DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 02/27/2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Response to Amendment
Claims 1, 8 and 15 have been amended. Claims 1-18 are currently pending.

Response to Arguments
With respect to claim 1, Applicant argues that IEEE 802.1X ‘2010 does not teach “determining, by the first member device, a first cipher suite, and determining a first secure association key (SAK) corresponding to the first cipher suite, wherein the first cipher suite is a cipher suite supported by all member devices in the CA, and the first cipher suite belongs to the cipher suite indicated by the second cipher suite list” since the reference does not make mention of determining the first cipher suite in the second cipher suite list that is supported by all CA members (See Pages 12 in the argument). Examiner respectfully disagrees.
IEEE 802.1X ‘2010 describes (See Pages 25-26 in IEEE 802.1X) that each PAE (Port Access Entity; i.e., member device) that can be adopted as an authenticator or supplicant exchanges EAP frames over the LAN (EAPOL packets) and furthermore each PAE may operate the MACsec Key Agreement (MKA) 
Based upon the previous facts, a PAE that may be designated as an authenticator while other PAEs may be selected as a supplicant. Then, all PAEs in a same CA may transmits EAPOL MKA packets choosing the default MACsec Cipher suite which is to be supported by all member devices in the same CA. In this case, the PAE of the authenticator (first device) may receive a packet showing the default MACsec Cipher suite from the other PAEs (second device) and should be able to determine the MACsec Cipher Suite as the default suite. It means that the first cipher suite may be equal to a cipher suite (the default suite) in the second cipher suite list. On top of that, the claim is silent about how the second cipher suite list affects the determination of the first cipher suite in the first member device but only by describing “the first cipher suite belongs to the cipher suite indicated by the second cipher suite list” including no details associated with processes executed between the two devices. Therefore, the applicant’s arguments overall are deemed unpersuasive and the rejections are hereby maintained.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1-2, 8-9 and 15-16 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by IEEE Std 802.1X-2010 (hereinafter “IEEE 802.1X ‘2010”; provided by IDS dated 04/18/2019).
Per claim 1 (independent):
IEEE 802.1X ‘2010 discloses: receiving, by a first member device, a second Extensible Authentication Protocol over local area network-Media Access Control security key agreement (EAPOL-MKA) packet sent by a second member device and the first member device and the second member device belong to a same connectivity association (CA) (6. Principles of port-based network access control operation, pages 19, “The mechanisms specified in this standard allow any type of system, including bridges and routers, to authenticate, authorize, and secure communications through one of its ports to any other system attached to the same LAN” [Emphasis added.]; 6.3.1 Authentication exchanges, pages 25-26, “Each PAE may operate EAP … to transmit EAP frames over the LAN (EAPOL) … conveying EAP frames between the EAP PAEs … each PAE adopts …  distinct EAP specified roles: a) Authenticator () b) Supplicant () EAP … c) Authentication Server ()” [Emphasis added.]; 6.3.2 Key agreement, pages 26, “Each instance is protected by a distinct Secure Connectivity Association Key (CAK) that allows each PAE to ensure that information for a given MKA instance is only accepted from other PAEs that also possess that CAK, thus identifying themselves as members or potential members of the same CA” [Emphasis added.]; 9.3.3 MKA key hierarchy, pages 64, “with a fresh CAK being distributed when each participant joins a CA”; 11. EAPOL PDUs, pages 87, “This clause specifies the EAPOL PDUs exchanged between peer PAEs: to support authentication using EAP (PACP, see Clause 8); to support the MACsec Key Agreement protocol (MKA, see Clause 9);” [Emphasis added.]; 