Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
The instant application having Application No. 18/867,038 is presented for examination by the examiner.
Priority
Acknowledgment is made of applicant's claim for foreign priority under 35 U.S.C. 119(a)-(d). The certified copy has been received.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
Claims 1, 2, and 21 are rejected under 35 U.S.C. 102(a)(1)/(a)(2) as being anticipated by over Driever (US 2020/0076600 A1).
Regarding Claim 1
Driever discloses:
An encryption system comprising:
a management device (Driever ¶32 and ¶37: external key manager server / key server (EKM 106) functions as the management device because it manages and distributes the encryption information to both endpoint nodes for use in securing their communications.);
an encryption device (Driever ¶71: master node / host 102); and
a decryption device (Driever ¶71 and ¶78: slave node / storage device 104), wherein
the encryption device and the decryption device are connected to each other via a first transmission line serving as a physical transmission path (Driever ¶95, ¶107: teaches that the encryption device (host) and the decryption device (storage device) are connected via a first transmission line serving as a physical transmission path because the host and storage device are connected through physical Fibre Channel links and use those links to securely transmit and receive I/O command data between them.),
the management device is configured to transmit encryption information to the encryption device and the decryption device, the encryption information being related to an encryption scheme to be used in the encryption device and the decryption device (Driever ¶58, ¶60: teaches that the management device (external key manager server) is configured to transmit encryption information to the encryption device and the decryption device because the key server generates a wrapping key (AES 256 encryption scheme) used for encryption/decryption, the wrapping key is directly provided to both the host (master node) and the storage device (slave node).),
the encryption device is configured to generate encrypted data by performing an encryption process on communication data, based on the encryption information received from the management device (Driever ¶58, ¶60, ¶64: Driever teaches that the encryption device (host) generates encrypted data by performing an encryption process on communication data based on encryption information received from the management device because the external key manager generates a wrapping key, provides that wrapping key to the host, and the host encrypts a message using the wrapping key before transmitting it to the storage device.),
and to transmit the generated encrypted data to the decryption device via the first transmission line (Driever ¶64, ¶95: teaches that the encryption device (host / master node) transmits the generated encrypted data to the decryption device (storage device / slave node) via the first transmission line because the host encrypts a message using the wrapping key and sends the encrypted message to the storage device over a Fibre Channel link, which is described as a physical connection between the nodes.), and
the decryption device is configured to perform a decryption process on the encrypted data received from the encryption device via the first transmission line, based on the encryption information received from the management device (Driever ¶58, ¶60, ¶64: teaches that the decryption device (storage device / slave node) is configured to perform a decryption process on the encrypted data received from the encryption device (host / master node) via the first transmission line because the wrapping key generated by the external key manager server is used for encryption/decryption, the external key manager provides the wrapping key directly to both the host and the storage device, and the storage device receives the encrypted message over a link and decrypts the payload using the obtained wrapping key.).
Regarding Claim 2
Driever discloses:
The encryption system according to claim 1, wherein the management device is configured to transmit the encryption information to the encryption device and the decryption device via a second transmission line different from the first transmission line (Driever ¶72, ¶74: Driever teaches that the management device (external key manager server) transmits encryption information to the encryption device (host) via a second transmission line because the host communicates with the external key manager server over secure connection 108 to obtain the wrapping key, while the host transmits encrypted messages to the storage device over a separate Fibre Channel link, thereby establishing two distinct transmission lines.).
Regarding Claim 21
Claim 21 is directed to a method corresponding to the system in claim 1. Claim 21 is similar in scope to claim 1 and is therefore rejected under similar rationale.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 3-5 and 10-15 are rejected under 35 U.S.C. 103 as being unpatentable over Driever (US 2020/0076600 A1) as applied to claims 1-2 above, and in view of Van Duyne (US 20200092728 A1).
Regarding Claim 3
Driever teaches an encryption system including a management device and communicating devices, wherein the management device distributes cryptographic information to encryption and decryption devices, and the devices use the received cryptographic information to perform coordinated encryption and decryption operations in accordance with a selected cryptographic technique. However, Driever is silent in explicitly teaching that the management device, the encryption device, and the decryption device hold correspondence information indicating a correspondence between encryption information and an encryption scheme, and that the management device refers to such correspondence information to select and transmit encryption information corresponding to the encryption scheme to be used. Van Duyne teaches such correspondence information. Specifically, Van Duyne discloses an encryption scheme field (field 502) having defined bit values that correspond to specific encryption schemes, including industry standard and custom schemes (¶124–125, Table 3). The encryption scheme field constitutes encryption information, and Table 3 defines the correspondence between the encryption information and the specific encryption schemes. Van Duyne further teaches that the IPK-TX controller generates and sets the encryption scheme field and transmits it within the IPK frame structure (¶123–124, 183), and that the encrypt cipher processor and decrypt cipher processor execute encryption and decryption operations in accordance with the encryption scheme identified by the received encryption scheme field (¶124, 179, 188). Thus, Van Duyne teaches that communicating devices refer to stored correspondence information to determine and execute the appropriate encryption scheme based on received encryption information.
