Prosecution Insights
Last updated: April 19, 2026
Application No. 18/677,668

DISTRIBUTION OF SECURITY KEYS IN A STORAGE NETWORK

Non-Final OA §103
Filed: May 29, 2024
Examiner: WALIULLAH, MOHAMMED
Art Unit: 2498
Tech Center: 2400 — Computer Networks
Assignee: Hewlett Packard Enterprise Development LP
OA Round: 1 (Non-Final)
Grant Probability: 86% (Favorable)
OA Rounds: 1-2
To Grant: 2y 7m
With Interview: 97%

Examiner Intelligence

Grants 86% — above average
Career Allow Rate: 86%
623 granted / 721 resolved
+28.4% vs TC avg
Moderate +11% lift
Interview Lift: +10.6%
resolved cases with interview
Typical timeline
Avg Prosecution: 2y 7m
15 currently pending
Career history
Total Applications: 736 (across all art units)

Statute-Specific Performance

§101: 9.3% (-30.7% vs TC avg)
§103: 55.4% (+15.4% vs TC avg)
§102: 4.9% (-35.1% vs TC avg)
§112: 14.3% (-25.7% vs TC avg)
Black line = Tech Center average estimate • Based on career data from 721 resolved cases

Office Action

§103
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 8-9, 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Muniswamy-Reddy et al. (US 20210089662 A1, designated as “Reddy”) in view of Roth et al. (US 9215076 B1).

With regards to claim 1, Reddy discloses, A computing device (FIG 15 1500) comprising: a processor (FIG 15 1510 and associated text); and a machine-readable storage storing instructions, the instructions executable by the processor ([0144]) to: identify a plurality of devices associated with a zone configuration of a storage network ([0029]; Thus, each zone may include a variety of computing, storage, and network resources that provide various services to client devices 102, as well as components to facilitate creation and management of such resources. One skilled in the art will therefore appreciate that the illustrative configuration of FIG. 2 is simplified for ease of description.
[0046] Illustratively, an instance 132 may attach cross-zone data storage by utilizing an identifier of the cross-zone data storage device to identify the primary worker 302A in the primary zone 120 (zone 120A), and initiating communication with the primary worker 302A. Thereafter, the instance 132 may interact with the worker 302A over a network, in a manner similar to locally-attached disks. ); identify a set of policies associated with the zone configuration of the storage network ([0042] While shown as individual elements in FIG. 2, the manager service 162 and authority service 164 may in practice be implemented by multiple devices operating in a distributed manner. For example, the authority service 164 may be implemented by an odd number of redundant devices utilizing a consensus protocol (e.g., a Paxos protocol, simple majority protocol, or other consensus protocol) to ensure consistent designation of a primary worker 152 for a volume. In some instances, functionalities of the elements of the zonal control plane 160 may be divided. For example, rather than a zonal volume manager service 162 selecting workers 152 to implement a volume, the plane 160 may include a dedicated placement service configured to select an appropriate worker 152 on which to place a volume.); generate a plurality of security keys based on the plurality of devices ([0039] In some embodiments, data written to storage nodes may be encrypted. In one embodiment, encryption may occur at a host device of the virtual machine instance 132. Each volume of a data store may be associated with a unique encryption key, which may illustratively be stored at a key management service 190 (which service represents a secure storage location that maintains and distributes keys only to authorized and authenticated entities).
For example, an instance 132 may provide a first key (e.g., a “customer” key) to the key management service 190 when creating a volume, and the key management service 190 may select for the volume a volume key.) and the set of policies associated with the zone configuration of the storage network ([0055]; The regional control plane 170 may implement a routine to create and failover to a new secondary volume 300 in different zone 120 than the primary volume 300 (which may be the same zone 120 as the past secondary volume 300 or a different zone 120, particularly in the case of zone-wide failure) [0029] FIG. 2 depicts an example configuration of a zone 120. As noted above, a zone 120 may represent an independent, isolated computing system providing a variety of services to client devices 102 independent of the computing systems of other zones 120. Thus, each zone may include a variety of computing, storage, and network resources that provide various services to client devices 102, as well as components to facilitate creation and management of such resources. One skilled in the art will therefore appreciate that the illustrative configuration of FIG. 2 is simplified for ease of description.); and distribute the plurality of security keys to the plurality of devices via a plurality of secure messages ([0039]; The key management service 190 can then encrypt the volume key using the customer key, and provide that encrypted volume key to the storage node 150 for storage as metadata related to the volume. When an instance 132 attempts to “attach” the volume as a hard disk, the node 150 may provide the encrypted key to a host device of the instance 132, which may in turn submit a request to the key management service 190 to decrypt the encrypted key. [0035] In the example of FIG. 2, virtualized block storage devices of the storage service 140 are provided by storage nodes 150.
Each storage node 150 can represent one or more associated computing devices (e.g., co-located within a rack) configured to enable virtual machine instances 132 to write to and read from volumes representing virtualized block storage devices. In some instances, a virtualized block storage device may be represented by a single volume made accessible by a one or more storage nodes 150 of the service 140 within a single zone 120. However, in accordance with embodiments of the present disclosure, a virtualized block storage device may also be represented by as multiple volumes hosted by multiple storage nodes 150 within multiple zones 120).

