Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION

Status of Claims
Claims 1-4, 6, 7, 11-15, 17, 20 are subject to examination.  

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claim(s) 1, 12, 2, 13, 3, 14, 7, is/are rejected under 35 U.S.C. 103 as being unpatentable over Chen et al., IBM, 2019/0173863 in view of Le Van Gong et al., 2019/0306132 and Higgins et al., 9,967,292.
Referring to claim(s) 1, 12, Chen-IBM discloses, a computer system comprising hardware processor for inspecting encrypted sessions, the processor configured with a cooperator , the cooperator 
associating a cooperator/a cooperator configured for coupling: with a negotiator (synching session data among inspectors, para 7, [0063] The inspectors 303, 304, and 305 may reside (or be collocated) at the client 301 or server 302, within the network, at a proxy, or at any other point in the network such that the data may be intercepted and inspected.  According to an embodiment of the invention, to inspect encrypted data of, for example, a TLS session.  The inspectors 303, 304, and 305 are each able to inspect in step 314 data transmitted during a session between the client 301 and the server 302 in steps 313 and 315.), 
the negotiator (inspector 203, figure 2, 303, para 63) associated with a first computer (client 301 or server 302, within the network) an encrypted session (TLS / encrypted session, claim 9, para 72) being between the first computer (client 201) and a second computer (server 202), the encrypted session (TLS / encrypted session, claim 9, para 72) including cryptographic keys (keys, para 39, 44, 45) and session information (para 7, 39, 44);
the cooperator obtaining the cryptographic keys and the session information from the negotiator (inspectors synching session data and keys, para 7, 44, 45), and 
passing the cryptographic keys and the session information for inspecting the encrypted session (inspectors synching/passing session data and keys and inspecting the encrypted session, para 7, 44, 45).
Chen-IBM also discloses the first computing including a server (client 301 or server 302, within the network).

Chen-IBM does not specifically mention about, which is well-known in the art, which Le-Van-Gong discloses, the cooperator passing the cryptographic keys and the session information to an inspection device for inspecting the encrypted session (software providing the keys and the session information to traffic inspection service for storing/inspection of the session without intercepting, para 16). 
[0071] FIG. 6 illustrates a block diagram of a traffic inspection module 600 configured to generate a key index under an offline approach according to various embodiments of the disclosure.  The traffic inspection module 600 may be implemented as the traffic inspection module 132 of the service provider server 130 or the traffic inspection module 116 of the user device 110.  As shown, the traffic inspection module 600 includes a key generation module 602 and a parsing module 604.  FIG. 7 illustrates the process 700 for generating a key index under an offline approach according to various embodiments of the disclosure.  In some embodiments, the process 700 may be performed by the traffic inspection module 600.  The process 700 begins by obtaining (at step 705) a session file that was captured during an encrypted communication session.  For example, the traffic inspection module 600 may obtain a exchange may include a particular encryption algorithm and a particular key rotation scheme that were negotiated between two devices associated with the encrypted communication session, and the initial encryption key(s) used by the two devices.  [0072] The process 700 may then determine (at step 710) an initial encryption key for the encrypted communication session associated with the session file 610.  For example, the parsing module 604 may extract the initial encryption key(s) from the information related to the initial exchange.  As discussed above, each of the initial encryption keys may include an IV value and a key value.  The traffic inspection module 600 may create a key index 620 and insert the initial encryption keys in the key index 620.  [0073] After determining the initial encryption keys, the process 700 begins (at step 715) parsing the encrypted records from the session file using the encryption keys.  For example, the parsing module 604 may extract each encrypted record from the session file 610 and decrypt the encrypted record using the determined encryption keys.  In the embodiments where the web server 134 uses a different encryption key than the UI application 112, the parsing module 604 may first determine whether the encrypted record is a record transmitted from the web server 134 or a record transmitted from the UI application 112, and may decrypt the record using the corresponding encryption key.  The parsing module 604 may continue to decrypt the records until a "key update message" is detected from a decrypted record.

Le-Van-Gong also discloses the first computing including a server (the software module can be part of the server or user device, para 71).

Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Cheng-IBM to implement these limitations and also one of ordinary skill in the art would have been motivated to do so because it could provide utilizing well known usage of an inspection device. The inspection device would inspect the provided session and would determine whether the session information is normal. The inspection device would take needed action if the session information is not normal, para 48. 
Chen-IBM and Le Van Gong do not specifically mention about, which is well-known in the art, which Higgins discloses, the inspection device correlating the cryptographic keys with data from the encrypted session based on the session information (As used herein the "correlation information" refers to information that may be used to correlate key information with particular flows, sessions, or connections, or the like.  Correlation information may include various values that may be associated with a flow, such as, tuple information, client/server random numbers, handshake hashes, date-time information, timestamps, or the like, or combination thereof.  Generally, correlation information may be information that a NMC may determine or observe without using the key information or decrypting the Correlation information is stored in a key escrow with its corresponding key information (col., 8, lines 42-51) In one or more of the various embodiments, the secret sharing engines may be arranged to communicate with an NMC to enable correlation information to be associated with the cryptographic key information.  For example, NMC 508 may be arranged to obtain key information from the secret sharing engine.  Accordingly, NMC 508 may determine the correlation information that correlates the communication session with the key information.  Thus, in this example, NMC 506 may store the key information with the relevant correlation information in the key escrow 512 (col., 24, lines 1-9) At block 910, in one or more of the various embodiments, the NMC may be arranged to decrypt network traffic comprising the secure sessions for inspection.  In one or more of the various embodiments, the NMC may be arranged to apply various configuration information or rule-based policies to determine if network traffic associated with the secure session should be decrypted.  Likewise, in one or more of the various embodiments, the NMC may be arranged to apply configuration information or rule-based policies to determine various actions to perform, such as, determining which network packets or network flows to inspect, looking for particular types of content or patterns, tracking application behavior, or the like, or combination thereof (col., 30., lines 38-50).

Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Cheng-IBM to implement these limitations and also one of ordinary skill in the art would have been motivated to do so because it could provide utilizing well known usage of an inspection device. The inspection device would inspect the provided session and would determine what the session information is about. The correlating the keys with data from the encrypted session would enable taking necessary action if the session information is not normal or to determine which of the various actions to perform (col., 30, lines 38-50).
Also, regarding limitations, the first computer including a server, Higgins also discloses, For clarity, clients and servers are described separately, but one of ordinary skill in the art will appreciate that a given computer, application, or program may sometimes operate as a server and other times operate as a client depending on whether it is requesting services or responding to requests for services, col., 25, lines 36-40.


Referring to claim(s) 2, 13, Chen-IBM discloses, wherein the cooperator obtains the cryptographic keys and the session information from the negotiator having negotiated the encrypted session using a protocol (using TLS / encrypted session, claim 9, para 72). Also, Higgins discloses, 
the inspection device correlating the cryptographic keys with data from the encrypted session based on the session information (As used herein the "correlation information" refers to information that may be used to correlate key information with particular flows, sessions, or connections, or the like.  Correlation Correlation information is stored in a key escrow with its corresponding key information (col., 8, lines 42-51) In one or more of the various embodiments, the secret sharing engines may be arranged to communicate with an NMC to enable correlation information to be associated with the cryptographic key information.  For example, NMC 508 may be arranged to obtain key information from the secret sharing engine.  Accordingly, NMC 508 may determine the correlation information that correlates the communication session with the key information.  Thus, in this example, NMC 506 may store the key information with the relevant correlation information in the key escrow 512 (col., 24, lines 1-9) At block 910, in one or more of the various embodiments, the NMC may be arranged to decrypt network traffic comprising the secure sessions for inspection.  In one or more of the various embodiments, the NMC may be arranged to apply various configuration information or rule-based policies to determine if network traffic associated with the secure session should be decrypted.  Likewise, in one or more of the various embodiments, the NMC may be arranged to apply configuration information or rule-based policies to determine various actions to perform, such as, determining which network packets or network flows to inspect, looking for particular types of content or patterns, tracking application behavior, or the like, or combination thereof (col., 30., lines 38-50).
 