It would have been obvious to modify Driever’s management device to maintain and refer to correspondence information in the manner taught by Van Duyne in order to standardize selection of cryptographic techniques, ensure interoperability between communicating devices, and enable dynamic selection of encryption schemes based on supported capabilities, thereby yielding predictable and coordinated encryption and decryption operations.
Regarding Claim 4
Driever teaches an encryption system including a management device and communicating devices, wherein the management device distributes cryptographic information to encryption and decryption devices, and the devices use the received cryptographic information to perform coordinated encryption and decryption operations in accordance with a selected cryptographic technique. However, Driever does not explicitly teach that the management device selects the encryption scheme to be used in accordance with confidentiality of the communication data. Van Duyne teaches dynamically selecting and changing encryption schemes based on security considerations. Specifically, Van Duyne discloses that the IPK system can define, implement, and execute an algorithm to change the encryption scheme based on factors including “level of security” (¶190). Van Duyne further teaches that control bits may be defined to select the boundaries of the encryption search space and control the level of obfuscation, such that relatively light encryption may be used when sufficient and higher levels of encryption may be used when greater security is desired (¶248). Because confidentiality is a fundamental component of security in cryptographic systems, selecting an encryption scheme based on a required “level of security” or desired level of obfuscation corresponds to selecting an encryption scheme in accordance with the confidentiality requirements of the communication data.
It would have been obvious to one of ordinary skill in the art at the time of the invention to modify Driever’s management device to select the encryption scheme based on confidentiality requirements of the communication data as taught by Van Duyne. Incorporating Van Duyne’s dynamic, security-level based encryption selection into Driever’s management encryption system would have predictably enhanced flexibility and security by allowing stronger encryption for highly confidential communications and lighter encryption where appropriate, while maintaining coordinated operation between encryption and decryption devices. Such modification represents the predictable use of known techniques for selecting cryptographic strength based on security requirements.
Regarding Claim 5
Driever teaches an encryption system including a management device that distributes cryptographic information to encryption and decryption devices, which use the received information to perform coordinated encryption and decryption operations in accordance with a selected cryptographic technique. However, Driever does not explicitly teach selecting the encryption scheme in accordance with real-time performance required for the communication data. Van Duyne teaches dynamically adapting cryptographic operations based on performance considerations. Specifically, Van Duyne discloses optimizing security and performance (¶75), changing encryption parameters based on performance and system conditions (¶95, 108), and having the IPK-TX controller determine computational complexity of encryption functions based on performance requirements (¶129). Van Duyne further teaches real-time communication feedback mechanisms, including BER feedback and retransmission tracking, used to optimize system decisions under varying conditions (¶62, 157). Because encryption computational complexity directly impacts latency and throughput, selecting encryption functions based on performance considerations corresponds to selecting an encryption scheme in accordance with real-time performance requirements of the communication data.
It would have been obvious to modify Driever to incorporate Van Duyne’s performance encryption adaptation to balance encryption strength and computational overhead in real-time communication environments, which represents the predictable application of known performance-optimization techniques to cryptographic scheme selection.
Regarding Claim 10
Claim 10 is directed to a system corresponding to the system in claim 3. Claim 10 is similar in scope to claim 3 and is therefore rejected under similar rationale.
Regarding Claim 11
Claim 11 is directed to a system corresponding to the system in claim 4. Claim 11 is similar in scope to claim 4 and is therefore rejected under similar rationale.
Regarding Claim 12
Claim 12 is directed to a system corresponding to the system in claim 4. Claim 12 is similar in scope to claim 4 and is therefore rejected under similar rationale.
Regarding Claim 13
Claim 13 is directed to a system corresponding to the system in claim 5. Claim 13 is similar in scope to claim 5 and is therefore rejected under similar rationale.
Regarding Claim 14
Claim 14 is directed to a system corresponding to the system in claim 5. Claim 14 is similar in scope to claim 5 and is therefore rejected under similar rationale.
