DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 are pending in this application.


Drawings
The drawings are objected to because of the following informalities:
In Fig. 2, item 204/step 4 points to “response queue” and item 206/step 6 points to “request queue”. However, specification [0051] recites “At 204, task queue 130 may determine to place the task request in a particular queue” and [0052] recites “At 206, prior to pushing the task results to the response queue of task queue 130…The encrypted payload and the encrypted AES key may be transmitted to task queue 130 and placed on the response queue”. Therefore, item 204/step 4 should point to “request queue” and item 206/step 6 should point to “response queue”.

Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, 


Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f): 
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 

(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) are: “application server configured to”, “task queue module configured to”, “at least one worker configured to” and “at least one plugin configured to” in claim 1, “a machine learning module” in claim 2, “at least one worker” in claims 3-7, “at least one plugin” and “at least one worker” in claims 8-9, and “application server”, “task queue module” and “at least one worker” in claims 10-12.
Because these claim limitations are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, they are being interpreted to cover the corresponding either structure, material, or acts to the function described in the specification as performing the claimed function, and equivalents thereof.  The electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system.”
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.


Claim Rejections - 35 USC § 112(b)
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

Claims 1-20 are rejected under 35 U.S.C. 112(b), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
As per claims 1, 14 and 20 (line# refers to claim 1):
Line 5, it is not clearly indicated where the “task queue module” originates (i.e., is the “task queue module” part of the “application server”, “first cloud”, the “device”, “second cloud” or anywhere within the system?).
Line 13, it is not clearly indicated where the “plugin” is located (i.e., is the “plugin” within the “first cloud”, “second cloud”, “application server” or anywhere within the system?).

As per claims 2-13 and 15-19:
They are system and method claims that depend on claims 1, 14 and 20 respectively above. Therefore, they have the same deficiencies as claims 1, 14 and 20 above.
 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been 

Claims 1-2, 7, 14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Parmar et al. (US Pub. 2008/0270523 A1) in view of Zimmermann et al. (US Pub. 2018/0027006 A1).
Zimmermann was cited in the IDS filed on 09/25/2019.

As per claim 1, Parmar teaches the invention substantially as claimed including A system (Parmar, Fig. 3) comprising: 
an application server hosted in a first cloud, the application server configured to (Parmar, Fig. 3, 310 Client hosts (as first cloud); 311 Client Applications, 312 Client API (311 and 312 as a whole (one host) as application server)):
receive a trigger to execute a workflow, the workflow including at least one task to be executed in a device hosted in a second cloud (Parmar, Fig. 3, 310, 311, 312, 314 (communication), 325 SD (session director), 330 server host (as device), 330a-c (server hosts as second cloud); [0024] lines 6-10, client hosts 310 are provided having client applications 311 that will generate workload units or tasks to be processed on resources within the system 300; [0034] lines 2-3, the execution of the workloads on service instances 340a-c operating on the hosts 330 (as executed in a device hosted in a second cloud); [0053] lines 5-12, the process begins when the client application does a look-up to the session director 325…If the service session manager 315 is available, the session director 325 returns a URL or other address for the service session ; and 
send a task request to process the at least one task to a task queue module (Parmar, Fig. 3, 313 Application workloads, 315 SSM (as task queue module); Fig. 4, 420 Workload Queue(s)); 
the task queue module configured to place the task request in at least one request queue of the task queue module (Parmar, Fig. 4, 315 SSM, 420 Workload queue(s); [0042] lines 3-5, The incoming workloads are received via the client interface 313 by the SSM 315 and placed in the workload queue 420); 
at least one worker hosted in the device hosted in the second cloud, the at least one worker configured to (Parmar, Fig. 3, 335a-c SIM (as workers), 330a (as device), 330a-c (as second cloud)): 
retrieve the task request from the at least one request queue of the task queue module (Parmar, Fig. 3, 315 SSM, 328, 335a; [0042] lines 5-7, The workloads generally flow from the workload queue 420 to assigned service instance managers 335 through the service interface 328; [0036] lines 11-14, the service session manager 315 is able to provide workload units to the various service instance managers 335 immediately upon those workload units becoming assignable by the service session manager 315), and 
process the task request, wherein processing the task request includes invoking at least one plugin to execute the at least one task (Parmar, Fig. 3, 335, 340a service instance (as plugin); [0034] lines 1-3, Within the hosts 330 are the service instance managers 335a-c, which provide for the execution of the workloads on service instances 340a-c operating on the hosts 330 (as service instance manager (worker) invoking the service instance to execute the workloads/task); and 
the at least one plugin configured to interact with an application (Parmar, Fig. 3, 340a (as plugin), 342a service application; [0034] lines 4-6, Each service instance 340 comprises in the present example a service application component 342, which contains the core operating software for the application being run (as interact with an application), wherein executing the at least one task yields task results, the at least one worker further configured to receive the task results and push the task results into a result queue of the task queue module (Parmar, Fig. 4, 315, 430 Output queue(s) (as result queue); Fig. 3, 335a SIM (as worker), 340a service instance, Manage service Instances; Fig. 10 Output, 335 SIM send output/result to 315 SSM;  [0034] lines 1-3, Within the hosts 330 are the service instance managers 335a-c, which provide for the execution of the workloads on service instances 340a-c operating on the hosts 330; [0040] lines 4-7, the output queues 430 for workload results that are received from the resources (e.g., service instances 340) after the resources have processed the assigned workloads); and the task queue module further configured to send the task results from the result queue to the application server (Parmar, Fig. 4, 430 Output queue(s); [0052] lines 4-6, The service session manager 315 is further able to communicate the workload results via the output queue 430 back to the client applications 311 via the interface 313).

Parmar fails to specifically teach that the workflow is an information security (IS) workflow and that the application with which the plugin interacts is a security application, the security application being an external security application or a security application that the device hosted in the second cloud has access to.

However, Zimmermann teaches the workflow is an information security (IS) workflow (Zimmermann, [0103] lines 11-14, This automatic synchronization increases the efficiency of the workflow involved in contracting with third party entities as well as decreasing the likelihood of unauthorized collaboration; [0360] lines 14-17, the policy automation engine 116 can be used as a service to evaluate various entities and with which to build security-related policy workflows; [0465] lines 2-9, encryption services enabled by the CSF 100 may be used to help quarantine a workflow or make it more secure. For example, within a given work flow, data may be stored in various fields, some of which are appropriate for confidential information (e.g., encrypted fields used for social security numbers and other PII, credit card numbers, passwords, and the like), lines 17-18, In this workflow, sensitive data can be quarantined (e.g., moved temporarily to a system account and made private.)), and 
the application that the plugin interact is security application, and the security application being an external security application or a security application that the device hosted in the second cloud has access to (Zimmermann, [0323] lines 9-37, Once a request is approved by a gatekeeper 802 it may be routed to a web/API server (as security application) that will either retrieve the requested data…or will issue a command for the CSF 100 (as plugin interact with the security application) to execute some action such as start a scan or perform some batch operation (like encrypt files). These actions are issued by the web/api server to a queuing mechanism 808 (currently information security; [0451] lines 10-12, the AFW platform 300 may be installed separately…as a separate API server; [0594] lines 1-6, a cloud platform, such as the Salesforce.TM. platform, where information from the CSF 100, the cyber intelligence platform 6500, the AFW platform AFW-200, or the like, can be provided within an application, such as a security application, that is operating on the third party cloud platform (as external security application)).

It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to have combined the teaching of Parmar with Zimmermann because Zimmermann’s teaching of an information security workflow and of providing an external security application would have provided Parmar’s system with the advantage and capability to improve system security by allowing the system to encrypt important files based on security incidents.

As per claim 2, Parmar and Zimmermann teach the invention according to claim 1 above. Parmar further teaches generating the workflow, wherein the generating the workflow includes at least one of: the tasks including the at least one task and defining tasks to be executed to complete execution of the workflow (Parmar, generate workload units or tasks (as workflow including at least one task) to be processed on resources within the system 300; [0034] lines 2-3, the execution of the workloads on service instances 340a-c operating on the hosts 330). In addition, Zimmermann teaches the workflow is IS workflow (Zimmermann, [0103] lines 11-14, This automatic synchronization increases the efficiency of the workflow involved in contracting with third party entities as well as decreasing the likelihood of unauthorized collaboration; [0360] lines 14-17, the policy automation engine 116 can be used as a service to evaluate various entities and with which to build security-related policy workflows; [0465] lines 2-9, encryption services enabled by the CSF 100 may be used to help quarantine a workflow or make it more secure. For example, within a given work flow, data may be stored in various fields, some of which are appropriate for confidential information (e.g., encrypted fields used for social security numbers and other PII, credit card numbers, passwords, and the like), lines 17-18, In this workflow, sensitive data can be quarantined (e.g., moved temporarily to a system account and made private), receiving at least one user input specifying configuration of the IS workflow, the configuration defining tasks to be executed to complete execution of the IS workflow (Zimmermann, [0049] lines 1-2, FIG. 35 shows a user interface with a menu element for choosing to selectively encrypt a document (as user input). [0465] lines 1-25, encryption services enabled by the CSF 100 may be used to help quarantine a workflow or make it more secure. 
For example, within a given work flow, data may be stored in various fields, some of which are appropriate for confidential information (e.g., encrypted fields used for social security numbers and other PII, credit card numbers, undertaken, such as using the content inspection (as task) and classification services (as task) noted herein, and sensitive data that is discovered to be in unprotected fields may either be encrypted (within the same field) or moved from an unprotected field to a safer, encrypted field. This may be undertaken automatically, or users may be notified and prompted to undertake action to secure the improperly located data. In this workflow, sensitive data can be quarantined (e.g., moved temporarily to a system account and made private) while a user gets notified with a `smart` action in email prompting the user to review the sensitive data and encrypt it. When the user acknowledges the prompt, then the selective encryption engine in this embodiment may `resume` and move the data back to the original field in encrypted form or may move the data to a different, encrypted field (as configuring the IS workflow)), and configuring, by a machine learning module, the IS workflow, configuration defining the tasks to be executed to complete execution of the IS workflow, the tasks determined by the machine learning module based on correlation of historical IS workflow-related data (Zimmermann, [0557] lines 1-43, The machine learning engine 6510 may provided advanced analysis that adaptively learns, such as learning patterns in user behavior, entity behavior, and other factors to uncover patterns. 
As described in more detail below, machine learning engine 6510 may perform user anomaly detection (such as involving multi-dimensional anomalies, where the anomaly involves departures from a pattern in more than one dimension), entity behavior detection (including entity detection and anomaly detection), insider over a time period (such as a few months), to define a baseline profile for that organization and its users, using machine learning. From that point on, the machine learning capability of the platform 6500 can observe changes in the pattern of usage from the baseline, such as indicating more frequent access from a different country, or in the same country, but in a different part of the country. The platform 6500 can do the same kind of profiling and comparison based on machine learning in the engine 6510 of the patterns of usage for particular devices, such as based on knowing that a connection is from a particular device, or a kind of device; that is, the platform 6500 can do the same kind of baseline profiling on the devices and can use machine learning to recognize and define what is outside the norm. The output is not necessarily binary, or rule-based. The norm might involve a cluster of events (such as that mobile access is usually from home and laptop access is normally from the office), but a machine learning facility can provide an indicator of departure from a pattern, whatever it is).

As per claim 7, Parmar and Zimmermann teach the invention according to claim 1 above. Parmar further teaches wherein the at least one worker includes a plurality of workers, each worker of the plurality of workers running in a different device (Parmar, Fig. 3, 335a, b, c SIM (as plurality of workers), 330a, b, c service hosts (as different device); (each worker is running in a different device)).

As per claim 14, it is a method claim of claim 1 above. Therefore, it is rejected for the same reason as claim 1 above.

As per claim 20, it is a computer-based tool including non-transitory computer readable media claim of claim 1 above. Therefore, it is rejected for the same reason as claim 1 above. 


Claims 3-6 are rejected under 35 U.S.C. 103 as being unpatentable over Parmar and Zimmermann, as applied to claim 1 above, and further in view of Devadhar et al. (US Pub. 2011/0265088 A1).

As per claim 3, Parmar and Zimmermann teach the invention according to claim 1 above. Parmar further teaches identify tasks placed in the at least one request queue that the at least one worker is able to process (Parmar, [0036] lines 2-6, the service session manager 315 is aware of which hosts 330, service instance managers 335, and service instances 340 are available for executing the application workloads that have been sent from the client hosts 310).

monitor the at least one request queue by at least one worker.

However, Devadhar teaches the identification is based on monitor the at least one request queue by at least one worker (Devadhar, Fig. 2, 202A-C; [0038] lines 1-5, each of the dequeue servers 202A-C includes a master process 206A-C. The master process 206A-C may monitor the unprocessed tasks stored in the task queues 204A-N for determining whether the QOS policies for such unprocessed tasks have been violated).

It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to have combined the teaching of Parmar and Zimmermann with Devadhar because Devadhar’s teaching of monitoring the task queues by the different servers (as workers) would have provided Parmar and Zimmermann’s system with the advantage and capability to allow the system to determine resource utilization based on the monitoring, which improves system efficiency.

As per claim 4, Parmar, Zimmermann and Devadhar teach the invention according to claim 3 above. Parmar teaches identify tasks placed in the at least one request queue that the at least one worker is able to process (Parmar, [0036] lines 2-6, the service session manager 315 is aware of which hosts 330, service instance managers 335, and service instances 340 are available for executing the application based on one of: resources available at the at least one worker (Parmar, [0045] lines 1-6, the service session manager 315 has a certain level of resources assigned to it, it is able to make dynamic assignments of workloads to the assigned resources according to the system needs at the time. Specifically, the service session manager 315 can consider a number of possible policy and/or resource availability; also see [0050] lines 1-2, based on the capacity of the service instance host (CPU capacity, etc)); and a type of task of the tasks placed in the at least one request queue (Parmar, [0046] lines 1-3, the priority of workloads as indicated by the client applications 311, or based on an indication in the workload itself or based on some other external basis).

As per claim 5, Parmar, Zimmermann and Devadhar teach the invention according to claim 3 above. Parmar teaches wherein the at least one request queue includes a plurality of requests queues (Parmar, Fig.4, 420 workload queue(s)). In addition, Devadhar teaches wherein the at least one worker is configured to monitor multiple requests queues of the plurality of requests queues (Devadhar, Fig. 2, 202A-C; [0038] lines 1-5, each of the dequeue servers 202A-C includes a master process 206A-C. The master process 206A-C may monitor the unprocessed tasks stored in the task queues 204A-N for determining whether the QOS policies for such unprocessed tasks have been violated).

As per claim 6, Parmar, Zimmermann and Devadhar teach the invention according to claim 3 above. Parmar teaches wherein the at least one worker includes a plurality of workers (Parmar, Fig.4, 420 workload queue(s)). In addition, Devadhar teaches wherein the at least one request queue is monitored by multiple workers of the plurality of workers (Devadhar, Fig. 2, 202A-C; [0038] lines 1-5, each of the dequeue servers 202A-C includes a master process 206A-C. The master process 206A-C may monitor the unprocessed tasks stored in the task queues 204A-N for determining whether the QOS policies for such unprocessed tasks have been violated).

Claims 8 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Parmar and Zimmermann, as applied to claims 1 and 14 respectively above, and further in view of Brown et al. (US Pub. 2015/0073892 A1).

As per claim 8, Parmar and Zimmermann teach the invention according to claim 1 above. Parmar further teaches wherein the configuration of the at least one worker to invoke the at least one plugin includes configuration of the at least one worker to: provide the task request to the at least one plugin, the second device hosted in the second cloud (Parmar, Fig. 3, 330a (second device), 330a-c (as whole as second cloud), 335, 340a service instance (as plugin); [0034] lines 1-3, Within the hosts 330 are the service instance managers 335a-c, which provide for the execution of the workloads on service instances 340a-c operating on the hosts 330 (as service instance manager (worker) invoking the service instance to execute the workloads/task).

determine whether the at least one plugin is running; when the at least one plugin is determined not to be running: download the at least one plugin to a resource associated with cause the at least one plugin to be executed; and when the at least one plugin is determined to be running, provide the task request to the at least one plugin. 

However, Brown teaches determine whether the at least one plugin is running; when the at least one plugin is determined not to be running: download the at least one plugin to a resource associated with the second device, cause the at least one plugin to be executed (Brown, Fig. 2B, 214, 162 End user computing device; [0007] lines 4-11, The end user computing device determines whether the application (as plugin) is installed on the end user computing device in response to a user interaction with the advertisement. The end user computing device redirects to an application provider computing device for download and installation of the application in response to determining that the application is not installed, and executes the application (as if the application is not installed (as not running), download and install the application in the storage (as resource) of the computing device (see [0003], application installed on their mobile computing device; [0079] the remote memory storage device) and executes application); and 
when the at least one plugin is determined to be running, provide the task request to the at least one plugin (Brown, Fig. 2B, 214 Installed application, 216 execution). 

It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to have combined the teaching of Parmar and Zimmermann with Brown because Brown’s teaching of determining whether the application (as plugin) was installed/running before assigning the tasks for execution would have provided Parmar and Zimmermann’s system with the advantage and capability to prevent potential processing delay due to lack of the application, which improves system performance.

As per claim 15, it is a method claim of claim 8 above. Therefore, it is rejected for the same reason as claim 8 above.

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Parmar, Zimmermann and Brown, as applied to claim 8 above, and further in view of Bates et al. (US Pub. 2007/0074207 A1).

As per claim 9, Parmar, Zimmermann and Brown teach the invention according to claim 8 above. Parmar teaches the at least one plugin is running when the task is processed by the at least one worker (Parmar, Fig. 3, 335, 340a service instance (as plugin); [0034] lines 1-3, Within the hosts 330 are the service instance managers 335a-c, which provide for the execution of the workloads on service instances 340a-c operating (as running) on the hosts 330).

Parmar, Zimmermann and Brown fail to specifically teach wherein the at least one plugin is cached for a subsequent task, such that the at least one plugin is running when the subsequent task is processed by the at least one worker.

However, Bates teaches wherein the at least one plugin is cached for a subsequent task, such that the at least one plugin is running when the subsequent task is processed by the at least one worker (Bates, [0045] lines 2-7, an SPU program refers to code that can be used by the SPU to implement one or more SPU tasks. In certain embodiments of the present invention, multiple SPU programs can be cached for use by the SPU 104 in processing the data 123 or for processing data for subsequent tasks).

It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to have combined the teaching of Parmar, Zimmermann and Brown with Bates because Bates’s teaching of caching the application/programs for subsequent task processing would have provided Parmar, Zimmermann and Brown’s system with the advantage and capability to increase the system access speed for loading the code, which improves system efficiency (see Bates, [0045] lines 8-10, Such caching of programs can be used to optimize DMA .

Claims 10-13 and 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over Parmar and Zimmermann, as applied to claims 1 and 14 respectively above, and further in view of Radich et al. (US Pub. 2018/0012032 A1) and KWON et al. (US Pub. 2018/0152454 A1).
Radich was cited in the IDS filed on 09/25/2019.

As per claim 10, Parmar and Zimmermann teach the invention according to claim 1 above. Parmar and Zimmermann fail to specifically teach encrypt the task request using a symmetric encryption key; encrypt the symmetric encryption key using a first asymmetric encryption key associated with the task queue module; and send the encrypted task request and the encrypted symmetric encryption key to the task queue module.

However, Radich teaches encrypt the data file using a symmetric encryption key (Radich, [0302] lines 1-9, after the user selects the document data file 10 for uploading, the user key module 3a of the user application generates a random data key, in this example a 2048 or 4096 bit data key 11 although the length of bits may be varied depending on requirements of the system. The encryption module 3b of the user symmetrically encrypt the document data file 10 to generate an encrypted document data file 10a); 
encrypt the symmetric encryption key using a first asymmetric encryption key associated with the task queue module (Radich, [0302] lines 9-11, By symmetric encryption it is meant that the document data file 10 can be decrypted using the same data key 11; [0303] lines 3-5, In one configuration, the encryption module 3b uses digital enveloping to asymmetrically encrypt the data key 11 with one or more public keys (as first asymmetric encryption key) to generate an enveloped data key 11a; [0313] lines 1-5, the server application 4 comprises one or more service queues 4b which contain a list of reference IDs associated with the items of stored data content that need further processing by the server key module 4c and/or file converting module 4d); and 
send the encrypted task request and the encrypted symmetric encryption key to the task queue module (Radich, [0304] lines 1-4, transmit the encrypted document data file 10a and the encrypted data key 11a (`enveloped data key`) to the server; [0313] lines 1-5, the server application 4 comprises one or more service queues 4b which contain a list of reference IDs associated with the items of stored data content that need further processing by the server key module 4c and/or file converting module 4d).

It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to have combined the teaching of Parmar and Zimmermann with Radich because Radich’s teaching of using a symmetric encryption key for encrypting the task would have provided Parmar and 

Parmar, Zimmermann and Radich fail to specifically teach that the data file being encrypted is a task request.

However, KWON teaches encrypt task request (KWON, [0072] lines 1-5, a module which encrypts one or more task requests, received from the application layer 131, using a key shared with the secure circuitry 120 (e.g., a key for establishing a channel, referred to as "channel key")).

It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to have combined the teaching of Parmar, Zimmermann and Radich with KWON because KWON’s teaching of encrypting the task requests would have provided Parmar, Zimmermann and Radich’s system with the advantage and capability to securely process the sensitive task request, thereby preventing potential threats and improving the data transmission security (see KWON, [0003] used for a payment process or the like which uses an external electronic device).

As per claim 11, Parmar, Zimmermann, Radich and KWON teach the invention according to claim 10 above. Radich further teaches decrypt the encrypted symmetric encryption key using a second asymmetric encryption key associated with the task queue module (Radich, [0106] line 1, decrypting the encrypted data key using a server private key; [0313] lines 1-5, the server application 4 comprises one or more service queues 4b which contain a list of reference IDs associated with the items of stored data content that need further processing by the server key module 4c and/or file converting module 4d; [0323] lines 5-8, the queue manager 50 of the server key module 4c accesses the data file service queue 4b and picks up a reference ID from the queue that represents an encrypted data file that needs processing; [0324] lines 1-10, The server key module 4c is configured to decrypt the encrypted data file 10a using the server private key. For example, the server private key is used to decrypt the encrypted or digitally enveloped data key associated with the encrypted data file 10a (as the envelope contains a version of the data key that has been asymmetrically encrypted with the server public key), and then the decrypted data key is used to decrypt the encrypted data file 10a (which was symmetrically encrypted with the data key originally)); 
re-encrypt the symmetric encryption key using a first asymmetric encryption key associated with the at least one worker (Radich, [0108] lines 1-3, re-encrypting the data key with the one or more user public keys and the server public key so that the data key can be decrypted by the one or more user's private keys. [0322] lines 21-27, The server key module 4c re-encrypts the converted data files, including adding any necessary user public keys to their respective enveloped data key or data keys, and outputs, via an output handler, the re-encrypted converted data file(s) 10d back to the server 10b for storage and access (e.g. display) by authorized users); and 
send the encrypted data file and the encrypted symmetric encryption key to the at least one worker (Radich, [0335] lines 3-7, The server responds by retrieving the encrypted data file 10d from the file storage database 1g and sends it to the user application 3 on the electronic user device 5 over the data network 30).

It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to have combined the teaching of Parmar and Zimmermann with Radich because Radich’s teaching of re-encrypting the symmetric encryption key for processing the task information would have provided Parmar and Zimmermann’s system with the advantage and capability to improve the data transmission security and reliability for processing the task information.

In addition, KWON teaches encrypt task request (KWON, [0072] lines 1-5, a module which encrypts one or more task requests, received from the application layer 131, using a key shared with the secure circuitry 120 (e.g., a key for establishing a channel, referred to as "channel key")).

It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to have combined the teaching of Parmar, Zimmermann and Radich with KWON because KWON’s teaching of encrypting the task requests would have provided Parmar, Zimmermann and Radich’s system with the advantage and capability to securely process the sensitive task request, thereby preventing potential threats and improving the data transmission 

As per claim 12, Parmar, Zimmermann, Radich and KWON teach the invention according to claim 11 above. Radich further teaches decrypt the encrypted symmetric encryption key using a second asymmetric encryption key associated with the at least one worker (Radich, [0335] lines 7-11, Once the converted and re-encrypted data file 10d arrives at the electronic user device 5, the user application 3 invokes the decryption module 3c to decrypt the enveloped data key associated with the data file 10d using the user private key 1); 
decrypt the encrypted data file using the decrypted symmetric encryption key (Radich, [0335] lines 11-13, The decryption module 3c is then configured to decrypts the data file 10d using the decrypted data key); and 
process the decrypted data file (Radich, [0335] lines 13-14, the decrypted data file 10c is then displayed to the user in their browser).

It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to have combined the teaching of Parmar and Zimmermann with Radich because Radich’s teaching of decrypting the symmetric encryption key for processing the task information would have provided Parmar and Zimmermann’s system with the advantage and capability to improve the data transmission security and reliability for processing the task information.

In addition, KWON teaches decrypt the encrypted task request and process the decrypted task request (KWON, Abstract, lines 13-15, The secure circuitry is configured to decrypt the encrypted secure program based on the second public key and a first private key which is symmetrical to the first public key; [0079] lines 1-6, The secure circuitry 120 may receive, for example, an encrypted secure program from the TEE 140 and may decrypt the secure program using a decryption key generated in the TEE 120. The secure circuitry 120 may execute the secure program to perform a specified function).

It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to have combined the teaching of Parmar, Zimmermann and Radich with KWON because KWON’s teaching of decrypting the encrypted task requests would have provided Parmar, Zimmermann and Radich’s system with the advantage and capability to securely process the sensitive task request, thereby preventing potential threats and improving the data transmission security (see KWON, [0003] used for a payment process or the like which uses an external electronic device).

As per claim 13, Parmar, Zimmermann, Radich and KWON teach the invention according to claim 12 above. Radich further teaches wherein the symmetric encryption key is an advance encryption standard (AES) key (Radich, [0302] lines 12-14, the symmetric encryption may be AES based encryption such as AES-256, or any other suitable symmetric encryption algorithm), 
the first asymmetric encryption key associated with the task queue module is a public key of the task queue module (Radich, [0303] lines 3-23, In one configuration, the encryption module 3b uses digital enveloping to asymmetrically encrypt the data key 11 with one or more public keys (as first asymmetric encryption key) to generate an enveloped data key 11a. Generally speaking, by `digital enveloping` it is meant that a single data key which has been used to encrypt the data file is itself encrypted using one or many public keys. Any one of the private keys associated with the public key(s), can then be used to decrypt and reveal the single data key, which in turn can be used to decrypt the data file. In this embodiment, the enveloped data key 11a is a data or key package comprising an encrypted version of the data key 11 for each of the public keys associated with the envelope, and where each encrypted version of the data key is created by asymmetrically encrypting the data key with its associated public key. In this embodiment, the encryption module 3b digitally envelopes the data key 11 using the user public key 12 and the server public key 13 which are stored in the browser memory on the electronic user device. By way of example the data key 11 is asymmetrically encrypted using the public key 12, and then the data key 11 is asymmetrically encrypted using the server public key 13; [0323] lines 5-8, the queue manager 50 of the server key module 4c accesses the data file service queue 4b and picks up a reference ID from the queue that represents an encrypted data file that needs processing), 
the second asymmetric encryption key associated with the task queue module is a private key of the task queue module (Radich, [0323] lines 5-8, the queue manager 50 of the server key module 4c accesses the data file service queue 4b and picks up a reference ID from the queue that represents an encrypted data file that needs processing; [0324] decrypt the encrypted data file 10a using the server private key. For example, the server private key is used to decrypt the encrypted or digitally enveloped data key associated with the encrypted data file 10a (as the envelope contains a version of the data key that has been asymmetrically encrypted with the server public key), and then the decrypted data key is used to decrypt the encrypted data file 10a (which was symmetrically encrypted with the data key originally)), 
the first asymmetric encryption key associated with the at least one worker is a public key of the at least one worker (Radich, [0322] lines 21-27, The server key module 4c re-encrypts the converted data files, including adding any necessary user public keys to their respective enveloped data key or data keys, and outputs, via an output handler, the re-encrypted converted data file(s) 10d back to the server 10b for storage and access (e.g. display) by authorized users), and 
the second asymmetric encryption key associated with the at least one worker is a private key of the at least one worker (Radich, [0335] lines 7-11, Once the converted and re-encrypted data file 10d arrives at the electronic user device 5, the user application 3 invokes the decryption module 3c to decrypt the enveloped data key associated with the data file 10d using the user private key 1).

It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to have combined the teaching of Parmar and Zimmermann with Radich because Radich’s teaching of using the advance encryption standard (AES) key as symmetric encryption key for processing the task information would have provided Parmar and Zimmermann’s system with the advantage 

As per claims 16-19, they are method claims of claims 10-13 respectively above. Therefore, they are rejected for the same reasons as claims 10-13 respectively above.
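
The envelope flow mapped onto claims 10-12 above (requester wraps the AES key for the task queue, the queue re-wraps it for the worker, the worker unwraps and decrypts) is sketched below as an added illustration; it is not code from the application or from any cited reference. The function names, the sample task, RSA-2048 with OAEP and the GCM mode are assumptions; only AES-256 and public/private key wrapping come from the cited passages.

```javascript
// Added illustration: sealTask, rewrapKey, openTask and demo are hypothetical names.
const nodeCrypto = require('node:crypto');

// Assumption: RSA-OAEP with SHA-256 as the asymmetric wrapping scheme.
const oaep = (key) => ({ key, padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' });
const newKeyPair = () => nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Requester (claim 10): encrypt the task under a fresh AES-256 key, wrap the key for the queue.
function sealTask(taskJson, queuePublicKey) {
  const aesKey = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', aesKey, iv);
  const ciphertext = Buffer.concat([cipher.update(taskJson, 'utf8'), cipher.final()]);
  return { iv, ciphertext, tag: cipher.getAuthTag(),
           wrappedKey: nodeCrypto.publicEncrypt(oaep(queuePublicKey), aesKey) };
}

// Task queue (claim 11): unwrap with its private key, re-wrap for the worker's public key.
// The encrypted payload itself is forwarded untouched.
function rewrapKey(envelope, queuePrivateKey, workerPublicKey) {
  const aesKey = nodeCrypto.privateDecrypt(oaep(queuePrivateKey), envelope.wrappedKey);
  return { ...envelope, wrappedKey: nodeCrypto.publicEncrypt(oaep(workerPublicKey), aesKey) };
}

// Worker (claim 12): unwrap the AES key, then decrypt and authenticate the task.
function openTask(envelope, workerPrivateKey) {
  const aesKey = nodeCrypto.privateDecrypt(oaep(workerPrivateKey), envelope.wrappedKey);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', aesKey, envelope.iv);
  decipher.setAuthTag(envelope.tag);
  return Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]).toString('utf8');
}

function demo() {
  const queue = newKeyPair(), worker = newKeyPair();
  // Constructed sample task request.
  const task = JSON.stringify({ id: 'task-0001', action: 'resize', path: '/tmp/in.png' });
  const atQueue = sealTask(task, queue.publicKey);
  const atWorker = rewrapKey(atQueue, queue.privateKey, worker.publicKey);
  // Before re-wrapping, the worker's private key must not open the envelope.
  let workerReadsUnwrapped = true;
  try { openTask(atQueue, worker.privateKey); } catch { workerReadsUnwrapped = false; }
  return { roundTrip: openTask(atWorker, worker.privateKey) === task,
           payloadUnchanged: atQueue.ciphertext.equals(atWorker.ciphertext),
           workerReadsUnwrapped };
}
```

In this arrangement the queue holds the plaintext AES key while re-wrapping, so it sits inside the trust boundary for every task it forwards.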


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZUJIA XU whose telephone number is (571)272-0954.  The examiner can normally be reached on M-F 9:00-5:30 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Meng-Ai An can be reached on (571) 272-3756.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-

/MENG AI T AN/Supervisory Patent Examiner, Art Unit 2195                                                                                                                                                                                                        




/Z.X./Examiner, Art Unit 2195