Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement filed 9/5/2019 fails to comply with the provisions of 37 CFR 1.97, 1.98 and MPEP § 609 because Non-Patent Literature document (“DIERKS, T. et al”) has incorrect formatting for a date. The date listed is “January 999” which appears to be a typo and should be addressed in order to have the document considered.  It has been placed in the application file, but the information referred to therein has not been considered as to the merits.  Applicant is advised that the date of any re-submission of any item of information contained in this information disclosure statement or the submission of any missing element(s) will be the date of submission for purposes of determining compliance with the requirements based on the time of filing the statement, including all certification requirements for statements under 37 CFR 1.97(e).  See MPEP § 609.05(a).

Claim Objections
Claim 8 is objected to because of the following informalities:  Claim 8 recites “the secure session connection” which should be changed to --the secure session connection processor--.  Appropriate correction is required.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-7, 9, 10, 13-16, 19, 21-23 and 37 of U.S. Patent No. 10,447,658. Although the claims at issue are not identical, they are not patentably distinct from each other because claims 1-20 of the instant application overlap in scope, and are thus anticipated, by respective claims 1-7, 9, 10, 13-16, 19, 21-23, and 37 of the ‘658 patent.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 4, 6, 12-14, 17, and 19 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.

Claims 6 and 19 recite the limitation "wherein the instruction" in lines 1-2.  There is insufficient antecedent basis for this limitation in the claim.
Claim 12 recites the limitation “the first secure session connection” in line 7. There is insufficient antecedent basis for this limitation in the claim.
Claim 13 recites the limitation “the split proxy mode” in line 5.  There is insufficient antecedent basis for this limitation in the claim.
The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

The following is a quotation of pre-AIA  35 U.S.C. 112, fourth paragraph:
Subject to the following paragraph [i.e., the fifth paragraph of pre-AIA  35 U.S.C. 112], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

Claim 19 is rejected under 35 U.S.C. 112(d) or pre-AIA  35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends.  Claim 19 recites “The method of claim 19”, which incorrectly refers to itself.  Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-10, 12, and 15-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over “Yang” (US 2017/0163633) in view of “Karandikar” (US 2008/0307219).

Regarding Claim 1:
Yang teaches:
An appliance (Fig. 1, element 400) comprising: 
one or more network interfaces configured to facilitate secure communications (Fig. 1, elements 410 and 420 are respective proxy devices within element 400; ¶0050, “Specifically, the system 400 may include a client facing node 410 being a first SSL gateway, a server facing node 420 being a second SSL gateway, and, optionally, a monitoring node 430 and a storage node 440…”) ) between a client device (Fig. 1, element 120) and a server (Fig. 1, element 130), wherein the secure communications involve a plurality of secure session connections between the client device and the appliance and between the appliance and another appliance (Fig. 5 details that a client 120 is connected to client facing node 410 via SSL session 505, client facing node 410 connected to server facing node 420 via SSL session 510, and service facing node 420 connected to server 130 via SSL session 515); and 
a secure session connection processor (Fig. 1, element 410) configured to: 
determine, using information in a secure session connection request received from the client device, whether client authentication is required by the server (Fig. 3, step 302; ¶0037, “The method 300 may commence with intercepting a client request sent by a client at operation 302. The session request may be intercepted by a client facing node. The client facing node may analyze the client request and determine that the client request includes session-specific information and a session request to establish an SSL communication session between the client and a server”; i.e., intercept, at the client facing node, a session request sent by the client, where session-specific information within the session request is used to determine whether a SSL communication session is to be established between the client and the server. Here, the examiner interprets the session-specific information contained within the request as providing determination, to the client facing node, that the server requires client authentication in order to establish the SSL session), 
“The method 300 may further include sending the extended session request by the client facing node to a server facing node at operation 308”), and 
wherein communications received from the client device are decrypted using a key … with the client device (¶0048, “… the session request may be sent by the client in an encrypted form. The method 300 may include decrypting, by the client facing node, the session request to obtain a decrypted session request in a form of clear text.”; Here, the examiner asserts that use of a key would be inherent to decrypt communications between a client and a client facing node), and the decrypted communications sent to the other appliance are encrypted using a key … with the other appliance (¶0047, “The session request present in the extended session request may be sent by the client facing node to the server facing node in an encrypted form”; Here, the examiner assert that use of a key would be inherent to encrypt communications between a client facing node and a server facing node).
Yang does not expressly disclose:
wherein communications received from the client device are decrypted using a key shared with the client device, and the decrypted communications sent to the other appliance are encrypted using a key shared with the other appliance.
Karandikar teaches:
“… the communication link between the proxy 117 and the client 109 may itself be an SSL communication link”; ¶0036, “… the SSL protocol provides for an exchange of session keys between nodes participating in the secure exchange … The session keys are symmetric cryptographic keys, meaning the two nodes each use the same key to encrypt/decrypt content”; i.e., maintain a shared key between the client and the client proxy to encrypt/decrypt communications), and the decrypted communications sent to the other appliance are encrypted using a key shared with the other appliance (¶0042, “Because the proxies will be exchanging the symmetric keys used for SSL communications between the client and the server and will also be passing unencrypted SSL records between themselves, the communication link may need to be secured. This may be done using separate SSL encryption (requiring a separate SSL handshake between the proxies)…”; ¶0036, “… the SSL protocol provides for an exchange of session keys between nodes participating in the secure exchange … The session keys are symmetric cryptographic keys, meaning the two nodes each use the same key to encrypt/decrypt content”; i.e., maintain a shared key between the client proxy and the server proxy to encrypt/decrypt communications between the proxies71).
	Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Yang’s system for exchanging information between SSL gateways by enhancing Yang’s SSL communications between a client, a client proxy, and a server proxy to each utilize a shared key to 
	The motivation is to implement a SSL connection between a client and a client proxy and a SSL connection between the client proxy and a server proxy utilizing shared, symmetrical keys. This ensures that two-way communication between each entity can be secured via the same key which makes key distribution and management easier.

