Office Action Predictor
Last updated: April 17, 2026
Application No. 18/792,706

STORING AND DETERMINING A DATA ELEMENT

Non-Final OA §103§112§DP
Filed
Aug 02, 2024
Examiner
GERGISO, TECHANE
Art Unit
2408
Tech Center
2400 — Computer Networks
Assignee
unknown
OA Round
1 (Non-Final)
84%
Grant Probability
Favorable
1-2
OA Rounds
3y 3m
To Grant
99%
With Interview

Examiner Intelligence

Grants 84% — above average
84%
Career Allow Rate
703 granted / 835 resolved
+26.2% vs TC avg
Strong +24% interview lift
Without
With
+24.2%
Interview Lift
resolved cases with interview
Typical timeline
3y 3m
Avg Prosecution
34 currently pending
Career history
869
Total Applications
across all art units

Statute-Specific Performance

§101
12.8%
-27.2% vs TC avg
§103
55.0%
+15.0% vs TC avg
§102
11.3%
-28.7% vs TC avg
§112
10.9%
-29.1% vs TC avg
Black line = Tech Center average estimate • Based on career data from 835 resolved cases

Office Action

§103 §112 §DP
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Priority Receipt is acknowledged of certified copies of papers required by 37 CFR 1.55. Information Disclosure Statement The information disclosure statement (IDS) submitted on August 02, 2024 has been considered by the examiner. Double Patenting The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13. The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer. Claims 2-17 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-16 of U.S. Patent No. 12,101,400. Although the claims at issue are not identical, they are not patentably distinct from each other because limitation features of claims 1 and 12 of current Appl. No.: 18/792,2706 are generic to corresponding limitations of claims 1 and 9 U.S. Patent No. 12,101,400 respectively. Current Appl. No.: 18/792,2706 U.S. Patent No. 12,101,400 2: A method comprising: based on a data element, generating M data element shares of the data element, wherein M is an integer greater than 1; a first data processing unit encrypting each of the M data element shares with a respective encryption key, and thus generating M encrypted data element shares, wherein each of the encryption keys corresponds to a respective decryption key; the first data processing unit outputting the M encrypted data element shares to at least one external device; providing to a device at least N of M of the data element shares in an unencrypted state, wherein N is an integer greater than or equal to 1 and smaller than or equal to M, wherein the at least N data element shares are provided by one or more of the at least one external device; and the device determining the data element based on the at least N data element shares in the unencrypted state, wherein the device is different from the first data processing unit; and wherein at least one external device executes an authentication protocol prior to transferring data with the device for authenticating the device. 1. A method comprising: based on a data element, generating M data element shares of the data element, wherein M is an integer greater than 1; a first data processing unit encrypting each of the M data element shares with a respective encryption key, and thus generating M encrypted data element shares, wherein each of the encryption keys corresponds to a respective decryption key; providing to a device at least N of M of the data element shares in an unencrypted state, wherein N is an integer greater than or equal to 1 and smaller than or equal to M; and the device determining the data element based on the at least N data element shares in the unencrypted state; wherein the providing to the device at least N of M of the data element shares in an unencrypted state comprises: providing at least N temporary encrypted data element shares to the device; and unencrypting each of the at least N temporary encrypted data element shares on the device and thus obtaining the at least N data element shares in an unencrypted state; and wherein the providing at least N temporary encrypted data element shares to the device comprises each of at least N computing units performing the steps of: decrypting a respective one of the M encrypted data element shares to obtain a respective data element share in an unencrypted state; encrypting the respective data element share in the unencrypted state using a temporary encryption key to generate a respective temporary encrypted data element share; and providing the respective temporary encrypted data element share to the device. As per claim 12: A system comprising: a first data processing unit configured to: generate M data element shares based on a data element, wherein M is an integer greater than 1; encrypt each of the M data element shares with a respective encryption key, and to thus generate M encrypted data element shares, wherein each of the encryption keys corresponds to a respective decryption key; and output the M encrypted data element shares to at least one external device;a device configured to: obtain at least N of M data element shares in an unencrypted state related to the data element, wherein N is an integer greater than or equal to 1 and smaller than or equal to M and wherein the at least N data element shares are obtained from one or more of the at least one external device; and determine the data element based on the at least N data element shares in the unencrypted state; wherein the device is different from the first data processing unit; and wherein the at least one external device is configured to execute an authentication protocol prior to transferring data with the device for authenticating the device. 