Prosecution Insights
Last updated: April 19, 2026
Application No. 18/866,988

ENABLING CELLULAR BASED ZERO TRUST NETWORK ACCESS

Non-Final OA §103
Filed: Nov 18, 2024
Examiner: KOBROSLI, SHADI HASSAN
Art Unit: 2492
Tech Center: 2400 — Computer Networks
Assignee: Telefonaktiebolaget Lm Ericsson (Publ)
OA Round: 1 (Non-Final)
Grant Probability: 70% (Favorable)
OA Rounds: 1-2
To Grant: 3y 5m
With Interview: 99%

Examiner Intelligence

Grants 70% — above average
Career Allow Rate: 70% (57 granted / 81 resolved), +12.4% vs TC avg
Strong +42% interview lift
Interview Lift: +41.8% (resolved cases with interview)
Typical timeline
Avg Prosecution: 3y 5m (27 currently pending)
Career history
Total Applications: 108 (across all art units)

Statute-Specific Performance

§101: 6.4% (-33.6% vs TC avg)
§103: 50.3% (+10.3% vs TC avg)
§102: 19.6% (-20.4% vs TC avg)
§112: 20.4% (-19.6% vs TC avg)
Based on career data from 81 resolved cases

Office Action

§103
DETAILED ACTION

This action is in response to the application filed on November 18, 2024. Claims 1-16 are pending. Claims 1-14 represent a method and claims 15-16 represent an apparatus directed to enabling cellular based zero trust network access.

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-16 are rejected under 35 U.S.C. 103 as being unpatentable over Soryal et al. (US 20230297664), hereinafter referred to as Soryal, in view of 3GPP TS 33.535 V17.5.0 (NPL: 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Authentication and Key Management for Applications (AKMA) based on 3GPP credentials in the 5G System (5GS)), hereinafter referred to as 3GPP.

Regarding Claim 1, Soryal discloses: A method performed by a user equipment (UE) (In ¶ 19, Soryal discloses “each of the devices 111-113 may comprise any single device or combination of devices that may comprise a user endpoint device, or client device.”) for establishing a secured connection with an application entity in an enterprise network (In ¶ 3, Soryal discloses “establishing a communication session between a user device and an enterprise system”), the method comprising sending an establishment request to a Secure Access Secure Edge (SASE) entity (In ¶ 27, Soryal discloses “device 111 may establish a communication with SASE 198 to seek such access.”); receiving an establishment response from the application entity if the SASE entity determines to allow the establishment request (In ¶ 28, Soryal discloses “If the two-factor authentication code is correct, the SIA of SASE 198 may then request the second key from the enterprise network 162” and further discloses in ¶ 44 “the enterprise may provide the second key when the at least one of the user or the user device is authorized to use the at least one access credential”); and establishing a connection with the application entity based on the session key (In ¶ 12, Soryal discloses “the SASE may establish one or more communication sessions between a user device and one or more applications in one or more clouds via the SASE.” and further discloses “then obtain access to one or more enterprise systems in one or more clouds using the access credential(s)”).

However, Soryal does not explicitly disclose the use of a Generic Bootstrapping Architecture/Authenticated Key Management for Application platform.

3GPP discloses: and authorizes a Generic Bootstrapping Architecture/Authenticated Key Management for Application (GBA/AKMA) platform to share a session key with the application entity (In section 6.2.1, 3GPP discloses “the AF selects the AAnF as defined in clause 6.7, and sends a Naanf_AKMA_ApplicationKey_Get request to AAnF with the A-KID to request the KAF for the UE.” and further discloses “The AAnF sends Naanf_AKMA_ApplicationKey_Get response to the AF with SUPI, KAF and the KAF expiration time.”)

One of ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Soryal’s approach by utilizing 3GPP of utilizing a GBA/AKMA platform defined by 3GPP to provide a key required by the SASE architecture as the motivation would allow enterprise applications to leverage 3GPP hardware-based security for cloud-distributed resources (See 3GPP, Section 1).

