DETAILED ACTION
Responsive to the Applicant reply filed on 12/04/2020, Applicant’s respective arguments carefully considered and responded in following.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicants arguments, see independent claim 1 and Applicant’s Remarks, Page 7-9, Applicant's arguments filed 12/04/2020, see independent claim 1 and Applicant’s Remarks Page 7-9, have been fully considered but they are not persuasive.
In response to applicant's argument regarding
“Mazur does not teach, and the Office Action fails to identify, any network device(s) intermediary between for instance the proxy (or any service node) and the server. Because Mazur does not teach or suggest any such network devices intermediary between the service node and the server1, Mazur necessarily fails to teach or suggest "the at least one network device including a first network device that shares a first cryptographic context with the service node, the first cryptographic context existing prior to establishment of the end-to-end cryptographic context ... " as recited in Claim 1. Further, Mazur does not contemplate any cryptographic context existing prior to establishment of an end-to-end cryptographic contexts2, much less a cryptographic context between the service node and the first network device.”

Examiner respectfully disagrees with the argument1 above. The network devices in Claim 1 are indefinite because they do not appear features as a hardware or software in the limitation. After review of the specification, there is no section that defines any of them as hardware. In some instance, only examples of hardware are provided but it is not limited. 
First, if they are interpreted as a hardware, MaZur discloses “FIG. 4 illustrates the basic operation of a known man-in-the-middle (MITM) device 400 for intercepting, decrypting and inspecting secure network communications according to a known technique” (¶0040, Emphasis added). Although FIG. 4 illustrates the basic operation for the device, MaZur specifically network devices” recited in Claim 1] within distributed data processing system 100”. 
Second, if they are interpreted as a software, MaZur discloses component a server process Xcs 408 and a client process Xss 406 having distinct connections, one between the client 402 and Xcs 408, and the other between Xss 406 and the server 404 (See FIG. 4 and ¶0041-0042).  For the reasons stated above, Examiner recommended further clarify and limiting the scope of the independent claim to emphasize the inventive concepts. 
Third, Examiner also respectfully disagrees with the argument2 above. In contract to Secure Sockets Layer (SSL) protocol or Transport Layer Security (TLS), the end-to-end cryptographic contexts does not describe a particular technology or dictate certain protocols, it only describes the way a system is designed (Emphasis added). As noted in the Non-Final Office Actin mailed on 09/04/2020 Page 3-4, MaZur discloses HTTP over SSL which protects against man-in-the-middle attacks, and the bidirectional encryption of communications between a client and server protects the communications against eavesdropping and tampering. Even though MaZur does not explicitly recite “end-to-end cryptographic contexts”, SSL is a cryptographic protocol that provides end-to-end encryption and integrity for all web requests since it is possible to use the public key to encrypt a message that can only be decrypted with the private key (Emphasis added). Although strikethrough is used for enhancing the obviousness of rejections, Examiner asserts that MaZur disclose argument2 above. As noted previously in responding argument1, the network provides communication line [analogous to “sharing”] between various devices and computers or Xcs 408 and Xss 406 are distinct connections. The device 400 provides a transparent (or man-in-the-middle, analogous to “service node”) proxy between the client 402 and the server 404 in the network. Based on the a first cryptographic context” prior to establishment of the e2e cryptographic context] against a configured policy preferably occurs prior to initiating any key exchange or transfer of any other cryptographic information to the server with respect to the new session (See ¶0010, Emphasis added). Therefore, given the broadest reasonable interpretation, one of ordinary skill in the art would attempt to modify MaZur’s man-in-the-middle (MITM) device 400 as “service node intermediary” in the claimed manner.
In response to applicant's argument regarding
“Mazur fails to contemplate both a first cryptographic context and an end-to-end cryptographic context, and therefore cannot teach or suggest transmitting a message using the first cryptographic context to inform the first network device to pass traffic that is encrypted using the end-to-end cryptographic context through the first network device”

