DETAILED ACTION
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant’s submission filed on 4/12/2021, for application 16/144,317 has been entered.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
As per instant Amendment, Claims 2, 6, 9, 11, 15, 16, and 18 were canceled; Claims 21-27 have been added; Claims 1, 3-5, 7, 8, 10, 12-14, 17, 19, and 20 have been amended. Claims 1, 10, and 19 are independent claims.  Claims 1, 3-5, 7, 8, 10, 12-14, 17, and 19-27 have been examined and are pending. This Action is made Non-FINAL. 
Response to Arguments
Applicants’ arguments, see Applicant Arguments/Remarks Made in an Amendment, filed 4/12/2021, with respect to the rejections of claims 1, 3-5, 7, 8, 10, 12-14, 17, and 19-27 have been fully considered but are not persuasive.
Applicant remarked as follows:  Examiner Interview,  The undersigned Applicant’s Attorney wishes to thank the Examiner for affording him the opportunity to 
Examiner notes that the interview summary filed 2/23/2021 reads as follows: The examiner pointed out his position that the proposed amended claims do not appear to overcome the prior art of record but further review is needed. Examiner notes that paragraph 0002 of Kumar discloses remote execution of applications. The examiner and the applicant further discussed possible amendments to clarify the claimed invention and to distinguish the claimed invention over the prior art. The examiner respectfully suggested that the independent claims be further amended by incorporating limitations recited in the dependent claims to clarify the claimed invention and to distinguish the claimed invention over the prior art. The applicant agreed to consider further amendment that will be submitted for further examination. See Advisory Action for discussion of Applicant’s remarks filed 2/10/2021.
Applicant argued as follows:  The Applicant respectfully submits, however, that the Kumar reference, the Haworth reference, and the Obaidi reference, taken alone or in proper (if possible) combination, do not appear to teach or suggest at least the following with regard to amended claim 1: “in response to an application window of an untrusted computing device having focus, receiving, by an encryption device, a first command from a remote application hosted by a remote virtual machine (VM), the first command being provided to the encryption device by an application of the untrusted computing device, the application being configured to cause a user interface for the remote 
Examiner respectfully disagrees.  The independent claims are now rejected by Habraken in combination with Beaumont and Sikka.  Habraken, in paragraphs 0042 and 0034, discloses receiving, by an encryption device, a first command from a remote application hosted by a remote virtual machine (VM), the first command being provided to the encryption device by an application of the untrusted computing device.  Beaumont discloses, in paragraphs 0180 and 0177, receiving, by an encryption device, a first command from a remote application hosted by a remote virtual machine (VM), the first command being provided to the encryption device by an application of the untrusted computing device, the application being configured to cause a user interface for the remote application to appear within the application window.  Habraken discloses, in paragraph 0042, to the remote application being executable on the remote VM.  Sikka, in paragraph 0047, discloses in response to an application window of an untrusted computing device having focus, receiving, by an encryption device, a first command from 
Applicant argued as follows:  Dependent claims 4, 5, 7, 8, and 17 (indicated in parentheses below) were rejected under 35 U.S.C. § 103 as being unpatentable over the Kumar reference in view of the Haworth reference and the Obaidi reference, and in further view of one or more additional patent references, as follows:
•    Haga et al. (USP Pub. 2017/0012785; the “Haga reference”) (claims 4 and 5);
•    Haga reference and Wood (USP Pub. 2008/0137657; the “Wood reference”) (claim 7);
•    Haga reference, Wood reference, and Gheorghe et al. (USP Pub. 2017/0250859; the “Gheorghe reference”) (claim 8); and
•    Heldt-Sheller et al. (USP Pub. 2016/0180080; the “Heldt-Sheller reference”) (claim 17).
The Applicant respectfully submits, however, that the Haga reference, the Wood reference, the Gheorghe reference, and/or the Heldt-Sheller reference do not appear to remedy at least the aforementioned deficiencies of the Kumar reference, the Haworth reference, and the Obaidi reference. The combined (if possible to be combined) teachings of the Kumar reference, the Haworth reference, the Obaidi reference, the Haga reference, the Wood reference, the Gheorghe reference, and/or the Heldt-Sheller reference therefore would not suggest to one of ordinary skill in the art, before the effective filing date of the subject application, the subject matter of claims 4, 5, 7, and 8 (each of which depends either directly or ultimately from claim 1) and/or the subject matter of claim 17 (which depends directly from claim 10). Accordingly, it is respectfully submitted that these claim rejections under 35 U.S.C. § 103 should likewise be withdrawn.
Examiner respectfully submits that all claims have properly been rejected over the prior art of record.

The Examiner respectfully suggests that the claims be further amended and details in the specification be incorporated to distinguish the claimed invention over prior art of record.  Should the Applicant desire an interview to further clarify the claim interpretation/rejections, please contact the Examiner at (571) 272 5368 to schedule an interview.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. 


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor 
Claims 1, 10, 13, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Habraken (US20190327093), filed 5/20/2019, from PCT/US2016063913, filed 11/29/2016, in view of Beaumont (US20110264922), filed 7/12/2011, and Sikka (US20160034702), filed 10/16/2015.
Regarding claim 1, Habraken discloses a method comprising:
receiving, by an encryption device, a first command from a remote application hosted by a remote virtual machine (VM), the first command being provided to the encryption device by an application of the untrusted computing device (Habraken, paragraph 0042, “FIG. 7 is a timeline of an illustrative transaction sequence on a networked system lacking SSM 602.  The application program 402 executing on the virtual machine initiates, via minidriver 410, a cryptographic operation (in this example, a request to encrypt data).  Minidriver 410 passes the encrypt command to PC SC, which in turn passes it to the host connector and the client connector (which operate to hide the network 206).  The client connector passes the encrypt command to CCID driver 414 which passes it to the smart card 112 (via reader 104).”; paragraph 0034, “Chip card interface device (CCID) driver 414 packages the commands for communication across a Universal Serial Bus (USB) link to a peripheral, in this case smart card reader 104.  CCID driver 414 further extracts responses from communications received from the smart card reader and provides them to the PCSC module 412.”);
to the remote application being executable on the remote VM (Habraken, paragraph 0042, “The application program 402 executing on the virtual machine initiates, via minidriver 410, a cryptographic operation (in this example, a request to encrypt data).  If the authentication information is correct, the smart card's cryptoprocessor enters a user-authentication state and returns an acknowledgement response along the chain to the minidriver 410.  The minidriver 410 then retries the encrypt command and this time the smart card 112 responds with the encrypted data.”);
in response to entering the encryption mode of operation, encrypting, by the encryption device, data in communication with the untrusted computing device (Habraken, paragraph 0042, “FIG. 7 is a timeline of an illustrative transaction sequence on a networked system lacking SSM 602.  The application program 402 executing on the virtual machine initiates, via minidriver 410, a cryptographic operation (in this example, a request to encrypt data).  Minidriver 410 passes the encrypt command to PC SC, which in turn passes it to the host connector and the client connector (which operate to hide the network 206).  The client connector passes the encrypt command to CCID driver 414 which passes it to the smart card 112 (via reader 104).”);
to the remote application hosted by the remote VM (Habraken, paragraph 0042, “FIG. 7 is a timeline of an illustrative transaction sequence on a networked system lacking SSM 602.  The application program 402 executing on the virtual machine initiates, via minidriver 410, a cryptographic operation (in this example, a request to encrypt data).  The 
Habraken discloses receiving, by an encryption device, a first command from a remote application hosted by a remote virtual machine (VM), the first command being provided to the encryption device by  the untrusted computing device, in response to entering the encryption mode of operation, encrypting, by the encryption device, data in communication with the untrusted computing device, but does not explicitly disclose receiving, by an encryption device, a first command from a remote application hosted by a remote virtual machine (VM), the first command being provided to the encryption device by an application of the untrusted computing device, the application being configured to cause a user interface for the remote application to appear within the application window, the untrusted computing device being in communication with a keyboard; in response to entering the encryption mode of operation, encrypting, by the encryption device, data from the keyboard in communication with the untrusted computing device, the data being encrypted prior to receipt at an operating system (OS) of the untrusted computing device and the encrypted data being sent from the untrusted computing device.