9. A system comprising: a first data processing unit configured to: generate M data element shares based on a data element, wherein M is an integer greater than 1; and encrypt each of the M data element shares with a respective encryption key, and to thus generate M encrypted data element shares, wherein each of the encryption keys corresponds to a respective decryption key; a device configured to: obtain at least N of M data element shares in an unencrypted state related to a data element, wherein M is an integer greater than 1 and N is an integer greater than or equal to 1 and smaller than or equal to M; and determine the data element based on the at least N data element shares in the unencrypted state; and at least N computing units; wherein the device is configured to obtain the at least N of M data element shares in an unencrypted state by: obtaining at least N temporary encrypted data element shares; and unencrypting each of the at least N temporary encrypted data element shares on the device and thus obtaining the at least N data element shares in an unencrypted state; and wherein each of the at least N computing units is configured to: decrypt a respective one of the M encrypted data element shares to obtain a respective data element share in the unencrypted state; encrypt the respective data element share in the unencrypted state using a temporary encryption key to generate the respective temporary encrypted data element share; and provide the respective temporary encrypted data element share to the device. Claims 2-17 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-16 of U.S. Patent No. 11,791,996. Although the claims at issue are not identical, they are not patentably distinct from each other because limitation features of claims 1 and 12 of the current Appl. No.: 18/792,2706 are generic to corresponding limitations of claims 1 and 8 U.S. Patent No. 11,791,996 respectively. Current Appl. No.: 18/792,2706 U.S. Patent No. 11,791,996 2: A method comprising: based on a data element, generating M data element shares of the data element, wherein M is an integer greater than 1; a first data processing unit encrypting each of the M data element shares with a respective encryption key, and thus generating M encrypted data element shares, wherein each of the encryption keys corresponds to a respective decryption key; the first data processing unit outputting the M encrypted data element shares to at least one external device; providing to a device at least N of M of the data element shares in an unencrypted state, wherein N is an integer greater than or equal to 1 and smaller than or equal to M, wherein the at least N data element shares are provided by one or more of the at least one external device; and the device determining the data element based on the at least N data element shares in the unencrypted state, wherein the device is different from the first data processing unit; and wherein at least one external device executes an authentication protocol prior to transferring data with the device for authenticating the device. 1. A method, comprising: (a) generating M data element shares; based on a data element; wherein M is an integer greater than 1; (b) providing M encryption keys to a first data processing unit; (c) encrypting each of the M data element shares with a respective encryption key of the M encryption keys to generate M encrypted data element shares using the first data processing unit, wherein each of the encryption keys corresponds to a respective decryption key of M decryption keys; (d) wherein the first data processing unit comprises a secure microcontroller configured to generate, based on the data element, M data element shares and encrypt the data element shares; (e) wherein the method further comprises at least one of: (e1) providing, using the first data processing unit, each of the M encrypted data element shares to a respective one of separate data share storage units and storing each of the M encrypted data element shares on the respective separate data share storage unit, or (e2) providing, using the first data processing unit, each of the M encrypted data element shares to a database and storing each of the M encrypted data element shares on the database; (f) wherein each of the M decryption keys is stored on a respective one of separate decryption key storage units; (g) wherein the method comprises determining the data element which comprises providing a device and at least N computing units, wherein N is an integer greater than or equal to 1, and smaller than or equal to M, (h) wherein each of the at least N computing units is configured to access a respective one of the separate decryption key storage units, and (i) wherein each of the at least N computing units is further configured to access at least one of: (i1) a respective one of the separate data share storage units that stores the encrypted data element share, the decryption key of which is stored in the decryption key storage unit that the computing unit is configured to access, or (i2) the database; (j) wherein determining the data element further comprises: (j1) generating, using the device, at least one temporary encryption key and at least one corresponding temporary decryption key; (j2) each of the at least N computing units receiving from the decryption key storage unit, that the respective computing unit is configured to access, the decryption key stored therein; or (j3) Each of the at least N computing units receiving from the data share storage unit, that the respective computing unit is configured to access, the encrypted data element share stored therein or receiving from the database an encrypted data element share of the M encrypted data element shares stored in the database, the encrypted data element share corresponding to the decryption key received in (j2); (j4) each of the at least N computing units decrypting the encrypted data element share, received in (j3), using the decryption key, received in (j2), to obtain a data element share in an unencrypted state; (j5) each of the at least N computing units receiving one of the at least one temporary encryption key generated in (j1); and (j6) Each of the at least N computing units encrypting the data element share in the unencrypted state, obtained in (j4), using