11.3.2 Packet Type, Table 11-3, “Packet Type: EAPOL-MKA”; 11.11 EAPOL-MKA, pages 95-96, Figure 11-6, Table 11-4, Table 11-7 “The Packet Body of each EAPOL PDU with a Packet Type of EAPOL-MKA conveys an MKPDU. The use of MKPDU parameters by the MACsec Key Agreement protocol (MKA) is specified in Clause 9” [Emphasis added.] where EAPOL PDUs (EAPOL-MKA packet), which supports the MKA by setting up a packet type as EAPOL-MKA as Table 11-3, are exchanged between peer PAEs (member device) on a same LAN where the PAEs is guaranteed to be on the same LAN by sharing a same CAK (Connectivity Association Key). In addition, each participant (member device) may join the same LAN as a fresh CAK is being distributed.); 
wherein the second EAPOL-MKA packet comprises a second cipher suite list, the second cipher suite list is configured to indicate a cipher suite supported by the second member device (9. MACsec Key Agreement protocol (MKA), pages 60, “The MACsec Key Agreement (MKA) protocol allows PAEs (Figure 6.3), each associated with a Port that is an authenticated member of a secure connectivity association (CA) or a potential CA, to discover other PAEs attached to the same LAN, to confirm mutual possession of a CAK and hence to prove a past mutual authentication, to agree the secret keys (SAKs) used by MACsec  … The Key Agreement Entity (KaY) responsible for MKA within the PAE can operate multiple simultaneous MKA instances: … each providing pairwise authentication between the server and a member of a group CA, to distribute the CAK for that group” [Emphasis added.]; 11.11 EAPOL-MKA, pages 95-96, Figure 11-6, Figure 11-11, Figure 11-12, Table 11-4, Table 11-7 (pages 99), “The Packet Body of each EAPOL PDU with a Packet Type of EAPOL-MKA conveys an MKPDU. The use of MKPDU parameters by the MACsec Key Agreement protocol (MKA) is specified in Clause 9” [Emphasis added.] ; 
determining, by the first member device, a first cipher suite, and determining a first secure association key (SAK) corresponding to the first cipher suite, wherein the first cipher suite is a cipher suite supported by all member devices in the CA, and the first cipher suite belongs to the cipher suite indicated by the second cipher suite list; and sending, by the first member device, the first cipher suite and the first SAK to the second member device in the CA (9.5 Key server election, pages 67, “The participants in a given MKA instance agree on a Key Server, responsible for the following:
a) Deciding on the use of MACsec (9.6)
b) Cipher suite selection (9.7)
c) SAK generation and distribution (9.8)
d) SA assignment (9.9)
e) Identifying the CA when two or more CAs merge (9.11)
f) CA formation and group CAK distribution (9.12)
… the MKA participant for the PAE that was the EAP Authenticator will be the Key Server … Each participant in an MKA instance with a CAK  … uses the Key Server Priority (an 8-bit integer) encoded in each MKPDU to agree on the Key Server. Each such participant selects the live participant advertising the highest priority as its Key Server whenever the Live Peers List changes” [Emphasis added.]; 9.7 Cipher suite selection, pages 69, “The cipher suite … is selected by the Key Server and advertised with The Key Server is responsible for generating (9.8.1) and distributing MACsec SAKs, using AES Key Wrap (9.8.2), to each of the other members of the CA, using the MKA transport … Once a Key Server has generated an SAK, it shall be distributed in each MKPDU transmitted until all live peers that can use the selected Cipher Suite … A Key Server shall distribute a fresh SAK whenever it selects a new MACsec Cipher Suite (9.7) unless the new Cipher Suite is the Null Cipher Suite, i.e., plain text transmission is selected” [Emphasis added.] where a PAE or participant which may be elected as a key server based on the key server priority may select a cipher suite on which a fresh SAK is generated and distributed until all other PAEs use the selected cipher suite ensuring that all member device in a same CA support the cipher suite. Note that at least the default cipher suite may belong to any cipher suite lists.).