However, in an analogous art, Beaumont discloses receiving, by an encryption device, a first command from a remote application hosted by a remote virtual machine (VM), the first command being provided to the encryption device by an application of the untrusted computing device, the application being configured to cause a user interface for the remote application to appear within the application window (Beaumont, paragraph 0180, “The client-side GUI application displays the remote desktop from the server and sends mouse and keyboard events back to the server.”; paragraph 0177, “This architecture requires the use of a server-side application on the trusted remote server 104, but only an untrusted viewer application on the client machine.”);
the untrusted computing device being in communication with a keyboard (Beaumont, FIG. 1, keyboard 14 in communication with untrusted client computer 17); 
the application being configured to cause a user interface for the remote application to appear within the application window (Beaumont, paragraph 0180, “The client-side GUI application displays the remote desktop from the server and sends mouse and keyboard events back to the server.”);
in response to entering the encryption mode of operation, encrypting, by the encryption device, data from the keyboard in communication with the untrusted computing device, the data being encrypted prior to receipt at an operating system (OS) of the untrusted computing device and the encrypted data being sent from the untrusted computing device (Beaumont, paragraph 0162, “The encrypted keyboard and mouse data 49 is forwarded to a remote trusted server 19 via the untrusted network/Internet 18 where it can be decrypted 24'.”; paragraph 0025, “The proxy server specifically finds and removes bounding patterns in the stream and decrypts the encapsulated keystrokes using a standard Public Key Infrastructure (PKI) asymmetric algorithm that uses a public server key and a private server key.”).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Beaumont with the system/method/computer program product of Habraken to include receiving, by an encryption device, a first command from a remote application hosted by a remote virtual machine (VM), the first command being provided to the encryption device by an application of the untrusted computing device, the application being configured to cause a user interface for the remote application to appear within the application window, the untrusted computing device being in communication with a keyboard; in response to entering the encryption mode of operation, encrypting, by the encryption device, data from the keyboard in communication with the untrusted computing device, the data being encrypted prior to receipt at an operating system (OS) of the untrusted computing device and the encrypted data being sent from the untrusted computing device.
One would have been motivated to provide users with the benefits of veracity of information provided to a computer by human input devices (Beaumont: paragraph 0001).
Habraken and Beaumont disclose receiving, by an encryption device, a first command from a remote application hosted by a remote virtual machine (VM), the first command being provided to the encryption device by an application of the untrusted computing device, the application being configured to cause a user interface for the remote application to appear within the application window, the remote application being executable on the remote VM, and the untrusted computing device being in communication with a keyboard, but do not explicitly disclose in response to an application window of an untrusted computing device having focus, receiving, by an encryption device, a first command from a remote application hosted by a remote virtual machine (VM), the first command being provided to the encryption device by an application of the untrusted computing device, the application being configured to cause a user interface for the remote application to appear within the application window, the remote application being executable on the remote VM, and the untrusted computing device being in communication with a keyboard.
However, in an analogous art, Sikka discloses in response to an application window of an untrusted computing device having focus, receiving, by an encryption device, a first command from a remote application hosted by a remote virtual machine (VM), the first command being provided to the encryption device by an application of the untrusted computing device, the application being configured to cause a user interface for the remote application to appear within the application window, the remote application being executable on the remote VM, and the untrusted computing device being in communication with a keyboard (Sikka, paragraph 0047, “As claimed, device assignment and/or device IO routing could be dynamically modified based on which Domain owns the window with the current focus.  For example, while a window from a Trusted Domain has focus, keyboard and audio devices or just IO from those devices could be passed to the Trusted Domain that owns the window.  When a window belonging to another domain including an Untrusted Domain has focus, devices or just IO can be passed to the Untrusted Domain that owns the window with focus.”).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Sikka with the system/method/computer program product of Habraken and Beaumont to include in response to an application window of an untrusted computing device having focus.
One would have been motivated to provide users with the benefits of protecting sensitive data (Sikka: paragraph 0004).
