Prosecution Insights
Last updated: April 19, 2026
Application No. 18/424,719

CRYPTOGRAPHIC SYSTEM AND METHOD FOR DYNAMIC AND AUTOMATED SECURE PRESHARED KEY ROTATION AND DISTRIBUTION

Status: Non-Final OA (§103)
Filed: Jan 26, 2024
Examiner: SARKER, SANCHIT K
Art Unit: 2495
Tech Center: 2400 — Computer Networks
Assignee: Nokia Solutions and Networks Oy
OA Round: 1 (Non-Final)
Grant Probability: 78% (Favorable)
Expected OA Rounds: 1-2
Time to Grant: 2y 8m
Grant Probability With Interview: 99%

Examiner Intelligence

Career Allow Rate: 78% (305 granted / 391 resolved), +20.0% vs TC avg, above average
Interview Lift: +49.5% for resolved cases with interview (strong +50% lift)
Typical Timeline: 2y 8m average prosecution; 19 applications currently pending
Career History: 410 total applications across all art units

Statute-Specific Performance (examiner rate, difference vs Tech Center average)

§101: 10.9% (-29.1% vs TC avg)
§102: 6.1% (-33.9% vs TC avg)
§103: 56.5% (+16.5% vs TC avg)
§112: 17.9% (-22.1% vs TC avg)
Tech Center average is an estimate. Based on career data from 391 resolved cases.

Office Action

§103
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

This Office Action is in response to the application 18/424,719 filed on 01/26/2024. Claims 1-20 have been examined and are pending in this application.

Information Disclosure Statement

The information disclosure statements (IDS), submitted on 05/14/2025 and 05/17/2024, are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Chen (CN 110730071) and in view of Evans (US 2015/0288517).

Regarding claim 1, Chen discloses a method, comprising: creating a first security association (SA) or secured message (SM) between a first endpoint and a second endpoint based on a first pre-shared key (PSK) (Chen par. 0043, 0047 and 0059; IKE protocol is the core of the IPSec protocol suite, which is responsible for dynamically negotiating and managing the IPSec security association SA. The main content is now more using IKEv2, the IKEv2 protocol includes an initial exchange and subsequent exchange and subsequent exchange comprising: CREAT-CHILD-SA or INFORMATIONAL EXCHANGE. The pre-shared key authentication mode, the authentication data in the authentication load is calculated according to the key pre-sharing is obtained. See also par. 0020-0022); transmitting one or more subsequent PSKs from the first endpoint to the second endpoint with secure communication support by the first SA or SM (Chen par. 0048 and 0049; Subsequent exchange comprising: CREAT-CHILD-SA or INFORMATIONAL EXCHANGE. function CREATE-CHILD-SA is completed with 3: 1, performing key updating is IKE-SA (rekey); 2, the negotiation of new IPSec SA, 3, IPSec SA is IKE-SA generated by performing key updating (rekey). INFORMATIONAL EXCHANGE exchange is used for transmitting control information to each other, such as deleting a particular security association, request configuration, notifying the specific events, and the like); creating a SA between the first endpoint and the second endpoint based on a second PSK, wherein the second PSK is one of the subsequent PSKs (Chen par. 0048 and 0049; Subsequent exchange comprising: CREAT-CHILD-SA or INFORMATIONAL EXCHANGE. function CREATE-CHILD-SA is completed with 3: 1, performing key updating is IKE-SA (rekey); 2, the negotiation of new IPSec SA, 3, IPSec SA is IKE-SA generated by performing key updating (rekey); and transmitting or receiving at least one message with secure communication support by the second SA or SM (Chen par. 0048 and 0049; Subsequent exchange comprising: CREAT-CHILD-SA or INFORMATIONAL EXCHANGE. function CREATE-CHILD-SA is completed with 3: 1, performing key updating is IKE-SA (rekey); 2, the negotiation of new IPSec SA, 3, IPSec SA is IKE-SA generated by performing key updating (rekey). INFORMATIONAL EXCHANGE exchange is used for transmitting control information to each other, such as deleting a particular security association, request configuration, notifying the specific events, and the like).

Chen teaches creating a SA between the first endpoint and the second endpoint based on a second PSK, wherein the second PSK is one of the subsequent PSKs (Chen par. 0048 and 0049). However, Chen does not explicitly teach creating a second SA between the first endpoint and the second endpoint based on a second PSK, wherein the second PSK is one of the subsequent PSKs. However, in an analogous field, Evans teaches creating a second SA between the first endpoint and the second endpoint based on a second PSK, wherein the second PSK is one of the subsequent PSKs (Evans par. 0027 and 0045; As set forth below, the system and method may utilize pre-shared keys, provided to both a client device and a server device, to enable secured communication between the client device and the server device. For example, the client device 10 and the server device 20 may each promote a new key from among a plurality of pre-shared keys after a predetermined time period (e.g., once per minute), where the clocks or timers in the client device 10 and the server device 20 are synchronized such that promotion of new keys occurs at substantially the same time, as depicted in the table below. See also par. 0029).

Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the teaching of Chen as taught by Evans in order to securely communicate with a server device wherein both the server device and a client device may be provided pre-shared keys (Evans par. 0012).

Regarding claim 2, Chen and Evans disclose the method of claim 1, Chen further discloses further comprising: before creating the second SA or SM, validating the second PSK via a validation message transmitted between the first and second endpoints (Chen par. 0059; The pre-shared key authentication mode, the authentication data in the authentication load is calculated according to the key pre-sharing is obtained).

Regarding claim 3, Chen and Evans disclose the method of claim 2, Chen further discloses wherein: the validation message contains a string encrypted by the second PSK; and the validation message is transmitted with secure communication support by the first SA or SM (Chen par. 0059; The pre-shared key authentication mode, the authentication data in the authentication load is calculated according to the key pre-sharing is obtained. if the initiator or responder for some reason leaked the key shared in advance, and if the public network from potential attacker intercepts IKE is protected by not-SA-INIT in the exchange process of the message content).

Regarding claim 4, Chen and Evans disclose the method of claim 1, Chen further discloses wherein: the transmission of the one or more subsequent PSKs comprises transmitting a key set comprising two or more subsequent PSKs; and the second PSK is a PSK selected from the key set of subsequent PSKs (Chen par. 0018-0020; Preferably, the function relation of the preset is: f (x) = ax + b of x1, y1 and x2, y2 can be calculated to obtain the predetermined function, a represents a coefficient, b represents a function of pre-shared key).

Regarding claim 5, Chen and Evans disclose the method of claim 4, Chen further discloses further comprising, before creating the second SA or SM, validating the second PSK via a validation message transmitted between the first endpoint and the second endpoint (Chen par. 0059; The pre-shared key authentication mode, the authentication data in the authentication load is calculated according to the key pre-sharing is obtained).

Regarding claim 6, Chen and Evans disclose the method of claim 5, Chen further discloses wherein: the validation message for the second PSK comprises a string encrypted by the second PSK; and the validation message for the second PSK is transmitted with secure communication support by the first SA or SM (Chen par. 0048 and 0049; Subsequent exchange comprising: CREAT-CHILD-SA or INFORMATIONAL EXCHANGE. function CREATE-CHILD-SA is completed with 3: 1, performing key updating is IKE-SA (rekey); 2, the negotiation of new IPSec SA, 3, IPSec SA is IKE-SA generated by performing key updating (rekey). INFORMATIONAL EXCHANGE exchange is used for transmitting control information to each other, such as deleting a particular security association, request configuration, notifying the specific events, and the like).

Regarding claim 7, Chen and Evans disclose the method of claim 6, Evans further discloses wherein the first PSK is a two-time-use key that is used in one instance of transmission to transmit the one or more subsequent PSKs, and is further used in one instance of transmission to transmit the validation message for the second PSK (Evans par. 0033; As an example, the client device 10 and the server device 20 may be provided the pre-shared keys and a clock synchronization signal at manufacture. The client device 10 may also be synchronized, loosely or precisely, with the server device 20 such that selection of a key from among the pre-shared keys may be synchronized. In this way, a key from among the pre-shared keys used by the client device 10 at any given time may correspond to a key requested or obtained from the protected memory 26 of the server device 20). Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the teaching of Chen as taught by Evans in order to securely communicate with a server device wherein both the server device and a client device may be provided pre-shared keys (Evans par. 0012).

Regarding claim 8, Chen and Evans disclose the method of claim 6, Chen further discloses further comprising: selecting a third PSK from the key set of subsequent PSKs; validating the third PSK via a validation message transmitted between the first and second endpoints with secure communication support by the second SA or SM, wherein said validation message contains a string encrypted by the second PSK; and creating a third SA or SM based on the third PSK (Chen par. 0053 and 0059; The pre-shared key authentication mode, the authentication data in the authentication load is calculated according to the key pre-sharing is obtained. The secret linear equation and splitting pre-shared key authentication algorithm after the above improvement in authentication two parties does not store the real shared key into the memory after a pre-selected. Even if leakage all the secret, the attacker is not capable of calculating the real pre-shared key, also cannot pass through authentication, so the improved algorithm greatly reduces the possibility of pre-shared key leakage, improves the safety of the pre-shared key algorithm. after addition, if there is a third party malicious imitation legal authentication one, then both the reconfigurable computing to obtain the pre-shared key is different, that cannot pass through the authentication step).

Regarding claim 9, Chen and Evans disclose the method of claim 8, Chen further discloses wherein the second PSK is a one-time-use key that is used in precisely one instance of transmission to transmit the third-PSK-validation message (Chen par. 0089; The secret linear equation and splitting pre-shared key authentication algorithm after the above improvement in authentication two parties does not store the real shared key into the memory after a pre-selected. Even if leakage all the secret, the attacker is not capable of calculating the real pre-shared key, also cannot pass through authentication, so the improved algorithm greatly reduces the possibility of pre-shared key leakage, improves the safety of the pre-shared key algorithm).

Regarding claim 10, Chen and Evans disclose the method of claim 4, Chen further discloses further comprising, after creating the second SA or SM, at least one instance of selecting a further PSK from the key set of subsequent PSKs and creating a further SA or SM based on the selected further PSK (Chen par. 0048 and 0049; Subsequent exchange comprising: CREAT-CHILD-SA or INFORMATIONAL EXCHANGE. function CREATE-CHILD-SA is completed with 3: 1, performing key updating is IKE-SA (rekey); 2, the negotiation of new IPSec SA, 3, IPSec SA is IKE-SA generated by performing key updating (rekey)).

Regarding claim 11, Chen and Evans disclose the method of claim 10, Chen further discloses comprising two or more instances of creating a further SA or SM from the key set of subsequent PSKs, wherein: each further SA or SM is based on a respective further PSK selected from the key set of subsequent PSKs; and the respective further PSKs are selected from the key set of subsequent PSKs according to a pre-agreed PSK rotation schedule (Chen claim 5; The power distribution communication device security authentication method according to claim 4, wherein the function relation of the preset is: f (x) = ax + b of x1, y1 and x2, y2 can be calculated to obtain the predetermined function, a represents a coefficient, b represents a function of pre-shared key. Chen teaches that the process receives (at 1405) a first set of firewall rules (e.g., firewall rules 1311 in FIG. 13). The first set of firewall rules include a first set of objects that have identifiers that are recognized by the data center network manager).

Regarding claim 12, Chen and Evans disclose the method of claim 10, Evans further discloses wherein: each PSK in the key set of subsequent PSKs has a respective index; and at least one of the further PSKs is selected on the basis that its respective index has become the next index in a PSK rotation schedule (Evans par. 0027; In one embodiment, the pre-shared keys may be truly random and not generated deterministically. By synchronizing the clocks of the client device and the server device in this embodiment, both the client device and the server device may index through the pre-shared keys in a synchronous manner so that both devices utilize the same pre-shared key for any given period. Because the pre-shared keys are truly random and not generated deterministically, attempts to compromise communication or fake authentication by guessing the pre-shared keys may be impossible. Each key from the pre-shared keys may not be functionally related to the other keys, unlike a hashing function based-system depending on one or more seeds, so that even if an adversary were to guess one key, the remaining keys may remain secure. In this way, reverse engineering or computing the pre-shared keys may be impossible, short of physically breaking into the server device or the client device and absconding with the list of pre-shared keys.). Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the teaching of Chen as taught by Evans in order to securely communicate with a server device wherein both the server device and a client device may be provided pre-shared keys (Evans par. 0012).

Regarding claim 13, Chen and Evans disclose the method of claim 12, Evans further discloses wherein: the PSK rotation schedule resides at a security operations center (SOC); the PSK index that is next in the PSK rotation cycle is identified in a rotation-request message from the SOC; the PSK index that is next is communicated in a rotation-request message from the SOC; the rotation-request message is transmitted from the SOC with secure communication support by a current SA or SM; and the method further comprises replacing the current SA or SM with a new SA or SM based on the PSK having the next index in the PSK rotation cycle (Evans par. 0031; The pre-shared keys used in secured communication may be stored in the protected storage 26 of the server device 20. Likewise, the pre-shared keys used in secured communication may be stored in the protected storage 16 of the client device 10. The protected storage 16 may be potted such that attempts to open the client device 10 to access the pre-shared keys destroys the contents of the protected storage 16 before it can be compromised. See also par. 0044). Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the teaching of Chen as taught by Evans in order to securely communicate with a server device wherein both the server device and a client device may be provided pre-shared keys (Evans par. 0012).

Regarding claim 14, Chen and Evans disclose the method of claim 12, Chen further discloses wherein: a set-refresh threshold is predetermined; and the method further comprises, when the selected PSK index reaches the set-refresh threshold, transmitting, from the first endpoint to the second endpoint, a new key set comprising two or more subsequent PSKs (Chen par. 0048 and 0049; Subsequent exchange comprising: creat-child-SA or informational exchange. function CREATE-CHILD-SA is completed with 3: 1, performing key updating is IKE-SA (rekey); 2, the negotiation of new IPSec SA, 3, IPSec SA is IKE-SA generated by performing key updating (rekey). INFORMATIONAL EXCHANGE exchange is used for transmitting control information to each other, such as deleting a particular security association, request configuration, notifying the specific events, and the like).

Regarding claim 15, Chen and Evans disclose the method of claim 1, Evans further discloses wherein the one or more subsequent PSKs are one-time pads (Evans par. 0049; The security of such a system may be further enhanced by decreasing the time interval between promotion of new keys. Indeed, as the time interval approaches zero, the security of this private pre-shared key method may approach that of the one-time pad, which is considered by many to be impossible to compromise if used correctly). Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the teaching of Chen as taught by Evans in order to securely communicate with a server device wherein both the server device and a client device may be provided pre-shared keys (Evans par. 0012).

Regarding claims 16-19; claims 16-19 are directed to an apparatus associated with the method claimed in claims 1, 4 and 12-13 respectively. Claims 16-19 are similar in scope to claims 1, 4 and 12-13 respectively, and are therefore rejected under similar rationale respectively.

Regarding claim 20, Chen and Evans disclose the apparatus of claim 16, Chen further discloses wherein the circuitry is configured to encrypt the PSKs with one-time-use keys before transmitting them (Chen par. 0059; The pre-shared key authentication mode, the authentication data in the authentication load is calculated according to the key pre-sharing is obtained. if the initiator or responder for some reason leaked the key shared in advance, and if the public network from potential attacker intercepts IKE is protected by not-SA-INIT in the exchange process of the message content).

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to SANCHIT K SARKER whose telephone number is (571)270-7907. The examiner can normally be reached M-F 8:30 AM-5:30 PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, FARID HOMAYOUNMEHR can be reached at 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SANCHIT K SARKER/ Primary Examiner, Art Unit 2495
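The rotation flow that the rejection maps onto Chen and Evans (a first SA from an initial PSK, a key set of subsequent PSKs sent under that SA, a validation message for the next PSK carried inside the current SA, rotation by index, and a set-refresh threshold that triggers a new key set) is easier to reason about as a running exchange between both endpoints. The following is an added, self-contained Python simulation written for this page; it is not code from the application, from Nokia, or from either cited reference. The SA construction (HKDF-SHA256 per-direction keys, an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag and strict sequence numbers) is a stand-in for an IPsec SA, the initial PSK and key sets are generated inline, and the validation message (index plus a fixed string encrypted under the candidate PSK) is one reading of claims 2-3, chosen here rather than taken from the application.

```python
import hashlib
import hmac
import secrets
import struct


def hkdf(ikm, info, length=32):
    """HKDF-SHA256 (extract + expand) with a fixed salt; `info` labels the purpose."""
    prk = hmac.new(b"psk-rotation-salt", ikm, hashlib.sha256).digest()
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + block, i + 1
    return out[:length]


def keystream(key, seq, n):
    """Counter-mode keystream from HMAC-SHA256; a (key, seq) pair must never repeat."""
    blocks = (hmac.new(key, struct.pack(">QQ", seq, b), hashlib.sha256).digest()
              for b in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class SA:
    """Stand-in for an IPsec SA: per-direction keys from one PSK, encrypt-then-MAC,
    and strictly increasing sequence numbers so a captured record cannot be replayed."""

    def __init__(self, psk, tx_label, rx_label):
        self.tx = (hkdf(psk, b"enc|" + tx_label), hkdf(psk, b"mac|" + tx_label))
        self.rx = (hkdf(psk, b"enc|" + rx_label), hkdf(psk, b"mac|" + rx_label))
        self.tx_seq = self.rx_seq = 0

    def protect(self, plaintext):
        hdr = struct.pack(">Q", self.tx_seq)
        ct = xor(plaintext, keystream(self.tx[0], self.tx_seq, len(plaintext)))
        self.tx_seq += 1
        return hdr + ct + hmac.new(self.tx[1], hdr + ct, hashlib.sha256).digest()

    def unprotect(self, record):
        hdr, ct, tag = record[:8], record[8:-32], record[-32:]
        if not hmac.compare_digest(tag, hmac.new(self.rx[1], hdr + ct, hashlib.sha256).digest()):
            raise ValueError("integrity check failed")
        seq = struct.unpack(">Q", hdr)[0]
        if seq != self.rx_seq:  # reject replayed or reordered records
            raise ValueError("unexpected sequence number")
        self.rx_seq += 1
        return xor(ct, keystream(self.rx[0], seq, len(ct)))


class Endpoint:
    VALIDATE = b"PSK-VALIDATE"  # fixed string encrypted under the candidate PSK (assumed format)

    def __init__(self, name, peer, first_psk):
        self.name, self.peer = name.encode(), peer.encode()
        self.key_set = []  # subsequent PSKs, distributed under the current SA
        self.install_sa(first_psk)

    def install_sa(self, psk):
        # A's transmit direction is B's receive direction, so the labels are mirrored.
        self.sa = SA(psk, self.name + b"->" + self.peer, self.peer + b"->" + self.name)

    def send_key_set(self, count):
        """Claims 1 and 4: a key set of independent random PSKs, sent under the current SA."""
        self.key_set = [secrets.token_bytes(32) for _ in range(count)]
        return self.sa.protect(b"".join(self.key_set))

    def recv_key_set(self, record):
        raw = self.sa.unprotect(record)
        self.key_set = [raw[i:i + 32] for i in range(0, len(raw), 32)]

    def validation_message(self, index):
        """Claims 2-3 and 12: prove we hold PSK[index] before either side rotates to it."""
        cand = hkdf(self.key_set[index], b"validate")
        inner = struct.pack(">I", index) + xor(self.VALIDATE, keystream(cand, 0, len(self.VALIDATE)))
        return self.sa.protect(inner)  # carried inside the *current* SA, not in the clear

    def check_validation(self, record):
        inner = self.sa.unprotect(record)
        index = struct.unpack(">I", inner[:4])[0]
        cand = hkdf(self.key_set[index], b"validate")
        if xor(inner[4:], keystream(cand, 0, len(inner) - 4)) != self.VALIDATE:
            raise ValueError("peer's candidate PSK does not match ours")
        return index

    def rotate(self, index):
        self.install_sa(self.key_set[index])


def run_rotation(set_size=4, refresh_threshold=3, rounds=5):
    """Drive both endpoints through `rounds` rotations; return a readable transcript."""
    first_psk = secrets.token_bytes(32)  # constructed: the out-of-band initial PSK
    a, b = Endpoint("A", "B", first_psk), Endpoint("B", "A", first_psk)
    b.recv_key_set(a.send_key_set(set_size))
    next_index, log = 0, []
    for _ in range(rounds):
        if next_index == refresh_threshold:  # claim 14: set-refresh threshold reached
            b.recv_key_set(a.send_key_set(set_size))
            next_index, log = 0, log + ["key set refreshed"]
        idx = b.check_validation(a.validation_message(next_index))
        a.rotate(idx), b.rotate(idx)  # both sides move to the SA based on PSK[idx]
        log.append(b.sa.unprotect(a.sa.protect(b"hello under PSK #%d" % idx)).decode())
        next_index += 1
    return log
```

Two checks a practitioner would want are built in: a record captured from one SA fails the sequence check if replayed, and a peer whose key set has drifted fails validation before any traffic moves to the new SA, which is the safe failure. The example also shows why the index rather than the key travels in the validation message; the candidate PSK itself is never transmitted again after the key set exchange.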

Prosecution Timeline

Jan 26, 2024
Application Filed
Jan 08, 2026
Non-Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12579285: CENTRAL DATA GOVERNANCE AND ACCESS CONTROL FOR ENTERPRISE DATA (granted Mar 17, 2026; 2y 5m to grant)
Patent 12579291: SYSTEMS AND METHODS FOR ADAPTIVE DIGITAL REINFORCEMENT LEARNING (granted Mar 17, 2026; 2y 5m to grant)
Patent 12579305: DATA SECURITY FOR MACHINE LEARNING SYSTEMS (granted Mar 17, 2026; 2y 5m to grant)
Patent 12566870: COMMUNICATION METHOD, DEVICE, AND SYSTEM FOR OBTAINING AUTHORIZATION INFORMATION OF USER-RELATED DATA (granted Mar 03, 2026; 2y 5m to grant)
Patent 12561471: METHOD AND SYSTEM FOR DATA COMMUNICATION WITH DIFFERENTIALLY PRIVATE SET INTERSECTION (granted Feb 24, 2026; 2y 5m to grant)
Based on the 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 78% (99% with interview, +49.5%)
Median Time to Grant: 2y 8m
PTA Risk: Low
Based on 391 resolved cases by this examiner. Grant probability derived from career allow rate.
