DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Applicant's amendments filed on 03/04/2026 have been received and entered. Claims 1-25 are currently pending.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 03/04/2026 has been entered.
Response to Arguments
Applicant argues on pages 8-11 of applicant’s remarks that the cited references do not teach or suggest a Secure Web Gateway that starts a stream in bypass, then, after the receipt of a symmetrical session key, takes over as an interception proxy.
The examiner respectfully disagrees. The examiner refers to the below 103 rejection of the claims. In particular, Bannister teaches a new session with remote service that uses pinned certificate (Fig. 10A, Fig. 10B, paragraph [0006], [0042], [0065], [0069], [0074], [0076]). In an analogous art, Rahkonen teaches in the event that the security device detects that encrypted application messages are present in the traffic and the secrets are not yet known, the security device may send the application messages to the client without delay and store the encrypted messages for later inspection…obtaining session secrets… If the security device has buffered encrypted application messages, the security device may decrypt such application messages and inspect and monitor application messages. Rahkonen also teaches in the event that the security device detects that encrypted application messages are present in the traffic and the secrets are known… the security device may perform decryption on the application messages and handle the application messages in accordance with the security policy. Rahkonen also teaches obtain session secrets and decrypt encrypted messages and perform operations to traffic such as modifying content and/or delaying the messages ([0024]-[0025]). Therefore, Rahkonen teaches that inspection of messages is initially bypassed when the session secrets are not known. And when the session secrets are obtained at a later time, messages are inspected according to security policies, wherein the messages are decrypted and modified. 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Bannister of decrypting and analyzing traffic with the teachings of Rahkonen to include buffering data, and decrypting and analyzing buffered data, in order to buffer encrypted data when session keys are not available yet and to decrypt and analyze the buffered data when session keys are available, to ensure that all traffic is analyzed.
In another analogous art, Cosgrove teaches re-encrypting traffic ([0220]). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Bannister in view of Rahkonen of decrypting and analyzing traffic with the teachings of Cosgrove to include re-encrypting traffic in order to provide secure communication of the traffic data between the client and the remote services.
Therefore, the combination of Bannister in view of Rahkonen and Cosgrove teaches limitations of the claims.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 3, 5-8, 10, 12, 14, 16, 18-20, 22 and 24-25 are rejected under 35 U.S.C. 103 as being unpatentable over Bannister et al. US2020/0236093 hereinafter referred to as Bannister, in view of Rahkonen et al. US2020/0092264 hereinafter referred to as Rahkonen, and Cosgrove US2022/0360594.
As per claim 1, Bannister teaches a computer-implemented method of security monitoring of and generating alerts during a Transport Layer Security (“TLS”) or other pinned certificate session, the method including: on a client device, using an endpoint routing client to securely tunnel sessions with cloud-based resources via a public network through a secure web gateway (Bannister Fig. 10A, Fig. 10B, paragraph [0005], [0074], [0076], communications between client device and remote services are via intermediate computing environment);
for a new session with a cloud-based resource that uses a pinned certificate, detecting initiation of the new session and sending a request to a key extractor running on the client device to perform a key extraction for one or more keys being used in the new session (Bannister Fig. 10A, Fig. 10B, paragraph [0006], [0042], [0065], [0069], [0074], [0076], detect new session with remote service that uses pinned certificate, and trigger to extract encryption key(s));
the secure web gateway bi-directionally forwarding the encrypted packets between the client device and the cloud-based resource (Bannister Fig. 10A, Fig. 10B, paragraph [0005], [0076], intermediate computing environment provides bidirectional forwarding of encrypted packets).
Bannister does not explicitly disclose secure web gateway, as part of allowing packets to bypass inspection, buffering encrypted packets;
receiving one or more extracted keys, applying the extracted keys to session traffic in the buffer, and decrypting the buffered packets; and
following receipt of a symmetrical session key that is being used during new session, the secure web gateway taking over as an inspection proxy of the new session and changing at least one byte in the new session in at least one direction of the new session, wherein taking over as the inspection proxy includes decrypting traffic in at least one direction.
Rahkonen teaches secure web gateway, as part of allowing packets to bypass inspection, buffering encrypted packets (Rahkonen paragraph [0024]-[0025], buffering encrypted packets. In the event that the security device detects that encrypted application messages are present in the traffic and the secrets are not yet known, the security device may send the application messages to the client without delay and store the encrypted messages for later inspection);
receiving one or more extracted keys, applying the extracted keys to session traffic in the buffer, and decrypting the buffered packets (Rahkonen paragraph [0024]-[0025], obtain session secrets … If the security device has buffered encrypted application messages, the security device may decrypt such application messages and inspect and monitor application messages); and
following receipt of a symmetrical session key that is being used during new session, the secure web gateway taking over as an inspection proxy of the new session and changing at least one byte in the new session in at least one direction of the new session, wherein taking over as the inspection proxy includes decrypting traffic in at least one direction (Rahkonen paragraph [0024]-[0025], obtain session secrets and decrypt encrypted messages and perform operations to traffic such as modifying content and/or delaying the messages. In the event that the security device detects that encrypted application messages are present in the traffic and the secrets are not yet known, the security device may send the application messages to the client without delay and store the encrypted messages for later inspection… obtain session secrets … In the event that the security device detects that encrypted application messages are present in the traffic and the secrets are known… the security device may perform decryption on the application messages and handle the application messages in accordance with the security policy).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Bannister of decrypting and analyzing traffic with the teachings of Rahkonen to include buffering data, and decrypting and analyzing buffered data, in order to buffer encrypted data when session keys are not available yet and to decrypt and analyze the buffered data when session keys are available, to ensure that all traffic is analyzed.
Bannister in view of Rahkonen does not explicitly disclose re-encrypting traffic in at least one direction.
Cosgrove teaches re-encrypting traffic in at least one direction (Cosgrove paragraph [0220], re-encrypting traffic).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Bannister in view of Rahkonen of decrypting and analyzing traffic with the teachings of Cosgrove to include re-encrypting traffic in order to provide secure communication of the traffic data between the client and the remote services.
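The bypass-then-intercept behaviour attributed above to Rahkonen (forward and buffer records while the session secrets are unknown, decrypt and inspect the buffer once the key extractor delivers the key, then inspect and modify live records) and to Cosgrove (re-encrypt before forwarding), as an added simulation; this is not code from the application or from any cited reference. The record cipher is a constructed HMAC-keystream stand-in for the TLS record layer, and the policy and its marker are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the TLS record cipher: an HMAC-SHA256 keystream in
# counter mode, XORed over the record; the record sequence number is the nonce.
def _keystream(key: bytes, seq: int, length: int) -> bytes:
    out = b""
    block = 0
    while len(out) < length:
        msg = seq.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def seal(key: bytes, seq: int, data: bytes) -> bytes:
    """Encrypt (and, since XOR is symmetric, decrypt) one record."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, seq, len(data))))

# Hypothetical policy: a sensitivity marker in client-to-server traffic is an
# alert condition, and the gateway redacts it (the "changing at least one byte").
MARKER = b"CONFIDENTIAL"

def policy(direction: str, plaintext: bytes):
    if direction == "c2s" and MARKER in plaintext:
        return "alert", plaintext.replace(MARKER, b"X" * len(MARKER))
    return None, plaintext

@dataclass
class Gateway:
    key: Optional[bytes] = None                    # session key, unknown at start
    buffered: list = field(default_factory=list)   # (seq, direction, ciphertext)
    alerts: list = field(default_factory=list)     # (seq, direction, phase)
    mode: str = "bypass"

    def on_record(self, seq: int, direction: str, ciphertext: bytes) -> bytes:
        """Return the bytes to forward for one encrypted record."""
        if self.key is None:
            # Bypass: forward unchanged without delay, keep a copy for later.
            self.buffered.append((seq, direction, ciphertext))
            return ciphertext
        # Inspection proxy: decrypt, apply policy, re-encrypt, forward.
        plaintext = seal(self.key, seq, ciphertext)
        verdict, new_plaintext = policy(direction, plaintext)
        if verdict:
            self.alerts.append((seq, direction, "inspect"))
        return seal(self.key, seq, new_plaintext)

    def on_key(self, key: bytes) -> int:
        """Key extractor delivered the session key: inspect the buffer, take over."""
        self.key = key
        self.mode = "inspect"
        for seq, direction, ct in self.buffered:
            verdict, _ = policy(direction, seal(key, seq, ct))
            if verdict:
                # Already forwarded during bypass, so this can only raise an alert.
                self.alerts.append((seq, direction, "buffered"))
        count = len(self.buffered)
        self.buffered.clear()
        return count

def demo():
    # Constructed session: the client derives the key; the gateway learns it later.
    session_key = hashlib.sha256(b"constructed-session-key").digest()
    gw = Gateway()
    rec1 = seal(session_key, 1, b"GET /inbox HTTP/1.1")
    rec2 = seal(session_key, 2, b"POST /upload CONFIDENTIAL-report")
    untouched = gw.on_record(1, "c2s", rec1) == rec1
    untouched = untouched and gw.on_record(2, "c2s", rec2) == rec2
    untouched = untouched and gw.mode == "bypass"
    inspected = gw.on_key(session_key)          # buffered records now inspected
    rec3 = seal(session_key, 3, b"POST /upload CONFIDENTIAL-memo")
    server_sees = seal(session_key, 3, gw.on_record(3, "c2s", rec3))
    return untouched, inspected, gw.alerts, server_sees
```

Records 1 and 2 leave the gateway untouched while it lacks the key; record 2 still yields an alert once the buffer is decrypted, and record 3, arriving after takeover, reaches the server with the marker redacted.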
As per claim 3, Bannister in view of Rahkonen and Cosgrove teaches the computer-implemented method of claim 1, further including: on the client device, successively receiving a plurality of extracted keys and forwarding them to the secure web gateway, wherein: the new session begins using asymmetrical keys, and the new session includes deriving a symmetrical key; and the secure web gateway applying the symmetrical key to decrypt the session traffic (Bannister Fig. 10A, Fig. 10B, paragraph [0010], [0042], [0065], [0069], [0074], [0076]-[0077], [0079], on the client device extracting and sending encryption keys to intermediate computing environment. New session begins with asymmetric encryption handshake and a shared symmetric key is derived. Traffic is decrypted with the extracted symmetric key).
As per claim 5, Bannister in view of Rahkonen and Cosgrove teaches the computer-implemented method of claim 1, further including decrypting multiple sessions, wherein: each session of the multiple sessions includes an encrypted substream of session data, and the secure web gateway successively buffers the encrypted substream of session data corresponding to each session of the multiple sessions, and the secure web gateway successively decrypts the encrypted substream of session data corresponding to each session of the multiple sessions as the multiple substreams of session data were buffered (Bannister Fig. 10A, Fig. 10B, paragraph [0010], [0042], [0074], [0076]-[0077], [0079], traffic is decrypted with the extracted symmetric key and analyzed; Rahkonen Fig. 2, paragraph [0020], [0023]-[0025], plurality of client devices; buffer encrypted messages, obtain session secrets, decrypt encrypted messages and analyze the messages) (It is obvious to one of ordinary skill in the art that each client device has its own sessions) (Although Bannister in view of Rahkonen and Cosgrove does not explicitly disclose decrypting multiple sessions in a sequential order, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to try decrypting multiple sessions in a sequential order. There are only two options of how to decrypt the sessions, in sequential order or not in sequential order, and the result will be the same: the sessions will be decrypted.) (Although Bannister in view of Rahkonen and Cosgrove does not explicitly disclose decrypts … data corresponding to each session … in the same order as the multiple substreams of session data were buffered, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to try to decrypt data in the same order as they were buffered. There are only two options of how to decrypt the data, in the same order as they were buffered or not in the same order as they were buffered, and the result will be the same: the data will be decrypted.).
As per claim 6, Bannister in view of Rahkonen and Cosgrove teaches the computer-implemented method of claim 1, wherein the one or more extracted keys are extracted from a virtual address space associated with a client device TLS or other pinned certificate handling process (Bannister Fig. 10A, Fig. 10B, paragraph [0006], [0042], [0065], [0069], extract encryption key(s)).
As per claim 7, Bannister in view of Rahkonen and Cosgrove teaches the computer-implemented method of claim 6, wherein the one or more extracted keys are associated with a specific TLS or other pinned certificate protocol, enabling at least one of the secure web gateway to apply the extracted keys to session traffic in the buffer and decrypt the buffered packets (Bannister Fig. 10A, Fig. 10B, paragraph [0006], [0042], [0065], [0069], [0076], use extracted encryption key(s) to decrypt data; Rahkonen paragraph [0024]-[0025], obtain session secrets and decrypt encrypted messages in the buffer).
As per claim 8, Bannister in view of Rahkonen and Cosgrove teaches the computer-implemented method of claim 7, wherein the secure forwarding of the one or more extracted keys further includes matching the one or more extracted keys to the specific TLS or other pinned certificate protocol used in the new session (Bannister Fig. 10A, Fig. 10B, paragraph [0010], [0042], [0074], [0076]-[0077], [0079], obtain extracted keys, and traffic is decrypted with the extracted symmetric key and analyzed; Rahkonen Fig. 2, paragraph [0020], [0023]-[0025], plurality of client devices; buffer encrypted messages, obtain session secrets, decrypt encrypted messages and analyze the messages).
As per claim 10, Bannister in view of Rahkonen and Cosgrove teaches the computer-implemented method of claim 1, wherein the pinned certificate is an accepted certificate located in a local storage on the client device (Bannister Fig. 10A, Fig. 10B, paragraph [0010], Rahkonen paragraph [0003]).
As per claim 12, Bannister in view of Rahkonen and Cosgrove teaches the computer-implemented method of claim 1, wherein session data need to be buffered in order to process the buffered packets (Rahkonen paragraph [0024]-[0025], obtain session secrets, decrypt encrypted messages in the buffer and analyze the messages) (Although Bannister in view of Rahkonen and Cosgrove does not explicitly disclose less than four kilobytes of session data, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to try to have less than four kilobytes of session data. There are only two options for the session data, having less than four kilobytes or not having less than four kilobytes, and the result will be the same: the session data will be decrypted and analyzed.).
As per claims 14, 16, 18-20, 22 and 24-25, the claims claim a non-transitory computer readable medium and a system essentially corresponding to the method claims 1, 3 and 5-6 above, and they are rejected, at least for the same reasons.
Claims 2, 11, 15 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Bannister in view of Rahkonen and Cosgrove, and further in view of Bronshtein et al. US2017/0310670 hereinafter referred to as Bronshtein.
As per claim 2, Bannister in view of Rahkonen and Cosgrove teaches the computer-implemented method of claim 1, including review of the decrypted traffic (Bannister Fig. 10A, Fig. 10B, paragraph [0076]; Rahkonen paragraph [0025]).
Bannister in view of Rahkonen and Cosgrove does not explicitly disclose further including: detecting, from review of traffic, a security condition that requires injecting data into session; wherein taking over as an inspection proxy is delayed until after the detecting.
Bronshtein teaches further including: detecting, from review of traffic, a security condition that requires injecting data into session; wherein taking over as an inspection proxy is delayed until after the detecting (Bronshtein paragraph [0058]-[0059], [0072], [0074], detect a security threat and modify response by injecting/simulating a server response).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Bannister in view of Rahkonen and Cosgrove of decrypting and analyzing traffic with the teachings of Bronshtein to include detecting a security threat and modifying response by injecting/simulating a server response in order to discard data that presents a security threat.
As per claim 11, Bannister in view of Rahkonen and Cosgrove teaches the computer-implemented method of claim 10.
Bannister in view of Rahkonen and Cosgrove does not explicitly disclose wherein pinned certificate is detected in local storage using a signature specific to one or more libraries used by cloud-based resource.
Bronshtein teaches wherein pinned certificate is detected in local storage using a signature specific to one or more libraries used by cloud-based resource (Bronshtein [0066], detect local stored data and authenticate server).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Bannister in view of Rahkonen and Cosgrove of establishing a session using a pinned certificate with the teachings of Bronshtein to include detecting locally stored data and authenticating the server, because the results would have been predictable and resulted in authenticating the server based on the locally stored data.
As per claims 15 and 21, the claims claim a non-transitory computer readable medium and a system essentially corresponding to the method claim 2 above, and they are rejected, at least for the same reasons.
Claims 4, 17 and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Bannister in view of Rahkonen and Cosgrove, and further in view of Slovetskiy US2022/0060450.
As per claim 4, Bannister in view of Rahkonen and Cosgrove teaches the computer-implemented method of claim 1, further including: on the client device, successively receiving a plurality of extracted keys and forwarding them to the secure web gateway; and the secure web gateway applying the symmetrical key to decrypt the session traffic (Bannister Fig. 10A, Fig. 10B, paragraph [0010], [0042], [0074], [0076]-[0077], [0079], on the client device extracting and sending encryption keys to intermediate computing environment. Traffic is decrypted with the extracted symmetric key).
Bannister in view of Rahkonen and Cosgrove does not explicitly disclose wherein: new session resumes a prior session with less than a full handshake, including deriving a symmetrical key.
Slovetskiy teaches wherein: new session resumes a prior session with less than a full handshake, including deriving a symmetrical key (Slovetskiy paragraph [0037], resume session without full handshake).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Bannister in view of Rahkonen and Cosgrove of establishing a session using a pinned certificate with the teachings of Slovetskiy to include resuming a session without full handshake because the results would have been predictable and resulted in a session being resumed without performing full handshake.
As per claims 17 and 23, the claims claim a non-transitory computer readable medium and a system essentially corresponding to the method claim 4 above, and they are rejected, at least for the same reasons.
Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Bannister in view of Rahkonen and Cosgrove, and further in view of Willebeek-LeMair et al. US2003/0204632 hereinafter referred to as Willebeek-LeMair.
As per claim 9, Bannister in view of Rahkonen and Cosgrove teaches the computer-implemented method of claim 1.
Bannister in view of Rahkonen and Cosgrove does not explicitly disclose wherein an administrator terminates session in response to an alert received from secure web gateway.
Willebeek-LeMair teaches wherein an administrator terminates session in response to an alert received from secure web gateway (Willebeek-LeMair [0072], alert admin and terminate session).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Bannister in view of Rahkonen and Cosgrove of decrypting and analyzing traffic with the teachings of Willebeek-LeMair to include alerting an admin and terminating a session in order to alert an admin of a security threat and to terminate the session.
Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Bannister in view of Rahkonen and Cosgrove, and further in view of Franzoni Martinez US2017/0063883.
As per claim 13, Bannister in view of Rahkonen and Cosgrove teaches the computer-implemented method of claim 1, including a decrypted session data stream (Bannister Fig. 10A, Fig. 10B, paragraph [0010], [0042], [0074], [0076]-[0077], [0079], traffic is decrypted with the extracted symmetric key; Rahkonen paragraph [0024]-[0025], obtain session secrets and decrypt encrypted messages in the buffer).
Bannister in view of Rahkonen and Cosgrove does not explicitly disclose further including an administrator establishing at least one security policy that defines a particular security condition associated with particular content.
Franzoni Martinez teaches further including an administrator establishing at least one security policy that defines a particular security condition associated with particular content (Franzoni Martinez paragraph [0072], admin defines policy).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Bannister in view of Rahkonen and Cosgrove of decrypting and analyzing traffic with the teachings of Franzoni Martinez to include an admin defining policies, in order to provide an interface where an administrator is able to configure/set security policies of the intermediate computing environment for analyzing traffic data.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HENRY TSANG whose telephone number is (571)270-7959. The examiner can normally be reached M-F 9am - 5pm EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached at (571) 272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/HENRY TSANG/ Primary Examiner, Art Unit 2495