Per claim 2 (dependent on claim 1):
IEEE 802.1X ‘2010 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference.
IEEE 802.1X ‘2010 discloses: The method according to claim 1, wherein the second EAPOL-MKA packet further comprises a key server priority of the second member device, and the key server priority is used to negotiate a key server; and (9.5 Key server election, pages 67, “the MKA participant for the PAE that was the EAP Authenticator will be the Key Server … Each participant in an MKA instance with a CAK  … uses the Key Server Priority (an 8-bit integer) encoded in each MKPDU to agree on the Key Server. Each such participant selects the live participant advertising the highest priority as its Key Server whenever the Live Peers List changes” [Emphasis added.] where each participant (member device) in an MKA instance with a CAK uses the Key Server Priority stored at a MKPDU (packet body) contained in a EAPOL PDU (packet) to agree (negotiate) on the Key Server); 
before the determining, by the first member device, a first cipher suite, the method further comprises: sending, by the first member device, a first EAPOL-MKA packet to the second member device, wherein the first EAPOL-MKA packet comprises a first cipher suite list and a key server priority of the first member device, and the first cipher suite list is used to indicate a cipher suite supported by the first member device and (9. MACsec Key Agreement protocol (MKA), pages 60, “The MACsec Key Agreement (MKA) protocol allows PAEs (Figure 6.3), each associated with a Port that is an authenticated member of a secure connectivity association (CA) or a potential CA, to discover other PAEs attached to the same LAN, to confirm mutual possession of a CAK and hence to prove a past mutual authentication, to agree the secret keys (SAKs) used by MACsec  … The Key Agreement Entity (KaY) responsible for MKA within the PAE can operate multiple simultaneous MKA instances: … each providing pairwise authentication between the server and a member of a group CA, to distribute the CAK for that group” [Emphasis added.]; 9.5 Key server election, pages 67, “The participants in a given MKA instance agree on a Key Server, responsible for the following: … b) Cipher suite selection (9.7)
… the MKA participant for the PAE that was the EAP Authenticator will be the Key Server … Each participant in an MKA instance with a CAK  … uses the Key Server Priority (an 8-bit integer) encoded in each MKPDU to agree on the Key Server. Each such participant selects the live participant advertising the highest priority as its Key Server whenever the Live Peers List changes” [Emphasis added.]; 11.11 EAPOL-MKA, pages 95-96, Figure 11-6, Figure 11-11, Figure 11-12, Table 11-4, Table 11-7 (pages 99), “The Packet Body of each EAPOL PDU with a Packet Type of EAPOL-MKA conveys an MKPDU. The use of MKPDU parameters by the MACsec Key Agreement protocol (MKA) is specified in Clause 9” [Emphasis added.] where before a PAE or participant (first member device) is elected as a key server based on its key server priority (note that a key server is responsible for determining a cipher suite), the PAE may transmit an EAPOL PDU (packet) marked as a packet type of EAPOL-MKA, which includes a parameter set (as Figure 11-6) that is to include the MACsec Cipher Suite (cipher suite list) as shown in Table 11-7, 
determining, by the first member device, an identity of the first member device as the key server based on the key server priority of the first member device and the key server priority of the second member device (9.5 Key server election, pages 67, “the MKA participant for the PAE that was the EAP Authenticator will be the Key Server … Each participant in an MKA instance with a CAK  … uses the Key Server Priority (an 8-bit integer) encoded in each MKPDU to agree on the Key Server. Each such participant selects the live participant advertising the highest priority as its Key Server whenever the Live Peers List changes” [Emphasis added.] where a PAE or participant whose Key Server Priority is the highest may be elected as a key server between peer PAEs (member device) which output their own Key Server Priority conveyed in a MKPDU (packet body).).

