The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 38-42, 44-46, 48-51, 53, 55-57, and 61-63 are rejected under 35 U.S.C. 102(a)(2) as being unpatentable by Bykampadi et al. (US 2019/0260803, “Bykampadi”).
Regarding claim 38, Bykampadi discloses a method for negotiating a security mechanism with a responding security gateway, the method comprising:
- in a negotiation stage (See ¶.12, negotiate a security profile with the other security edge protection proxy element; See ¶.92, negotiation is carried out as part of the initialization sequence when the two SEPPs initially authenticate each other. Once authentication is complete, each SEPP shares its available cipher suites with the other SEPP. Eventually both agree on a cipher suite to use for confidentiality and integrity protection in SEPP):
establishing a first connection between an initiating security gateway and the responding security gateway (See ¶.12, the given security edge protection proxy element is configured to negotiate a security profile with the other security edge protection proxy element; See ¶.91, negotiation is carried out as part of the initialization sequence when the two SEPPs initially authenticate each other; See FIG. 3 illustrates the presence of a Security Edge Protection Proxy (SEPP) at the edge of each PLM network such as visiting SEPP (vSEPP) 312 in VPLMN 310 and home SEPP (hSEPP) 322 in HPLMN 330; See fig.4A-E for a connection between vSEPP and hSEPP; Examiner’s Note: the connection between vSEPP and hSEPP via interface N32 is interpreted as the first connection), wherein the first connection is configured to provide integrity protection of messages communicated between the initiating security gateway and the responding security gateway (See ¶.51 and ¶.71, integrity protection between two SEPPs; See ¶.12, performing security key agreement operations with the other security edge protection proxy element to agree on one or more keys for application security; See ¶.92, negotiation is carried out as part of the initialization sequence when the two SEPPs initially authenticate each other. Once authentication is complete, each SEPP shares its available cipher suites with the other SEPP. Eventually both agree on a cipher suite to use for confidentiality and integrity protection in SEPP);
- transmitting a request message to the responding security gateway over the first connection, wherein the request message identifies one or more security mechanisms supported by the initiating security gateway (See ¶.46, thus, the SEPP is the entity that resides at the perimeter of the network and performs Application Layer Security (ALS) on information elements (IE) in HTTP messages before the messages are sent externally over a roaming interface (e.g., N32). ALS is performed individually on each IE in the HTTP Request message using a standardized JavaScript Object Signing and Encryption (JOSE) framework; See fig.4A-4C,

    PNG
    media_image1.png
    179
    569
    media_image1.png
    Greyscale


);
- receiving a response message from the responding security gateway over the first connection, wherein the response message identifies an application layer security mechanism selected by the responding security gateway from among the one or more security mechanisms supported by the initiating security gateway (See fig.4D-E, security negotiations, i.e. requesting and responding; See ¶.92, negotiation is carried out as part of the initialization sequence when the two SEPPs initially authenticate each other. Once authentication is complete, each SEPP shares its available cipher suites with the other SEPP. Eventually both agree on a cipher suite to use for confidentiality and integrity protection in SEPP; See ¶.94, this initial negotiation is generally illustrated as process 430 in FIG. 4D; See ¶.12, performing security key agreement operations with the other security edge protection proxy element to agree on one or more keys for application security; Examiner’s Note: ¶.95-¶.101 show the method of key management, i.e. how these keys get established in them, as security mechanism and/or security protocol between vSEPP and hSEPP; and Fig.4D-4E show security negotiations by exchanging security keys each other, i.e., requesting and responding);
- in a communications stage: communicating signaling messages with the responding security gateway using the selected application layer security mechanism (See ¶.50, to protect NF specific content in the messages that are sent over the roaming interface, 5G introduces SEPP as the entity residing at the perimeter of the 

Regarding claim 39, Bykampadi discloses “the first connection is one of: an integrity protected Transport Layer Security (TLS) connection; and an integrity protected Internet Protocol Security (IPsec) connection (See ¶.53, SEPP behaves as a `non-transparent` active proxy in that the NFs are aware of SEPP and send all inter-PLMN control plane traffic to SEPP. The connection between the NF and its local SEPP may be secured with transport layer security (TLS)).”

Regarding claim 40, Bykampadi discloses “the second connection is an N32-F connection, and further comprising, in the communications stage: establishing a second connection between the initiating security gateway and the responding security gateway; and communicating the signaling messages over the second connection with the responding security gateway using the selected application layer security mechanism; wherein communicating signaling messages with the responding security gateway using the selected application layer security mechanism comprises protecting the signaling messages communicated between network functions associated with respective different Public Land Mobile Networks (PLMNs) (See ¶.50, to protect NF specific content in the messages that are sent over the roaming interface, 5G introduces SEPP as the entity residing at the perimeter of the PLMN network and acting as a gateway that protects all incoming and outgoing HTTP traffic over the N32 roaming interface. The SEPP implements application layer traffic for all the data exchanged between two NFs at the service layer; See fig.3, N32 interface and PLMNs

    PNG
    media_image2.png
    362
    885
    media_image2.png
    Greyscale
).