Regarding Claim 15
Claim 15 is directed to a system corresponding to the system in claim 5. Claim 15 is similar in scope to claim 5 and is therefore rejected under similar rationale.
Claims 6 are rejected under 35 U.S.C. 103 as being unpatentable over Driever (US 2020/0076600 A1) as applied to claims 1 above, and further in view of Schouppe (US 20200162246 A1).
Regarding Claim 6
Driever in view of teaches an encryption system including a management device that distributes cryptographic information to encryption and decryption devices, which use the received information to perform coordinated encryption and decryption operations in accordance with a selected cryptographic technique. However, Driever does not explicitly teach that the management device comprises a plurality of management devices that each provide respective pieces of encryption information used collectively to identify the encryption scheme. Schouppe teaches distributing cryptographic control across multiple devices by splitting a private key into a plurality of subkeys using a secret sharing scheme (e.g., Shamir’s Secret Sharing) and allocating those subkeys to different user devices, validator devices, and/or storage devices (¶20–25). Schouppe further teaches that restoration and use of the underlying cryptographic capability requires obtaining a threshold number of subkeys from respective devices, such that no single device possesses sufficient information to reconstruct or use the key (¶16, 27–31). Because reconstruction of the operative key from multiple distributed pieces directly determines the encryption/decryption capability and associated cryptographic scheme, identifying the encryption scheme based on a plurality of pieces of encryption information received from respective management devices corresponds to Schouppe’s threshold-based key reconstruction from multiple distributed devices.
It would have been obvious to modify Driever to implement the management device as a plurality of management devices that each provide respective pieces of encryption information, as taught by Schouppe, so that the encryption device performs encryption and the decryption device performs decryption in accordance with an encryption scheme identified based on the combined pieces of encryption information. Such modification represents the predictable application of known distributed key management and secret-sharing techniques to improve security and eliminate single points of failure in encryption scheme control.
Claims 7, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Driever (US 2020/0076600 A1), as applied to claims 1-2 above, and further in view of Hebbar (US 9912699 B1).
Regarding Claim 7
Driever teaches an encryption system including a management device that distributes cryptographic information to encryption and decryption devices, which use the received information to perform coordinated encryption and decryption operations in accordance with a selected cryptographic technique. However, Driever does not explicitly teach forming a plurality of logical transmission paths over the transmission line and designating a particular logical transmission path as a target for encrypted communication while transmitting other communication data over a different logical transmission path without encryption. Hebbar teaches selectively applying IPsec encryption to particular network flows identified using network and transport layer parameters (e.g., source IP address, destination IP address, source port, destination port, protocol), where each flow constitutes a logical communication path over the same physical transmission medium (Column 8, Lines 24-36). Hebbar further teaches determining, based on security policy and application-layer information, that a first flow associated with a first application is to be protected using IPsec while a second flow associated with a second application is not to be protected using IPsec (Column 8, Line 37- Column 10, Line 26; Column 12, Lines 47-58). Hebbar additionally teaches transmitting a message to a peer device indicating that traffic associated with a particular flow is not to be protected using IPsec, thereby coordinating encryption behavior between devices (Column 11, Line 54 – Column 12, Line 31). Because distinct network flows over a common transmission line represent logical transmission paths, selectively encrypting traffic associated with one flow while transmitting other traffic unencrypted over another flow corresponds to designating a target logical transmission path for encrypted communication and transmitting other communication data over a different logical transmission path, as recited in the claim.
It would have been obvious to modify Driever to implement selective encryption over multiple logical transmission paths as taught by Hebbar, such that the management device transmits encryption information identifying a target logical transmission path for encrypted communication, the encryption device encrypts first communication data transmitted via the designated path and transmits second communication data via a different logical transmission path without encryption, and the decryption device correspondingly decrypts the encrypted data and processes the unencrypted data. Such modification represents the predictable application of known policy-based selective encryption techniques to improve network performance and resource efficiency while maintaining enhanced security for sensitive traffic.
Regarding Claim 20
Claim 20 is directed to a system corresponding to the system in claim 7. Claim 20 is similar in scope to claim 7 and is therefore rejected under similar rationale.
Claims 9 are rejected under 35 U.S.C. 103 as being unpatentable over Driever (US 2020/0076600 A1), as applied to claims 1-2 above, and further in view of Uchiyama (JP2014045237A).