Per claim 8 (independent):
The limitations of the claim(s) correspond(s) to features of claim 1 and the claim(s) is/are rejected for the reasons detailed with respect to claim 1.

Per claim 9 (dependent on claim 8):
IEEE 802.1X ‘2010 discloses the elements detailed in the rejection of claim 8 above, incorporated herein by reference.
The limitations of the claim(s) correspond(s) to features of claim 2 and the claim(s) is/are rejected for the reasons detailed with respect to claim 2.

Per claim 15 (independent):


Per claim 16 (dependent on claim 15):
IEEE 802.1X ‘2010 discloses the elements detailed in the rejection of claim 15 above, incorporated herein by reference.
The limitations of the claim(s) correspond(s) to features of claim 2 and the claim(s) is/are rejected for the reasons detailed with respect to claim 2.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 3-4, 6, 10-11, 13 and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over IEEE 802.1X ‘2010 in view of Sharifi Mehr, US-10291589-B1 (hereinafter “Mehr ‘589”).
Per claim 3 (dependent on claim 1):
IEEE 802.1X ‘2010 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference.
IEEE 802.1X ‘2010 discloses: The method according to claim 1, wherein after the sending, by the first member device, the first cipher suite and the first SAK to the second member device in the CA, the method further comprises: (9.7 Cipher suite selection, pages 69, “The cipher suite … is selected by the Key Server and advertised with each key … identified by a reference number (IEEE Std 802.1AE-The Key Server is responsible for generating (9.8.1) and distributing MACsec SAKs, using AES Key Wrap (9.8.2), to each of the other members of the CA, using the MKA transport … Once a Key Server has generated an SAK, it shall be distributed in each MKPDU transmitted until all live peers that can use the selected Cipher Suite … A Key Server shall distribute a fresh SAK whenever it selects a new MACsec Cipher Suite (9.7) unless the new Cipher Suite is the Null Cipher Suite, i.e., plain text transmission is selected” [Emphasis added.] where a PAE or participant which may be elected as a key server based on the key server priority may select a (first) cipher suite on which a fresh SAK is generated and distributed until all other PAEs use the selected cipher suite ensuring that all member device in a same CA support the cipher suite. Note that the first member device can be the PAE elected as a key server. );
determining, by the first member device, that a third member device joins the CA (9.3.3 MKA key hierarchy, pages 64, “with a fresh CAK being distributed when each participant joins a CA”; 9.5 Key server election, pages 67, “The participants in a given MKA instance agree on a Key Server, responsible for the following: … b) Cipher suite selection (9.7) c) SAK generation and distribution (9.8) … e) Identifying the CA when two or more CAs merge (9.11) f) CA formation and group CAK distribution (9.12)” [Emphasis added.] where a key server which is responsible for CA formation and group CAK distribution may distribute a fresh CAK when a new participant joins a CA.); 
receiving, by the first member device, a third EAPOLMKA packet sent by the third member device, wherein the third EAPOL-MKA packet comprises a third cipher suite list, and the third cipher suite list is used to indicate a cipher suite supported by the third member device (9. MACsec Key Agreement protocol (MKA), pages 60, “The MACsec Key Agreement (MKA) protocol allows PAEs (Figure 6.3), each associated with a Port that is an authenticated member of a secure connectivity association (CA) or a potential CA, to discover other PAEs attached to the same LAN, to confirm mutual possession of a CAK … between the server and a member of a group CA, to distribute the CAK for that group” a Packet Type of EAPOL-MKA conveys an MKPDU. The use of MKPDU parameters by the MACsec Key Agreement protocol (MKA) is specified in Clause 9” [Emphasis added.] where a EAPOL PDU (packet) marked as a packet type of EAPOL-MKA conveys MKPDU as a packet body that may include a parameter set (as Figure 11-6) that is to include the MACsec Cipher Suite (cipher suite list) as shown in Table 11-7. A PAE (third member device) can send the EAPOL PDU to a group of other PAEs on a same CA to announce the support of the MACsec Cipher Suite. In other words, a particular participant, including a key server (first member device), can receive a cipher suite list from any other PAEs on the same CA);
determining, by the first member device, a second SAK corresponding to the second cipher suite; and sending, by the first member device, the second cipher suite and the second SAK to the second member device and the third member device in the CA (9.7 Cipher suite selection, pages 69, “The cipher suite … is selected by the Key Server and advertised with each key … identified by a reference number (IEEE Std 802.1AE-2006, Table 14-1)” [Emphasis added.]; 9.8 SAK generation, distribution, and selection, pages 69-70, “The Key Server is responsible for generating (9.8.1) and distributing MACsec SAKs, using AES Key Wrap (9.8.2), to each of the other members of the CA, using the MKA transport … Once a Key Server has generated an SAK, it shall be distributed in each MKPDU transmitted until all live peers that can use the selected Cipher Suite … A Key Server shall distribute a fresh SAK whenever it selects a new MACsec Cipher Suite (9.7) unless the new Cipher Suite is the Null Cipher Suite, i.e., plain text transmission is selected” [Emphasis added.] where a key server may select a cipher suite on which a fresh SAK is generated and distributed until all other PAEs use the selected cipher suite ensuring that all member device in a same CA support the cipher suite. Note that the first member device can be the key server and the key server is supposed to send a fresh SAK whenever a new cipher suite, e.g., 2nd or 3rd cipher suite etc. is selected.);
determining, by the first member device, a second cipher suite, wherein the second cipher suite is a cipher suite supported by all the member devices in the CA, and the second cipher suite belongs to a cipher suite indicated by the second cipher suite list and the third cipher suite list; determining, by the first member device, whether the second cipher suite is the same as the first cipher suite; when determining that the second cipher suite is different from the first cipher suite (FIG. 1, [Col. 4], ll. 3-34, “the various resources 1021-102M correspond to different cipher suites 1041-104N … Cryptographic strength … resistance to cryptographic attacks … key size for an encryption or other algorithm of the cipher suite … ” [Emphasis added.]; FIG. 5, [Col. 12], ll. 43 – [Col. 14], ll. 4, “the process 500 may be performed by any system that participates in a handshake process … determining 504 whether there is a mutually supported cipher suite … by determining whether any cipher suites listed in the ClientHello message match a cipher suite that system performing the process 500 is configured to support … If it is determined … there is at least one mutually supported cipher suite, the process 500 may include determining 508 whether the ClientHello message included a session use indicator … select 512 the most preferred mutually supported cipher suite listed in the ClientHello message that matches the session use indicator … generate 514 a ServerHello message indicating the selected cipher suite … the generated 514 ServerHello message may be transmitted 516 to a system from which the ClientHello message was received 502” [Emphasis added.] where a participant (first member device), which may be a server, in a handshake process, can determine whether there is a mutually supported cipher suite (second cipher suite) based on a cipher suite list in a ClientHello message sent by a client(second member device) with matching a cipher suite. After a cipher suite is selected by the server, a message is sent to a client for an indication of the selection. Note that the selected cipher suite is to support all device since it is selected only if they are mutually supported by comparing their own supported cipher list. In addition, since the system is able to support different cipher suites that correspond to various 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified IEEE 802.1X ‘2010 with the selection of a way for adopting different cipher suites mutually supported between the client and the server as taught by Mehr ‘589 because it would attain adaptively a level of data confidentiality by selecting a different cipher suite based on the cryptographic strength [Col. 4], ll. 3-34.

