Prosecution Insights
Last updated: July 17, 2026
Application No. 18/618,582

METHODS AND DEVICE FOR MULTI-LEVEL PORTABLE SECURE DATA STORAGE

Final Rejection §103
Filed
Mar 27, 2024
Examiner
NAJI, YOUNES
Art Unit
2445
Tech Center
2400 — Computer Networks
Assignee
Collins Aerospace
OA Round
2 (Final)
75%
Grant Probability
Favorable
3-4
OA Rounds
7m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 75% — above average
75%
Career Allowance Rate
332 granted / 443 resolved
+16.9% vs TC avg
Strong +73% interview lift
Without
With
+73.1%
Interview Lift
resolved cases with interview
Typical timeline
2y 11m
Avg Prosecution
31 currently pending
Career history
494
Total Applications
across all art units

Statute-Specific Performance

§101
0.9%
-39.1% vs TC avg
§103
94.3%
+54.3% vs TC avg
§102
2.4%
-37.6% vs TC avg
§112
2.1%
-37.9% vs TC avg
Black line = Tech Center average estimate • Based on career data from 443 resolved cases

Office Action

§103
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Applicant's submission filed on 01/21/2026 has been entered. Claims 1-20 have been examined. Claim Objections Claim 19 is objected to because of the following informalities: With regards to claim 19, the claim recites “wherein the first file store key is associated with the second certificate” Examiner believes it is a typo. Examiner suggests amending the claim to recite “wherein the second file store key is associated with the second certificate”. Appropriate correction is required. Response to Arguments Applicant’s arguments, see Remarks – Pages 7-9, filed on 01/21/2026, with respect to the rejection(s) of claims 1, 12,18 under 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground of rejection is made in view of Karimzadeh. Applicant’s argument #1: Applicant argues that Holtzman fails to disclose or suggest a cryptography manager that manages access to the data storage. Response to Application argument #1 Applicant relied on his argument is that the memory system 10 of Holtzman does not disclose or suggest a cryptography manager – See Remarks – Page 9 Examiner respectfully disagrees. Holtzman teaches a memory system comprises controller (CPU 12) and crypto engine 40 which together function as cryptography manager to control access to data stored in the memory. All of the components of system 10 within the dotted line box may be enclosed in a single unit such as in memory card or stick 10' (Fig.1, ¶0063- ¶0065). Note: Karimzadeh also discloses the cryptography manager – See claim rejection below. With regards to claim interpretations, Examiner did not find any argument/amendment. Therefore, the claim interpretation (112 6th ) is maintained. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-9,11,18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Holtzman et al. Publication No. WO 2008/013655 A2 ( Holtzman hereinafter) in view of Karimzadeh et al. Publication No. US 2007/0006322 A1 ( Karimzadeh hereinafter) Regarding claim 1, Holtzman teaches a method for multi-level portable secure data storage (Fig.2), the method comprising: configuring a portable data storage device to communicate with a host device using a data bus interface (¶ 0063 - As shown in Fig. 1, the memory system 10 includes a central processing unit (CPU) 12, a buffer management unit (BMU) 14, a host interface module (HIM) 16 and a flash interface module (FIM) 18, a flash memory 20 and a peripheral access module (PAM) 22. Memory system 10 communicates with a host device 24 through a host interface bus 26 and port 26a. The flash memory 20 which may be of the NANO type, provides data storage for the host device 24) ; receiving a private key at the portable data storage device from the host device, wherein the private key corresponds to a unique digital identity (¶ 0067 - Thus, the host 24 associates each file that is cryptographically processed by system 10 with a key ID, and the system 10 associates each key value that is used to cryptographically process data with a key ID provided by the host. Thus, when the host requests that data be cryptographically processed, it will send the request along with a key ID along with the logical addresses of data to be fetched from or stored in memory 20 to system 10. System 10 generates or receives a key value and associates the key ID provided by the host 24 with such value, and performs the cryptographic processing – In other words, once the key value is stored in or generated by system 10, the system continues to allow the host 24 to manage the files by having exclusive control of FAT, while it maintains exclusive control for the management of the key value(s) used for cryptographic processing). authenticating the private key within the portable storage device; determining the unique digital identity of the private key has access to a storage area of a plurality of storage area within a non-volatile memory storage of the portable data storage device, accessing at least one data file within the storage area of the non-volatile memory storage. (¶ 0068 – ¶ 0070 - When a user or application requests to read encrypted data from memory 20, it will need to provide its identity and credential, the key ID for the key previously used to encrypt the requested data, and the logical addresses where the encrypted data is stored. System 10 will then match the user or application identity and credential provided by the host to those stored in its record. If they match, system 10 will then fetch from its memory the key value associated with the key ID provided by the user or application, decrypt the data stored at the addresses designated by the host device using the key value and send the decrypted data to the user or application. – See Also – ¶ 0072 ;¶ 0082 - In reference to Fig. 4, for example, File A is accessible to all entities without any authentication, since it is shown as not enclosed by any key ID. Even though File B in the public partition can be read or overwritten by all entities, it contains data encrypted with a key with ID "key l ", so that the information contained in File B is not accessible to an entity unless such entity has access to such key. In this manner using key values and key references or Key IDs provide logical protection only, as opposed to the type of protection provided by the partition described above. Hence, any host that can access a partition (public or private) is capable of reading or writing the data in the entire partition, including the encrypted data. However, since the data is encrypted, unauthorized users can only corrupt it - ¶ 0117 - The entity's credentials correspond to the login algorithm and are used by the SSA to verify and authenticate the user. An example for credential can be a password/ PIN number for password authentication, AES-key for AE authentication). However, Holtzman does not explicitly teach retrieving a first file store key within the portable storage device based on the determination that the private key has access to the storage area; and accessing at least one data file within the storage area of the non-volatile memory storage using the first file store key stored within the portable storage device. Karimzadeh teaches retrieving a first file store key within the portable storage device based on the determination that the private key has access to the storage area; and accessing at least one data file within the storage area of the non-volatile memory storage using the first file store key stored within the portable storage device (¶ 0049 - Each card also stores the owner's private key stored in a secure portion 26 of the card – ¶0057 - The private key associated with the certificate identifying the owner of, for example, the flash smart card, is maintained in the secure portion 26 of the database 28 and is accessed from the secure portion 26 upon authentication of the user. ¶0053 - The access control module 16 then associates the user with one of the keys stored in the secure portion, which is needed for decrypting the requested encrypted data files. If the level of access associated with the requested file for the user requesting access is allowed, the appropriate key is applied to decrypt the requested encrypted data files – Claim 32 - retrieving the patient private key and the encrypted randomly generated key in response to said authenticating, decrypting the encrypted randomly generated key automatically with the patient private key; decrypting the medical record with the randomly generated key; and allowing access to the user requesting read access in accordance with the access control matrix -See also Claim 33 ). It would have been obvious to one of ordinary skill in the art before the effective filling date of the invention to modify the teachings of Holtzman to include the teachings of Karimzadeh. The motivation to do so is to allow the system to provide a secure database format and access technology oriented towards portability, small footprint, security, and a distributed nature in a public environment, in which multiple users can have varying levels of access to the secure database (Karimzadeh – ¶ 0040). Regarding claim 2, Holtzman in view of Karimzadeh further teaches generating output to the computing device regarding the at least one