Regarding Claim 9
Driever teaches an encryption system including a management device that distributes cryptographic information to encryption and decryption devices, which use the received information to perform coordinated encryption and decryption operations in accordance with a selected cryptographic technique. However, Driever does not explicitly teach switching the encryption scheme at a frequency corresponding to the confidentiality of the communication data. Uchiyama teaches dynamically selecting an encryption algorithm for each communication event based on security requirements and device performance. Uchiyama explains that the system “A combination of cryptographic algorithms that can ensure the integrity and confidentiality of the communication data generated after satisfying the requirements from the acquired requirement list, evaluation results, and own device environment information tampering to ensure the integrity of the communication data. A combination including at least one of a detection algorithm and a cryptographic algorithm for ensuring confidentiality is selected” (S406), and further discloses that “the requirement list indicates information such as processing performance requirements and security requirements obtained in correspondence with communication data information indicating applications and commands” (S403–S404). These requirement lists reflect confidentiality classifications tied to specific types of data or commands, causing the system to change encryption schemes accordingly. Uchiyama additionally teaches that the selected encryption mode including: algorithm ID, key length, key ID, and IV is transmitted to the destination devices to coordinate decryption: “the communication data generated using the selected encryption algorithm is encrypted (S407), and the encryption mode and the communication data... are transmitted to the control server and the control devices”. Because Uchiyama teaches selecting encryption algorithms based on the confidentiality of the communication data and transmitting the associated encryption information to both the encryption and decryption devices, it corresponds to switching the encryption scheme at a frequency that varies with data sensitivity and synchronizing encryption mode across communication endpoints, as recited in the claim.
It would have been obvious to modify Driever to implement confidentiality driven encryption scheme switching as taught by Uchiyama, such that the management device evaluates the confidentiality of the communication data, selects an appropriate encryption scheme from among multiple options, transmits encryption information to the encryption and decryption devices, and coordinates encryption accordingly. Such modification represents the predictable application of known policy-based encryption selection techniques to enhance security for sensitive data while preserving performance efficiency for lower-priority communications.
Claims 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over Driever (US 2020/0076600 A1), in view of Van Duyne (US 20200092728 A1) as applied to claims 3-5 above, and further in view of Schouppe (US 20200162246 A1).
Regarding Claim 16
Driever in view of Van Duyne teaches an encryption system including a management device that distributes cryptographic information to encryption and decryption devices, which use the received information to perform coordinated encryption and decryption operations in accordance with a selected cryptographic technique. However, Driever and Van Duyne do not explicitly teach that the management device comprises a plurality of management devices that each provide respective pieces of encryption information used collectively to identify the encryption scheme. Schouppe teaches distributing cryptographic control across multiple devices by splitting a private key into a plurality of subkeys using a secret sharing scheme (e.g., Shamir’s Secret Sharing) and allocating those subkeys to different user devices, validator devices, and/or storage devices (¶20–25). Schouppe further teaches that restoration and use of the underlying cryptographic capability requires obtaining a threshold number of subkeys from respective devices, such that no single device possesses sufficient information to reconstruct or use the key (¶16, 27–31). Because reconstruction of the operative key from multiple distributed pieces directly determines the encryption/decryption capability and associated cryptographic scheme, identifying the encryption scheme based on a plurality of pieces of encryption information received from respective management devices corresponds to Schouppe’s threshold-based key reconstruction from multiple distributed devices.
It would have been obvious to modify the teachings of Driever and Van Duyne to implement the management device as a plurality of management devices that each provide respective pieces of encryption information, as taught by Schouppe, so that the encryption device performs encryption and the decryption device performs decryption in accordance with an encryption scheme identified based on the combined pieces of encryption information. Such modification represents the predictable application of known distributed key management and secret-sharing techniques to improve security and eliminate single points of failure in encryption scheme control.
Regarding Claim 17
Claim 17 is directed to a system corresponding to the system in claim 16. Claim 17 is similar in scope to claim 16 and is therefore rejected under similar rationale.
Regarding Claim 18
Claim 18 is directed to a system corresponding to the system in claim 16. Claim 18 is similar in scope to claim 16 and is therefore rejected under similar rationale.
Regarding Claim 19
Claim 19 is directed to a system corresponding to the system in claim 16. Claim 19 is similar in scope to claim 16 and is therefore rejected under similar rationale.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAAD ABDULLAH whose telephone number is (571) 272-1531. The examiner can normally be reached on Monday - Friday, 9:30am - 5:30pm, EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SAAD AHMAD ABDULLAH/ Examiner, Art Unit 2431
/SHIN-HON (ERIC) CHEN/Primary Examiner, Art Unit 2431