DETAILED ACTION
Office Action Summary
Claims 1-5 and 21-31 are pending in the instant application.
Claims 1-5 and 21-31 are rejected under 35 USC § 103.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-2, 4-5, 21-25 and 27-31 are rejected under 35 U.S.C. 103 as being unpatentable over Duraisamy et al. (US Pre-Grant Publication No. US 20230344921 A1), hereinafter referred to as Duraisamy, in view of Xue et al. (CN 101242336 A) (translation is provided), hereinafter referred to as Xue.
As per claims 1, 21, 22 and 23, Duraisamy teaches … receiving, from a user agent of a device, a signal to initiate a connection between the user agent and a cloud service;
establishing a transport layer security (TLS) tunnel with the user agent; (Duraisamy, figure 14 and [0011], teaches “The system can include the agent establishing the channel to the VPN server using one of a datagram transport layer security (DTLS) or a transport layer security (TLS).” [0100] teaches “As an example, routing of UDP packet from a client 102/165 to a destination server 106, and vice versa, can be done using agent 120 or a plugin, any software 180, platform 185, infrastructure 190 or servers 195 on the cloud VPN 175, a connector 405 at destination data center 350 and the destination server 106 at the destination data center 350. A client 102/165 can include a client agent 120, or a plugin, to establish a dedicated TLS/DTLS based client-side MUX channel with cloud VPN 175.” and [0143] teaches “The agent (e.g., 120) can establish the channel (e.g., 330) to the VPN server using one of a datagram transport layer security (DTLS) or a transport layer security (TLS).”)
providing, to the user agent, an indication
but Duraisamy does not teach allocating, to the connection, a unique subdomain of a domain hosted by a gateway server;
However, Xue (figure 7 and page 10 last paragraph through page 11 first paragraph) teaches “As shown in FIG. 7, shows the mapping unit 103 of one embodiment, comprises: 1031, for main distributing resource ID domain name or sub-domain name resource ID distributing module, said resource ID corresponding to said master domain name or sub-domain name unique, a resource ID mapping module 1032 for mapping the resource ID of the allocated to the Web proxy server 10 under a specified directory. wherein the resource ID allocation module 1031 at least comprises a master index field distributing sub-module, used for master domain name or sub-domain name distributed master index field, wherein the master domain name resource ID distributing different of different Web server master index field, for the same Web master index field sub-domain name resource ID assignment of the same main domain name server and sub-module, a sub-index field for main domain name or sub-domain name sub-index field, wherein the sub-domain name resource ID of the same Web server distributes different sub-index field”
It would have been obvious to one having ordinary skill in the art, before the effective filing date of the claimed invention, to modify the invention of Duraisamy with the method of Xue because allocating a unique subdomain to each connection allows for scalability and organization and allows each connection to be managed separately.
As per claims 2 and 25, Duraisamy in view of Xue teaches … wherein the unique subdomain includes a value of a connection nonce. (Duraisamy, [0048], teaches authentication for access; the access is relied upon as the confirmation.)
As per claims 4 and 27, Duraisamy in view of Xue teaches … further comprising: receiving, from an authenticator of the device, a notification that a message associated with the connection was detected at the device. (Duraisamy, [0080] and [0157])
As per claims 5, 24 and 28, Duraisamy in view of Xue teaches … further comprising: transmitting, to the authenticator, a confirmation of the notification. (Duraisamy, [0157])
As per claim 29, Duraisamy in view of Xue teaches … wherein the redirect comprises an HTTP redirect that embeds the subdomain in a URL. (Duraisamy, [0079] and Xue, page 2 last paragraph)
As per claim 30, Duraisamy in view of Xue teaches … wherein a coordinator service that establishes the TLS tunnel and the gateway are hosted by separate servers. (Duraisamy, [0044] and [0073])
As per claim 31, Duraisamy in view of Xue teaches … wherein sending the redirect triggers the user agent to establish a second TLS tunnel with the gateway. (Duraisamy, [0005] and [0006])
Claims 3 and 26 are rejected under 35 U.S.C. 103 as being unpatentable over Duraisamy in view of Xue and further in view of Dong et al. (CN 117714316 A) (translation is provided), hereinafter referred to as Dong.