Examiner respectfully disagrees with the argument above. As stated previously, the end-to-end cryptographic contexts does not describe a particular technology or dictate certain protocols. Examiner also considered the concept of “End to End Encryption” wisely accepted in the art (Non-Final Office Actin mailed on 09/04/2020 Page 4 line 22- Page 5 line 3), Examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art. Blom, secondary reference, discloses utilizing of SRTP or SRTCP for network communications using the cryptographic context (secure RTP similar to SSL, See ¶0003-0004) and an e2e encryption (See ¶0011, Emphasis added). Blom disclose “The e2e protected media might also be further integrity protected hop-by-hop (using SRTP) between the senders and the intermediate node 1, and so the used security parameters are associated with a hop-by-hob (hbh) context” (See ¶0050-0058, e2e encryption).
In response to applicant's argument regarding


Examiner recognizes that obviousness since the intermediate node 1 between senders and a receiver is analogous to “Service node” in the claimed manner. As noted previously, Blom discloses utilizing of SRTP or SRTCP for network communications using the cryptographic context and an end-to-end cryptographic context. In paragraph 0006, Blom discloses “The term “hop” is used herein to denote a logical link between two logically adjacent nodes in a network.” For example, each function 6-10 within the intermediate node 1 in FIG. 12 may interpreted as “Network device” in the claimed manner. As noted previously, Blom disclose “The e2e protected media might also be further integrity protected hop-by-hop (using SRTP) between the senders and the intermediate node 1, and so the used security parameters are associated with a hop-by-hob (hbh) context”. In paragraph 0038, Blom discloses “An intermediate node (having logically adjacent nodes in a network) resends/forwards to a receiver [analogous to “first network device”] at least one e2e encrypted stream from one or more senders [analogous to “server”] together with hop-by-hop encrypted media that the intermediate node has access to.” Given the broadest reasonable interpretation, one of ordinary skill in the art would attempt to modify Blom’s intermediate node 1 as “service node intermediary” in the claimed manner.
For the reasons stated above, Examiner respectfully disagrees with Applicant’s arguments regarding L'Heureux and asserts that the combination of MaZur, Blom and L'Heureux renders the claim limitations obvious before the effective date of the claimed invention.
Conclusion: The rejection of independent claims 1 as obvious over MaZur in view of Blom is, therefore, maintained. While of a different scope, independent claim 11 recites similar 
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 2, 4-6, 8-12, 14-16 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over MaZur et al. (US 20160127414 A1 hereinafter MaZur) in view of Blom et al. (US 20110093609 A1 hereinafter Blom).
Regarding claim 1, (Original) MaZur discloses using of Secure Sockets Layer (SSL) and/or Transport Layer Security (TLS)-based encryption for network communications (See par. 0006). SSL stands for Secure Sockets Layer and, in short, it is the standard technology for keeping an internet connection secure and safeguarding any sensitive data that is being sent between two systems, preventing criminals from reading and modifying any information transferred, including potential personal details. It uses encryption algorithms to scramble data in transit, preventing hackers from reading it as it is sent over the connection. This information could be anything sensitive or personal which can include credit card numbers and other financial information, names and addresses. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) or, formerly, Secure Sockets Layer (SSL). The protocol is therefore also referred to as HTTP over TLS, or HTTP over SSL. Therefore, it protects against man-in-the-middle attacks, and the bidirectional encryption of communications between a client and server protects the communications against eavesdropping and tampering.