Regarding claim 10, Habraken discloses a system comprising: a memory; and processing circuitry configured to execute program instructions out of the memory (Habraken, paragraph 0027, “Upon powering-up of the client computer 202, the CPUs 302 may retrieve operating system (OS) components and other software modules from disk 316 and store them in system memory 304 (i.e., "load the software") for execution.  Alternatively, the CPUs 302 may load and execute some software modules in response to actions or commands received via the user interface 106, or perhaps in response to other actions such as the insertion of a smart card into reader 104.  In accordance with the methods discussed further below, the loaded software may include a security state management (SSM) module 308, shown in FIG. 3 as resident in system memory 308.  SSM module 308, when executed by one or more of the CPUs 302, causes them to implement an SSM method that may protect against certain vulnerabilities of traditional security token-reliant security methods when implemented in the cloud.”);
to receive a first command from a remote application hosted by a remote virtual machine (VM), the first command being provided to the encryption device by an application of the untrusted computing device (Habraken, paragraph 0042, “FIG. 7 is a timeline of an illustrative transaction sequence on a networked system lacking SSM 602.  The application program 402 executing on the virtual machine initiates, via minidriver 410, a cryptographic operation (in this example, a request to encrypt data).  Minidriver 410 passes the encrypt command to PC SC, which in turn passes it to the host connector and the client connector (which operate to hide the network 206).  The client connector passes the encrypt command to CCID driver 414 which passes it to the smart card 112 (via reader 104).”; paragraph 0034, “Chip card interface device (CCID) driver 414 packages the commands for communication across a Universal Serial Bus (USB) link to a peripheral, in this case smart card reader 104.  CCID driver 414 further extracts responses from communications received from the smart card reader and provides them to the PCSC module 412.”);
to the remote application being executable on the remote VM (Habraken, paragraph 0042, “The application program 402 executing on the virtual machine initiates, via minidriver 410, a cryptographic operation (in this example, a request to encrypt data).  If the authentication information is correct, the smart card's cryptoprocessor enters a user-authentication state and returns an acknowledgement response along the chain to the minidriver 410.  The minidriver 410 then retries the encrypt command and this time the smart card 112 responds with the encrypted data.”);
in response to entering the encryption mode of operation to encrypt in communication with the untrusted computing device (Habraken, paragraph 0042, “FIG. 7 is a timeline of an illustrative transaction sequence on a networked system lacking SSM 602.  The application program 402 executing on the virtual machine initiates, via minidriver 410, a cryptographic operation (in this example, a request to encrypt data).  Minidriver 410 passes the encrypt command to PC SC, which in turn passes it to the host connector and the client connector (which operate to hide the network 206).  The client connector passes the encrypt command to CCID driver 414 which passes it to the smart card 112 (via reader 104).”);
to the remote application hosted by the remote VM (Habraken, paragraph 0042, “FIG. 7 is a timeline of an illustrative transaction sequence on a networked system lacking SSM 602.  The application program 402 executing on the virtual machine initiates, via minidriver 410, a cryptographic operation (in this example, a request to encrypt data).  The 
Habraken discloses receiving, by an encryption device, a first command from a remote application hosted by a remote virtual machine (VM), the first command being provided to the encryption device by  the untrusted computing device, in response to entering the encryption mode of operation, encrypting data in communication with the untrusted computing device, but does not explicitly disclose receiving, by an encryption device, a first command from a remote application hosted by a remote virtual machine (VM), the first command being provided to the encryption device by an application of the untrusted computing device, the application being configured to cause a user interface for the remote application to appear within the application window, the untrusted computing device being in communication with a keyboard; in response to entering the encryption mode of operation, encrypting data from the keyboard in communication with the untrusted computing device, the data being encrypted prior to receipt at an operating system (OS) of the untrusted computing device and the encrypted data being sent from the untrusted computing device.
However, in an analogous art, Beaumont discloses receiving, by an encryption device, a first command from a remote application hosted by a remote virtual machine (VM), the first command being provided to the encryption device by an application of the untrusted computing device, the application being configured to cause a user interface for the remote application to appear within the application window (Beaumont, paragraph 0180, “The client-side GUI application displays the remote desktop from the server and sends mouse and keyboard events back to the server.”; paragraph 0177, “This architecture requires the use of a server-side application on the trusted remote server 104, but only an untrusted viewer application on the client machine.”);
the untrusted computing device being in communication with a keyboard (Beaumont, FIG. 1, keyboard 14 in communication with untrusted client computer 17); 
the application being configured to cause a user interface for the remote application to appear within the application window (Beaumont, paragraph 0180, “The client-side GUI application displays the remote desktop from the server and sends mouse and keyboard events back to the server.”);
in response to entering the encryption mode of operation, encrypting data from the keyboard in communication with the untrusted computing device, the data being encrypted prior to receipt at an operating system (OS) of the untrusted computing device and the encrypted data being sent from the untrusted computing device (Beaumont, paragraph 0162, “The encrypted keyboard and mouse data 49 is forwarded to a remote trusted server 19 via the untrusted network/Internet 18 where it can be decrypted 24'.”; paragraph 0025, “The proxy server specifically finds and removes bounding patterns in the stream and decrypts the encapsulated keystrokes using a standard Public Key Infrastructure (PKI) asymmetric algorithm that uses a public server key and a private server key.”).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Beaumont with the system/method/computer program product of Habraken to include to receive a first command from a remote application hosted by a remote virtual machine (VM), the first command being provided to the encryption device by an application of the untrusted computing device, the application being configured to cause a user interface for the remote application to appear within the application window, the untrusted computing device being in communication with a keyboard; in response to entering the encryption mode of operation, encrypting data from the keyboard in communication with the untrusted computing device, the data being encrypted prior to receipt at an operating system (OS) of the untrusted computing device and the encrypted data being sent from the untrusted computing device.
One would have been motivated to provide users with the benefits of veracity of information provided to a computer by human input devices (Beaumont: paragraph 0001).
Habraken and Beaumont disclose to receive a first command from a remote application hosted by a remote virtual machine (VM), the first command being provided to the encryption device by an application of the untrusted computing device, the application being configured to cause a user interface for the remote application to appear within the application window, the remote application being executable on the remote VM, and the untrusted computing device being in communication with a keyboard, but do not explicitly disclose in response to an application window of an untrusted computing device having focus, to receive a first command from a remote application hosted by a remote virtual machine (VM), the first command being provided to the encryption device by an application of the untrusted computing device, the application being configured to cause a user interface for the remote application to appear within the application window, the remote application being executable on the remote VM, and the untrusted computing device being in communication with a keyboard.
However, in an analogous art, Sikka discloses in response to an application window of an untrusted computing device having focus, to receive a first command from a remote application hosted by a remote virtual machine (VM), the first command being provided to the encryption device by an application of the untrusted computing device, the application being configured to cause a user interface for the remote application to appear within the application window, the remote application being executable on the remote VM, and the untrusted computing device being in communication with a keyboard (Sikka, paragraph 0047, “As claimed, device assignment and/or device IO routing could be dynamically modified based on which Domain owns the window with the current focus.  For example, while a window from a Trusted Domain has focus, keyboard and audio devices or just IO from those devices could be passed to the Trusted Domain that owns the window.  When a window belonging to another domain including an Untrusted Domain has focus, devices or just IO can be passed to the Untrusted Domain that owns the window with focus.”).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Sikka with the system/method/computer program product of Habraken and Beaumont to include in response to an application window of an untrusted computing device having focus.
One would have been motivated to provide users with the benefits of protecting sensitive data (Sikka: paragraph 0004).
Regarding claim 13, Habraken, Beaumont, and Sikka disclose the system of claim 10.  Habraken discloses wherein encryption of the data is done with use of one or more encryption/decryption keys including one or more of (i) pre-shared keys, (ii) (Habraken, paragraph 0030, “Using the cryptographic API 406, application program 402 initiates cryptographic operations on the physical security token 112 and receives responses.  Illustrative cryptographic operations include encrypting data with a public key, decrypting data with a private key, obtaining a digital certificate including a public key signed by a certification authority (CA), authentication of user-provided information, and the generation of cryptographic keys, the importation of cryptographic keys, the importation of digital certificates, the loading and unloading of application data, setting configuration data such as the number of authentication tries and the length of a user authenticator such as a PIN, and blocking and unblocking of user credentials.”).