Per claim 4 (dependent on claim 1):
IEEE 802.1X ‘2010 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference.
IEEE 802.1X ‘2010 discloses: The method according to claim 1, wherein after the sending, by the first member device, the first cipher suite and the first SAK to the second member device in the CA, the method further comprises: (9.7 Cipher suite selection, pages 69, “The cipher suite … is selected by the Key Server and advertised with each key … identified by a reference number (IEEE Std 802.1AE-2006, Table 14-1)” [Emphasis added.]; 9.8 SAK generation, distribution, and selection, pages 69-70, “The Key Server is responsible for generating (9.8.1) and distributing MACsec SAKs, using AES Key Wrap (9.8.2), to each of the other members of the CA, using the MKA transport … Once a Key Server has generated an SAK, it shall be distributed in each MKPDU transmitted until all live peers that can use the selected Cipher Suite … A Key Server shall distribute a fresh SAK whenever it selects a new MACsec Cipher Suite (9.7) unless the new Cipher Suite is the Null Cipher Suite, i.e., plain text transmission is selected” [Emphasis added.] where a PAE or participant which may be elected as a key server based on the key server priority may select a (first) cipher suite on which a fresh SAK is generated and distributed 
determining, by the first member device, that the second member device exits the CA (Figure 8-1, 8.1 PACP Overview, pages 49, “the exchange of EAPOL frames between Supplicant and Authenticator PAEs … If the Supplicant’s client no longer wishes to be authenticated, the Supplicant’s PACP entity can transmit an EAPOL-Logoff that the Authenticator’s PACP entity can use to terminate the EAP authentication” [Emphasis added.] where an Authenticator (first member device) can determine whether to terminate the EAP authentication of a PAE (second member device) upon receiving an EAPOL-Logoff from the PAE. Note that an Authenticator can be a key server (See 9.5 Key server election, pages 67).);
determining, by the first member device, a second SAK corresponding to the second cipher suite; and sending, by the first member device, the second cipher suite and the second SAK to each member device in the CA (9.7 Cipher suite selection, pages 69, “The cipher suite … is selected by the Key Server and advertised with each key … identified by a reference number (IEEE Std 802.1AE-2006, Table 14-1)” [Emphasis added.]; 9.8 SAK generation, distribution, and selection, pages 69-70, “The Key Server is responsible for generating (9.8.1) and distributing MACsec SAKs, using AES Key Wrap (9.8.2), to each of the other members of the CA, using the MKA transport … Once a Key Server has generated an SAK, it shall be distributed in each MKPDU transmitted until all live peers that can use the selected Cipher Suite … A Key Server shall distribute a fresh SAK whenever it selects a new MACsec Cipher Suite (9.7) unless the new Cipher Suite is the Null Cipher Suite, i.e., plain text transmission is selected” [Emphasis added.] where a PAE or participant which may be elected as a key server based on the key server priority may select a cipher suite on which a fresh SAK is generated and distributed until all other PAEs use the selected cipher suite ensuring that all member device in a same CA support the cipher suite. Note that nd or 3rd cipher suite etc. is selected.);
IEEE 802.1X ‘2010 does not disclose but Mehr ‘589 discloses: determining, by the first member device, a second cipher suite, wherein the second cipher suite is a cipher suite supported by all the member devices in the CA; determining, by the first member device, whether the second cipher suite is the same as the first cipher suite (FIG. 1, [Col. 4], ll. 3-34, “the various resources 1021-102M correspond to different cipher suites 1041-104N … Cryptographic strength … resistance to cryptographic attacks … key size for an encryption or other algorithm of the cipher suite” [Emphasis added.]; FIG. 5, [Col. 12], ll. 43 – [Col. 14], ll. 4, “the process 500 may be performed by any system that participates in a handshake process … determining 504 whether there is a mutually supported cipher suite … by determining whether any cipher suites listed in the ClientHello message match a cipher suite that system performing the process 500 is configured to support … If it is determined … there is at least one mutually supported cipher suite, the process 500 may include determining 508 whether the ClientHello message included a session use indicator … select 512 the most preferred mutually supported cipher suite listed in the ClientHello message that matches the session use indicator … generate 514 a ServerHello message indicating the selected cipher suite … the generated 514 ServerHello message may be transmitted 516 to a system from which the ClientHello message was received 502” [Emphasis added.] where a participant (first member device), which may be a server, in a handshake process, can determine whether there is a mutually supported cipher suite (second cipher suite) based on a cipher suite list in a ClientHello message sent by a client (second member device) with matching a cipher suite. After a cipher suite is selected by the server, a message is sent to a client for an indication of the selection. Note that the selected cipher suite is to support all device since it is selected only if they are mutually supported by comparing their own supported cipher list. In addition, since the system is able to support different cipher suites that correspond to various resources, it would differentiate a currently .