data file within the storage area using the first file store key (Holtzman - ¶ 0068 – ¶ 0070 - When a user or application requests to read encrypted data from memory 20, it will need to provide its identity and credential, the key ID for the key previously used to encrypt the requested data, and the logical addresses where the encrypted data is stored. System 10 will then match the user or application identity and credential provided by the host to those stored in its record. If they match, system 10 will then fetch from its memory the key value associated with the key ID provided by the user or application, decrypt the data stored at the addresses designated by the host device using the key value and send the decrypted data to the user or application -See Also Karimzadeh – ¶ 0053, ¶ 0057, ¶ 0108, Claims 17 & 32). Regarding claim 3, Holtzman further teaches enabling a read/write operation within the storage area according to the unique digital identity of the private key (¶ 0068 – ¶ 0070 - When a user or application requests to read encrypted data from memory 20, it will need to provide its identity and credential, the key ID for the key previously used to encrypt the requested data, and the logical addresses where the encrypted data is stored. System 10 will then match the user or application identity and credential provided by the host to those stored in its record. If they match, system 10 will then fetch from its memory the key value associated with the key ID provided by the user or application, decrypt the data stored at the addresses designated by the host device using the key value and send the decrypted data to the user or application). Regarding claim 4, Holtzman further teaches wherein the interface of the portable data storage device enables the read/write operation to the storage area (Fig.1&2 - ¶ 0068 – ¶ 0070 - When a user or application requests to read encrypted data from memory 20, it will need to provide its identity and credential, the key ID for the key previously used to encrypt the requested data, and the logical addresses where the encrypted data is stored. System 10 will then match the user or application identity and credential provided by the host to those stored in its record. If they match, system 10 will then fetch from its memory the key value associated with the key ID provided by the user or application, decrypt the data stored at the addresses designated by the host device using the key value and send the decrypted data to the user or application - ¶ 0063 - As shown in Fig. 1, the memory system 10 includes a central processing unit (CPU) 12, a buffer management unit (BMU) 14, a host interface module (HIM) 16 and a flash interface module (FIM) 18, a flash memory 20 and a peripheral access module (PAM) 22. Memory system 10 communicates with a host device 24 through a host interface bus 26 and port 26a. The flash memory 20 which may be of the NANO type, provides data storage for the host device 24) ; Regarding claim 5, Holtzman further teaches a read only operation within the storage area according to the unique digital identify of the private key(Fig.1&2 - ¶ 0068 – ¶ 0070 - When a user or application requests to read encrypted data from memory 20, it will need to provide its identity and credential, the key ID for the key previously used to encrypt the requested data, and the logical addresses where the encrypted data is stored. System 10 will then match the user or application identity and credential provided by the host to those stored in its record. If they match, system 10 will then fetch from its memory the key value associated with the key ID provided by the user or application, decrypt the data stored at the addresses designated by the host device using the key value and send the decrypted data to the user or application – ¶ 0071 -some may have read only access, while others may have write access only, while still others may have both -See Also ¶ 0088). Regarding claim 6, Holtzman further teaches wherein the interface of the portable data storage device enables the read only operation to the storage area(Fig.1&2 - ¶ 0068 – ¶ 0070 - When a user or application requests to read encrypted data from memory 20, it will need to provide its identity and credential, the key ID for the key previously used to encrypt the requested data, and the logical addresses where the encrypted data is stored. System 10 will then match the user or application identity and credential provided by the host to those stored in its record. If they match, system 10 will then fetch from its memory the key value associated with the key ID provided by the user or application, decrypt the data stored at the addresses designated by the host device using the key value and send the decrypted data to the user or application – ¶ 0071 -some may have read only access, while others may have write access only, while still others may have both -See Also ¶ 0088). Regarding claim 7, Holtzman further teaches wherein the storage area includes an encrypted memory location within the non-volatile memory storage space(Fig.1&2 - ¶ 0068 – ¶ 0070 - When a user or application requests to read encrypted data from memory 20, it will need to provide its identity and credential, the key ID for the key previously used to encrypt the requested data, and the logical addresses where the encrypted data is stored. System 10 will then match the user or application identity and credential provided by the host to those stored in its record. If they match, system 10 will then fetch from its memory the key value associated with the key ID provided by the user or application, decrypt the data stored at the addresses designated by the host device using the key value and send the decrypted data to the user or application – ¶ 0066-¶ 0068 - the controller 12 has to rely on the host device to send the logical addresses of the data in the file in memory 20, so that the data of the particular file can be found and encrypted and/or decrypted by system 10 using the key value(s) available only to system 10). Regarding claim 8, Holtzman further teaches authenticating the private key ( ¶ 0068 – ¶ 0070). However, Holtzman does not explicitly teach matching the private key to a certificate stored within the non-volatile memory storage. Karimzadeh teaches matching the private key to a certificate stored within the non-volatile memory storage (Abstract - The database has a secure portion for storing security keys and a non-secure portion for encrypted data files Authentication of the owner/patient is preferably required to access the secure portion of the database – Claim 2 - additionally storing a private key associated with the certificate in the secure portion, wherein said allowing the requested access includes identifying the certificate with the user requesting access – ¶0057 - The private key associated with the certificate identifying the owner of, for example, the flash smart card, is maintained in the secure portion 26 of the database 28 and is accessed from the secure portion 26 upon authentication of the user. Claim 9 - wherein the stored security components include a private key and a certificate of the user requesting access, wherein the certificate comprises a public key of the user and identifies the user in the hierarchical structure, and wherein said accessing further comprises: retrieving the private key and the certificate of the user requesting access from the secure portion in response to said authenticating Claim 10 - providing challenge data in response to said retrieving; providing response data by digitally signing the challenge data with the private key; retrieving the public key from the certificate; and using the public key to validate the response data – Note: The matching is performed through challenge response logic where the private key signs data and the certification (public key) is retrieved to verify the signature). It would have been obvious to one of ordinary skill in the art before the effective filling date of the invention to modify the teachings of Holtzman to include the teachings of Karimzadeh. The motivation to do so is to allow the system to provide a secure database format and access technology oriented towards portability, small footprint, security, and a distributed nature in a public environment, in which multiple users can have varying levels of access to the secure database (Karimzadeh – ¶ 0040). Regarding claim 9, Holtzman does not explicitly teach associating the certificate from a certificate storage of the non-volatile memory storage with the first file store key. However, Karimzadeh teaches associating the certificate from a certificate storage of the non-volatile memory storage with the first file store key (¶ 0052 - The method may further include storing encrypted security components in the non-secure portion 28. Security components may include keys and certificates associated with each user. As is well-known to those skilled in the art, the certificate contains a public key associated with the owner of the certificate - ¶0048 - The secure portion 26 contains the security components, which include encryption/decryption keys, certificates, and so on – ¶ 0103- obtaining 194 the encrypted data