Regarding claim 19, Habraken discloses a computer program product including non-transitory, computer-readable media having instructions that, when executed by control circuitry of a computerized apparatus, cause the control circuitry to perform a method comprising (Habraken, paragraph 0027, “Upon powering-up of the client computer 202, the CPUs 302 may retrieve operating system (OS) components and other software modules from disk 316 and store them in system memory 304 (i.e., "load the software") for execution.  Alternatively, the CPUs 302 may load and execute some software modules in response to actions or commands received via the user interface 106, or perhaps in response to other actions such as the insertion of a smart card into reader 104.  In accordance with the methods discussed further below, the loaded software may include a security state management (SSM) module 308, shown in FIG. 3 as resident in system memory 308.  SSM module 308, when executed by one or more of the CPUs 302, causes them to implement an SSM method that may protect against certain vulnerabilities of traditional security token-reliant security methods when implemented in the cloud.”);
receiving, by an encryption device, a first command from a remote application hosted by a remote virtual machine (VM), the first command being provided to the encryption device by an application of the untrusted computing device (Habraken, paragraph 0042, “FIG. 7 is a timeline of an illustrative transaction sequence on a networked system lacking SSM 602.  The application program 402 executing on the virtual machine initiates, via minidriver 410, a cryptographic operation (in this example, a request to encrypt data).  Minidriver 410 passes the encrypt command to PC SC, which in turn passes it to the host connector and the client connector (which operate to hide the network 206).  The client connector passes the encrypt command to CCID driver 414 which passes it to the smart card 112 (via reader 104).”; paragraph 0034, “Chip card interface device (CCID) driver 414 packages the commands for communication across a Universal Serial Bus (USB) link to a peripheral, in this case smart card reader 104.  CCID driver 414 further extracts responses from communications received from the smart card reader and provides them to the PCSC module 412.”);
to the remote application being executable on the remote VM (Habraken, paragraph 0042, “The application program 402 executing on the virtual machine initiates, via minidriver 410, a cryptographic operation (in this example, a request to encrypt data).  If the authentication information is correct, the smart card's cryptoprocessor enters a user-authentication state and returns an acknowledgement response along the chain to the minidriver 410.  The minidriver 410 then retries the encrypt command and this time the smart card 112 responds with the encrypted data.”);
in response to entering the encryption mode of operation, encrypting, by the encryption device, data in communication with the untrusted computing device (Habraken, paragraph 0042, “FIG. 7 is a timeline of an illustrative transaction sequence on a networked system lacking SSM 602.  The application program 402 executing on the virtual machine initiates, via minidriver 410, a cryptographic operation (in this example, a request to encrypt data).  Minidriver 410 passes the encrypt command to PC SC, which in turn passes it to the host connector and the client connector (which operate to hide the network 206).  The client connector passes the encrypt command to CCID driver 414 which passes it to the smart card 112 (via reader 104).”);
to the remote application hosted by the remote VM (Habraken, paragraph 0042, “FIG. 7 is a timeline of an illustrative transaction sequence on a networked system lacking SSM 602.  The application program 402 executing on the virtual machine initiates, via minidriver 410, a cryptographic operation (in this example, a request to encrypt data).  The minidriver 410 then retries the encrypt command and this time the smart card 112 responds with the encrypted data.”).
Habraken discloses receiving, by an encryption device, a first command from a remote application hosted by a remote virtual machine (VM), the first command being provided to the encryption device by the untrusted computing device, in response to entering the encryption mode of operation, encrypting, by the encryption device, data in communication with the untrusted computing device, but does not explicitly disclose receiving, by an encryption device, a first command from a remote application hosted by a remote virtual machine (VM), the first command being provided to the encryption device by an application of the untrusted computing device, the application being configured to cause a user interface for the remote application to appear within the application window, the untrusted computing device being in communication with a keyboard; in response to entering the encryption mode of operation, encrypting, by the encryption device, data from the keyboard in communication with the untrusted computing device, the data being encrypted prior to receipt at an operating system (OS) of the untrusted computing device and the encrypted data being sent from the untrusted computing device.
However, in an analogous art, Beaumont discloses receiving, by an encryption device, a first command from a remote application hosted by a remote virtual machine (VM), the first command being provided to the encryption device by an application of the untrusted computing device, the application being configured to cause a user interface for the remote application to appear within the application window (Beaumont, paragraph 0180, “The client-side GUI application displays the remote desktop from the server and sends mouse and keyboard events back to the server.”; paragraph 0177, “This architecture requires the use of a server-side application on the trusted remote server 104, but only an untrusted viewer application on the client machine.”);
the untrusted computing device being in communication with a keyboard (Beaumont, FIG. 1, keyboard 14 in communication with untrusted client computer 17); 
the application being configured to cause a user interface for the remote application to appear within the application window (Beaumont, paragraph 0180, “The client-side GUI application displays the remote desktop from the server and sends mouse and keyboard events back to the server.”);
in response to entering the encryption mode of operation, encrypting, by the encryption device, data from the keyboard in communication with the untrusted computing device, the data being encrypted prior to receipt at an operating system (OS) of the untrusted computing device and the encrypted data being sent from the untrusted computing device (Beaumont, paragraph 0162, “The encrypted keyboard and mouse data 49 is forwarded to a remote trusted server 19 via the untrusted network/Internet 18 where it can be decrypted 24'.”; paragraph 0025, “The proxy server specifically finds and removes bounding patterns in the stream and decrypts the encapsulated keystrokes using a standard Public Key Infrastructure (PKI) asymmetric algorithm that uses a public server key and a private server key.”).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Beaumont with the system/method/computer program product of Habraken to include receiving, by an encryption device, a first command from a remote application hosted by a remote virtual machine (VM), the first command being provided to the encryption device by an application of the untrusted computing device, the application being configured to cause a user interface for the remote application to appear within the application window, the untrusted computing device being in communication with a keyboard; in response to entering the encryption mode of operation, encrypting, by the encryption device, data from the keyboard in communication with the untrusted computing device, the data being encrypted prior to receipt at an operating system (OS) of the untrusted computing device and the encrypted data being sent from the untrusted computing device.
One would have been motivated to provide users with the benefits of veracity of information provided to a computer by human input devices (Beaumont: paragraph 0001).
receiving, by an encryption device, a first command from a remote application hosted by a remote virtual machine (VM), the first command being provided to the encryption device by an application of the untrusted computing device, the application being configured to cause a user interface for the remote application to appear within the application window, the remote application being executable on the remote VM, and the untrusted computing device being in communication with a keyboard, but do not explicitly disclose in response to an application window of an untrusted computing device having focus, receiving, by an encryption device, a first command from a remote application hosted by a remote virtual machine (VM), the first command being provided to the encryption device by an application of the untrusted computing device, the application being configured to cause a user interface for the remote application to appear within the application window, the remote application being executable on the remote VM, and the untrusted computing device being in communication with a keyboard.
