DETAILED ACTION
Examiner acknowledges receipt of Applicant’s amendment filed on [THE RIGHT DATE]
Claims 1, 8, 18, and 20 are currently amended
Claims 1, 3-4, 6-21, and 31-32 are pending
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Amendment
Examiner has fully considered Applicant’s amendments to the Claims in the arguments filed on 03/16/2026. Claims 1, 3-4, 6-21, and 31-32 remain pending in the application. Examiner has withdrawn the claim objections based on the amendments.
Response to Arguments
Applicant’s arguments filed 03/16/2026, with respect to the rejections of independent claims 1, 18, and 20 and their corresponding dependent claims under 35 USC 103 have been fully considered and are persuasive. Therefore, the rejections have been withdrawn. However, upon further consideration, new grounds of rejection are made in view of the previously applied reference from Huck (US 20210281406 A1) in combination with at least the previously applied reference from Khanna. Huck is sufficient to cure the deficiencies of the previously applied references from Khanna and Chang noted in Applicant Arguments. Specifically, Huck teaches “the plurality of first cryptographic algorithms is selected according to a first control algorithm”, in addition to teaching limitations previously relying upon both or either of Khanna and Chang. Further, the combination of Huck and Khanna is sufficient to teach the limitation(s) “wherein the first control algorithm specifies that the plurality of first cryptographic algorithms are applied in parallel … wherein the second control algorithm specifies that the plurality of second cryptographic algorithms are applied in parallel”.
Regarding Applicant’s Argument, beginning on P. 23 of Applicant Arguments, that Chang is not sufficient to teach “wherein a number of the plurality of first cryptographic algorithms is larger than a number of the one or more second cryptographic algorithms” of dependent claim 32, Examiner respectfully disagrees. Relevant teaching from Chang with respect to this limitation includes: “ [0012]: … performing, by a multiple cryptography algorithm set section, a plurality of selected cryptography algorithms in a selected sequence on the input data, wherein the selected cryptography algorithms or the selected sequence or both are determined by the security level parameter, and wherein the selected cryptography algorithms are performed using the plurality of cryptography keys; [0020] Embodiments of the present invention provide a reconfigurable and scalable encryption/decryption system … The encrypted data can only be fully and correctly decrypted with the correct algorithms in the correct sequence (as determined by one or more security level parameters) and the corresponding encryption/decryption keys. With incorrect algorithm set or encryption/decryption keys, the data cannot be decrypted or can only be partially decrypted; [0029] … As an alternative structure (not shown), the key processor 14 receives the security level parameters as an input, and selectively generates only the encryption keys that will be used by the multiple encryption algorithm set section 13 and the encryption enabled entropy encoding section 12 based on the security level parameters; [0032] … the key processor 24 may receive the security level parameters and only generate the necessary decryption keys based on the security level parameters”. The emphasized portions of the passages cited above highlight an explicit contemplation of partial decryption, achievable by applying fewer cryptographic algorithms in decryption than were applied for encryption.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1, 3, 4, 6-7, 14, 16-18, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Huck (US 20210281406 A1), hereinafter Huck, in view of Khanna (US 20200389289 A1), hereinafter Khanna.
Regarding Claim 1:
Huck teaches a method for exchanging data between a provider cryptosystem and a receiver cryptosystem, comprising (Huck – Paragraph [0118]: A “computer system” may refer to a system having … two or more computer systems connected together via a network for transmitting and/or receiving information between the computer systems; and Paragraph [0134]: The disclosed embodiments generally relate to the encryption and subsequent decryption of computer-based data using a set of keys and/or key-based algorithm pairs) computing composite cryptographic data by executing a plurality of first cryptographic algorithms (Huck – Paragraph [0002]: One or more embodiments of the invention generally relate to a cryptographic security system using data partitioning and configurable key-based encryption and/or decryption. More particularly, certain embodiments of the invention permit for data from a file or stream to be broken into multiple parts or partitions where a different key and key-based algorithm is applied to each partition during encryption and/or decryption), wherein the composite cryptographic data are computed as a function of input data (Huck – Paragraph [0136]: In the present embodiment, by way of example and not limitation, data, e.g., raw data and/or encrypted data, may be input into a cryptographic system 100 via a data handler 102, which as understood in the art and as defined herein refers to a reusable transformation logic independent of a specific transport protocol); wherein the plurality of first cryptographic algorithms is selected according to a first control algorithm (Huck – Paragraph [0162]: As shown in FIG. 1, in an embodiment, the cryptography handler 106 may accept, for example, without limitation, any one or more of session keys and/or cryptographic algorithm identifiers from security controller 110, data partitions from partition handler 104 to store key-based cryptography algorithms therein. Generally, key-based cryptography algorithms refer to software-related and/or data modules and can be manually created, read from local storage, or be otherwise acquired from an outside source. A cryptography module, in an embodiment, may have at least one or more selected from a group including the following: a single algorithm, a family of related algorithms or multiple cryptographic algorithms. A key-based cryptographic module may accept data, a key and the cryptographic operation, encryption or decryption, to perform. In an embodiment, the cryptography handler stores a list of identifiers for each of the configured key-based cryptographic modules and the algorithms they contain and provides the list to security controller 110, which provides the keys and identifiers for the algorithms that will be used to encrypt or decrypt the data during an encryption or decryption session, respectively); providing the composite cryptographic data from the provider cryptosystem to the receiver cryptosystem (Huck – Paragraph [0157]: FIG. 3 illustrates an exemplary partition handler during a decryption and/or a partitioning algorithm operation in accordance with an embodiment of the present invention. In the present embodiment, a system 300 includes a partition handler 302 performing a decryption and/or a partitioning algorithm operation in which encrypted data 304 may have been encrypted by, for example (but without limitation thereto), any combination of one or more of the cryptography handler 106 shown in FIG. 1 and/or the like); computing results data using the receiver cryptosystem as a function of the composite cryptographic data by applying one or more second cryptographic algorithms (Huck – Paragraph [0157]: Implementation of the cryptographic algorithms and/or rules to the raw data in partitions 212 may, in an embodiment, include usage of keys, pads and media that are combined in unique and different ways to create rules, where each rule thereof may determine how and how much data to process. Rules can also reference other rules and can be of arbitrary complexity. Decryption may involve process knowledge of what algorithms, keys, pads and media were used or applied, how they were used, and in what particular order), wherein the one or more second cryptographic algorithms is at least one of: selected according to a second control algorithm, and combined according to the second control algorithm (Huck – Paragraph [0157]: Implementation of the cryptographic algorithms and/or rules to the raw data in partitions 212 may, in an embodiment, include usage of keys, pads and media that are combined in unique and different ways to create rules, where each rule thereof may determine how and how much data to process. Rules can also reference other rules and can be of arbitrary complexity. Decryption may involve process knowledge of what algorithms, keys, pads and media were used or applied, how they were used, and in what particular order; and Paragraph [0172]: Additional distinctions and/or advantages offered by multi-algorithmic cryptography and related techniques and/or methods may include at least the following: each rule in a given rule set may define how much of a data stream or file may be processed during encryption, decryption and pad generation and only a subset of the rule set may be used … rules must be reversible to be used for encryption and decryption operations; and Paragraph [0176]: Accordingly, passage of encrypted data contained in partition P1 from partition queue 504 produces decrypted module 508 containing data “ABKL” pursuant to decryption applying in reverse, for example (but without limitation thereto), the second rule 210 (also referred to as “Rule 2” in partitioning module 206 shown in FIG. 2)); and automatically executing a software and/or hardware function using the receiver cryptosystem according to the results data (Huck – Paragraph [0178]: The decrypted partitions 508-516 may then be passed to post-decryption rule 518 which, as described earlier, performs post-decryption processing, in this case reassembling non-contiguous part into decrypted data 520, which, in an embodiment, may match or otherwise equal original data. As an alternative, (not shown in FIG. 5), the decrypted partitions 508-516 may be passed back to a partition handler, such as partition handler 104 for data reassembly and post-decryption processing).
Huck does not expressly teach wherein the first control algorithm specifies that the plurality of first cryptographic algorithms are applied in parallel to the input data or parts of the input data, and wherein the second control algorithm specifies that the plurality of second cryptographic algorithms are applied in parallel to the composite cryptographic data or parts of the composite cryptographic data.