from the non-secure potion 28 of the database, and accessing 196 a private key from the secure portion 26 of the portable database to decrypt 198 the symmetric key used to encrypt the data records. The method also preferably includes accessing 200 the digital signature attached to the encrypted data records, obtaining the certificate (which includes the public key) of the entity who signed the data, and validating 204 the signature. The results of the signature check, along with the unencrypted data records are preferably sent 206 to a display screen associated with a computer or PDA running the application). It would have been obvious to one of ordinary skill in the art before the effective filling date of the invention to modify the teachings of Holtzman to include the teachings of Karimzadeh. The motivation to do so is to allow the system to provide a secure database format and access technology oriented towards portability, small footprint, security, and a distributed nature in a public environment, in which multiple users can have varying levels of access to the secure database (Karimzadeh – ¶ 0040). Regarding claim 11, Holtzman in view of Karimzadeh further teaches reading or writing to the at least one data file within the storage area of the non-volatile memory storage using the first file store key ( Holtzman - ¶ 0068 – ¶ 0070 - When a user or application requests to read encrypted data from memory 20, it will need to provide its identity and credential, the key ID for the key previously used to encrypt the requested data, and the logical addresses where the encrypted data is stored. System 10 will then match the user or application identity and credential provided by the host to those stored in its record. If they match, system 10 will then fetch from its memory the key value associated with the key ID provided by the user or application, decrypt the data stored at the addresses designated by the host device using the key value and send the decrypted data to the user or application. – See Also – ¶ 0072 ;¶ 0082 - In reference to Fig. 4, for example, File A is accessible to all entities without any authentication, since it is shown as not enclosed by any key ID. Even though File B in the public partition can be read or overwritten by all entities, it contains data encrypted with a key with ID "key l ", so that the information contained in File B is not accessible to an entity unless such entity has access to such key. In this manner using key values and key references or Key IDs provide logical protection only, as opposed to the type of protection provided by the partition described above. Hence, any host that can access a partition (public or private) is capable of reading or writing the data in the entire partition, including the encrypted data. However, since the data is encrypted, unauthorized users can only corrupt it – Karimzadeh – Fig.1A, 10B, 11B, ¶ 0053, ¶0105). Regarding claim 18, Holtzman further teaches a method for secure multi-level portable secure data storage (Fig.2), the method comprising: configuring a portable data storage device to communicate with a host device using one of a read only data bus interface and a read/write data bus interface ¶ 0063 - As shown in Fig. 1, the memory system 10 includes a central processing unit (CPU) 12, a buffer management unit (BMU) 14, a host interface module (HIM) 16 and a flash interface module (FIM) 18, a flash memory 20 and a peripheral access module (PAM) 22. Memory system 10 communicates with a host device 24 through a host interface bus 26 and port 26a. The flash memory 20 which may be of the NANO type, provides data storage for the host device 24 -Fig.2 - ¶ 0067 - Thus, the host 24 associates each file that is cryptographically processed by system 10 with a key ID, and the system 10 associates each key value that is used to cryptographically process data with a key ID provided by the host. Thus, when the host requests that data be cryptographically processed, it will send the request along with a key ID along with the logical addresses of data to be fetched from or stored in memory 20 to system 10. System 10 generates or receives a key value and associates the key ID provided by the host 24 with such value, and performs the cryptographic processing – In other words, once the key value is stored in or generated by system 10, the system continues to allow the host 24 to manage the files by having exclusive control of FAT, while it maintains exclusive control for the management of the key value(s) used for cryptographic processing – See Also ¶ 0068 -¶0070); receiving a first private key at the portable data storage device from the host device, wherein the private key corresponds to a unique digital identity; authenticating the first private key within the portable storage device using a cryptography manager [..] a first certificate stored within a certificate storage of a non-volatile data storage of the portable storage device, determining a first data file storage having at least one data file[..]; determining a first access status for the first data file storage[..]; and enabling access to the first data file storage using the read only data bus interface or the read/write data bus interface based on the first access status (¶ 0068 – ¶ 0070 - When a user or application requests to read encrypted data from memory 20, it will need to provide its identity and credential, the key ID for the key previously used to encrypt the requested data, and the logical addresses where the encrypted data is stored. System 10 will then match the user or application identity and credential provided by the host to those stored in its record. If they match, system 10 will then fetch from its memory the key value associated with the key ID provided by the user or application, decrypt the data stored at the addresses designated by the host device using the key value and send the decrypted data to the user or application. – See Also – ¶ 0072 ;¶ 0082 - In reference to Fig. 4, for example, File A is accessible to all entities without any authentication, since it is shown as not enclosed by any key ID. Even though File B in the public partition can be read or overwritten by all entities, it contains data encrypted with a key with ID "key l ", so that the information contained in File B is not accessible to an entity unless such entity has access to such key. In this manner using key values and key references or Key IDs provide logical protection only, as opposed to the type of protection provided by the partition described above. Hence, any host that can access a partition (public or private) is capable of reading or writing the data in the entire partition, including the encrypted data. However, since the data is encrypted, unauthorized users can only corrupt it - - ¶ 0117 - The entity's credentials correspond to the login algorithm and are used by the SSA to verify and authenticate the user. An example for credential can be a password/ PIN number for password authentication, AES-key for AE authentication - ¶ 0013 - therefore desirable for an improved system to be provided which enables memory or storage devices to verify certificates without having to obtain certificate revocation lists – ¶ 0205 - Fig. 2 J is a schematic view illustrating a device certificate level hierarchy for illustrating 1 through n different certificate chains for devices using SSA such as storage devices) However, Holtzman does not explicitly teach authenticating the first private key using a cryptography manager by matching the first private key to a first certificate stored within a certificate storage, determining a first data file storage having at least one data file corresponds to the first certificate; determining a first access status for the first data file storage according to the first certificate; retrieving a first file store key within the nonvolatile data storage based on the authentication of the first private key, wherein the first file store key is associated with the first certificate enabling access to the first data file storage using the first file store key stored in the nonvolatile data storage. Karimzadeh teaches authenticating the first private key using a cryptography manager by matching the first private key to a first certificate stored within a certificate storage (Abstract - The database has a secure portion for storing security keys and a non-secure portion for encrypted data files Authentication of the owner/patient is preferably required to access the secure portion of the database – Claim 2 - additionally storing a private key associated with the certificate in the secure portion, wherein said allowing the requested access includes identifying the certificate with the user requesting access – Para 0057 - The private key associated with the certificate identifying the owner of, for example, the flash smart card, is maintained in the secure portion 26 of the database 28 and is accessed from the secure portion 26 upon authentication of the user. Claim 9 - wherein the stored security components include a private key and a certificate of the user requesting access, wherein the certificate comprises a public key of the user and identifies the user in the