Referring to claim(s) 3, 14, Chen-IBM discloses, wherein the protocol includes at least one of a Transport Layer Security (TLS) protocol or a Secure Socket Layer (SSL) protocol (TLS / encrypted session, claim 9, para 72). Also, Higgins discloses, 
the inspection device correlating the cryptographic keys with data from the encrypted session based on the session information (As used herein the "correlation information" refers to information that may be used to correlate key information with particular flows, sessions, or connections, or the like.  Correlation information may include various values that may be associated with a flow, such as, tuple information, client/server random numbers, handshake hashes, date-time information, timestamps, or the like, or combination thereof.  Generally, correlation information may be information that a NMC may determine or observe without using the key information or decrypting the encrypted network traffic.  Correlation information is stored in a key escrow with its corresponding key information (col., 8, lines 42-51) In one or more of the various embodiments, the secret sharing engines may be arranged to communicate with an NMC to enable correlation information to be associated with the cryptographic key information.  For example, NMC 508 may be arranged to obtain key information from the secret sharing engine.  Accordingly, NMC 508 may determine the correlation information that correlates the communication session with the key information.  Thus, in this example, NMC 506 may store the key information with the relevant correlation information in the key escrow 512 (col., 24, lines 1-9) At block 910, in one or more of the various embodiments, the NMC may be arranged to decrypt network traffic comprising the secure sessions for inspection.  In one or more of the various embodiments, the NMC may be arranged to apply various configuration information or rule-based policies to determine if network traffic associated with the secure session should be decrypted.  Likewise, in one or more of the various embodiments, the NMC may be arranged to apply configuration information or rule-based policies to determine various actions to perform, such as, determining which network packets or network flows to inspect, looking for particular types of content or patterns, tracking application behavior, or the like, or combination thereof (col., 30., lines 38-50).

Referring to claim(s) 7, Le-Van-Gong discloses, wherein the at least one the second computer includes a client (server and/or client, para 71). Also, regarding limitations, the first computer including a server, also Higgins discloses, For clarity, clients and servers are described separately, but one of ordinary skill in the art will appreciate that a given computer, application, or program may sometimes operate as a server and other times operate as a client depending on whether it is requesting services or responding to requests for services, col., 25, lines 36-40.
 
Referring to claim(s) 20, Le-Van-Gong discloses, the at least one second computers includes a client (server and/or client, para 71). Also, regarding limitations, the first computer including a server, also Higgins discloses, For clarity, clients and servers are described separately, but one of ordinary skill in the art will appreciate that a given computer, application, or program may sometimes operate as a server and other times operate as a client depending on whether it is requesting services or responding to requests for services, col., 25, lines 36-40.
 
Claim(s) 4, 15, is/are rejected under 35 U.S.C. 103 as being unpatentable over Chen-IBM in view of Le-Van-Gong, and Li et al., 2014/0115702.
Referring to claim(s) 4, 15, Chen-IBM, Higgins,  and Le-Van-Gong do not disclose, which is well-known in the art, which Li discloses, an SSL master secret or a TLS master secret (para 31, 41 along with inspection). Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Chen-IBM to implement these limitations and also one of ordinary skill in the art would have been motivated to do so because it could provide utilizing well-known usage of SSL master secret or a TLS master secret. One of ordinary . 

Claim(s) 6, 17, is/are rejected under 35 U.S.C. 103 as being unpatentable over Chen-IBM in view of Le-Van-Gong, Higgins and Egorov 9,591,084.
Referring to claim(s) 6, 17, Chen-IBM, Higgins, and Le-Van-Gong do not disclose, which is well-known in the art, which Egorov discloses, wherein the session information includes at least one of: an SSL identifier or a TLS session identifier (col., 10, lines 19-36); a TLS ticket (abstract), the identity of one or more of the first computer and the second computer (col., 11, lines 55-53), additional data associated with an SSL handshake or a TLS handshake associated with the encrypted session from at least one of the first computer and the second computer (col., 13, lines 42-51), an IP address of one or more of the first computer and the second computer; and, layer 4 ports of the session (col., 13, lines 42-51). Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Chen-IBM to implement these limitations and also one of ordinary skill in the art would have been motivated to do so because it could provide usage of session information for maintaining the session securely.  One of ordinary skilled in the art would readily know that the main purpose of an SSL is to provide privacy and data integrity for communication between a server and a client. The server and client exchange important information required to establish a secure connection. Hence, the session information/identifier would enable implementing the privacy and data integrity for communication, col., 13, lines 42-51.

Claim(s) 11, is/are rejected under 35 U.S.C. 103 as being unpatentable over Chen-IBM in view of Le-Van-Gong, Higgins, and Reid et al., 2018/0232526.
Referring to claim(s) 11, Chen-IBM discloses wherein the cooperator obtains the cryptographic keys and the session information from the negotiator (inspectors synching session data and keys, para 7, 44, 45). Chen-IBM and Le-Van-Gong do not disclose, which is well-known in the art, which Reid discloses, pulling (pulling of many data elements including keys, identifiers/identities of the session/transaction, para 880). Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Chen-IBM to implement these limitations and also one of ordinary skill in the art would have been motivated to do so because it could provide well-known usage of pulling information/data. One of ordinary skilled in the art would readily know that Pull means to request data from another program or computer. The opposite of pull is push, where data is sent without a request being made. The terms push and pull are used frequently to describe data sent over the Internet. Hence, the pulling would enable requesting data/information for further processing of it, para 880. 