However, Khanna teaches wherein the first control algorithm specifies that the plurality of first cryptographic algorithms are applied in parallel to the input data or parts of the input data (Khanna – Paragraph [0032]: The variable layout cryptography system may split the received data into one or more portions based on the information stored in the metadata of the primary encryption key/primary decryption key i.e. the data is split into one or more portions based on the number of parallel nodes defined in the metadata. The splitting of the data into one or more portions increases encryption and decryption speed as each segment can be handled in parallel), and wherein the second control algorithm specifies that the plurality of second cryptographic algorithms are applied in parallel to the composite cryptographic data or parts of the composite cryptographic data (Khanna – Paragraph [0032]: The variable layout cryptography system may split the received data into one or more portions based on the information stored in the metadata of the primary encryption key/primary decryption key i.e. the data is split into one or more portions based on the number of parallel nodes defined in the metadata. The splitting of the data into one or more portions increases encryption and decryption speed as each segment can be handled in parallel).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Huck, further incorporating Khanna to arrive at the conclusion of the claimed invention. One would be motivated to incorporate Khanna’s teaching to apply cryptographic operations in parallel based on a control algorithm of the operations into Huck’s method for securely exchanging data between two cryptosystems. In view of Huck’s partitioning of data to apply different cryptographic algorithms to different partitions of the data, one of ordinary skill in the art would be motivated to incorporate Khanna’s teaching to apply the cryptographic functions in parallel in order to increase encryption and decryption speed.
Regarding Claim 3:
The combination of Huck and Khanna teaches the computer-implemented method according to claim 1.
Huck further teaches wherein the provider cryptosystem implements a plurality of first control algorithms; and/or - wherein the receiver cryptosystem implements a plurality of second control algorithms (Huck – Paragraph [0162]: As shown in FIG. 1, in an embodiment, the cryptography handler 106 may accept, for example, without limitation, any one or more of session keys and/or cryptographic algorithm identifiers from security controller 110, data partitions from partition handler 104 to store key-based cryptography algorithms therein. Generally, key-based cryptography algorithms refer to software-related and/or data modules and can be manually created, read from local storage, or be otherwise acquired from an outside source. A cryptography module, in an embodiment, may have at least one or more selected from a group including the following: a single algorithm, a family of related algorithms or multiple cryptographic algorithms. A key-based cryptographic module may accept data, a key and the cryptographic operation, encryption or decryption, to perform. In an embodiment, the cryptography handler stores a list of identifiers for each of the configured key-based cryptographic modules and the algorithms they contain and provides the list to security controller 110, which provides the keys and identifiers for the algorithms that will be used to encrypt or decrypt the data during an encryption or decryption session, respectively).
The motivation to combine the arts is the same as that of Claim 1.
Regarding Claim 4:
The combination of Huck and Khanna teaches the computer-implemented method according to claim 1.
Huck further teaches wherein at least one of the first cryptographic algorithms is an encryption, signing, or key agreement algorithm (Huck – Paragraph [0162]: As shown in FIG. 1, in an embodiment, the cryptography handler 106 may accept, for example, without limitation, any one or more of session keys and/or cryptographic algorithm identifiers from security controller 110, data partitions from partition handler 104 to store key-based cryptography algorithms therein. Generally, key-based cryptography algorithms refer to software-related and/or data modules and can be manually created, read from local storage, or be otherwise acquired from an outside source. A cryptography module, in an embodiment, may have at least one or more selected from a group including the following: a single algorithm, a family of related algorithms or multiple cryptographic algorithms. A key-based cryptographic module may accept data, a key and the cryptographic operation, encryption or decryption, to perform. In an embodiment, the cryptography handler stores a list of identifiers for each of the configured key-based cryptographic modules and the algorithms they contain and provides the list to security controller 110, which provides the keys and identifiers for the algorithms that will be used to encrypt or decrypt the data during an encryption or decryption session, respectively), and wherein at least one of the one or more second cryptographic algorithms is a decryption, signature verification, and key agreement algorithm complementary to the at least one first cryptographic algorithm (Huck – Paragraph [0162]: As shown in FIG. 1, in an embodiment, the cryptography handler 106 may accept, for example, without limitation, any one or more of session keys and/or cryptographic algorithm identifiers from security controller 110, data partitions from partition handler 104 to store key-based cryptography algorithms therein. Generally, key-based cryptography algorithms refer to software-related and/or data modules and can be manually created, read from local storage, or be otherwise acquired from an outside source. A cryptography module, in an embodiment, may have at least one or more selected from a group including the following: a single algorithm, a family of related algorithms or multiple cryptographic algorithms. A key-based cryptographic module may accept data, a key and the cryptographic operation, encryption or decryption, to perform. In an embodiment, the cryptography handler stores a list of identifiers for each of the configured key-based cryptographic modules and the algorithms they contain and provides the list to security controller 110, which provides the keys and identifiers for the algorithms that will be used to encrypt or decrypt the data during an encryption or decryption session, respectively).
The motivation to combine the arts is the same as that of Claim 1.
Regarding Claim 6:
The combination of Huck and Khanna teaches the computer-implemented method according to claim 1.
Huck further teaches wherein at least the first control algorithm contains Boolean operators and/or arithmetic operators connecting the plurality of the first cryptographic algorithms to one another, wherein the operators specify how to combine cryptographic data output by each of the plurality of first cryptographic algorithms to obtain the composite cryptographic data, and/or wherein the second control algorithm contains Boolean operators and/or arithmetic operators which connect a plurality of the second cryptographic algorithms to one another such that their combined application to the provided composite cryptographic data and/or to an output of a previously executed second cryptographic algorithm results in data processing functionally complementary to the execution of the first cryptographic algorithms (Huck – Figures 2-5: illustrations of partitions of input data/encrypted data to be processed according to rules defined by a policy (control algorithm); and Paragraph [0196]: Generally, the multi-algorithmic cryptography service 702 refers to software that applies a set of rules, consisting of multiple partitioning algorithms, cryptographic keys, and key-based algorithms, to encrypt and decrypt data in discrete parts providing message secrecy, integrity and authenticity for communications and storage. In an embodiment, the multi-algorithmic cryptography service 702 may include a set of rules with each rule containing a unique combination of algorithms, cryptographic keys, data sizes, initial offsets, and counters that are used to encrypt and decrypt data. By way of example and not limitation, rules may: be arbitrarily complex and may reference other rules; use any existing cryptographic methods; and make modifications to the rule set including destruction of rules and self-modification).
The motivation to combine the arts is the same as that of Claim 1.
Regarding Claim 7:
The combination of Huck and Khanna teaches the computer-implemented method according to claim 1.
Huck further teaches wherein the first and/or second control algorithm have an identifier (Huck – Paragraph [0162]: As shown in FIG. 1, in an embodiment, the cryptography handler 106 may accept, for example, without limitation, any one or more of session keys and/or cryptographic algorithm identifiers from security controller 110, data partitions from partition handler 104 to store key-based cryptography algorithms therein … the cryptography handler stores a list of identifiers for each of the configured key-based cryptographic modules and the algorithms they contain and provides the list to security controller 110, which provides the keys and identifiers for the algorithms that will be used to encrypt or decrypt the data during an encryption or decryption session, respectively).
Khanna further teaches wherein the first and/or second control algorithm … selected from a group comprising: … DATA ENCYPTION ITERATIVE ... DATA ENCRYPTION PARALLEL … (Khanna – Paragraph [0032]: The variable layout cryptography system may split the received data into one or more portions based on the information stored in the metadata of the primary encryption key/primary decryption key i.e. the data is split into one or more portions based on the number of parallel nodes defined in the metadata. The splitting of the data into one or more portions increases encryption and decryption speed as each segment can be handled in parallel; and Paragraph [0048]: The data portion management unit 204b is in communication with the primary key generation unit 204a. The data portion management unit 204b is configured to split the received data into one or more portions based on the information (number of series nodes and number of parallel nodes) stored in the primary encryption key and the primary decryption key generated by the primary key generation unit 204a … The splitting of the data into one or more portions may help in parallel and serial processing of the data that further helps in reducing time required for data processing).
The motivation to combine the arts is the same as that of Claim 1.
Regarding Claim 14:
The combination of Huck and Khanna teaches the computer-implemented method according to claim 1.