Per claim 6 (dependent on claim 1):
IEEE 802.1X ‘2010 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference.
IEEE 802.1X ‘2010 discloses: The method according to claim 1, wherein after the sending, by the first member device, the first cipher suite and the first SAK to the second member device in the CA, the method further comprises (9.7 Cipher suite selection, pages 69, “The cipher suite … is selected by the Key Server and advertised with each key … identified by a reference number (IEEE Std 802.1AE-2006, Table 14-1)” [Emphasis added.]; 9.8 SAK generation, distribution, and selection, pages 69-70, “The Key Server is responsible for generating (9.8.1) and distributing MACsec SAKs, using AES Key Wrap (9.8.2), to each of the other members of the CA, using the MKA transport … Once a Key Server has generated an SAK, it shall be distributed in each MKPDU transmitted until all live peers that can use the selected Cipher Suite … A Key Server shall distribute a fresh SAK whenever it selects a new MACsec Cipher Suite (9.7) unless the new Cipher Suite is the Null Cipher Suite, i.e., plain text transmission is selected” [Emphasis added.] where a PAE or participant which may be elected as a key server based on the key server priority may select a (first) cipher suite on which a fresh SAK is generated and distributed until all other PAEs use the selected cipher suite ensuring that all member device in a same CA support the cipher suite. Note that the first member device can be a PAE elected as a key server.);
determining, by the first member device, a second SAK corresponding to the second cipher suite; and sending, by the first member device, the second cipher suite and the second SAK to each member device in the CA (9.7 Cipher suite selection, pages 69, “The cipher suite … is selected by the Key Server and advertised with each key … identified by a reference number (IEEE Std 802.1AE-2006, Table The Key Server is responsible for generating (9.8.1) and distributing MACsec SAKs, using AES Key Wrap (9.8.2), to each of the other members of the CA, using the MKA transport … Once a Key Server has generated an SAK, it shall be distributed in each MKPDU transmitted until all live peers that can use the selected Cipher Suite … A Key Server shall distribute a fresh SAK whenever it selects a new MACsec Cipher Suite (9.7) unless the new Cipher Suite is the Null Cipher Suite, i.e., plain text transmission is selected” [Emphasis added.] where a PAE or participant which may be elected as a key server based on the key server priority may select a cipher suite on which a fresh SAK is generated and distributed until all other PAEs use the selected cipher suite ensuring that all member device in a same CA support the cipher suite. Note that the first member device can be the key server and the key server is supposed to send a fresh SAK whenever a new cipher suite, e.g., 2nd or 3rd cipher suite etc. is selected.).
IEEE 802.1X ‘2010 does not disclose but Mehr ‘589 discloses: updating, by the first member device, the cipher suite supported by the first member device (FIG. 1, [Col. 4], ll. 3-34, “the various resources 1021-102M correspond to different cipher suites 1041-104N … Cryptographic strength … resistance to cryptographic attacks … key size for an encryption or other algorithm of the cipher suite” [Emphasis added.]; FIG. 5, [Col. 12], ll. 43-64, “In response to having received 502 the ClientHello message, the process 500 may include determining 504 whether there is a mutually supported cipher suite” [Emphasis added.] where the process as in FIG. 5 is able to support different cipher suites that correspond to various resources according to a requirement of the cryptographic strength on which the device may update a supported cipher suite list to meet the requirement);
determining, by the first member device, a second cipher suite, wherein the second cipher suite is a cipher suite supported by all the member devices in the CA, and the second cipher suite belongs to a cipher suite updated by the first member device; determining, by the first member device, whether the second cipher suite is the same as the first cipher suite; when determining that the second cipher suite is different from the first cipher suite (FIG. 1, [Col. 4], ll. 3-34, “the various resources 1021-102M correspond to different cipher suites 1041-104N … Cryptographic strength … resistance to cryptographic attacks … key size for an encryption or other algorithm of the cipher suite … ” [Emphasis added.]; FIG. 5, [Col. 12], ll. 43 – [Col. 14], ll. 4, “the process 500 may be performed by any system that participates in a handshake process … determining 504 whether there is a mutually supported cipher suite … by determining whether any cipher suites listed in the ClientHello message match a cipher suite that system performing the process 500 is configured to support … If it is determined … there is at least one mutually supported cipher suite, the process 500 may include determining 508 whether the ClientHello message included a session use indicator … select 512 the most preferred mutually supported cipher suite listed in the ClientHello message that matches the session use indicator … generate 514 a ServerHello message indicating the selected cipher suite … the generated 514 ServerHello message may be transmitted 516 to a system from which the ClientHello message was received 502” [Emphasis added.] where a participant (first member device), which may be a server, in a handshake process, can determine whether there is a mutually supported cipher suite (second cipher suite) based on a cipher suite list in a ClientHello message sent by a client (second member device) with matching a cipher suite. After a cipher suite is selected by the server, a message is sent to a client for an indication of the selection. Note that the selected cipher suite is to support all device since it is selected only if they are mutually supported by comparing their own supported cipher list. In addition, since the system is able to support different cipher suites that correspond to various resources, it would differentiate a currently selected cipher suite and a previously selected cipher suite to meet a requirement of the cryptographic strength.).

