DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Priority
This application discloses and claims only subject matter disclosed in prior application no. 15/699,553, filed 09/08/2017, and names the inventor or at least one joint inventor named in the prior application. Accordingly, this application may constitute a continuation.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 6-16, 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Ahuja et al (US 20140194094 A1) in view of Hsu (US 5,584,023B2).

With regards to claim 1, Ahuja discloses, A method for data encryption or decryption at a multi-tenant database server, comprising: 
intercepting, at a kernel module of the multi-tenant database server (FIG 1 and associated text; [0055]; Still further, portions of a hosted application can be executed by a system call and a data set associated with the system call (FIG 9A 905 and associated text; ); 
determining, at the kernel module of the multi-tenant database server (FIG 1 and associated text; [0055]; Still further, portions of a hosted application can be executed by a user working directly at a server hosting the application, as well as remotely at a client.), that the data set associated with the system call is marked for encryption ([0048] In the example of FIG. 9A, system calls can be monitored 905, for instance, by a security module interfacing with a kernel, such as an LSM. A particular system call can be intercepted 910 that relates to I/O functionality of the mobile computing device. A DLP agent on the mobile computing device can be queried for DLP policies applicable to the intercepted system call. In some instances, a DLP agent can be queried for each system call monitored by security module. In other examples, a security module can filter which system calls are intercepted and communicated to the DLP agent based upon logic and rules accessible to the security module, such as system calls that likely relate to I/O functionality of the mobile computing device and relate to DLP goals and/or policies for the device, among other examples [0065] In one example, the DLP enforcement action includes causing data to be input or output in connection with the particular system call to be encrypted.  ); 
Ahuja does not exclusively but Hsu teaches, 
identifying, at the kernel module of the multi-tenant database server, a tenant identifier associated with the data set (Hsu Col 8 ; Table III; Process with P_uid); 
retrieving a tenant specific encryption key based at least in part on the tenant identifier associated with the data set (Col 22 line 0-10; The key-based transparent file encryption system of claim 13 wherein the encryption and decryption of said predetermined file by said encryption routine is dependant on said predetermined password as an encryption key.  FIG 4A 54 and associated text;  Col 10 line 10-25; ); and 
performing, at the kernel module of the multi-tenant database server and based at least in part on the identified system call, an encryption process on the data set with the tenant specific encryption key (Col 10 line 10-25; The ioctl system call specific to the device driver of the present invention is issued by a simple application program also specific to the present invention. The application program provides a simple user interface to obtain a password key for validating the encryption and decryption of data files protected by the present invention.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify Ahuja’s method with teaching of Hsu in order to secure transfer data in storages (Hsu Abstract).

Claims 16 and 20 are device and product claims corresponding to the method claim and are also rejected accordingly.

With regards to claim 6, Ahuja in view of Hsu discloses, wherein determining that the data set associated with the system call is marked for encryption is based at least in part on a directory that the data set is associated with (Hsu Col 6 line 45 to 67; Consequently, the open, create, read, write, seek, stat and close system call procedures the protection mode, owner, user group and size of a particular data file. A summary of an inode entry, as stored on disk, is provided in Table II.). Motivation would be same as stated in claim 1, 16.

With regards to claim 7, Ahuja in view of Hsu discloses, wherein the tenant specific encryption key is based at least in part on a cryptographic nonce associated with the data set (Hsu Col 11 line 45-67; The user provided password key is used in conjunction with a predefined seed table to create, by index value substitution, an encryption table 56 that is stored in the alpha structure SO. The seed table, preferably included as a predefined element of the device driver of the present invention, preferably consists of 256 randomly ordered unique byte values. In the preferred embodiment of the present invention a shuffle function 54 is implemented to generate the process specific encryption table 56. The preferred shuffle function provides for a modulo four progressive recalculation of values based on the byte values of the password key and the seed table. Pls see Table V). Motivation would be same as stated in claim 1.

With regards to claim 8, 19 Ahuja in view of Hsu discloses, wherein at least a portion of the data set is stored in a page cache (Hsu col 5 line 63-67; FIG 5A and associated the encryption process is performed on the portion of the data set (Hsu col 10 line 9-15; The ioctl system call specific to the device driver of the present invention is issued by a simple application program also specific to the present invention. The application program provides a simple user interface to obtain a password key for validating the encryption and decryption of data files protected by the present invention.). Motivation would be same as stated in claim 1.

With regards to claim 9, Ahuja in view of Hsu discloses, wherein: the system call comprises a write command; and the encryption process comprises encrypting the data set based at least in part on the tenant specific encryption key (Hsu Col 15 line 50-65; In similar fashion, the write system call wrapper procedure is invoked to implement the functions of the present invention in connection with the writing of data to a regular file. Thus, when a user program invokes a write, specifically integrated as a call to the Unix "writei" file system switch call layer, the file enode structure and type are examined to determine whether the referenced file may be encrypted…. The encryption procedure used is that discussed in connection with FIG. 4a; Col 22 line 0-10; The key-based transparent file encryption system of claim 13 wherein the encryption and decryption of said predetermined file by said encryption routine is dependant on said predetermined password as an encryption key. FIG 4A 54 and associated text; Col 10 line 10-25;). Motivation would be same as stated in claim 1, 16.

