Detailed Action
This is a Final Office action in response to communications received on 9/26/2025. Claims 1, 7 and 13 were amended. Claims 2-4, 8-10 and 14-16 were previously canceled. Claims 1, 5-7, 11-13 and 17-18 are pending and are examined.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant’s arguments regarding the rejection under 35 U.S.C. 102 of the claims under Zhang have been considered, and are found unpersuasive.
Applicant argues on pages 8-12 of the Remarks, filed 9/26/2025, that the cited prior art fails to teach or suggest the limitations of newly amended claim 1. However, Examiner respectfully disagrees. Zhang explicitly discloses that cryptographic keys are managed by cloud-resident key management frameworks and vaults. Specifically, Zhang discloses that cryptographic keys are managed using a key management framework and/or secure hardware key store within a cloud instance ([0015]), and that the vault is used to securely store encryption keys and to provide public keys corresponding to private keys of cloud instances ([0018]). Zhang [0042] teaches “In various embodiments, the process of FIG. 5 can be performed on behalf of a source cloud instance at a cloud service such as cloud service 103 of FIG. 1 using one or more components of a key management framework, such as key management framework 203 of FIG. 2, including a key exporter component, such as by key exporter 207 of FIG. 2, and a key access management component such as key access management 215 of FIG. 2”. Therefore, Zhang teaches that software components executing in the cloud instance utilize the key management framework to perform cryptographic operations. Zhang [0044]-[0045] teaches that “the public key of the requesting target cloud instance is retrieved using a key access management component such as key access management 215 of FIG. 2” as well as “By utilizing the public key of the target cloud instance, the corresponding private key of the target cloud instance can be utilized to decrypt the encrypted encryption key”. These teach generation, storage and retrieval of a public/private key pair managed by a key management service in the first (source) and second (target) cloud environments, accessed by software components via a programmatic interface.
Zhang repeatedly distinguishes between a source cloud instance and a target cloud instance, each having their own cryptographic keys and key management resources ([0015], [0018]).
In regards to arguments that Zhang does not disclose application programming instances, Examiner also reasserts previous arguments. The message service 209 is invoked by software components (key-exporter 207, key-importer 205). Its two corresponding ends on the respective cloud instances are the claimed API endpoints through which the first KMS is accessed and through which the encrypted key is received. These software-to-software interfaces exposed by the KMS satisfy the functional requirements of an API without needing to specifically recite an “API”, which is the means by which applications interface. After receipt, the target’s key-access-management 215 secures the key into a local keystore (para 0055). In some embodiments, this key exchange data is implemented as database tables (para 0023). Storing through such a component constitutes using the claimed database service API. Zhang therefore teaches every limitation - generation, fetching, encrypting and storing via programmatic service interfaces.
Consequently, the rejection of the claims under 35 U.S.C. 102 is sustained.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
Claims 1-18 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Zhang (US 20220231848 A1).
Regarding claim 1, Zhang teaches the limitations of claim 1 substantially as follows:
A method, comprising:
generating, by a synching computer application executed in a first cloud environment and using a first key management service executed in the first cloud environment accessed via a first key management service application programming interface endpoint in the first cloud environment, a data encryption key and storing the data encryption key in the first key management service using a first key management service endpoint; (Zhang; Para(s). [0015], [0018] & [0042]; Fig. 5: A cryptographic key is managed (i.e. a data encryption key and storing the data encryption key in the first key management service) for a first instance of a group of one or more cloud nodes providing a service (i.e. generating, by a synching computer application and using a first key management service in a first cloud environment) the cryptographic key is managed by the first cloud instance using a key management framework and/or by or using another module, such as a secure hardware key store)
generating, by the synching computer application in the first cloud environment and using a second key management service executed in a second cloud environment accessed via a second key management service application programming interface endpoint in the second cloud environment, a key encryption key pair comprising a private key and a public key and storing the key encryption key pair in the second key management service using a second key management service endpoints; (Zhang; Paras. [0015], [0018] & [0042]; Fig. 5: The secure transmittal involves encrypting the exchanged encryption key with a public key of the second cloud instance such that only the second cloud instance can decrypt the encryption key by using its corresponding private key (i.e. a key encryption key pair comprising a private key and a public key and storing the key encryption key pair in the second key management service) The private keys of source cloud instance and target cloud instance are securely stored by their respective cloud instances and may also utilize vault as appropriate)
fetching, by the synching computer application, the public key from the second key management service; (Zhang; Para. [0015]: The secure transmittal involves encrypting the exchanged encryption key with a public key of the second cloud instance (i.e. fetching, by the synching computer application, the public key from the second key management service) such that only the second cloud instance can decrypt the encryption key by using its corresponding private key)