hierarchical structure, and wherein said accessing further comprises: retrieving the private key and the certificate of the user requesting access from the secure portion in response to said authenticating Claim 10 - providing challenge data in response to said retrieving; providing response data by digitally signing the challenge data with the private key; retrieving the public key from the certificate; and using the public key to validate the response data – Note: the examiner interprets cryptographic manager as the database and the associated processor performing the functions of retrieving the keys , challenge and validating certificate. The matching is performed through challenge response logic where the private key signs data and the certification (public key) is retrieved to verify the signature). determining a first data file storage having at least one data file corresponds to the first certificate, determining a first access status for the first data file storage according to the first certificate ( Abstract - The database has a secure portion for storing security keys and a non-secure portion for encrypted data files. Access to the encrypted data files is controlled by assigning access rights through an access control matrix to each encrypted data file according to a hierarchical structure of users. A user requesting access is identified in the hierarchy, associated with a key for allowing the requested access, and the requested access allowed to a file in accordance with the rights allocated through the access control matrix - patient can selectively grant access to encrypted medical records on his card to a physician. Authentication of the owner/patient is preferably required. Other records required by emergency medical personnel are readable from the same card without requiring permission from the patient. claim 2 - additionally storing a private key associated with the certificate in the secure portion, wherein said allowing the requested access includes identifying the certificate with the user requesting access). retrieving a first file store key within the nonvolatile data storage based on the authentication of the first private key, wherein the first file store key is associated with the first certificate , enabling access to the first data file storage using the first file store key stored in the nonvolatile data storage (¶ 0049 - Each card also stores the owner's private key stored in a secure portion 26 of the card – ¶0057 - The private key associated with the certificate identifying the owner of, for example, the flash smart card, is maintained in the secure portion 26 of the database 28 and is accessed from the secure portion 26 upon authentication of the user. ¶0052 -¶0053 - The access control module 16 then associates the user with one of the keys stored in the secure portion, which is needed for decrypting the requested encrypted data files. If the level of access associated with the requested file for the user requesting access is allowed, the appropriate key is applied to decrypt the requested encrypted data files – Claim 32 - retrieving the patient private key and the encrypted randomly generated key in response to said authenticating, decrypting the encrypted randomly generated key automatically with the patient private key; decrypting the medical record with the randomly generated key; and allowing access to the user requesting read access in accordance with the access control matrix -See Claim 33 – - ¶ 0048 - The secure portion 26 contains the security components, which include encryption/decryption keys, certificates, and so on – ¶ 0103- obtaining 194 the encrypted data from the non-secure potion 28 of the database, and accessing 196 a private key from the secure portion 26 of the portable database to decrypt 198 the symmetric key used to encrypt the data records. The method also preferably includes accessing 200 the digital signature attached to the encrypted data records, obtaining the certificate (which includes the public key) of the entity who signed the data, and validating 204 the signature. The results of the signature check, along with the unencrypted data records are preferably sent 206 to a display screen associated with a computer or PDA running the application).). It would have been obvious to one of ordinary skill in the art before the effective filling date of the invention to modify the teachings of Holtzman to include the teachings of Karimzadeh. The motivation to do so is to allow the system to provide a secure database format and access technology oriented towards portability, small footprint, security, and a distributed nature in a public environment, in which multiple users can have varying levels of access to the secure database (Karimzadeh – ¶ 0040). Regarding claim 19, Holtzman further teaches receiving a second private key at the portable data storage device; authenticating the second private key using the cryptography manager [..]; determining a second data file storage having at least one data file; determining a second access status for the second data file storage [..], wherein the second access status differs from the first access status; and enabling access to the second data file storage using the read only data bus interface or the read/write data bus interface based on the second access status(¶ 0068 – ¶ 0070 - When a user or application requests to read encrypted data from memory 20, it will need to provide its identity and credential, the key ID for the key previously used to encrypt the requested data, and the logical addresses where the encrypted data is stored. System 10 will then match the user or application identity and credential provided by the host to those stored in its record. If they match, system 10 will then fetch from its memory the key value associated with the key ID provided by the user or application, decrypt the data stored at the addresses designated by the host device using the key value and send the decrypted data to the user or application. – See Also – ¶ 0072 ;¶ 0082 - In reference to Fig. 4, for example, File A is accessible to all entities without any authentication, since it is shown as not enclosed by any key ID. Even though File B in the public partition can be read or overwritten by all entities, it contains data encrypted with a key with ID "key l ", so that the information contained in File B is not accessible to an entity unless such entity has access to such key. In this manner using key values and key references or Key IDs provide logical protection only, as opposed to the type of protection provided by the partition described above. Hence, any host that can access a partition (public or private) is capable of reading or writing the data in the entire partition, including the encrypted data. However, since the data is encrypted, unauthorized users can only corrupt it - ¶ 0117 - The entity's credentials correspond to the login algorithm and are used by the SSA to verify and authenticate the user. An example for credential can be a password/ PIN number for password authentication, AES-key for AE authentication). However, Holtzman does not explicitly teach authenticating the second private key using cryptography manager by matching the second private key to a second certificate stored with the certificate storage; determining a second data file storage having at least one data file corresponds to the second certificate; determining a second access status for the second data file storage according to the second certificate retrieving a second file store key within the nonvolatile data storage based on the authentication of the second private key, wherein the second file store key is associated with the first certificate , enabling access to the second data file storage using the second files tore key stored in the nonvolatile data storage. Karimzadeh teaches authenticating the second private key using cryptography manager by matching the second private key to a second certificate stored with the certificate storage; (Abstract - The database has a secure portion for storing security keys and a non-secure portion for encrypted data files Authentication of the owner/patient is preferably required to access the secure portion of the database – Claim 2 - additionally storing a private key associated with the certificate in the secure portion, wherein said allowing the requested access includes identifying the certificate with the user requesting access – ¶0057 - The private key associated with the certificate identifying the owner of, for example, the flash smart card, is maintained in the secure portion 26 of the database 28 and is accessed from the secure portion 26 upon authentication of the user. Claim 9 - wherein the stored security components include a private key and a certificate of the user requesting access, wherein the certificate comprises a public key of the user and identifies the user in the hierarchical structure, and wherein said accessing further comprises: retrieving the private key and the certificate of the user requesting access from the secure portion in response to said authenticating Claim 10 - providing challenge data in response to said retrieving; providing response data by digitally