However, in an analogous art, Sikka discloses in response to an application window of an untrusted computing device having focus, receiving, by an encryption device, a first command from a remote application hosted by a remote virtual machine (VM), the first command being provided to the encryption device by an application of the untrusted computing device, the application being configured to cause a user interface for the remote application to appear within the application window, the remote application being executable on the remote VM, and the untrusted computing device being in communication with a keyboard (Sikka, paragraph 0047, “As claimed, device assignment and/or device IO routing could be dynamically modified based on which Domain owns the window with the current focus.  For example, while a window from a Trusted Domain has focus, keyboard and audio devices or just IO from those devices could be passed to the Trusted Domain that owns the window.  When a window belonging to another domain including an Untrusted Domain has focus, devices or just IO can be passed to the Untrusted Domain that owns the window with focus.”).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Sikka with the system/method/computer program product of Habraken and Beaumont to include in response to an application window of an untrusted computing device having focus.
One would have been motivated to provide users with the benefits of protecting sensitive data (Sikka: paragraph 0004).

Claims 3, 12, 20, and 24-26 are rejected under 35 U.S.C. 103 as being unpatentable over Habraken (US20190327093), filed 5/20/2019, from PCT/US2016063913, filed 11/29/2016, in view of Beaumont (US20110264922), filed 7/12/2011, and Sikka (US20160034702), filed 10/16/2015, and further in view of Haworth (US20180026947), filed 7/20/2016.
Regarding claim 3, Habraken, Beaumont, and Sikka disclose the method of claim 1.  
Habraken, Beaumont, and Sikka disclose an untrusted computing device, a remote application, and an encryption device, but do not explicitly disclose further comprising: in response to the application window of the untrusted computing device losing focus, receiving, at the encryption device, a second command from the remote application, the second command being provided to the encryption device by the application of the untrusted computing device; and in response to receipt of the second command from the remote application, disengaging, by the encryption device, the encryption mode of operation.
Haworth discloses further comprising: in response to the application window of the untrusted computing device losing focus, receiving, at the encryption device, a second command from the remote application, the second command being provided to the encryption device by the application of the untrusted computing device; and in response to receipt of the second command from the remote application, disengaging, by the encryption device, the encryption mode of operation (Haworth, paragraph 0062, “PC applications communicate with the KED through the CDC interface.  Actions such as gaining or losing focus on a window or a field that supports encryption generate an encryption ON or OFF command, which toggles the encryption state on the device MCU.”; paragraph 0087, “A focus listener that is operable to automatically end encryption for the field if the field is in encryption mode and then the field is caused to lose focus.”).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Haworth with the system/method/computer program product of Habraken, Beaumont, and Sikka to include further comprising: in response to the application window of the untrusted computing device losing focus, receiving, at the encryption device, a second command from the remote application, the second command being provided to the encryption device by the application of the untrusted computing device; and in response to receipt of the second command from the remote application, disengaging, by the encryption device, the encryption mode of operation.
One would have been motivated to provide users with the benefits of encrypting keystrokes such that their capture does not reveal protected information (Haworth: paragraph 0024).
Regarding claim 12, Habraken, Beaumont, and Sikka disclose the system of claim 10.  
Habraken, Beaumont, and Sikka disclose an untrusted computing device, a remote application, and an encryption device, but do not explicitly disclose wherein the processing circuitry is further configured, in response to the application window losing focus, to execute the program instructions out of the memory to receive a second command from the remote application, the second command being provided by the application of the untrusted computing device; and in response to receipt of the second command from the remote application, to disengage the encryption mode of operation.
Haworth discloses wherein the processing circuitry is further configured, in response to the application window losing focus, to execute the program instructions out of the memory to receive a second command from the remote application, the second command being provided by the application of the untrusted computing device; and in response to receipt of the second command from the remote application, to disengage the encryption mode of operation (Haworth, paragraph 0062, “PC applications communicate with the KED through the CDC interface.  Actions such as gaining or losing focus on a window or a field that supports encryption generate an encryption ON or OFF command, which toggles the encryption state on the device MCU.”; paragraph 0087, “A focus listener that is operable to automatically end encryption for the field if the field is in encryption mode and then the field is caused to lose focus.”).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Haworth with the system/method/computer program product of Habraken, Beaumont, and Sikka to include wherein the processing circuitry is further configured, in response to the application window losing focus, to execute the program instructions out of the memory to receive a second command from the remote application, the second command being provided by the application of the untrusted computing device; and in response to receipt of the second command from the remote application, to disengage the encryption mode of operation.
One would have been motivated to provide users with the benefits of encrypting keystrokes such that their capture does not reveal protected information (Haworth: paragraph 0024).
Regarding claim 20, Habraken, Beaumont, and Sikka disclose the system of claim 10.  
Habraken, Beaumont, and Sikka disclose an untrusted computing device, a remote application, and an encryption device, but do not explicitly disclose wherein the method further comprises: in response to the application window of the untrusted computing device losing focus, receiving, at the encryption device, a second command from the remote application, the second command being provided to the encryption device by the application of the untrusted computing device; and in response to receipt of the second command from the remote application, disengaging, by the encryption device, the encryption mode of operation.
Haworth discloses wherein the method further comprises: in response to the application window of the untrusted computing device losing focus, receiving, at the encryption device, a second command from the remote application, the second command being provided to the encryption device by the application of the untrusted computing device; and in response to receipt of the second command from the remote application, disengaging, by the encryption device, the encryption mode of operation (Haworth, paragraph 0062, “PC applications communicate with the KED through the CDC interface.  Actions such as gaining or losing focus on a window or a field that supports encryption generate an encryption ON or OFF command, which toggles the encryption state on the device MCU.”; paragraph 0087, “A focus listener that is operable to automatically end encryption for the field if the field is in encryption mode and then the field is caused to lose focus.”).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Haworth with the system/method/computer program product of Habraken, Beaumont, and Sikka to include wherein the method further comprises: in response to the application window of the untrusted computing device losing focus, receiving, at the encryption device, a second command from the remote application, the second command being provided to the encryption device by the application of the untrusted computing device; and in response to receipt of the second command from the remote application, disengaging, by the encryption device, the encryption mode of operation.
One would have been motivated to provide users with the benefits of encrypting keystrokes such that their capture does not reveal protected information (Haworth: paragraph 0024).
Regarding claim 24, Habraken, Beaumont and Sikka disclose the method of claim 1.
Habraken, Beaumont, and Sikka do not explicitly disclose further comprising: receiving, by the encryption device, predetermined data from the keyboard; and in response to receipt of the predetermined data from the keyboard, disengaging, by the encryption device, the encryption mode of operation.
However, in an analogous art, Haworth discloses further comprising: receiving, by the encryption device, predetermined data from the keyboard; and in response to receipt of the predetermined data from the keyboard, disengaging, by the encryption device, the encryption mode of operation (Haworth, paragraph 0062, “PC applications communicate with the KED through the CDC interface.  Actions such as gaining or losing focus on a window or a field that supports encryption generate an encryption ON or OFF command, which toggles the encryption state on the device MCU.”; paragraph 0087, “A focus listener that is operable to automatically end encryption for the field if the field is in encryption mode and then the field is caused to lose focus.”).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of 
One would have been motivated to provide users with the benefits of encrypting keystrokes such that their capture does not reveal protected information (Haworth: paragraph 0024).