Regarding claim 41, Bykampadi discloses “the application layer security is an N32 Application Layer Security (See ¶.50, to protect NF specific content in the messages that are sent over the roaming interface, 5G introduces SEPP as the entity residing at the perimeter of the PLMN network and acting as a gateway that protects all incoming and outgoing HTTP traffic over the N32 roaming interface. The SEPP implements application layer traffic for all the data exchanged between two NFs at the service layer).”

Regarding claim 42, Bykampadi discloses “protecting user plane traffic messages communicated between network functions in respective first and second different Public Land Mobile Networks (PLMNs) (See fig.3, vPLMN and hPLMN).”

Regarding claim 44, Bykampadi discloses “the negotiation stage is performed by one of: a Secure Edge Protection Proxy (SEPP); a network resource function (NRF); a network exposure function (NEF); and a network server device (See fig.3, vSEPP, hSEPP, NRF, NEF).”



Regarding claim 46, Bykampadi discloses “indicating to the responding security gateway that the security mechanism to be selected is being negotiated within a secure connection comprises one of: indicating that the security mechanism to be selected is being negotiated in a message header communicated outside of the protected part of the secure connection; and populating an address field of the request message with an address of the security negotiation module (See ¶.59, SEPP receives all the traffic addressed to it (as it is the proxy) and forwards the traffic to the correct NF based on the Request URI. In this process. SEPP restores the protected message to its original form before forwarding it to the correct NF; See ¶.65, SEPP performs application layer security by protecting the contents of the HTTP message payload along specific HTTP headers and parts of the HTTP Request including the Request-URI field).”

Regarding claim 48, Bykampadi discloses “negotiating the application layer security mechanism with an interconnect node associated with an Internet Provider prior to transmitting the request message to the responding security gateway (See ¶.61, IPX interconnect nodes between two PLMNs).

Regarding claim 49, it is a network node claim corresponding to the method claim 38 and is therefore rejected for the similar reasons set forth in the rejection of the claim.

Regarding claim 50, it is a method for negotiating a security mechanism with an initiating security gateway claim corresponding to the method claim 38 for negotiating a security mechanism with a responding security gateway and is therefore rejected for the similar reasons set forth in the rejection of the claim.

Regarding claim 51, it is a claim corresponding to the claim 40 and is therefore rejected for the similar reasons set forth in the rejection of the claim.

Regarding claim 53, it is a claim corresponding to the claim 48 and is therefore rejected for the similar reasons set forth in the rejection of the claim.

Regarding claim 55, Bykampadi discloses “the response message further identifies the one or more security mechanisms supported by the initiating security gateway (See ¶.11, enables the given security edge protection proxy element to self-identify at least one security operation to be applied to at least one information element in a received message).”

Regarding claim 56, Bykampadi discloses “selecting the application layer security mechanism comprises selecting the application layer security mechanism: for all network functions in a PLMN; or for a network function independently of one or more other network functions (See ¶.10, apply application layer security to one or more information elements in a received message from a network function before sending the message to 

Regarding claim 57, Bykampadi discloses “the application layer security mechanism that is selected is valid for as long as the first connection is maintained (See ¶.53, The connection between the NF and its local SEPP may be secured with transport layer security (TLS)).”

Regarding claim 61, it is a network node for negotiating a security mechanism with an initiating security gateway claim corresponding to the method claim 50 and is therefore rejected for the similar reasons set forth in the rejection of the claim.

Regarding claim 62, it is a non-transitory computer readable medium claim corresponding to the method claim 38 and is therefore rejected for the similar reasons set forth in the rejection of the claim.

Regarding claim 63, it is a non-transitory computer readable medium claim corresponding to the method claim 50 and is therefore rejected for the similar reasons set forth in the rejection of the claim.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been 

Claims 43, 47, 52, 54, and 58-60 are rejected under 35 U.S.C. 103 as being unpatentable over Bykampadi in view of Rajadurai et al. (US 2020/0221281, “Rajadurai”).
Regarding claim 43, Bykampadi does not explicitly disclose what Rajadurai discloses “the one or more security mechanisms comprise one or more security protocols, and are ordered according to a preference of one or both of the initiating security gateway and the responding security gateway (Rajadurai, ¶.63, contain a list of preferred PLMNs in priority order).”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date to apply the method of “the one or more security mechanisms comprise one or more security protocols, and are ordered according to a preference of one or both of the initiating security gateway and the responding security gateway” as taught by Rajadurai into the system of Bykampadi, so that it provides a way for UE to obtain service on a higher priority according to the priority order (Rajadurai, See ¶.62).

