DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This written action is responding to the preliminary amendment dated April 23, 2021.
In the preliminary amendment dated April 23, 2021, claims 1, 3, 7, 9, 13 and 15 have been amended, claims 2, 8 and 14 have been canceled and all other claims are previously presented.
Claims 1, 3-7, 9-13 and 15-21 are allowed.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to Applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with Mr. Robert Graham of registration number 43,430, on April 26, 2021.  During the telephone conference, Mr. Graham has agreed and authorized the examiner to further amend Claims 1, 3-7, 9-13 and 15-21 on the preliminary amendment dated on April 23, 2021.

Claims
Replacing Claims 1, 3-7, 9-13 and 15-21 of the preliminary amendment dated on April 23, 2021 with the following:
Claim 1:
A message processing server comprising:
a memory storing a data record, wherein the data record includes a first-layer access restriction indicator stored in association with a first cryptographic key, and further includes a second-layer access restriction indicator stored in association with a second cryptographic key; and
a message processor coupled to the memory and configured to:
receive from a first network device a first data access request that includes a first authentication credential and a multi-layer token, wherein the multi-layer token includes a first data layer and a second data layer, the first data layer is encrypted with the first cryptographic key, and the second data layer includes the first data layer and is encrypted with the second cryptographic key;
determine that, prior to the first data access request, the first authentication credential was stored in the data record in association with the first-layer access restriction indicator and not in association with the second-layer access restriction indicator;
recover the first data layer from the multi-layer token by (i) locating the second cryptographic key in the data record, and (ii) decrypting the second ;
provide the first network device with the first data layer;
receive from a second network device a second data access request that includes a second authentication credential and the multi-layer token;
determine that, prior to the second data access request, the second authentication credential was stored in the data record in association with the first-layer access restriction indicator and the second-layer access restriction indicator;
locate the first cryptographic key in the data record;
recover the second data layer from the multi-layer token; and
provide the second network device with the first cryptographic key and the second data layer.
Claim 2: 	(cancelled).
Claim 3: 
The message processing server according to claim 1, wherein 
the message processor is further configured to:
receive from a third network device a third data access request that includes a third authentication credential and the multi-layer token;
determine that, prior to the third data access request, the third authentication credential was stored in the data record  and not in association with the first-layer access restriction indicator;
recover the second data layer from the multi-layer token; and
provide the third network device with the second data layer.
Claim 4: 
The message processing server according to claim 1, wherein the message processor is further configured to:
receive from a third network device a token update request that includes additional data, an additional authentication credential and the multi-layer token,
save an additional access restriction indicator in the data record in association with the additional authentication credential and an additional cryptographic key,
generate an additional data layer by encrypting the additional data and an outermost data layer of the multi-layer token with the additional cryptographic key,
generate an updated multi-layer token from the additional data layer and the received multi-layer token, and
provide the third network device with the updated multi-layer token.
Claim 5: 
The message processing server according to claim 4, wherein the data record includes a token identifier, and the token update request includes the token identifier; and
the message processor is further configured to:
determine that, prior to the token update request, the token identifier was stored in the data record, and
generate the additional data layer, after determining that, prior to the token update request, the token identifier was stored in the data record.
Claim 6: 
The message processing server according to claim 4, wherein the data record includes a token identifier stored in association with the first-layer access restriction indicator, and the token update request includes the token identifier; and
the message processor is further configured to:
determine that, prior to the token update request, the token identifier was stored in the data record in association with the first-layer access restriction indicator, and
after determining that, prior to the token update request, the token identifier was stored in the data record in association with the first-layer access restriction indicator, (i) save the token identifier in the data record in association with the additional access restriction indicator, and (ii) generate the additional data layer.
Claim 7: 
A method of providing controlled access to data using an access control database that stores a data record, the data record including a first-layer access restriction indicator stored in association with a first cryptographic key, and further including a second-layer access restriction indicator stored in association with a second cryptographic key, the method comprising:
a computer processor receiving from a first network device a first data access request that includes [[the]]a first authentication credential and a multi-layer token, wherein the multi-layer token includes a first data layer and a second data layer, the first data layer is encrypted with the first cryptographic key, and the second data layer includes the first data layer and is encrypted with the second cryptographic key;
the computer processor determining that, prior to the first data access request, the first authentication credential was stored in the data record in association with the first-layer access restriction indicator and not in association with the second-layer access restriction indicator;
the computer processor recovering the first data layer from the multi-layer token by (i) locating the second cryptographic key in the data record, and (ii) decrypting the second data layer with the second cryptographic key;
the computer processor providing the first network device with the first data layer;
the computer processor receiving from a second network device a second data access request that includes a second authentication credential and the multi-layer token;
the computer processor determining that, prior to the second data access request, the second authentication credential was stored in the data record in association with the first-layer access restriction indicator and the second-layer access restriction indicator;
the computer processor locating the first cryptographic key in the data record;
the computer processor recovering the second data layer from the multi-layer token; and
the computer processor providing the second network device with the first cryptographic key and the second data layer.
Claim 8: 	(cancelled).
Claim 9: 
The method according to claim 7, further comprising:
third network device a third data access request that includes a third authentication credential and the multi-layer token;
the computer processor determining that, prior to the third data access request, the third authentication credential was stored in the data record and not in association with the first-layer access restriction indicator;
the computer processor recovering the second data layer from the multi-layer token; and
the computer processor providing the third network device with the second data layer.
Claim 10: 
The method according to claim 7, further comprising:
the computer processor receiving from a third network device a token update request that includes additional data, an additional authentication credential and the multi-layer token;
the computer processor saving an additional access restriction indicator in the data record in association with the additional authentication credential and an additional cryptographic key;
the computer processor generating an additional data layer by encrypting the additional data and an outermost data layer of the multi-layer token with the additional cryptographic key;

the computer processor providing the third network device with the updated multi-layer token.
Claim 11: 
The method according to claim 10, wherein the data record includes a token identifier, and the token update request includes the token identifier, and the method further comprises:
the computer processor determining that, prior to the token update request, the token identifier was stored in the data record; and
the computer processor generating the additional data layer, after determining that, prior to the token update request, the token identifier was stored in the data record.
Claim 12: 
The method according to claim 10, wherein the data record includes a token identifier stored in association with the first-layer access restriction indicator, and the token update request includes the token identifier, and the method further comprises:
the computer processor determining that, prior to the token update request, the token identifier was stored in the data record in association with the first-layer access restriction indicator; and
after the computer processor determining that, prior to the token update request, the token identifier was stored in the data record in association with the first-layer access restriction indicator, the computer processor (i) saving the token identifier in the data 
Claim 13: 
A non-transient computer-readable medium storing processing instructions which, when executed by a computer processor, cause the computer processor to:
receive from a first network device a first data access request that includes a first authentication credential and a multi-layer token, wherein the multi-layer token includes a first data layer and a second data layer, the first data layer is encrypted with a first cryptographic key, and the second data layer includes the first data layer and is encrypted with a second cryptographic key;
determine that, prior to the first data access request, the first authentication credential was stored in a data record in association with a first-layer access restriction indicator and not in association with the second-layer access restriction indicator, wherein the data record includes the first-layer access restriction indicator stored in association with the first cryptographic key, and further includes the second-layer access restriction indicator stored in association with the second cryptographic key;
recover the first data layer from the multi-layer token by (i) locating the second cryptographic key in the data record, and (ii) decrypting the second data layer with the second cryptographic key, and
provide the first network device with the first data layer;
receive from a second network device a second data access request that includes a second authentication credential and the multi-layer token;
determine that, prior to the second data access request, the second authentication credential was stored in the data record in association with the first-layer access restriction indicator and the second-layer access restriction indicator;
locate the first cryptographic key in the data record;
recover the second data layer from the multi-layer token; and
provide the second network device with the first cryptographic key and the second data layer.
Claim 14: 	(cancelled).
Claim 15: 
The computer-readable medium according to claim 13, wherein the processing instructions further cause the computer processor to:
receive from a third network device a third data access request that includes a third authentication credential and the multi-layer token;
determine that, prior to the third data access request, the third authentication credential was stored in the data record  and not in association with the first-layer access restriction indicator;
recover the second data layer from the multi-layer token; and
provide the third network device with the second data layer.
Claim 16: 
The computer-readable medium according to claim 13, wherein the processing instructions further cause the computer processor to:
third network device a token update request that includes additional data, an additional authentication credential and the multi-layer token;
save an additional access restriction indicator in the data record in association with the additional authentication credential and an additional cryptographic key;
generate an additional data layer by encrypting the additional data and an outermost data layer of the multi-layer token with the additional cryptographic key;
generate an updated multi-layer token from the additional data layer and the received multi-layer token; and
provide the third network device with the updated multi-layer token.
Claim 17: 
The computer-readable medium according to claim 16, wherein the data record includes a token identifier, and the token update request includes the token identifier, and the processing instructions further cause the computer processor to:
determine that, prior to the token update request, the token identifier was stored in the data record; and
generate the additional data layer, after determining that, prior to the token update request, the token identifier was stored in the data record.
Claim 18: 
The computer-readable medium according to claim 16, wherein the data record includes a token identifier stored in association with the first-layer access restriction indicator, and the token update request includes the token identifier, and the processing instructions further cause the computer processor to:

after determining that, prior to the token update request, the token identifier was stored in the data record in association with the first-layer access restriction indicator, (i) save the token identifier in the data record in association with the additional access restriction indicator, and (ii) generate the additional data layer.
Claim 19: 
The message processing server according to claim 1, wherein the message processor is further configured to:
receive a third data access request that includes a third authentication credential and the multi-layer token;
determine that, prior to the third data access request, the third authentication credential was not stored in the data record in association with the first-layer access restriction indicator or the second-layer access restriction indicator; and
reject the third data access request.
Claim 20: 
The method according to claim 7, further comprising:
the computer processor receiving a third data access request that includes a third authentication credential and the multi-layer token;
the computer processor determining that, prior to the third data access request, the third authentication credential was not stored in the data record in association with 
the computer processor rejecting the third data access request.
Claim 21:  
The computer-readable medium according to claim 13, wherein the processing instructions further cause the computer processor to:
receive a third data access request that includes a third authentication credential and the multi-layer token;
determine that, prior to the third data access request, the third authentication credential was not stored in the data record in association with the first-layer access restriction indicator or the second-layer access restriction indicator; and
reject the third data access request.
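Added example, not part of the office action or of the application it examines: the access decisions recited in claims 1 and 19, written in Python so the layering and the per-credential outcomes can be run and inspected. Assumptions: the names DataRecord, build_token and handle_access are hypothetical; seal/unseal are a standard-library encrypt-then-MAC stand-in for a real AEAD cipher such as AES-GCM; "recover the second data layer" is read as opening the outer layer with the second key; and a credential associated with the second layer only receives that layer without the first key.

```python
import hashlib
import hmac
import os

# Stand-in cipher (assumption): HMAC-SHA256 keystream plus encrypt-then-MAC,
# used only so the example runs on the standard library. Use a vetted AEAD
# such as AES-GCM in real code.
def _stream(key, nonce, n):
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(8, "big"),
                       hashlib.sha256).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    if len(blob) < 48:
        raise ValueError("layer too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer failed integrity check")
    return bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct))))

class DataRecord:
    """Hypothetical data record: each layer indicator maps to a key and to the
    credentials stored in association with it."""
    def __init__(self):
        self.keys = {"layer1": os.urandom(32), "layer2": os.urandom(32)}
        self.credentials = {"layer1": set(), "layer2": set()}

    def enroll(self, credential, *layers):
        for layer in layers:
            self.credentials[layer].add(credential)

    def layers_for(self, credential):
        return {l for l, creds in self.credentials.items() if credential in creds}

def build_token(record, first_data, second_data):
    """First layer under key 1; second layer wraps it (plus its own data) under key 2."""
    layer1 = seal(record.keys["layer1"], first_data)
    body = len(second_data).to_bytes(4, "big") + second_data + layer1
    return seal(record.keys["layer2"], body)

def handle_access(record, credential, token):
    layers = record.layers_for(credential)   # associations stored before the request
    if not layers:                            # claim 19: no association, reject
        raise PermissionError("credential not associated with any layer")
    body = unseal(record.keys["layer2"], token)   # locate key 2, open outer layer
    n = int.from_bytes(body[:4], "big")
    second_data, layer1 = body[4:4 + n], body[4 + n:]
    if layers == {"layer1"}:
        # First request of claim 1: only the first data layer, still under key 1.
        return {"first_data_layer": layer1}
    # Assumed reading: "second data layer" = the opened outer layer.
    reply = {"second_data_layer": {"data": second_data, "first_data_layer": layer1}}
    if "layer1" in layers:
        # Second request of claim 1: both associations, so key 1 is released too.
        reply["first_key"] = record.keys["layer1"]
    return reply

def demo():
    record = DataRecord()
    record.enroll("cred-A", "layer1")             # constructed sample credentials
    record.enroll("cred-B", "layer1", "layer2")
    token = build_token(record, b"inner record", b"outer note")
    a = handle_access(record, "cred-A", token)
    b = handle_access(record, "cred-B", token)
    inner = unseal(b["first_key"], b["second_data_layer"]["first_data_layer"])
    return sorted(a), sorted(b), inner

if __name__ == "__main__":
    print(demo())
```

Because every granted path opens the outer layer first, a token altered in transit fails the integrity check before any layer or key is released.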
Allowable Subject Matter
Claims 1, 3-7, 9-13 and 15-21 are allowed.

Examiner’s Statement of Reasons for Allowance
The following is an examiner’s statement of reasons for allowance:
Independent claim 1 is allowable based on the preliminary amendment presented on April 23, 2021 and the examiner’s amendment dated on May 05, 2021.
Specifically, the independent claim 1 now recites limitations as follows:

“A message processing server comprising:

a message processor coupled to the memory and configured to:
receive from a first network device a first data access request that includes a first authentication credential and a multi-layer token, wherein the multi-layer token includes a first data layer and a second data layer, the first data layer is encrypted with the first cryptographic key, and the second data layer includes the first data layer and is encrypted with the second cryptographic key;
determine that, prior to the first data access request, the first authentication credential was stored in the data record in association with the first-layer access restriction indicator and not in association with the second-layer access restriction indicator;
recover the first data layer from the multi-layer token by (i) locating the second cryptographic key in the data record, and (ii) decrypting the second 
provide the first network device with the first data layer;
receive from a second network device a second data access request that includes a second authentication credential and the multi-layer token;
determine that, prior to the second data access request, the second authentication credential was stored in the data record in association with the first-layer access restriction indicator and the second-layer access restriction indicator;

recover the second data layer from the multi-layer token; and
provide the second network device with the first cryptographic key and the second data layer”.
The reference by Barrus et al. (US PGPUB. # US 2008/0244721) discloses that a user requesting access to information provides a token (Fig. 5(502), ¶51). Barrus further discloses that token processor 102 may generate a digital token 108 that may be stored in a memory of computer system 104. Digital token 108 may be an image comprising information encoding the identifier and the encryption key. Digital token 108 may be electronically communicated (e.g., email) and may be displayable on an output device such as a screen, monitor, visual display, etc. A physical token may be generated using a physical medium such as paper, card, plastic, etc. For example, in system 100 depicted in FIG. 1, a physical token 110 may be generated using a printer 112. Token processor 102 may be configured to send token-related information to printer 112 which may then generate physical token 110 by printing the information on a physical medium such as paper, card, plastic, etc. One or more physical tokens may be generated (Fig. 5(506), ¶37). Barrus discloses a token associated with a cryptographic key; however, Barrus doesn’t disclose a multi-layer token.
The reference by Goldstein et al. (US PAT. # US 6,128,735) discloses a multi-layer token. FIG. 3 shows data ready to transfer 40 having three (Fig. 3, CL(4), LN(58-67), CL(5), LN(1-5)). Goldstein further discloses, first data layer is retrieved by locating second decryption key and decrypting second data layer with the second decryption key. (Fig. 6(118), CL(7), LN(17-23), Fig. 7(160, 142), CL(7), LN(51-67), CL(8), LN(1-9)).
The reference by Taro Kurita (US PGPUB. # US 2007/0283415) discloses, when the separating request is received by the operating system of the IC card, the separate package is delivered to the file system of the card issuer on the basis of the area ID in the argument. The separate package is then decrypted using the card issuer key KI Subsequently, the separate element package and the size (number of d to retrieve the area key KIi immediately after the separation (the issuer key of the new service provider using this area (i.e., a virtual card issuer)) and the system code SCi Thereafter, the operating system separates a memory area of the requested size from the unused area of the card issuer. Furthermore, the operating system sets the issuer key KIi and the system code SCi for this area to define this area as a new file system. (Fig. 13, ¶116-¶117).
Laxminarayanan et al. (US PGPUB. # US 2016/0119296) discloses, providing a token service environment that allows a token requesting party (e.g. token requestor) to specify parameters for token generation for controlling and customizing the token generation process. For example, the token requesting party may specify (e.g. select from a list or provide a list of) the accounts for tokenization. The accounts may be identified by account identifiers (e.g. account numbers) or bank identification numbers (BINs). The token requesting party may also specify encryption keys for the tokens to be generated. The token requesting party may also specify additional parameters such as notification thresholds indicating when notifications associated with the tokens are to be generated (Abstract).
However, each of the cited references or reference from the updated search, at least, fails to teach or suggest the limitations regarding “determine that, prior to the second data access request, the second authentication credential was stored in the data record in association with the first-layer access restriction indicator and the second-layer access restriction indicator; locate the first cryptographic key in the data record; recover the second data layer from the multi-layer token; and provide the second network device with the first cryptographic key and the second data layer”, in combination with the rest of the limitations recited in the independent claim(s).

None of the previously cited prior art references or reference(s) from the updated search yield any specific references that would reasonably, either singularly or in combination with previously cited references, result in a reasonable and proper rejection for each of the cited feature limitations of the independent claim 1 under 35 U.S.C. 102 or 35 U.S.C. 103 with proper motivation.
Claim 7 is a method claim of above message processing server claim 1 and Claim 13 is a non-transient computer-readable medium claim of above message processing server claim 1, and therefore, they are also allowed.
Claims 3-6 and 19 depend on the allowed claim 1, and therefore, they are also allowed.
Claims 9-12 and 20 depend on the allowed claim 7, and therefore, they are also allowed.
Claims 15-18 and 21 depend on the allowed claim 15, and therefore, they are also allowed.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance".

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.  Refer to PTO-892, Notice of References Cited for a listing of analogous art.
Okamoto et al. (US PGPUB. # US 2015/0249651) discloses, enabling a first network to use the resources of various second networks in order to localize delivery of the first network content from the various second networks in a secure manner. Some embodiments provide a token-based authentication scheme to ensure that any configured content access restrictions are effectuated at the first network and any of the second networks providing localized content delivery for the first network. The scheme involves a two phase user authentication, wherein the user is separately authenticated at the first network and the redirected to second network using either the same or different set of access restrictions. The first network exchanges a first encryption key with content providers for encrypting/decrypting the first access restriction and a second encryption key with a second network for encrypting/decrypting the second access restriction.
Masashi Watanabe (US PGPUB. # US 2015/0288663) discloses, cryptographically process data including a plurality of data segments. The cryptographic process includes (a) receiving a plurality of data segments, (b) selecting, for each data segment, a set of encryption information based on data contained in a predetermined portion of the data segment to be encrypted, and (c) encrypting each data segment using the set of encryption information selected for the data segment. At least one of an encryption algorithm, an encryption key, and an encryption parameter may be changed for each data segment based on the data contained in the predetermined portion. The predetermined portion may include a first predetermined portion for selecting a first set of encryption information, and a second predetermined portion for selecting a second set of encryption information, the encryption information including an encryption algorithm, an encryption key, and optionally an encryption parameter.
Li et al. (US PGPUB. # US 2006/0282901) discloses, an apparatus for transferring protected data (404) having an authorizing entity's outer encryption layer (408) and having a user-fixed inner encryption layer (406) from a first electronic device having a first unique, unalterable identifier to a second electronic device having a second unique, unalterable identifier. A central unit includes a receiver configured to receive (402) from the first electronic device protected data (404) having an authorizing entity's first outer encryption layer (408) corresponding to the first unique, unalterable identifier and having a user-fixed inner encryption layer (406); a processor configured to decrypt (410) the authorizing entity's first outer encryption layer (408) of the protected data (404); a processor configured to encrypt (412) an authorizing entity's second outer encryption layer (414) of the protected data (404) corresponding to the second unique, 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DARSHAN I DHRUV whose telephone number is (571)272-4316.  The examiner can normally be reached on M-F 9:00 AM-5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 571-272-8878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/DARSHAN I DHRUV/Examiner, Art Unit 2498