Regarding Claim 2:
The appliance of claim 1, wherein Yang in view of Karandikar further teaches the information in the received secure session connection request is used to determine whether a lookup table includes information that client authentication is required by the server (Yang, ¶0033, “In case the security certificate 215 was previously received, the client facing node 410 may retrieve a forged security certificate associated with the security certificate 215 from a storage unit (not shown)”; ¶0046, “In a further embodiment, the method 300 may include analyzing, by the client facing node, the session-specific information. Based on the analysis, the client facing node may determine that a forged security certificate is preliminarily generated by the server facing node for the server. Based on such a determination, the client facing node may generate the SSL extension in a form of a control message”; ¶0038, “… generating a SSL extension by the client facing node at operation 304. The SSL extension may be generated based on the session-specific information”; i.e., access a storage unit (lookup 

Regarding Claim 3:
The appliance of claim 2, wherein Yang in view of Karandikar further teaches the secure session connection processor is further configured to access the lookup table upon receipt of the secure session connection request (Yang, Fig. 3, step 304 occurs in accordance with receiving the request in step 302).

Regarding Claim 4:
The appliance of claim 1, wherein Yang in view of Karandikar further teaches the information that client authentication is not required indicates that the appliance is acting as a split proxy mode (Karandikar, ¶0057, “However, in the case of an intercept decision, the client-side proxy and the server continue the SSL handshake and exchange symmetric encryption keys and cipher information (612). At this point, the client-side proxy and the server-side proxy secure the communication channel between them (if it is not yet secure) (614) and the client-side proxy subsequently provides the symmetric keys and cipher information to the server-side proxy (616)”).
The motivation to reject claim 4 under Karandikar is the same motivation used to combine Karandikar to Yang in the rejection of claim 1 above.

Regarding Claim 5:	
The appliance of claim 1, wherein Yang in view of Karandikar further teaches the information that client authentication is required indicates that the appliance is acting as “The client-side proxy participates in an SSL handshake with the server (604), and makes tunnel/intercept decision based on the server's identity as revealed by its digital certificate or other information related to the client or the server (606). In the case of a decision to tunnel the traffic without decryption or acceleration, the client-side proxy so informs the server-side proxy (608), and the two cooperate to tunnel the SSL traffic until the session is complete (610)”).
The motivation to reject claim 5 under Karandikar is the same motivation used to combine Karandikar to Yang in the rejection of claim 1 above.

Regarding Claim 6:
The appliance of claim 1, wherein Yang in view of Karandikar further teaches the instruction indicates that the other appliance is to initiate a secure session handshake procedure between the other appliance and the server (Yang, Fig. 3, steps 308-312; ¶0040, “The method 300 may further include sending the extended session request by the client facing node to a server facing node at operation 308”, ¶0041, “The method 300 may continue with operation 310, at which the server facing node may identify the session-specific information contained in the SSL extension of the extended session request”, & ¶0042, “At operation 312, the server facing node may generate a further session request for establishing the SSL communication session between the server facing node and the server”).

Regarding Claim 7:


Regarding Claim 8:
The appliance of claim 2, wherein Yang in view of Karandikar further teaches the secure session connection is further configured to determine, using information from the secure session connection request, whether the lookup table includes certificate information (Yang, (Fig. 3, step 308; ¶0033, “In case the security certificate 215 was previously received, the client facing node 410 may retrieve a forged security certificate associated with the security certificate 215 from a storage unit (not shown)”; ¶0040, “The method 300 may further include sending the extended session request by the client facing node to a server facing node at operation 308”; i.e., default to sending the extended session quest to the server facing node when no forged server certificate is detected via the storage unit).