encrypting, by the synching computer application, the data encryption key with the public key; and (Zhang; Para. [0015]: The secure transmittal involves encrypting the exchanged encryption key with a public key of the second cloud instance (i.e. encrypting, by the synching computer application, the data encryption key with the public key) such that only the second cloud instance can decrypt the encryption key by using its corresponding private key)
storing, by the synching computer application, the encrypted data encryption key in a database in the second cloud environment via a database application programming endpoint in the second cloud environment. (Zhang; Paras. [0015], [0018] & [0024]: The secure transmittal involves encrypting the exchanged encryption key with a public key of the second cloud instance such that only the second cloud instance can decrypt the encryption key by using its corresponding private key. The cluster includes database servers and/or other data stores for storing encrypted data (i.e. storing, by the synching computer application, the encrypted data encryption key in a database in the second cloud environment))
Regarding claim 7, Zhang teaches the limitations of claim 7 substantially as follows:
A system, comprising: (Zhang; Paras. [0010] & [0012]: a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium for the exchange of cryptographic keys between cloud instances)
a first electronic device executing a first cloud environment comprising a synching computer application and a first key management service; and a second electronic device executing a second cloud environment comprising a second key management service and a database; wherein: (Zhang; Para. [0015]: First and second cloud instances)
the synching computer application generates, using the first key management service accessed via a first key management service application programming interface endpoint in the first cloud environment, a data encryption key and stores the data encryption key in the first key management service using a first key management service endpoint; (Zhang; Para(s). [0015], [0018] & [0042]; Fig. 5: A cryptographic key is managed (i.e. a data encryption key and storing the data encryption key in the first key management service) for a first instance of a group of one or more cloud nodes providing a service (i.e. generating, by a synching computer application and using a first key management service in a first cloud environment) the cryptographic key is managed by the first cloud instance using a key management framework and/or by or using another module, such as a secure hardware key store)
the synching computer application generates, using the second key management service accessed via a second key management service application programming interface endpoint in the second cloud environment, a key encryption key pair comprising a private key and a public key and storing the key encryption key pair in the second key management service using a second key management service endpoint; (Zhang; Paras. [0015], [0018] & [0042]; Fig. 5: The secure transmittal involves encrypting the exchanged encryption key with a public key of the second cloud instance such that only the second cloud instance can decrypt the encryption key by using its corresponding private key (i.e. a key encryption key pair comprising a private key and a public key and storing the key encryption key pair in the second key management service) The private keys of source cloud instance and target cloud instance are securely stored by their respective cloud instances and may also utilize vault as appropriate)
the synching computer application fetches the public key from the second key management service; (Zhang; Para. [0015]: The secure transmittal involves encrypting the exchanged encryption key with a public key of the second cloud instance (i.e. fetching, by the synching computer application, the public key from the second key management service) such that only the second cloud instance can decrypt the encryption key by using its corresponding private key)
the synching computer application encrypts the data encryption key with the public key; and (Zhang; Para. [0015]: The secure transmittal involves encrypting the exchanged encryption key with a public key of the second cloud instance (i.e. encrypting, by the synching computer application, the data encryption key with the public key) such that only the second cloud instance can decrypt the encryption key by using its corresponding private key)
the synching computer application stores the encrypted data encryption key in a database in the second cloud environment via a database application programming endpoint in the second cloud environment. (Zhang; Paras. [0015], [0018] & [0024]: The secure transmittal involves encrypting the exchanged encryption key with a public key of the second cloud instance such that only the second cloud instance can decrypt the encryption key by using its corresponding private key. The cluster includes database servers and/or other data stores for storing encrypted data (i.e. storing, by the synching computer application, the encrypted data encryption key in a database in the second cloud environment))
Regarding claim 13, Zhang teaches the limitations of claim 13 substantially as follows:
A non-transitory computer readable storage medium, including instructions stored thereon, which when read and executed by one or more computer processors, cause the one or more computer processors to perform steps comprising: (Zhang; Paras. [0010] & [0012]: a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium for the exchange of cryptographic keys between cloud instances)
