Notice of Pre-AIA or AIA Status
The present application is being examined under the pre-AIA first to invent provisions.

DETAILED ACTION
This action is responsive to the amendment filed on 1/13/2021. Claims 1, 8 and 14 are independent. Claims 1, 8, 11, 12 and 14 are amended. Claims 1-20 are currently pending.

Response to Argument
Applicant's arguments with respect to the rejections under 35 U.S.C. 102 and 103 have been fully considered. The amendment overcomes the prior art of record and the argument is persuasive. However, a new ground of rejection is given following a new round of search.

Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103(a) are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 21, 26-28, 30, 31, 34, 35, 38-41 and 37 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Brinskelle (US 8856869 B1), in view of Gunter et al. (US 7055027 B1), hereinafter Gunter.

Regarding claims 21, 31 and 37, Brinskelle teaches a method for session control of a secure session between a first host and a second host (FIG. 10, client [first host], server [second host]), comprising:
connections between parties using a cryptographic protocol (col3 ln4-21, secure communication channel such as SSL/TLS); 

using the results in processing the secure session between the first host and the second host (FIG. 10 #1045-1070 and col37 ln4-26, process this response).
Brinskelle does not explicitly disclose connecting, by an interceptor device, to a private key server separate from the first host and the second host; and receiving, by the interceptor device, results of the requested private key operation. However, in an analogous art, Gunter teaches connecting, by an interceptor device, to a private key server separate from the first host and the second host (FIG. 2, external client [first host], internal client [second host], firewall [interceptor] and key server [private key server]); and receiving, by the interceptor device, results of the requested private key operation (col3 ln10-28, The firewall authenticates the signature by decrypting the message using the internal client's public key (obtained from the key server or directly from the internal computer). The firewall then decrypts the session key using its own private key).
Therefore, it would have been obvious to one of ordinary skill in the art at the time of invention to modify the teachings of Brinskelle with the teachings of Gunter because it provides a network architecture that allows legitimate trusted inspection of a VPN data stream at an intermediary, such as a firewall or proxy server (Gunter col8 ln13-21).

Regarding claims 26 and 34, the combination of Brinskelle and Gunter teaches all of the limitations of claims 21 and 31, respectively. Brinskelle further teaches comprising performing a man-in-the-middle attack by an interceptor device based on the results of the requested private key operation without direct access to the private key (col37 ln27-33, an example of a security agent that performs as a transparent man-in-the-middle with the ability to access encrypted communications in order to inspect and ensure proper online communications. The security agent may be integrated into a web proxy, a client application itself, a web browser, a web browser extension or add-on, a device on the network, or other component).

Regarding claims 27 and 39, the combination of Brinskelle and Gunter teaches all of the limitations of claims 21 and 37, respectively. Brinskelle further teaches comprising causing performing of the requested private key operation on another server than the private key server, the other server having access to a relevant private key, and receiving the results of the private key operation directly or indirectly from said other server (col37 ln27-33, the security agent may be integrated into a web proxy, a client application itself, a web browser, a web browser extension or add-on, a device on the network, or other component; when another component is integrated, the security agent communicates with that other component to perform the operation).

Regarding claims 28 and 40, the combination of Brinskelle and Gunter teaches all of the limitations of claims 21 and 37, respectively. Brinskelle further teaches comprising identifying a server that has access to a private key corresponding to a certificate for a destination server of the encrypted session, and causing use of the private key accessible by the identified server during the private key operation (col2 ln56-col3 ln3 and col9 ln51-65).

Regarding claims 30 and 35, the combination of Brinskelle and Gunter teaches all of the limitations of claim 21, as shown above. Brinskelle further teaches wherein said information about the secure session comprises information identifying a destination computer for the secure session the request relates to (col3 ln54-col4 ln3, Destination identifiers may be used to distinguish request destinations. Origin identifiers may be used to identify data origins. The origin and/or destination may be securely identified such as for example using secure protocols such as SSL/TLS).

Regarding claim 41, the combination of Brinskelle and Gunter teaches all of the limitations of claim 21, as shown above. Brinskelle further teaches configured to identify a destination server for the secure session based on the information in the request, and cause the destination server to perform the requested private key operation (col3 ln54-col4 ln3, Destination identifiers may be used to distinguish request destinations. Origin identifiers may be used to identify data origins. The origin and/or destination may be securely identified such as for example using secure protocols such as SSL/TLS).

Regarding claim 38, the combination of Brinskelle and Gunter teaches all of the limitations of claim 37. Brinskelle further teaches configured to cause performing of the requested private key operation on a private key related to a Secure Shell (SSH) session on behalf of the interceptor device (col83 ln19-67, using SSH).

Claims 22-25, 29, 32, 33 and 36 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Brinskelle and Gunter as applied to the claims above, and further in view of Al‐Malki (433438 City Research Online 2006).