Regarding Claim 9:
The appliance of claim 2, wherein Yang in view of Karandikar further teaches the determination that the lookup table does not include information on client authentication or failing to access the lookup table further comprises the secure session connection processor configured to forward the secure session connection request to the other appliance (Yang, ¶0045, “The forged security certificate may be used by the client facing node for establishing a second secure connection between the client facing node and the client”; ¶0033, “The client facing node 410 may analyze the session request 245 received from the client 120 to determine whether a security certificate 215 was previously received from the server 130. In case the security certificate 215 was previously received, the client facing node 410 may retrieve a forged security certificate associated with the security certificate 215 from a storage unit (not shown)”; Fig. 3, step 308; Here, Yang discloses checking a storage unit (the lookup table) for a forged security certificate (indicating that prior authentication has occurred), and when said certificate is not found then the client facing node forwards the secure session connection request to the server facing node in step 308).

Regarding Claim 10:
The appliance of claim 2, wherein Yang in view of Karandikar further teaches the secure session connection processor is further configured to add an entry in the lookup table, if the entry does not exist for the server, wherein the entry is allocated to store at least one of: mode information, certificate information (Yang, ¶0033, “In case the security certificate 215 was previously received, the client facing node 410 may retrieve a forged security certificate associated with the security certificate 215 from a storage unit (not shown)”), information 49CTX-1277USCN (96046-CON1)that client authentication is not required by the server, and premaster secret information. 

Regarding Claim 12:

receive, from the other appliance, certificate information (Yang, ¶0045, “The server facing node may provide the forged security certificate to the client facing node”); 
establish the first secure session connection using the certificate information in response to the secure connection request (Yang, ¶0045, “The forged security certificate may be used by the client facing node for establishing a second secure connection between the client facing node and the client”); and 
store the certificate information in the lookup table (Yang, ¶0033, “The client facing node 410 may analyze the session request 245 received from the client 120 to determine whether a security certificate 215 was previously received from the server 130. In case the security certificate 215 was previously received, the client facing node 410 may retrieve a forged security certificate associated with the security certificate 215 from a storage unit (not shown).”).

Regarding Claims 15 and 20:
Method claim 15 and non-transitory computer readable storage medium claim 20 correspond to appliance claim 1 and contain no further limitations. Therefore claims 15 and 20 are each rejected by applying the same rationale used to reject claim 1 above.

Regarding Claims 16-19:
.

Claims 13 and 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over “Yang” (US 2017/0163633) in view of “Karandikar” (US 2008/0307219) in further view of “Shah” (US 8438628).

Regarding Claim 13:
Yang in view of Karandikar teaches:
The appliance of claim 3, …
Yang in view of Karandikar does not disclose:
…wherein the secure session connection processor is further configured to determine whether the lookup table includes premaster secret information, when determining that the appliance is acting as the split proxy mode.
Shah teaches:
…wherein the secure session connection processor is further configured to determine whether the lookup table includes premaster secret information (Col. 7, lines 43-51, “The CCS message specifies that the communicants … are to start encrypting their communications using a session key that is denoted herein as “K” … Because all data needed to compute the session key (i.e., client and server seeds, pre-Master-Secret) are now known to the client, it may do so at time sequence 286”), when 
	Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Yang in view of Karandikar’s system for exchanging information between SSL gateways by enhancing Yang in view of Karandikar’s client proxy to determine whether a pre-master secret exists when the proxy is acting within a split-proxy mode, as taught by Shah, in order to generate a session key to secure communications between a client and a server.
	The motivation is to exchange and receive parameters between entities within a split-proxy configuration that result in a pre-master secret being received at a client-side proxy of the split-proxy, which allows the client-side proxy to generate a secure session key for a client to use to securely communication with a server.

Regarding Claim 14:
The appliance of claim 13, wherein Yang in view of Karandikar in further view of Shah further teaches the secure session connection processor is further configured to send the other appliance a request to decrypt client key exchange, based on determining that the lookup table does not include premaster secret information (Shah, Fig. 2, step 282; Col. 6, lines 23-30, “When the client initiates the secure connection, it issues a Client-Hello (CH) message toward the entity with which it wishes to communicate--server 270. The Client-Hello message comprises a client seed (e.g., a 16 or 32 byte random number) that will be used during generation of a session key”; i.e., initially, when a 

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DANIEL B POTRATZ whose telephone number is (571)270-5329.  The examiner can normally be reached on M-F 10 A.M. - 6 P.M. CST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 571-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/DANIEL B POTRATZ/Primary Examiner, Art Unit 2491