a service node intermediary between a client and a server, in communication with at least one network device intermediary between the service node and the server (Fig. 4, 400; Fig. 5, 500; par. 0040, FIG. 4 illustrates the basic operation of a known man-in-the-middle (MITM) device 400 for intercepting, decrypting and inspecting secure network communications according to a known technique), the server providing a service to the client via the service node and the at least one network device (Fig. 1, 104 and 106; par. 0021, server 104 provides data, such as boot files, operating system images, and applications to the clients 110, 112, and 114), the service node configured to (Fig. 4, 400, par. 0041, the device 400 is connected between a client 402 and a server 404): 
obtain information to validate the service (par. 0042, the Xcs component reads the client hello, interprets the data, and responds to the client 402, typically with a server hello, a certificate [See details in par. 0037], and a server done message); 
establish, responsive to validating the service, an  (par. 0041, the device 400 provides a transparent (or man-in-the-middle) proxy between the client 402 and the server 404 by creating and managing two (2) separate SSL/TLS sessions, one as a client process Xss 406 to the target server 404, and another as a server process Xcs 408 to the initiating client 402), the at least one network device including a first network device that shares a first cryptographic context with the service node, the first cryptographic context existing prior to  (par. 0010, A new session is then established at the server-facing client component, preferably by initiating an SSL instance to the server, placing the session initiation request message (received from the client) in the SSL instance, and then configuring a cryptographic context for the new prior to initiating any key exchange or transfer of any other cryptographic information to the server with respect to the new session). 
Although, MaZur teaches “transmit a message to the first network device encrypted using the first cryptographic context”(par. 0036, Cryptographic protocols such as SSL are often based on public key cryptographic systems, such as the RSA (Rivest, Shamir and Adelman) encryption algorithm), but it does not explicitly discloses, “establishment of the end- to-end cryptographic context” and “transmit a message to the first network device encrypted using the first cryptographic context, to inform the first network device to pass traffic that is encrypted using the end-to-end cryptographic context through the first network device.” 
MaZur discloses using of Secure Sockets Layer (SSL) and/or Transport Layer Security (TLS)-based encryption for network communications including the cryptographic context as stated above, while Blom, in a same field of endeavor, discloses utilizing of SRTP or SRTCP for network communications using the cryptographic context (See par. 003) and an end-to-end cryptographic context (See par. 0011, e2e encryption). The e2e encryption stands for End To End encryption, in short, it is a well-known technology for encrypting the data at the point of creation and only decrypting it at the point of use. It is called “End To End” since transmitted messages are not decrypted and re-encrypted at intermediate points.
Blom further discloses the system, wherein establishment of the end- to-end cryptographic context (par. 0038, An intermediate node resends/forwards to a receiver at least one e2e encrypted stream from one or more senders together with hop-by-hop encrypted media that the intermediate node has access to);
transmit a message to the first network device encrypted using the first cryptographic context, to inform the first network device to pass traffic that is encrypted using the end-to-end cryptographic context through the first network device (par. 0005, Utilization of SRTP or SRTCP is optional to utilization of RTP or RTCP; but even if SRTP/SRTCP are used, all provided features (such as encryption and authentication) are optional and can be separately enabled or disabled; par. 0006, each hop at an intermediate node (such as a Store and Forward Server) should be integrity protected; par. 0011, The context may be determined using the Synchronization source (SSRC) used by a media data source node in e2e encryption direct to the receiver node (termed SSRC_e2e); par. 0050, Note that the protected media may traverse several intermediate nodes, and integrity protection may be required for each hop; Fig. 12-13; par. 0083, The intermediate node 1 has a receiver 6 for receiving at least one secured media stream via SRTP session(s). … A first transmitting function 9 is provided for sending the second secured media stream using an SRTP session to the receiver node 5, and a second transmitting function 10 is provided for sending the end-to-end context identifier and the hop-by-hop context identifier to the receiver node 5; par. 0084, a receiving node 5, provided with a first receiver 12 for receiving the context identifiers. A second receiver 13 is provided for receiving the secured multiplexed protected media stream using an SRTP session, and a processor 14 is provided for using the context identifiers to demultiplex the received protected media stream. A further media handling function 15 is provided for decrypting and otherwise handling the demultiplexed protected media streams). 
It would have been obvious to one of ordinary skill in the art before the effective filing data of the claimed invention to combine the teachings of MaZur with Blom, to provide the End to End Encryption since it may reduce Man in the middle attacks since fewer systems handle plain text data.