signing the challenge data with the private key; retrieving the public key from the certificate; and using the public key to validate the response data – Note: the examiner interprets cryptographic manager as the database and associated processor performing the functions of retrieving the keys , challenge and validating certificate. The matching is performed through challenge response logic where the private key signs data and the certification (public key) is retrieved to verify the signature). determining a second data file storage having at least one data file corresponds to the second certificate, determining a second access status for the first data file storage according to the second certificate ( Abstract - The database has a secure portion for storing security keys and a non-secure portion for encrypted data files. Access to the encrypted data files is controlled by assigning access rights through an access control matrix to each encrypted data file according to a hierarchical structure of users. A user requesting access is identified in the hierarchy, associated with a key for allowing the requested access, and the requested access allowed to a file in accordance with the rights allocated through the access control matrix - patient can selectively grant access to encrypted medical records on his card to a physician. Authentication of the owner/patient is preferably required. Other records required by emergency medical personnel are readable from the same card without requiring permission from the patient. claim 2 - additionally storing a private key associated with the certificate in the secure portion, wherein said allowing the requested access includes identifying the certificate with the user requesting access). retrieving a second file store key within the nonvolatile data storage based on the authentication of the second private key, wherein the second file store key is associated with the first certificate , enabling access to the second data file storage using the second files tore key stored in the nonvolatile data storage. (¶ 0049 - Each card also stores the owner's private key stored in a secure portion 26 of the card – ¶0057 - The private key associated with the certificate identifying the owner of, for example, the flash smart card, is maintained in the secure portion 26 of the database 28 and is accessed from the secure portion 26 upon authentication of the user. ¶0052 -¶0053 - The access control module 16 then associates the user with one of the keys stored in the secure portion, which is needed for decrypting the requested encrypted data files. If the level of access associated with the requested file for the user requesting access is allowed, the appropriate key is applied to decrypt the requested encrypted data files – Claim 32 - retrieving the patient private key and the encrypted randomly generated key in response to said authenticating, decrypting the encrypted randomly generated key automatically with the patient private key; decrypting the medical record with the randomly generated key; and allowing access to the user requesting read access in accordance with the access control matrix -See Claim 33 – - ¶ 0048 - The secure portion 26 contains the security components, which include encryption/decryption keys, certificates, and so on – ¶ 0103- obtaining 194 the encrypted data from the non-secure potion 28 of the database, and accessing 196 a private key from the secure portion 26 of the portable database to decrypt 198 the symmetric key used to encrypt the data records. The method also preferably includes accessing 200 the digital signature attached to the encrypted data records, obtaining the certificate (which includes the public key) of the entity who signed the data, and validating 204 the signature. The results of the signature check, along with the unencrypted data records are preferably sent 206 to a display screen associated with a computer or PDA running the application).). It would have been obvious to one of ordinary skill in the art before the effective filling date of the invention to modify the teachings of Holtzman to include the teachings of Karimzadeh. The motivation to do so is to allow the system to provide a secure database format and access technology oriented towards portability, small footprint, security, and a distributed nature in a public environment, in which multiple users can have varying levels of access to the secure database (Karimzadeh – ¶ 0040). Claims 10,20 are rejected under 35 U.S.C. 103 as being unpatentable over Holtzman in view of Karimzadeh further in view of Musgrave et al. Patent No. US 6,505,193 B1 ( Musgrave hereinafter) Regarding claim 10, Holtzman does not explicitly teach associating a classification level of the certificate to the private key, wherein the classification level is from a plurality of classification levels However, Musgrave teaches associating a classification level of the certificate to the private key, wherein the classification level is from a plurality of classification levels (Col.4, lines 40-50 -The present invention is also directed to an iris certificate ( e.g., an IrisCert™ code) having a plurality of data fields including information relating to a digital certificate which identifies one or more computing platforms and points to a partition within a database and information relating to an iris image obtained from a person seeking to use one of the computing platforms. The iris certificate can also include other data, such as name, address, a level of authorization, entitlements, –Col.9,lines 50-70 -The certifying authority and identity server designates which computing platform or platform each individual will have authority to access and what that level of access will be at step 835. Computing platform access and identification information relating to each individual is stored in the central database in the correct partition based on the digital 65 certificate - Col.17, lines 25-35 -The combination of cryptographic techniques, such as public key cryptography, and digital certificates provides greater integrity, privacy, and authentication for applications having multiple computing platforms connected to a central database. The authentication of the computing platform using digital certificates as well as encryption techniques instills a greater level of confidence in the computing platform user, such as employees and electronic services consumers. Since digital certificates alone only authenticate the computing platform (e.g., the private key used in the transaction – Abstract -The use of digital certificates narrows the database search to only those individuals who have authorized access to a particular computing platform by using the digital certificates. The inclusion of the iris template allows for the reliable identification of an individual at the computing platform using digital certificates both as the secure transport method and as the means to ensure the privacy of the individual and their iris template. A level of access and other entitlements to use the computing platform may also be granted to the person based on the results of the identification process). It would have been obvious to one of ordinary skill in the art before the effective filling date of the invention to modify the teachings of Holtzman to include the teachings of Musgrave. The motivation to do so is to allow the system to grant access based on the results of the digital certificate authentication process (Musgrave– Abstract). Regarding claim 20, Holtzman further teaches wherein enabling access to the first data file storage (¶ 0068-¶ 0071). However, Holtzman does not explicitly teach granting a certificate level to the first private key based on the first certificate Musgrave teaches granting a certificate level to the first private key based on the first certificate(Abstract - The inclusion of the iris template allows for the reliable identification of an individual at the computing platform using digital certificates both as the secure transport method and as the means to ensure the privacy of the individual and their iris template. A level of access and other entitlements to use the computing platform may also be granted to the person based on the results of the identification process. Col.4, lines 40-50,Col.9,lines 50-70 -The certifying authority and identity server designates which computing platform or platform each individual will have authority to access and what that level of access will be at step 835. Computing platform access and identification information relating to each individual is stored in the central database in the correct partition based on the digital 65 certificate - Col.17, lines 25-35 -The combination of cryptographic techniques, such as public key cryptography, and digital certificates provides greater integrity, privacy, and authentication for applications having multiple computing platforms connected to a central database. The authentication of the computing platform using digital certificates as well as encryption techniques instills a greater level of confidence in the computing platform user, such as employees and electronic services consumers. Since digital certificates alone only authenticate