the temporary encryption key, received in (j5), to generate a respective temporary encrypted data element share, (j7) Each of the at least N computing units providing the respective temporary encrypted data element share generated in (j6) to the device; (j8) decrypting, using the device, each of the at least N temporary encrypted data element shares, provided in (j7), to obtain at least N data element shares in an unencrypted state; (j9) determining, using the device, the data element based on the at least N data element shares in the unencrypted state; (k) wherein the device comprises a secure microcontroller configured to generate the data element based on the at least N data element shares. As per claim 12: A system comprising: a first data processing unit configured to: generate M data element shares based on a data element, wherein M is an integer greater than 1; encrypt each of the M data element shares with a respective encryption key, and to thus generate M encrypted data element shares, wherein each of the encryption keys corresponds to a respective decryption key; and output the M encrypted data element shares to at least one external device;a device configured to: obtain at least N of M data element shares in an unencrypted state related to the data element, wherein N is an integer greater than or equal to 1 and smaller than or equal to M and wherein the at least N data element shares are obtained from one or more of the at least one external device; and determine the data element based on the at least N data element shares in the unencrypted state; wherein the device is different from the first data processing unit; and wherein the at least one external device is configured to execute an authentication protocol prior to transferring data with the device for authenticating the device. 8. A system comprising: (a) a first data processing Unit configured to generate M data element shares based on a data element, wherein M is an integer greater than 1; (b) wherein the first data processing unit is configured to receive M encryption keys; (c) wherein the first data processing unit is configured to encrypt each of the M data element shares with a respective encryption key of M encryption keys to generate M encrypted data element shares, wherein each of the encryption keys corresponds to a respective decryption key of M decryption keys; (d) wherein the first data processing unit comprises a secure microcontroller configured to generate, based on the data element, data element shares and encrypt the data element shares; (e) wherein first data processing unit is configured to provide each of the M data element shares for storage therein to at least one of: (e1) a respective one of separate data share storage units, or (e2) a database; (f) wherein each of the M decryption keys is stored on a respective one of separate decryption key storage units; (g) wherein the system comprises a device and at least N computing units, wherein N is an integer greater than or equal to 1, and smaller than or equal to M, (h) wherein each of the at least N computing units is configured to access a respective one of the separate decryption key storage units, and (i) wherein each of the at least N computing units is further configured to access at least one of: (i1) a respective one of the separate data share storage units that stores the encrypted data element share, the decryption key of which is stored in the decryption key storage unit that the computing unit is configured to access, or (i2) the database; (j) wherein: (j1) The device is configured to generate at least one temporary encryption key and at least one corresponding temporary decryption key; (j2) each of the at least N computing units is configured to receive from the decryption key storage unit, that the respective computing unit is configured to access; the decryption key stored therein; (j3) each of the at least N computing units is configured to receive from the data share storage unit; that the respective computing unit is configured to access, the encrypted data element share stored therein or receive from the database an encrypted data element share, of the M encrypted data element shares stored in the database, the encrypted data element share corresponding to the received decryption key received according to (j2); (j4) each of the at least N computing units is configured to decrypt the encrypted data element share, received according to (j3), using the decryption key, received according to (j2), to obtain a data element share in an unencrypted state; (j5) each of the at least N computing units is configured to receive one of the at least one temporary encryption key generated according to (j1); and (j6) Each of the at least N computing units is configured to encrypt the data element share in the unencrypted state, obtained according to (j4), using the temporary encryption key, received according to (j5), to generate a respective temporary encrypted data element share, (j7) Each of the at least N computing units is configured to provide the respective temporary encrypted data element share to the device; (j8) the device is configured to unencrypt each of the at least N temporary encrypted data element shares, provided according to (j7), to obtain at least N data element shares in an unencrypted state; (j9) the device is configured to determine the data element based on the at least N data element shares in the unencrypted state; (k) wherein the device comprises a secure microcontroller configured to generate the data element based on the at least N data element shares. Claim Rejections - 35 USC § 112 The following is a quotation of 35 U.S.C. 112(b): (b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph: The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. Claims 2-17 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Claims 1 and 12 recite “wherein at least one external device executes an authentication