Regarding claim 2, (Original) MaZur in view of Blom teaches all elements of the current invention as stated in claim 1. MaZur further discloses the system of claim 1, wherein the service node is configured to (Fig. 1 and 4): 
transmit to the first network device a first handshake message encrypted using the first cryptographic context (par. 0042, following an initial TCP handshake (not shown), the client 402 generates the SSL/TLS session initiation request (the Client Hello) to begin the SSL/TLS handshake to the server. This is step 1. The proxy intercepts this connection and directs it to the client-facing server component Xcs 408); 
cause the first network device to decrypt the encrypted first handshake message using the first cryptographic context, and to encrypt the decrypted first handshake message using a second cryptographic context shared with a second network device of the at least one network device, for transmission to the second network device (par. 0036, Cryptographic protocols such as SSL are often based on public key cryptographic systems, such as the RSA (Rivest, Shamir and Adelman) encryption algorithm; par. 0040, FIG. 4 illustrates the basic operation of a known man-in-the-middle (MITM) device 400 for intercepting, decrypting and inspecting secure network communications according to a known technique; par. 0042, In step 3, a brand new SSL connection is configured and setup inside the appliance. This is a server facing connection that is initiated by the Xss. The Xss then generates a new client hello (referred to here as ClientHello2 to distinguish it from the ClientHello in step 1. … As a result, there are two (2) distinct connections, one between the client 402 and Xcs 408, and the other between Xss 406 and the server 404), and sends the (new) client hello to the server); 
receive a second handshake message from the first network device encrypted using the first cryptographic context (par. 0042, following an initial TCP handshake (not shown), the client 402 generates the SSL/TLS session initiation request (the Client Hello) to begin the SSL/TLS handshake to the server. … At step 2, the Xcs component reads the client hello, interprets the ); 
decrypt the encrypted second handshake message using the first cryptographic context (par. 0040, FIG. 4 illustrates the basic operation of a known man-in-the-middle (MITM) device 400 for intercepting, decrypting and inspecting secure network communications according to a known technique).
Blom further discloses the system, wherein establish the end-to-end cryptographic context using information in at least one of (Fig. 4): the decrypted first handshake message or the decrypted second handshake message (par. 0011, The context may be determined using the Synchronization source (SSRC) used by a media data source node in e2e encryption direct to the receiver node (termed SSRC_e2e); Fig. 12-13; par. 0083, The intermediate node 1 has a receiver 6 for receiving at least one secured media stream via SRTP session(s). … A first transmitting function 9 is provided for sending the second secured media stream using an SRTP session to the receiver node 5, and a second transmitting function 10 is provided for sending the end-to-end context identifier and the hop-by-hop context identifier to the receiver node 5; par. 0084, a receiving node 5, provided with a first receiver 12 for receiving the context identifiers. A second receiver 13 is provided for receiving the secured multiplexed protected media stream using an SRTP session, and a processor 14 is provided for using the context identifiers to demultiplex the received protected media stream. A further media handling function 15 is provided for decrypting and otherwise handling the demultiplexed protected media streams).

Regarding claim 4, (Original) MaZur in view of Blom teaches all elements of the current invention as stated in claim 1. MaZur further discloses the system of claim 1, wherein the service node is configured to validate the service using information about a parameter uniquely associated with the service, the information obtained through one or more packets from the client (par. 0036, For a traditional RSA-based SSL session, the two sides of a connection agree 

Regarding claim 5, (Original) MaZur in view of Blom teaches all elements of the current invention as stated in claim 1. MaZur further discloses the system of claim 1, wherein the service node is configured to validate the service by authenticating the service (par. 0006, the vast majority of SSL/TLS communications use only server authentication, i.e., the server is authenticated via the SSL/TLS protocols to the client, but the client is unauthenticated with respect to the server. This authentication asymmetry provides the opportunity for a process to interpose itself between client and server in such a way as to enable decryption of communications and inspection of its contents).