Regarding claim 47, Bykampadi does not explicitly disclose what Rajadurai discloses “detecting that the selected application layer security mechanism should be changed; and triggering selection of a new application layer security mechanism within a predetermined time period (See ¶.62, UE selects some other higher priority PLMN after making current PLMN as lowest priority, UE attempting to obtain service on a higher priority PLMN as specified in 3GPP TS 23.122 by acting as if timer T that controls periodic attempts has expired" can be used interchangeably without departing from the scope of the embodiments).” Therefore, this claim is rejected with the similar reasons and motivation set forth in the rejection of claim 43.

Regarding claim 52, Bykampadi does not explicitly disclose what Rajadurai discloses “selecting the application layer security mechanism comprises selecting the application layer security mechanism based on one of: a local policy of the responding security gateway; a local policy of the initiating security gateway; a preference order of the initiating security gateway (See ¶.33, perform a PLMN selection procedure when the verification is failed or perform a local NAS signaling connection release and perform a PLMN selection procedure when the verification is failed, or send an accept message to the VPLMN when the verification is successful).”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date to apply the method of “selecting the application layer security mechanism comprises selecting the application layer security mechanism based on one of: a local policy of the responding security gateway; a local policy of the initiating security gateway; a preference order of the initiating security gateway” as taught by Rajadurai into the system of Bykampadi, so that it provides a way for a system to manage anti-steering of roaming in a wireless communication network (Rajadurai, See ¶.55).

Regarding claim 54, Bykampadi does not explicitly disclose what Rajadurai discloses “negotiating for one or more features that are unrelated to security, wherein negotiating for the one or more features that are unrelated to security comprises informing the initiating security gateway that another security gateway is to be contacted as part of the security negotiation (See ¶.62, UE selects some other higher priority PLMN after making current PLMN as lowest priority, UE attempting to obtain service on a higher priority PLMN as specified in 3GPP TS 23.122 by acting as if timer T that controls periodic attempts has expired" can be used interchangeably without departing 

Regarding claim 58, Bykampadi does not explicitly disclose what Rajadurai discloses “selecting the application layer security mechanism comprises periodically selecting a new application layer security mechanism (See ¶.62, UE attempting to obtain service on a higher priority PLMN as specified in 3GPP TS 23.122 by acting as if timer T that controls periodic attempts has expired).” Therefore, this claim is rejected with the similar reasons and motivation set forth in the rejection of claim 47.

Regarding claim 59, Bykampadi does not explicitly disclose what Rajadurai discloses “responsive to selecting a new application layer security mechanism, the method comprises: terminating all connections to which a currently selected application layer security mechanism has been applied; opening new connections; and applying the new application layer security mechanism to each of the new connections (See ¶.207, the UE 100 shall not proceed with registration procedure message instead UE 100 shall indicate AMF 210 (with reject cause or new IE) over the NAS message (e.g., authentication response message or authentication reject message or authentication failure message) to release the existing NAS N1 signaling connection or the UE 100 can do a local release of the NAS N1 signaling connection, in any of the following cases; See ¶.208, the UE 100 does not have the available PLMN list (i.e. the list of available PLMN's in the area). The UE 100 have the available PLMN list (i.e. the UE 100 had searched for available PLMN's in the area) and there is the VPLMN 200 which is more preferred than current VPLMN 200 after comparing available PLMN list to the latest received preferred PLMN/access technology combination).” Therefore, this claim is rejected with the similar reasons and motivation set forth in the rejection of claim 47.

Regarding claim 60, Bykampadi does not explicitly disclose what Rajadurai discloses “the response message identifies the application layer security mechanism selected by the responding security gateway using corresponding symbolic identifiers (See 5-6 fig.3, “Auth-info response (Preferred PLM access technology list; See, ¶.104, At 6, the AUSF 310 protects the preferred PLMN list using the at least one security parameter (e.g., digital signature or Public Key or KASME or Authentication Key or IK keys or CK keys or Secret Key or KAUSF or KH-int or KH-enc or the like)). Therefore, this claim is rejected with the similar reasons and motivation set forth in the rejection of claim 47.