protocol” however it is not clear whether the recited “at least one external device executes” has any association or reference to either of: “the first data processing unit outputting the M encrypted data element shares to at least one external device” or “the at least N data element shares are provided by one or more of the at least one external device”. These ambiguities rendered the limitations indefinite. Proper antecedent basis or reference association are needed to clarify the ambiguities. Claims 1 and 12 are rendered indefinite. Claims 3 and 4 recite “wherein data is transferred between the respective at least one external device and the device only upon successful authentication of the device by the external device”, however there are lack of anteceded basis for “the respective” and “the external device”. It is ambiguous to make references or association between the recited external devices and claims 3 and 4 are rendered indefinite. Dependent claims 4-11 and claims 13-17 failed to remedy the deficiencies of their respective independent claims and therefore they are rendered indefinite. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 2-17 are rejected under 35 U.S.C. 103 as being unpatentable over Stolbikov et al. (US 20210124812 A1 ---hereinafter—-“Stolbikov”) in view of Jueneman et al. (US 20080263363 A1 ---hereinafter --- Jueneman). As per claim 2: Stolbikov discloses a method comprising: based on a data element, generating M data element shares of the data element, wherein M is an integer greater than 1 ([0068] In one embodiment, the provisioning module 302 divides the digital license into the plurality of segments using Shamir's Secret Sharing algorithm. As used herein, Shamir's Secret Sharing algorithm is a form of secret sharing where a secret is divided into parts such that each participant of a plurality of participants is given its own unique part. To reconstruct the original secret, a minimum number of parts is required. In the threshold scheme, this number is a subset of the total number of parts, which may include a number of parts that is less than the total number of parts. Otherwise all participants are needed to reconstruct the original secret); a first data processing unit encrypting each of the M data element shares with a respective encryption key, and thus generating M encrypted data element shares, wherein each of the encryption keys corresponds to a respective decryption key ([0071] In further embodiments, the provisioning module 302 determines an owner/participant for each of the plurality of segments and the storage nodes 110 where the plurality of segments will be stored. As used herein, a participant or owner of a segment may be a user, a device, an organization, a company, or the like or any combination of the foregoing, that has been authorized to participate in the encryption and distribution of license keys as described herein. Each participant/owner may have a corresponding encryption key, e.g., a public/private key pair that can be used to encrypt and decrypt corresponding segments of the license key. The provisioning module 302 may randomly select participants/owners for a segment of the license key, may select participants/owners from a pre-authorized list (e.g., a vendor may maintain an authorized list of participants/owners and their corresponding (public) encryption key), may assign multiple participants/owners to the same license key segment, and/or the like); the first data processing unit outputting the M encrypted data element shares to at least one external device ([0072] The provisioning module 302 may reference a list or data structure that includes identifying information for users or devices that may be participants or owners of segments of the license (e.g., users or devices that are pre-authorized to participant in the blockchain) and storage nodes 110 where the segments may be stored such as a node identifier or name, a location of the storage nodes 110 such as an internet protocol (“IP”) address or a media access control (“MAC”) address, a port for communicating with the storage nodes 110, and/or the like. In certain embodiments, a single storage node 110 may be used to store each of the encrypted segments, or each segment may be stored on a different storage node 110, or some segments may be stored on the same storage node 110 while other segments are stored on different storage nodes 110, and/or the like); providing to a device at least N of M of the data element shares in an unencrypted state, wherein N is an integer greater than or equal to 1 and smaller than or equal to M, wherein the at least N data element shares are provided by one or more of the at least one external device ([0073] In certain embodiments, the provisioning module 302 encrypts each of the plurality of segments of the digital license with an encryption key that is associated with a participant/owner of a segment, e.g., a storage node 110. For example, each participant/owner may have a unique public encryption key, and the provisioning module 302 may encrypt each segment of the digital license with the public encryption key of the participant/owner of the segment, e.g., a storage node 110 where a segment will be stored. Various encryption schemes may be used including symmetric key encryption, public/private key encryption, integrated encryption scheme (“IES”), discrete logarithm IES (“DLIES”), elliptic curve IES (“ECIES”), advanced encryption standard (“AES”) encryption, and/or the like); and the device determining the data element based on the at least N data element shares in the unencrypted state ([0068] the provisioning module 302 divides the digital license into the plurality of segments using Shamir's Secret Sharing algorithm. As used herein, Shamir's Secret Sharing algorithm is a form of secret sharing where a secret is divided into parts such that each participant of a plurality of participants is given its own unique part. To reconstruct