Khanna further teaches wherein the plurality of first cryptographic algorithms comprises a plurality of cryptographic encryption algorithms according to a plurality of different encryption procedures (Khanna – Paragraph [0038]: the variable layout cryptography system 112, upon receiving the data to be encrypted, may selectively function to encrypt the received data. The variable layout cryptography system 112 may first generate a primary encryption key for encrypting the data. The primary encryption key may include metadata and one or more key-blocks. The metadata is a block provided in the primary key that includes information about structure of a cryptographic algorithm, such as number of series nodes, number of parallel nodes and private key checksums (in case the cryptographic algorithm is an asymmetric cryptographic algorithm) and the cryptographic algorithm that may be used by the variable layout cryptography system 112 for data encryption. It should be noted that the cryptographic algorithm can be any known symmetric and asymmetric cryptographic algorithm or combination of them, such as Data Encryption Standard (DES) algorithm, Rivest-Shamir-Adleman (RSA) encryption algorithm, Blowfish, Twofish, Advanced Encryption Standard (AES) etc. The symmetric cryptographic algorithm uses symmetric cryptography in which a single key is used for both encryption and decryption of data. The asymmetric cryptographic algorithm uses asymmetric cryptography in which a public-private key pair is used for encryption and decryption of the data. The data that is encrypted using a public key can only be decrypted using a specific private key in the key pair, while also, the data encrypted using a private key can be only decrypted using a specific public key in the key pair. The one or more key-blocks include one or more keys that may be used for data encryption. The variable layout cryptography system 112 may then split the received data into one or more equal portions based on the parallel nodes defined in the metadata; wherein the plurality of second cryptographic algorithms comprises a plurality of cryptographic decryption algorithms corresponding to the plurality of different encryption procedures (Khanna – Paragraph [0040]: The variable layout cryptography system 112 provided on the user device 108 may perform the decryption of the encrypted data sent by the user 102 using the user device 104. The variable layout cryptography system 112 may first generate a primary decryption key for decrypting the received encrypted data using the one or more secondary keys sent by the user device 104 along with the encrypted data … The primary decryption key may include metadata and one or more key-blocks. The one or more key-blocks include one or more secondary keys that may be used for data decryption. The variable layout cryptography system 112 may then split the received encrypted data into one or more portions based on the number of parallel nodes defined in the metadata of the primary decryption key generated for decrypting the encrypted data … the variable layout cryptography system 112 may decrypt each portion of the one or more portions with a secondary key of the one or more secondary keys using the same cryptographic algorithm that is used at the time of data encryption. The decrypted portions are then combined in a serial order to form the decrypted data).
The motivation to combine the arts is the same as that of Claim 1.
Regarding Claim 16:
The combination of Khanna and Chang teaches the computer-implemented method according to claim 1.
Huck further teaches providing a template of the second control algorithm by the receiver cryptosystem … and specifies how outputs of the second cryptographic algorithms are combined to obtain the results data (Huck – Figures 3 and 5: illustrations of partition and cryptography handler for processing partitioned encrypted data according to rules); and in response to the receipt, by the receiver cryptosystem, of the composite cryptographic data and parameters associated therewith, generating the second control algorithm by supplementing the template with the algorithm designators of the second control algorithms contained in the parameters, wherein the second cryptographic algorithms selected and/or combined by the second control algorithm are selected based on the algorithm designators (Huck – Paragraph [0143]: The partition handler 102 may create a list of identifiers for each of the configured partitioning algorithms and provides the list to the security controller 110, the list then being used to determine an algorithm identifier therefrom. Identifiers could be the name of a specific module, e.g., VegasShufflel or Stripe20303020, or an index into a local or remote rule store. The partition module will have the encryption rule and the decryption rule. For simple algorithms, it may be the same rule (divide by 2, acquire 2000 bytes of data), for more complex algorithms, it may be the same set of rules done in reverse; and Paragraph [0162]: the cryptography handler 106 may accept, for example, without limitation, any one or more of session keys and/or cryptographic algorithm identifiers from security controller 110, data partitions from partition handler 104 to store key-based cryptography algorithms therein. Generally, key-based cryptography algorithms refer to software-related and/or data modules and can be manually created, read from local storage, or be otherwise acquired from an outside source. A cryptography module, in an embodiment, may have at least one or more selected from a group including the following: a single algorithm, a family of related algorithms or multiple cryptographic algorithms. A key-based cryptographic module may accept data, a key and the cryptographic operation, encryption or decryption, to perform. In an embodiment, the cryptography handler stores a list of identifiers for each of the configured key-based cryptographic modules and the algorithms they contain and provides the list to security controller 110, which provides the keys and identifiers for the algorithms that will be used to encrypt or decrypt the data during an encryption or decryption session, respectively).
Khanna further teaches wherein the template specifies that the second cryptographic algorithms are to be applied in parallel (Khanna – Paragraph [0032]: The variable layout cryptography system may split the received data into one or more portions based on the information stored in the metadata of the primary encryption key/primary decryption key i.e. the data is split into one or more portions based on the number of parallel nodes defined in the metadata. The splitting of the data into one or more portions increases encryption and decryption speed as each segment can be handled in parallel; and Paragraph [0048]: The data portion management unit 204b is in communication with the primary key generation unit 204a. The data portion management unit 204b is configured to split the received data into one or more portions based on the information (number of series nodes and number of parallel nodes) stored in the primary encryption key and the primary decryption key generated by the primary key generation unit 204a … The splitting of the data into one or more portions may help in parallel and serial processing of the data that further helps in reducing time required for data processing).
The motivation to combine the arts is the same as that of Claim 1.
Regarding Claim 17:
The combination of Huck and Khanna teaches the computer-implemented method according to claim 1.
Khanna further teaches wherein the input data include a text, a parameter of a cryptographic method, and/or a cryptographic key (Khanna – Paragraph [0037]: The user 102 may provide the data to be encrypted to the variable layout cryptography system 112 using an input and/or output (I/O) device. Examples of the I/O devices may include input devices, such as a keyboard, mouse, scanner, microphone etc., and the output devices, such as a printer, display, etc.; and Paragraph [0078]: At operation 702, the variable layout cryptography system 200 receives text data ‘plaintxt’ that needs to be encrypted).
The motivation to combine the arts is the same as that of Claim 1.
Regarding Claim 18:
Huck teaches a provider cryptosystem comprising:(Huck – Paragraph [0118]: A “computer system” may refer to a system having … two or more computer systems connected together via a network for transmitting and/or receiving information between the computer systems; and Paragraph [0134]: The disclosed embodiments generally relate to the encryption and subsequent decryption of computer-based data using a set of keys and/or key-based algorithm pairs) a volatile or non-volatile storage medium comprising (Huck – Paragraph [0130]: Embodiments within the scope of the present disclosure may also include tangible and/or non-transitory computer-readable storage media for carrying or having computer-executable instructions or data structures stored thereon. Such non-transitory computer-readable storage media can be any available media that can be accessed by a general purpose or special purpose computer, including the functional design of any special purpose processor as discussed above. By way of example, and not limitation, such non-transitory computer-readable media can include RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to carry or store desired program code means in the form of computer-executable instructions, data structures, or processor chip design): a plurality of first cryptographic algorithms and at least one first control algorithm (Huck – Paragraph [0002]: One or more embodiments of the invention generally relate to a cryptographic security system using data partitioning and configurable key-based encryption and/or decryption. More particularly, certain embodiments of the invention permit for data from a file or stream to be broken into multiple parts or partitions where a different key and key-based algorithm is applied to each partition during encryption and/or decryption; and Paragraph [0162]: As shown in FIG. 1, in an embodiment, the cryptography handler 106 may accept, for example, without limitation, any one or more of session keys and/or cryptographic algorithm identifiers from security controller 110, data partitions from partition handler 104 to store key-based cryptography algorithms therein. Generally, key-based cryptography algorithms refer to software-related and/or data modules and can be manually created, read from local storage, or be otherwise acquired from an outside source. A cryptography module, in an embodiment, may have at least one or more selected from a group including the following: a single algorithm, a family of related algorithms or multiple cryptographic algorithms. A key-based cryptographic module may accept data, a key and the cryptographic operation, encryption or decryption, to perform. In an embodiment, the cryptography handler stores a list of identifiers for each of the configured key-based cryptographic modules and the algorithms they contain and provides the list to security controller 110, which provides the keys and identifiers for the algorithms that will be used to encrypt or decrypt the data during an encryption or decryption session, respectively), wherein the at least one first control algorithm is a computational rule for selecting two or more of the first cryptographic algorithms (Huck – Paragraph [0162]: As shown in FIG. 1, in an embodiment, the cryptography handler 106 may accept, for example, without limitation, any one or more of session keys and/or cryptographic algorithm identifiers from security controller 110, data partitions from partition handler 104 to store key-based cryptography algorithms therein. Generally, key-based cryptography algorithms refer to software-related and/or data modules and can be manually created, read from local storage, or be otherwise acquired from an outside source. A cryptography module, in an embodiment, may have at least one or more selected from a group including the following: a single algorithm, a family of related algorithms or multiple cryptographic algorithms. A key-based cryptographic module may accept data, a key and the cryptographic operation, encryption or decryption, to perform. In an embodiment, the cryptography handler stores a list of identifiers for each of the configured key-based cryptographic modules and the algorithms they contain and provides the list to security controller 110, which provides the keys and identifiers for the algorithms that will be used to encrypt or decrypt the data during an encryption or decryption session, respectively); at least one hardware processor configured to (Huck – Paragraph [0100]: A “computer” may refer to one or more apparatus and/or one or more systems that are capable of accepting a structured input, processing the structured input according to prescribed rules, and producing results of the processing as output. Examples of a computer may include: a computer; a stationary and/or portable computer; a computer having a single processor, multiple processors, or multi-core processors, which may operate in parallel and/or not in parallel): generate input data (Huck – Paragraph [0100]: A “computer” may refer to … an apparatus that may accept data, process data according to one or more stored software programs, generate results, and typically include input, output, storage, arithmetic, logic, and control units); compute composite cryptographic data by executing a plurality of the first cryptographic algorithms (Huck – Paragraph [0002]: One or more embodiments of the invention generally relate to a cryptographic security system using data partitioning and configurable key-based encryption and/or decryption. More particularly, certain embodiments of the invention permit for data from a file or stream to be broken into multiple parts or partitions where a different key and key-based algorithm is applied to each partition during encryption and/or decryption), wherein the composite cryptographic data are computed as a function of input data (Huck – Paragraph [0136]: In the present embodiment, by way of example and not limitation, data, e.g., raw data and/or encrypted data, may be input into a cryptographic system 100 via a data handler 102, which as understood in the art and as defined herein refers to a reusable transformation logic independent of a specific transport protocol); wherein the plurality of first cryptographic algorithms are selected according to the at least one first control algorithm (Huck – Paragraph [0162]: As shown in FIG. 1, in an embodiment, the cryptography handler 106 may accept, for example, without limitation, any one or more of session keys and/or cryptographic algorithm identifiers from security controller 110, data partitions from partition handler 104 to store key-based cryptography algorithms therein. Generally, key-based cryptography algorithms refer to software-related and/or data modules and can be manually created, read from local storage, or be otherwise acquired from an outside source. A cryptography module, in an embodiment, may have at least one or more selected from a group including the following: a single algorithm, a family of related algorithms or multiple cryptographic algorithms. A key-based cryptographic module may accept data, a key and the cryptographic operation, encryption or decryption, to perform. In an embodiment, the cryptography handler stores a list of identifiers for each of the configured key-based cryptographic modules and the algorithms they contain and provides the list to security controller 110, which provides the keys and identifiers for the algorithms that will be used to encrypt or decrypt the data during an encryption or decryption session, respectively); and provide the composite cryptographic data from the provider cryptosystem to a receiver cryptosystem (Huck – Paragraph [0157]: FIG. 3 illustrates an exemplary partition handler during a decryption and/or a partitioning algorithm operation in accordance with an embodiment of the present invention. In the present embodiment, a system 300 includes a partition handler 302 performing a decryption and/or a partitioning algorithm operation in which encrypted data 304 may have been encrypted by, for example (but without limitation thereto), any combination of one or more of the cryptography handler 106 shown in FIG. 1 and/or the like).
