

Applicant's amendment necessitated the new ground(s) of rejection presented in this office action. Accordingly, THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to AIDAN EDWARD SHAUGHNESSY whose telephone number is (703)756-1423. The examiner can normally be reached on Monday-Friday from 7:30am to 5pm. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jeffrey Nickerson, can be reached at telephone number (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from Patent Center and the Private Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from Patent Center or Private PAIR. Status information for unpublished applications is available through Patent Center and Private PAIR for authorized users only. Should you have questions about access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) Form at https://www.uspto.gov/patents/usptoautomated-interview-request-air-form.

/A.E.S./Examiner, Art Unit 2432
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432

Prosecution Timeline

Aug 08, 2022
Application Filed
Jul 12, 2024
Non-Final Rejection — §103
Oct 28, 2024
Response Filed
Jan 02, 2025
Final Rejection — §103
Feb 20, 2025
Interview Requested
Mar 05, 2025
Applicant Interview (Telephonic)
Mar 05, 2025
Examiner Interview Summary
Apr 14, 2025
Response after Non-Final Action
May 14, 2025
Request for Continued Examination
May 19, 2025
Response after Non-Final Action
Jul 29, 2025
Non-Final Rejection — §103
Oct 22, 2025
Interview Requested
Oct 28, 2025
Examiner Interview Summary
Oct 28, 2025
Applicant Interview (Telephonic)
Nov 06, 2025
Response Filed
Feb 26, 2026
Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12574412
METHOD AND SYSTEM FOR PROCESSING AUTHENTICATION REQUESTS
2y 5m to grant Granted Mar 10, 2026
Patent 12339956
ENDPOINT ISOLATION AND INCIDENT RESPONSE FROM A SECURE ENCLAVE
2y 5m to grant Granted Jun 24, 2025
Patent 12225029
AUTOMATIC IDENTIFICATION OF ALGORITHMICALLY GENERATED DOMAIN FAMILIES
2y 5m to grant Granted Feb 11, 2025

Prosecution Projections

5-6
Expected OA Rounds
38%
Grant Probability
99%
With Interview (+71.4%)
3y 7m
Median Time to Grant
High
PTA Risk
Based on 8 resolved cases by this examiner. Grant probability derived from career allow rate.