Reddy does not exclusively but Roth teaches, wherein the plurality of devices receive different subsets of the plurality of security keys to establish encrypted communications among the plurality of devices (Col 7 line 10-20; In an embodiment, a hierarchy of keys is generated and subsets of the keys are provided to devices. Special care is taken in the provisioning of keys to devices. For example, in an embodiment, keys are distributed to ensure that subsets of the devices are provided different sets of keys. The subsets of devices may comprise multiple devices and/or single devices. In addition, in an embodiment, keys are provided and encrypted content is published such that authorized devices are able to use at least one of the keys to decrypt the content).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify Reddy’s method with teaching of Roth in order to ensure that content can be consumed with minimal burden to the consumer, conventional techniques make it difficult to identify the source of unauthorized copies of content (Roth col 1 line 40-50).

With regards to claim 2, 9, 16 Reddy in view of Roth discloses, including instructions executable by the processor to: receive a registration request from a first device of the storage network (Roth Col 3 line 30-40; Techniques described and suggested herein include systems and methods for key generation and applications for using generated keys, in accordance with various embodiments. The keys may be used for various purposes, such as authentication and participation in message signing schemes, encryption, and/or other purposes for which keys are useful. In an embodiment, a computing resource provider provides computing services to customers based at least in part on electronic requests received from user devices of the services ); and assign a client identifier to the first device (Roth Col 7 line 50-60; Because the keys provided to the devices vary among the devices, the keys used to decrypt the content effectively function as an identifier of one or more devices. For example, if it is determined that a key K was used to decrypt the content, it may be determined that only devices that were provided K are suspect), wherein the first device is included in a first zone of the storage network (Reddy FIG 2 132 and associated text; Note: 302A assigned in zone 120A ), wherein the zone configuration is associated with the first zone, and wherein the first zone includes the plurality of devices (Reddy FIG 2 132 and associated text; [0030] As shown in FIG. 2, the zone includes a virtual compute service 130.
Generally described, the virtual compute service 130 enables client devices 102 to create, configure, and manage operation of virtual machine instances 132, each of which represents a configurable, virtualized computing device hosted on a substrate host computing device. Each virtual machine instance 132 may, for example, represent a virtual computing device provisioned with an operating system and various other software and configured according to specification of a client device 102 to provide a network-based service for or on behalf of a user of the client device 102.). Motivation would be same as stated in claim 1.

Claim 8 is method claim corresponding to device claim 1, also rejected accordingly. Note: Reddy discloses, method ([0145] In some embodiments, system memory 1520 may include data store 1545. In general, system memory 1520 (e.g., data store 1545 within system memory 1520), persistent storage 1560, and/or remote storage 1570 may store write journal entries, data blocks, replicas of data blocks, metadata associated with data blocks and/or their state, configuration information, and/or any other information usable in implementing the methods and techniques described herein.)

Claim 15 is medium claim corresponding to device claim 1, also rejected accordingly. Note: Reddy discloses, A non-transitory machine-readable medium storing instructions that upon execution cause a controller ([0144] A non-transitory computer-readable storage medium may include any mechanism for storing information in a form (e.g., software, processing application) readable by a machine (e.g., a computer). )

Claims 3, 5, 10, 17 are rejected under 35 U.S.C. 103 as being unpatentable over Muniswamy-Reddy et al. (US 20210089662 A1, designated as “Reddy”) in view of Roth et al. (US 9215076 B1) and further in view of Kravitz et al. (US 20200304318 A1).
With regards to claim 3, 10, 17 Reddy in view of Roth disclose, send a first secure message to the first device (Roth Col 6 line 35-45; The term “organization,” unless otherwise clear from context, is intended to be read in the broad sense to imply a set of principals organized in some manner. In an embodiment, keys in the key hierarchy are distributed according to the organizational hierarchy. In particular, the keys are distributed to correspond with access rights of those in the organizational hierarchy. For instance, the keys may be distributed such that a principal with a key in the hierarchy is able to decrypt data that was encrypted with a different key that was derived from the key. ), wherein the first secure message includes the first client key and a first set of security keys for the first device, and wherein the first device authenticates the first secure message using the first client key (Roth col 7 line 10-20; In an embodiment, a hierarchy of keys is generated and subsets of the keys are provided to devices. Special care is taken in the provisioning of keys to devices. For example, in an embodiment, keys are distributed to ensure that subsets of the devices are provided different sets of keys. The subsets of devices may comprise multiple devices and/or single devices. In addition, in an embodiment, keys are provided and encrypted content is published such that authorized devices are able to use at least one of the keys to decrypt the content. FIG 7 and associated text).