Huck does not expressly teach wherein the at least one first control algorithm specifies that the plurality of first cryptographic algorithms are applied in parallel to the input data or parts of the input data.
However, Khanna teaches wherein the at least one first control algorithm specifies that the plurality of first cryptographic algorithms are applied in parallel to the input data or parts of the input data (Khanna – Paragraph [0032]: The variable layout cryptography system may split the received data into one or more portions based on the information stored in the metadata of the primary encryption key/primary decryption key i.e. the data is split into one or more portions based on the number of parallel nodes defined in the metadata. The splitting of the data into one or more portions increases encryption and decryption speed as each segment can be handled in parallel).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Huck, further incorporating Khanna to arrive at the conclusion of the claimed invention. One would be motivated to incorporate Khanna’s teaching to apply cryptographic operations in parallel based on a control algorithm of the operations into Huck’s method for securely exchanging data between two cryptosystems. In view of Huck’s partitioning of data to apply different cryptographic algorithms to different partitions of the data, one of ordinary skill in the art would be motivated to incorporate Khanna’s teaching to apply the cryptographic functions in parallel in order to increase encryption and decryption speed.
Regarding Claim 20:
Huck teaches A receiver cryptosystem comprising: (Huck – Paragraph [0118]: A “computer system” may refer to a system having … two or more computer systems connected together via a network for transmitting and/or receiving information between the computer systems; and Paragraph [0134]: The disclosed embodiments generally relate to the encryption and subsequent decryption of computer-based data using a set of keys and/or key-based algorithm pairs) a volatile or non-volatile storage medium comprising (Huck – Paragraph [0130]: Embodiments within the scope of the present disclosure may also include tangible and/or non-transitory computer-readable storage media for carrying or having computer-executable instructions or data structures stored thereon. Such non-transitory computer-readable storage media can be any available media that can be accessed by a general purpose or special purpose computer, including the functional design of any special purpose processor as discussed above. By way of example, and not limitation, such non-transitory computer-readable media can include RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to carry or store desired program code means in the form of computer-executable instructions, data structures, or processor chip design): one or more second cryptographic algorithms and at least one second control algorithm (Huck – Paragraph [0002]: One or more embodiments of the invention generally relate to a cryptographic security system using data partitioning and configurable key-based encryption and/or decryption. More particularly, certain embodiments of the invention permit for data from a file or stream to be broken into multiple parts or partitions where a different key and key-based algorithm is applied to each partition during encryption and/or decryption; Huck – Paragraph [0157]: Implementation of the cryptographic algorithms and/or rules to the raw data in partitions 212 may, in an embodiment, include usage of keys, pads and media that are combined in unique and different ways to create rules, where each rule thereof may determine how and how much data to process. Rules can also reference other rules and can be of arbitrary complexity. Decryption may involve process knowledge of what algorithms, keys, pads and media were used or applied, how they were used, and in what particular order; and Paragraph [0172]: Additional distinctions and/or advantages offered by multi-algorithmic cryptography and related techniques and/or methods may include at least the following: each rule in a given rule set may define how much of a data stream or file may be processed during encryption, decryption and pad generation and only a subset of the rule set may be used … rules must be reversible to be used for encryption and decryption operations; and Paragraph [0176]: Accordingly, passage of encrypted data contained in partition P1 from partition queue 504 produces decrypted module 508 containing data “ABKL” pursuant to decryption applying in reverse, for example (but without limitation thereto), the second rule 210 (also referred to as “Rule 2” in partitioning module 206 shown in FIG. 2)), wherein the at least one second control algorithm is a computational rule for selecting one or more of the second cryptographic algorithms (Huck – Paragraph [0157]: Implementation of the cryptographic algorithms and/or rules to the raw data in partitions 212 may, in an embodiment, include usage of keys, pads and media that are combined in unique and different ways to create rules, where each rule thereof may determine how and how much data to process. Rules can also reference other rules and can be of arbitrary complexity. Decryption may involve process knowledge of what algorithms, keys, pads and media were used or applied, how they were used, and in what particular order; and Paragraph [0172]: Additional distinctions and/or advantages offered by multi-algorithmic cryptography and related techniques and/or methods may include at least the following: each rule in a given rule set may define how much of a data stream or file may be processed during encryption, decryption and pad generation and only a subset of the rule set may be used … rules must be reversible to be used for encryption and decryption operations; and Paragraph [0176]: Accordingly, passage of encrypted data contained in partition P1 from partition queue 504 produces decrypted module 508 containing data “ABKL” pursuant to decryption applying in reverse, for example (but without limitation thereto), the second rule 210 (also referred to as “Rule 2” in partitioning module 206 shown in FIG. 2)); at least one hardware processor configured to (Huck – Paragraph [0100]: A “computer” may refer to one or more apparatus and/or one or more systems that are capable of accepting a structured input, processing the structured input according to prescribed rules, and producing results of the processing as output. Examples of a computer may include: a computer; a stationary and/or portable computer; a computer having a single processor, multiple processors, or multi-core processors, which may operate in parallel and/or not in parallel): receive composite cryptographic data from a provider cryptosystem (Huck – Paragraph [0157]: FIG. 3 illustrates an exemplary partition handler during a decryption and/or a partitioning algorithm operation in accordance with an embodiment of the present invention. In the present embodiment, a system 300 includes a partition handler 302 performing a decryption and/or a partitioning algorithm operation in which encrypted data 304 may have been encrypted by, for example (but without limitation thereto), any combination of one or more of the cryptography handler 106 shown in FIG. 1 and/or the like); compute results data as a function of the composite cryptographic data by applying one or more of the second cryptographic algorithms (Huck – Paragraph [0157]: Implementation of the cryptographic algorithms and/or rules to the raw data in partitions 212 may, in an embodiment, include usage of keys, pads and media that are combined in unique and different ways to create rules, where each rule thereof may determine how and how much data to process. Rules can also reference other rules and can be of arbitrary complexity. Decryption may involve process knowledge of what algorithms, keys, pads and media were used or applied, how they were used, and in what particular order), wherein the one or more second cryptographic algorithms is selected according to one of the at least one second control algorithms (Huck – Paragraph [0157]: Implementation of the cryptographic algorithms and/or rules to the raw data in partitions 212 may, in an embodiment, include usage of keys, pads and media that are combined in unique and different ways to create rules, where each rule thereof may determine how and how much data to process. Rules can also reference other rules and can be of arbitrary complexity. Decryption may involve process knowledge of what algorithms, keys, pads and media were used or applied, how they were used, and in what particular order; and Paragraph [0172]: Additional distinctions and/or advantages offered by multi-algorithmic cryptography and related techniques and/or methods may include at least the following: each rule in a given rule set may define how much of a data stream or file may be processed during encryption, decryption and pad generation and only a subset of the rule set may be used … rules must be reversible to be used for encryption and decryption operations; and Paragraph [0176]: Accordingly, passage of encrypted data contained in partition P1 from partition queue 504 produces decrypted module 508 containing data “ABKL” pursuant to decryption applying in reverse, for example (but without limitation thereto), the second rule 210 (also referred to as “Rule 2” in partitioning module 206 shown in FIG. 2)); and automatically execute a software and/or hardware function depending on the results data (Huck – Paragraph [0178]: The decrypted partitions 508-516 may then be passed to post-decryption rule 518 which, as described earlier, performs post-decryption processing, in this case reassembling non-contiguous part into decrypted data 520, which, in an embodiment, may match or otherwise equal original data. As an alternative, (not shown in FIG. 5), the decrypted partitions 508-516 may be passed back to a partition handler, such as partition handler 104 for data reassembly and post-decryption processing).