As per claims 3 and 26, Duraisamy in view of Xue teaches … but does not teach wherein the connection nonce is an SNI extension.
However, Dong (page 4, fifth paragraph) teaches SNI.
It would have been obvious to one having ordinary skill in the art, before the effective filing date of the claimed invention, to modify the invention of Duraisamy with the method of Dong because SNI is well known and used in the field of the invention.
Other Art of Record
Kelson et al. (US 20140337614 A1) teaches “According to one embodiment, a transparent security gateway is coupled between a client end station (CES) and a web application server (WAS). The security gateway monitors an encryption protocol handshake between the CES and the WAS to capture, using a provided private key of the WAS, a generated symmetric key to be used for an encryption layer connection. Using the captured symmetric key, the security gateway receives an encrypted connection record of the encryption layer connection, decrypts the encrypted connection record to yield a plaintext connection record, modifies the plaintext connection record, encrypts the modified plaintext connection record using the symmetric key, and transmits one or more packets carrying the encrypted modification plaintext connection record instead of the received encrypted connection record such that neither the CES or WAS is aware of the modification of the encrypted data.”
Holtmanns et al. (US 20150012743 A1) teaches “A method, apparatus and computer program product are disclosed for establishing secure off-network communications between first and second Secure Cellular Devices that each have a cellular identity. The second Secure Cellular Device may assume the role of Remote Device for interaction with the NAF keyserver and may obtain a local key. The first Secure Cellular Device may derive the local key and the two devices may conduct secure communications using the shared local key. The two Secure Cellular Devices may alternate the roles of Secure Host and Remote Device, each twice obtaining or deriving a shared local key such that there are two such keys. The devices may employ one key for secure communication in one direction and the other for communication in the other direction. Alternatively, the devices may derive a unique shared key as a function of the two shared keys.”
Jonathan Cobb (US 20210273914 A1) teaches “Described herein are improved systems and methods for overcoming technical problems associated with virtual private networks and application provisioning systems to provide ways for end-users and/or providers to control access, use, and communications associated with websites, online applications, and online services. Such systems and methods leverage techniques analogous to technologies known for implementing man-in-the-middle (MITM) attacks.”
Amro et al. (US 20240089301 A1) teaches “A system and method are described for information extraction from network traffic traces that are both encrypted and non-encrypted. The system includes a client computer and a remote computer, where the client computer communicates data over a network. The client computer sets a session key log file environment variable, such that when the client computer launches a supported browser, a session key log file (KLF) is created, computer network traffic traces are captured by retrieving data from encrypted traffic, and the KLF and captured traffic are periodically transferred to a remote server. A remote computer performs traffic mining to analyze the captured traffic traces and extract sensitive pieces of information.”
Yin et al. (US 20250260677 A1) teaches “The disclosed technology teaches a method for security monitoring in TLS or other certificate-pinned sessions by a cloud-based network security system. An endpoint routing client directs sessions through an inspection proxy by secure tunneling. A secure web gateway buffers encrypted packets in a new session with a cloud-based resource, detects a connection access request from a certificate-pinned application, requests and receives key extraction, and forwards keys to the security system. Traffic is buffered for decryption and forwarded without modification until the keys are available. The keys are applied to allow decryption and re-encryption, on a proxy basis, of traffic between the client and a cloud based system. The inspection proxy applies security policies, even to the TLS or other certificate-pinned session.”
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SIMON P KANAAN whose telephone number is (571)270-3906. The examiner can normally be reached on M-F (7AM-4PM).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Catherine Thiaw can be reached on (571) 272-1183. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SIMON P KANAAN/Primary Examiner, Art Unit 2407