the computing platform (e.g., the private key used in the transaction – Abstract -The use of digital certificates narrows the database search to only those individuals who have authorized access to a particular computing platform by using the digital certificates. The inclusion of the iris template allows for the reliable identification of an individual at the computing platform using digital certificates both as the secure transport method and as the means to ensure the privacy of the individual and their iris template. A level of access and other entitlements to use the computing platform may also be granted to the person based on the results of the identification process). It would have been obvious to one of ordinary skill in the art before the effective filling date of the invention to modify the teachings of Holtzman to include the teachings of Musgrave. The motivation to do so is to allow the system to grant access based on the results of the digital certificate authentication process (Musgrave– Abstract). Claims 12,15,16,17 are rejected under 35 U.S.C. 103 as being unpatentable over Holtzman in view of Musgrave further in view of Karimzadeh Regarding claim 12, Holtzman teaches a portable data storage device (Fig.2) comprising: a read only data bus interface to exchange data with a host device; a read/write data bus interface to exchange data with the host device; a non-volatile memory storage having a plurality of data file storage areas, wherein each of the plurality of data file storage areas is associated with a private key [..] ¶ 0063 - As shown in Fig. 1, the memory system 10 includes a central processing unit (CPU) 12, a buffer management unit (BMU) 14, a host interface module (HIM) 16 and a flash interface module (FIM) 18, a flash memory 20 and a peripheral access module (PAM) 22. Memory system 10 communicates with a host device 24 through a host interface bus 26 and port 26a. The flash memory 20 which may be of the NANO type, provides data storage for the host device 24 -Fig.2 - ¶ 0067 - Thus, the host 24 associates each file that is cryptographically processed by system 10 with a key ID, and the system 10 associates each key value that is used to cryptographically process data with a key ID provided by the host. Thus, when the host requests that data be cryptographically processed, it will send the request along with a key ID along with the logical addresses of data to be fetched from or stored in memory 20 to system 10. System 10 generates or receives a key value and associates the key ID provided by the host 24 with such value, and performs the cryptographic processing – In other words, once the key value is stored in or generated by system 10, the system continues to allow the host 24 to manage the files by having exclusive control of FAT, while it maintains exclusive control for the management of the key value(s) used for cryptographic processing – See Also ¶ 0068 -¶0070) ; a [..] storage area within the plurality of data file storage areas of the non-volatile memory storage, and a cryptography manager to control access to a first data file storage area of the plurality of data file storage areas through the read only data bus interface or the read/write data bus interface upon receipt of a first private [..] within the [..] storage corresponding to the first data file storage area (¶ 0068 – ¶ 0070 - When a user or application requests to read encrypted data from memory 20, it will need to provide its identity and credential, the key ID for the key previously used to encrypt the requested data, and the logical addresses where the encrypted data is stored. System 10 will then match the user or application identity and credential provided by the host to those stored in its record. If they match, system 10 will then fetch from its memory the key value associated with the key ID provided by the user or application, decrypt the data stored at the addresses designated by the host device using the key value and send the decrypted data to the user or application. – See Also – ¶ 0072 ;¶ 0082 - In reference to Fig. 4, for example, File A is accessible to all entities without any authentication, since it is shown as not enclosed by any key ID. Even though File B in the public partition can be read or overwritten by all entities, it contains data encrypted with a key with ID "key l ", so that the information contained in File B is not accessible to an entity unless such entity has access to such key. In this manner using key values and key references or Key IDs provide logical protection only, as opposed to the type of protection provided by the partition described above. Hence, any host that can access a partition (public or private) is capable of reading or writing the data in the entire partition, including the encrypted data. However, since the data is encrypted, unauthorized users can only corrupt it - - ¶ 0117 - The entity's credentials correspond to the login algorithm and are used by the SSA to verify and authenticate the user. An example for credential can be a password/ PIN number for password authentication, AES-key for AE authentication). However, Holtzman does not explicitly teach wherein each of the plurality of data file storage areas is associated with a private key and a certificate; wherein the certificate storage area includes the certificate for each data file storage area; a cryptography manager to control access to a first data file storage area upon receipt of a first private key that matches a first certificate within the certificate storage corresponding to the first data file storage area. retrieve a first file store key stored within the non-volatile memory storage, wherein the first file store key is used to perform an operation within the first data file storage area. Musgrave teaches wherein each of the plurality of data file storage areas is associated with a private key and a certificate; wherein the certificate storage area includes the certificate for each data file storage area; control access to a first data file storage area (Claim 27 - authenticating said computing platform by comparing said digital certificate to a plurality of stored digital certificates stored in said database – Col.17, lines 25-35 -The combination of cryptographic techniques, such as public key cryptography, and digital certificates provides greater integrity, privacy, and authentication for applications having multiple computing platforms connected to a central database. The authentication of the computing platform using digital certificates as well as encryption techniques instills a greater level of confidence in the computing platform user, such as employees and electronic services consumers. Since digital certificates alone only authenticate the computing platform (e.g., the private key used in the transaction – Abstract -The use of digital certificates narrows the database search to only those individuals who have authorized access to a particular computing platform by using the digital certificates. The inclusion of the iris template allows for the reliable identification of an individual at the computing platform using digital certificates both as the secure transport method and as the means to ensure the privacy of the individual and their iris template. A level of access and other entitlements to use the computing platform may also be granted to the person based on the results of the identification process – Col.5, lines 65-68 -The digital certificate DC is also used to point to a partition P within the central database 852). It would have been obvious to one of ordinary skill in the art before the effective filling date of the invention to modify the teachings of Holtzman to include the teachings of Musgrave. The motivation to do so is to allow the system to grant access based on the results of the digital certificate authentication process (Musgrave– Abstract). Holtzman in view of Musgrave does not explicitly teach a cryptography manager control access to a first data file storage area upon receipt of a first private key that matches a first certificate within the certificate storage corresponding to the first data file storage area retrieve a first file store key stored within the non-volatile memory storage, wherein the first file store key is used to perform an operation within the first data file storage area. Karimzadeh teaches a cryptography manager control access to a first data file storage area upon receipt of a first private key that matches a first certificate within the certificate storage corresponding to the first data file storage area ( Para 0062 - These features are obtained in part by providing a particular simple record format for all data, which is tailored for a micro/portable database. As described above, the portable database may be physically stored on devices such as flash memory smart cards, with the secure portion provided by a processor running the access control module and the non-secure portion provided by flash memory – Claim 2 - additionally storing a private key associated with the certificate in the secure portion, wherein said allowing the requested access includes identifying the certificate with the user requesting access – Claim 9 - wherein the stored security components include a private key and a certificate of the user requesting access, wherein the certificate comprises a public key of the user and identifies the user in the hierarchical structure, and wherein said accessing further comprises retrieving the private key and the certificate of the user requesting access from the secure portion in response to said authenticating. providing challenge data in response to said retrieving; providing response data by digitally signing the challenge data with the private key; retrieving the public key from the certificate; and using the public key to validate the response data – Abstract - The database has a secure portion for storing security keys and a non-secure portion for encrypted data files. A user requesting access is identified in the hierarchy, associated with a key for allowing the requested access, and the requested access allowed to a file in accordance with the rights allocated through the access control matrix – Note: the processor acts as manager ensuring that the user with valid certificate and matching private key is able to access the encrypted files corresponding to a level in the hierarchy. retrieve a first file store key stored within the non-volatile memory storage, wherein the first file store key is used to perform an operation within the first data file storage area (¶ 0049 - Each card also stores the owner's private key stored in a secure portion 26 of the card – ¶0057 - The private key associated with the certificate identifying the owner of, for example, the flash smart card, is maintained in the secure portion 26 of the database 28 and is accessed from the secure portion 26 upon authentication of the user. ¶0053 - The access control module 16 then associates the user with one of the keys stored in the secure portion, which is needed for decrypting the requested encrypted data files. If the level of access associated with the requested file for the user requesting access is allowed, the appropriate key is applied to decrypt the requested encrypted data files – Claim 32 - retrieving the patient private key and the encrypted randomly generated key in response to said authenticating, decrypting the encrypted randomly generated key automatically with the patient private key; decrypting the medical record with the randomly generated key; and allowing access to the user requesting read access in accordance with the access control matrix -See Claim 33 ). It would have been obvious to one of ordinary skill in the art before the effective filling date of the invention to modify the teachings of Holtzman to include the teachings of Karimzadeh. The motivation to do so is to allow the system to provide a secure database format and access technology oriented towards portability, small footprint, security, and a distributed nature in a public environment, in which multiple users can have varying levels of access to the secure database (Karimzadeh – ¶ 0040). Regarding claim 15, Holtzman does not explicitly teach wherein the cryptography manager determines a classification level of a plurality of classification levels for the first certificate and that the first data file storage area has the classification level. However, Musgrave teaches wherein the cryptography manager determines a classification level of a plurality of classification levels for the first certificate and that the first data file storage area has the classification level (Col.4, lines 40-50 -The present invention is also directed to an iris certificate ( e.g., an IrisCert™ code) having a plurality of data fields including information relating to a digital certificate which identifies one or more computing platforms and points to a partition within a database and information relating to an iris image ( e.g., an IrisCode ™ template) obtained from a person seeking to use one of the computing platforms. The iris certificate can also include other data, such as name, address, a level of authorization, entitlements, etc. –Col.9,lines 50-70 -The certifying authority and identity server designates which computing platform or platform each individual will have authority to access and what that level of access will be at step 835. Computing platform access and identification information relating to each individual is stored in the central database in the correct partition based on the digital 65 certificate). It would have been obvious to one of ordinary skill in the art before the effective filling date of the invention to modify the teachings of Holtzman to include the teachings of Musgrave. The motivation to do so is to allow the system to grant access based on the results of the digital certificate authentication process (Musgrave– Abstract). Regarding claim 16, Holtzman does not explicitly teach wherein the plurality of data file storage areas includes a second data file storage area corresponding to a second certificate within the certificate storage area However, Musgrave teaches wherein the plurality of data file storage areas includes a second data file storage area corresponding to a second certificate within the certificate storage area ( Claim 27 - authenticating said computing platform by comparing said digital certificate to a plurality of stored digital certificates stored in said database – Col.17, lines 25-35 -The combination of cryptographic techniques, such as public key cryptography, and digital certificates provides greater integrity, privacy, and authentication for applications having multiple computing platforms connected to a central database. The authentication of the computing platform using digital certificates as well as encryption techniques instills a greater level of confidence in the computing platform user, such as employees and electronic services consumers. Since digital certificates alone only authenticate the computing platform (e.g., the private key used in the transaction – Abstract -The use of digital certificates narrows the database search to only those individuals who have authorized access to a particular computing platform by using the digital certificates. The inclusion of the iris template allows for the reliable identification of an individual at the computing platform using digital certificates both as the secure transport method and as the means to ensure the privacy of the individual and their iris template. A level of access and other entitlements to use the computing platform may also be granted to the person based on the results of the identification process – Col.5, lines 65-68 -The digital certificate DC is also used to point to a partition P within the central database 852). It would have been obvious to one of ordinary skill in the art before the effective filling date of the invention to modify the teachings of Holtzman to include the teachings of Musgrave. The motivation to do so is to allow the system to grant access based on the results of the digital certificate authentication process (Musgrave– Abstract). Regarding claim 17, Holtzman further teaches cryptography manager controls access to the to the second data file storage area of the plurality of data file storage areas through the read only data bus interface or the read/write data bus interface upon receipt of a second private key (¶ 0068 – ¶ 0070 - When a user or application requests to read encrypted data from memory 20, it will need to provide its identity and credential, the key ID for the key previously used to encrypt the requested data, and the logical addresses where the encrypted data is stored. System 10 will then match the user or application identity and credential provided by the host to those stored in its record. If they match, system 10 will then fetch from its memory the key value associated with the key ID provided by the user or application, decrypt the data stored at the addresses designated by the host device using the key value and send the decrypted data to the user or application. – See Also – ¶ 0072 ;¶ 0082 - In reference to Fig. 4, for example, File A is accessible to all entities without any authentication, since it is shown as not enclosed by any key ID. Even though File B in the public partition can be read or overwritten by all entities, it contains data encrypted with a key with ID "key l ", so that the information contained in File B is not accessible to an entity unless such entity has access to such key. In this manner using key values and key references or Key IDs provide logical protection only, as opposed to the type of protection provided by the partition described above. Hence, any host that can access a partition (public or private) is capable of reading or writing the data in the entire partition, including the encrypted data. However, since the data is encrypted, unauthorized users can only corrupt it - - ¶ 0117 - The entity's credentials correspond to the login algorithm and are used by the SSA to verify and authenticate the user. An example for credential can be a password/ PIN number for password authentication, AES-key for AE authentication). However, Holtzman does not explicitly teach cryptography manager controls access to the to the second data file storage area upon receipt of a second private key that