Response to Arguments
Applicant's arguments filed 4/7/21, pages 7-13 have been fully considered but they are not persuasive.  Therefore, rejection of claims 1-4, 6, 7, 11-15, 17, 20 is maintained. 
In response to the earlier office action, Amendments to claims 1 and 12 is acknowledged. Accordingly the rejections are updated in the above rejections in view of the amended limitations.
Regarding remarks of amending claims 1 and 12, with “the first computer including a server”. The applicant failed to consider that a same computer can be used as a server or client. Please see above rejected rejections. Applicant is relying upon man-in-the-middle (Mitm) configuration; contrary to the earlier office action that did not relied upon man-in-the-middle (Mitm) configuration. Chen-IBM’s 
Regarding applicant’s concern for “correlating” and “an encrypted session being between the first computer and the second computer” of claims 1 and 23, in the remarks, please see above updated rejections. Applicant fails to consider that “correlating” and “an encrypted session being between the first computer and the second computer” are well-known in the art. Please see the definitions of the correlating and encrypted session in the above rejections. One of ordinary skilled in the art would readily know that adding of such well-known terms over the rejections would not make the claimed invention novel.

Applicant’s keeps relying on man-in-the-middle (Mitm) in the remarks even when it is not relied upon in the rejections and further that it was already clarified in the previous action; the applicant to still rely on man-in-the-middle (Mitm) in the remarks would not overcome the rejections.

Chen-IBM discloses, a computer system comprising hardware processor for inspecting encrypted sessions, the processor configured with a cooperator , the cooperator configured for, a method for inspecting encrypted sessions between computers (inspector inspecting the client 201 and the server 202, figure 2, TLS / encrypted session, claim 9, para 72) comprising:
associating a cooperator/a cooperator configured for coupling: with a negotiator (synching session data among inspectors, para 7, [0063] The inspectors 303, 304, and 305 may reside (or be collocated) at the client 301 or server 302, within the network, at a proxy, or at any other point in the network such that the data may be intercepted and inspected.  According to an embodiment of the invention, to inspect encrypted data of, for example, a TLS session.  The inspectors 303, 304, and 305 are each able to inspect in step 314 data transmitted during a session between the client 301 and the server 302 in steps 313 and 315.), 