Regarding claims 22 and 32, the combination of Brinskelle and Gunter teaches all of the limitations of claims 21 and 31, respectively. 
The combination of Brinskelle and Gunter does not explicitly teach wherein the intercepted secure session comprises a Secure Shell (SSH) session and the private key operation comprises a cryptographic operation performed using a Secure Shell (SSH) key. However, in an analogous art, Al‐Malki teaches wherein the intercepted secure session comprises a Secure Shell (SSH) session and the private key operation comprises a cryptographic operation performed using a Secure Shell (SSH) key (p.10, implemented encryption by using SSH (Secure Shell) on both Windows and UNIX and explained it step by step and described using tunneling (port forwarding) and after that I presented different methods that can be used with VNC for encryption like VPN, SSL used in Stunnel, Zebedee based on Blowfish encryption. In the last part I explained how to traverse firewalls to connect to a VNC system behind a firewall, which I tested between Home machines resident in London and also an overseas machine in Qatar to connect to a UNIX and Windows machines behind a firewall by tunneling and reverse connection).
Therefore, it would have been obvious to one of ordinary skill in the art at the time of invention to modify the teachings of Brinskelle and Gunter with the teachings of Al‐Malki to apply the TLS/SSL method to SSH, in order to achieve the predictable result of providing a secure connection between devices in the network by employing the well-known and widely used SSH session and SSH key.

Regarding claim 23, the combination of Brinskelle and Gunter teaches all of the limitations of claim 21. 
The combination of Brinskelle and Gunter does not explicitly disclose wherein the private key operation uses a private key corresponding to a Remote Desktop Protocol (RDP) certificate. However, in an analogous art, Al‐Malki teaches wherein the private key operation uses a private key corresponding to a Remote Desktop Protocol (RDP) certificate (pp.122 and 127).
Therefore, it would have been obvious to one of ordinary skill in the art at the time of invention to modify the teachings of Brinskelle and Gunter with the teachings of Al‐Malki to apply the TLS/SSL method to RDP, in order to achieve the predictable result of providing a secure connection between devices in the network by employing the well-known and widely used TLS/SSL method with RDP.

Regarding claims 24 and 33, the combination of Brinskelle, Gunter and Al‐Malki teaches all of the limitations of claims 24 and 31, respectively. Al‐Malki further teaches comprising running the interceptor device in a virtualization environment (pp.3 and 57).
Therefore, it would have been obvious to one of ordinary skill in the art at the time of invention to modify the teachings of Brinskelle and Gunter with the teachings of Al‐Malki to apply the TLS/SSL method to a virtual environment, in order to achieve the predictable result of providing secure communication in a cloud computing environment.

Regarding claim 25, the combination of Brinskelle, Gunter and Al‐Malki teaches all of the limitations of claims 24 and 31, respectively. Al‐Malki further teaches comprising providing a virtual machine by the interceptor device (pp.3 and 57).
Therefore, it would have been obvious to one of ordinary skill in the art at the time of invention to modify the teachings of Brinskelle and Gunter with the teachings of Al‐Malki, in order to achieve the predictable result of providing secure communication in a cloud computing environment.

Regarding claim 29, the combination of Brinskelle and Gunter teaches all of the limitations of claim 21. 
The combination of Brinskelle and Gunter does not explicitly disclose comprising sending information about the secure session to at least one of a vault, a data loss prevention system and an audit server. However, in an analogous art, Al‐Malki teaches comprising sending information about the secure session to at least one of a vault, a data loss prevention system and an audit server (pp.135, 143 and 145).
Therefore, it would have been obvious to one of ordinary skill in the art at the time of invention to modify the teachings of Brinskelle and Gunter with the teachings of Al‐Malki to notify entities about the session in communication.

Regarding claim 36, the combination of Brinskelle and Gunter teaches all of the limitations of claim 21. Al‐Malki teaches comprising an interceptor implemented in a firewall, a server or a gateway and configured to cause decryption of intercepted encrypted sessions (pp.10, 139, 207 and 257) and/or encryption of sessions communicated further from the interceptor device.
Therefore, it would have been obvious to one of ordinary skill in the art at the time of invention to modify the teachings of Brinskelle and Gunter with the teachings of Al‐Malki, in order to achieve the predictable result of encrypting or decrypting the session.

References Cited Not Used
The closest prior art, Garcia (WO2005060202A1) and Geddes (US9172679), disclose the feature of sending, from the interceptor device, a request to the private key server to cause performance of a private key operation in relation to the secure session processed by the interceptor device, the request comprising information about the secure session; and receiving, by the interceptor device, results of the requested private key operation as claimed in the independent claims.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHU CHUN GAO whose telephone number is (571)270-5999. The examiner can normally be reached on Monday - Thursday 6:00-4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, KRISTINE KINCAID, can be reached on 571-272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/SHU CHUN GAO/Examiner, Art Unit 2437 

/ALI S ABYANEH/Primary Examiner, Art Unit 2437