DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application is being examined under the pre-AIA first to invent provisions.
This application is a continuation of Patent no. 9,647,835.  A terminal disclaimer was filed by the Applicant on 11/13/17 and was approved.

Examiner’s Amendment

Authorization for the Examiner’s Amendment was given in an interview with the Applicant’s representative, David Judson (Reg. No. 30467), on February 5, 2021.
Claims 1, 5-6, 8, and 12 have been amended by the Applicant.  Claim 7 has been cancelled by the Applicant.  The following Examiner’s amendment is listed below:

Claims

1.	(Currently amended) Apparatus that is a first machine located behind a firewall of an enterprise, the enterprise being a customer of a service provider that provides an acceleration service via an overlay network, comprising:
	a processor;
	computer memory holding program code configured to be executed by the processor, the program code configured as a client component of a split proxy server, the split proxy server also having a server component distinct from the client component and that executes on a second machine located remote from the first machine, the second machine located in a data center associated with the overlay network and managed by the service provider, comprising:
		code operative in response to receipt of a handshake request from a client to determine whether a key exchange can be processed in part using a private key held in association with the server component of the split proxy server;
		code operative in response to determining, based on information in a data structure, that the key exchange can be processed in part using the private key held in association with the server component of the split proxy server, to forward first information from the client component of the split proxy server to the server component of the split proxy server, the first information configured to be processed using the private key maintained in association with the server component of the split proxy server; and
		code operative to receive a response from the server component of the split proxy server, the response including second information, the second information having been generated at the server component of the split proxy server by generating a hash of the first information, using the hash as an index into a cache, determining based on the hash whether first information is already present in the cache, when the first information is not already present in the cache, storing the first information in the cache and applying the private key maintained at the server component of the split proxy server to the first information;
	wherein, following a successful completion of a handshake initiated by the handshake request, an application associated with the first machine is enabled to receive the acceleration service via the overlay network.

5.	(Currently amended) A method to secure a communication, comprising:
establishing a connection between a client component of a split proxy server executing on a first machine, and a server component of the split proxy server executing on a second machine, the first machine located behind a firewall of an enterprise, the enterprise being a customer of a service provider that provides an acceleration service via an overlay network, the second machine located in a data center associated with the overlay network and managed by the service provider, the second machine located remotely from the first machine;
receiving, by the client component of the split proxy server executing on the first machine, a handshake request;
upon receipt of the handshake request, determining, by the client component of the split proxy server, and based on information in a data structure, whether a key exchange associated with the handshake request can be processed in part using a private key that is held remotely and in association with the server component of the split proxy server; 
based on determining that the handshake request can be processed in part by using the private key that is held remotely, proxying first information over the connection from the client component of the split proxy server to the server component of the split proxy server; 
receiving from the server component of the split proxy server, over the connection, a response that includes second information, the second information having been generated at the server component of the split proxy server by generating a hash of the first information, using the 
using the second information to further the key exchange;
wherein, following a successful completion of a handshake initiated by the handshake request, an application associated with the first machine is enabled to receive the acceleration service via the overlay network.

6.  	(Currently amended) A system, comprising: 
	at least one machine in a first network-accessible location and that includes proxy server component software program that executes on hardware, the first network-accessible location being part of an overlay network that is managed by a service provider that provides an acceleration service via the overlay network; 
at least one machine in a second network-accessible location and that includes a proxy client component software program that executes on hardware, the second network-accessible location being behind a firewall of an enterprise, the enterprise being a customer of the overlay network service provider; 
the proxy server component software program and the proxy client component software program comprising a split proxy and each including code to establish and maintain a connection there-between; 
the proxy client component software program configured to receive a handshake request from a client; 

the proxy client component software program, upon determining that the secure handshake request can be processed using the private key held remotely, forwarding to the proxy server component software program over the connection first information; 
the proxy server software program configured to receive the first information forwarded from the proxy client software program; 
the proxy server component software program further configured to return a response to the proxy client software program over the connection, the response including second information, the second information having been generated at the proxy server component software program by receiving the first information, generating a hash of the first information, using the hash as an index into a cache, determining based on the hash whether first information is already present in the cache, when the first information is not already present in the cache, storing the first information in the cache and applying the private key to the first information to generate the second information;
the proxy client component software program receiving the second information and using it to facilitate the key exchange during further processing of the handshake request; 
wherein, following a successful completion of a handshake initiated by the handshake request, an application associated with the machine in the second network-accessible location is enabled to receive the acceleration service via the overlay network; 
wherein the first network-accessible location is a data center associated with the overlay network managed by the service provider, the second network-accessible location being a physical location remote from the first network-accessible location.

7.  	(Cancelled)  
8.  	(Currently amended) The system as described in claim [7] 6 wherein, as between the data center and the physical location, the data center has a higher degree of security.  
12.  	(Currently amended) Apparatus that is a second machine, the second machine located remotely from a first machine, the first machine located behind a firewall of an enterprise, the enterprise being a customer of a service provider that provides an acceleration service via an overlay network, the second machine being located in a data center associated with the overlay network and managed by the service provider, comprising:
	a processor;
	computer memory holding program code configured to be executed by the processor, the program code comprising code configured as a server component of a split proxy server, the split proxy server also having a client component distinct from the server component and that executes on the first machine remote from the second machine, the program code comprising:
		code to receive from the client component of the split proxy server first information associated with a handshake request, the handshake request having been received at the client component of the split proxy server from a client, the first information having being received following a determination at the client component of the split proxy server that a key exchange associated with the handshake request can be 
		code to generate a hash of the first information, to use the hash as an index into a cache, to determine based on the hash whether first information is already present in the cache, when the first information is not already present in the cache, to store the first information in the cache, and to apply the private key to the first information to generate second information; and
		code to return a response to the client component of the split proxy server, the response including the second information;
	wherein, following a successful completion of a handshake initiated by the handshake request, an application associated with the first machine is enabled to receive the acceleration service via the overlay network.


Reasons for Allowance

Claims 1-6, and 8-20 are allowable.
The following is an Examiner’s statement of reasons for allowance:
The present invention is directed to a system and method in which an Internet infrastructure delivery platform (e.g., operated by a service provider) provides an RSA proxy “service” as an enhancement to the SSL protocol that off-loads the decryption of the encrypted pre-master secret (ePMS) to an external server. Using this service, instead of decrypting the ePMS “locally,” the SSL server proxies (forwards) the ePMS to an RSA proxy server component 
At least one machine in a first network-accessible location includes an RSA proxy server software program, and at least one machine in a second network-accessible location includes an RSA proxy client software program. The RSA proxy server software program and the RSA proxy client software program each include code to establish and maintain a secure (e.g., a mutually-authenticated SSL) connection there-between. The RSA proxy client software typically executes in association with an SSL server component (such as OpenSSL). According to this disclosure, however, SSL decryption keys are not accessible to the RSA proxy client software. Rather, decryption of encrypted pre-master secrets is off-loaded to the RSA proxy server software program. In operation, the RSA proxy client software program receives and forwards to the RSA proxy server software program over the mutually-authenticated SSL connection an encrypted pre-master secret associated with a new SSL handshake request received (at the RSA proxy client) from an end user client program (e.g., an SSL-enabled web browser, a native mobile app, or the like). 
The prior art of Black (2007/0074282) discloses that server-side SSL functions are performed by a network device located remotely from a secure data center, while maintaining the secure use of centralized certificates and their associated private keys.  Black discloses that the server-side SSL function is partitioned into two discrete functions: the SSL Certificate Manager and the SSL Server Proxy. The SSL Certificate Manager is contained within a network device typically located within a secure data center. Its purpose is to maintain certificates and their associated private keys, and to pass requested certificates to, and service decryption requests from, one or more remote SSL Server Proxies during SSL session initialization. The SSL Server Proxy may 
The prior art of Black (2007/0074282) does not disclose or suggest, “code operative to receive a response from the server component of the split proxy server, the response including second information, the second information having been generated at the server component of the split proxy server by generating a hash of the first information, using the hash as an index into a cache, determining based on the hash whether first information is already present in the cache, when the first information is not already present in the cache, storing the first information in the cache and applying the private key maintained at the server component of the split proxy server to the first information;
wherein, following a successful completion of a handshake initiated by the handshake request, an application associated with the first machine is enabled to receive the acceleration service via the overlay network”.
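The split-proxy exchange recited in the claims and described in the statement above, reduced to code as an added example that is not part of the application, the examiner's action, or the Black or Kersey references: the client component checks a data structure to decide whether the key is held remotely, forwards the ePMS, and the server component hashes it, uses the hash as a cache index, stores it when absent and applies the private key. ProxyServer, ProxyClient, remoteKeys, the in-process stand-in for the mutually-authenticated connection, and refusing an ePMS whose hash is already cached are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// ProxyServer is the server component in the data center: it alone holds the private key.
type ProxyServer struct {
	priv  *rsa.PrivateKey
	cache map[[32]byte]struct{} // indexed by the SHA-256 hash of each ePMS seen
}

// Decrypt hashes the forwarded ePMS, uses the hash as the cache index and applies the private key
// only when the ePMS is not already cached (refusing a cached one is this example's assumption).
func (s *ProxyServer) Decrypt(ePMS []byte) ([]byte, error) {
	idx := sha256.Sum256(ePMS)
	if _, seen := s.cache[idx]; seen {
		return nil, fmt.Errorf("ePMS already present in cache; not decrypting again")
	}
	s.cache[idx] = struct{}{}
	return rsa.DecryptPKCS1v15(rand.Reader, s.priv, ePMS) // SSL RSA key exchange uses PKCS#1 v1.5
}

// ProxyClient is the client component behind the enterprise firewall; it holds no private key.
type ProxyClient struct {
	remoteKeys map[string]bool // hypothetical lookup: hosts whose key is held at the server component
	server     *ProxyServer    // stands in for the mutually-authenticated connection between them
}

// HandleClientKeyExchange forwards the ePMS ("first information") and returns the PMS ("second information").
func (c *ProxyClient) HandleClientKeyExchange(host string, ePMS []byte) ([]byte, error) {
	if !c.remoteKeys[host] {
		return nil, fmt.Errorf("no remotely held key for %q", host)
	}
	return c.server.Decrypt(ePMS)
}

// ClientKeyExchange stands in for the end-user browser wrapping its pre-master secret.
func ClientKeyExchange(pub *rsa.PublicKey, pms []byte) ([]byte, error) { return rsa.EncryptPKCS1v15(rand.Reader, pub, pms) }
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // generated once for the demo

func main() {
	cli := &ProxyClient{map[string]bool{"www.example.com": true}, &ProxyServer{demoKey, map[[32]byte]struct{}{}}}
	ePMS, _ := ClientKeyExchange(&demoKey.PublicKey, make([]byte, 48)) // constructed all-zero 48-byte PMS
	pms, err := cli.HandleClientKeyExchange("www.example.com", ePMS)
	fmt.Println(len(pms), err)
}
```

A second forward of the same ePMS hits the cache and is refused, so the private key is applied at most once per distinct ePMS.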

The prior art of Kersey (2006/0064750) discloses that conventional SSL termination devices support secure connections only to a predetermined destination address. An SSL termination device accepts a plaintext connection and associates it with a secure connection to an arbitrary destination endpoint by intercepting a connection request from the local subnetwork, identifying the intended destination of the connection, establishing a secure connection to the destination, and bridging the local connection and the secure connection to provide a connection through the gateway device. The SSL termination device identifies an outgoing secure connection request from a client, and intercepts the connection request to identify the recipient destination. The SSL termination device establishes a secure connection using the identified destination, and associates the connections by mapping the intercepted connection to the recipient. The identified recipient allows the secure connection to the destination, and the mapping allows message traffic received from the client over the local connection to be mapped to the destination.
Kersey does not disclose or suggest, “code operative to receive a response from the server component of the split proxy server, the response including second information, the second information having been generated at the server component of the split proxy server by generating a hash of the first information, using the hash as an index into a cache, determining based on the hash whether first information is already present in the cache, when the first information is not already present in the cache, storing the first information in the cache and applying the private key maintained at the server component of the split proxy server to the first information;
wherein, following a successful completion of a handshake initiated by the handshake request, an application associated with the first machine is enabled to receive the acceleration service via the overlay network”.

Therefore, the claims are allowable over the cited prior art.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance."


Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JENISE E JACKSON whose telephone number is (571)272-3791.  The examiner can normally be reached on M-F 8:00am-4:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


2/6/2021


/J.E.J/ Examiner, Art Unit 2439

/RODERICK TOLENTINO/Primary Examiner, Art Unit 2439