DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 08/20/2018 and 01/29/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 8-14 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. Claim 8 computing is directed to a system comprising a secure object store, and a hierarchical key structure for performing all the functions of the system. To one of ordinary skill in the art all the functions cited in these claims may be reasonably implemented as software routines. There is no specific definition in the specification. When interpreted broadly as software routines, these claims do not cite any claim elements for performing the functions wherein the claimed elements of the apparatus or device are limited to a machine or a physical part of a device within the meaning of 35 U.S.C. 101. Therefore, claim 8 is directed to non-statutory subject matter for lack of a hardware component. The Examiner respectfully suggests that the claim be further amended to positively recite at least one hardware element within the body of the claim to make the claim statutory subject matter under 35 U.S.C. 101. Dependent claims 9-14 are also rejected for being directed to a non-statutory subject matter.

Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C. 112(b):

(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 5, 7, 14 and 19-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
Claims 5, 7, 14 and 19-20 each recite "the secured data object(s)". There is insufficient antecedent basis for this limitation in the claim.
Claim 20 recites “the Node Key Encryption Keys”. There is insufficient antecedent basis for this limitation in the claim.
Claim 14 recites “wherein the Node Key Encryption Key each  associate access control rules …” which is ambiguous because there is on one “Node Key Encryption Key” claimed. However, the word “each” implies more than one “Node Key Encryption Key”. 

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –


(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


Claim 1-6, 8-13 and 15-19 are rejected under 35 U.S.C. 102 as being anticipated by Patnala et al. (Pub. No.: US 2009/0252330, hereinafter Patnala).
Regarding claim 1: Patnala discloses A method for use in managing, a secure object store in a computing system, the method including:
securing the secure object store (Patnala - [0022]: A key database may include millions of key objects corresponding to the millions of disk LUNs and tape cartridges written at a datacenter) including creating, maintaining, and using a hierarchical key system (Patnala - [0022]: Efficient use of key objects allows efficient searching, management, and migration capabilities. In particular embodiments, keys themselves are maintained in a hierarchy, with keys encrypted using intermediate keys and intermediate keys themselves encrypted with other intermediate keys or a master key), the securing including:
generating a Node Key Encryption Key (Patnala - [0031]: The master key is created when a cluster is created and a first cryptographic node such as a cryptographic node within a switch is added);
generating a plurality of Data Encryption Keys that are encrypted using the Node Key Encryption Key (Patnala - [0035]: a key object is created by reencrypting and rewrapping the key using intermediate and master keys associated with the destination cluster. [0021]: the keys themselves are encrypted by intermediate and/or master keys that may be unique to a particular data center); and
encrypting a plurality of data objects using the Data Encryption Keys (Patnala - [0028]: A wrapper globally unique identifier (WGUID) 209 is provided to identify a key object used to secure the encryption key 207. In particular examples, the WGUID 209 specifies a separate key object in the key database … An encryption key 207 holds the actual keying material used to encrypt and/or decrypt data), each data object being encrypted by a respective Data Encryption Key (Patnala - [0041]: the key object in the key management center is accessed using the UID); and
accessing an encrypted data object using the Node Key Encryption Key and a selected one of the Data Encryption Keys (Patnala - [0041]: Any key used to encrypt the object key is referred to herein as an intermediate key. Any key used to encrypt intermediate and/or object keys is referred to herein as a master key … The access may be a read or write access. At 609, the key object in the key management center is accessed using the UID … At 611, the key in the key object is decrypted using the wrapper UID to obtain the intermediate key. At 613, data is cryptographically processed using the decrypted key). 
Regarding claim 2: Patnala discloses wherein the secure object store is an identity store (Patnala - [0041]: an access request for data associated with a particular user identifier is received).
Regarding claim 3: Patnala discloses wherein securing the secure object store further includes:
generating a Storage Class Key Encryption Key (Patnala - [0040]: each switch in the cluster 505 maintains master keys, intermediate keys, as well as data object keys in a secure environment such as FIPs modules);
encrypting the Storage Class Key Encryption Key under the Node Key Encryption Key (Patnala - [0041]: Any key used to encrypt intermediate and/or object keys is referred to herein as a master key); and
generating a plurality of Data Encryption Keys from the Storage Class Key Encryption Key (Patnala - [0021]: the keys themselves are encrypted by intermediate and/or master keys that may be unique to a particular data center).
Regarding claim 4: Patnala discloses wherein the Storage Class Key Encryption Key and the Data Encryption Keys are used to share data across a plurality of nodes within a cluster (Patnala - [0036]: The keys are first decrypted or unwrapped at a source cluster using the source cluster intermediate and master keys. [0041]: … At 611, the key in the key object is decrypted using the wrapper UID to obtain the intermediate key. At 613, data is cryptographically processed using the decrypted key).
wherein accessing the secured object includes unlocking the secured data object using the Node Key Encryption Key and the selected Data Encryption Key in one of multiple unlock protocols (Patnala - [0041]: Any key used to encrypt the object key is referred to herein as an intermediate key. Any key used to encrypt intermediate and/or object keys is referred to herein as a master key … The access may be a read or write access. At 609, the key object in the key management center is accessed using the UID … At 611, the key in the key object is decrypted using the wrapper UID to obtain the intermediate key. At 613, data is cryptographically processed using the decrypted key). 