Regarding claim 6, (Original) MaZur in view of Blom teaches all elements of the current invention as stated in claim 1. Blom further discloses the system of claim 1, wherein the service node is configured to transmit the encrypted message to the first network device, to cause the first network device to decrypt the message using the first cryptographic context, and to receive an indication from the decrypted message, that the first network device is to pass traffic that is encrypted using the end-to-end cryptographic context through the first network device (par. 0005, Utilization of SRTP or SRTCP is optional to utilization of RTP or RTCP; but even if SRTP/SRTCP are used, all provided features (such as encryption and authentication) are optional and can be separately enabled or disabled; par. 0006, each hop at an intermediate node (such as a Store and Forward Server) should be integrity protected … the keys necessary to decrypt the media or calculate/modify end-to-end (e2e) integrity protection should not be available to the intermediate node, to prevent the intermediate node from manipulating or having access to the plaintext media data; par. 0050, Note that the protected media may traverse several intermediate nodes, and integrity protection may be required for each hop; par. context identifiers [indication from the decrypted message]. A second receiver 13 is provided for receiving the secured multiplexed protected media stream using an SRTP session, and a processor 14 is provided for using the context identifiers to demultiplex the received protected media stream. A further media handling function 15 is provided for decrypting and otherwise handling the demultiplexed protected media streams; par. 0076, Mapping information between Context Identifiers C, SSRCs and contexts (as well as other information such as codec types) is typically sent from the intermediate node 1 to the receiver 5 before any SRTP/SRTCP is sent; par. 0079, The intermediate node determines end-to-end and hop-by-hop Context identifiers (based on eSSRC and/or C-values) [See details in par. 0065], the Context identifiers identifying the secured media stream).

Regarding claim 8, (Original) MaZur in view of Blom teaches all elements of the current invention as stated in claim 1. Blom further discloses the system of claim 1, wherein the service node is configured to transmit the encrypted message to the first network device, to cause the first network device to pass traffic that is encrypted using the end-to-end cryptographic context through the first network device, without decrypting or re-encrypting the traffic at the first network device (par. 0047, It is required for an intermediate node to be able to resend protected RTP media received as part of a plurality of SRTP sessions using a second SRTP session that is independent of the SRTP session(s) that were used when the intermediate node received the without having to decrypt and re -encrypt the media, in particular without requiring the intermediate node to have access to the plaintext data; par. 0050, Note that the protected media may traverse several intermediate nodes, and integrity protection may be required for each hop; par. 0011, The context may be determined using the Synchronization source (SSRC) used by a media data source node in e2e encryption direct to the receiver node (termed SSRC_e2e)).

Regarding claim 9, (Original) MaZur in view of Blom teaches all elements of the current invention as stated in claim 1. MaZur further discloses the system of claim 1, wherein the service node is configured to 
receive an acknowledgment message from the first network device, the acknowledgment message responsive to the encrypted message and an acknowledgment message received by the first network device (par. 0047, As is well-known, the TLS standard (RFC 2246) requires that, as a final step in the handshaking process, both the client and server agree on a hash of all handshake messages. This hash is commonly known as the handshake message authentication code (HMAC). SSL/TLS instances implement the HMAC calculation/checking functions required to comply with the TLS standard. In the disclosed technique described above, HMAC integrity is achieved by propagating the original client hello (instead of a new client hello that would otherwise be generated), and by installing the original client hello in Xss).

Regarding claim 10, (Original) MaZur in view of Blom teaches all elements of the current invention as stated in claim 9. Blom further discloses the system of claim 9, wherein the service node is further configured to transmit to the first network device traffic that is encrypted using the end-to-end cryptographic context (par. 0006, each hop at an intermediate node (such as a Store and Forward Server) should be integrity protected; par. 0050, Note that the protected 
MaZur further discloses  the system, wherein responsive to receiving the acknowledgment message from the first network device (par. 0047, HMAC integrity is achieved by propagating the original client hello (instead of a new client hello that would otherwise be generated), and by installing the original client hello in Xss. By doing so, when the original TLS connection is resumed, the client and server HMAC will agree; in the case that the MITM process does not resume the original connection (but, rather, decides to keep inspecting the connection as in the prior art, the HMACs must also agree, and they do if the client hello is installed in the Xss).