Huck does not expressly teach wherein one of the at least one second control algorithms specifies that the one or more second cryptographic algorithms are applied in parallel to the composite cryptographic data or parts of the composite cryptographic data.
However, Khanna teaches wherein one of the at least one second control algorithms specifies that the one or more second cryptographic algorithms are applied in parallel to the composite cryptographic data or parts of the composite cryptographic data (Khanna – Paragraph [0032]: The variable layout cryptography system may split the received data into one or more portions based on the information stored in the metadata of the primary encryption key/primary decryption key i.e. the data is split into one or more portions based on the number of parallel nodes defined in the metadata. The splitting of the data into one or more portions increases encryption and decryption speed as each segment can be handled in parallel).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Huck, further incorporating Khanna to arrive at the conclusion of the claimed invention. One would be motivated to incorporate Khanna’s teaching to apply cryptographic operations in parallel based on a control algorithm of the operations into Huck’s method for securely exchanging data between two cryptosystems. In view of Huck’s partitioning of data to apply different cryptographic algorithms to different partitions of the data, one of ordinary skill in the art would be motivated to incorporate Khanna’s teaching to apply the cryptographic functions in parallel in order to increase encryption and decryption speed.
Claim(s) 8 and 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Huck in view of Khanna and Allen et al. (US 20200403978 A1), hereinafter Allen.
Regarding Claim 8:
The combination of Huck and Khanna teaches the computer-implemented method according to claim 1.
The combination of Huck and Khanna does not expressly teach wherein the composite cryptographic data contain parameters and/or are provided together with the parameters, wherein the parameters contain algorithm designators of cryptographic procedures implemented by the executed plurality of first cryptographic algorithms, and optionally component parameters of the cryptographic procedures and/or optionally control parameters for the second control algorithm, wherein the method further comprises: identifying, by the receiver cryptosystem, each of the second cryptographic algorithms used for the computation of the results data within a plurality of second cryptographic algorithms, prior to or during the computation of the results data by means of the algorithm designators, wherein each of the identified second cryptographic algorithms implements receiver-system-side steps of the same cryptographic procedures as the executed plurality of first cryptographic algorithms corresponding thereto.
However, Allen teaches wherein the composite cryptographic data contain parameters and/or are provided together with the parameters (Allen – Paragraph [0034]: The offer 206, in an embodiment, is a message comprising data to initiate a handshake of the cryptographic transmissions protocol, such as a ClientHello message in various versions of TLS. The offer 206, in an embodiment, is a message comprising data to renegotiate a session ... The hybrid cryptographic scheme proposed in the offer 206 comprises two or more cryptographic algorithms listed in a list of ciphersuites supported by the first computing system 202. In various embodiments, a hybrid cryptographic scheme is one that uses at least double-hull encryption, wherein an inner encryption or decryption is performed using a first cryptographic algorithm and an outer encryption or decryption is performed using a second cryptographic algorithm), wherein the parameters contain algorithm designators of cryptographic procedures implemented by the executed plurality of first cryptographic algorithms, and optionally component parameters of the cryptographic procedures and/or optionally control parameters for the second control algorithm (Allen – Paragraph [0034]: The hybrid cryptographic scheme proposed in the offer 206 comprises two or more cryptographic algorithms listed in a list of ciphersuites supported by the first computing system 202. In various embodiments, a hybrid cryptographic scheme is one that uses at least double-hull encryption, wherein an inner encryption or decryption is performed using a first cryptographic algorithm and an outer encryption or decryption is performed using a second cryptographic algorithm), wherein the method further comprises: identifying, by the receiver cryptosystem, each of the second cryptographic algorithms used for the computation of the results data within a plurality of second cryptographic algorithms (Allen – Paragraph [0034]: The offer 206, in an embodiment, is a message comprising data to initiate a handshake of the cryptographic transmissions protocol, such as a ClientHello message in various versions of TLS. The offer 206, in an embodiment, is a message comprising data to renegotiate a session ... The hybrid cryptographic scheme proposed in the offer 206 comprises two or more cryptographic algorithms listed in a list of ciphersuites supported by the first computing system 202. In various embodiments, a hybrid cryptographic scheme is one that uses at least double-hull encryption, wherein an inner encryption or decryption is performed using a first cryptographic algorithm and an outer encryption or decryption is performed using a second cryptographic algorithm), prior to or during the computation of the results data by means of the algorithm designators (Allen – Paragraph [0034]: In various embodiments, a hybrid cryptographic scheme is one that uses at least double-hull encryption, wherein an inner encryption or decryption is performed using a first cryptographic algorithm and an outer encryption or decryption is performed using a second cryptographic algorithm), wherein each of the identified second cryptographic algorithms implements receiver-system-side steps of the same cryptographic procedures as the executed plurality of first cryptographic algorithms corresponding thereto (Allen – Paragraph [0034]: In various embodiments, a hybrid cryptographic scheme is one that uses at least double-hull encryption, wherein an inner encryption or decryption is performed using a first cryptographic algorithm and an outer encryption or decryption is performed using a second cryptographic algorithm).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Huck and Khanna, further incorporating Allen to arrive at the conclusion of the claimed invention. One would be motivated to incorporate Allen’s teaching to provide parameters along with encrypted data in order for a receiver system to decrypt the data into Huck and Khanna’s combined method for securely exchanging data between two cryptosystems. The combined functionality would facilitate a receiver’s ability to decipher a sender’s encrypted message.
Regarding Claim 15:
The combination of Huck and Khanna teaches the computer-implemented method according to claim 1.
The combination of Huck and Khanna does not expressly teach wherein the plurality of first cryptographic algorithms comprises a plurality of provider- side key agreement algorithms according to a plurality of different key agreement procedures; wherein the second cryptographic algorithms comprise a plurality of receiver-side key agreement algorithms, each implemented corresponding to one of the different key agreement procedures.
However, Allen teaches wherein the plurality of first cryptographic algorithms comprises a plurality of provider-side key agreement algorithms according to a plurality of different key agreement procedures (Allen – Figure 2: Illustration of a key agreement process between two communicating systems; and Paragraph [0044]: Example key agreement algorithms that can be used for derivation 220 of the first cryptographic key 222, 226 and/or second cryptographic key 224, 228 are: BIKE, Classic McEliece, CRYSTALS-KYBER, FrodoKEM, HQC, LAC, LEDAcrypt, NewHope, NTRU, NTRU Prime, NTS-KEM, ROLLO, Round5, RQC, SABER, SIKE, Three Bears, and others such post-quantum algorithms); wherein the second cryptographic algorithms comprise a plurality of receiver-side key agreement algorithms, each implemented corresponding to one of the different key agreement procedures (Allen – Figure 2: Illustration of a key agreement process between two communicating systems; and Paragraph [0044]: Example key agreement algorithms that can be used for derivation 220 of the first cryptographic key 222, 226 and/or second cryptographic key 224, 228 are: BIKE, Classic McEliece, CRYSTALS-KYBER, FrodoKEM, HQC, LAC, LEDAcrypt, NewHope, NTRU, NTRU Prime, NTS-KEM, ROLLO, Round5, RQC, SABER, SIKE, Three Bears, and others such post-quantum algorithms).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Huck and Khanna, further incorporating Allen to arrive at the conclusion of the claimed invention. One would be motivated to incorporate Allen’s teaching of key agreement algorithms to be used as the combined cryptographic algorithms into Huck and Khanna’s combined method for securely exchanging data between two cryptosystems. This addition would add more cryptographic capabilities to Khanna and Chang’s method.
Claim(s) 9-10, and 12 is/are rejected under 35 U.S.C. 103 as being unpatentable over Huck in view of Khanna and Amulothu et al. (US 20160119299 A1), hereinafter Amulothu.