Regarding Claim 2, the combination of Soryal and 3GPP disclose: The method of claim 1, further comprising the steps of: receiving an error message from the SASE entity if the SASE entity determines not to allow the establishment request (In ¶ 44, Soryal discloses “the enterprise may decline to provide the second key, or may provide an incorrect second key that may present the access credential locker from being properly decrypted.”); and terminating a connection between the UE and the application entity (In ¶ 31, Soryal discloses “SASE 198 and/or enterprise network 162 may then implement any number of automated actions, such as closing connections between device 111 and enterprise system, locking/encrypting the access credential locker, etc.”).

Regarding Claim 3, the combination of Soryal and 3GPP disclose the limitations of claim 1. However, Soryal does not explicitly disclose the generating a session key with GBA/AKMA prior to the request.

3GPP discloses: The method of claim 1, further comprising the step of: generating a session key with the GBA/AKMA platform before sending the establishment request to the SASE entity (In section 6.1, 3GPP discloses “AKMA reuses the 5G primary authentication procedure executed e.g. during the UE Registration to authenticate the UE. A successful 5G primary authentication results in KAUSF being stored at the AUSF and the UE.”).

One of ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Soryal’s approach by utilizing 3GPP of utilizing a GBA/AKMA platform defined by 3GPP to provide a key required by the SASE architecture as the motivation would allow enterprise applications to leverage 3GPP hardware-based security for cloud-distributed resources (See 3GPP, Section 1).

Regarding Claim 4, the combination of Soryal and 3GPP disclose: The method of claim 1, further comprising the step of: establishing a Virtual Private Network (VPN) tunnel with the SASE entity (In ¶ 10, Soryal discloses “remote access is facilitated at an SASE point-of-presence (POP), and the user can then be steered to an enterprise system (e.g., a database, an application, etc.) directly (e.g., without having to hairpin the traffic via a VPN termination point in an enterprise data center).” wherein the SASE functions as an enhanced version of a VPN) before sending the establishment request to the SASE entity (In ¶ 56, Soryal discloses “step 220 may precede step 215.” wherein a first key is obtained prior to the access credential needed).

Regarding Claim 5, the combination of Soryal and 3GPP disclose the limitations of claim 1. However, Soryal does not disclose the use of a GBA/AKMA platform.

3GPP discloses: The method of claim 1, wherein the session key is computed by the GBA/AKMA platform. (In section 6.3, 3GPP discloses “The AAnF generates the KAF as specified in clause 6.2 and sends the response to the NEF with the KAF, the KAF expiration time (KAF exptime) and SUPI.”)

One of ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Soryal’s approach by utilizing 3GPP of utilizing a GBA/AKMA platform defined by 3GPP to provide a key required by the SASE architecture as the motivation would allow enterprise applications to leverage 3GPP hardware-based security for cloud-distributed resources (See 3GPP, Section 1).

Regarding Claim 6, the combination of Soryal and 3GPP disclose: The method of claim 1, further comprising: providing user data; and forwarding the user data to a host via the transmission to the application entity (In ¶ 12, Soryal discloses “all communications between the user device and the enterprise system(s) may be routed via the SASE, e.g., without first having to pass through an enterprise data center and hairpin back out to one or more clouds in which the enterprise system(s) is/are deployed.”)

Regarding Claim 7, Soryal discloses: A method performed by a Secure Access Secure Edge (SASE) entity for establishing a secured connection between a user equipment (UE) and an application entity in an enterprise network (In ¶ 3, Soryal discloses “establishing a communication session between a user device and an enterprise system”), the method comprising: receiving an establishment request from the UE (In ¶ 27, Soryal discloses “device 111 may establish a communication with SASE 198 to seek such access.”); determining whether to allow the establishment request (In ¶ 28, Soryal discloses “If the two-factor authentication code is correct, the SIA of SASE 198 may then request the second key from the enterprise network 162” and further discloses in ¶ 44 “the enterprise may provide the second key when the at least one of the user or the user device is authorized to use the at least one access credential”); and sending a session establishment request message to the application entity, wherein the initiate message comprises an authorization to share a session key with the application entity (In ¶ 12, Soryal discloses “the SASE may establish one or more communication sessions between a user device and one or more applications in one or more clouds via the SASE.” and further discloses “then obtain access to one or more enterprise systems in one or more clouds using the access credential(s)”).

However, Soryal does not explicitly disclose the use of a Generic Bootstrapping Architecture/Authenticated Key Management for Application platform.