the cooperator obtaining the cryptographic keys and the session information from the negotiator (inspectors synching session data and keys, para 7, 44, 45), and 
passing the cryptographic keys and the session information for inspecting the encrypted session (inspectors synching/passing session data and keys and inspecting the encrypted session, para 7, 44, 45).
Chen-IBM does not specifically mention about, which is well-known in the art, which Le-Van-Gong discloses, the cooperator passing the cryptographic keys and the session information to an inspection device for inspecting the encrypted session (software providing the keys and the session information to traffic inspection service for storing/inspection of the session without intercepting, para 16), the first computing including a server (the software module can be part of the server or user device, para 71). 
[0071] FIG. 6 illustrates a block diagram of a traffic inspection module 600 configured to generate a key index under an offline approach according to various embodiments of the disclosure.  The traffic inspection module 600 may be implemented as the traffic inspection module 132 of the service provider server 130 or the traffic inspection module 116 of the user device 110.  As shown, the traffic inspection module 600 includes a key generation module 602 and a parsing module 604.  FIG. 7 illustrates the process 700 for generating a key index under an offline approach according to various embodiments of the disclosure.  In some embodiments, the process 700 may be performed by the traffic inspection module 600.  The process 700 begins by obtaining (at step 705) a session file that was captured during an encrypted communication session.  For example, the traffic inspection module 600 may obtain a session file 610.  The session file 610 may correspond to the session file 235 generated at the web server 134, or the session file 245 generated at the UI application 112.  The traffic inspection module 600 may begin to parse the session file 610.  As discussed above, a session file, such as the session file 610, may include information related to the initial exchange (e.g., the handshake) for the encrypted communication session, and the encrypted records communicated between the web server 134 and the UI application 112 during the encrypted communication session.  Since the initial exchange is not encrypted, the parsing module 604 may parse the information related to the initial exchange without any encryption key.  As discussed above, the information related to the initial exchange may include a particular encryption algorithm and a particular key rotation scheme that were negotiated between two devices associated with the encrypted communication session, and the initial encryption key(s) used by the two devices.  [0072] The process 700 may then determine (at step 710) an initial encryption key for the encrypted communication session associated with the session file 610.  For example, the parsing module 604 may extract the initial encryption key(s) from the information related to the initial exchange.  As discussed above, each of the initial encryption keys may include an IV value and a key value.  The traffic inspection module 600 may create a key index 620 and insert the initial encryption keys in the key index 620.  [0073] After determining the initial encryption keys, the process 700 begins the encrypted records from the session file using the encryption keys.  For example, the parsing module 604 may extract each encrypted record from the session file 610 and decrypt the encrypted record using the determined encryption keys.  In the embodiments where the web server 134 uses a different encryption key than the UI application 112, the parsing module 604 may first determine whether the encrypted record is a record transmitted from the web server 134 or a record transmitted from the UI application 112, and may decrypt the record using the corresponding encryption key.  The parsing module 604 may continue to decrypt the records until a "key update message" is detected from a decrypted record.
Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Cheng-IBM to implement these limitations and also one of ordinary skill in the art would have been motivated to do so because it could provide utilizing well known usage of an inspection device. The inspection device would inspect the provided session and would determine whether the session information is normal. The inspection device would take needed action if the session information is not normal, para 48. 
Chen-IBM and Le Van Gong do not specifically mention about, which is well-known in the art, which Higgins discloses, the inspection device correlating the cryptographic keys with data from the encrypted session based on the session information (As used herein the "correlation information" refers to information that may be used to correlate key information with particular flows, sessions, or connections, or the like.  Correlation information may include various values that may be associated with a flow, such as, tuple information, client/server random numbers, handshake hashes, date-time information, timestamps, or the like, or combination thereof.  Generally, correlation information may be information that a NMC may determine or observe without using the key information or decrypting the encrypted network traffic.  Correlation information is stored in a key escrow with its corresponding key information (col., 8, lines 42-51) In one or more of the various embodiments, the secret sharing engines may be arranged to communicate with an NMC to enable correlation information to be associated with the cryptographic key information.  For example, NMC 508 may be arranged to obtain key information from the secret sharing engine.  Accordingly, NMC 508 may determine the correlation information that correlates the communication session with the key information.  Thus, in this example, NMC 506 may store the key information with the relevant correlation information in the key escrow 512 (col., 24, lines 1-9) At block 910, in one or more of the various embodiments, the NMC may be arranged to decrypt network traffic comprising the secure sessions for inspection.  In one or more of the various embodiments, the NMC may be arranged to apply various configuration information or rule-based policies to determine if network traffic associated with the secure session should be decrypted.  Likewise, in one or more of the various embodiments, the NMC may be arranged to apply configuration information or rule-based policies to determine various actions to perform, such as, determining which network packets or network flows to inspect, looking for particular types of content or patterns, tracking application behavior, or the like, or combination thereof (col., 30., lines 38-50).

Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Cheng-IBM to implement these 
Also, regarding limitations, the first computer including a server, Higgins also discloses, For clarity, clients and servers are described separately, but one of ordinary skill in the art will appreciate that a given computer, application, or program may sometimes operate as a server and other times operate as a client depending on whether it is requesting services or responding to requests for services, col., 25, lines 36-40.

Chen does not say that its disclosure is only limited for man-in-the-middle (Mitm); However, the applicant keeps on relying on it.
Hence, in order to not delay prosecution of this application / compact prosecution: 
MPEP 1201 states: Where the differences of opinion concern the denial of patent claims because of prior art or other patentability issues, the questions thereby raised are said to relate to the merits, and appeal procedure within the Office and to the courts has long been provided by statute (35 USC 143). 35 U.S.C. 134 (a) states: An applicant for a patent, any of whose claims has been twice rejected, may appeal from the decision of the primary examiner to the Board of Patent Appeals and Interferences, having once paid the fee for such appeal.




Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HARESH PATEL whose telephone number is (571)272-3973.  The examiner can normally be reached on M-F 9-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 5712723862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/HARESH N PATEL/               Primary Examiner, Art Unit 2493