Regarding Claim 9:
The combination of Huck and Khanna teaches the computer-implemented method according to claim 1.
The combination of Huck and Khanna does not expressly teach wherein providing the composite cryptographic data comprises storing the composite cryptographic data in a single first predefined field of a data structure agreed between the provider cryptosystem and the receiver cryptosystem, wherein the receiver cryptosystem is configured to read and parse the first predefined field of the data structure to obtain the composite cryptographic data.
However, Amulothu teaches wherein providing the composite cryptographic data comprises storing the composite cryptographic data in a single first predefined field of a data structure agreed between the provider cryptosystem and the receiver cryptosystem (Amulothu – Paragraph [0020]: where a need exists to encrypt data at a hypervisor, custom applications or tools (collectively, “appliances”) have to be configured to operate with the hypervisor. Such an appliance also requires a corresponding counterpart appliance to be configured at the other hypervisor to form a pre-determined flow between the two hypervisors. Such custom configuration has to be pre-planned for each flow, and such appliances have to be installed with each participating hypervisor according to the pre-planned flows. Furthermore, the entire custom setup has to be maintained and kept in synchronization so that each appliance at each end of a given flow uses the exact same encrypting algorithm to successfully encrypt and decrypt the packets over the flow; Examiner’s Comment: the data packet is interpreted as the data structure agreed between the cryptosystems during the configuration of the flow), wherein the receiver cryptosystem is configured to read and parse the first predefined field of the data structure to obtain the composite cryptographic data (Amulothu – Paragraph [0139]: SDN component 528 receives the new packet VH+Pe. At the end of the new packet's journey over SDN 504, using information in repository 529, SDN component 528 decrypts payload Pe to recover packet P; Examiner’s Comment: the recovery of the Packet P is interpreted as the reading/parsing step).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Huck and Khanna, further incorporating Amulothu to arrive at the conclusion of the claimed invention. One would be motivated to incorporate Amulothu’s teaching to designate particular fields of data structures to hold encrypted messages for transmission into Khanna and Chang’s combined method for securely exchanging data between two cryptosystems. This combination would enhance the security of the system by providing protection for the composite cryptographic data while in transit.
Regarding Claim 10:
The combination of Huck, Khanna, and Amulothu teaches the computer-implemented method according to claim 9.
Huck further teaches the identifier of the second control algorithm (Huck – Paragraph [0162]: As shown in FIG. 1, in an embodiment, the cryptography handler 106 may accept, for example, without limitation, any one or more of session keys and/or cryptographic algorithm identifiers from security controller 110, data partitions from partition handler 104 to store key-based cryptography algorithms therein … the cryptography handler stores a list of identifiers for each of the configured key-based cryptographic modules and the algorithms they contain and provides the list to security controller 110, which provides the keys and identifiers for the algorithms that will be used to encrypt or decrypt the data during an encryption or decryption session, respectively).
Amulothu further teaches further comprising the steps of: - storing an identifier of the second [control] algorithm and optionally one or more parameters in a second predefined field of the data structure by the provider cryptosystem (Amulothu – Paragraph [0078]: When multiple encryption algorithms are allowed by a policy, which of the multiple algorithms is used for the encryption has to be communicated to the receiving modified SDN component. This communication can occur in a variety of ways, which are contemplated within the scope of the illustrative embodiments. For example, one embodiment uses a pre-agreed bit or set of bits in the header to identify the algorithm that is used to encrypt the packet); - reading and parsing, by the receiver cryptosystem, of the identifier of the second [control] algorithm from the second predefined field of the data structure; and - selecting the second [control] algorithm based on the read identifier by the receiver cryptosystem (Amulothu – Paragraph [0081]: An embodiment executing within or in conjunction with a receiving modified SDN component receives the new packet with the encrypted payload. The embodiment identifies the encryption algorithm used to encrypt the payload, such as from one or bits in the header of the new packet. The embodiment selects the identified algorithm, and decrypts the encrypted payload).
The motivation to combine the arts is the same as that of Claim 9.
Regarding Claim 12:
The combination of Huck, Khanna, and Amulothu teaches the computer-implemented method according to claim 9.
Amulothu further teaches wherein the first field is a field intended for storing, according to a cryptographic standard, the cryptographic data generated by a single cryptographic algorithm (Paragraph [0020]: Further, where a need exists to encrypt data at a hypervisor, custom applications or tools (collectively, “appliances”) have to be configured to operate with the hypervisor. Such an appliance also requires a corresponding counterpart appliance to be configured at the other hypervisor to form a pre-determined flow between the two hypervisors. Such custom configuration has to be pre-planned for each flow, and such appliances have to be installed with each participating hypervisor according to the pre-planned flows. Furthermore, the entire custom setup has to be maintained and kept in synchronization so that each appliance at each end of a given flow uses the exact same encrypting algorithm to successfully encrypt and decrypt the packets over the flow; Examiner’s Comment: the data packet is interpreted as the data structure agreed between the cryptosystems during the configuration of the flow); and/or wherein the second field is a field intended for storing, according to a cryptographic standard, the algorithm designator of a single cryptographic algorithm (Amulothu – Paragraph [0078]: When multiple encryption algorithms are allowed by a policy, which of the multiple algorithms is used for the encryption has to be communicated to the receiving modified SDN component. This communication can occur in a variety of ways, which are contemplated within the scope of the illustrative embodiments. For example, one embodiment uses a pre-agreed bit or set of bits in the header to identify the algorithm that is used to encrypt the packet).
The motivation to combine the arts is the same as that of Claim 9.
Claim(s) 11 and 31 is/are rejected under 35 U.S.C. 103 as being unpatentable over Huck in view of Khanna, Amulothu, and Bowen et al. (US 11563590 B1), hereinafter Bowen.
Regarding Claim 11:
The combination of Huck, Khanna, and Amulothu teaches the computer-implemented method according to claim 10.
The combination of Huck, Khanna, and Amulothu does not expressly teach wherein the agreed data structure is selected from a group comprising: -a file signature or an encrypted file, -a certificate request, -a revocation list, -a validity statement for certificates.
However, Bowen teaches wherein the agreed data structure is selected from a group comprising: -a file signature or an encrypted file, -a certificate request, -a revocation list, -a validity statement for certificates (Bowen – Col. 9, Lines 50-65: templates may be represented and stored in a variety of ways. In an embodiment, the system is able to represent the subject and validity fields in certificates, and any field that could be included in a certificate signing request, certificate revocation list, or OCSP response ... the format for X.509 v3 certificates is profiled by RFC 5280 Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List profile. In an embodiment, the format for certificate revocation lists is defined by RFC 2986: PKCS #10: Certification Request Syntax Specification Version 1.7).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Huck, Khanna, and Amulothu, further incorporating Bowen to arrive at the conclusion of the claimed invention. One would be motivated to incorporate Bowen’s teachings of various data structures for secure data communication including X.509 certificates, certificate requests, CRLs, and OCSP validity statements into Huck, Khanna, and Amulothu’s combined method for securely exchanging data between two cryptosystems. This combination would enhance the security of the method by implementing reliably secure data structures for storing and transferring data.
Regarding Claim 31:
The combination of Huck, Khanna, Amulothu, and Bowen teaches the computer-implemented method according to claim 11.
Bowen further teaches wherein the file signature and the encrypted file are according to the Cryptographic Message Syntax standard, wherein the certificate request is according to RFC 2986: PKCS #10 (Certification Request Syntax Specification, Version 1.7, November 2000),wherein the revocation list is a Certificate Revocation List according to RFC 5280 (Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List Profile, May 2008), wherein the validity statement for certificates is according to the Online Certificate Status Protocol, and wherein the group further comprises: an X.509 certificate; a Card Verifiable certificate (Bowen – Col. 9, Lines 50-65: templates may be represented and stored in a variety of ways. In an embodiment, the system is able to represent the subject and validity fields in certificates, and any field that could be included in a certificate signing request, certificate revocation list, or OCSP response ... the format for X.509 v3 certificates is profiled by RFC 5280 Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List profile. In an embodiment, the format for certificate revocation lists is defined by RFC 2986: PKCS #10: Certification Request Syntax Specification Version 1.7).
The motivation to combine the arts is the same as that of Claim 11.
Claim(s) 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Huck in view of Khanna and Gueron et al. (US 11184157 B1), hereinafter Gueron.
Regarding Claim 13:
The combination of Huck and Khanna teaches the computer-implemented method according to claim 1.
The combination of Huck and Khanna does not expressly teach wherein the plurality of first cryptographic algorithms comprise a plurality of cryptographic signature algorithms according to a plurality of different signing procedures; wherein the second cryptographic algorithms comprise a plurality of cryptographic signature verification algorithms each implemented according to one of the different signing procedures.