3GPP discloses: sending an initiate message to a Generic Bootstrapping Architecture/Authenticated Key Management for Application (GBA/AKMA) platform if the SASE entity determines to allow the establishment request; receiving an acknowledgement (ACK) response from the GBA/AKMA platform; (In section 6.2.1, 3GPP discloses “the AF selects the AAnF as defined in clause 6.7, and sends a Naanf_AKMA_ApplicationKey_Get request to AAnF with the A-KID to request the KAF for the UE.” and further discloses “The AAnF sends Naanf_AKMA_ApplicationKey_Get response to the AF with SUPI, KAF and the KAF expiration time.”)

One of ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Soryal’s approach by utilizing 3GPP of utilizing a GBA/AKMA platform defined by 3GPP to provide a key required by the SASE architecture as the motivation would allow enterprise applications to leverage 3GPP hardware-based security for cloud-distributed resources (See 3GPP, Section 1).

Regarding Claim 8, the combination of Soryal and 3GPP disclose: The method of claim 7, further comprising the step of: sending an error message to the UE to terminate a connection between the UE and the application entity if the SASE entity determines not to allow the establishment request (In ¶ 44, Soryal discloses “the enterprise may decline to provide the second key, or may provide an incorrect second key that may present the access credential locker from being properly decrypted.” and further in ¶ 31 “SASE 198 and/or enterprise network 162 may then implement any number of automated actions, such as closing connections between device 111 and enterprise system, locking/encrypting the access credential locker, etc”)

Regarding Claim 9, the combination of Soryal and 3GPP disclose: The method of claim 7, wherein the establishment request comprises a session key identifier (In ¶ 3, Soryal discloses “where the request comprises a token that identifies the access credential locker, obtain a first key from the user device,”).

Regarding Claim 10, the combination of Soryal and 3GPP disclose the limitations of claim 7. However, Soryal does not explicitly disclose the use of a Generic Bootstrapping Architecture/Authenticated Key Management for Application platform.

3GPP discloses: The method of claim 7, wherein the initiate message comprises at least one of the following: one or more properties assigned to the session key based on credentials of the UE or the session key identifier (In section 6.2.1, 3GPP discloses “The AF also includes its identity (AF_ID) in the request.”)

One of ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Soryal’s approach by utilizing 3GPP of utilizing a GBA/AKMA platform defined by 3GPP to provide a key required by the SASE architecture as the motivation would allow enterprise applications to leverage 3GPP hardware-based security for cloud-distributed resources (See 3GPP, Section 1).

Regarding Claim 11, Soryal discloses: A method performed by a computer-implemented controller for establishing a secured connection between a user equipment (UE) and an application entity in an enterprise network (In ¶ 3, Soryal discloses “establishing a communication session between a user device and an enterprise system”), the method comprising: receiving an establishment request from the UE (In ¶ 27, Soryal discloses “device 111 may establish a communication with SASE 198 to seek such access.”); determining whether to allow the establishment request (In ¶ 28, Soryal discloses “If the two-factor authentication code is correct, the SIA of SASE 198 may then request the second key from the enterprise network 162” and further discloses in ¶ 44 “the enterprise may provide the second key when the at least one of the user or the user device is authorized to use the at least one access credential”); and sending a session establishment request message to the application entity, wherein the initiate message comprises an authorization to share a session key with the application entity. (In ¶ 12, Soryal discloses “the SASE may establish one or more communication sessions between a user device and one or more applications in one or more clouds via the SASE.” and further discloses “then obtain access to one or more enterprise systems in one or more clouds using the access credential(s)”).

However, Soryal does not explicitly disclose the use of a Generic Bootstrapping Architecture/Authenticated Key Management for Application platform.

3GPP discloses: sending an initiate message to a Generic Bootstrapping Architecture/Authenticated Key Management for Application (GBA/AKMA) platform if the computer-implemented controller determines to allow the establishment request; receiving an acknowledgement (ACK) response from the GBA/AKMA platform (In section 6.2.1, 3GPP discloses “the AF selects the AAnF as defined in clause 6.7, and sends a Naanf_AKMA_ApplicationKey_Get request to AAnF with the A-KID to request the KAF for the UE.” and further discloses “The AAnF sends Naanf_AKMA_ApplicationKey_Get response to the AF with SUPI, KAF and the KAF expiration time.”)