the original secret, a minimum number of parts is required. In the threshold scheme, this number is a subset of the total number of parts, which may include a number of parts that is less than the total number of parts. Otherwise all participants are needed to reconstruct the original secret); wherein the device is different from the first data processing unit ([0075] Of note is that the segments of the license key are secured with encryption while the segments are stored at a storage node 110 or another device and/or while the segments are transmitted to different devices, e.g., between a storage node 110 and a requesting device. As an added layer of security, the encryption module 204 is configured to securely store the encryption keys, e.g., private encryption keys or other non-public encryption keys, in a secure storage area of a device such as in a trusted platform module (“TPM”) or other secure cryptoprocessor). Stolbikov does not explicitly disclose wherein at least one external device executes an authentication protocol prior to transferring data with the device for authenticating the device. Jueneman, in analogous art however, discloses wherein at least one external device executes an authentication protocol prior to transferring data with the device for authenticating the device ([0108] To illustrate this mode of operation, the system that includes a SPED and a HCD can be implemented to permit alternative creation of HACs for remotely located HCDs, on which the proper SPED mass storage and administrative tools software have been loaded. For example, in an alternate embodiment of the present invention as illustrated in FIG. 1, multiple remotely located host computing devices are connected to a network 22 in a client-server configuration which also comprises a server 21 An Originator 11 can create a host authorization code on their specific host computing device 13 and secure portable encryption device 14, and share this HAC with other Recipients or users 17 in the same Community of Interest without requiring individual user interaction by the Originator's SPED 14 with each host computing device, by communicating the Originator's created host authorization code by a cryptographically secure mutually authenticated client-server channel connection 22 to a system server 21. [0109] Distribution of the Originator created host authorization code to the host computing devices of the designated members 17 of the enclave or domain transmits the shared HAC through a cryptographically-secure, mutually-authenticated client-server channel connection 22. Since the external host authorization code is transformed by the SPED using a unique identifier from each HCD, the HAC secret can only be correctly reverse transformed by the same HCD and combined with the other shared secrets to reconstitute the MKEK. In this manner, multiple HACs may be created to be distributed to combinations of host computing device according to security policies and the designation of Communities of Interest. [0110] In one further embodiment of the present invention, a given SPED 610 can only support a single HAC and therefore a single, optionally named classification level. At the time of SPED 610 initialization, the name of the HAC 601 specified for operating with a given SPED 610 is carried as a public object in the SPED 610 cryptographic processor 613 and is accessed by the HCD middleware 603 after insertion of the SPED, and the matching HAC in the HCD 610 list of HACs will be loaded into the SPED 615 in order to enable a user to log on from the particular authenticated HCD). Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the claimed limitations of the at least one external device disclosed by Stolbikov to include the external device executes an authentication protocol prior to transferring data with the device for authenticating the device. This modification would have been obvious because a person having ordinary skill in the art would have been motivated by the desire to provide ([0037] A portable encryption device with file decryption controlled by a file encryption key is disclosed comprising an enclosure for the device providing a portable form factor, and a cryptographic processor within the enclosure for reconstituting the file encryption key from a version of the file encryption key which has been shrouded with a network authorization code as suggested by Jueneman ([0031-0033]). As per claim 3: Stolbikov in view of Jueneman discloses the method according to claim 2, wherein data is transferred between the respective at least one external device and the device only upon successful authentication of the device by the external device (Jueneman [0012] An "enclave" is considered to consist of one or more host computers operating within a single organization or enterprise and under the control of a common security administration, typically subject to some level of physical security, and within which there is some reasonable expectation of interoperability with respect to the use of the subject invention. An example of an enclave would be the computers used within a single corporate campus, such that an employee could insert and use the secure portable secure encryption device. An enclave may be restricted in its scope to include only those host computers that are authorized to process information of a particular type, e.g., Engineering, Human Resources, or Finance. A given host computer may be authorized to be a member of multiple enclaves. A "domain" is considered to consist of one or more enclaves distributed across one or more enterprises or organizations, all operating within a common security framework and policy. An example would be a collection of computers operating at the SECRET level throughout a portion of the Department of Defense, including civilian contractors and other cleared users. A "Community of Interest" is typically a more loosely defined set of host processors and