DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office action is in response to communication/amendment filed on 05/10/2021.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 05/10/2021 has been entered.
Status of claims in the instant application:
Claims 1-12, 14-17 and 19-20 are pending.
Claims 1, 15 and 20 have been amended.
Claims 13 and 18 have been canceled.
No new claim has been added.
Response to Arguments
Correction to specification filed on 05/10/2021 is accepted.
Applicant’s arguments, filed on 05/10/2021, with respect to the rejection of claims under 35 USC § 103 have been considered but are moot because the amended claim limitations are met under a new ground of rejection by either newly cited portions of the previously applied prior art or new prior art.
Applicant argued that TAKAHASHI does not disclose dedicated data paths for the security enforcer logic chip or the security enforcer logic chip preventing transmission of a data packet when the security level is incompatible with the port.
In response, the Examiner notes that new sections of the TAKAHASHI prior art have been cited to further clarify the dedicated data paths for the security enforcer logic. Furthermore, new prior art has been cited that discloses the newly amended claim limitation of preventing transmission when the security level is incompatible. Therefore, Applicant is directed to the rejection of the claims in this office action.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3 and 4 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 2017/0075821 A1 to TAKAHASHI (hereinafter “TAKAHASHI”) in view of Pub. No.: US 2005/0097357 A1 to Smith (hereinafter “Smith”).
Regarding Claim 1. TAKAHASHI discloses A multi-level secure switch (TAKAHASHI: Abstract, Para [0008, 0044-0047]) comprising:
a security enforcer logic chip configured to receive and transmit a plurality of data packets (TAKAHASHI, Para [0025-0027, 0069]: … Programmable input/output interface 106 is coupled to the interchangeable physical interface and is configured to route each of the plurality of incoming packets to one of the cryptographic modules 104 for encryption to provide a plurality of encrypted packets … For outgoing packets, programmable input/output interface 106 routes encrypted packets to one of the cryptographic modules 104 for decryption … programmable input/output interface 106, 206, and/or 208 (security enforcer logic chip) is further configured to route a packet to one of the plurality of cryptographic modules 104 based on the source tag …), each of the plurality of data packets having an associated security level (TAKAHASHI, Abstract: … A system includes a plurality of data input ports, each port corresponding to one of a plurality of different levels of security classification; a security device, configured for cryptographic processing, coupled to receive incoming data from each of the plurality of input ports, wherein the incoming data includes first data having a first classification level …), wherein the security enforcer logic chip comprises:
a plurality of data paths, wherein each of the plurality of data paths connects a single port of a plurality of ports of a switch chip to a single physical port of a plurality of physical ports (TAKAHASHI, FIG. 2, FIG. 11-13, Para [0101-0102, 0122, 0124, 0008, 0098, 0106, 0132, 0137]: … FIG. 11 shows a multi-level independent security system, according to one embodiment. This system uses four input/output ports 1106 (I/Os) for each of several classified levels such as, e.g., top secret (TS), secret (S), confidential (C) and unclassified (UNC) … Ports 1106 are coupled to a security device 1102, which includes multiple key caches 1104. Security device 1102 receives data from one of ports 1106, encrypts the data, and sends the data for storage in a common encrypted data storage 204 (storage 204 may be, for example, a storage area or a network). In one embodiment, security device 1102 may be implemented based on security device 102 as was discussed above for FIGS. 1-10 … Incoming data from one of packet input engines 1306 is routed by fail safe multiplexer 1310 to cryptographic core 1302 for encryption … The decrypted data is routed by fail safe demultiplexer 1312 to one of several packet output engines 1308. Each packet output engine 1308 corresponds to one of the levels of security classification … each port corresponding to one of a plurality of different levels of security classification; a plurality of cryptographic modules, each cryptographic module dedicated to perform encryption and decryption for one of the different levels of security classification, each cryptographic module coupled to receive incoming data from one of the plurality of data ports … each cryptographic module 104 may be physically isolated by design. So, only a certain packet will go through a module number one and only certain other packets will go through module number two. For example, crypto module number one may only process a certain style of packet. 
Crypto module number two may only process packets for a particular customer. Thus, it is physically partitioned … security device 1102 comprises a plurality of cryptographic modules (discussed below), and each cryptographic module is dedicated to perform security processing for only one of the different levels of security classification. In one embodiment, the system further comprises key caches 1104. In one embodiment, each of the cryptographic modules is physically isolated from the other of the cryptographic modules …; Examiner’s Interpretation: the security enforcer logic chip is comprised of High-Speed I/O modules of FIG. 2, the switch chip is comprised of Crypto Modules of FIG. 2. High-speed I/O modules connects to physical ports and also to crypto modules. FIG. 13 and related descriptions disclose Packet Input Engines (1306) and Packet Output Engines (1308), the packet input and output engines are considered as plurality of data paths of the Security Enforcer Logic Chip, where a single port on the security enforcer logic chip connects to a single physical port and on the other side a different port connects to a single port on the switch chip (i.e. the crypto modules) …);
the switch chip configured to send the plurality of data packets to and receive the plurality of data packets from the security enforcer logic chip (TAKAHASHI, Para [0012, 0025-0026]: … FIG. 2 shows a systolic-matrix security processing system for receiving and encrypting data packets from a non-encrypted data source, and concurrently processing control and data from a control plane for storage in a common encrypted data storage, according to one embodiment … FIG. 1 shows a security processing system including a security device 102 with a plurality of programmable cryptographic modules 104 (switch chip) and a programmable input/output interface 106 (security enforcer logic chip), according to one embodiment. An interchangeable physical interface 108 is configured to receive a plurality of incoming packets from a data source (e.g., through physical interface 110). In one embodiment, the plurality of cryptographic modules is configured using at least two systolic layers for processing of packets, control data, and keys as discussed further below … Programmable input/output interface 106 is coupled to the interchangeable physical interface and is configured to route each of the plurality of incoming packets to one of the cryptographic modules 104 for encryption to provide a plurality of encrypted packets. The programmable input/output interface 106 is configured to route the encrypted packets to a common internal or external data storage …), wherein the switch chip comprises the plurality of ports of the switch chip (TAKAHASHI, FIG. 2, Para [0098]: … each cryptographic module 104 may be physically isolated by design. So, only a certain packet will go through a module number one and only certain other packets will go through module number two …; Examiner’s Interpretation: Switch Chip is comprised of the cryptographic modules each having its own interface/port, therefore there are plurality of ports …);
a management processor configured to provide security parameters to the security enforcer logic chip (TAKAHASHI, Para [0042], FIG. 2: … Processor 210 (management processor) handles control plane and data processing for the cryptographic modules 104 and the high-speed input/output interfaces 206, 208, 218. In one embodiment, processor 210 is a control plane processor configured to control systolic data flow for the cryptographic modules 104, and also to control loading of keys from an external key manager to an internal key cache (see, e.g., FIG. 9 below) …); and
the plurality of physical ports, wherein each of the physical ports of the plurality of physical ports has an associated security threshold, wherein the plurality of physical ports are configured to send the plurality of data packets to and receive the plurality of data packets from the security enforcer logic chip (TAKAHASHI, Abstract, Para [0045]: … A system includes a plurality of data input ports, each port corresponding to one of a plurality of different levels of security classification; a security device, configured for cryptographic processing, coupled to receive incoming data from each of the plurality of input ports, wherein the incoming data includes first data having a first classification level; a key manager configured to select and tag-identified first set of keys from a plurality of key sets, each of the key sets corresponding to one of the different levels of security classification, wherein the first set of keys is used by the security device to encrypt the first data; and a common encrypted data storage, coupled to receive the encrypted first data from the security device for storage… each of the encrypted packets has a respective tag to identify an original entry port (e.g., a port of high-speed I/O interface 208), keys or key addresses associated with each of the encrypted packets is decrypted by one of the cryptographic modules to provide corresponding decrypted packets, and the first programmable input/output interface 208 is further configured to use the respective tag to route each decrypted packet back to its original entry port …; Examiner’s Note: High-Speed I/O blocks are considered part of Security Enforcer Logic Chip, and Crypto Modules are considered as part of the Switch Chip … ); and
However, TAKAHASHI does not explicitly teach, but Smith from same or similar field of endeavor teaches:
“wherein the security enforcer logic chip is configured to prevent transmission one of the plurality of data packets to one of the plurality of physical ports when the security level associated with the one of the plurality of data packets is incompatible with the security threshold associated with the one of the plurality of physical ports (Smith, Para [0033]: … The invention provides a method and apparatus that secures network communications through the addition of security information in the form of a security label to the packets conveyed using this method. After authenticating a user on a given network access port through an authentication protocol (e.g., Institute of Electrical and Electronics Engineers (IEEE) Standard 802.1X-2001), the authentication server can provide the network device (e.g., a layer 2 switch) with security information in the form of a security label for the access port. This security label is then used to tag packets coming from the host using a security label field (e.g., encapsulation that can be supported, for example, using IEEE Standard 802.10-1998). At the egress network access port, the packet's security information (i.e., security label) is compared to security information for the egress port (the security level of the egress port). At this point, a decision as to the handling of the packet can be made based on this comparison. For example, a decision can be made as to whether to permit or deny access to the packet. Thus, if the packet's security level is higher than the port receiving the packet, the packet can be dropped, for example. Alternatively, if a range of security levels is supported by the port, the packet can be dropped if the packet's security level is not within the range of security levels …)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Smith into the teachings of TAKAHASHI, because it discloses that the “present invention provides a number of advantages. A protocol according to the present invention moves security based on security labeled packets from the egress edge of the network deeper into the core and closer to the originator of the traffic. This improves overall security of the network, reduces the potential leakage of classified traffic from intended paths, provides some protection against distributed denial of service attacks, and improves the available network bandwidth. Moreover, although examples provided herein are specific to IEEE 802.10 security labeled packets, it will be appreciated that a protocol of the present invention can be used for the pruning of any form of security labeled packets (Smith: Para [0042]).”
TAKAHASHI further discloses:
“wherein the switch chip and the management processor are not in direct electronic communication with one another (TAKAHASHI, Para [0095] Each crypto module may have its own CPU which controls programming. Examiner’s interpretation: any communication between processor 210 and a crypto module occurs via the dedicated CPU that controls the crypto module and therefore the processor 210 (management processor) and the crypto module (the switch chip) are not in direct electronic communication with one another);
wherein the security enforcer chip is physically separate from the management processor (TAKAHASHI, Para [0042], FIG. 2: … Processor 210 (management processor) …; Examiner’s Interpretation: processor 210 in FIG. 2 is an independent/separate block from the programmable/high-speed IO block (security enforcer chip) …); and
Geoffrey Miller et al. Serial No.: 16/015,653 Filed: June 22, 2018
wherein each of the plurality of data paths of the security enforcer logic chip is isolated from every other data path of the plurality of data paths of the security enforcer logic chip (TAKAHASHI, FIG.13, Para [0126, 0124, 0133, 0135]: … a multi-level secure architecture has four I/Os for each classified level: top secret (TS), secret (S), confidential (C) and unclassified (UNC). Each classified input uses packet input engine 1306 to process … the decrypted data is routed by fail safe demultiplexer 1312 to one of several packet output engines 1308. Each packet output engine 1308 corresponds to one of the levels of security classification … data paths in the security system are physically isolated … The packet output engines 1308 are physically isolated …; Examiner’s Note: the packet input and output engines are separated/isolated per security level/classification …).”
Regarding Claim 3. The combination of TAKAHASHI-Smith discloses the multi-level secure switch according to claim 1, TAKAHASHI further discloses, “wherein the switch chip is further configured to receive one of the plurality of data packets from the security enforcer logic chip and transmit the one of the plurality of data packets to a data path of the security enforcer logic chip associated with one of the plurality of physical ports (TAKAHASHI, Para [0043]: … Physical interface 212 receives a plurality of incoming packets from data source 202. The first programmable high-speed input/output interface 208 routes each of the plurality of incoming packets to one of the cryptographic modules 104 for encryption processing to provide encrypted packets. The second programmable high-speed programmable input/output interface 206 routes the encrypted packets from the cryptographic module 104 to common encrypted data storage 204 via physical interface 214 …).”
Regarding Claim 4. The combination of TAKAHASHI-Smith discloses the multi-level secure switch according to claim 3, TAKAHASHI further discloses, “wherein security enforcer logic chip verifies the security level of the one of the plurality of data packets is compatible with the security threshold associated with the one of the plurality of physical ports (TAKAHASHI, Abstract, Para [0045, 0068-0069]: … each of the encrypted packets has a respective tag to identify an original entry port (e.g., a port of high-speed I/O interface 208), keys or key addresses associated with each of the encrypted packets is decrypted by one of the cryptographic modules to provide corresponding decrypted packets, and the first programmable input/output interface 208 is further configured to use the respective tag to route each decrypted packet back to its original entry port … each of the incoming packets to a cryptographic module 104 includes a key tag to identify at least one key associated with the packet to be security processed, and further may also include a source tag to identify a data source and keys for the packet. The internal key manager 902 is configured to retrieve the keys from one of key caches 908 using the key tag for the packet to be processed by the respective cryptographic module 104 … programmable input/output interface 106, 206, and/or 208 is further configured to route a packet to one of the plurality of cryptographic modules 104 based on the source tag …) and wherein the security enforcer logic chip drops the one of the plurality of data packets when the security level of the one of the plurality of data packets is incompatible with the security threshold associated with the one of the plurality of physical ports (TAKAHASHI, Para [0126-0127]: … multi-level secure architecture has four I/Os for each classified level: top secret (TS), secret (S), confidential (C) and unclassified (UNC). 
Each classified input uses packet input engine 1306 to process, detect, or modify packet headers of the incoming data packets and to insert header bits to denote and authenticate the classified data prior to sending to fail safe multiplexer (MUX) 1310 … the fail safe MUX 1310 is configured to ensure that the data from different classified levels will not mix with other data from a different classified level. If there is a failure in the MUX, the MUX will fail safe in a safe state. The MUX will also zeroize itself after each classified level of data is processed. This leaves no data from the last processing in the MUX (i.e., the data is erased) …; Examiner’s interpretation: the data packet associated with each port has its own security classification (level) based on the tag associated with the input port, and the mux (part of the security enforcer logic chip) ensures that the security classification of a data packet arriving at an input to the mux has the appropriate classification (security level); otherwise the mux stops processing and zeroizes the data packet, i.e. drops the data packet).”
Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 2017/0075821 A1 to TAKAHASHI (hereinafter “TAKAHASHI”) in view of Pub. No.: US 2005/0097357 A1 to Smith (hereinafter “Smith”), as applied to claim 1 above, and in view of Patent No.: US 7388958 to Maier (hereinafter “Maier”).
Regarding Claim 2. The combination of TAKAHASHI-Smith discloses the multi-level secure switch according to claim 1, however it does not explicitly teach, but Maier from same or similar field of endeavor teaches, “further comprising a plurality of magnetic isolation transformers (Maier, Column [16, 12], Lines [11-21, 33-47]; FIG. 6B: … The Tx mux 130 transfers the internal data signals to a T1 interface 141 of the DAC 122, which places the internal data signals on a T1 link associated with the transmitting system source and destination component 12a in a compartmentalized manner by means of transformer coupling. The T1 link collectively moves the compartmentalized internal data signals including the present red internal data signal to the switching unit 14 … The T1 input/output part typically has a plurality of T1 interfaces per card, e.g., four T1 interfaces per card. Each T1 interface comprises two transformer-coupled twisted pairs, one pair for transmit and one pair for receive …); and
wherein each of the plurality of magnetic isolation transformers is in electrical communication with only one of the plurality of physical ports (Maier, Column [16, 12], Lines [11-21, 33-47]; FIG. 6B: … All cards of the switching unit 14 generally comprise two parts, a processor part and an input/output part. For example, the T1 card, which provides an interface between the switching unit 14 and the T1 links, has two hardware parts, a processor part and a T1 input/output part. The T1 input/output part typically has a plurality of T1 interfaces per card, e.g., four T1 interfaces per card. Each T1 interface comprises two transformer-coupled twisted pairs, one pair for transmit and one pair for receive. All internal data signals enter the system 10 through the internal or external system source and destination components 12. Each T1 interface connects with an internal system source and destination component 12 via a T1 link enabling the transport of internal data signals between the internal system source and destination component and the switching unit 14).”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Maier into the combined teachings of TAKAHASHI-Smith, because it discloses that “A number of advantageous features are realized by the communication system of the present invention. As noted above, the primary function of the internal encryption in the system is to compartmentalize the internal data signals moving on common media so that the separate internal data signals can be distinguished from one another at the data destinations. However, internal encryption also functions to enhance the security of the internal data signals. The internal encryption provides an added level of security in the event internal data signals are intercepted by an unintended recipient external to the system. Another advantageous feature of the present invention is that internal encryption lowers the spectrum of the signal. An unintended recipient could theoretically access a weakly encrypted internal data signal through electromagnetic emanations. However, the internal encryption process distributes the signal energy more evenly across the spectrum making the internal data signal closer to the noise floor and more difficult to detect when being eavesdropped on (Maier: Column [3, 4], Lines [43-67, 1-5]).”
Claims 5, 6, 7, 8 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 2017/0075821 A1 to TAKAHASHI (hereinafter “TAKAHASHI”) in view of Pub. No.: US 2005/0097357 A1 to Smith (hereinafter “Smith”), as applied to claim 1 above, and in view of Pub. No.: US 2007/0192621 to Li (hereinafter “Li”).
Regarding Claim 5. The combination of TAKAHASHI-Smith discloses the multi-level secure switch according to claim 1, however it does not explicitly teach, but Li from same or similar field of endeavor teaches, “wherein the management processor comprises a rules engine adapted to provide security parameters to the security enforcer logic chip (Li, Abstract, Para [0012-0013]: … the security processor comprising: a data communication interface for transferring a communication data packet between the network communication security processor and an external network; a secure connection database for storing the security policy and secure connection parameters relevant to the data packet; a secure connection database operating engine for operating and maintaining the secure connection database; a multi-channel security processing engine for performing security processing on the data packet by invoking an encryption operation module; and the encryption operation module for performing encryption/decryption operations on the data packet …).”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Li into the combined teachings of TAKAHASHI-Smith, because it provides “a secure connection database operating engine, and a multi-channel security processing engine, allowing the security processing of data packets mainly performed by network communication security processor hardware circuit, thus on the one hand guaranteeing the high-speed capability of the data packet security processing, on the other hand making the central processor free from the security processing operations on each particular data packet and focused on implementing high level protocols, thereby reducing the difficulty of the system development and enhancing the system reliability (Li: Para [0031]).”
Regarding Claim 6. The combination of TAKAHASHI-Smith-Li discloses the multi-level secure switch according to claim 5, TAKAHASHI further discloses, “wherein the security enforcer logic chip is adapted to append a security tag, indicative of the security level, to each of the plurality of data packets (TAKAHASHI, Abstract, Para [0090]: … each port corresponding to one of a plurality of different levels of security classification; a security device, configured for cryptographic processing, coupled to receive incoming data from each of the plurality of input ports, wherein the incoming data includes first data having a first classification level … There may be two components to the programmable I/O interface. On one side, the interface programs the type of I/O that is desired. The other side of the interface is the router/switch. The router/switch multiplexer knows which crypto module 104 is to receive a given packet. Also, the router/switch knows which crypto module is ready for processing of a packet. For example, if crypto module number one is ready for processing, it will flag itself as being ready for processing. For example, there is a semaphore flag or packet header bits used that tells I/O interface 106 which module is ready to process data. Whatever port is used to bring in the data, that data will be processed in one of the crypto modules, and then tagged out back to the same port when later being decrypted and sent out from storage (e.g., the packet is tagged with some identification of the port using a tag). The tag is used to redirect the packet back to the correct port of original entry …).”
Regarding Claim 7. The combination of TAKAHASHI-Smith-Li discloses the multi-level secure switch according to claim 6, TAKAHASHI further discloses, “wherein the security enforcer logic chip examines the security tag appended to each of the plurality of data packets received from the switch chip and provides each of the plurality of data packets to one of the plurality of physical ports only when the security tag of the data packet meets the security threshold associated with the physical port (TAKAHASHI, Para [0043-0045], Abstract: In one embodiment, the routing and switching functions of high-speed interfaces 206 and 208 are provided by programmable input/output interface 106 of FIG. 1. In one embodiment interchangeable physical input/output interface 108 includes physical interface 212 and/or 214 … each of the encrypted packets has a respective tag to identify an original entry port (e.g., a port of high-speed I/O interface 208), keys or key addresses associated with each of the encrypted packets is decrypted by one of the cryptographic modules to provide corresponding decrypted packets, and the first programmable input/output interface 208 is further configured to use the respective tag to route each decrypted packet back to its original entry port … each port corresponding to one of a plurality of different levels of security classification …).”
Regarding Claim 8. The combination of TAKAHASHI-Smith-Li discloses the multi-level secure switch according to claim 7, TAKAHASHI further discloses, “wherein the security threshold may be defined as accepting data packets associated with a single security level (TAKAHASHI, Para [0006]: … a security device, configured for cryptographic processing, coupled to receive incoming data from each of the plurality of input ports, wherein the incoming data includes first data having a first classification level …);” and
Li further discloses, “wherein the single security level may be configured by the rules engine (Li, Para [0023-0025]: … the secure connection database operating engine looking up the information corresponding to the received data packet in the secure connection database; determining the processing to be performed on the data packet according to the results of the looking up; and when it is determined that security processing needs to be performed on the data packet … the looking up step further comprises: the secure connection database operating engine extracting a lookup-table key from the received data packet; the secure connection database operating engine looking up the security policy and secure connection parameters corresponding to the received data packet in the secure connection database according to the lookup-table key … the determining step further comprises: determining the results of the looking up: if there is no security policy corresponding to the data packet in the secure connection database, sending the data packet to the data communication interface for sending out; if there is a security policy corresponding to the data packet in the secure connection database, but the security policy is to prohibit the passage of the data packet, discarding the data packet; and if there is a security policy corresponding to the data packet in the secure connection database, and the security policy is to allow the passage of the data packet …).”
The motivation to further combine Li remains the same as in claim 5.
Regarding Claim 9. The combination of TAKAHASHI-Smith-Li discloses the multi-level secure switch according to claim 7, TAKAHASHI further discloses, “wherein the security threshold may be defined as accepting data packets associated with a plurality of security levels (TAKAHASHI, Para [0071, 0075]: … security device 102 may provide one or more of the following advantages: A multi-level security architecture to secure different levels of classified data using a single encryptor. Each classification of data will be encrypted/decrypted using a unique key per the data class. In this way, each classification of data will be uniquely encrypted/decrypted and stored in a common storage area …);” and
Li further discloses, “wherein the single security level may be configured by the rules engine (Li, Para [0023-0025]: … the secure connection database operating engine looking up the information corresponding to the received data packet in the secure connection database; determining the processing to be performed on the data packet according to the results of the looking up; and when it is determined that security processing needs to be performed on the data packet … the looking up step further comprises: the secure connection database operating engine extracting a lookup-table key from the received data packet; the secure connection database operating engine looking up the security policy and secure connection parameters corresponding to the received data packet in the secure connection database according to the lookup-table key … the determining step further comprises: determining the results of the looking up: if there is no security policy corresponding to the data packet in the secure connection database, sending the data packet to the data communication interface for sending out; if there is a security policy corresponding to the data packet in the secure connection database, but the security policy is to prohibit the passage of the data packet, discarding the data packet; and if there is a security policy corresponding to the data packet in the secure connection database, and the security policy is to allow the passage of the data packet …).”
The motivation to further combine Li remains the same as in claim 5.
Claims 10 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 2017/0075821 A1 to TAKAHASHI (hereinafter “TAKAHASHI”) in view of Pub. No.: US 2005/0097357 A1 to Smith (hereinafter “Smith”) and Pub. No.: US 2007/0192621 to Li (hereinafter “Li”), as applied to claim 6 above, and further in view of Pub. No.: US 2013/0212670 to Sutardja et al. (hereinafter “Sutardja”).
Regarding Claim 10. The combination of TAKAHASHI-Smith-Li discloses the multi-level secure switch according to claim 6, however it does not explicitly teach, but Sutardja from same or similar field of endeavor teaches, “wherein the security enforcer logic chip examines the security tag appended to each of the plurality of data packets received from the switch chip and drops each of the plurality of data packets when the security tag appended to the data packet does not meet the security threshold of the physical port to which the data packet is to be transmitted (Sutardja, Para [0043-0044, 0048]: … The ingress parsing module 116-2 may discard invalid packets and may forward valid packets and/or headers of the valid packets to the interface bus 118 and the first receive module 116-3 … The portions of the packets may include one or more headers, and/or payloads of the packets. The packet information may include information included within the headers and/or other information, such as an inspection level of the packet, a source address, a destination address, a source ID, a destination ID, a protocol ID, a length of the packet, etc. The inspection level may indicate whether the packet is: a valid packet; a packet for which additional inspection is to be performed by the bus control module 132 and/or a bus regular expression module 134; a packet to be tunneled to a central control module (e.g., the central control module 62); or an invalid packet that is to be dropped … The bus control module 132 and/or the bus RegEx module 134 may perform DPI to determine a security level of packets received, drop invalid packets, forward valid packets, and/or tunnel packets to the central control module for further inspection. The bus control module 132 may control RegEx parsing performed by the bus RegEx module 134. The bus control module 132 may use the bus memory 130, the memory control module 104 and/or the PHY memory 106 when performing zero day attack prevention. 
As each of the PHY modules 102 may include a bus control module and/or one or more RegEx module(s), a bus control module and a RegEx module may be provided for each of the MDIs 114. This provides interface or port specific packet inspection and RegEx parsing …).”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sutardja into the combined teachings of TAKAHASHI-Smith-Li, because it discloses that “Since the line cards do not include access switches and the fabric cards control access, aggregation and switching functionality for the line cards, network devices, and the Internet, the access network chassis is easily upgradable. During an upgrade, control logic, software, and/or hardware may be altered and/or replaced. The access network may be upgraded by simply replacing one or more of the fabric cards and not the line cards. In addition, complexity of a control plane associated with the access network is reduced, since switching of the connections is performed in one or more centralized locations, as opposed to being performed in numerous line cards and fabric cards (Sutardja: Para [0021]).”
Regarding Claim 12. The combination of TAKAHASHI-Smith-Li discloses the multi-level secure switch according to claim 7, however it does not explicitly teach, but Sutardja from same or similar field of endeavor teaches, “wherein the security enforcer logic chip retains the security tag appended to each of the plurality of data packets and transmits the security tag and the data packet to the physical port (Sutardja, Para [0053-0054]: … The egress parsing module 120-2 may discard invalid packets and may forward valid packets and/or headers of the valid packets to the interface bus 118 and the second receive module 120-3. The second receive module 120-3 may be a DMA device and copy and/or store packets, portions of the packets, packet descriptors, and/or packet information received from the egress parsing module 120-2 and/or the interface bus 118 in the bus memory 130 and/or the PHY memory 106. Storage in the bus memory 130 may be performed via the bus control module 132. Storage in the PHY memory 106 may be performed via the memory control module 104. The portions of the packets may include one or more headers, and/or payloads of the packets. The packet information may include information included within the headers and/or other information, such as an inspection level of the packet, a source address, a destination address, a source ID, a destination ID, a protocol ID, a length of the packet, etc. … The second receive module 120-3 may store packets in and/or copy packets to the PHY memory 106 and/or forward packets to the transmit FIFO module 120-4 based on instructions from the interface bus 118 …).”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sutardja into the combined teachings of TAKAHASHI-Smith-Li, because it discloses that “Since the line cards do not include access switches and the fabric cards control access, aggregation and switching functionality for the line cards, network devices, and the Internet, the access network chassis is easily upgradable. During an upgrade, control logic, software, and/or hardware may be altered and/or replaced. The access network may be upgraded by simply replacing one or more of the fabric cards and not the line cards. In addition, complexity of a control plane associated with the access network is reduced, since switching of the connections is performed in one or more centralized locations, as opposed to being performed in numerous line cards and fabric cards (Sutardja: Para [0021]).”
Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 2017/0075821 A1 to TAKAHASHI (hereinafter “TAKAHASHI”) in view of Pub. No.: US 2005/0097357 A1 to Smith (hereinafter “Smith”) and Pub. No.: US 2007/0192621 to Li (hereinafter “Li”), as applied to claim 7 above, and further in view of Pub. No.: US 2018/0287820 to MAYER-WOLF et al. (hereinafter “MAYER-WOLF”).
Regarding Claim 11. The combination of TAKAHASHI-Smith-Li discloses the multi-level secure switch according to claim 7, however it does not explicitly teach, but MAYER-WOLF from same or similar field of endeavor teaches, “wherein the security enforcer logic chip strips the security tag appended to each of the plurality of data packets received from the switch chip prior to transmitting the data packet to the physical port (MAYER-WOLF, Para [0080]: … The processor 858 executes the particular set of computer-readable instructions to perform the corresponding set of egress processing operations with respect to the packet. For example, if the packet is a packet ingressing the network switching system 100, the packet processor 858 executes the set of computer-readable instructions to insert a forwarding tag into the header of the packet provided in the packet information 856. As another example, if the packet is a packet egressing the network switching system 100, the processor 858 executes the set of computer-readable instructions to strip a forwarding tag from the header of the packet provided in the packet information 856. As yet another example, the processor 858 executes the set of computer-readable instructions to perform a security check on the packet and to determine, based on the security check, whether or not to drop the packet …).”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of MAYER-WOLF into the combined teachings of TAKAHASHI-Smith-Li, because it discloses that “engaging hardware accelerator engines 864 to perform the processing operations allows the packet processor 858 to, for example, more quickly insert a tag (e.g., a forwarding tag) into a header of a packet and/or to more quickly strip a tag (e.g., a forwarding tag) from a header of a packet as compared to an implementation in which a processor executing computer-readable instructions does not engage hardware engines to perform the operations (e.g., the information shifting operations) (MAYER-WOLF: Para [0081]).”
Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 2017/0075821 A1 to TAKAHASHI (hereinafter “TAKAHASHI”) in view of Pub. No.: US 2005/0097357 A1 to Smith (hereinafter “Smith”), as applied to claim 1 above, and further in view of Pub. No.: US 2013/0212670 to Sutardja et al. (hereinafter “Sutardja”).
Regarding Claim 14. The combination of TAKAHASHI-Smith discloses the multi-level secure switch according to claim 1, however it does not explicitly teach, but Sutardja from same or similar field of endeavor teaches, “wherein the management processor is configured to receive one of the plurality of data packets only when the data packet is specifically designated for the management processor (Sutardja, Para [0028-0029, 0043, 0070]: … The PHY module may inspect ingress packets, forward the ingress packets towards the aggregation switch 38, tunnel the ingress packets to the central control module 36 for further inspection, and/or drop invalid or unsecure ones of the ingress packets … packets for which centralized inspection is to be performed … The inspection level may indicate whether the packet is: a valid packet; a packet for which additional inspection is to be performed by the bus control module 132 and/or a bus regular expression module 134; a packet to be tunneled to a central control module (e.g., the central control module 62); or an invalid packet that is to be dropped …).”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sutardja into the combined teachings of TAKAHASHI-Smith, because it discloses that “the ingress parsing module 116-2 may not analyze a received packet having a pattern of an indiscernible packet type stored in the SCM 150. The ingress parsing module 116-2 may instead directly transfer the packet to a central control module for evaluation. This reduces RegEx processing time of the ingress parsing module 116-2 (Sutardja: Para [0070]).”
Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 2017/0075821 A1 to TAKAHASHI (hereinafter “TAKAHASHI”).
Regarding Claim 15. TAKAHASHI discloses A multi-level secure switch (TAKAHASHI: Abstract, Para [0008, 0044-0047]) comprising:
a security enforcer logic chip configured to receive a plurality of data packets (TAKAHASHI, Para [0025-0027, 0069], FIG. 2, FIG. 11-13: … Programmable input/output interface 106 is coupled to the interchangeable physical interface and is configured to route each of the plurality of incoming packets to one of the cryptographic modules 104 for encryption to provide a plurality of encrypted packets … For outgoing packets, programmable input/output interface 106 routes encrypted packets to one of the cryptographic modules 104 for decryption … programmable input/output interface 106, 206, and/or 208 (security enforcer logic chip) is further configured to route a packet to one of the plurality of cryptographic modules 104 based on the source tag …), each having an associated security level (TAKAHASHI, Abstract: … A system includes a plurality of data input ports, each port corresponding to one of a plurality of different levels of security classification; a security device, configured for cryptographic processing, coupled to receive incoming data from each of the plurality of input ports, wherein the incoming data includes first data having a first classification level …), and to append a security tag, which is indicative of the security level, to each of the plurality of data packets (TAKAHASHI, Para [0126]: … a multi-level secure architecture has four I/Os for each classified level: top secret (TS), secret (S), confidential (C) and unclassified (UNC). Each classified input uses packet input engine 1306 to process, detect, or modify packet headers of the incoming data packets and to insert header bits to denote and authenticate the classified data prior to sending to fail safe multiplexer (MUX) 1310…), wherein the security enforcer logic chip comprises:
a plurality of data paths, wherein each of the plurality of data paths connects a single port of a plurality of ports of a switch chip to a single physical port of a plurality of physical ports (TAKAHASHI, FIG. 2, FIG. 11-13, Para [0101-0102, 0122, 0124, 0008, 0098, 0106, 0132, 0137]: … FIG. 11 shows a multi-level independent security system, according to one embodiment. This system uses four input/output ports 1106 (I/Os) for each of several classified levels such as, e.g., top secret (TS), secret (S), confidential (C) and unclassified (UNC) … Ports 1106 are coupled to a security device 1102, which includes multiple key caches 1104. Security device 1102 receives data from one of ports 1106, encrypts the data, and sends the data for storage in a common encrypted data storage 204 (storage 204 may be, for example, a storage area or a network). In one embodiment, security device 1102 may be implemented based on security device 102 as was discussed above for FIGS. 1-10 … Incoming data from one of packet input engines 1306 is routed by fail safe multiplexer 1310 to cryptographic core 1302 for encryption … The decrypted data is routed by fail safe demultiplexer 1312 to one of several packet output engines 1308. Each packet output engine 1308 corresponds to one of the levels of security classification … each port corresponding to one of a plurality of different levels of security classification; a plurality of cryptographic modules, each cryptographic module dedicated to perform encryption and decryption for one of the different levels of security classification, each cryptographic module coupled to receive incoming data from one of the plurality of data ports … each cryptographic module 104 may be physically isolated by design. So, only a certain packet will go through a module number one and only certain other packets will go through module number two. For example, crypto module number one may only process a certain style of packet. 
Crypto module number two may only process packets for a particular customer. Thus, it is physically partitioned … security device 1102 comprises a plurality of cryptographic modules (discussed below), and each cryptographic module is dedicated to perform security processing for only one of the different levels of security classification. In one embodiment, the system further comprises key caches 1104. In one embodiment, each of the cryptographic modules is physically isolated from the other of the cryptographic modules …; Examiner’s Interpretation: the security enforcer logic chip is comprised of the High-Speed I/O modules of FIG. 2, and the switch chip is comprised of the Crypto Modules of FIG. 2. The high-speed I/O modules connect to the physical ports and also to the crypto modules. FIG. 13 and the related descriptions disclose Packet Input Engines (1306) and Packet Output Engines (1308); the packet input and output engines are considered the plurality of data paths of the Security Enforcer Logic Chip, where a single port on the security enforcer logic chip connects to a single physical port and, on the other side, a different port connects to a single port on the switch chip (i.e., the crypto modules) …);
the switch chip configured to receive the plurality of data packets from and transmit the plurality of data packets to the plurality of data paths of the security enforcer logic chip (TAKAHASHI, Para [0012, 0025-0026]: … FIG. 2 shows a systolic-matrix security processing system for receiving and encrypting data packets from a non-encrypted data source, and concurrently processing control and data from a control plane for storage in a common encrypted data storage, according to one embodiment … FIG. 1 shows a security processing system including a security device 102 with a plurality of programmable cryptographic modules 104 and a programmable input/output interface 106, according to one embodiment. An interchangeable physical interface 108 is configured to receive a plurality of incoming packets from a data source (e.g., through physical interface 110). In one embodiment, the plurality of cryptographic modules is configured using at least two systolic layers for processing of packets, control data, and keys as discussed further below … Programmable input/output interface 106 is coupled to the interchangeable physical interface and is configured to route each of the plurality of incoming packets to one of the cryptographic modules 104 for encryption to provide a plurality of encrypted packets. The programmable input/output interface 106 is configured to route the encrypted packets to a common internal or external data storage …), wherein the switch chip comprises the plurality of ports of the switch chip (TAKAHASHI, FIG. 2, Para [0098]: … each cryptographic module 104 may be physically isolated by design. So, only a certain packet will go through a module number one and only certain other packets will go through module number two …; Examiner’s Interpretation: the Switch Chip is comprised of the cryptographic modules, each having its own interface/port; therefore there is a plurality of ports …);
a management processor configured to provide a plurality of security parameters to the security enforcer logic chip (TAKAHASHI, Para [0042], FIG. 2: … Processor 210 handles control plane and data processing for the cryptographic modules 104 and the high-speed input/output interfaces 206, 208, 218. In one embodiment, processor 210 is a control plane processor configured to control systolic data flow for the cryptographic modules 104, and also to control loading of keys from an external key manager to an internal key cache (see, e.g., FIG. 9 below) …); and
the plurality of physical ports, wherein each of the physical ports of the plurality of physical ports has an associated security threshold and, wherein the plurality of physical ports are each configured to receive or transmit the plurality of data packets on one of the plurality of data paths (TAKAHASHI, Abstract, Para [0045]: … A system includes a plurality of data input ports, each port corresponding to one of a plurality of different levels of security classification; a security device, configured for cryptographic processing, coupled to receive incoming data from each of the plurality of input ports, wherein the incoming data includes first data having a first classification level; a key manager configured to select and tag-identified first set of keys from a plurality of key sets, each of the key sets corresponding to one of the different levels of security classification, wherein the first set of keys is used by the security device to encrypt the first data; and a common encrypted data storage, coupled to receive the encrypted first data from the security device for storage… each of the encrypted packets has a respective tag to identify an original entry port (e.g., a port of high-speed I/O interface 208), keys or key addresses associated with each of the encrypted packets is decrypted by one of the cryptographic modules to provide corresponding decrypted packets, and the first programmable input/output interface 208 is further configured to use the respective tag to route each decrypted packet back to its original entry port …);
wherein the security enforcer logic chip is adapted to examine the security tag of the one of the plurality of data packets received from the switch chip and provide the one of the plurality of data packets to one of the one of the plurality of physical ports only when the security tag of the data packet meets the security threshold associated with the one of the plurality of physical ports (TAKAHASHI, Abstract, Para [0045]: … each port corresponding to one of a plurality of different levels of security classification … each of the encrypted packets has a respective tag to identify an original entry port (e.g., a port of high-speed I/O interface 208), keys or key addresses associated with each of the encrypted packets is decrypted by one of the cryptographic modules to provide corresponding decrypted packets, and the first programmable input/output interface 208 is further configured to use the respective tag to route each decrypted packet back to its original entry port …);
wherein the switch chip and the management processor are not in direct electronic communication with one another (TAKAHASHI, Para [0095]: … Each crypto module may have its own CPU which controls programming …; Examiner’s Interpretation: any communication between processor 210 and a crypto module occurs via the dedicated CPU that controls the crypto module, and therefore the processor 210 (management processor) and the crypto module (the switch chip) are not in direct electronic communication with one another);
wherein the security enforcer chip is physically separate from the management processor (TAKAHASHI, Para [0042], FIG. 2: … Processor 210 (management processor) …; Examiner’s Interpretation: processor 210 in FIG. 2 is an independent/separate block from the programmable/high-speed IO block (security enforcer chip) …); and
wherein each of the plurality of data paths of the security enforcer logic chip is isolated from every other data path of the plurality of data paths of the security enforcer logic chip (TAKAHASHI, FIG.13, Para [0126, 0124, 0133, 0135]: … a multi-level secure architecture has four I/Os for each classified level: top secret (TS), secret (S), confidential (C) and unclassified (UNC). Each classified input uses packet input engine 1306 to process … the decrypted data is routed by fail safe demultiplexer 1312 to one of several packet output engines 1308. Each packet output engine 1308 corresponds to one of the levels of security classification … data paths in the security system are physically isolated … The packet output engines 1308 are physically isolated …; Examiner’s Note: the packet input and output engines are separated/isolated per security level/classification …).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of embodiments of FIG. 1 and FIG. 3 of TAKAHASHI with the embodiment of FIG. 2, because it discloses that the “use of the interchangeable I/O interface 108 and programmable I/O interface 106 (implemented using an FPGA I/O systolic array) provides the following advantages: 1) The FPGA I/O systolic array can be programmed for different interfaces and the interchangeable I/O is designed with the selected interface's physical electronics and connectors. This permits the main physical chassis of security device 102 to remain unchanged and to readily use different interface options that can be changed by a user. 2) The security device architecture in conjunction with the interchangeable I/O provides a high-density connectors capability. These flexible I/O design features can be programmed for many different types of interfaces to maximize interfacing flexibility to an end network application. 3) Scalable performance in programmable specified data rate increments for each cryptographic module up to, e.g., six modules which will have up to six times the programmed full duplex data rates. Other lesser or greater numbers of cryptographic modules may be used in other designs (TAKAHASHI, Para [0033-0036]).”
Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 2017/0075821 A1 to TAKAHASHI (hereinafter “TAKAHASHI”), as applied to claim 15 above, and in view of Patent No.: US 7388958 to Maier (hereinafter “Maier”).
Regarding Claim 16. TAKAHASHI discloses the multi-level secure switch according to claim 15, however it does not explicitly teach, but Maier from same or similar field of endeavor teaches, “further comprising a plurality of magnetic isolation transformers (Maier, Column [16, 12], Lines [11-21, 33-47]; FIG. 6B: … The Tx mux 130 transfers the internal data signals to a T1 interface 141 of the DAC 122, which places the internal data signals on a T1 link associated with the transmitting system source and destination component 12a in a compartmentalized manner by means of transformer coupling. The T1 link collectively moves the compartmentalized internal data signals including the present red internal data signal to the switching unit 14 … The T1 input/output part typically has a plurality of T1 interfaces per card, e.g., four T1 interfaces per card. Each T1 interface comprises two transformer-coupled twisted pairs, one pair for transmit and one pair for receive …); and
wherein each of the plurality of magnetic isolation transformers is in electrical communication with only one of the plurality of physical ports (Maier, Column [16, 12], Lines [11-21, 33-47]; FIG. 6B: … All cards of the switching unit 14 generally comprise two parts, a processor part and an input/output part. For example, the T1 card, which provides an interface between the switching unit 14 and the T1 links, has two hardware parts, a processor part and a T1 input/output part. The T1 input/output part typically has a plurality of T1 interfaces per card, e.g., four T1 interfaces per card. Each T1 interface comprises two transformer-coupled twisted pairs, one pair for transmit and one pair for receive. All internal data signals enter the system 10 through the internal or external system source and destination components 12. Each T1 interface connects with an internal system source and destination component 12 via a T1 link enabling the transport of internal data signals between the internal system source and destination component and the switching unit 14).”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Maier into the teachings of TAKAHASHI, because it discloses that “A number of advantageous features are realized by the communication system of the present invention. As noted above, the primary function of the internal encryption in the system is to compartmentalize the internal data signals moving on common media so that the separate internal data signals can be distinguished from one another at the data destinations. However, internal encryption also functions to enhance the security of the internal data signals. The internal encryption provides an added level of security in the event internal data signals are intercepted by an unintended recipient external to the system. Another advantageous feature of the present invention is that internal encryption lowers the spectrum of the signal. An unintended recipient could theoretically access a weakly encrypted internal data signal through electromagnetic emanations. However, the internal encryption process distributes the signal energy more evenly across the spectrum making the internal data signal closer to the noise floor and more difficult to detect when being eavesdropped on (Maier: Column [3, 4], Lines [43-67, 1-5]).”
Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 2017/0075821 A1 to TAKAHASHI (hereinafter “TAKAHASHI”), as applied to claim 15 above, and in view of Pub. No.: US 2007/0192621 to Li (hereinafter “Li”).
Regarding Claim 17. TAKAHASHI discloses the multi-level secure switch according to claim 15, however it does not explicitly teach, but Li from same or similar field of endeavor teaches, “wherein the management processor comprises a rules engine adapted to provide security parameters to the security enforcer logic chip (Li, Abstract, Para [0012-0013]: … the security processor comprising: a data communication interface for transferring a communication data packet between the network communication security processor and an external network; a secure connection database for storing the security policy and secure connection parameters relevant to the data packet; a secure connection database operating engine for operating and maintaining the secure connection database; a multi-channel security processing engine for performing security processing on the data packet by invoking an encryption operation module; and the encryption operation module for performing encryption/decryption operations on the data packet …).”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Li into the teachings of TAKAHASHI, because it provides “a secure connection database operating engine, and a multi-channel security processing engine, allowing the security processing of data packets mainly performed by network communication security processor hardware circuit, thus on the one hand guaranteeing the high-speed capability of the data packet security processing, on the other hand making the central processor free from the security processing operations on each particular data packet and focused on implementing high level protocols, thereby reducing the difficulty of the system development and enhancing the system reliability (Li: Para [0031]).”
Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 2017/0075821 A1 to TAKAHASHI (hereinafter “TAKAHASHI”), as applied to claim 15 above, and further in view of Pub. No.: US 2013/0212670 to Sutardja et al. (hereinafter “Sutardja”).
Regarding Claim 19. TAKAHASHI discloses the multi-level secure switch according to claim 15, however it does not explicitly teach, but Sutardja from same or similar field of endeavor teaches, “wherein the management processor is configured to receive one of the plurality of data packets only when the data packet is specifically designated for the management processor (Sutardja, Para [0028-0029, 0043, 0070]: … The PHY module may inspect ingress packets, forward the ingress packets towards the aggregation switch 38, tunnel the ingress packets to the central control module 36 for further inspection, and/or drop invalid or unsecure ones of the ingress packets … packets for which centralized inspection is to be performed … The inspection level may indicate whether the packet is: a valid packet; a packet for which additional inspection is to be performed by the bus control module 132 and/or a bus regular expression module 134; a packet to be tunneled to a central control module (e.g., the central control module 62); or an invalid packet that is to be dropped …).”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sutardja into the teachings of TAKAHASHI, because it discloses that “the ingress parsing module 116-2 may not analyze a received packet having a pattern of an indiscernible packet type stored in the SCM 150. The ingress parsing module 116-2 may instead directly transfer the packet to a central control module for evaluation. This reduces RegEx processing time of the ingress parsing module 116-2 (Sutardja: Para [0070]).”
Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 2017/0075821 A1 to TAKAHASHI (hereinafter “TAKAHASHI”) in view of Pub. No.: US 2007/0192621 to Li (hereinafter “Li”), and further in view of Pub. No.: US 2013/0212670 to Sutardja et al. (hereinafter “Sutardja”) and Patent No.: US 7388958 to Maier (hereinafter “Maier”).
Regarding Claim 20, TAKAHASHI discloses a multi-level secure switch (TAKAHASHI: Abstract, Para [0008, 0044-0047]) comprising:
a security enforcer logic chip configured to receive a plurality of data packets, (TAKAHASHI, Para [0025-0027, 0069]: … Programmable input/output interface 106 is coupled to the interchangeable physical interface and is configured to route each of the plurality of incoming packets to one of the cryptographic modules 104 for encryption to provide a plurality of encrypted packets … For outgoing packets, programmable input/output interface 106 routes encrypted packets to one of the cryptographic modules 104 for decryption … programmable input/output interface 106, 206, and/or 208 (security enforcer logic chip) is further configured to route a packet to one of the plurality of cryptographic modules 104 based on the source tag …) each having an associated security level (TAKAHASHI, Abstract: … A system includes a plurality of data input ports, each port corresponding to one of a plurality of different levels of security classification; a security device, configured for cryptographic processing, coupled to receive incoming data from each of the plurality of input ports, wherein the incoming data includes first data having a first classification level …), and to append a security tag, indicative of the security level, to each of the plurality of data packets (TAKAHASHI, Para [0126]: … a multi-level secure architecture has four I/Os for each classified level: top secret (TS), secret (S), confidential (C) and unclassified (UNC). Each classified input uses packet input engine 1306 to process, detect, or modify packet headers of the incoming data packets and to insert header bits to denote and authenticate the classified data prior to sending to fail safe multiplexer (MUX) 1310…), wherein the security enforcer logic chip comprises:
a plurality of data paths, wherein each of the plurality of data paths connects a single port of a plurality of ports of a switch chip to a single physical port of a plurality of physical ports (TAKAHASHI, FIG. 2, FIG. 11-13, Para [0101-0102, 0122, 0124, 0008, 0098, 0106, 0132, 0137]: … FIG. 11 shows a multi-level independent security system, according to one embodiment. This system uses four input/output ports 1106 (I/Os) for each of several classified levels such as, e.g., top secret (TS), secret (S), confidential (C) and unclassified (UNC) … Ports 1106 are coupled to a security device 1102, which includes multiple key caches 1104. Security device 1102 receives data from one of ports 1106, encrypts the data, and sends the data for storage in a common encrypted data storage 204 (storage 204 may be, for example, a storage area or a network). In one embodiment, security device 1102 may be implemented based on security device 102 as was discussed above for FIGS. 1-10 … Incoming data from one of packet input engines 1306 is routed by fail safe multiplexer 1310 to cryptographic core 1302 for encryption … The decrypted data is routed by fail safe demultiplexer 1312 to one of several packet output engines 1308. Each packet output engine 1308 corresponds to one of the levels of security classification … each port corresponding to one of a plurality of different levels of security classification; a plurality of cryptographic modules, each cryptographic module dedicated to perform encryption and decryption for one of the different levels of security classification, each cryptographic module coupled to receive incoming data from one of the plurality of data ports … each cryptographic module 104 may be physically isolated by design. So, only a certain packet will go through a module number one and only certain other packets will go through module number two. For example, crypto module number one may only process a certain style of packet. Crypto module number two may only process packets for a particular customer. Thus, it is physically partitioned … security device 1102 comprises a plurality of cryptographic modules (discussed below), and each cryptographic module is dedicated to perform security processing for only one of the different levels of security classification. In one embodiment, the system further comprises key caches 1104. In one embodiment, each of the cryptographic modules is physically isolated from the other of the cryptographic modules …; Examiner’s Interpretation: the security enforcer logic chip is comprised of the High-Speed I/O modules of FIG. 2, and the switch chip is comprised of the Crypto Modules of FIG. 2. The High-Speed I/O modules connect to the physical ports and also to the crypto modules. FIG. 13 and the related description disclose Packet Input Engines (1306) and Packet Output Engines (1308); the packet input and output engines are considered the plurality of data paths of the Security Enforcer Logic Chip, where a single port on the security enforcer logic chip connects to a single physical port and, on the other side, a different port connects to a single port on the switch chip (i.e., the crypto modules) …);
the switch chip configured to interface with the security enforcer logic chip to receive one of the plurality of data packets and transmit the one of the plurality of data packets to one of a plurality of data paths of the security enforcer logic chip (TAKAHASHI, Para [0012, 0025-0026]: … FIG. 2 shows a systolic-matrix security processing system for receiving and encrypting data packets from a non-encrypted data source, and concurrently processing control and data from a control plane for storage in a common encrypted data storage, according to one embodiment … FIG. 1 shows a security processing system including a security device 102 with a plurality of programmable cryptographic modules 104 (switch chip) and a programmable input/output interface 106, (security enforcer logic chip) according to one embodiment. An interchangeable physical interface 108 is configured to receive a plurality of incoming packets from a data source (e.g., through physical interface 110). In one embodiment, the plurality of cryptographic modules is configured using at least two systolic layers for processing of packets, control data, and keys as discussed further below … Programmable input/output interface 106 is coupled to the interchangeable physical interface and is configured to route each of the plurality of incoming packets to one of the cryptographic modules 104 for encryption to provide a plurality of encrypted packets. The programmable input/output interface 106 is configured to route the encrypted packets to a common internal or external data storage …), wherein the switch chip comprises the plurality of ports of the switch chip (TAKAHASHI, FIG. 2, Para [0098]: … each cryptographic module 104 may be physically isolated by design. So, only a certain packet will go through a module number one and only certain other packets will go through module number two …; Examiner’s Interpretation: the Switch Chip is comprised of the cryptographic modules, each having its own interface/port; therefore there are a plurality of ports …);
a management processor (TAKAHASHI, Para [0042], FIG. 2: … Processor 210 handles control plane and data processing for the cryptographic modules 104 and the high-speed input/output interfaces 206, 208, 218. In one embodiment, processor 210 is a control plane processor configured to control systolic data flow for the cryptographic modules 104, and also to control loading of keys from an external key manager to an internal key cache (see, e.g., FIG. 9 below) …), [having a rules engine adapted to provide security parameters to the security enforcer logic chip, configured to interface with the security enforcer logic chip, and configured to receive one of the plurality of data packets only when the data packet is specifically designated for the management processor]; and
the plurality of physical ports, wherein each of the physical ports of the plurality of physical ports has an associated security threshold and each is configured to interface with one of the plurality of data paths (TAKAHASHI, Abstract, Para [0045], FIG. 2, FIG. 11-13: … A system includes a plurality of data input ports, each port corresponding to one of a plurality of different levels of security classification; a security device, configured for cryptographic processing, coupled to receive incoming data from each of the plurality of input ports, wherein the incoming data includes first data having a first classification level; a key manager configured to select and tag-identified first set of keys from a plurality of key sets, each of the key sets corresponding to one of the different levels of security classification, wherein the first set of keys is used by the security device to encrypt the first data; and a common encrypted data storage, coupled to receive the encrypted first data from the security device for storage… each of the encrypted packets has a respective tag to identify an original entry port (e.g., a port of high-speed I/O interface 208), keys or key addresses associated with each of the encrypted packets is decrypted by one of the cryptographic modules to provide corresponding decrypted packets, and the first programmable input/output interface 208 is further configured to use the respective tag to route each decrypted packet back to its original entry port …; Examiner’s Note: the High-Speed I/O blocks are considered part of the Security Enforcer Logic Chip, and the Crypto Modules are considered part of the Switch Chip …); and
[a plurality of magnetic isolation transformers];
wherein the security enforcer logic chip is adapted to examine the security tag of the one of the plurality of data packets received from the switch chip and provide the one of the plurality of data packets to one of the one of the plurality of physical ports only when the security tag of the data packet meets the security threshold associated with the one of the plurality of physical ports (TAKAHASHI, Abstract, Para [0045]: … each port corresponding to one of a plurality of different levels of security classification … each of the encrypted packets has a respective tag to identify an original entry port (e.g., a port of high-speed I/O interface 208), keys or key addresses associated with each of the encrypted packets is decrypted by one of the cryptographic modules to provide corresponding decrypted packets, and the first programmable input/output interface 208 is further configured to use the respective tag to route each decrypted packet back to its original entry port …);
[wherein the security enforcer logic chip examines the security tag of the one of the plurality of data packets received from the switch chip and drops the one of the plurality of data packets when the security tag of the data packet does not meet the security threshold associated with the one of the plurality of physical ports to which the data packet is to be transmitted;
wherein each of the plurality of magnetic isolation transformers is in electrical communication with only one of the plurality of physical ports];
wherein each of the plurality of paths is isolated from each of the other paths and each of the plurality of paths connects a single port of the switch chip with a single physical port (TAKAHASHI, Para [0008, 0098, 0106]: … a security device includes: a plurality of data ports, each port corresponding to one of a plurality of different levels of security classification; a plurality of cryptographic modules, each cryptographic module dedicated to perform encryption and decryption for one of the different levels of security classification, each cryptographic module coupled to receive incoming data from one of the plurality of data ports … each cryptographic module 104 may be physically isolated by design. So, only a certain packet will go through a module number one and only certain other packets will go through module number two. For example, crypto module number one may only process a certain style of packet. Crypto module number two may only process packets for a particular customer. Thus, it is physically partitioned … security device 1102 comprises a plurality of cryptographic modules (discussed below), and each cryptographic module is dedicated to perform security processing for only one of the different levels of security classification. In one embodiment, the system further comprises key caches 1104. In one embodiment, each of the cryptographic modules is physically isolated from the other of the cryptographic modules …);
wherein the switch chip and the management processor are not in direct electronic communication with one another (TAKAHASHI, Para [0095]: … Each crypto module may have its own CPU which controls programming …; Examiner’s interpretation: any communication between processor 210 and a crypto module occurs via the dedicated CPU that controls the crypto module, and therefore the processor 210 (management processor) and the crypto module (the switch chip) are not in direct electronic communication with one another);
wherein the security enforcer chip is physically separate from the management processor (TAKAHASHI, Para [0042], FIG. 2: … Processor 210 (management processor) …; Examiner’s Interpretation: processor 210 in FIG. 2 is an independent/separate block from the programmable/high-speed IO block (security enforcer chip) …); and
wherein each of the plurality of data paths of the security enforcer logic chip is isolated from every other data path of the plurality of data paths of the security enforcer logic chip (TAKAHASHI, FIG. 13, Para [0126, 0124, 0133, 0135]: … a multi-level secure architecture has four I/Os for each classified level: top secret (TS), secret (S), confidential (C) and unclassified (UNC). Each classified input uses packet input engine 1306 to process … the decrypted data is routed by fail safe demultiplexer 1312 to one of several packet output engines 1308. Each packet output engine 1308 corresponds to one of the levels of security classification … data paths in the security system are physically isolated … The packet output engines 1308 are physically isolated …; Examiner’s Note: the packet input and output engines are separated/isolated per security level/classification …).
However, TAKAHASHI does not explicitly teach, but Li from same or similar field of endeavor teaches, “having a rules engine adapted to provide security parameters to the security enforcer logic chip, configured to interface with the security enforcer logic chip (Li, Abstract, Para [0012-0013]: … the security processor comprising: a data communication interface for transferring a communication data packet between the network communication security processor and an external network; a secure connection database for storing the security policy and secure connection parameters relevant to the data packet; a secure connection database operating engine for operating and maintaining the secure connection database; a multi-channel security processing engine for performing security processing on the data packet by invoking an encryption operation module; and the encryption operation module for performing encryption/decryption operations on the data packet …)”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Li into the teachings of TAKAHASHI, because it provides “a secure connection database operating engine, and a multi-channel security processing engine, allowing the security processing of data packets mainly performed by network communication security processor hardware circuit, thus on the one hand guaranteeing the high-speed capability of the data packet security processing, on the other hand making the central processor free from the security processing operations on each particular data packet and focused on implementing high level protocols, thereby reducing the difficulty of the system development and enhancing the system reliability (Li: Para [0031]).”
The combination of TAKAHASHI and Li does not explicitly teach, but Sutardja, from the same or similar field of endeavor, teaches:
“configured to receive one of the plurality of data packets only when the data packet is specifically designated for the management processor (Sutardja, Para [0043]: … The inspection level may indicate whether the packet is: a valid packet; a packet for which additional inspection is to be performed by the bus control module 132 and/or a bus regular expression module 134; a packet to be tunneled to a central control module (e.g., the central control module 62); or an invalid packet that is to be dropped …)”
wherein the security enforcer logic chip examines the security tag of the one of the plurality of data packets received from the switch chip and drops the one of the plurality of data packets when the security tag of the data packet does not meet the security threshold associated with the one of the plurality of physical ports to which the data packet is to be transmitted (Sutardja, Para [0043-0044, 0048]: … The ingress parsing module 116-2 may discard invalid packets and may forward valid packets and/or headers of the valid packets to the interface bus 118 and the first receive module 116-3 … The portions of the packets may include one or more headers, and/or payloads of the packets. The packet information may include information included within the headers and/or other information, such as an inspection level of the packet, a source address, a destination address, a source ID, a destination ID, a protocol ID, a length of the packet, etc. The inspection level may indicate whether the packet is: a valid packet; a packet for which additional inspection is to be performed by the bus control module 132 and/or a bus regular expression module 134; a packet to be tunneled to a central control module (e.g., the central control module 62); or an invalid packet that is to be dropped … The bus control module 132 and/or the bus RegEx module 134 may perform DPI to determine a security level of packets received, drop invalid packets, forward valid packets, and/or tunnel packets to the central control module for further inspection. The bus control module 132 may control RegEx parsing performed by the bus RegEx module 134. The bus control module 132 may use the bus memory 130, the memory control module 104 and/or the PHY memory 106 when performing zero day attack prevention. As each of the PHY modules 102 may include a bus control module and/or one or more RegEx module(s), a bus control module and a RegEx module may be provided for each of the MDIs 114. This provides interface or port specific packet inspection and RegEx parsing …);
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sutardja into the combined teachings of TAKAHASHI-Li, because it discloses that “Since the line cards do not include access switches and the fabric cards control access, aggregation and switching functionality for the line cards, network devices, and the Internet, the access network chassis is easily upgradable. During an upgrade, control logic, software, and/or hardware may be altered and/or replaced. The access network may be upgraded by simply replacing one or more of the fabric cards and not the line cards. In addition, complexity of a control plane associated with the access network is reduced, since switching of the connections is performed in one or more centralized locations, as opposed to being performed in numerous line cards and fabric cards (Sutardja: Para [0021]).”
However, the combination of TAKAHASHI, Li and Sutardja does not explicitly teach, but Maier, from the same or similar field of endeavor, teaches:
“a plurality of magnetic isolation transformers (Maier, Column [16, 12], Lines [11-21, 33-47]; FIG. 6B: … The Tx mux 130 transfers the internal data signals to a T1 interface 141 of the DAC 122, which places the internal data signals on a T1 link associated with the transmitting system source and destination component 12a in a compartmentalized manner by means of transformer coupling. The T1 link collectively moves the compartmentalized internal data signals including the present red internal data signal to the switching unit 14 … The T1 input/output part typically has a plurality of T1 interfaces per card, e.g., four T1 interfaces per card. Each T1 interface comprises two transformer-coupled twisted pairs, one pair for transmit and one pair for receive …);
wherein each of the plurality of magnetic isolation transformers is in electrical communication with only one of the plurality of physical ports (Maier, Column [16, 12], Lines [11-21, 33-47]; FIG. 6B: … The Tx mux 130 transfers the internal data signals to a T1 interface 141 of the DAC 122, which places the internal data signals on a T1 link associated with the transmitting system source and destination component 12a in a compartmentalized manner by means of transformer coupling. The T1 link collectively moves the compartmentalized internal data signals including the present red internal data signal to the switching unit 14 … The T1 input/output part typically has a plurality of T1 interfaces per card, e.g., four T1 interfaces per card. Each T1 interface comprises two transformer-coupled twisted pairs, one pair for transmit and one pair for receive …)”;
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Maier into the combined teachings of TAKAHASHI-Li-Sutardja, because it discloses that “A number of advantageous features are realized by the communication system of the present invention. As noted above, the primary function of the internal encryption in the system is to compartmentalize the internal data signals moving on common media so that the separate internal data signals can be distinguished from one another at the data destinations. However, internal encryption also functions to enhance the security of the internal data signals. The internal encryption provides an added level of security in the event internal data signals are intercepted by an unintended recipient external to the system. Another advantageous feature of the present invention is that internal encryption lowers the spectrum of the signal. An unintended recipient could theoretically access a weakly encrypted internal data signal through electromagnetic emanations. However, the internal encryption process distributes the signal energy more evenly across the spectrum making the internal data signal closer to the noise floor and more difficult to detect when being eavesdropped on (Maier: Column [3, 4], Lines [43-67, 1-5]).”
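For readers following the claim 20 limitations mapped above (the enforcer appends a security tag on ingress, the management processor's rules engine supplies per-port security thresholds, the switch chip forwards without touching the tag, the enforcer delivers a packet to a physical port only when its tag meets that port's threshold and drops it otherwise, and the management processor receives only packets designated for it), the following Python is an added illustrative model of that behavior. It is not the applicant's code and not code from TAKAHASHI, Li, Sutardja or Maier. The four level names are taken from TAKAHASHI's example; the ordering UNC < C < S < TS, the reading of "meets the threshold" as tag <= port threshold, the port names, and the "mgmt" destination marker are assumptions made here for the model. The magnetic isolation transformers are a hardware feature and are not modeled.

```python
# Added illustrative model of the claim 20 enforcement flow; not the applicant's
# design and not code from any cited reference.  Assumed for this model:
# levels ordered UNC < C < S < TS, "meets" means tag <= port threshold,
# and a destination of "mgmt" designates a packet for the management processor.
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional

MGMT = "mgmt"  # assumed designation marker for management-processor traffic

class Level(IntEnum):
    """Classification levels; IntEnum so that <= expresses dominance."""
    UNC = 0
    C = 1
    S = 2
    TS = 3

@dataclass
class Packet:
    src_port: str
    dst: str                      # physical port name, or MGMT
    payload: bytes
    tag: Optional[Level] = None   # appended by the enforcer on ingress

@dataclass
class DataPath:
    """One isolated path: a single switch-chip port to a single physical port."""
    port: str
    threshold: Level              # security threshold of the physical port
    delivered: List[Packet] = field(default_factory=list)
    dropped: List[Packet] = field(default_factory=list)

class ManagementProcessor:
    """Rules engine supplying per-port thresholds; talks only to the enforcer."""
    def __init__(self, thresholds: Dict[str, Level]):
        self._thresholds = dict(thresholds)
        self.received: List[Packet] = []

    def security_parameters(self) -> Dict[str, Level]:
        return dict(self._thresholds)

class SwitchChip:
    """Forwards by destination; it never reads or rewrites the security tag."""
    def forward(self, pkt: Packet) -> str:
        return pkt.dst

class SecurityEnforcer:
    def __init__(self, mgmt: ManagementProcessor, switch: SwitchChip):
        self.mgmt, self.switch = mgmt, switch
        # One DataPath per physical port, built from the rules-engine parameters.
        self.paths = {p: DataPath(p, t) for p, t in mgmt.security_parameters().items()}

    def ingress(self, port: str, dst: str, payload: bytes) -> Packet:
        """Tag each packet with the classification of the port it arrived on."""
        return Packet(port, dst, payload, tag=self.paths[port].threshold)

    def egress(self, out_port: str, pkt: Packet) -> str:
        """Deliver only when the tag meets the port threshold; otherwise drop."""
        path = self.paths.get(out_port)
        if path is None or pkt.tag is None:   # unknown port or untagged: fail closed
            return "dropped"
        if pkt.tag <= path.threshold:
            path.delivered.append(pkt)
            return "delivered"
        path.dropped.append(pkt)
        return "dropped"

    def process(self, port: str, dst: str, payload: bytes) -> str:
        pkt = self.ingress(port, dst, payload)
        if pkt.dst == MGMT:                    # designated for management: bypasses the switch chip
            self.mgmt.received.append(pkt)
            return "mgmt"
        return self.egress(self.switch.forward(pkt), pkt)

def build_switch() -> SecurityEnforcer:
    mgmt = ManagementProcessor({"p_unc": Level.UNC, "p_c": Level.C,
                                "p_s": Level.S, "p_ts": Level.TS})
    return SecurityEnforcer(mgmt, SwitchChip())

def demo() -> Dict[str, str]:
    """Constructed traffic; returns the enforcer's disposition for each packet."""
    sw = build_switch()
    return {
        "ts_to_ts": sw.process("p_ts", "p_ts", b"TS report"),
        "ts_to_unc": sw.process("p_ts", "p_unc", b"write-down attempt"),
        "unc_to_s": sw.process("p_unc", "p_s", b"public notice"),
        "s_to_c": sw.process("p_s", "p_c", b"secret memo"),
        "c_to_mgmt": sw.process("p_c", MGMT, b"read counters"),
        "bad_port": sw.process("p_c", "p_none", b"?"),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>10}: {outcome}")
```

Two design points the model makes visible: the egress check fails closed (an untagged packet or an unknown output port is dropped rather than forwarded), and management traffic never passes through the switch chip, which is the structural reason the switch chip and the management processor have no direct communication path.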
Pertinent prior art: The following prior art, made of record but not relied upon in the current office action for the rejection of the claims in the instant application, is considered pertinent to applicant’s disclosure:
US 7676608 B1 (Crosmer et al.): The present invention is a system for providing Multiple Independent Levels of Security (MILS) partitioning. The system includes a memory, a bus controller communicatively coupled to the memory via a memory bus, and a MILS controller communicatively coupled to the bus controller via a host-side bus, the MILS controller configured for monitoring and controlling system transactions. The system further includes a plurality of input/output (I/O) devices communicatively coupled to the MILS controller via a plurality of corresponding device-side buses. The system further includes a MILS separation kernel configured for mapping regions of the memory to a plurality of user partitions. Each I/O device included in the plurality of I/O devices is allocated to a partition included in the plurality of partitions and is isolated from MILS separation kernel space. The MILS separation kernel is configured for guaranteeing isolation of the partitions of the memory. The system further includes a processor connected to the bus controller via a processor front-side bus. The MILS controller is configured for extending MILS partitioning to the plurality of I/O devices.
US 7681036 B1 (Zuber): A multi-channel radio operating with multiple security levels is disclosed. The multi-channel radio includes more than one input/output. Each of the input/outputs corresponds to a security level. The radio also includes a first common bus coupled to the more than one input/output and a first set of more than one processor coupled to the common bus. Each of the first set of processors corresponds to a security level. Further, the radio includes a second set of more than one processors coupled to the first set of processors and more than one transceiver. Each transceiver is coupled to at least one of the processors of the first set of processors.
US 7546458 B1 (Singla et al.): An access point in a wireless communication system can be configured to include multiple virtual LANS (VLANs) based on security levels, thereby allowing secure traffic to be isolated from insecure traffic. Configuring the access point can include assigning a security level to each VLAN and setting a security association for each station associated with the access point. Based on this security association, each station can be assigned to an appropriate VLAN.
US 20180225230 A1 (Litichever et al.): A device connectable between a host computer and a computer peripheral over a standard bus interface is disclosed, used to improve security, and to detect and prevent malware operation. Messages passing between the host computer and the computer peripherals are intercepted and analyzed based on pre-configured criteria, and legitimate messages transparently pass through the device, while suspected messages are blocked. The device communicates with the host computer and the computer peripheral using proprietary or industry standard protocol or bus, which may be based on a point-to-point serial communication such as USB or SATA. The messages may be stored in the device for future analysis, and may be blocked based on current or past analysis of the messages. The device may serve as a VPN client and securely communicate with a VPN server using the host Internet connection.
US 20130091579 A1 (White): An apparatus comprises a connector, wherein the connector comprises i) a jack, wherein the jack comprises a) a plurality of electrical terminals, and b) a magnetic component electrically coupled to the plurality of electrical terminals; and ii) a physical layer device, wherein the physical layer device comprises a) a physical layer module, wherein the physical layer module comprises an interface configured to receive packets from the jack, and an interface bus configured to inspect the packets, and b) a network interface configured to, based on the inspection of the packets by the interface bus, provide the packets to a device separate from the physical layer device.
Note: Additional relevant prior art is listed on the attached form PTO-892.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAHABUB S AHMED, whose telephone number is (571)272-0364.  The examiner can normally be reached 9AM-5PM EST, M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/MAHABUB S AHMED/Examiner, Art Unit 2434

/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434