One of ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Soryal’s approach by utilizing 3GPP of utilizing a GBA/AKMA platform defined by 3GPP to provide a key required by the SASE architecture as the motivation would allow enterprise applications to leverage 3GPP hardware-based security for cloud-distributed resources (See 3GPP, Section 1).

Regarding Claim 12, the combination of Soryal and 3GPP disclose: The method of claim 11, further comprising the step: sending an error message to the UE to terminate a connection between the UE and the application entity if the computer-implemented controller determines not to allow the establishment request. (In ¶ 44, Soryal discloses “the enterprise may decline to provide the second key, or may provide an incorrect second key that may present the access credential locker from being properly decrypted.” and further in ¶ 31 “SASE 198 and/or enterprise network 162 may then implement any number of automated actions, such as closing connections between device 111 and enterprise system, locking/encrypting the access credential locker, etc”)

Regarding Claim 13, the combination of Soryal and 3GPP disclose: The method of claim 11, wherein the establishment request comprises a session key identifier (In ¶ 3, Soryal discloses “where the request comprises a token that identifies the access credential locker, obtain a first key from the user device,”).

Regarding Claim 14, the combination of Soryal and 3GPP disclose the limitations of claim 11. However, Soryal does not explicitly disclose the use of a Generic Bootstrapping Architecture/Authenticated Key Management for Application platform.

3GPP discloses: The method of claim 11, wherein the initiate message comprises at least one of the following: one or more properties assigned to the session key based on credentials of the user equipment or the session key identifier (In section 6.2.1, 3GPP discloses “The AF also includes its identity (AF_ID) in the request.”)

One of ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Soryal’s approach by utilizing 3GPP of utilizing a GBA/AKMA platform defined by 3GPP to provide a key required by the SASE architecture as the motivation would allow enterprise applications to leverage 3GPP hardware-based security for cloud-distributed resources (See 3GPP, Section 1).

Regarding Claim 15, Soryal discloses: A user equipment (UE) for establishing a secured connection with an application entity in an enterprise network (In ¶ 3, Soryal discloses “establishing a communication session between a user device and an enterprise system”), comprising: processing circuitry configured to perform: sending an establishment request to a Secure Access Secure Edge (SASE) entity (In ¶ 27, Soryal discloses “device 111 may establish a communication with SASE 198 to seek such access.”); and establishing a connection with the application entity based on the session key (In ¶ 12, Soryal discloses “the SASE may establish one or more communication sessions between a user device and one or more applications in one or more clouds via the SASE.” and further discloses “then obtain access to one or more enterprise systems in one or more clouds using the access credential(s)”); and power supply circuitry configured to supply power to the processing circuitry (In ¶ 59, Soryal discloses “As depicted in FIG. 3, the processing system 300 comprises one or more hardware processor elements 302 (e.g., a microprocessor, a central processing unit (CPU) and the like), a memory 304, (e.g., random access memory (RAM), read only memory (ROM), a disk drive, an optical drive, a magnetic drive, and/or a Universal Serial Bus (USB) drive)” wherein hardware components require power to operate).

However, Soryal does not explicitly disclose the use of a Generic Bootstrapping Architecture/Authenticated Key Management for Application platform.

3GPP discloses: receiving an establishment response from the application entity if the SASE entity determines to allow the establishment request and authorizes a Generic Bootstrapping Architecture/Authenticated Key Management for Application (GBA/AKMA) platform to share a session key with the application entity; (In section 6.2.1, 3GPP discloses “the AF selects the AAnF as defined in clause 6.7, and sends a Naanf_AKMA_ApplicationKey_Get request to AAnF with the A-KID to request the KAF for the UE.” and further discloses “The AAnF sends Naanf_AKMA_ApplicationKey_Get response to the AF with SUPI, KAF and the KAF expiration time.”)

One of ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Soryal’s approach by utilizing 3GPP of utilizing a GBA/AKMA platform defined by 3GPP to provide a key required by the SASE architecture as the motivation would allow enterprise applications to leverage 3GPP hardware-based security for cloud-distributed resources (See 3GPP, Section 1).

