DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.

Claims 1, 4, 6, 8, 15-17, 21 are rejected under 35 U.S.C. 103 as being unpatentable over Fries, U.S. Publication No. 2020/0059357, in view of Li, U.S. Publication No. 2018/0097777. Referring to claim 1, Fries discloses a network system, such as an IoT network ([0003]), that includes a plurality of client devices (Figure 2, elements 310 & 320 & [0081]) such that the client devices can include mediums storing instructions executable by a device processor ([0063]), which meets the limitation of one or more edge devices [and at least one gateway device] on said secure IoT network, said one or more edge devices [and said at least one gateway device] each comprising at least one memory device storing computer-readable instructions and at least one microprocessor coupled to said at least one memory for executing said computer-readable instructions. The network additionally includes a key distribution server (Figure 2, element 200 & [0081]) that provides a group key to a group of client devices ([0083]: group key reads on the claimed EDK), which meets the limitation of a key server for distributing an exchanged data key (EDK) to each of said one or more edge devices. Each client device of the group locally derives a first-order sub-group key using the received group key ([0084]: first-order sub-group key reads on the claimed DEK), which meets the limitation of wherein each of said one or more edge devices derives a . 
Fries does not disclose that the IoT network includes a gateway. Li discloses an IoT network that includes a gateway (Figure 1, 110) such that the gateway includes a network security engine ([0022]) that itself includes registers/caches and processing units ([0023]: registers/caches can be mapped to the claimed memory device), which meets the limitation of at least one gateway device on said secure IoT network, said at least one gateway device comprising at least one memory device storing computer-readable instructions and at least one microprocessor coupled to said at least one memory device for executing said computer-readable instructions. The IoT gateway can receive and decrypt messages communicated from endpoints in an IoT group using a group key ([0020]: group ID is utilized as a key to encrypt and decrypt messages between the endpoints and gateway in the group that corresponds with the group ID key), which meets the limitation of IoT data generated by said one or more edge devices for transmission on said secure IoT network to said gateway device, wherein said at least one gateway device decrypts said encrypted IoT data by an authenticated decryption employing said DEK derived from said EDK. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the IoT network of Fries to have included a gateway in order to provide a device that is capable of managing many IoT devices as well as managing many groups of IoT devices as suggested by Li ([0045]).
Referring to claim 4, Fries discloses that the key distribution server can also be designated as an XMPP server ([0061]: XMPP server reads on the claimed provisioning server) that performs client device authentication utilizing a client device certificate in order to obtain access to specific network services ([0062]: allowing access to specific network services would read on the provisioning of those devices to the network as claimed), which meets the limitation of wherein said module in element is a provisioning server that authenticates and then provisions said one or more edge devices on said secure IoT network.
Referring to claim 6, Fries discloses that the key distribution server can also be designated as an XMPP server ([0061]) that performs client device authentication utilizing a client device certificate ([0062]), which meets the limitation of wherein said key server is also utilized for authenticating said one or more edge devices.
Referring to claim 8, Fries discloses that when utilizing the XMPP communication protocol, the key distribution server can also be designated as an XMPP server ([0061]) that performs client device authentication utilizing a client device certificate ([0062]: authentication is performed as part of the underlying protocol that is XMPP), which meets the limitation of wherein an authentication mechanism of an underlying protocol on said secure IoT network is used for authenticating said one or more edge devices.
Referring to claim 15, Fries discloses a network system, such as an IoT network ([0003]), that includes a plurality of client devices (Figure 2, elements 310 & 320 & [0081]) such that the client devices can include mediums storing instructions executable by a device processor ([0063]), which meets the limitation of one or more edge devices [and at least one gateway device] on said secure IoT network, said one or more edge devices [and said at least one gateway device] each comprising at least one memory device storing computer-readable instructions and at least one microprocessor coupled to said at least one memory for executing said computer-readable instructions. The network additionally includes a key distribution server (Figure 2, element 200 & [0081]) that provides a group key to a group of client devices ([0083]: group key would read on the claimed wrapping key), which meets the limitation of a key server for distributing a wrapping key for each of said one or more edge devices [to said gateway device]. Each client device of the group locally derives a first-order sub-group key using the received group key ([0084]: first-order sub-group key would read on the claimed DEK), which meets the limitation of wherein said one or more edge devices employ said wrapping key to derive a per-message data encryption key (DEK) for encrypting. The client devices can generate messages using sub-group secrets and sub-group keys ([0032]-[0033] & [0041]: generated messages would read on the claimed IoT data), which meets the limitation of IoT data generated by said one or more edge devices for transmission on said secure IoT network [to said at least one gateway device]. The client device messages can be encrypted using the generated first-order sub-group key and transmitted to other devices in the group ([0110]), which meets the limitation of encrypting by an authenticated encryption each message of said IoT data for said transmission.
The key distribution server includes functionality that allocates sub-group secrets to the client devices such that the sub-group secrets are utilized to generate the sub-group keys and ultimately allocate a client device to a particular communication group ([0027]-[0032]: functionality of the key distribution server that provides the sub-group secrets would read on the claimed module), which meets the limitation of a module on said secure IoT network for provisioning said one or more edge devices. 
Fries does not disclose that the IoT network includes a gateway. Li discloses an IoT network that includes a gateway (Figure 1, 110) such that the gateway includes a network security engine ([0022]) that itself includes registers/caches and processing units ([0023]: registers/caches can be mapped to the claimed memory device), which meets the limitation of at least one gateway device on said secure IoT network, said at least one gateway device comprising at least one memory device storing computer-readable instructions and at least one microprocessor coupled to said at least one memory device for executing said computer-readable instructions. Li discloses that group keys can be provided to network endpoints in a number of embodiments ([0020]) and one of those possible embodiments involves the IoT gateway providing the group key to the endpoints of the group ([0020]: In Fries, the key distribution server distributes the group key. Therefore, in order for the IoT gateway to provide the group key to the client devices in Fries, the IoT gateway would first need to receive the group key from the key distribution server.), which meets the limitation of a key server for providing a wrapping key for each of said one or more edge devices to said gateway device, said wrapping key provided by said gateway device to said one or more edge devices. The IoT gateway can receive and decrypt messages communicated from endpoints in an IoT group using a group key ([0020]: group ID is utilized as a key to encrypt and decrypt messages between the endpoints and gateway in the group that corresponds with the group ID key), which meets the limitation of IoT data generated by said one or more edge devices for transmission on said secure IoT network to said gateway device.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the IoT network of Fries to have included a gateway in order to provide a device that is capable of managing many IoT devices as well as managing many groups of IoT devices as suggested by Li ([0045]).
Additionally, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the gateway, in the modified IoT network of Fries, to have received the group key from the key distribution server such that the gateway provides the group key to the client devices because Li suggests that such a key distribution embodiment is one of a finite number of possible key distribution embodiments that could have been implemented by one of ordinary skill with a reasonable expectation of success (Li: [0020]).
Referring to claim 16, Fries discloses a network system, such as an IoT network ([0003]), that includes a plurality of client devices (Figure 2, elements 310 & 320 & [0081]: client devices read on the claimed edge devices), which meets the limitation of provisioning at least one edge device on said IoT network. The network additionally includes a key distribution server (Figure 2, element 200 & [0081]) that provides a group key to a group of client devices ([0083]: group key reads on the claimed EDK), which meets the limitation of distributing an exchanged data key (EDK) from a key server on said IoT network to said at least one edge device. Each client device of the group locally derives a first-order sub-group key using the received group key ([0084]: first-order sub-group key reads on the claimed DEK), which meets the limitation of deriving a data encryption key (DEK) at said at least one edge device. The client devices can generate messages using sub-group secrets and sub-group keys ([0032]-[0033] & [0041]: generated messages read on the claimed IoT data), which meets the limitation of generating said IoT data by said at least one edge device. The client device messages can be encrypted using the generated first-order sub-group key and transmitted to other devices in the group ([0110]), which meets the limitation of encrypting at said at least one edge device said IoT data with said DEK to obtain encrypted IoT data, said encrypting utilizing an authenticated encryption, transmitting said encrypted IoT data from said at least one edge device [to a gateway device]. 
Fries does not disclose that the IoT network includes a gateway. Li discloses an IoT network that includes a gateway (Figure 1, 110) such that the gateway can receive and decrypt messages communicated from endpoints in an IoT group using a group key ([0020]: group ID is utilized as a key to encrypt and decrypt messages between the endpoints and gateway in the group that corresponds with the group ID key), which meets the limitation of transmitting said encrypted IoT data from said at least one edge device to a gateway device, decrypting with said DEK said encrypted IoT data at said gateway device. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the IoT network of Fries to have included a gateway in order to provide a device that is capable of managing many IoT devices as well as managing many groups of IoT devices as suggested by Li ([0045]).
Referring to claim 17, Fries discloses that the key distribution server can also be designated as an XMPP server ([0061]: XMPP server reads on the claimed provisioning server) that performs client device authentication utilizing a client device certificate in order to obtain access to specific network services ([0062]: allowing access to specific network services would read on the provisioning of those devices to the network as claimed), which meets the limitation of utilizing a provisioning server for authenticating and then configuring said at least one edge device in said step (a).
Referring to claim 21, Fries discloses that when utilizing the XMPP communication protocol, the key distribution server can also be designated as an XMPP server ([0061]) that performs client device authentication utilizing a client device certificate ([0062]: authentication is performed as part of the underlying protocol that is XMPP), which meets the limitation of utilizing an authentication mechanism of an underlying protocol on said IoT network for authenticating said at least one edge device.
Claims 2, 3, 18 are rejected under 35 U.S.C. 103 as being unpatentable over Fries, U.S. Publication No. 2020/0059357, in view of Li, U.S. Publication No. 2018/0097777, and further in view of Rafn, U.S. Patent No. 10,382,213. Referring to claims 2, 18, Fries discloses that the client devices include certificates that are used to authenticate themselves ([0062]). Fries, as modified in view of Li above, does not disclose that the certificates are public key certificates issued by a certificate authority.
Rafn discloses a certificate authority that issues device certificates that can be public key certificates (Col. 4, lines 30-38: CA may issue multiple certificates in a hierarchy with down-tree certificates known as subordinate & Col. 2, lines 60-63: device certificates are subordinate certificates & Col. 5, lines 42-44: device certificate can be a public key certificate) such that the client devices utilize the issued device certificates to register for access to the IoT network (Col. 8, line 60 – Col. 9, line 45 & Col. 11, lines 9-24), which meets the limitation of wherein a certificate authority is used to issue a public key certificate to said one or more edge devices for enrollment on said secure IoT network, utilizing a certificate authority for issuing a public key certificate to said at least one edge device for said authenticating. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the certificates of Fries to have been public key certificates issued by a certificate authority and utilized to authenticate the client devices in the manner described in Rafn in order to provide a robust means of authenticating the client devices as suggested by Rafn (Col. 2, lines 15-26).
Referring to claim 3, Fries discloses that the client devices include certificates that are used to authenticate themselves ([0062]). Fries, as modified in view of Li above, does not disclose that the certificates are public key certificates issued by a certificate authority. Rafn discloses a certificate authority that issues device certificates that can be public key certificates (Col. 4, lines 30-38: CA may issue multiple certificates in a hierarchy with down-tree certificates known as subordinate & Col. 2, lines 60-63: device certificates are subordinate certificates & Col. 5, lines 42-44: device certificate can be a public key certificate) such that the client devices utilize the issued device certificates to register for access to the IoT network (Col. 8, line 60 – Col. 9, line 45 & Col. 11, lines 9-24) in a manner that specifically authenticates the device certificate (Col. 9, lines 7-12), which meets the limitation of wherein said public key certificate undergoes authentication checks for authenticating said one or more edge devices on said secure IoT network. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the certificates of Fries to have been public key certificates issued by a certificate authority and utilized to authenticate the client devices in the manner described in Rafn in order to provide a robust means of authenticating the client devices as suggested by Rafn (Col. 2, lines 15-26).
Claims 5, 19 are rejected under 35 U.S.C. 103 as being unpatentable over Fries, U.S. Publication No. 2020/0059357, in view of Li, U.S. Publication No. 2018/0097777, and further in view of Campagna, U.S. Publication No. 2018/0343127. Referring to claims 5, 19, Fries, as modified in view of Li above, does not disclose that the client devices include a public/private key pair and a digital certificate that were included at the time the client devices were manufactured.
Campagna discloses client devices in the form of network appliances that generate their own digital certificates and public/private key pairs at manufacturing time ([0095]), which meets the limitation of wherein one of a public-private key pair and a digital certificate is included in said one or more edge devices at a time of their manufacturing, including in said at least one edge device at a time of its manufacturing, one of a public-private key pair and a digital certificate, for said authenticating. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the client devices of Fries to have generated their own digital certificates and public/private key pairs at the time of their manufacture in order to provide a secure means of generating the certificates and key pairs in a manner that allows for managing servers to verify the authenticity of device certificates as suggested by Campagna ([0095]).
Claims 7, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Fries, U.S. Publication No. 2020/0059357, in view of Li, U.S. Publication No. 2018/0097777, and further in view of Abdelhakim, U.S. Publication No. 2018/0310176. Referring to claims 7, 20, Fries discloses that the key distribution server can also be designated as an XMPP server ([0061]) that performs client device authentication ([0062]).
Fries, as modified in view of Li above, does not specify that the authentication is performed utilizing a salted challenge response authentication mechanism. Abdelhakim discloses the use of a salted challenge response authentication mechanism as one of a variety of algorithms utilized to authenticate an IoT device to a network ([0016]), which meets the limitation of wherein a salted challenge response authentication mechanism (SCRAM) protocol is used for authenticating said one or more edge devices with said key server. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the authentication of Fries to have been performed utilizing the salted challenge response authentication mechanism because Abdelhakim discloses that the salted challenge response authentication mechanism is one of a finite number of possible algorithms that could have been utilized to authenticate an IoT device to the network with a reasonable expectation of success (Abdelhakim: [0016]).
Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Fries, U.S. Publication No. 2020/0059357, in view of Li, U.S. Publication No. 2018/0097777, and further in view of Krawczyk, RFC 5869, “HMAC-based Extract-and-Expand Key Derivation Function (HKDF),” published 2010. Referring to claim 11, Fries discloses that each client device of the group locally derives a first-order sub-group key using the received group key ([0084]), which meets the limitation of wherein said one or more edge devices derive said DEK from said EDK [by employing a key derivation function based on a hash-based message authentication code.]
Fries does not disclose that the IoT network includes a gateway. Li discloses an IoT network that includes a gateway (Figure 1, 110) such that the gateway can receive and decrypt messages communicated from endpoints in an IoT group using a group key ([0020]: in Fries the first-order sub-group key utilized to encrypt the communications [0110] is generated utilizing a group key received from the key distribution server [0083]. Therefore, in order to utilize the first-order sub-group key to decrypt received communications, the gateway would need to have received the group key from the key distribution server in the same manner as the client devices and generate the first-order sub-group key utilizing the received group key.), which meets the limitation of wherein said at least one gateway device derives said DEK from said EDK [by employing a key derivation function based on a hash-based message authentication code (HKDF)]. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the IoT network of Fries to have included a gateway, that receives the group key from the key distribution server and generates the first-order sub-group key in the same manner performed by the client devices, in order to provide a device that is capable of managing many IoT devices as well as managing many groups of IoT devices as suggested by Li ([0045]).
Fries, as modified in view of Li above, does not specify that the first-order sub-group key is generated using an HKDF. Krawczyk discloses deriving a cryptographic key utilizing an HMAC-based key derivation function (HKDF) (Pages 3-4, Section 2-2.3), which meets the limitation of employing a key derivation function based on a hash-based message authentication code (HKDF). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the key derivation function of Fries to have been HKDF in order to provide a cryptographically strong key from imperfect keying material as suggested by Krawczyk (Page 2, fourth paragraph & Page 7, Section 4).
Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Fries, U.S. Publication No. 2020/0059357, in view of Li, U.S. Publication No. 2018/0097777, and further in view of Chhabra, U.S. Publication No. 2019/0220721. Referring to claim 12, Fries, as modified in view of Li above, does not disclose the use of AES in Galois/counter mode encryption. Chhabra discloses the use of AES in Galois/counter mode encryption ([0075]), which meets the limitation of wherein said authenticated encryption employs an advanced encryption standard (AES) in Galois/counter mode (GCM). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the encryption of Fries to have been performed utilizing AES in Galois/counter mode encryption in order to provide confidentiality and integrity at near zero latency costs as suggested by Chhabra ([0066]).
Claims 14, 23 are rejected under 35 U.S.C. 103 as being unpatentable over Fries, U.S. Publication No. 2020/0059357, in view of Li, U.S. Publication No. 2018/0097777, and further in view of Kahn, U.S. Publication No. 2016/0127894. Referring to claims 14, 23, Fries discloses that client device messages can be encrypted using the generated first-order sub-group key and transmitted to other devices in the group ([0110]).
Fries, as modified in view of Li above, does not disclose the use of type length value (TLV) encoding on each field of the encrypted client device messages. Kahn discloses network communication encryption that includes type length value (TLV) encoding of encrypted context information from fields of the packet ([0034]), which meets the limitation of wherein a type length value (TLV) encoding is employed to encode each field of an encrypted IoT message of said encrypted IoT data for transmission. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the encrypted transmissions of Fries to have utilized type length value (TLV) encoding as discussed in Kahn in order to enable connectionless access by the client devices to the communication network as suggested by Kahn ([0032]).
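The following is an added illustration, not part of this Office action or of any cited reference, of the key handling recited in claims 11, 14 and 15 as the rejections read them: HKDF as specified in RFC 5869 built from the Python standard library, used by an edge device and a gateway to derive the same per-message DEK from a shared EDK, and TLV framing of the fields of an encrypted message with a strict parser. The AES-GCM step of claim 12 is omitted; the domain-separation label, the TLV type codes, the frame layout and the sample device identifier are constructed assumptions.

```python
import hashlib
import hmac
from typing import List, Tuple

HASH = "sha256"
HASH_LEN = hashlib.new(HASH).digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC-Hash(salt, IKM); an absent salt is HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: OKM = T(1) | T(2) | ... with T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF output length exceeds 255 * HashLen")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


# Per-message DEK from the EDK. The label and the info layout are constructed assumptions.
DEK_LABEL = b"iot-dek-v1"


def derive_dek(edk: bytes, device_id: bytes, msg_counter: int) -> bytes:
    """Edge device and gateway both run this on the shared EDK. The message counter is
    bound into `info`, so each message gets its own 16-byte DEK without a new key exchange."""
    info = DEK_LABEL + device_id + msg_counter.to_bytes(4, "big")
    return hkdf(salt=b"", ikm=edk, info=info, length=16)


# TLV framing of the encrypted message. Type codes are constructed assumptions.
TLV_DEVICE_ID, TLV_COUNTER, TLV_NONCE, TLV_CIPHERTEXT, TLV_TAG = 0x01, 0x02, 0x03, 0x04, 0x05


def tlv_encode(fields: List[Tuple[int, bytes]]) -> bytes:
    """Each field is a 1-byte type, a 2-byte big-endian length and the value."""
    out = bytearray()
    for t, v in fields:
        if not 0 <= t <= 0xFF or len(v) > 0xFFFF:
            raise ValueError("field does not fit a TLV header")
        out += bytes([t]) + len(v).to_bytes(2, "big") + v
    return bytes(out)


def tlv_decode(frame: bytes) -> List[Tuple[int, bytes]]:
    """Strict parser: a header or a length that runs past the frame is rejected, not truncated."""
    fields, pos = [], 0
    while pos < len(frame):
        if pos + 3 > len(frame):
            raise ValueError("truncated TLV header")
        t, ln = frame[pos], int.from_bytes(frame[pos + 1:pos + 3], "big")
        pos += 3
        if pos + ln > len(frame):
            raise ValueError("TLV length exceeds frame")
        fields.append((t, frame[pos:pos + ln]))
        pos += ln
    return fields


def frame_is_well_formed(frame: bytes) -> bool:
    try:
        tlv_decode(frame)
        return True
    except ValueError:
        return False


def gateway_dek_for_frame(edk: bytes, frame: bytes) -> bytes:
    """Gateway side: read device id and counter out of the TLV frame and re-derive the DEK
    that the edge device used, so the authenticated decryption can run with the same key."""
    f = dict(tlv_decode(frame))
    return derive_dek(edk, f[TLV_DEVICE_ID], int.from_bytes(f[TLV_COUNTER], "big"))
```

`hkdf` reproduces test case 1 of RFC 5869 Appendix A, which is the check to run before trusting any hand-written derivation.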
Allowable Subject Matter
Claims 9-10, 13, 22 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Smith, U.S. Publication No. 2016/0366105 discloses a secure IoT network wherein a gateway is provided with a communication that includes a group key wrapped using a session key negotiated using Diffie-Hellman exchange ([0026]). However, Smith does not specify that the group key is utilized by group IoT devices to create a communication key that is utilized to encrypt the communication to the gateway that includes the wrapped group key. 
Agiwal, U.S. Publication No. 2016/0205555, discloses secure communication establishment between devices using a key generated using a key derivation function.
Brands, U.S. Publication No. 2019/0014104, discloses an IoT device manufacturing environment that involves key pair and certificate generation for manufactured devices.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BENJAMIN E LANIER whose telephone number is (571)272-3805.  The examiner can normally be reached on M-Th: 6:20-4:50.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid, can be reached on 571-272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BENJAMIN E LANIER/          Primary Examiner, Art Unit 2437