Regarding claim 11, (Original) MaZur discloses using of Secure Sockets Layer (SSL) and/or Transport Layer Security (TLS)-based encryption for network communications (See par. 0006). SSL stands for Secure Sockets Layer and, in short, it is the standard technology for keeping an internet connection secure and safeguarding any sensitive data that is being sent between two systems, preventing criminals from reading and modifying any information transferred, including potential personal details. It uses encryption algorithms to scramble data in transit, preventing hackers from reading it as it is sent over the connection. This information could be anything sensitive or personal which can include credit card numbers and other financial information, names and addresses. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) or, formerly, Secure Sockets Layer (SSL). The protocol is therefore also referred to as HTTP over TLS, or HTTP over SSL. Therefore, it protects against man-in-the-middle attacks, and the bidirectional encryption of communications between a client and server protects the communications against eavesdropping and tampering.

receiving, by a service node intermediary between a client and a server, information to validate a service that the server provides to the client via the service node and at least one network device, the at least one network device intermediary between the service node and the server (par. 0010, A new session is then established at the server-facing client component, preferably by initiating an SSL instance to the server, placing the session initiation request message (received from the client) in the SSL instance, and then configuring a cryptographic context for the new session. This sequence for creating the new session reverses the usual operation of the server-side component (namely, initiating the SSL instance, configuring a cryptographic context, and then issuing to the server a new client hello)); 
establishing, by the service node responsive to validating the service, an prior to initiating any key exchange or transfer of any other cryptographic information to the server with respect to the new session).
Although, MaZur teaches “transmitting a message to the first network device encrypted using the first cryptographic context”(par. 0036, Cryptographic protocols such as SSL are often based on public key cryptographic systems, such as the RSA (Rivest, Shamir and Adelman) encryption algorithm), but it does not explicitly discloses, “transmitting, by the service node, a message to the first network device encrypted using the first cryptographic context, to inform the first network device to pass traffic that is encrypted using the end-to-end cryptographic context through the first network device.”
MaZur discloses using of Secure Sockets Layer (SSL) and/or Transport Layer Security (TLS)-based encryption for network communications including the cryptographic context as stated above, while Blom, in a same field of endeavor, discloses utilizing of SRTP or SRTCP for network communications using the cryptographic context (See par. 003) and an end-to-end cryptographic context (See par. 0011, e2e encryption). The e2e encryption stands for End To End encryption, in short, it is a well-known technology for encrypting the data at the point of creation and only decrypting it at the point of use. It is called “End To End” since transmitted messages are not decrypted and re-encrypted at intermediate points.
Blom further discloses the system, wherein establishment of the end- to-end cryptographic context (par. 0038, An intermediate node resends/forwards to a receiver at least one e2e encrypted stream from one or more senders together with hop-by-hop encrypted media that the intermediate node has access to);
transmitting, by the service node, a message to the first network device encrypted using the first cryptographic context, to inform the first network device to pass traffic that is encrypted using the end-to-end cryptographic context through the first network device (par. 0005, Utilization of SRTP or SRTCP is optional to utilization of RTP or RTCP; but even if SRTP/SRTCP are used, all provided features (such as encryption and authentication) are 
It would have been obvious to one of ordinary skill in the art before the effective filing data of the claimed invention to combine the teachings of MaZur with Blom, to provide the End to End Encryption since it may reduce Man in the middle attacks since fewer systems handle plain text data.

Regarding claim 12, it is a method claim that corresponds to the claim 2. Therefore, the claim is rejected for at least the same reasons as the system of claim 2.

Regarding claim 14, it is a method claim that corresponds to the claim 4. Therefore, the claim is rejected for at least the same reasons as the system of claim 4.

Regarding claim 15, it is a method claim that corresponds to the claim 5. Therefore, the claim is rejected for at least the same reasons as the system of claim 5.

Regarding claim 16, it is a method claim that corresponds to the claim 6. Therefore, the claim is rejected for at least the same reasons as the system of claim 6.

