DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Examiner’s Amendment
Authorization for the Examiner’s Amendment was given in an interview with the Applicant’s representative, David B. Raczkowski (Reg. No. 52,145) on March 23, 2021.
Claims 1, 7, 9-10 have been amended by the Applicant.  Claims 4-6, and 11-20 have been canceled by the Applicant.  Claims 21-33 have been added by the Applicant.

Claims
1.	 (Currently Amended) A computer-implemented method comprising performing, by a first computer in a first high security zone of a first system:
transmitting, over a network, a public key to be obtained by a second computer in a low security zone of a second system, wherein the public key corresponds to a private key associated with the first system, the first system comprising the first high security zone behind a first firewall and a first low security zone in front of the first firewall, the second system comprising a second high security zone behind a second firewall and a second low security zone in front of the second firewall;
receiving, over the network, a key ID that identifies the public key;
, wherein the first API message is a request for a service provided by the second system;
obtaining data to be signed from the first API message, the data comprising a resource identifier corresponding to the service provided by the second system;
generating a signature token by signing the data using a cryptographic algorithm and the private key associated with the first system, the generating comprising applying a hash function of the cryptographic algorithm to the data from the first API message, including the resource identifier, to obtain at least a portion of the signature token; and
transmitting the first API message to the second computer in the low security zone of the second system, wherein the first API message invokes the service provided by the second system in a third computer of the second high security zone of the second system.

4. (Canceled)
5.(Canceled)
6. (Canceled)

7. (Currently Amended) The method of claim 1, wherein the first API message is a response to an API request for a service provided by the first system, and wherein the API request is received by the first computer via a fourth computer in the first low security zone of the first system.




9.	(Currently Amended) The method of claim 1, further comprising:
encrypting at least a portion of the first API message using a shared secret that is shared with a fourth computer of the second high security zone of the second system. 

10.	(Currently Amended) The method of claim 9, fourth computer is configured to route a decrypted first API message to the third computer.

11. (Canceled)
12. (Canceled)
13. (Canceled)
14. (Canceled)
15. (Canceled)
16. (Canceled)
17. (Canceled)
18. (Canceled)
19. (Canceled)
20. (Canceled) 



21.	(New)	A first computer system, comprising: 
a first computer in a first high security zone of the first computer system, the first computer comprising one or more processors configured to:
transmit, over a network, a public key to be obtained by a second computer in a low security zone of a second system, wherein the public key corresponds to a private key associated with the first computer system, the first computer system comprising the first high security zone behind a first firewall and a first low security zone in front of the first firewall, the second system comprising a second high security zone behind a second firewall and a second low security zone in front of the second firewall;
receive, over the network, a key ID that identifies the public key;
generate a first application programming interface (API) message that includes the key ID, wherein the first API message is a request for a service provided by the second system;
obtain data to be signed from the first API message the data comprising a resource identifier corresponding to the service provided by the second system;
generate a signature token by signing the data using a cryptographic algorithm and the private key associated with the first computer system, the generating comprising applying a hash function of the cryptographic algorithm to the data from the first API message, including the resource identifier, to obtain at least a portion of the signature token; and
transmit the first API message to the second computer in the low security zone of the second system, wherein the first API message invokes the service provided by the second system in a third computer of the second high security zone of the second system.

22.	(New) The system of claim 21, wherein the public key is transmitted to another computer from which the second computer retrieves the public key. 

23.	(New) The system of claim 21, wherein the key ID is received from the second system and is configured to be used by the second computer to retrieve the public key for authenticating the first API message.

24.	(New) The system of claim 21, wherein the first API message is a response to an API request for a service provided by the first computer system, and wherein the API request is received by the first computer via a fourth computer in the first low security zone of the first computer system.

25.	(New) The system of claim 21, wherein the signed data includes only a portion of a header and/or body of the first API message.
26.	(New) The system of claim 21, wherein the one or more processors of the first computer are further configured to encrypt at least a portion of the first API message using a shared secret that is shared with a fourth computer of the second high security zone of the second system. 

27.  	(New)	One or more non-transitory computer-readable storage media storing a plurality of instructions that when executed cause one or more processors of a first computer in a first high security zone of a first system to perform:
transmitting, over a network, a public key to be obtained by a second computer in a low security zone of a second system, wherein the public key corresponds to a private key associated with the first system, the first system comprising the first high security zone behind a 
receiving, over the network, a key ID that identifies the public key;
generating a first application programming interface (API) message that includes the key ID, wherein the first API message is a request for a service provided by the second system;
obtaining data to be signed from the first API message the data comprising a resource identifier corresponding to the service provided by the second system;
generating a signature token by signing the data using a cryptographic algorithm and the private key associated with the first system, the generating comprising applying a hash function of the cryptographic algorithm to the data from the first API message, including the resource identifier, to obtain at least a portion of the signature token; and
transmitting the first API message to the second computer in the low security zone of the second system, wherein the first API message invokes the service provided by the second system in a third computer of the second high security zone of the second system.

28.	(New) The one or more non-transitory computer-readable storage media of claim 27, wherein the public key is transmitted to another computer from which the second computer retrieves the public key. 

29.	(New) The one or more non-transitory computer-readable storage media of claim 27, wherein the key ID is received from the second system and is configured to be used by the second computer to retrieve the public key for authenticating the first API message.