Per claim 10 (dependent on claim 8):

The limitations of the claim(s) correspond(s) to features of claim 3 and the claim(s) is/are rejected for the reasons detailed with respect to claim 3.

Per claim 11 (dependent on claim 8):
IEEE 802.1X ‘2010 discloses the elements detailed in the rejection of claim 8 above, incorporated herein by reference.
The limitations of the claim(s) correspond(s) to features of claim 4 and the claim(s) is/are rejected for the reasons detailed with respect to claim 4.


Per claim 13 (dependent on claim 8):
IEEE 802.1X ‘2010 discloses the elements detailed in the rejection of claim 8 above, incorporated herein by reference.
The limitations of the claim(s) correspond(s) to features of claim 6 and the claim(s) is/are rejected for the reasons detailed with respect to claim 6.

Per claim 17 (dependent on claim 15):
IEEE 802.1X ‘2010 discloses the elements detailed in the rejection of claim 15 above, incorporated herein by reference.
The limitations of the claim(s) correspond(s) to features of claim 3 and the claim(s) is/are rejected for the reasons detailed with respect to claim 3.

Claim(s) 7 and 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over IEEE 802.1X ‘2010 in view of IEEE Std 802.1 AE-2006 (hereinafter “IEEE 802.1 AE ‘2006”; provided by IDS dated 04/18/2019).
Per claim 7 (dependent on claim 1):
IEEE 802.1X ‘2010 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference.
IEEE 802.1X ‘2010 discloses: The method according to claim 1, wherein the method further comprises: receiving, by the first member device, a data packet sent by the second member device (6. Principles of port-based network access control operation, pages 19, “The mechanisms specified in this standard allow any type of system, including bridges and routers, to authenticate, authorize, and secure communications through one of its ports to any other system attached to the same LAN” [Emphasis added.]; 6.3.1 Authentication exchanges, pages 25-26, “Each PAE may operate EAP … to transmit EAP frames over the LAN (EAPOL) … conveying EAP frames between the EAP PAEs … each PAE adopts …  distinct EAP specified roles: a) Authenticator () b) Supplicant () EAP … c) Authentication Server ()” [Emphasis added.]; 11. EAPOL PDUs, pages 87, “This clause specifies the EAPOL PDUs exchanged between peer PAEs: to support authentication using EAP (PACP, see Clause 8); to support the MACsec Key Agreement protocol (MKA, see Clause 9);” [Emphasis added.]; 11.3.2 Packet Type, Table 11-3, “Packet Type: EAPOL-MKA”; 11.11 EAPOL-MKA, pages 95-96, Figure 11-6, Table 11-4, Table 11-7 “The Packet Body of each EAPOL PDU with a Packet Type of EAPOL-MKA conveys an MKPDU. The use of MKPDU parameters by the MACsec Key Agreement protocol (MKA) is specified in Clause 9” [Emphasis added.] where EAPOL PDUs (data packet), which supports the MKA by setting up a packet type as EAPOL-MKA as Table 11-3, are exchanged between peer PAEs (member devices such as 1st, 2nd device etc.) on a same LAN where the PAEs is guaranteed to be on the same LAN by sharing a same CAK (Connectivity Association Key).);
determining, by the first member device based on a key indication in the data packet, a target cipher suite and a target SAK corresponding to the target cipher suite that are used to  (9.5 Key server election, pages 67, “the MKA participant for the PAE that was the EAP Authenticator will be the Key Server … Each participant in an MKA instance with a CAK  … uses the Key Server Priority (an 8-bit integer) encoded in each MKPDU to agree on the Key Server. Each such participant selects the live participant advertising the highest priority as its Key Server whenever the Live Peers List changes” [Emphasis added.]; 9.7 Cipher suite selection, pages 69, “The cipher suite … is selected by the Key Server and advertised with each key … identified by a reference number (IEEE Std 802.1AE-2006, Table 14-1)” [Emphasis added.]; 9.8 SAK generation, distribution, and selection, pages 69-70, “The Key Server is responsible for generating (9.8.1) and distributing MACsec SAKs, using AES Key Wrap (9.8.2), to each of the other members of the CA, using the MKA transport … Once a Key Server has generated an SAK, it shall be distributed in each MKPDU transmitted until all live peers that can use the selected Cipher Suite … A Key Server shall distribute a fresh SAK whenever it selects a new MACsec Cipher Suite (9.7) unless the new Cipher Suite is the Null Cipher Suite, i.e., plain text transmission is selected” [Emphasis added.] where a key server (first member device) may select a target cipher suite on which a fresh target SAK is generated and distributed until all other PAEs use the selected cipher suite ensuring that all member device in a same CA support the cipher suite.);
IEEE 802.1X ‘2010 does not disclose but IEEE 802.1 AE ‘2006 discloses: perform integrity check and decryption on the data packet (3. Definitions, pages 6, “3.13 integrity check value (ICV): A value that is derived by performing an algorithmic transformation on the data unit for which data integrity services are provided. The ICV is sent with the protected data unit and is recalculated and compared by Protect and validate MACsec PDUs by using Cipher Suites as specified in 14.1.” [Emphasis added.]; Figure 14-1, pages 121, 