users who all share a common interest and "Need to Know," even if (in some cases) that interest spans enclaves and domains and even governmental boundaries. An example would be communications between the U.S. military and our allied and coalition partners, and in some cases even indigenous tribal authorities and informal collaborators. In the civilian or social networking sphere, a community of interest might include "Friends and Family," a chat room, membership on a professional or social e-mail or blog list, etc. [0014] It is very important to provide a mechanism for data confinement, such that the secure portable encryption device can only be used in combination with an authorized host-computing device. In a military environment, such a mechanism would prevent the encrypted data from being compromised even if the user were coerced into divulging or entering the PIN or password and activating any biometric sensors. In a commercial enterprise environment, such a mechanism could be used to prevent an authorized user from accessing and storing proprietary or personal of data and later decrypting them on his home computer without proper authorization, for personal gain, vicarious pleasure, or purposes that are more nefarious). As per claim 4: Stolbikov in view of Jueneman discloses the method according to claim 2, wherein the device executes an authentication protocol prior to transferring data with the at least one external device for authenticating the external device (Jueneman [0013] In many environments, it is not sufficient merely to restrict the physical access and ability to log on to the device to certain host computers within a given enclave. Instead, there is a need for restricted communication and data containment, and it is necessary to constrain encrypted communications to those members of a pre-defined Community of Interest, so that no one outside of that Community of Interest could possibly decrypt the message. Such a mechanism could be used to enforce Mandatory Access Controls (e.g., clearance levels, compartments, and/or caveats in the military), or a defined Need-To-Know for various proprietary or sensitive types of information in commercial enterprises). As per claim 5: Stolbikov in view of Jueneman discloses the method according to claim 4, wherein data is transferred between the device and the at least one external device only upon successful authentication of the external device by the device (Jueneman [0109] Distribution of the Originator created host authorization code to the host computing devices of the designated members 17 of the enclave or domain transmits the shared HAC through a cryptographically-secure, mutually-authenticated client-server channel connection 22. Since the external host authorization code is transformed by the SPED using a unique identifier from each HCD, the HAC secret can only be correctly reverse transformed by the same HCD and combined with the other shared secrets to reconstitute the MKEK. In this manner, multiple HACs may be created to be distributed to combinations of host computing device according to security policies and the designation of Communities of Interest). As per claim 6: Stolbikov in view of Jueneman discloses the method according to claim 2, wherein the providing to the device the at least N of M of the data element shares in an unencrypted state comprises: providing each of the at least N data element shares in an encrypted state to the device (Stolbikov [0073] In certain embodiments, the provisioning module 302 encrypts each of the plurality of segments of the digital license with an encryption key that is associated with a participant/owner of a segment, e.g., a storage node 110. For example, each participant/owner may have a unique public encryption key, and the provisioning module 302 may encrypt each segment of the digital license with the public encryption key of the participant/owner of the segment, e.g., a storage node 110 where a segment will be stored. Various encryption schemes may be used including symmetric key encryption, public/private key encryption, integrated encryption scheme (“IES”), discrete logarithm IES (“DLIES”), elliptic curve IES (“ECIES”), advanced encryption standard (“AES”) encryption, and/or the like); and unencrypting each of the at least N data element shares in an encrypted state on the device and thus getting the at least N data element shares in an unencrypted state (Stolbikov [0068] the provisioning module 302 divides the digital license into the plurality of segments using Shamir's Secret Sharing algorithm. As used herein, Shamir's Secret Sharing algorithm is a form of secret sharing where a secret is divided into parts such that each participant of a plurality of participants is given its own unique part. To reconstruct the original secret, a minimum number of parts is required. In the threshold scheme, this number is a subset of the total number of parts, which may include a number of parts that is less than the total number of parts. Otherwise all participants are needed to reconstruct the original secret). As per claim 7: Stolbikov in view of Jueneman discloses the method according to claim 2, wherein the data element can be determined with N unencrypted data element shares, where N is an integer greater than or equal to 1 and smaller than or equal to M (Stolbikov [0069] Shamir's Secret Sharing algorithm can be used to secure a secret in a distributed way, such as a digital license. The secret is split into multiple parts, called shares. These shares are used to reconstruct the original secret. To unlock the secret via Shamir's Secret Sharing, a minimum number of shares is needed. This is called the threshold and is used to denote the minimum number of shares needed to unlock the secret). As per claim 8: Stolbikov in view of Jueneman discloses the method according to claim 7, wherein the step of generating M data element shares is based on a threshold secret sharing