DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-5, 7-9, 11, 13, 15-16 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over McDougal, publication number: US 2009/0327733 in view of Kako, publication number: US 2014/0289532.

As per claim 1, McDougal teaches a method of secure data packet transmission over a packet-switched communications network, the method comprising:
receiving a data packet over the packet-switched network, the data packet having a hash-based message authentication code (HMAC) appended thereto (packets and hashes, 110b, [0005][0020]);

forwarding the data packet to a destination address if the HMAC appended to the data packet satisfies the validity condition (Forwarding validated packets, [0020][0037]); and
discarding the data packet if the HMAC appended to the data packet does not satisfy the validity condition (Forwarding only validated packets, [0027][0020][0037]).

McDougal does not teach determining one or more valid expiring HMACs based on at least a seed value and a current clock time;

In an analogous art, Kako teaches determining one or more valid expiring HMACs based on at least a seed value and a current clock time (signature being based on a key and valid term, Fig. 5 and 6, [0085-0089]).

Therefore, it would have been obvious to modify McDougal’s hash authenticating system to include a time based hash as described in Kako’s validity determining system 

As per claim 2, the combination teaches further comprising:
stripping the HMAC appended to the data packet before forwarding the data packet to the destination address (McDougal: stripping, [0020][0037]).

As per claim 3, the combination teaches wherein the expiring HMAC is appended to a data payload of the data packet (McDougal: attaching signature, Fig. 2B, [0031-0033]).

As per claim 4, the combination teaches wherein the expiring HMAC is inserted into a header of the data packet (McDougal: header, [0037]).

As per claims 5, 9 and 18, the combination teaches wherein the validation condition is based at least in part on matching a universally unique identifier (UUID) of a client from which the data packets originate (Kako: source address, Fig. 7, [0091]).


As per claim 7, the combination teaches wherein the expiring HMAC is included in a dedicated network protocol layer inside the data packet (McDougal: header, [0037]).

	As per claim 8, McDougal teaches an expiring hash-based message authentication code (HMAC) firewall system, the firewall system comprising:
a first network interface that receives data packets from, and sends data packets to, a public packet-switched network (Guards 110, Fig. 1A, [0014]);
an HMAC packet validator that receives incoming data packets from the public packet-switched network and determines whether an HMAC appended to each data packet satisfies a validity condition based on the one or more valid HMACs, the HMAC packet validator sending data packets to a second network interface if the HMAC of the data packet satisfies the validity condition and discarding data packets if the HMAC of the data packets do not satisfy the validity condition (comparing hashes to determine validity, [0027][0037]); and
an HMAC data packet appender that appends a valid HMAC to data packets received from the second network interface and forwards the data packets received from the second network interface to the first network interface for transmission on the public packet-switched network (Guard 110a [0020][0022][0025]).

	McDougal does not teach a current valid expiring HMAC generator that generates one or more valid HMACs, the one or more HMACs being deterministically calculated based on a seed value and a time factor;

In an analogous art, Kako teaches a current valid expiring HMAC generator that generates one or more valid HMACs, the one or more HMACs being deterministically calculated based on a seed value and a time factor (signature being based on a key and valid term, Fig. 5 and 6, [0085-0089]).

Therefore, it would have been obvious to modify McDougal’s hash authenticating system to include a time based hash as described in Kako’s validity determining system for the advantages of adding an extra layer of security to the validation system of McDougal.

As per claim 11, the combination teaches wherein the known sender includes a secure hardware enclave for determining valid expiring HMACs (Guard, 110b, [0037]).
As per claim 15, McDougal teaches a network of protected host endpoints, the network comprising:
one or more protected host endpoints receiving data packets from client endpoints over a packet switched network, the data packets including an expiring HMAC (user 125, [0005][0017]); and
the protected host endpoints including an HMAC validator determining whether a data packet satisfies a validity condition (comparing hashes to determine validity, [0027][0037]). 

McDougal does not teach the validity condition being based on one or more valid HMACs deterministically created based on a seed value and a time value. 
In an analogous art, Kako teaches the validity condition being based on one or more valid HMACs deterministically created based on a seed value and a time value (signature being based on a key and valid term, Fig. 5 and 6, [0085-0089]).


As per claim 16, the combination teaches wherein the seed value is obtained by the one or more protected host endpoints by decrypting an encrypted seed value with a private cryptographic key stored on a shared ledger (Kako: private and public keys, [0065][0029]).


As per claim 19, the combination teaches wherein the client endpoints include an unextractable trusted platform module to store a copy of the seed value (Kako: Key storage, [0065], McDougal: [0018]).

As per claim 20, the combination teaches wherein the one or more protected host endpoints include a policy engine (McDougal: guards, [0016][0020]).
Claims 6, 10, 12, 14 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over McDougal, publication number: US 2009/0327733 in view of Kako, publication number: US 2014/0289532 in further view of Agrawal, patent number: US 8,392,709.

As per claim 6, the combination of McDougal and Kako teach authenticating transmitted packets using a time based hash. 
The combination does not teach wherein the data packet includes a nonce value and the validation condition includes the nonce value not having been seen on a prior data packet by the operation that determines whether the HMAC appended to the data packet satisfies the validity condition.
In an analogous art, Agrawal teaches wherein the data packet includes a nonce value and the validation condition includes the nonce value not having been seen on a prior data packet by the operation that determines whether the HMAC appended to the data packet satisfies the validity condition (validating packets using a signature, validity period and a single use nonce, col. 5, lines 50-57, col. 7, lines 55-65, col. 8, lines 6-35).

Therefore, it would have been obvious to one of ordinary skill in the art to modify the combination of McDougal and Kako to include a single use nonce as described in Agrawal’s validation system for the advantages of preventing replay attacks. 


As per claims 10 and 17, the combination of McDougal and Kako teach authenticating transmitted packets using a time based hash. 

The combination does not teach wherein the expiring HMAC data packet appender further appends a nonce value to the data packets received from the second network interface and the validity condition includes comparison to known nonce values.

In an analogous art, Agrawal teaches wherein the expiring HMAC data packet appender further appends a nonce value to the data packets received from the second network interface and the validity condition includes comparison to known nonce values (validating packets using a signature, validity period and a single use nonce, col. 5, lines 50-57, col. 7, lines 55-65, col. 8, lines 6-35).

Therefore, it would have been obvious to one of ordinary skill in the art to modify the combination of McDougal and Kako to include a single use nonce as described in Agrawal’s validation system for the advantages of preventing replay attacks. 

As per claim 12, the combination of McDougal and Kako teach authenticating transmitted packets using a time based hash. 


In an analogous art, Agrawal teaches wherein the validity condition is not satisfied if a data packet arrives at the first network interface more than once (single use nonce, col. 5, lines 50-57, col. 8, lines 6-35).

Therefore, it would have been obvious to one of ordinary skill in the art to modify the combination of McDougal and Kako to include a single use nonce as described in Agrawal’s validation system for the advantages of preventing replay attacks.

As per claim 14, the combination teaches wherein the known nonce value is read from a shared ledger (Agrawal: list, col. 8, lines 6 - 35).
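The mechanism the rejected claims describe (an HMAC deterministically derived from a seed and a clock-based time factor, accepted only while it is current, combined with a single-use nonce so a captured packet cannot be replayed) can be illustrated in a few lines. The following is an added example written for this page; it is not code from the application, from McDougal, Kako or Agrawal. The 30-second window, the one-window clock tolerance and SHA-256 are assumptions chosen for the illustration.

```python
import hmac
import hashlib

WINDOW_SECONDS = 30  # assumed size of one validity window

def expiring_hmac(seed: bytes, payload: bytes, clock: int, nonce: bytes) -> bytes:
    """Tag over (time window, nonce, payload); same seed + same window => same tag."""
    window = clock // WINDOW_SECONDS
    msg = window.to_bytes(8, "big") + nonce + payload
    return hmac.new(seed, msg, hashlib.sha256).digest()

class ExpiringHmacValidator:
    """Accepts a packet only if its tag matches a currently valid window
    and its nonce has not been seen before (replay protection)."""

    def __init__(self, seed: bytes, skew_windows: int = 1):
        self.seed = seed
        self.skew_windows = skew_windows   # assumed clock-drift tolerance
        self.seen = {}                      # nonce -> window in which it was accepted

    def valid_tags(self, payload: bytes, clock: int, nonce: bytes):
        """The set of 'currently valid' tags: current window +/- the skew."""
        w = clock // WINDOW_SECONDS
        return [expiring_hmac(self.seed, payload,
                              win * WINDOW_SECONDS, nonce)
                for win in range(w - self.skew_windows, w + self.skew_windows + 1)]

    def validate(self, payload: bytes, nonce: bytes, tag: bytes, clock: int) -> bool:
        w = clock // WINDOW_SECONDS
        # Forget nonces whose window can no longer validate; they cannot replay anyway.
        oldest = w - self.skew_windows
        self.seen = {n: win for n, win in self.seen.items() if win >= oldest}
        if nonce in self.seen:
            return False                    # replayed packet: discard
        for candidate in self.valid_tags(payload, clock, nonce):
            if hmac.compare_digest(candidate, tag):   # constant-time compare
                self.seen[nonce] = w
                return True                 # forward the packet
        return False                        # expired, wrong seed, or tampered
```

A packet whose tag was built in window w is accepted in windows w-1 through w+1 and rejected afterwards; the same nonce is accepted once only, even within the valid windows.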


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLUGBENGA O IDOWU whose telephone number is (571)270-1450.  The examiner can normally be reached on Monday-Friday 8am - 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jung Kim, can be reached on 571-272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/OLUGBENGA O IDOWU/Primary Examiner, Art Unit 2494