Regarding claim 5: Patnala discloses wherein accessing the secured object includes unlocking the secured data object using the Node Key Encryption Key and the selected Data Encryption Key in one of multiple unlock protocols (Patnala - [0041]: Any key used to encrypt the object key is referred to herein as an intermediate key. Any key used to encrypt intermediate and/or object keys is referred to herein as a master key … The access may be a read or write access. At 609, the key object in the key management center is accessed using the UID … At 611, the key in the key object is decrypted using the wrapper UID to obtain the intermediate key. At 613, data is cryptographically processed using the decrypted key). 
Regarding claim 6: Patnala discloses wherein the unlock protocols include a key splitting unlock protocol, a stable system values unlock protocol, and a trusted platform module unlock protocol (Patnala - [0043]: the master key is split into a number of shares using a threshold secret sharing mechanism 627 and can be later recovered using a subset of the number of shares).
Regarding claims 8-9, 11 and 13: Claims are directed to apparatus/system claims and do not teach or further define over the limitations recited in claims 1-2, 4 and 6. Therefore, claims 8-9, 11 and 13 are also rejected for similar reasons set forth in claims 1-2, 4 and 6. 
Regarding claim 10: Patnala discloses wherein:
a subset of the nodes is grouped to form a cluster (Patnala - [0030]: A cluster may include numerous switches and storage devices); and
the hierarchical key system includes a Storage Class Key Encryption Key encrypted using the Node Key Encryption Key and from which the Data Encryption Keys of the data objects residing on the subset of nodes are encrypted (see rejection of claim 3).
Regarding claim 12: Patnala discloses wherein the Node Key Encryption Key and the Data Encryption Key are unlocked using one of multiple unlock protocols (Patnala - [0041]: Any key used to encrypt the object key is referred to herein as an intermediate key. Any key used to encrypt intermediate and/or object keys is referred to herein as a master key … At 611, the key in the key object is decrypted using the wrapper UID to obtain the intermediate key. At 613, data is cryptographically processed using the decrypted key).
Regarding claims 15-19: Claims are directed to method claims and do not teach or further define over the limitations recited in claims 8-14. Therefore, claims 15-19 are also rejected for similar reasons set forth in claims 8-14. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 7, 14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Patnala et al. (Pub. No.: US 2009/0252330, hereinafter Patnala) in view of Wang et al. (Pub. No.: US 2016/0119349, hereinafter Wang).
Regarding claim 7: Patnala doesn’t explicitly teach but Wang discloses wherein the hierarchical key system associates access control rules with a respective one of the secured data objects (Wang - [0003]: The method includes associating an encryption key and an access control rule to the filename in the further namespace. [0004]: The method includes applying, through the agent, one of the plurality of access control rules, corresponding to the filename of the file in the first filesystem).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Patnala with Wang so that the encryption keys is associated with an access rule. The modification would have allowed the system to associate keys with access control rules for further security. 
Regarding claims 14 and 20: Patnala doesn’t explicitly teach but Wang discloses wherein the Node Key Encryption Key each associate access control rules with a respective one of the secured data objects (Wang - [0003]: The method includes associating an encryption key and an access control rule to the filename in the further namespace. [0004]: The method includes applying, through the agent, one of the plurality of access control rules, corresponding to the filename of the file in the first filesystem).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Patnala with Wang so that the encryption keys is associated with an access rule. The modification would have allowed the system to associate keys with access control rules for further security. 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Orsini et al. (Pub. No.: US  2012/0072723) - SYSTEMS AND METHODS FOR SECURE
DATA SHARING
White et al. (Pub. No.: US 2017 / 0250966) - SYSTEM AND METHOD FOR HIERARCHY MANIPULATION IN AN ENCRYPTION KEY MANAGEMENT SYSTEM 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MENG LI whose telephone number is (571)272-8729.  The examiner can normally be reached on M-F 8:30-5:30.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s acting supervisor, Kristine Kincaid can be reached on (571) 272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8729.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MENG LI/
Primary Examiner, Art Unit 2437