Regarding claim 25, Habraken, Beaumont, Sikka, and Haworth disclose the method of claim 24.  Haworth discloses wherein the predetermined data from the keyboard in communication with the untrusted computing device causes the application window of the untrusted computing device to lose focus (Haworth, paragraph 0062, “PC applications communicate with the KED through the CDC interface.  Actions such as gaining or losing focus on a window or a field that supports encryption generate an encryption ON or OFF command, which toggles the encryption state on the device MCU.”; paragraph 0087, “A focus listener that is operable to automatically end encryption for the field if the field is in encryption mode and then the field is caused to lose focus.”).
Regarding claim 26, Habraken, Beaumont, Sikka, and Haworth disclose the method of claim 24.  Haworth discloses further comprising: delaying, by the encryption device, disengagement of the encryption mode of operation by a predetermined delay time (Haworth, paragraph 0062, “PC applications communicate with the KED through the CDC interface.  Actions such as gaining or losing focus on a window or a field that supports encryption generate an encryption ON or OFF command, which toggles the encryption state on the device MCU.”; paragraph 0087, “A focus listener that is operable to automatically end encryption for the field if the field is in encryption mode and then the field is caused to lose focus.”).

Claims 4 and 5 are rejected under 35 U.S.C. 103 as being unpatentable over Habraken (US20190327093), filed 5/20/2019, from PCT/US2016063913, filed 11/29/2016, in view of Beaumont (US20110264922), filed 7/12/2011, and Sikka (US20160034702), filed 10/16/2015, and further in view of Haga (US20170012785), filed 11/2/2015.
Regarding claim 4, Habraken, Beaumont, and Sikka disclose the method of claim 1 and a VM.  
Habraken, Beaumont, and Sikka do not explicitly disclose further comprising: pre-provisioning a pre-shared key on the encryption device, the pre-shared key being further pre-provisioned in association with the remote VM.
However, in an analogous art, Haga discloses further comprising: pre-provisioning a pre-shared key on the encryption device, the pre-shared key being further pre-provisioned in association with the remote VM (Haga, paragraph 0154, “In S216, the controller 100a transmits the controller ID and certificate ID of the public key certificate, and the device ID of the device regarding which verification was successful in S212 and the certificate ID of the public key certificate, to the manufacturer server 300a, and registers the device ID of the device and the certificate ID of the public key certificate in the connecting device management table.  FIG. 21 is a connecting device management table according to the second embodiment, configured including the shared key shared with the device, in addition to the connecting device management table according to the first embodiment.”; paragraph 0146, “In S208, the device 200c and controller 100a set the key shared in the key exchange as a shared key.”; FIG. 11 and 18).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Haga with the system/method/computer program product of Habraken, Beaumont, and Sikka to include further comprising: pre-provisioning a pre-shared key on the encryption device, the pre-shared key being further pre-provisioned in association with the remote VM.
One would have been motivated to provide users with the benefits of enabling a device and controller to be safely connected (Haga: paragraph 0002).
Regarding claim 5, Habraken, Beaumont, Sikka, and Haga disclose the method of claim 4 and an encryption device and a remote VM.  Haga discloses wherein a plurality of different pre-shared keys including the pre-shared key pre-provisioned on the encryption device are pre-provisioned in association with the remote VM, and wherein the method further comprises: indexing the plurality of different pre-shared keys by a plurality of predetermined values, respectively (Haga, paragraph 0154, “In S216, the controller 100a transmits the controller ID and certificate ID of the public key certificate, and the device ID of the device regarding which verification was successful in S212 and the certificate ID of the public key certificate, to the manufacturer server 300a, and registers the device ID of the device and the certificate ID of the public key certificate in the connecting device management table.  FIG. 21 is a connecting device management table according to the second embodiment, configured including the shared key shared with the device, in addition to the connecting device management table according to the first embodiment.”; index encompasses the row location in FIG. 21).  The motivation is the same as that of the claim from which this claim depends.

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Habraken (US20190327093), filed 5/20/2019, from PCT/US2016063913, filed 11/29/2016, in view of Beaumont (US20110264922), filed 7/12/2011, Sikka (US20160034702), filed 10/16/2015, and Haga (US20170012785), filed 11/2/2015, and further in view of Wood (US20080137657), filed 12/11/2006.
Regarding claim 7, Habraken, Beaumont, Sikka, and Haga disclose the method of claim 5.  Haga discloses further comprising: in response to receipt of a query for a respective predetermined value from among the plurality of predetermined values, the respective predetermined value being associated with the encryption device (Haga, paragraph 0154, “In S216, the controller 100a transmits the controller ID and certificate ID of the public key certificate, and the device ID of the device regarding which verification was successful in S212 and the certificate ID of the public key certificate, to the manufacturer server 300a, and registers the device ID of the device and the certificate ID of the public key certificate in the connecting device management table.  FIG. 21 is a connecting device management table according to the second embodiment, configured including the shared key shared with the device, in addition to the connecting device management table according to the first embodiment.”; paragraph 0146, “In S208, the device 200c and controller 100a set the key shared in the key exchange as a shared key.”; FIG. 11 and 18).
receiving, at the encryption device, a second command to provide the respective predetermined value.
However, in an analogous art, Wood discloses receiving, at the encryption device, a second command to provide the respective predetermined value (Wood, paragraph 0057, trusted server transmits request to untrusted servers for a path; paragraph 0059, “MPLS encryptors 130 may then determine LSPs to establish the requested QoS connection through the untrusted networks 120-1 and 120-2 (act 640).  For example, untrusted control units 440-U of MPLS encryptors 130-1 and 130-4 may initiate an LSP and create an entry in data table 520 (as stored in untrusted memory units 470-U) to determine an LSP label that may be used to form the requested QoS connection through untrusted network 120-1.  Also in this example, MPLS encryptors 130-2 and 130-4 may initiate an LSP and create an entry in data table 520 stored in untrusted memory units 470-U, to determine an LSP label used to form the requested QoS connection through untrusted network 120-2.  Once LSP labels have been determined, MPLS encryptors 130 may provide the LSP labels to the untrusted servers 150-2 and 150-3 (act 645).  For example, server 150-2 receives LSP labels for network 120-1 and server 150-3 receives LSP labels for network 120-2.  After receiving LSP labels from the MPLS encryptors 130, untrusted servers 150-2 and 150-3 may provide trusted server 150-1 with the LSP labels (act 650).”; paragraph 0058, “Untrusted server 150-2 (associated with network 120-1) may signal MPLS encryptors 130-1 and 130-4 via network 120-1, that a connection may be established from MPLS encryptor 130-1 to MPLS encryptor 130-4.”).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Wood receiving, at the encryption device, a second command to provide the respective predetermined value.
One would have been motivated to provide users with the benefits of enabling quality of service transmissions over encrypted networks (Wood: paragraph 0008).