Response to Arguments
Applicant's arguments filed have been fully considered but they are not persuasive. The examiner has clarified the rejection to the argued claim limitations at the Examiner’s best by adding more details in “Examiner’s Note”, using the prior art of record in the current prosecution of the claims.
At pages 11-12, applicant argues that Bykampadi fails to disclose the method of establishing step and transmitting step by asserting that “Bykampadi fails to disclose, 1st) integrity protection for a connection used in a negotiation state as recited in claim 38 and 2nd) transmitting a request message and receiving a response message, wherein the request message identifies one or more security mechanisms supported by the initiating security gateway.”
In reply, the limitations “integrity protection for a connection used in a negotiation stage” explicitly read on:
¶.[0012] of Bykampadi discloses “the given security edge protection proxy element is configured to one or more of: select a protection scheme based on the negotiate a security profile with the other security edge protection proxy element; and perform security key agreement operations with the other security edge protection proxy element to agree on one or more keys for application layer security [emphasis added].
¶.[0071] of Bykampadi discloses “How do two SEPPs agree on which security profiles to use for ciphering, integrity protection, etc. Also, there is a need to build support for renegotiation of these profiles between two SEPPs.”
¶.[0091] of Bykampadi discloses “Illustrative embodiments provide for two SEPPs in the two roaming networks to negotiate the cipher suite that will be used to protect HTTP messages in each SEPP.”
¶.[0092] of Bykampadi discloses “negotiation is carried out as part of the initialization sequence when the two SEPPs initially authenticate each other. Once authentication is complete, each SEPP shares its available cipher suites with the other SEPP. Eventually both agree on a cipher suite to use for confidentiality and integrity protection in SEPP.” [emphasis added].
¶.[0094] and Fig.4D of Bykampadi disclose “this negotiation (including initial negotiation and renegotiation) is generally illustrated as process 430 in FIG. 4D.”
As shown below, vSEPP and hSEPP negotiate integrity protection by exchanging security profile information. The definition of negotiation is that each side gives and takes, i.e. request and response, in order to reach an agreement and therefore, Fig.4D and ¶.[0094] show the exchanging process of security profile negotiation. 


[AltContent: arrow]
    PNG
    media_image3.png
    163
    537
    media_image3.png
    Greyscale


Therefore, the limitations “transmitting a request message and receiving a response message” read on from the negotiation steps described in the paragraphs [0091], [0092], [0094], and Fig.4D.

Further, the limitations “one or more security mechanisms supported by the initiating security gateway” read on:
¶.[0096]-[0101] and Fig.4E of Bykampadi discloses the key management method “[0096] In illustrative embodiments, both SEPPs are configured to agree on which keys to use and how these keys get established in them. This can occur in several ways: 
¶.[0097] 1. A shared symmetric key is manually provisioned on both the SEPPs. SEPPs use the same key to protect all traffic on the N32 interface. 
¶.[0098] 2. Key distribution algorithm is used to agree on a shared symmetric key--one for confidentiality protection, another one for integrity protection. 
¶.[0099] 3. Public Key Infrastructure (PKI) certificates are used to protect all traffic. SEPPs use public key encryption and digital signatures to confidentiality protect and integrity protect respectively. 
¶.[0100] 4. A randomly generated Content Encryption key (CEK) is used to confidentiality protect all traffic. PKI certificates used to protect CEK that is transferred along with the protected message. Digital signatures are used for integrity protection. 
Key management functionalities in each SEPP are generally illustrated as process 440 in FIG. 4E.

		At page 13, with respect to claim 39, application argues that Bykampadi fail to disclose “the first connection is one of an integrity protected Transport Layer Security (TLS) connection” by asserting that Bykampadi’s teaching is “a network function (NF) and its local SEPP may be secured with transport layer security (TLS).”
		In reply, the limitations “the first connection is one of an integrity protected Transport Layer Security (TLS) connection” read on:
¶.[0053] of Bykampadi discloses “SEPP behaves as a `non-transparent` active proxy in that the NFs are aware of SEPP and send all inter-PLMN control plane traffic to SEPP. The connection between the NF and its local SEPP may be secured with transport layer security (TLS).”
¶.[0056] of Bykampadi discloses “(ii) In addition, SEPP secures all outgoing traffic by either securing all or some NF control plane traffic on its own or using TLS at the transport layer to secure all traffic [emphasis added].
                              
    PNG
    media_image4.png
    93
    238
    media_image4.png
    Greyscale

In other words, as shown above, the outgoing messages of vSEPP and hSEPP via N32 interface connection are secured by using TLS at the transport layer to secure all traffic and therefore, the N32 connection between vSEPP and hSEPP are secured using TLS at the transport layer to secure all traffic. Therefore, the examiner disagrees respectfully.

                                                                        Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
 
Contact Information

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jung Park whose telephone number is 571-272-8565. The examiner can normally be reached on Mon-Fri during 7:00-3:00.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Andrew Lai can be reached on 571-272-9741.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/JUNG H PARK/Primary Examiner, Art Unit 2411