    PNG
    media_image1.png
    326
    757
    media_image1.png
    Greyscale


where a EAPOL PDU (packet) that may include a cipher suite is exchanged between PAEs (member device). The packet received at a PAE (first member device) would be protected and validated by using the cipher suite of the packet. Note that the received user data (data packet) is decrypted by the Validate function and validated (integrity check) by the function via the ICV (integrity check value).).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified IEEE 802.1X ‘2010 with the integrity check and decryption of the user data based on a received cipher suite as taught by IEEE 802.1 AE ‘2006 because it would more effectively protect and validate the user data by selecting a cryptographic algorithm based on a selected cipher suite.

Per claim 14 (dependent on claim 8):

The limitations of the claim(s) correspond(s) to features of claim 7 and the claim(s) is/are rejected for the reasons detailed with respect to claim 7.

Allowable Subject Matter
Claim(s) 5, 12 and 18 is/are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The claims contain the following underlined features which, when combined with other features of the claim, prior art of record failed to anticipate or render obvious at the time of instant invention was filed:
Per claim 5 (dependent on claim 1):
The method according to claim 1, wherein after the sending, by the first member device, the first cipher suite and the first SAK to the second member device in the CA, the method further comprises: receiving, by the first member device, a third EAPOLMKA packet sent by the second member device, wherein the third EAPOL-MKA packet comprises an updated cipher suite list, and the updated cipher suite list is used to indicate a cipher suite supported by the second member device after the second member device updates the second cipher suite list; determining, by the first member device, a second cipher suite, wherein the second cipher suite is a cipher suite supported by all the member devices in the CA, and the second cipher suite belongs to the cipher suite indicated by the updated cipher suite list; determining, by the first member device, whether the second cipher suite is the same as the first cipher suite;  when determining that the second cipher suite is different from the first cipher suite, determining, by the first member device, a second SAK corresponding to the second cipher suite; and sending, by the first member device, the second cipher suite and the second SAK to the second member device in the CA.

Per claim 12 (dependent on claim 8):
The network device according to claim 8, wherein the transceiver is further configured to receive a third EAPOL-MKA packet sent by the second member device, wherein the third EAPOL-MKA packet comprises an updated cipher suite list, and the updated cipher suite list is used to indicate a cipher suite supported by the second member device after the second member device updates the cipher suite list; the processor is further configured to determine a second cipher suite, wherein the second cipher suite is a cipher suite supported by all the member devices in the CA, and the second cipher suite belongs to the cipher suite indicated by the updated cipher suite list; the processor is further configured to determine whether the second cipher suite is the same as the first cipher suite; the processor is further configured to: when determining that the second cipher suite is different from the first cipher suite, determine a second SAK corresponding to the second cipher suite; and the transceiver is further configured to send the second cipher suite and the second SAK to the second member device in the CA.

Per claim 18 (dependent on claim 15):
The network device according to claim 15, wherein the transceiver is further configured to send a third EAPOLMKA packet to the first member device, wherein the third EAPOL-MKA packet comprises an updated cipher suite list, and the updated cipher suite list is used to indicate a cipher suite supported by the network device after the network device updates the cipher suite list; the transceiver is further configured to receive a second cipher suite and a second SAK that are sent by the first member device, wherein the second cipher suite belongs to the cipher suite indicated by the updated cipher suite list; and the processor is further configured to determine to perform MACsec secure data transmission with the first member device by using the second cipher suite and the second SAK.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SANGSEOK PARK whose telephone number is (571)272-4332.  The examiner can normally be reached on Monday-Thursday 7:30-5:30 and Alternate Fridays 8:30-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on (571) 272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.





/SANGSEOK PARK/Examiner, Art Unit 2494                                                                                                                                                                                                        
/Kevin Bechtel/Primary Examiner, Art Unit 2491