DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1 and 11 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 1 recites: “identity-based encryption on a combination of a credential and a random parameter based on an identity of a server…” It is unclear what the phrase ‘based on’ is referring to. Is it the credential, the random parameter or the combination? Therefore, the claim is indefinite.
Claim 11 recites the limitation "the second server".  There is insufficient antecedent basis for this limitation in the claim.


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-4, 6, 8-14, 16-23 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Goh et al. (US Pub. 20050010760 A1).

Goh discloses the following:
 
1. A client device for accessing a resource based on an authorization access protocol, comprising one or more processors configured to: 
when generating a request message required for accessing the resource, perform, using an identity-based encrypting method (Fig. 5), identity-based encryption on a combination of a credential and a random parameter based on an identity of a server to which the request message is to be transmitted (para. 50, 84- the requesting party 20 wants to access a patient record, it makes a request (arrow 55) to the PRSS entity 30 in which it not only identifies the patient concerned, but also identifies both itself (by name or, preferably, by another identifier such as a public key of an asymmetric public/private key pair the private key of which is held by the party 20), and the medical organisation for which the party 20 is currently working (again, either by name or by another identifier such as the public key of an asymmetric public/private key pair the private key of which is held by the organisation).); and include the encrypted credential and the encrypted random parameter in the request message (para. 112- an encrypted second item E<K2,N2; Nonce> formed by the IBE encryption of the nonce used in the first encryption key K1, using the second encryption key K2 and the public data N2 of the medical organization TA 45.) ; and when processing a response message of the server with respect to the request message, decrypt a content of the response message by using the random parameter. (para. 101- On receiving the decryption key K4, the medical organisation entity 50 uses it to decrypt (process 73) the encrypted second item. The second item E<K1,N1; PR> is then passed back (arrow 74) over the secure channel 101 to the party entity 20)

2. The client device according to claim 1, wherein the one or more processors are further configured to: compute information for verifying integrity for the combination of the credential and the random parameter; and include the computed information in the request message. (para. 109- identification of an individual (the party 20) purporting to be a medical professional (MP), this identification being that used by the PRSS entity 30, in combination with a nonce (random number), for a first IBE encryption key K1)

3. The client device according to claim 1, wherein the credential is a first credential from a resource owner, and the first credential comprises an identifier of a first server that the owner authorizes the client device to access, a resource that the client device is (para. 129- re-use of either decryption key from cache means that the checks carried out by the corresponding TA entity are avoided; it is therefore preferable for the PRSS entity 30 to limit either the number of times or the period over which it re-uses the same encryption key; for example, the PRSS entity 30 maybe arranged to change the first encryption key K1 once a month and to change the second encryption key K3 daily. Changing an encryption key whilst retaining the identification of the medical professional or medical organisation identified in the key is readily done by including a fresh nonce each time the key is to be changed; every time a new nonce is included in an encryption,)

4. The client device according to claim 3, wherein the one or more processors are further configured to: perform identity-based encryption on a combination of the first credential and a first random parameter based on the identity of the first server to generate a first request message; and perform identity-based encryption based on identities of a plurality of the first servers to generate the first request message for the plurality of the first servers simultaneously. (para. 96- an encrypted second item formed by the IBE encryption of the first item using the second encryption key K2 and the public data N2 of the medical organization TA 45--this is represented by the expression E<K2,N2; E<K1,N2; PR>>.)

5. (canceled) 

(para. 85, 87)

7. (canceled) 

8. The client device according to claim 6, wherein the one or more processors are further configured to decrypt a content of a response message from the second server by using the second random parameter to acquire the resource to be accessed. (para. 89- This recovery is only possible if the party 20 is a medical professional accredited with the medical professional TA 40 and is engaged by a medical organisation accredited with the medical organisation TA 45. However, it may be noted that the PRSS entity 30 may use the same encryption keys when encrypting the first and second items of data sets associated with different record requests by the party 20; in this case, the corresponding decryption keys may be cached by the entities that carry out IBE decryption)


9. The client device according to claim 6, wherein the first server is a different server from the second server. (Fig. 5)

10. The client device according to claim 5, wherein the first server is the same server as the second server. (Fig. 5)

11. The client device according to claim 1, wherein the identities of the first server and the second server comprise public identity parameters generated by a key generation center for the first server and the second server. (para. 83-84)

Regarding claim 12, the rejection of claim 1 is incorporated herein. Goh discloses a server device executing an authorization access protocol, comprising one or more processors configured to: perform identity-based decryption on a request message from a client based on an identity of the server device, to acquire a credential and a random parameter (Fig. 5, para. 113- the party entity 20 first obtains the decrypted second item (the nonce used in the encryption key K1) from the medical organisation entity 50 and then uses this nonce, together with the medical professional identifier provided by the PRSS entity 30, to re-form (process 81) the encryption key K1); determine a content to be provided to the client based on the credential; and encrypt the content to be provided to the client by using the random parameter. (para. 112- an encrypted second item E<K2,N2; Nonce> formed by the IBE encryption of the nonce used in the first encryption key K1, using the second encryption key K2 and the public data N2 of the medical organization TA 45.)