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Habraken (US20190327093), filed 5/20/2019, from PCT/US2016063913, filed 11/29/2016, in view of Beaumont (US20110264922), filed 7/12/2011, Sikka (US20160034702), filed 10/16/2015, Haga (US20170012785), filed 11/2/2015, and Wood (US20080137657), filed 12/11/2006, and further in view of Gheorghe (US20170250859), filed 7/1/2016.
Regarding claim 8, Habraken, Beaumont, Sikka, Haga, and Wood disclose the method of claim 7.  
Wood discloses in response to receipt of the second command (Wood, paragraph 0057, trusted server transmits request to untrusted servers for a path; paragraph 0059, “MPLS encryptors 130 may then determine LSPs to establish the requested QoS connection through the untrusted networks 120-1 and 120-2 (act 640).  For example, untrusted control units 440-U of MPLS encryptors 130-1 and 130-4 may initiate an LSP and create an entry in data table 520 (as stored in untrusted memory units 470-U) to determine an LSP label that may be used to form the requested QoS connection through untrusted network 120-1”;  paragraph 0058, “Untrusted server 150-2 (associated with network 120-1) may signal MPLS encryptors 130-1 and 130-4 via network 120-1, that a connection may be established from MPLS encryptor 130-1 to MPLS encryptor 130-4.”).
Sikka discloses the encrypted data being decrypted, by the remote VM running a decryption application (Sikka: paragraph 0050, “Once the remote agent receives the data, it could notify the protected process in a Trusted Domain local to the same remote machine that data is available.  The remote Protected Process could open and decrypt the data to operate on its contents.  In this manner, an encrypted content passing mechanism could exist between local client and remote server Protected Processes.”).
Haga discloses pre-shared keys (Haga, paragraph 0154, “In S216, the controller 100a transmits the controller ID and certificate ID of the public key certificate, and the device ID of the device regarding which verification was successful in S212 and the certificate ID of the public key certificate, to the manufacturer server 300a, and registers the device ID of the device and the certificate ID of the public key certificate in the connecting device management table.  FIG. 21 is a connecting device management table according to the second embodiment, configured including the shared key shared with the device, in addition to the connecting device management table according to the first embodiment.”; index encompasses the row location in FIG. 21).
Habraken, Beaumont, Sikka, Haga, and Wood do not explicitly disclose further comprising: in response to receipt of the second command, sending, by the encryption device, the respective predetermined value indexing the pre-shared key for receipt at the remote application, the encrypted data being decrypted, using the pre-shared key, by the remote VM running a decryption application.
in response to receipt of the second command, sending, by the encryption device, the respective predetermined value indexing the pre-shared key for receipt at the remote application, the encrypted data being decrypted, using the pre-shared key, by the remote VM running a decryption application (Gheorghe, paragraph 0075, “The relay initiation component 470 may augment the encrypted token with the key index.  The key index may be transmitted to the clients as a component of the relay information 475 and included in the relay bind requests 410, 415 in an unencrypted form to empower to the relay server components 490 to determine the particular encryption key from the encryption key table used to encrypt and that may be used to decrypt the encrypted token.”; paragraph 0076, “The first relay server component 490 may extract the key index from the first-client relay bind request 410 and extract the encrypted token from the first-client relay bind request 410.  The first relay server component 490 may retrieve the encryption key from the encryption key table based on the key index.”; predetermined value encompasses binding request).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Gheorghe with the system/method/computer program product of Habraken, Beaumont, Sikka, Haga, and Wood to include further comprising: in response to receipt of the second command, sending, by the encryption device, the respective predetermined value indexing the pre-shared key for receipt at the remote application, the encrypted data being decrypted, using the pre-shared key, by the remote VM running a decryption application.
One would have been motivated to provide users with the benefits of performing dynamic configuration of load balancing operations (Gheorghe: paragraph 0005).

Claims 14 and 27 are rejected under 35 U.S.C. 103 as being unpatentable over Habraken (US20190327093), filed 5/20/2019, from PCT/US2016063913, filed 11/29/2016, in view of Beaumont (US20110264922), filed 7/12/2011, and Sikka (US20160034702), filed 10/16/2015, and further in view of Gheorghe (US20170250859), filed 7/1/2016.
Regarding claim 14, Habraken, Beaumont, and Sikka disclose the system of claim 7 and keyboard.  
Habraken, Beaumont, and Sikka do not explicitly disclose wherein the processing circuitry is further configured to be wired or wirelessly coupled to the keyboard.
However, in an analogous art, Gheorghe discloses wherein the processing circuitry is further configured to be wired or wirelessly coupled to the keyboard (Gheorghe, paragraph 0124, “A user can enter commands and information into the computer 1002 through one or more wire/wireless input devices, for example, a keyboard 1038 and a pointing device, such as a mouse 1040.  Other input devices may include microphones, infra-red (IR) remote controls, radio-frequency (RF) remote controls, game pads, stylus pens, card readers, dongles, finger print readers, gloves, graphics tablets, joysticks, keyboards, retina readers, touch screens (e.g., capacitive, resistive, etc.), trackballs, trackpads, sensors, styluses, and the like.  These and other input devices are often connected to the processing unit 1004 through an input device interface 1042 that is coupled to the system bus 1008, but can be connected by other interfaces such as a parallel port, IEEE 1394 serial port, a game port, a USB port, an IR interface, and so forth.”).
processing circuitry is further configured to be wired or wirelessly coupled to the keyboard.
One would have been motivated to provide users with the benefits of performing dynamic configuration of load balancing operations (Gheorghe: paragraph 0005).
Regarding claim 27, Habraken, Beaumont, and Sikka disclose the method of claim 1 and keyboard.  
Habraken, Beaumont, and Sikka do not explicitly disclose further comprising: wirelessly pairing the encryption device with the untrusted computing device, the keyboard being wirelessly paired with the encryption device.
However, in an analogous art, Gheorghe discloses further comprising: wirelessly pairing the encryption device with the untrusted computing device, the keyboard being wirelessly paired with the encryption device (Gheorghe, paragraph 0124, “A user can enter commands and information into the computer 1002 through one or more wire/wireless input devices, for example, a keyboard 1038 and a pointing device, such as a mouse 1040.  Other input devices may include microphones, infra-red (IR) remote controls, radio-frequency (RF) remote controls, game pads, stylus pens, card readers, dongles, finger print readers, gloves, graphics tablets, joysticks, keyboards, retina readers, touch screens (e.g., capacitive, resistive, etc.), trackballs, trackpads, sensors, styluses, and the like.  These and other input devices are often connected to the processing unit 1004 through an input device interface 1042 that is coupled to the system bus 1008, but can be connected by other interfaces such as a parallel port, IEEE 1394 serial port, a game port, a USB port, an IR interface, and so forth.”).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Gheorghe with the system/method/computer program product of Habraken, Beaumont, and Sikka to include further comprising: wirelessly pairing the encryption device with the untrusted computing device, the keyboard being wirelessly paired with the encryption device.