generating, using a first key management service executed in a first cloud environment accessed via a first key management service application programming interface endpoint in the first cloud environment, a data encryption key and storing the data encryption key in the first key management service using a first key management service endpoint; (Zhang; Para(s). [0015], [0018] & [0042]; Fig. 5: A cryptographic key is managed (i.e. a data encryption key and storing the data encryption key in the first key management service) for a first instance of a group of one or more cloud nodes providing a service (i.e. generating, by a synching computer application and using a first key management service in a first cloud environment) the cryptographic key is managed by the first cloud instance using a key management framework and/or by or using another module, such as a secure hardware key store)
generating, using a second key management service executed in a second cloud environment accessed via a second key management service application programming interface endpoint in the second cloud environment, a key encryption key pair comprising a private key and a public key and storing the key encryption key pair in the second key management service using a second key management service endpoint; (Zhang; Paras. [0015], [0018] & [0042]; Fig. 5: The secure transmittal involves encrypting the exchanged encryption key with a public key of the second cloud instance such that only the second cloud instance can decrypt the encryption key by using its corresponding private key (i.e. a key encryption key pair comprising a private key and a public key and storing the key encryption key pair in the second key management service) The private keys of source cloud instance and target cloud instance are securely stored by their respective cloud instances and may also utilize vault as appropriate)
fetching the public key from the second key management service; (Zhang; Para. [0015]: The secure transmittal involves encrypting the exchanged encryption key with a public key of the second cloud instance (i.e. fetching, by the synching computer application, the public key from the second key management service) such that only the second cloud instance can decrypt the encryption key by using its corresponding private key)
encrypting the data encryption key with the public key; and (Zhang; Para. [0015]: The secure transmittal involves encrypting the exchanged encryption key with a public key of the second cloud instance (i.e. encrypting, by the synching computer application, the data encryption key with the public key) such that only the second cloud instance can decrypt the encryption key by using its corresponding private key)
storing the encrypted data encryption key in a database in the second cloud environment via a database application programming endpoint in the second cloud environment. (Zhang; Paras. [0015], [0018] & [0024]: The secure transmittal involves encrypting the exchanged encryption key with a public key of the second cloud instance such that only the second cloud instance can decrypt the encryption key by using its corresponding private key. The cluster includes database servers and/or other data stores for storing encrypted data (i.e. storing, by the synching computer application, the encrypted data encryption key in a database in the second cloud environment))
Regarding claims 5, 11 and 17, Zhang teaches the limitations of claims 1, 7 and 13.
Zhang teaches the limitations of claims 5, 11 and 17 as follows:
receiving, by an application instance in the second cloud environment, encrypted data that is encrypted with the data encryption key; (Zhang; Paras. [0059]-[0060]: the data cloned is data encrypted using an encryption key accessible by source cloud instance but not accessible by target cloud instance (i.e. receiving, by an application instance in the second cloud environment, encrypted data that is encrypted with the data encryption key). The created key exchange request is a request for the encryption key required to decrypt the encrypted data cloned)
retrieving, by the application instance and from the database, the encrypted data encryption key; (Zhang; Paras. [0015] & [0018]: The secure transmittal involves encrypting the exchanged encryption key with a public key of the second cloud instance such that only the second cloud instance can decrypt the encryption key by using its corresponding private key. The cluster includes database servers and/or other data stores for storing encrypted data (i.e. retrieving, by the application instance and from the database, the encrypted data encryption key))
retrieving, by the application instance and from the second key management service, the private key; (Zhang; Paras. [0015] & [0018]: The secure transmittal involves encrypting the exchanged encryption key with a public key of the second cloud instance such that only the second cloud instance can decrypt the encryption key by using its corresponding private key (i.e. retrieving, by the application instance and from the second key management service, the private key). The cluster includes database servers and/or other data stores for storing encrypted data)
decrypting, by the application instance, the encrypted data encryption key with the private key; and (Zhang; Paras. [0015] & [0018]: The secure transmittal involves encrypting the exchanged encryption key with a public key of the second cloud instance such that only the second cloud instance can decrypt the encryption key by using its corresponding private key (i.e. decrypting, by the application instance, the encrypted data encryption key with the private key). The cluster includes database servers and/or other data stores for storing encrypted data)
decrypting, by the application instance, the encrypted data using the data encryption key. (Zhang; Paras. [0059]-[0060]: the data cloned is data encrypted using an encryption key accessible by source cloud instance but not accessible by target cloud instance. The created key exchange request is a request for the encryption key required to decrypt the encrypted data cloned (i.e. decrypting, by the application instance, the encrypted data using the data encryption key))
Regarding claims 6, 12 and 18, Zhang teaches the limitations of claims 1, 7 and 13.