Regarding claim 18, it is a method claim that corresponds to the claim 8. Therefore, the claim is rejected for at least the same reasons as the system of claim 8.

Regarding claim 19, it is a method claim that corresponds to the claim 9. Therefore, the claim is rejected for at least the same reasons as the system of claim 9.

Regarding claim 20, it is a method claim that corresponds to the claim 10. Therefore, the claim is rejected for at least the same reasons as the system of claim 10.


Claims 3, 7, 13 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over MaZur et al. (US 20160127414 A1 hereinafter MaZur) in view of Blom et al. (US 20110093609 A1 hereinafter Blom) as applied to independent claims 1 and 11 above, and further in view of L'Heureux et al. (US 20140259147 A1 hereinafter L'Heureux).

Regarding claim 3, (Original) MaZur in view of Blom teaches all elements of the current invention as stated above except “using information about a pre-shared key (PSK), or validating ownership of a public key associated with the service.”
In a same field of endeavor,  L'Heureux  further discloses the system of claim 1, wherein the service node is configured to validate the service by at least one of: using information about pre-shared key (PSK), or validating ownership of a public key associated with the service (par. 0154, One example of a challenge could be to recall the packet with a particular sequence number, and hashing that with a preshared secret. In this way, the queried device would have to both maintain a history of conversation with other devices, and be able to present a preshared key).
It would have been obvious to one of ordinary skill in the art before the effective filing data of the claimed invention to combine the teachings of MaZur and Blom with L'Heureux, to provide the preshared key since devices spoofing or impersonating the identity of others would not be able to respond with the correct data, and their rogue nature could be revealed (par. 0154).

Regarding claim 7, (Original) MaZur in view of Blom teaches all elements of the current invention as stated above except “the service node is configured to transmit the encrypted message to the first network device, to further cause the first network device to encrypt the decrypted message using a second cryptographic context shared with a second network device of the at least one network device, for transmission to the second network device.”
Blom further discloses the system of claim 6, wherein the service node is configured to transmit the encrypted message to the first network device, to further cause the first network device to encrypt the decrypted message using a second cryptographic context shared with a second network device of the at least one network device, for transmission to the second network device (par. 0051, 3. Smart router 110 may be configured to apply encryption, decryption, protocol translation, or other suitable processing to communications between clients of LAN 190 and server devices of WAN 180; Fig. 15, At 310, the method may include receiving communications from clients over a LAN encrypted according to the LAN-side encryption scheme. At 312, the method may include decrypting the communications received over the LAN from the LAN-side encryption scheme and/or encrypting communications received over the LAN 
It would have been obvious to one of ordinary skill in the art before the effective filing data of the claimed invention to combine the teachings of MaZur and Blom with L'Heureux, to provide the suitable processing to communications between clients of LAN and server devices of WAN since supporting encryption/security protocols have the protocols applied to communications passed from LAN to the WAN by the routers.

Regarding claim 13, it is a method claim that corresponds to the claim 3. Therefore, the claim is rejected for at least the same reasons as the system of claim 3.

Regarding claim 17, it is a method claim that corresponds to the claim 7. Therefore, the claim is rejected for at least the same reasons as the system of claim 7.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure
SYSTEMS AND METHODS FOR REDIRECT HANDLING (US 20150341466 A1): (¶00126) The second transport layer connection may be a pooled transport layer 
SECURED ACCESS TO RESOURCES USING A PROXY (US 20140331297 A1): (¶0085) The receiver 604 may facilitate these network connections by providing suitable time limited secondary credentials obtained following online authentication. Multiple modes of network connection may be used, such as reverse web proxy connections and end-to-end VPN-style tunnels 618
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANDREW SUH whose telephone number is (571)270-5524.  The examiner can normally be reached on campus 9:00 AM- 4:30 PM, alternate Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/A.S./            Examiner, Art Unit 2493                                  

/CARL G COLIN/            Supervisory Patent Examiner, Art Unit 2493