30.	(New) The one or more non-transitory computer-readable storage media of claim 27, wherein the first API message is a response to an API request for a service provided by the first system, and wherein the API request is received by the first computer via a fourth computer in the first low security zone of the first system.

31.	(New) The one or more non-transitory computer-readable storage media of claim 27, wherein the signed data includes only a portion of a header and/or body of the first API message.

32.	(New) The one or more non-transitory computer-readable storage media of claim 27, wherein the one or more processors of the first computer are further configured to encrypt at least a portion of the first API message using a shared secret that is shared with a fourth computer of the second high security zone of the second system. 

33.	(New) The one or more non-transitory computer-readable storage media of claim 32, wherein the fourth computer is configured to route a decrypted first API message to the third computer.




                                                           Reasons for Allowance

4.    Claims 1-3, 7-10, and 21-33 are allowable.

5.    The following is an Examiner’s statement of reasons for allowance:

The present invention is directed to methods, systems, and devices are provided for authenticating API messages using PKI-based authentication techniques. A client system can generate a private/public key pair associated with the client system and sign an API message using the private key of the private/public key pair and a PKI-based cryptographic algorithm, before sending the signed API message to a server system. The server system (e.g., operated by a service provider) can authenticate the incoming signed API message using a proxy authenticator located in less trusted zone (e.g., a perimeter network) of the server system. In particular, the proxy authenticator can be configured to verify the signature of the signed API message using the public key corresponding to the private key and the same cryptographic algorithm. The authenticated API message can then be forwarded to a more trusted zone (e.g., an internal network) of the server system for further processing. 
The Non-patent literature of Laganier et al. (Title: HIPernet: A Decentralized Security Infrastructure for Large Scale Grid Environments) teaches sharing distributed resources amongst a multi-domain grid environment raises complex security and policy issues, at the heart of which lies the ability to make an authorization decision when a shared resource is accessed.  When an entity makes a resource accessible to users, it is rather interested in verifying that an entity “obtaining data to be signed from the first API message, the data comprising a resource identifier corresponding to the service provided by the second system; generating a signature token by signing the data using a cryptographic algorithm and the private key associated with the first system, the generating comprising applying a hash function of the cryptographic algorithm to the data from the first API message, including the resource identifier, to obtain at least a portion of the signature token; and transmitting the first API message to the second computer in the low security zone of the second system, wherein the first API message invokes the service provided by the second system in a third computer of the second high security zone of the second system”.
The prior art of Ostermann et al (9,130,937) discloses enclaves each may include a networked environment such that nodes within each enclave may communicate with each other but not with nodes in other enclaves.  Enclaves may include one or more network, and each portion of a network is a DMZ (demilitarized zone).  Enclaves may be associated with different security levels such as confidential and top secret.  Ostermann discloses the guard may facilitate the distribution of information between varied security classification environments.  The prior art of Ostermann et al (9,130,937) does not disclose or suggest, “obtaining data to be signed from the first API message, the data comprising a resource identifier corresponding to the service provided by the second system; generating a signature token by signing the data using a cryptographic algorithm and the private key associated with the first system, the generating comprising applying a hash function of the cryptographic algorithm to the data from the first API message, including the resource identifier, to obtain at least a portion of the signature token; and transmitting the first API message to the second computer in the low security zone of the second system, wherein the first API message invokes the service provided by the second system in a third computer of the second high security zone of the second system”.

The prior art of Jolfaei (2011/0138457) discloses securing communication between different network zones.  Jolfaei discloses messages can be communicated between different network zones.  Jolfaei discloses the http request and logon data may be encapsulated and transmitted to the high secure network zone by way of RFC.  Jolfaei discloses communication from a low secure network zone to the high secure network zone to the high secure network zone uses RFC instead of HTTP to access resources at the high secure network zone.  The prior art of Jolfaei (2011/0138457) does not disclose or suggest, “obtaining data to be signed from the first API message, the data comprising a resource identifier corresponding to the service provided by the second system;
generating a signature token by signing the data using a cryptographic algorithm and the private key associated with the first system, the generating comprising applying a hash function of the cryptographic algorithm to the data from the first API message, including the resource identifier, to obtain at least a portion of the signature token; and transmitting the first API message to the second computer in the low security zone of the second system, wherein the first API message invokes the service provided by the second system in a third computer of the second high security zone of the second system”.


“obtaining data to be signed from the first API message, the data comprising a resource identifier corresponding to the service provided by the second system; generating a signature token by signing the data using a cryptographic algorithm and the private key associated with the first system, the generating comprising applying a hash function of the cryptographic algorithm to the data from the first API message, including the resource identifier, to obtain at least a portion of the signature token; and transmitting the first API message to the second computer in the low security zone of the second system, wherein the first API message invokes the service provided by the second system in a third computer of the second high security zone of the second system”.





Therefore the claims are allowable over the cited prior art.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance."


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JENISE E JACKSON whose telephone number is (571)272-3791.  The examiner can normally be reached on M-F 8:00am-4:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu T Pham can be reached on (571)270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished 


  3/23/2021
/J.E.J/Examiner, Art Unit 2439                                                                                                                                                                                                        


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439