Reddy in view of Roth do not but Kravitz disclose, generate, using the client identifier and a global unique identifier of the first device ([0051]; An identity is typically provided to a device (e.g., trust control device, etc.), as depicted by data communication 201 (e.g., generally from an installer).
The device 200 then connects to a security ecosystem platform 208 that includes an AA and a Globally Unique Identifier (GUID) is assigned to the device, and then the device is registered. An unique root of trust ID (for example a generated PUF ID) is typically provided by a device (if not previously provided) as shown by 203 and is associated with the GUID by the AA. Subsequently, a unique root of trust ID (for example a generated PUF ID, typically a public key) is provided by device (if not previously provided) as depicted by 204 and is preferably associated with the GUID by the AA), a first client key for the first device ([0051]; A device certificate is then issued that typically includes GUID, device ID, and/or device public key and sent to the device 200, at 205.);

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify Reddy in view of Roth’s method with teaching of Kravitz in order to provide security and authentication of electronic devices and their data, and more specifically using Public Key Infrastructure (PKI) for security and authentication of electronic devices and their data (Kravitz [0008]).

With regards to claim 5, Examiner Taking Official Notice that “wherein the global identifier of the first device is Non-Volatile Memory Express Qualified Name (NQN) of the first device” is not an inventive step or well known in the art.

Claims 6, 19 are rejected under 35 U.S.C. 103 as being unpatentable over Muniswamy-Reddy et al. (US 20210089662 A1, designated as “Reddy”) in view of Roth et al. (US 9215076 B1) and further in view of Eiding et al. (US 20220110203 A1).
With regards to claim 6, 19 Reddy in view of Roth do not but Eiding disclose, monitor for changes to the zone configuration of the first zone; and identify the plurality of devices in response to a detection of the change to the zone configuration of the first zone ([0084]; The zone configuration information may include an association of zone identifiers to controllable loads and/or load control devices. The load controller may determine one or more differences (e.g., updates) in the updated zone configuration information as compared to previous zone configuration information. At 254, the control circuit of the load controller may determine whether one or more load control devices were added to or removed from the load control system based on the updated zone configuration information.).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify Reddy in view of Roth’s method with teaching of Eiding in order to provide control the lighting loads providing artificial light in the user environment (Eiding [0002]).

Allowable Subject Matter

Claim 4, 7, 11-14, 18, 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMED WALIULLAH whose telephone number is (571)270-7987. The examiner can normally be reached 8.30 to 430 PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached at 1-571-272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MOHAMMED WALIULLAH/
Primary Examiner, Art Unit 2498

Prosecution Timeline

May 29, 2024
Application Filed
Dec 27, 2025
Non-Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12602517
SYSTEMS AND METHODS FOR AUTOMATIC REDACTION OF SENSITIVE INFORMATION FROM VIDEO STREAMS
2y 5m to grant Granted Apr 14, 2026
Patent 12602491
METHOD AND SYSTEM FOR USING SECURE REMOTE DIRECT MEMORY ACCESS (RDMA) SYSTEM
2y 5m to grant Granted Apr 14, 2026
Patent 12598063
IMPROVED CLOCK SECURITY FOR STATISTICAL OBJECT GENERATION
2y 5m to grant Granted Apr 07, 2026
Patent 12592835
METHOD AND APPARATUS FOR GENERATING, PROVIDING AND DISTRIBUTING A TRUSTED ELECTRONIC RECORD OR CERTIFICATE BASED ON AN ELECTRONIC DOCUMENT RELATING TO A USER
2y 5m to grant Granted Mar 31, 2026
Patent 12587538
TECHNIQUES FOR ACCESS CERTIFICATION REVIEWER SELECTION
2y 5m to grant Granted Mar 24, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 86%
With Interview (+10.6%): 97%
Median Time to Grant: 2y 7m
PTA Risk: Low
Based on 721 resolved cases by this examiner. Grant probability derived from career allow rate.