However, Gueron teaches wherein the plurality of first cryptographic algorithms comprise a plurality of cryptographic signature algorithms according to a plurality of different signing procedures (Gueron – Col. 15, Lines 40-53: Note that the term “digital signature” includes any information usable to cryptographically verify authenticity of a message including information generated using an RSA-based digital scheme (such as RSA-PSS), the digital signature algorithm (DSA) and the elliptic curve digital signature algorithm, the ElGamal signature scheme, the Schnorr signature scheme, the Pointcheval-Stern signature algorithm, the Rabin signature algorithm, pairing-based digital signature schemes (such as the Boneh-Lynn-Schacham signature scheme), undeniable digital signature schemes, and others. Further, message authentication codes (such as hash-based message authentication codes (HMACs), keyed cryptographic hash functions, and other types of information may also be used as digital signatures); wherein the second cryptographic algorithms comprise a plurality of cryptographic signature verification algorithms each implemented according to one of the different signing procedures (Gueron – Col. 16, Lines 36-50: In various embodiments, data objects such as software updates, digital certificates, and digital signatures may be cryptographically verifiable. In one example, cryptographically verifiable data objects are created to be cryptographically verifiable by the system to which the data object is to be provided or another system that operates in conjunction with the system to which the data object is to be provided. For example, the data object may be encrypted so as to be decryptable by the system that will cryptographically verify the data object, where the ability to decrypt the data object serves as cryptographic verification of the data object. As another example, the data object may be digitally signed (thereby producing a digital signature of the data object) such that the digital signature is verifiable by the system that will cryptographically verify the data object).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Huck and Khanna, further incorporating Gueron to arrive at the conclusion of the claimed invention. One would be motivated to incorporate Gueron’s teachings of various signature and signature verification techniques to employ for secure data communication into Huck and Khanna’s combined method for securely exchanging data between two cryptosystems. The combined functionality provides additional techniques for protecting data communicated between cryptosystems.
Claim(s) 19 and 21 is/are rejected under 35 U.S.C. 103 as being unpatentable over Huck in view of Khanna, Allen, and Amulothu.
Regarding Claim 19:
The combination of Huck and Khanna teaches the provider cryptosystem according to claim 18.
Huck further teaches and the first control algorithms (Huck – Paragraph [0162]: As shown in FIG. 1, in an embodiment, the cryptography handler 106 may accept, for example, without limitation, any one or more of session keys and/or cryptographic algorithm identifiers from security controller 110, data partitions from partition handler 104 to store key-based cryptography algorithms therein. Generally, key-based cryptography algorithms refer to software-related and/or data modules and can be manually created, read from local storage, or be otherwise acquired from an outside source. A cryptography module, in an embodiment, may have at least one or more selected from a group including the following: a single algorithm, a family of related algorithms or multiple cryptographic algorithms. A key-based cryptographic module may accept data, a key and the cryptographic operation, encryption or decryption, to perform. In an embodiment, the cryptography handler stores a list of identifiers for each of the configured key-based cryptographic modules and the algorithms they contain and provides the list to security controller 110, which provides the keys and identifiers for the algorithms that will be used to encrypt or decrypt the data during an encryption or decryption session, respectively).
The combination of Huck and Khanna does not expressly teach further comprising: a first cryptographic application including the first cryptographic algorithms and the first control algorithms; including the first cryptographic algorithms; and a first application program which is free of cryptographic algorithms and which is interoperable with the first cryptographic application and configured to: provide the input data to the first cryptographic application and/or cause the first cryptographic application to generate the input data; cause the first cryptographic application to compute and return the composite cryptographic data to the first application program; store the composite cryptographic data in a first predefined field of a data structure agreed between the provider cryptosystem and the receiver cryptosystem; and send the data structure to the receiver cryptosystem.
However, Allen teaches further comprising: a first cryptographic application including the first cryptographic algorithms and the first control algorithms (Allen – Paragraph [0115]: In an embodiment, the system and various devices also typically include a number of software applications, modules, services, or other elements located within at least one working memory device, including an operating system and application programs, such as a client application or web browser. In an embodiment, customized hardware is used and/or particular elements are implemented in hardware, software (including portable software, such as applets), or both. In an embodiment, connections to other computing devices such as network input/output devices are employed); including the first cryptographic algorithms (Allen – Paragraph [0072]: 4. Perform an inner cryptographic operation, such as an encryption 614, by cryptographically protecting the application message 612 using the first cryptographic key to produce a cryptographically protected application message (encrypted application message 616). [0073] 5. Serialize (chunk and frame) 618 the cryptographically protected application message (encrypted application message 616) into one or more message frames comprising cryptographically protected data (encrypted data 620) using the cryptographic transmission protocol, including at least an initial message frame. [0074] 6. Perform an outer cryptographic operation, such as encryption 622, by cryptographically protecting the body of the initial message frame from the one or more message frames comprising cryptographically protected data (encrypted data 620) using the second cryptographic key to produce a double-protected message (double-encrypted message 624) comprising the initial message frame); and a first application program which is free of cryptographic algorithms and which is interoperable with the first cryptographic application and configured to (Allen – Paragraph [0122]: Operations of processes described herein can be performed in any suitable order unless otherwise indicated herein or otherwise clearly contradicted by context. In an embodiment, a process such as those processes described herein (or variations and/or combinations thereof) is performed under the control of one or more computer systems configured with executable instructions and is implemented as code (e.g., executable instructions, one or more computer programs or one or more applications) executing collectively on one or more processors, by hardware or combinations thereof): provide the input data to the first cryptographic application and/or cause the first cryptographic application to generate the input data (Allen – Figures 6-8: steps 610, 710, 810 – Compose Message); cause the first cryptographic application to compute and return the composite cryptographic data to the first application program (Allen – Figures 6-8: inner and outer encryption to produce double-encrypted message; and Paragraph [0115]: In an embodiment, the system and various devices also typically include a number of software applications, modules, services, or other elements located within at least one working memory device, including an operating system and application programs, such as a client application or web browser. In an embodiment, customized hardware is used and/or particular elements are implemented in hardware, software (including portable software, such as applets), or both. In an embodiment, connections to other computing devices such as network input/output devices are employed).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Huck and Khanna, further incorporating Allen to arrive at the conclusion of the claimed invention. One would be motivated to incorporate Allen’s application for processing data to undergo cryptographic operations into Khanna’s provider cryptosystem. Allen’s application would enhance Huck and Khanna’s system by providing a practical means for users to protect data prior to its transmission to a receiver system.
The combination of Huck, Khanna, and Allen does not expressly teach store the composite cryptographic data in a first predefined field of a data structure agreed between the provider cryptosystem and the receiver cryptosystem; and send the data structure to the receiver cryptosystem.
However, Amulothu teaches store the composite cryptographic data in a first predefined field of a data structure agreed between the provider cryptosystem and the receiver cryptosystem (Amulothu – Paragraph [0020]: Further, where a need exists to encrypt data at a hypervisor, custom applications or tools (collectively, “appliances”) have to be configured to operate with the hypervisor. Such an appliance also requires a corresponding counterpart appliance to be configured at the other hypervisor to form a pre-determined flow between the two hypervisors. Such custom configuration has to be pre-planned for each flow, and such appliances have to be installed with each participating hypervisor according to the pre-planned flows. Furthermore, the entire custom setup has to be maintained and kept in synchronization so that each appliance at each end of a given flow uses the exact same encrypting algorithm to successfully encrypt and decrypt the packets over the flow; Examiners Comment: the data packet is interpreted as the data structure agreed between cryptosystems during the configuration of the flow); and send the data structure to the receiver cryptosystem (Amulothu – Paragraph [0024]: Another embodiment further causes, responsive to sending the set of policies and the set of encryption algorithms, the first component to use a policy from the set of policies to perform a cryptographic operation on a data packet using an encryption algorithm determined by the policy, forming a secure data packet, a destination of the data packet being associated with the second component and reachable via the path in the SDN. Thus, the embodiment enables an SDN controller to cause SDN components at the ends of SDN flows to perform end-to-end encryption in the SDN).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Huck, Khanna, and Allen, further incorporating Amulothu to arrive at the conclusion of the claimed invention. One would be motivated to incorporate Amulothu’s teachings to establish a data structure for storing data to be communicated between cryptosystems into Huck, Khanna, and Allen’s combined provider cryptosystem. This addition would enhance the security of the encrypted data being transmitted to a receiver system.
Regarding Claim 21:
The combination of Huck and Khanna teaches the receiver cryptosystem according to claim 20.