scheme with a total number of shares equal to M and a threshold equal to N (Stolbikov [0037] In further embodiments, the method includes dividing the digital license into the plurality of segments using Shamir's Secret Sharing algorithm such that a subset of the plurality of segments can be used to reconstruct the digital license. In one embodiment, a total number of the plurality of segments is determined based on a total number of the plurality of second devices where the plurality of segments will be stored. In certain embodiments, the method includes encrypting each of the plurality of segments using a public encryption key of the second device of the plurality of second devices where the segment will be stored). As per claim 9: Stolbikov in view of Jueneman discloses the method according to claim 2, wherein each encryption key is identical to the corresponding decryption key (Stolbikov [0073] The provisioning module 302 encrypts each of the plurality of segments of the digital license with an encryption key that is associated with a participant/owner of a segment, e.g., a storage node 110. For example, each participant/owner may have a unique public encryption key, and the provisioning module 302 may encrypt each segment of the digital license with the public encryption key of the participant/owner of the segment, e.g., a storage node 110 where a segment will be stored. Various encryption schemes may be used including symmetric key encryption, public/private key encryption, integrated encryption scheme (“IES”), discrete logarithm IES (“DLIES”), elliptic curve IES (“ECIES”), advanced encryption standard (“AES”) encryption, and/or the like). As per claim 10: Stolbikov in view of Jueneman discloses the method according to claim 2, wherein: the first data processing unit is configured to execute an encryption routine to encrypt each of the M data element shares to generate M encrypted data element shares (Stolbikov [0059] In one embodiment, the encryption module 204 is configured to re-encrypt the plurality of segments for the digital license associated with the selected license token using an encryption key for the device that is requesting the digital license. As described in more detail below, the portions or segments of the digital license that are stored on the various storage nodes 110 may be stored in an encrypted format using an encryption key associated with a participant/owner of a segment, e.g., a storage node 110 where a segment is stored. For example, each digital license segment may be encrypted using a public key for the storage node 110 where each segment is stored); and the encryption routine is based on a symmetric encryption scheme (Stolbikov [0073] The provisioning module 302 encrypts each of the plurality of segments of the digital license with an encryption key that is associated with a participant/owner of a segment, e.g., a storage node 110. For example, each participant/owner may have a unique public encryption key, and the provisioning module 302 may encrypt each segment of the digital license with the public encryption key of the participant/owner of the segment, e.g., a storage node 110 where a segment will be stored. Various encryption schemes may be used including symmetric key encryption, public/private key encryption, integrated encryption scheme (“IES”), discrete logarithm IES (“DLIES”), elliptic curve IES (“ECIES”), advanced encryption standard (“AES”) encryption, and/or the like). As per claim 11: Stolbikov in view of Jueneman discloses the method according to claim 2, wherein: the first data processing unit comprises a secure microcontroller configured to generate, based on the data element, data element shares and encrypt the data element shares (Jueneman [0012] An "enclave" is considered to consist of one or more host computers operating within a single organization or enterprise and under the control of a common security administration, typically subject to some level of physical security, and within which there is some reasonable expectation of interoperability with respect to the use of the subject invention); and the device comprises a secure microcontroller configured to generate the data element based on the at least N data element shares ([0013] In many environments, it is not sufficient merely to restrict the physical access and ability to log on to the device to certain host computers within a given enclave. Instead, there is a need for restricted communication and data containment, and it is necessary to constrain encrypted communications to those members of a pre-defined Community of Interest, so that no one outside of that Community of Interest could possibly decrypt the message. Such a mechanism could be used to enforce Mandatory Access Controls (e.g., clearance levels, compartments, and/or caveats in the military), or a defined Need-To-Know for various proprietary or sensitive types of information in commercial enterprises) As per claims 12-17: Claims 12-17 are directed to a system comprising: a first data processing unit and a device configured to functional features corresponding limitations of claims 1-2, 6, and 9-11 respectively and therefore claims 12-17 are rejected with the same rationale given above to reject corresponding limitations of 1-2, 6, and 9-11 respectively. Conclusion The prior arts made of record and not relied upon are considered pertinent to applicant's disclosure. See the notice of reference cited in form PTO-892 for additional prior arts. Contact Information Any inquiry concerning this communication or earlier communications from the examiner should be directed to TECHANE GERGISO whose telephone number is (571)272-3784. The examiner can normally be reached 9:30am to 6:30pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LINGLAN EDWARDS can be reached at (571) 270-5440. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /TECHANE GERGISO/ Primary Examiner, Art Unit 2408
Read full office action

