Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments and Amendments
	The standing objections have been resolved. The objections to the claims are withdrawn.
	Replacement Drawings have been received and are accepted.
	Rejection of claim 9 under 35 USC § 112 is withdrawn as moot in view of cancelation. 
Applicant has argued in substance that:
As discussed at length in the specification, the claims relate to providing secure access to data for specified purposes on a case-by-case basis. As such, a data processing organization may have authorization to use a user’s data for a specific purpose, such as a specific type of analysis, but may not have blanket authorization.
Accordingly, while a database may contain encrypted data and a vendor may have an encryption key, the vendor may be authorized to use the encryption key only for a first task, such as a first type of analysis. If the vendor chooses to further process user data for a second type of analysis, they should then be required to seek further consent from the user. As such, the vendor should no longer have the ability to decrypt the user data by way of the encryption key.
Traditionally, data-collecting companies or third parties have been able to use such data, after their encryption key is destroyed, only by decrypting the data by way of the user. However, decrypting the data in this way is difficult logistically. See, e.g., the background of the specification.
Instead, the claimed method provides a first decryption key for each user to decrypt that user’s data. The data records are then stored in a database, and that first decryption key can be used to decrypt data associated with a specific user. The first decryption keys (VK) are [then] stored in a volatile memory (VMEM) in decrypted form, so that they can be used for an authorized purpose, and they are also encrypted by an encryption key (K1) assigned to the particular entity (U)(S4) so that they can safely be stored as an encrypted first decryption key (VKK), such as by a data processing organization, for later use.
	While the claims are viewed in light of the specification, the specification is not read into the claims. The specification supports a “case-by-case basis” and a “decryption key for each user to decrypt that user’s data”, but the claims require only a single user, and can even be viewed as implying a single user:
- the data records are each assigned to an entity (U), preferably a user, 
	The arguments imply a claim limitation more along the lines of:
- the data records are each assigned to a particular entity (U) of a plurality of entities, preferably a user, 

	With the claim covering only a single user, Melvin can be viewed as having encryption of the decryption key:
	(Melvin, Column 12, Lines 23-46, “FIG. 8 illustrates portions of an apparatus in which key storage is decoupled from the storage device. Host device 81 can generate data for storage on a storage device and can request retrieval of stored data. Host device 81 can communicate with a locally connected storage device 85 and/or a storage device 84 coupled over a network 83. Host device 81 could be a general purpose computer such as a laptop computer or a personal device such as a PDA or could be a server. Encryption/decryption apparatus 87 is an apparatus that encrypts and encrypts data being stored and retrieved by host device 81. The encryption and decryption could be similar to the encryption and decryption apparatuses discussed above and illustrated in FIG. 1, 4A, 4B or 5. Key Storage Unit 82 stores the keys utilized by the Encryption/Decryption Unit 87. Communication path 86 is used to communicate the keys stored by Key Storage Unit 82. In some embodiments this communication path is a secure path that is secured either physically or cryptographically or both. For example, the keys being communicated on communication path 86 could themselves be encrypted according to a public key encryption mechanism so that observation of the data being communicated would not reveal the keys. In some embodiments Key Storage Unit 82 is a portable storage device such as could be embodied in a USB thumb drive.”).

Claim Rejections - 35 USC § 102

A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1, 4, and 5 are rejected under 35 U.S.C. 102(a)(2) as being antedated by United States Patent No.: US 8,812,875 B1 (Melvin).

As Per Claim 1: Melvin teaches: Method for secure access to data, wherein

- the data comprises a number of data records, wherein
- the data records are each assigned to an entity (U), preferably a user, and
- the data records are stored in encrypted form in a database (DB),
- wherein a first decryption key (VK) assigned to a particular entity (U) is used to decrypt the data records assigned to the particular entity,
- the first decryption keys (VK) are stored in a volatile memory (VMEM),
	(Melvin, Abstract, “A method and apparatus are utilized to conveniently and swiftly render stored information inaccessible. Sensitive information is stored in an encrypted form and by eliminating the key or keys which are needed for decryption, the stored information becomes virtually destroyed. A variety of mechanisms and policies can be used to manage, set and eliminate decryption keys. In some cases decryption keys can be stored in volatile storage elements so that by merely interrupting power to the storage element, the decryption keys are eliminated. In this way, a manually controlled mechanism can be used to allow a user to accomplish a "self-destruct" of the stored information instantly without the need for the operation of any processor and without the need to change any stored information.”).

- the first decryption keys (VK) assigned to the particular entity (U) are encrypted by an encryption key (K1) assigned to the particular entity (U) (S4), and the encrypted first decryption keys (VKK) are stored in a permanent memory (PMEM) (S5),
	(Melvin, Column 3, Lines 44-59, “The encryption mechanism employed by encryption block 14, decryption block 15 and key storage 11 can be a symmetric or non-symmetric system. In the case of a symmetric system, the same key is utilized for both encryption and decryption. In the case of a non-symmetric system different keys are utilized for encryption and decryption. Typically non-symmetric encryption systems involve generating encryption and decryption keys in matched pairs and are designed such that knowledge of one key does not permit a practical discovery of the other key. With a non-symmetric encryption mechanism it would be possible to have key storage 11 store only the decryption key or keys and move the encryption apparatus into the host device. In that case the host device could have the encryption key or keys and could encrypt the information before sending it to virtual self-destruct apparatus 19.”).
	(Melvin, Column 12, Lines 23-46, “FIG. 8 illustrates portions of an apparatus in which key storage is decoupled from the storage device. Host device 81 can generate data for storage on a storage device and can request retrieval of stored data. Host device 81 can communicate with a locally connected storage device 85 and/or a storage device 84 coupled over a network 83. Host device 81 could be a general purpose computer such as a laptop computer or a personal device such as a PDA or could be a server. Encryption/decryption apparatus 87 is an apparatus that encrypts and encrypts data being stored and retrieved by host device 81. The encryption and decryption could be similar to the encryption and decryption apparatuses discussed above and illustrated in FIG. 1, 4A, 4B or 5. Key Storage Unit 82 stores the keys utilized by the Encryption/Decryption Unit 87. Communication path 86 is used to communicate the keys stored by Key Storage Unit 82. In some embodiments this communication path is a secure path 

- and after the volatile memory (VMEM) is cleared (S6)
- the encrypted first decryption keys (VKK) are copied from the permanent memory (PMEM) into the volatile memory (VMEM) (S9), and
	(Melvin, Column 4, Lines 10-34, “In some embodiments, key storage 11 comprises volatile memory. This means that it contains storage elements that require power to maintain their contents. Examples of volatile storage devices are semiconductor RAM cells and semiconductor registers. Battery 18 is used to supply power to key storage 11, in the absence of power being supplied through peripheral interface 13 or peripheral interface 16 or some other source. If power is interrupted to volatile key storage 11 the key or keys will be erased. Self destruct switch 17 can be a momentary action mechanical push button switch which will temporarily interrupt power from being supplied from battery 18 to volatile key storage 11. In the case that self destruct switch 17 is activated when key storage is not receiving power from any other source, the keys used to encrypt information on storage device 12 will be lost. Thus, if the user simply presses self destruct switch 17, this causes the virtual destruction of stored information (kablooie!). The information stored on storage device 12 becomes unusable; while still accessible it is "virtually" destroyed because it is no longer practical to decrypt it. In other embodiments the keys are stored in non-volatile memory, but include circuitry that can automatically erase stored keys based on a signal from a user or application.”).


- in the volatile memory (VMEM), the encrypted first decryption keys (VKK) are decrypted by a second decryption key (K2) assigned to the particular entity (U). 
	(Melvin, Column 4 Line 63 - Column 5 Line 2, “In this case, if the key is locally eliminated, the stored information can still be made accessible by going back to the original key generator. This may be a viable solution for portable devices since deletion of the decryption key will cause the information to be locally inaccessible, but may still be recovered using information stored in a central (and presumably more secure) location.”).
	(Melvin, Column 7, Lines 13-26, “Command processing apparatus 412 is used to allow dynamic key management through applications running on a host system, such as one coupled to peripheral interface 410. In one embodiment, peripheral commands are examined by command processing apparatus 412 and those related to key management are intercepted and processed. Key management operations include key creation, key storage, key retrieval and key deletion. Key management operations can also be accomplished using external port 424. In some embodiments, external port 424 is a USB port and allows an external host system to perform key operations. In this way, key management can be controlled internally (using the main information data path) and/or externally (using an external port).”).
	(Melvin, Column 7, Lines 42-49, “FIG. 4B illustrates aspects of a time-based key management system. In some embodiments, a time-based key management system periodically creates new keys and 
	(Melvin, Column 8, Lines 9-12, “In some embodiments, it may be desirable to automatically refresh data when it is being read from the storage device. In this case, it is necessary to decrypt and then re-encrypt the information using a different key.”).
	(Melvin, Column 12, Lines 23-46, “FIG. 8 illustrates portions of an apparatus in which key storage is decoupled from the storage device. Host device 81 can generate data for storage on a storage device and can request retrieval of stored data. Host device 81 can communicate with a locally connected storage device 85 and/or a storage device 84 coupled over a network 83. Host device 81 could be a general purpose computer such as a laptop computer or a personal device such as a PDA or could be a server. Encryption/decryption apparatus 87 is an apparatus that encrypts and encrypts data being stored and retrieved by host device 81. The encryption and decryption could be similar to the encryption and decryption apparatuses discussed above and illustrated in FIG. 1, 4A, 4B or 5. Key Storage Unit 82 stores the keys utilized by the Encryption/Decryption Unit 87. Communication path 86 is used to communicate the keys stored by Key Storage Unit 82. In some embodiments this communication path is a secure path that is secured either physically or cryptographically or both. For example, the keys being communicated on communication path 86 could themselves be encrypted according to a public key encryption mechanism so that observation of the data being communicated would not reveal the keys. In some embodiments Key Storage Unit 82 is a portable storage device such as could be embodied in a USB thumb drive.”).

As Per Claim 4: The rejection of claim 1 is incorporated and further Melvin teaches:
- the encryption keys (K1) are deleted or stored only in the volatile memory (VMEM) after the encryption (S4) of the first decryption keys (VK). 
	(Melvin, Column 7, Lines 27-41, “The dynamic key management apparatus illustrated in FIG. 4A could be combined with the virtual self-destruct mechanism illustrated in FIG. 1. Thus key deletion can be accomplished through the virtual self-destruct mechanisms discussed above or can be performed through the internal or external data path. In the case of applications that utilized command processing apparatus 412, these applications can be firmware running on the host device, BIOS software, OS drivers, OS daemons, user applications or some combination of the above. In some embodiments the operations on key storage 418 can be effected in a way that is transparent to the storage device using regular disk drive read and write commands with special data patterns. In other embodiments new or reserved commands can be utilized to communicate between host device and command processing apparatus 412.”).

As Per Claim 5: The rejection of claim 1 is incorporated and further Melvin teaches:
- the second decryption keys (K2) are deleted or stored only in the volatile memory (VMEM) after the decryption (S11) of the encrypted first decryption keys (VKK).
	(Melvin, Column 7, Lines 27-41, “The dynamic key management apparatus illustrated in FIG. 4A could be combined with the virtual self-destruct mechanism illustrated in FIG. 1. Thus key deletion can be accomplished through the virtual self-destruct mechanisms discussed above or can be performed through the internal or external data path. In the case of applications that utilized command processing apparatus 412, these applications can be firmware running on the host device, BIOS software, OS drivers, OS daemons, user applications or some combination of the above. In some embodiments the operations on key storage 418 can be effected in a way that is transparent to the storage device using regular disk drive read and write commands with special data patterns. In other embodiments new or reserved commands can be utilized to communicate between host device and command processing apparatus 412.”).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2-3 and 6-8 are rejected under 35 U.S.C. 103 as being unpatentable over United States Patent No.: US 8,812,875 B1 (Melvin) in view of Functional Encryption for Secured Big Data Analytics (Chakraborty et al.).

As Per Claim 2: The rejection of claim 1 is incorporated and further, Melvin does not explicitly teach the following limitation; however, Chakraborty et al., in analogous art, does teach the following limitation:
- the encryption keys (K1) and the second decryption keys (K2) are generated by means of a secret (S) provided by the particular entity (U), wherein the secret (S) is provided by the particular entity (U) separately for the generation of the encryption keys (K1) (S1) and for the generation of the second decryption keys (K2) (S8). 
	(Section: 4. FUNCTIONAL ENCRYPTION, “Functional encryption is a form of public key cryptography that provides a limited secret key which can encrypt a certain functionality of the encrypted data, without exploring any further details. In traditional public-key cryptosystems, the corresponding cipher text of a plain text is intended to be decrypted only by a single recipient of the encrypted data. But in certain scenario, such as cloud computing, an encrypted message may be directed to a group of people, without knowing a specific individual. In such a communication scenario, functional encryption lets a user to decrypt only a specific functionality of the cipher text, without revealing any more information about 
	A functional encryption consists of the following algorithms:
(pk, msk) ← SetUp(1): creates a public key pk and a master secret key msk.
Sk ← KeyGen(msk,k): uses the master secret key to generate a new secret key sk for value k.
C ← Encrypt (pk,m): uses the public key to encrypt a message m.
F(k,m) ← Dec(sk,c): uses secret key sk to calculate a function of the value c encrypts.
	The secret key sk in the above construction, restricts the user from decrypting any other information apart from the functionality for which the secret key is provided for. Thus this scheme can help in providing limited access to certain resources which must be protected and accessed from a limited set of users, though the resources reside on public servers. The rough working mechanism of functional encryption can be depicted in figure-2.

	[Figure 2: working mechanism of functional encryption; image not reproduced]
”).

As Per Claim 3: The rejection of claim 1 is incorporated and further, Melvin does not explicitly teach the following limitation; however, Chakraborty et al., in analogous art, does teach the following limitation:
- the secret (S) is discarded or deleted after each of the generation (S2) of the encryption keys (K1) and the generation (S10) of the second decryption keys (K2) (S2.1; S10.1). 
	(Section: 4. FUNCTIONAL ENCRYPTION, “Functional encryption is a form of public key cryptography that provides a limited secret key which can encrypt a certain functionality of the encrypted data, without exploring any further details. In traditional public-key cryptosystems, the corresponding cipher text of a plain text is intended to be decrypted only by a single recipient of the encrypted data. But in certain scenario, such as cloud computing, an encrypted message may be directed to a group of people, without knowing a specific individual. In such a communication scenario, functional encryption lets a user to decrypt only a specific functionality of the cipher text, without revealing any more information about the original data. Existing encryption schemes, such as Identity based encryption and Attribute based encryption can be seen as specific cases of Functional encryption. Functional encryption was introduced in 2005 by Amit Sahai and Brent Waters [7] which supported the evaluation of some specific functionality. In 2012, several researchers around the world developed Functional Encryption schemes that support arbitrary functions. Thus it introduces a new form of cryptographic encapsulation on the cipher texts.
	A functional encryption consists of the following algorithms:
(pk, msk) ← SetUp(1): creates a public key pk and a master secret key msk.
Sk ← KeyGen(msk,k): uses the master secret key to generate a new secret key sk for value k.
C ← Encrypt (pk,m): uses the public key to encrypt a message m.
F(k,m) ← Dec(sk,c): uses secret key sk to calculate a function of the value c encrypts.


	[Figure 2: working mechanism of functional encryption; image not reproduced]
”).
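The key lifecycle recited in claims 1 to 5 (steps S1 to S11), sketched as an added example; it is not code from the application, from Melvin, or from Chakraborty et al. It assumes K1 and K2 are the same symmetric key derived from the secret S with PBKDF2, and it uses an HMAC-SHA256 encrypt-then-MAC construction as a standard-library stand-in for an authenticated cipher; `KeyStore` and every other name here are hypothetical.

```python
import hashlib
import hmac
import secrets


def derive_key(secret: bytes, salt: bytes) -> bytes:
    """S1/S8: derive K1 (and later K2) from the entity's secret S."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000, 32)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        block = b"enc" + nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:n]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for an authenticated cipher (assumption)."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KeyStore:
    def __init__(self):
        self.vmem = {}  # entity -> VK in the clear; gone after clear_vmem()
        self.pmem = {}  # entity -> (salt, VKK); survives clear_vmem()
        self.db = {}    # entity -> encrypted data records

    def enroll(self, entity: str, secret: bytes) -> None:
        vk = secrets.token_bytes(32)
        salt = secrets.token_bytes(16)
        k1 = derive_key(secret, salt)              # S1/S2
        self.pmem[entity] = (salt, wrap(k1, vk))   # S4/S5: VKK to PMEM
        del k1  # claim 4; del drops the reference, it does not wipe memory
        self.vmem[entity] = vk
        self.db[entity] = []

    def store(self, entity: str, record: bytes) -> None:
        self.db[entity].append(wrap(self.vmem[entity], record))

    def read(self, entity: str) -> list:
        vk = self.vmem[entity]  # KeyError once VMEM has been cleared
        return [unwrap(vk, r) for r in self.db[entity]]

    def clear_vmem(self) -> None:  # S6
        self.vmem.clear()

    def reauthorize(self, entity: str, secret: bytes) -> None:
        salt, vkk = self.pmem[entity]        # S9: VKK copied out of PMEM
        k2 = derive_key(secret, salt)        # S8/S10: S supplied again
        self.vmem[entity] = unwrap(k2, vkk)  # S11: VK back in VMEM
        del k2  # claim 5


def demo():
    secret = b"constructed-secret-S"  # constructed sample value
    ks = KeyStore()
    ks.enroll("U", secret)
    ks.store("U", b"record-1")
    before = ks.read("U")
    ks.clear_vmem()
    try:
        ks.read("U")
        locked = False
    except KeyError:
        locked = True
    try:
        ks.reauthorize("U", b"not-the-secret")
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True
    ks.reauthorize("U", secret)
    return before, locked, wrong_rejected, ks.read("U")
```

After `clear_vmem()` the store holds only ciphertext and VKK, so records stay unreadable until the entity supplies S again.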

As Per Claim 6: The rejection of claim 1 is incorporated and further, Melvin does not explicitly teach the following limitation; however, Chakraborty et al., in analogous art, does teach the following limitation:
- the access to the data records encrypted in the database (DB) is handled by an access control device (PGU), wherein access policies indicating who can access the encrypted data records and for what purpose are stored in the access control device (PGU). 
	(Section: 4. FUNCTIONAL ENCRYPTION, “Functional encryption is a form of public key cryptography that provides a limited secret key which can encrypt a certain functionality of the encrypted data, without exploring any further details. In traditional public-key cryptosystems, the corresponding cipher text of a plain text is intended to be decrypted only by a single recipient of the encrypted data. But in certain scenario, such as cloud computing, an encrypted message may be directed to a group of people, 
	A functional encryption consists of the following algorithms:
(pk, msk) ← SetUp(1): creates a public key pk and a master secret key msk.
Sk ← KeyGen(msk,k): uses the master secret key to generate a new secret key sk for value k.
C ← Encrypt (pk,m): uses the public key to encrypt a message m.
F(k,m) ← Dec(sk,c): uses secret key sk to calculate a function of the value c encrypts.
	The secret key sk in the above construction, restricts the user from decrypting any other information apart from the functionality for which the secret key is provided for. Thus this scheme can help in providing limited access to certain resources which must be protected and accessed from a limited set of users, though the resources reside on public servers. The rough working mechanism of functional encryption can be depicted in figure-2.

	[Figure 2: working mechanism of functional encryption; image not reproduced]
”).

As Per Claim 7: The rejection of claim 6 is incorporated and further Melvin teaches:
- all content in the volatile memory (VMEM) is deleted if the access policies are changed. 
	(Melvin, Column 3, Lines 32-43, “In some embodiments, virtual self destruct mechanism 19 mirrors read and write commands across its peripheral interfaces 13 and 16 and implements identical interfaces between host device 10 and storage device 12. This allows virtual self destruct mechanism 19 to be retrofitted into existing computer systems without any changes to existing hardware or software. Host device 10 can communicate with virtual self destruct mechanism 19 in the same way as it would communicate directly with storage device 12. Similarly, storage device 12 can respond to commands from virtual self destruct mechanism 19 in the same way as it would respond to commands directly from host device 10.”).
	(Melvin, Column 4, Lines 10-33, “In some embodiments, key storage 11 comprises volatile memory. This means that it contains storage elements that require power to maintain their contents. Examples of volatile storage devices are semiconductor RAM cells and semiconductor registers. Battery 18 is used to supply power to key storage 11, in the absence of power being supplied through peripheral interface 13 or peripheral interface 16 or some other source. If power is interrupted to volatile key storage 
	Access no longer being permitted would be a policy change resulting in the self-destruct of all data in volatile memory.

As Per Claim 8: The rejection of claim 6 is incorporated and further Melvin teaches:
- the access control device (PGU) is physically coupled to the volatile memory (VMEM), wherein if the access policies are changed, the access control device (PGU) is restarted, the volatile memory (VMEM) is also restarted on account of the physical coupling, and the first decryption keys (VK) stored in the volatile memory (VMEM) are deleted. 
	(Melvin, Column 4, Lines 10-33, “In some embodiments, key storage 11 comprises volatile memory. This means that it contains storage elements that require power to maintain their contents. Examples of volatile storage devices are semiconductor RAM cells and semiconductor registers. Battery 18 is used to supply power to key storage 11, in the absence of power being supplied through peripheral interface 13 or peripheral interface 16 or some other source. If power is interrupted to volatile key storage 11 the key or keys will be erased. Self destruct switch 17 can be a momentary action mechanical push button switch which will temporarily interrupt power from being supplied from battery 18 to volatile key 
	If power is cut to RAM cells and semiconductor registers, all the data is lost and the system will not be operating; power returning will cause a reboot of the system.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BENJAMIN A KAPLAN whose telephone number is (571)270-3170. The examiner can normally be reached on 9:00 a.m. - 5:00 p.m.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/BENJAMIN A KAPLAN/Examiner, Art Unit 2434
/KAMBIZ ZAND/Supervisory Patent Examiner, Art Unit 2434