matches the second certificate within the certificate storage using a second file store key stored within the nonvolatile memory and associated with the second certificate Karimzadeh teaches cryptography manager controls access to the to the second data file storage area upon receipt of a second private key that matches the second certificate within the certificate storage using a second file store key stored within the nonvolatile memory and associated with the second certificate; (Abstract - The database has a secure portion for storing security keys and a non-secure portion for encrypted data files Authentication of the owner/patient is preferably required to access the secure portion of the database – Claim 2 - additionally storing a private key associated with the certificate in the secure portion, wherein said allowing the requested access includes identifying the certificate with the user requesting access - ¶ 0049 - Each card also stores the owner's private key stored in a secure portion 26 of the card – ¶0057 - The private key associated with the certificate identifying the owner of, for example, the flash smart card, is maintained in the secure portion 26 of the database 28 and is accessed from the secure portion 26 upon authentication of the user. ¶0053 - The access control module 16 then associates the user with one of the keys stored in the secure portion, which is needed for decrypting the requested encrypted data files. If the level of access associated with the requested file for the user requesting access is allowed, the appropriate key is applied to decrypt the requested encrypted data files – Claim 32 - retrieving the patient private key and the encrypted randomly generated key in response to said authenticating, decrypting the encrypted randomly generated key automatically with the patient private key; decrypting the medical record with the randomly generated key; and allowing access to the user requesting read access in accordance with the access control matrix -See Claim 33 ). It would have been obvious to one of ordinary skill in the art before the effective filling date of the invention to modify the teachings of Holtzman to include the teachings of Karimzadeh. The motivation to do so is to allow the system to provide a secure database format and access technology oriented towards portability, small footprint, security, and a distributed nature in a public environment, in which multiple users can have varying levels of access to the secure database (Karimzadeh – ¶ 0040). Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Holtzman in view of Musgrave further in view of Karimzadeh further in view of Chen et al. Publication No. US 2024/0020676 A1 ( Chen hereinafter) Regarding claim 13, Holtzman does not explicitly teach a control module to enable power to the portable data storage device and to bring the cryptography manager into a secure state. However, Chen teaches a control module to enable power to the portable data storage device and to bring the cryptography manager into a secure state ( ¶ 0053 - The portable device 208 may include an integrated circuit having a memory and one or more processors. At least a portion of the integrated circuit may be dedicated to a transaction module 236, which may include some combination of hardware and software. The portable device may not include a power source, such that the integrated circuit is caused to be powered by an external source. For example, in embodiments in which the portable device 208 is a contactless device, the portable device may be brought within proximity of a client device 204. In this example, a contactless reader of the client device 204 may power the integrated circuit of the portable device 208. Once powered, the transaction module 236 may be configured to provide an account identifier to the client device. In some embodiments, the portable device 208 may include a secure element (e.g., a secure memory) that contains the account identifier and/or a cryptographic key that may be used to authenticate the account identifier). It would have been obvious to one of ordinary skill in the art before the effective filling date of the invention to modify the teachings of Holtzman to include the teachings of Chen. The motivation to do so is to allow the system to power the integrated circuit of the portable device (Chen – ¶ 0053). Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Holtzman in view of Musgrave further in view of Karimzadeh further in view of Teal et al. Publication No. US 2006/0064582 A1 ( Teal hereinafter) Regarding claim 14, Holtzman does not explicitly teach wherein the first certificate is an administrator certificate related to the certificate storage area, wherein the cryptography manager determines that the first private key is associated with the administrator certificate, and wherein the cryptography manager enables access only to the certificate storage area for the first private key. However, Musgrave teaches wherein the first certificate is an [..]certificate related to the certificate storage area, wherein the cryptography manager determines that the first private key is associated with the [..] certificate, and wherein the cryptography manager enables access only to the certificate storage area for the first private key ( Claim 27 - authenticating said computing platform by comparing said digital certificate to a plurality of stored digital certificates stored in said database – Col.17, lines 25-35 -The combination of cryptographic techniques, such as public key cryptography, and digital certificates provides greater integrity, privacy, and authentication for applications having multiple computing platforms connected to a central database. The authentication of the computing platform using digital certificates as well as encryption techniques instills a greater level of confidence in the computing platform user, such as employees and electronic services consumers. Since digital certificates alone only authenticate the computing platform (e.g., the private key used in the transaction – Abstract -The use of digital certificates narrows the database search to only those individuals who have authorized access to a particular computing platform by using the digital certificates. The inclusion of the iris template allows for the reliable identification of an individual at the computing platform using digital certificates both as the secure transport method and as the means to ensure the privacy of the individual and their iris template. A level of access and other entitlements to use the computing platform may also be granted to the person based on the results of the identification process – Col.5, lines 65-68 -The digital certificate DC is also used to point to a partition P within the central database 852 ) It would have been obvious to one of ordinary skill in the art before the effective filling date of the invention to modify the teachings of Holtzman to include the teachings of Musgrave. The motivation to do so is to allow the system to grant access based on the results of the digital certificate authentication process (Musgrave– Abstract). Holtzman in view of Musgrave does not explicitly teach that the certificate is an administrator certificate However, Teal teaches an administrator certificate ( ¶ 0080 – Administrator certificate) . It would have been obvious to one of ordinary skill in the art before the effective filling date of the invention to modify the teachings of Holtzman in view of Musgrave to include the teachings of Teal. The motivation to do so is to allow the system to enhance credibility. Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to YOUNES NAJI whose telephone number is (571)272-2659. The examiner can normally be reached Monday - Friday 8:30 AM -5:30 PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Oscar A Louie can be reached at (571) 270-1684. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /YOUNES NAJI/Primary Examiner, Art Unit 2445
Read full office action

Prosecution Timeline

Mar 27, 2024
Application Filed
Oct 22, 2025
Non-Final Rejection mailed — §103
Jan 21, 2026
Response Filed
May 15, 2026
Final Rejection mailed — §103
Jul 12, 2026
Interview Requested

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12665749
MIGRATING SECRETS FROM A CLOUD ENVIRONMENT TO A LOCAL SYSTEM
3y 3m to grant Granted Jun 23, 2026
Patent 12659322
Systems and methods for identifying legitimate network traffic imitation
2y 2m to grant Granted Jun 16, 2026
Patent 12647495
METHODS AND APPARATUS TO IDENTIFY MAIN PAGE VIEWS
1y 8m to grant Granted Jun 02, 2026
Patent 12640930
REDUCING NETWORK LOAD AND LEAD TIME FOR SIGNING A PACKAGE MANAGER FILE
2y 11m to grant Granted May 26, 2026
Patent 12627693
CYBER-ATTACK TRACKING METHOD AND DEVICE USING BEHAVIOR EVENT-BASED RELATIONSHIP DATA COLLECTED FROM MULTIPLE DOMAINS, AND STORAGE MEDIUM STORING INSTRUCTIONS TO PERFORM CYBER-ATTACK TRACKING METHOD
1y 11m to grant Granted May 12, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

3-4
Expected OA Rounds
75%
Grant Probability
99%
With Interview (+73.1%)
2y 11m (~7m remaining)
Median Time to Grant
Moderate
PTA Risk
Based on 443 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month