With regards to claim 10, Ahuja in view of Hsu do not but well known in the art, storing an encryption key identifier in a file that is associated with the data set (Chang stores the encryption key ID within a header portion of the data file. The memory device 202 may also store encryption key ID data in a secure portion of the memory 208.).

With regards to claim 11, Ahuja in view of Hsu discloses, wherein: the system call comprises a read command; and the encryption process comprises decrypting the data set based at least in part on the tenant specific encryption key (Hsu Col 15 line 8-24; The read system call procedure 98, is then called to obtain the requested block of data. In the preferred embodiment, this call is preferably integrated at the Unix "readi" file system switch call level, which is one layer below the system call interface layer, to permit file system switch independent operation. The read system call procedure returns the requested data to a buffer typically located in the user data space pre-allocated by the requesting application program. However, the read system call wrapper procedure 96 may access this buffer location while continuing to execute in kernel mode. That is, conventional kernel subroutine calls permit the read system call wrapper procedure to obtain the location of the user space buffer filled as a consequence of the read system call procedure. If the file was authenticated as an encrypted file capable of decryption, the read system call wrapper procedure 96 decrypts the data in the user space read buffer; Col 22 line 0-10; The key-based transparent file encryption system of claim 13 

With regards to claim 12, Ahuja in view of Hsu do not but well known in the art, wherein the tenant specific encryption key comprises a symmetric encryption key (Chang [0058] In order for a user or application to gain access to protected content or a secure memory area of the memory 208, the memory device 202 may authenticate the user or application using a credential that may be pre-registered with the memory device 202 or pre-loaded within a secure area of the memory 208. The credential can include a symmetric key, a digital signature, a digital certificate, other indicia to provide authentication, or any combination thereof.).

With regards to claim 13, 14 Ahuja in view of Hsu do not but well known in the art, wherein performing the encryption process on the data set further comprises: using a cipher block chaining (CBC) block cipher mode; wherein performing the encryption process on the data set further comprises: using a counter (CTR) block cipher mode (Devanand [0080] FIG. 6 is a diagram of an example embodiment of a process for communicating protected content according to an example embodiment of the present invention. Part of that process is SKE. As shown at line 6a, SKE may begin with the top-level transmitter (e.g., processing system 20) generating the session key "KeyS." In one embodiment, processing system 20 generates KeyS as a random 128-bit value. As 

With regards to claim 15, Ahuja in view of Hsu do not but well known in the art, wherein the device driver comprises a file system in user space (FUSE) drive (Schmitdt [0125] PBA moves the infrastructural problem of platform validation to a TTP, similarly to, but extending the role of, the TCG's privacy certificate authority (CA). Another alternative is presented by the Nexus OS which builds on a minimal Trusted Computing Base (TCB) to establish strong isolation between user space and privileged programs. Nexus has secure memory regions and monitoring and enforcement machines to protect them. One application may be to move device drivers into user space.).

Claims 2, 17 are rejected under 35 U.S.C. 103 as being unpatentable over Ahuja et al (US 20140194094 A1) in view of Hsu (US 5,584,023B2) and further in view of Raiz et al (US 20020164025 A1).


With regards to claim 2, 17 Ahuja in view of Hsu teaches, wherein retrieving the tenant specific encryption key (Col 22 line 0-10; The key-based transparent file encryption system of claim 13 wherein the encryption and decryption of said predetermined file by said encryption routine is dependant on said predetermined password as an encryption key. FIG 4A 54 and associated text; Col 10 line 10-25;); also discloses, a key cache (Hsu FIG 4C 56; Seed table)
transmitting, the tenant identifier; and receiving, based at least in part on the tenant identifier, the tenant specific encryption key associated with the tenant identifier ([0010] In general, in another aspect, the invention features a method comprising (1) distributing without charge, copies of an application program online or on storage media, (2) enabling a user of one of the computers to choose among modes he wishes to run the application program, (3) in at least one of the chosen modes, enabling the user to run the application program without requiring the user to provide information about the user, (4) in at least another one of the chosen modes, requiring the user to self-register by providing information about the user in exchange for an authorization key that is associated with a unique identifier of the computer on which the application program is to run and which enables the application to be run in the chosen mode, the authorization key having a limited validity period.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify Ahuja in view of Hsu’s method with teaching of Raiz in order to secure transaction and restricting copying (Raiz [0002]).
Allowable Subject Matter
Claims 3-5, 18 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMED WALIULLAH whose telephone number is (571)270-7987.  The examiner can normally be reached on 8.30 to 430 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 1-571-272-8878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.