Prosecution Timeline

Aug 02, 2024
Application Filed
Nov 08, 2024
Response after Non-Final Action
Nov 15, 2025
Non-Final Rejection — §103, §112, §DP
Apr 01, 2026
Response Filed

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12587379
COMPUTER-BASED SYSTEMS CONFIGURED TO GENERATE A PLURALITY OF TIME-BASED DIGITAL VERIFICATION CODES AND METHODS OF USE THEREOF
2y 5m to grant Granted Mar 24, 2026
Patent 12567966
ENDPOINT VALIDATION SECURITY
2y 5m to grant Granted Mar 03, 2026
Patent 12537669
IDENTITY AUTHENTICATION METHOD AND APPARATUS, STORAGE MEDIUM, PROGRAM, AND PROGRAM PRODUCT
2y 5m to grant Granted Jan 27, 2026
Patent 12536266
SYSTEMS AND METHODS FOR CONTENT SELECTIONS FOR SECURING COMMUNICATIONS BETWEEN AGENT DEVICES AND USER DEVICES
2y 5m to grant Granted Jan 27, 2026
Patent 12531739
TECHNIQUES FOR PHISHING-RESISTANT ENROLLMENT AND ON-DEVICE AUTHENTICATION
2y 5m to grant Granted Jan 20, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

AI Strategy Recommendation

Get an AI-powered prosecution strategy using examiner precedents, rejection analysis, and claim mapping.
Powered by AI — typically takes 5-10 seconds

Prosecution Projections

1-2
Expected OA Rounds
84%
Grant Probability
99%
With Interview (+24.2%)
3y 3m
Median Time to Grant
Low
PTA Risk
Based on 835 resolved cases by this examiner. Grant probability derived from career allow rate.

Sign in for Full Analysis

Enter your email to receive a magic link. No password needed.

Free tier: 3 strategy analyses per month