13. The server device according to claim 12, wherein the one or more processors are further configured to: verify integrity of the acquired credential and random parameter, after performing the decryption. (para. 109- identification of an individual (the party 20) purporting to be a medical professional (MP), this identification being that used by the PRSS entity 30, in combination with a nonce (random number), for a first IBE encryption key K1)


14. The server device according to claim 12, wherein the one or more processors are further configured to: perform identity-based decryption on a first request message from the client to acquire a first credential and a first random parameter, wherein the first credential comprises an identifier of a server that a resource owner authorizes the client to access, a resource that the client is authorized to access, and an authorization valid period; and generate a second credential to be provided to the client based on the first credential, wherein the second credential comprises an identifier of a server which the client is allowed to access, a resource which the client is allowed to access, and an allowance valid period, wherein the one or more processors are further configured to encrypt the second credential to be provided to the client by using the acquired first random parameter. (para. 129- re-use of either decryption key from cache means that the checks carried out by the corresponding TA entity are avoided; it is therefore preferable for the PRSS entity 30 to limit either the number of times or the period over which it re-uses the same encryption key; for example, the PRSS entity 30 maybe arranged to change the first encryption key K1 once a month and to change the second encryption key K3 daily. Changing an encryption key whilst retaining the identification of the medical professional or medical organisation identified in the key is readily done by including a fresh nonce each time the key is to be changed; every time a new nonce is included in an encryption,)

15. (canceled) 

16. The server device according to claim 14, wherein the one or more processors are further configured to perform identity-based decryption on a second request message from the client to acquire the second credential and a second random parameter; and determine a resource to be provided to the client based on the second credential. (para. 129- re-use of either decryption key from cache means that the checks carried out by the corresponding TA entity are avoided; it is therefore preferable for the PRSS entity 30 to limit either the number of times or the period over which it re-uses the same encryption key; for example, the PRSS entity 30 maybe arranged to change the first encryption key K1 once a month and to change the second encryption key K3 daily. Changing an encryption key whilst retaining the identification of the medical professional or medical organisation identified in the key is readily done by including a fresh nonce each time the key is to be changed; every time a new nonce is included in an encryption,)

17. The server device according to claim 16, wherein the one or more processors are further configured to encrypt the resource to be provided to the client by using the acquired second random parameter. (para. 129- re-use of either decryption key from cache means that the checks carried out by the corresponding TA entity are avoided; it is therefore preferable for the PRSS entity 30 to limit either the number of times or the period over which it re-uses the same encryption key; for example, the PRSS entity 30 maybe arranged to change the first encryption key K1 once a month and to change the second encryption key K3 daily. Changing an encryption key whilst retaining the identification of the medical professional or medical organisation identified in the key is readily done by including a fresh nonce each time the key is to be changed; every time a new nonce is included in an encryption,)

18. The server device according to claim 12, wherein the identity of the server comprises a private identity parameter generated by a key generation center for the server. (para. 83-84)

Regarding claim 19, the rejections of claims 1-18 are incorporated herein. Goh discloses a method for authorizing access, comprising: generating, by a key generation center, a public identity parameter and a private identity parameter for each of one or more servers (para. 83-84); performing, by a client, identity-based encryption on a combination of a first credential and a first random parameter by using a public identity (para. 50, 84- the requesting party 20 wants to access a patient record, it makes a request (arrow 55) to the PRSS entity 30 in which it not only identifies the patient concerned, but also identifies both itself (by name or, preferably, by another identifier such as a public key of an asymmetric public/private key pair the private key of which is held by the party 20), and the medical organisation for which the party 20 is currently working (again, either by name or by another identifier such as the public key of an asymmetric public/private key pair the private key of which is held by the organisation).); decrypting, by the first server, the first request message by using a private identity parameter of the first server to acquire the first credential and the first random parameter, and generating a second credential to be provided to the client based on the first credential (para. 101- On receiving the decryption key K4, the medical organisation entity 50 uses it to decrypt (process 73) the encrypted second item. 
The second item E<K1,N1; PR> is then passed back (arrow 74) over the secure channel 101 to the party entity 20); performing, by the client, identity-based encryption on a combination of the second credential and a second random parameter by using a public identity parameter of a second server indicated by the second credential, to generate a second request message to be transmitted to the second server; decrypting, by the second server, the second request message by using a private identity parameter of the second server to acquire the second credential and the second random parameter, and determining a resource to be provided to the client based on the second credential. (para. 96- an encrypted second item formed by the IBE encryption of the first item using the second encryption key K2 and the public data N2 of the medical organization TA 45--this is represented by the expression E<K2,N2; E<K1,N2; PR>>.)

20. The method according to claim 19, wherein the first credential indicates a plurality of first servers, and wherein the client performs encryption by using public identity parameters of the plurality of the first servers, to generate the first request message to be transmitted to the plurality of the first servers simultaneously. (para. 96- an encrypted second item formed by the IBE encryption of the first item using the second encryption key K2 and the public data N2 of the medical organization TA 45--this is represented by the expression E<K2,N2; E<K1,N2; PR>>.)


21. The method according to claim 19, further comprising: computing, by the client, information for verifying integrity for the combination of the first credential and the first random parameter and the combination of the second credential and the second random parameter respectively; verifying, by the first server, the integrity of the first credential and the first random parameter which are acquired after the decryption based on the information; and verifying, by the second server, the integrity of the second credential and the second random parameter which are acquired after the decryption based on the information. (para. 109- identification of an individual (the party 20) purporting to be a medical professional (MP), this identification being that used by the PRSS entity 30, in combination with a nonce (random number), for a first IBE encryption key K1)

22. The method according to claim 19, further comprising: encrypting, by the first server, the second credential to be provided to the client by using the first random parameter; and decrypting, by the client, the encrypted second credential by using the first random parameter.  (para. 85, 87)

23. The method according to claim 19, further comprising: encrypting, by the second server, the resource to be provided to the client by using the second random parameter; and decrypting, by the client, the encrypted resource by using the second random parameter. (Fig. 5, para. 85, 87)

24-26. (canceled)

Conclusion


Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM A CORUM JR whose telephone number is (303)297-4234.  The examiner can normally be reached on Mon. - Fri. 8 AM - 5 PM EST.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571)272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/WILLIAM A CORUM JR/Examiner, Art Unit 2433           

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433