Zhang teaches the limitations of claims 6, 12 and 18 as follows:
receiving, by an application instance in the second cloud environment, encrypted data that is encrypted with the data encryption key; (Zhang; Paras. [0059]-[0060]: the data cloned is data encrypted using an encryption key accessible by source cloud instance but not accessible by target cloud instance (i.e. receiving, by an application instance in the second cloud environment, encrypted data that is encrypted with the data encryption key). The created key exchange request is a request for the encryption key required to decrypt the encrypted data cloned)
retrieving, by the application instance and from the database, the encrypted data encryption key; sending, by the application instance, the encrypted data encryption key to the second key management service, (Zhang; Paras. [0015] & [0018]: The secure transmittal involves encrypting the exchanged encryption key with a public key of the second cloud instance such that only the second cloud instance can decrypt the encryption key by using its corresponding private key. The cluster includes database servers and/or other data stores for storing encrypted data (i.e. retrieving, by the application instance and from the database, the encrypted data encryption key))
wherein the second key management service is configured to decrypt the encrypted data encryption key with the private key; (Zhang; Paras. [0015] & [0018]: The secure transmittal involves encrypting the exchanged encryption key with a public key of the second cloud instance such that only the second cloud instance can decrypt the encryption key by using its corresponding private key (i.e. decrypt the encrypted data encryption key with the private key). The cluster includes database servers and/or other data stores for storing encrypted data)
receiving, by the application instance and from the second key management service, the data encryption key; and (Zhang; Paras. [0015] & [0018]: The secure transmittal involves encrypting the exchanged encryption key with a public key of the second cloud instance such that only the second cloud instance can decrypt the encryption key by using its corresponding private key (i.e. receiving, by the application instance and from the second key management service, the data encryption key). The cluster includes database servers and/or other data stores for storing encrypted data)
decrypting, by the application instance, the encrypted data using the data encryption key. (Zhang; Paras. [0059]-[0060]: the data cloned is data encrypted using an encryption key accessible by source cloud instance but not accessible by target cloud instance. The created key exchange request is a request for the encryption key required to decrypt the encrypted data cloned (i.e. decrypting, by the application instance, the encrypted data using the data encryption key))
Prior Art Considered But Not Relied Upon
BenHanokh (US 20220164462 A1) which teaches a cloud resource network configured with multiple storage regions, in order that a cloud application can automatically use special tags in the data specification to distinguish between group-encryptable, high-sensitivity, and public data so that the group encryption key can remain unknown to the storage platform.
Rawalkshatriya (US 20200280547 A1) which teaches a cloud storage system comprising a plurality of user devices and at least one cloud device, wherein the key server comprises: a storage for storing at least one of public keys, re-encryption keys, user details of the plurality of user devices.
Conclusion
For the above-stated reasons, claims 1, 5-7, 11-13 and 17-18 are rejected.
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BLAKE ISAAC NARRAMORE whose telephone number is (303)297-4357. The examiner can normally be reached on Monday - Friday 0700-1700 MT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T Arani can be reached on (571) 272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/BLAKE I NARRAMORE/Examiner, Art Unit 2438