Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Drawings
New corrected drawings in compliance with 37 CFR 1.121(d) are required in this application because the drawings filed are mostly blank boxes that would not show the nature of the invention. The one exception is figure 3, which appears to be an example drawing labeled in German.
Applicant is advised to employ the services of a competent patent draftsperson outside the Office, as the U.S. Patent and Trademark Office no longer prepares new drawings. The corrected drawings are required in reply to the Office action to avoid abandonment of the application. The requirement for corrected drawings will not be held in abeyance.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claim 15 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 15 is a system claim referring back to a part of a device claim. It is entirely uncertain what the scope of claim 15 is to be interpreted as encompassing. Assuming claim 15 is an independent claim 

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-4, 6-10, and 14 are rejected under 35 U.S.C. 102(a)(2) as being antedated by United States Patent No.: US 7,234,058 B1 (Baugher et al.).

As Per Claim 1: Baugher et al. teaches: A method for transferring data in a topic-based publish-subscribe system, comprising a key distribution server and a number of local client systems that is coupled with the key distribution server, comprising:

- a) providing a group key by the key distribution server for a group selected from the local client systems,
	(Baugher et al., Column 11, Lines 1-9, “If a shared group secret exists, then key server 512 retrieves it; otherwise, the key server generates a new shared group secret. For each router 502A, 502B, 502C that contacts it, key server 512 then encrypts the shared group secret under the pairwise key of that router and provides the encrypted shared secret to that router. As a result, all group members have the same shared secret. For purposes of describing algorithms herein, the group shared secret is designated Kg.”).
	(Baugher et al., Column 9, Lines 53-55, “Routers 502A, 502B, 502C participate in a local area network, wide area network, or internetwork.”).

- b) locally deriving a first-order sub-group key for a first-order sub-group of the group by means of key derivation parameters, at least comprising the provided group key and a specific topic of the publish-subscribe system, by the respective client system of the first-order sub-group, and
	(Baugher et al., Column 11, Lines 42-64, “Assume that router 502A is designated as group member A and router 502B is designated as group member B. For group member A to communicate with member B, both A and B generate a pairwise key designated Kab. Both A and B must be able to compute the same key value independently. In one embodiment, the computation is:
	Kab=PRF(Kg|IPa|IPb) 
	wherein PRF is a pseudorandom function, and IPa and IPb are the IP addresses of A and B, respectively. 
	When IKE Main-mode is used, though, identity information is not known unless the shared-secret is known. Accordingly, in one alternative approach, nonce values obtained from messages 1 through 4 in the IKE Main-mode message exchange are used. For example, the computation is: 
	Kab=PRF(Kg|Na|Nb) 
	where Na and Nb are nonce values contributed by each peer, respectively, Kg is the group key, and PRF is a pseudorandom function that was negotiated in IKE, such as SHA-1, MD5, etc. Each peer acquires knowledge of the nonce value contributed by the other peer during Phase 1 of IKE, in block 612 of FIG. 6 prior to the authentication step where the Kab is used as the IKE authenticator”).

- c) transferring at least one message cryptographically protected by the derived first-order sub-group key between the client systems of the first-order sub-group. 
	(Baugher et al., Column 10, Lines 44-51, “In block 526, secure VPN communications are set up and performed following the completion of an IKE Phase 1 exchange in which a pairwise key that is derived 
	(Baugher et al., Column 12, Lines 2-5, “For example, router 502A initiates VPN communication with router 502B; packet flows on the VPN are encrypted using an IPsec key that is negotiated among router 502A and 502B using the IKE connection they have established.”).

As Per Claim 2: The rejection of claim 1 is incorporated and further Baugher et al. teaches:
- the steps a), b) and c) are carried out after a respective authentication of the client system of the group on the key distribution server. 
	(Baugher et al., Column 5, Lines 3-19, “Thus the present invention discloses two useful and novel applications for automated group-key management. The first is to use a group key in place of a pre-shared key to authenticate each entity involved in a key-establishment procedure. The second application is to use group keys to derive pairwise session keys that encrypt and/or authenticate individual messages. Whereas the first application permits point-to-point key establishment based on group-key authenticators. The second application obviates the need for point-to-point key establishment for certain environments. Thus, the approaches herein provide automated management of pre-shared keys, faster establishment of secure sessions, and great expansion in the capacity of VPNs, servers, concentrators, and other devices that provide security services to host computers. Embodiments may be used in unicast and multicast virtual private network, client-server security services, among other applications.”).
	(Baugher et al., Column 6, Lines 26-34, “In block 202, one or more potential group members are enrolled in a secure group. For example, data representing employees of an enterprise are enrolled in a secure group of employees who are permitted to use a VPN. The specific enrollment mechanism is not critical. Enrollment may use, for example, a common credential system such as an X.509 digital certificate 

As Per Claim 3: The rejection of claim 1 is incorporated and further Baugher et al. teaches:
- locally deriving a second-order sub-group key for a second-order sub-group of the first-order sub-group by means of the derived first-order sub-group key by the respective client system of the second-order sub-group, and transferring at least one message cryptographically protected by the derived second-order sub-group key between the client systems of the second-order sub-group. 
	(Baugher et al., Column 6, Lines 57-64, “FIG. 2B is a flow diagram of a process of generating pair-wise keys for use in private encrypted communications among a first and second group member. FIG. 2B described the use of deriving a pair-wise group key for a data security protocol. The steps of FIG. 2B may be carried out, for example, after the process of FIG. 2A is carried out, and at the time that two group members need to establish a two-party, peer-to-peer or point-to-point secure connection.”).
	(Baugher et al., Column 10, Lines 44-51, “In block 526, secure VPN communications are set up and performed following the completion of an IKE Phase 1 exchange in which a pairwise key that is derived from a group key is used by each peer to authenticate itself to the other peer. Block 526 may involve, for example, an IKE negotiation of a pairwise key among peers at endpoints of a VPN connection, and communicating data packets that are encrypted using the pairwise key.”).
	(Baugher et al., Column 12, Lines 2-5, “For example, router 502A initiates VPN communication with router 502B; packet flows on the VPN are encrypted using an IPsec key that is negotiated among router 502A and 502B using the IKE connection they have established.”).

As Per Claim 4: The rejection of claim 1 is incorporated and further Baugher et al. teaches:
- the first-order sub-group key for the first-order sub-group is derived by the key derivation parameters comprising the supplied group key, the specific topic of the publish-subscribe system, a secret specific to the first-order sub-group and at least one additional derivation parameter. 
	(Baugher et al., Column 6, Lines 57-64, “In block 206, in response, the key server provides the group key to the requesting member. In one embodiment, the requesting member receives a copy of the group shared secret or group key that is encrypted using that group member's pairwise key that it established with the key server. As a result, all group members acquire the same shared group secret. The key server also provides descriptor information or policy information to the requesting member. The descriptor is a set of information that identifies security parameters that are applicable to the data-security protocol session that the requesting member is seeking to establish or that are applicable to the pre-shared key, which might also be derived from the group key. Embodiments of descriptors are described further below.”).

As Per Claim 6: The rejection of claim 1 is incorporated and further Baugher et al. teaches:
- the first-order sub-group key for the first-order sub-group is derived by a commutative operation from the key derivation parameters by the respective client system of the first-order sub-group. 
	(Baugher et al., Column 6, Lines 57-64, “In block 206, in response, the key server provides the group key to the requesting member. In one embodiment, the requesting member receives a copy of the group shared secret or group key that is encrypted using that group member's pairwise key that it established with the key server. As a result, all group members acquire the same shared group secret. The key server also provides descriptor information or policy information to the requesting member. The descriptor is a set of information that identifies security parameters that are applicable to the data-security protocol session that the requesting member is seeking to establish or that are applicable to the 

As Per Claim 7: The rejection of claim 1 is incorporated and further Baugher et al. teaches:
- M sub-groups ranked in a hierarchy of the group of client systems are provided, wherein a sub-group key of (N+1)-th order of a sub-group of (N+1)-th order is derived by an Nth order sub-group key of an Nth order sub-group. 
	(Baugher et al., Column 6, Lines 7-17, “FIG. 1 is a block diagram of a system for generating pair-wise keys, according to a first embodiment. A key server 102 is communicatively coupled in a network 100 comprising a plurality of packet data routers R1, R2, R3, etc. A first security domain SD-1 includes routers R2, R3, R4, and a second security domain SD-2 includes routers R5, R6, R7, R8. SD-1 and SD-2 may also comprise groups in which the routers therein are group members. For purposes of illustrating a simple example, FIG. 1 depicts only eight routers; however, in a practical embodiment, there may be any number of network devices involved.”).

As Per Claim 8: The rejection of claim 1 is incorporated and further Baugher et al. teaches:
- the Nth order sub-group in the hierarchy of the M ranked sub-groups is arranged directly above the sub-group of (N+1)-th order. 
	(Baugher et al., Column 6, Lines 7-17, “FIG. 1 is a block diagram of a system for generating pair-wise keys, according to a first embodiment. A key server 102 is communicatively coupled in a network 100 comprising a plurality of packet data routers R1, R2, R3, etc. A first security domain SD-1 includes routers R2, R3, R4, and a second security domain SD-2 includes routers R5, R6, R7, R8. SD-1 and SD-2 may also comprise groups in which the routers therein are group members. For purposes of illustrating a simple 

As Per Claim 9: The rejection of claim 1 is incorporated and further Baugher et al. teaches:
- locally deriving a sub-group key of (N+1)-th order for a sub-group of (N+1)-th order of the subgroup of Nth order by means of the derived Nth order sub-group key by the respective client system of the subgroup of (N+1)-th order, with N [1, . . . , M] and M>2, and transferring at least one message cryptographically protected by the derived sub-group key of (N+1)-th order between the client systems of the sub-group of (N+1)-th order. 
	(Baugher et al., Column 11, Lines 42-64, “Assume that router 502A is designated as group member A and router 502B is designated as group member B. For group member A to communicate with member B, both A and B generate a pairwise key designated Kab. Both A and B must be able to compute the same key value independently. In one embodiment, the computation is:
	Kab=PRF(Kg|IPa|IPb) 
	wherein PRF is a pseudorandom function, and IPa and IPb are the IP addresses of A and B, respectively. 
	When IKE Main-mode is used, though, identity information is not known unless the shared-secret is known. Accordingly, in one alternative approach, nonce values obtained from messages 1 through 4 in the IKE Main-mode message exchange are used. For example, the computation is: 
	Kab=PRF(Kg|Na|Nb) 
	where Na and Nb are nonce values contributed by each peer, respectively, Kg is the group key, and PRF is a pseudorandom function that was negotiated in IKE, such as SHA-1, MD5, etc. Each peer acquires knowledge of the nonce value contributed by the other peer during Phase 1 of IKE, in block 612 of FIG. 6 prior to the authentication step where the Kab is used as the IKE authenticator”).

As Per Claim 10: The rejection of claim 9 is incorporated and further Baugher et al. teaches:
- the sub-group key of (N+1)-th order for the sub-group of (N+1)-th order is derived using the derived Nth order sub-group key and a specific secret for the sub-group of (N+1)-th order by the respective client system of the sub-group of (N+1)-th order. 
	(Baugher et al., Column 6, Lines 57-64, “FIG. 2B is a flow diagram of a process of generating pair-wise keys for use in private encrypted communications among a first and second group member. FIG. 2B described the use of deriving a pair-wise group key for a data security protocol. The steps of FIG. 2B may be carried out, for example, after the process of FIG. 2A is carried out, and at the time that two group members need to establish a two-party, peer-to-peer or point-to-point secure connection.”).
	(Baugher et al., Column 10, Lines 44-51, “In block 526, secure VPN communications are set up and performed following the completion of an IKE Phase 1 exchange in which a pairwise key that is derived from a group key is used by each peer to authenticate itself to the other peer. Block 526 may involve, for example, an IKE negotiation of a pairwise key among peers at endpoints of a VPN connection, and communicating data packets that are encrypted using the pairwise key.”).
	(Baugher et al., Column 12, Lines 2-5, “For example, router 502A initiates VPN communication with router 502B; packet flows on the VPN are encrypted using an IPsec key that is negotiated among router 502A and 502B using the IKE connection they have established.”).
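The derivation chain recited in claims 1, 3, 4, 9 and 10 (group key from the key distribution server, then a first-order sub-group key bound to a topic and a sub-group secret, then a second-order key derived from the first-order key), with the validity period of claim 5 as an additional derivation parameter, is worked through below as an added Python example; it is not code from the application or from Baugher et al. HKDF with HMAC-SHA256 is assumed as the key derivation function, and every key, secret, topic name and parameter encoding is constructed for the example.

```python
"""Hierarchical sub-group key derivation for a topic-based publish-subscribe
system. Assumptions: HKDF (RFC 5869) over HMAC-SHA256 is the key derivation
function; all key material and parameter encodings are constructed here."""
import hashlib
import hmac
from typing import Optional

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 step 1: PRK = HMAC-Hash(salt, IKM)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869 step 2: OKM = T(1) | T(2) | ... truncated to `length`
    okm, block = b"", b""
    for counter in range(1, -(-length // HASH_LEN) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
    return okm[:length]


def encode_params(*params: bytes) -> bytes:
    # Length-prefix each parameter so (b"ab", b"c") and (b"a", b"bc") cannot
    # collide once concatenated into the HKDF info string.
    return b"".join(len(p).to_bytes(2, "big") + p for p in params)


def derive_subgroup_key(parent_key: bytes, topic: str, subgroup_secret: bytes,
                        *extra: bytes) -> bytes:
    """Key of order N+1 derived from the order-N key (claims 4 and 10).

    parent_key      the group key Kg for a first-order sub-group, otherwise
                    the key of the enclosing sub-group
    topic           the publish-subscribe topic the key is bound to
    subgroup_secret a secret known only to members of this sub-group; a
                    client holding Kg and the topic but not this secret
                    derives a different key
    extra           additional derivation parameters, e.g. a communication
                    direction or a validity period (claim 5)
    """
    prk = hkdf_extract(salt=subgroup_secret, ikm=parent_key)
    info = encode_params(b"pubsub-subgroup-key-v1", topic.encode(), *extra)
    return hkdf_expand(prk, info, HASH_LEN)


def protect(key: bytes, message: bytes) -> bytes:
    # Integrity protection only: message || HMAC-SHA256 tag under the key.
    return message + hmac.new(key, message, HASH).digest()


def unprotect(key: bytes, blob: bytes) -> Optional[bytes]:
    # Returns the message if the tag verifies under `key`, else None.
    message, tag = blob[:-HASH_LEN], blob[-HASH_LEN:]
    expected = hmac.new(key, message, HASH).digest()
    return message if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    kg = b"\x01" * 32                       # constructed group key from the server
    k1 = derive_subgroup_key(kg, "grid/telemetry", b"subgroup-1-secret",
                             b"dir:publish", b"valid:2024-01")
    k2 = derive_subgroup_key(k1, "grid/telemetry", b"subgroup-2-secret")
    print(k1.hex(), k2.hex(), unprotect(k2, protect(k2, b"reading=42")))
```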

As Per Claim 14: Claim 14 is substantially a restatement of the method of claim 1 as a device and is rejected under substantially the same reasoning.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 11-13 are rejected under 35 U.S.C. 103 as being unpatentable over United States Patent No.: US 7,234,058 B1 (Baugher et al.).

As Per Claim 11: The rejection of claim 1 is incorporated and further Baugher et al. does not explicitly teach:
- the local client system comprises a number of client devices, wherein the client device comprises a decentralized power generation facility for the supply of electrical power into a power supply network. 
	However, the Examiner is taking Official Notice that this is an obvious, interchangeable variation of non-functional descriptive material. The limitation merely names a type of client in a manner that does not affect how the invention would operate.

As Per Claim 12: The rejection of claim 11 is incorporated and further Baugher et al. teaches:
- the local client system has a key derivation unit, by means of which the sub-group key for the client devices of the local client system is derived. 
	(Baugher et al., Column 6 Line 65 – Column 7 Line 6, “In block 210, at the time that a data-security session is commenced, a first group member derives a data-security session key from the group key. Techniques for key derivation are described further below. In block 212, the first group member encrypts packets in a message directed to a second group member using the data-security session key that the first group member derived. In block 214, the first group member sends the encrypted packets to the second group member.”).

As Per Claim 13: The rejection of claim 12 is incorporated and further Baugher et al. teaches:
- the client system is allocated to a particular sub-group of M sub-groups ranked in a hierarchy for the group of client systems, wherein the sub-group key for the client devices of the client system allocated to the specific sub-group is derived by means of the key derivation unit of the client system. 

Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over United States Patent No.: US 7,234,058 B1 (Baugher et al.) in view of United States Patent Application Publication No.: US 2018/0255146 A1 (Aston et al.).

As Per Claim 5: The rejection of claim 4 is incorporated and further Baugher et al. teaches:
- and a validity period of the first-order sub-group key. 
	(Baugher et al., Column 13, Lines 8-20, “The encryption type value 802 identifies the type of encryption that is used and may have values specifying DES, triple DES, AES, etc. The hash algorithm value 804 identifies the kind of hash algorithm that is used and may have values specifying SHA-1, MD5, etc. The DH Groups value 806 signifies the Diffie-Hellman group value as defined by RFC 2412 ("The OAKLEY Key Determination Protocol") and may have values of "1," "2," "5," etc. The TEK key lifetime value 808 specifies a maximum validity period for the TEK key. The authentication method value 810 specifies the 

Baugher et al. does not explicitly teach the following limitation however Aston et al. in analogous art does teach the following limitation:
- the additional derivation parameter is a publish-subscribe-system-based parameter, which is indicative of a communication direction within the publish-subscribe system, a key usage within at of the publish-subscribe system
	(Aston et al., Abstract, “To represent the indirect lifecycle binding between the validity of data for a given topic, and the presence of sessions responsible for updating the data associated with that topic, sessions may register a policy referred to herein as a "session will" against specific nodes in the topic tree maintained by a data distribution system server. A session will binds the lifecycle of the topic node to that of the registering session. When a session that is responsible for updating a particular topic is disconnected, the data distribution system server initiates actions in accordance with the session will to determine how to manage updating the topic and the sub -topics in the topic path.”).
	(Aston et al., Paragraph [0014], “The data distribution system server 104 hosts publisher applications, manages connections from clients 114, pushes data to clients 108 through message queues, and manages the life cycle of data for a given topic received by a control client 108D. When sessions responsible for updating the data associated with a topic are interrupted or terminated, the data distribution system server 104 applies a policy referred to herein as a "session will" against a topic path in the topic tree maintained by a data distribution system server 104. A session will binds the lifecycle of the topic node included in the specified topic path to that of the registering session. When a session that is responsible for updating a topic included in the topic path is disconnected, the data distribution system 
	(Aston et al., Paragraph [0029], “The hierarchy index 304 is an abstract data structure maintained by the data distribution system server 104 that shadows the topic tree 208, but provides a sparse representation based purely on branch paths optimized for efficient lookup. The hierarchy index includes pairs of keys and values, where a key corresponds to a path in the topic tree 208 and the value corresponds to a value assigned to the path. For example, in the embodiment shown in FIG. 3, the hierarchy index maps three keys corresponding to three paths within the topic tree 208 to three integer values. The paths are represented by one or more letters corresponding to one or more nodes, with a "/" used to separate nodes in a path, such as paths "a/b" 306A, "a/b/c/d" 308A, and "x/y" 310A. Path "a/b" 306A is mapped to integer value "1" 306B; path "a/b/c/d" 308A is mapped to integer value "2" 308B; and path "x/y" 310A is mapped to integer value "3" 310B.”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Aston et al. into the method of Baugher et al., as Aston et al. teaches a particular, interchangeable sub-variation of Baugher et al.’s method.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BENJAMIN A KAPLAN whose telephone number is (571)270-3170. The examiner can normally be reached on 9:00 a.m. - 5:00 p.m.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand, can be reached on (571)272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BENJAMIN A KAPLAN/Examiner, Art Unit 2434