Regarding Claim 16, Soryal discloses: A computer-implemented controller for establishing a secured connection between a user equipment (UE) and an application entity in an enterprise network (In ¶ 3, Soryal discloses “establishing a communication session between a user device and an enterprise system”), the computer-implemented controller comprising: processing circuitry configured to perform: receiving an establishment request from the UE (In ¶ 27, Soryal discloses “device 111 may establish a communication with SASE 198 to seek such access.”); determining whether to allow the establishment request (In ¶ 28, Soryal discloses “If the two-factor authentication code is correct, the SIA of SASE 198 may then request the second key from the enterprise network 162” and further discloses in ¶ 44 “the enterprise may provide the second key when the at least one of the user or the user device is authorized to use the at least one access credential”); and sending a session establishment request message to the application entity, wherein the initiate message comprises an authorization to share a session key with the application entity (In ¶ 12, Soryal discloses “the SASE may establish one or more communication sessions between a user device and one or more applications in one or more clouds via the SASE.” and further discloses “then obtain access to one or more enterprise systems in one or more clouds using the access credential(s)”); and power supply circuitry configured to supply power to the processing circuitry (In ¶ 59, Soryal discloses “As depicted in FIG. 3, the processing system 300 comprises one or more hardware processor elements 302 (e.g., a microprocessor, a central processing unit (CPU) and the like), a memory 304, (e.g., random access memory (RAM), read only memory (ROM), a disk drive, an optical drive, a magnetic drive, and/or a Universal Serial Bus (USB) drive)” wherein hardware components require power to operate).

However, Soryal does not explicitly disclose the use of a Generic Bootstrapping Architecture/Authenticated Key Management for Application platform.

3GPP discloses: sending an initiate message to a Generic Bootstrapping Architecture/Authenticated Key Management for Application (GBA/AKMA) platform if the processing circuitry determines to allow the establishment request; receiving an acknowledgement (ACK) response from the GBA/AKMA platform (In section 6.2.1, 3GPP discloses “the AF selects the AAnF as defined in clause 6.7, and sends a Naanf_AKMA_ApplicationKey_Get request to AAnF with the A-KID to request the KAF for the UE.” and further discloses “The AAnF sends Naanf_AKMA_ApplicationKey_Get response to the AF with SUPI, KAF and the KAF expiration time.”)

One of ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Soryal’s approach by utilizing 3GPP of utilizing a GBA/AKMA platform defined by 3GPP to provide a key required by the SASE architecture as the motivation would allow enterprise applications to leverage 3GPP hardware-based security for cloud-distributed resources (See 3GPP, Section 1).

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Paul et al. (US 20250117471) discloses a method for using a SASE to monitor incoming requests from user devices. Parla et al. (US 20250047759) discloses methods for leveraging the MASQUE protocol to provide remote clients with full application access to private enterprise resources are described herein.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHADI H KOBROSLI whose telephone number is (571)272-1952. The examiner can normally be reached M-F 9am-5pm ET.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rupal Dharia can be reached at 571-272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SHADI H KOBROSLI/Examiner, Art Unit 2492
/RUPAL DHARIA/Supervisory Patent Examiner, Art Unit 2492

Prosecution Timeline

Nov 18, 2024: Application Filed
Mar 05, 2026: Non-Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12602453: MEDIA AUTHENTICATION (2y 5m to grant; granted Apr 14, 2026)
Patent 12580760: SMART CONTRACT EXECUTION USING DISTRIBUTED COORDINATION (2y 5m to grant; granted Mar 17, 2026)
Patent 12574371: Privacy-Preserving Biometric Authentication (2y 5m to grant; granted Mar 10, 2026)
Patent 12556377: INTERNAL KEY MANAGEMENT FOR A STORAGE SUBSYSTEM ENCRYPTING DATA IN THE CLOUD (2y 5m to grant; granted Feb 17, 2026)
Patent 12547739: SYSTEMS AND METHODS FOR CREATING DERIVATIVE DIGITAL ASSETS BY BRANCHING ON AN ORIGINAL NON-FUNGIBLE TOKEN (2y 5m to grant; granted Feb 10, 2026)
Based on 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 70%
With Interview: 99% (+41.8%)
Median Time to Grant: 3y 5m
PTA Risk: Low
Based on 81 resolved cases by this examiner. Grant probability derived from career allow rate.