Huck further teaches and the second control algorithms (Huck – Paragraph [0157]: Implementation of the cryptographic algorithms and/or rules to the raw data in partitions 212 may, in an embodiment, include usage of keys, pads and media that are combined in unique and different ways to create rules, where each rule thereof may determine how and how much data to process. Rules can also reference other rules and can be of arbitrary complexity. Decryption may involve process knowledge of what algorithms, keys, pads and media were used or applied, how they were used, and in what particular order; and Paragraph [0172]: Additional distinctions and/or advantages offered by multi-algorithmic cryptography and related techniques and/or methods may include at least the following: each rule in a given rule set may define how much of a data stream or file may be processed during encryption, decryption and pad generation and only a subset of the rule set may be used … rules must be reversible to be used for encryption and decryption operations; and Paragraph [0176]: Accordingly, passage of encrypted data contained in partition P1 from partition queue 504 produces decrypted module 508 containing data “ABKL” pursuant to decryption applying in reverse, for example (but without limitation thereto), the second rule 210 (also referred to as “Rule 2” in partitioning module 206 shown in FIG. 2)).
The combination of Huck and Khanna does not expressly teach further comprising: a second cryptographic application containing the second cryptographic algorithms …; and a second application program which is free of cryptographic algorithms and which is interoperable with the second cryptographic application and configured to: cause the second cryptographic application to compute and return to the second application program the results data as a function of the composite cryptographic data; and cause the automatic execution of the software and/or hardware function depending on the results data.
However, Allen further teaches further comprising: a second cryptographic application (Allen – Paragraph [0115]: In an embodiment, the system and various devices also typically include a number of software applications, modules, services, or other elements located within at least one working memory device, including an operating system and application programs, such as a client application or web browser. In an embodiment, customized hardware is used and/or particular elements are implemented in hardware, software (including portable software, such as applets), or both. In an embodiment, connections to other computing devices such as network input/output devices are employed) containing the second cryptographic algorithms (Allen – Paragraph [0072]: 4. Perform an inner cryptographic operation, such as an encryption 614, by cryptographically protecting the application message 612 using the first cryptographic key to produce a cryptographically protected application message (encrypted application message 616). [0073] 5. Serialize (chunk and frame) 618 the cryptographically protected application message (encrypted application message 616) into one or more message frames comprising cryptographically protected data (encrypted data 620) using the cryptographic transmission protocol, including at least an initial message frame. [0074] 6. Perform an outer cryptographic operation, such as encryption 622, by cryptographically protecting the body of the initial message frame from the one or more message frames comprising cryptographically protected data (encrypted data 620) using the second cryptographic key to produce a double-protected message (double-encrypted message 624) comprising the initial message frame); and a second application program which is free of cryptographic algorithms and which is interoperable with the second cryptographic application and configured to (Allen – Paragraph [0122]: Operations of processes described herein can be performed in any suitable order unless otherwise indicated herein or otherwise clearly contradicted by context. In an embodiment, a process such as those processes described herein (or variations and/or combinations thereof) is performed under the control of one or more computer systems configured with executable instructions and is implemented as code (e.g., executable instructions, one or more computer programs or one or more applications) executing collectively on one or more processors, by hardware or combinations thereof): cause the second cryptographic application to compute and return to the second application program the results data as a function of the composite cryptographic data (Allen – Figures 6-8: inner and outer encryption to produce double-encrypted message; and Paragraph [0115]: In an embodiment, the system and various devices also typically include a number of software applications, modules, services, or other elements located within at least one working memory device, including an operating system and application programs, such as a client application or web browser. In an embodiment, customized hardware is used and/or particular elements are implemented in hardware, software (including portable software, such as applets), or both. In an embodiment, connections to other computing devices such as network input/output devices are employed); and cause the automatic execution of the software and/or hardware function depending on the results data (Allen – Paragraph [0123]: Accordingly, in an embodiment, computer systems are configured to implement one or more services that singly or collectively perform operations of processes described herein, and such computer systems are configured with applicable hardware and/or software that enable the performance of the operations).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Huck and Khanna, further incorporating Allen to arrive at the conclusion of the claimed invention. One would be motivated to incorporate Allen’s application for processing data to undergo cryptographic operations into Huck and Khanna’s receiver cryptosystem. Allen’s application would enhance Huck and Khanna’s system by providing a practical means for users to receive and decrypt protected data transmitted from a corresponding provider system.
The combination of Huck, Khanna, and Allen does not expressly teach receive a data structure agreed between the provider cryptosystem and the receiver cryptosystem; parse the data structure to read the composite cryptographic data from a first predefined field in the data structure; provide the read composite cryptographic data to the second cryptographic application.
Amulothu further teaches receive a data structure agreed between the provider cryptosystem and the receiver cryptosystem (Amulothu – Paragraph [0024]: Another embodiment further causes, responsive to sending the set of policies and the set of encryption algorithms, the first component to use a policy from the set of policies to perform a cryptographic operation on a data packet using an encryption algorithm determined by the policy, forming a secure data packet, a destination of the data packet being associated with the second component and reachable via the path in the SDN. Thus, the embodiment enables an SDN controller to cause SDN components at the ends of SDN flows to perform end-to-end encryption in the SDN; Examiners Comment: the data packet is interpreted as the data structure agreed between cryptosystems during the configuration of the flow); parse the data structure to read the composite cryptographic data from a first predefined field in the data structure (Amulothu – Paragraph [0139]: SDN component 528 receives the new packet VH+Pe. At the end of the new packet's journey over SDN 504, using information in repository 529, SDN component 528 decrypts payload Pe to recover packet P; Examiner’s Comment: the recovery of the Packet P is interpreted as the reading/parsing step); provide the read composite cryptographic data to the second cryptographic application (Amulothu – Paragraph [0020]: Further, where a need exists to encrypt data at a hypervisor, custom applications or tools (collectively, “appliances”) have to be configured to operate with the hypervisor. Such an appliance also requires a corresponding counterpart appliance to be configured at the other hypervisor to form a pre-determined flow between the two hypervisors. Such custom configuration has to be pre-planned for each flow, and such appliances have to be installed with each participating hypervisor according to the pre-planned flows. Furthermore, the entire custom setup has to be maintained and kept in synchronization so that each appliance at each end of a given flow uses the exact same encrypting algorithm to successfully encrypt and decrypt the packets over the flow).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Huck, Khanna, and Allen, further incorporating Amulothu to arrive at the conclusion of the claimed invention. One would be motivated to incorporate Amulothu’s teachings to parse a data structure to acquire a provider system’s message into Huck, Khanna, and Allen’s combined provider cryptosystem. This combination would practically enable the receiver system to receive the secure message as intended.
Claim(s) 32 is/are rejected under 35 U.S.C. 103 as being unpatentable over Huck in view of Khanna and Chang et al. (US 20100278338 A1), hereinafter Chang.
Regarding Claim 32:
The combination of Huck and Khanna teaches the computer-implemented method according to claim 1.
The combination of Huck and Khanna does not expressly teach wherein a number of the plurality of first cryptographic algorithms is larger than a number of the one or more second cryptographic algorithms.
However, Chang further teaches wherein a number of the plurality of first cryptographic algorithms is larger than a number of the one or more second cryptographic algorithms (Chang – Paragraph [0012]: performing, by a multiple cryptography algorithm set section, a plurality of selected cryptography algorithms in a selected sequence on the input data, wherein the selected cryptography algorithms or the selected sequence or both are determined by the security level parameter, and wherein the selected cryptography algorithms are performed using the plurality of cryptography keys; and Paragraph [0020]: Embodiments of the present invention provide a reconfigurable and scalable encryption/decryption system … The encrypted data can only be fully and correctly decrypted with the correct algorithms in the correct sequence (as determined by one or more security level parameters) and the corresponding encryption/decryption keys. With incorrect algorithm set or encryption/decryption keys, the data cannot be decrypted or can only be partially decrypted; and Paragraph [0029]: As an alternative structure (not shown), the key processor 14 receives the security level parameters as an input, and selectively generates only the encryption keys that will be used by the multiple encryption algorithm set section 13 and the encryption enabled entropy encoding section 12 based on the security level parameters; and Paragraph [0032]: the key processor 24 may receive the security level parameters and only generate the necessary decryption keys based on the security level parameters).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Huck and Khanna, further incorporating Chang to arrive at the conclusion of the claimed invention. One would be motivated to incorporate Chang’s teachings to implement fewer cryptographic algorithms to perform partial decryption of a message which was encrypted using more cryptographic algorithms into Huck and Khanna’s combined provider cryptosystem. The partial decryption suggested by Chang combines naturally with at least the partitioned encryption/decryption taught by Huck. This combination would provide configurable levels of message concealment and/or disclosure.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Stedron (US 8031865 B2) teaches a system and method for encrypting documents, including the application of multiple different encryption algorithms
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NICHOLAS JOSEPH DILUZIO whose telephone number is (703)756-1229. The examiner can normally be reached Mon - Fri -- 7:30 AM - 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached at 571-272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/NICHOLAS JOSEPH DILUZIO/Examiner, Art Unit 2498
/YIN CHEN SHAW/Supervisory Patent Examiner, Art Unit 2498