One would have been motivated to provide users with the benefits of performing dynamic configuration of load balancing operations (Gheorghe: paragraph 0005).

Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Kumar (US20160006803), filed July 7, 2014, in view of Haworth (US20180026947), filed 7/20/2016, and Obaidi (US20170012981), filed July 8, 2015, and further in view of Heldt-Sheller (US20160180080), filed 12/22/2014.
Regarding claim 17, Habraken, Beaumont, and Sikka disclose the system of claim 10 and remote VM.
Habraken, Beaumont, and Sikka do not explicitly disclose wherein the remote VM is configured as part of a cloud-computing platform, and wherein the remote application hosted by the remote VM is a web application.
VM is configured as part of a cloud-computing platform, and wherein the remote application hosted by the remote VM is a web application (Heldt-Sheller, paragraph 0027, “a trusted application endpoint may not be present and instead, an endpoint for receipt of trusted input may be at a remote location, such as a cloud-based location by way of a secure internet connection to a cloud-based resource, such as a server computer present at an endpoint data center, such as an enterprised data center.”)
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Heldt-Sheller with the system/method/computer program product of Habraken, Beaumont, and Sikka to include wherein the remote VM is configured as part of a cloud-computing platform, and wherein the remote application hosted by the remote VM is a web application.
One would have been motivated to provide users with the benefits of ensuring that an undesired focus change during a trusted application execution does not occur (Heldt-Sheller: paragraph 0012).
Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over Habraken (US20190327093), filed 5/20/2019, from PCT/US2016063913, filed 11/29/2016, in view of Beaumont (US20110264922), filed 7/12/2011, and Sikka (US20160034702), filed 10/16/2015, and further in view of Henry (US20090293132), filed 10/31/2008.
Regarding claim 21, Habraken, Beaumont, and Sikka disclose the method of 
Habraken, Beaumont, and Sikka do not explicitly disclose wherein the first command is configured as an encrypted command, and wherein the method further comprises: decrypting, by the encryption device, the encrypted command, wherein the entering of the encryption mode of operation includes entering the encryption mode of operation in response to the decrypting of the encrypted command.
However, in an analogous art, Henry discloses wherein the first command is configured as an encrypted command, and wherein the method further comprises: decrypting, by the encryption device, the encrypted command, wherein the entering of the encryption mode of operation includes entering the encryption mode of operation in response to the decrypting of the encrypted command (Henry, paragraph 0017, “In U.S.  Pat.  No. 6,983,374, Hashimoto et al. teach a tamper resistant microprocessor that saves context information for one program whose execution is to be interrupted, where the processor state is encrypted and stored to system memory.  Hashimoto also teaches a technique for fetching encrypted instructions from system memory and apparatus for decrypting and executing the decrypted instructions.  In addition, Hashimoto teaches using a symmetric key to provide the encrypted instructions in memory and then using an asymmetric key algorithm to encrypt the symmetric key, which is stored in memory.  Accordingly, upon execution of a branch instruction, program control is transferred to a "start encrypted execution" instruction which passes a pointer to the encrypted symmetric key.  The processor fetches the encrypted symmetric key and decrypts it using its internal private key.  Subsequently, the encrypted program instructions are fetched from system memory, decrypted using the decrypted symmetric key, and executed by the processor.”).

One would have been motivated to provide users with the benefits of common cache mechanisms, interrupt logic, and exception processing logic for both unencrypted and encrypted code (Henry: paragraph 0017).
Claims 22 and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Habraken (US20190327093), filed 5/20/2019, from PCT/US2016063913, filed 11/29/2016, in view of Beaumont (US20110264922), filed 7/12/2011, Sikka (US20160034702), filed 10/16/2015, and Henry (US20090293132), filed 10/31/2008, and further in view of Haga (US20170012785), filed 11/2/2015.
Regarding claim 22, Habraken, Beaumont, Sikka, and Henry disclose the method of claim 21.
Habraken, Beaumont, Sikka, and Henry do not explicitly disclose further comprising: pre-sharing a key among the encryption device and the remote application hosted by the remote VM, wherein the encrypted command is encrypted by the remote application using the pre-shared key.

However, in an analogous art, Haga discloses further comprising: pre-sharing a key among the encryption device and the remote application hosted by the remote VM, wherein the encrypted command is encrypted by the remote application using the pre-shared key (Haga, paragraph 0154, “In S216, the controller 100a transmits the controller ID and certificate ID of the public key certificate, and the device ID of the device regarding which verification was successful in S212 and the certificate ID of the public key certificate, to the manufacturer server 300a, and registers the device ID of the device and the certificate ID of the public key certificate in the connecting device management table.  FIG. 21 is a connecting device management table according to the second embodiment, configured including the shared key shared with the device, in addition to the connecting device management table according to the first embodiment.”; index encompasses the row location in FIG. 21).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Haga with the system/method/computer program product of Habraken, Beaumont, Sikka, and Henry to include further comprising: pre-sharing a key among the encryption device and the remote application hosted by the remote VM, wherein the encrypted command is encrypted by the remote application using the pre-shared key.
 (Haga: paragraph 0002).
Regarding claim 23, Habraken, Beaumont, Sikka, and Henry disclose the method of claim 21 and a remote VM.
Beaumont discloses further comprising wherein the decrypting of the encrypted command includes decrypting, by the encryption device, the encrypted command using the pre-shared key (Beaumont, paragraph 0025-0028, “Optionally, the DVG can include the following capability to increase its functionality: a. a Universal Serial Bus (USB) hub for receiving and transmitting USB traffic; b. a means for encrypting, decrypting, compressing and decompressing data; and c. a network connection port for receiving and transmitting network communications.”).
Habraken, Beaumont, Sikka, and Henry do not explicitly disclose pre-sharing a key among the encryption device and the remote application hosted by the remote VM.
However, in an analogous art, Haga discloses pre-sharing a key among the encryption device and the remote application hosted by the remote VM (Haga, paragraph 0154, “In S216, the controller 100a transmits the controller ID and certificate ID of the public key certificate, and the device ID of the device regarding which verification was successful in S212 and the certificate ID of the public key certificate, to the manufacturer server 300a, and registers the device ID of the device and the certificate ID of the public key certificate in the connecting device management table.  FIG. 21 is a connecting device management table according to the second embodiment, configured including the shared key shared with the device, in addition to the connecting device management table according to the first embodiment.”; index encompasses the row location in FIG. 21).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Haga with the system/method/computer program product of Habraken, Beaumont, Sikka, and Henry to include pre-sharing a key among the encryption device and the remote application hosted by the remote VM.
One would have been motivated to provide users with the benefits of enabling a device and controller to be safely connected (Haga: paragraph 0002).


Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to WALTER J MALINOWSKI whose telephone number is (571)272-5368.  The examiner can normally be reached on 8-6:30 MTWH.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LUU PHAM can be reached on 5712705002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications 






/W.J.M/Examiner, Art Unit 2439            



/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439