Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
This office action is responsive to Applicants’ reply filed on 08/06/2021.
Claims 1 – 24 remain pending; wherein claims 1, 3, 4, 9 – 11, 14 – 16, 20, 23, and 24 have been amended.
Claims 1 – 24 have been examined; wherein:
claims 1 – 19 are allowed after claims 1 and 9 are amended to correct informalities; and 
claims 20 – 24 are being finally rejected.

Response to Amendment
Claim objections for claims 3, 10, 15, 23, and 24 are withdrawn in view of Applicants’ amendments.

Claim Objections
Claims 1 – 17 are objected to because of the following informalities:
Claim 1
Lines 21 – 22; change “a hash of a software package” to --the hash of the software package--.
Claims 2 – 8 

Claim 9
Lines 18 – 19; change “a hash of a software package” to --the hash of the software package--.
Claims 10 – 13 
These claims are dependent claims of claim 9 either directly or indirectly; therefore, they inherit the deficiency of claim 9.
Claim 14
Lines 17 – 18; change “a hash of a software package” to --the hash of the software package--.
Claims 15 – 17 
These claims are dependent claims of claim 14 either directly or indirectly; therefore, they inherit the deficiency of claim 14.
Appropriate correction is required.

Claim Rejections - 35 USC § 103
	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 20 – 22 are rejected under 35 U.S.C. 103 as being unpatentable over B. Moran (NPL “A Firmware Update Architecture for Internet of Things Devices draft-ietf-suit-architecture-01”; hereinafter Moran; IDS filed on 05/03/2019; art of the record) in view of Pappachan et al. (Pub. No. US 2017/0024570 A1; hereinafter Pappachan; art of the record) and N. Asokan (NPL “SEDA: Scalable Embedded Device Attestation”; hereinafter Asokan; IDS filed on 05/03/2019; art of the record.)

Claim 20
Moran teaches an edge computing device for attestation manifest derivation and distribution (Moran, p. 12 – 14, Figs. 1 – 4, system has devices and servers.  P. 7, section 3.3; End-to-end security between the author and the device, as shown in section 5, is used to ensure that the device can verify firmware images and manifests produced by authorized authors…; p. 10 & p. 13, verifying the manifest), the edge computing device comprising: 
processing circuitry; and 
memory including instructions (Moran, p. 4, fourth and fifth full paragraphs; Device: The device is the recipient of the firmware image and the manifest…--… Communicator: The communicator component of the device interacts with the firmware update server…; device has processing circuitry and memory) that, when executed by the processing circuitry, cause the processing circuitry to perform operations to: 
transmit a software update package manifest to an orchestration edge device (Moran, pp. 17 – 18, The following example message flow illustrates the interaction for distributing a firmware image to a device (an edge device)…--…The (computing edge device)…; p. 15, manifest data structure comprises cryptographic information such as digital signatures or message authentication codes (MACs)), [;
install a software update package associated with the software update package manifest (Moran, p. 10, An alternative approach is to consider the steps a device has to go through in the course of an update…--… If the Device has downloaded a new firmware image and is ready to install it, it may need to wait for a trigger from a Communicator to install the firmware update, may trigger the update automatically, or may go through a more complex decision making process to determine the appropriate timing for an update…; pp. 17 – 18, software update is installed.)
But, Moran does not explicitly teach the software update package manifest including a security version number; 
Pappachan teaches 
the software update package manifest including a security version number (Pappachan, Fig. 4; [0045] … The computing device 100 may collect attestation information such as the identity of the I/O controller 144, the identity of the firmware code (e.g., a cryptographic hash of the firmware code), the signer of the firmware code, and/or a security version number of the firmware code…The computing device 100 may verify, for example, the cryptographic hash of the firmware code and ensure that the ® or a manufacturer of the computing device 100), verify the security version number, or verify other information associated with the firmware code);
 one integrity measurementbased on the security version number included in the software update package manifest (Pappachan, Fig. 4; [0045] … The computing device 100 may collect attestation information such as the identity of the I/O controller 144, the identity of the firmware code (e.g., a cryptographic hash of the firmware code), the signer of the firmware code, and/or a security version number of the firmware code…The computing device 100 may verify, for example, the cryptographic hash of the firmware code and ensure that the code was signed by a trusted entity (e.g., a processor manufacturer such as Intel® or a manufacturer of the computing device 100), verify the security version number, or verify other information associated with the firmware code)
Moran and Pappachan are in the same analogous art as they are in the same field of endeavor, verifying devices having software.  Therefore, it would have been obvious to one with ordinary skill in the art before the effective filing date of the claimed invention to incorporate Asokan teachings into Moran invention to use utilize include security version number for firmware and use it to verify the firmware as suggested by Pappachan ([0045].)
But, Moran and Pappachan does not teach receive an attestation request from the orchestration edge device; seed a key generation process with a hash of the software update package; generate an attestation key generated using the key generation process; transmit a signature for a current cryptographic identity of the edge computing device and a hash of the software update package; and transmit an attestation response to the orchestration edge device to generate an attestation record, wherein the attestation response includes the attestation key and is generated in part using at least one integrity measurement 
However, Asokan teaches
receive an attestation request from the orchestration edge device (Asokan, Fig. 1, p. 3 – p. 4, section “4. PROTOCOL DESCRIPTION”; SEDA has two phases: (1) an off-line phase whereby devices are introduced into the swarm, and (2) an on-line phase performing actual attestation. The off-line phase is executed only once and consists of device initialization and device registration. The on-line phase is executed repeatedly for every attestation request from a verifier VRF. In this phase, each device Di (edge device, orchestration edge device) is attested individually and accumulated attestation is reported to VRF. Figure 1 shows a sample swarm formed initially of seven devices with an eighth device D8 being initialized by the swarm operator OP and joining the swarm. It also shows VRF running an attestation protocol instance…); 
seed a key generation process with a hash of the software update package (Asokan, Fig. 1, p. 3 – p. 4, section “4. PROTOCOL DESCRIPTION”, …Device initialization. Each Di in a swarm S is initialized by the swarm operator OP with a software configuration ci (e.g., a hash digest of software binaries of Di) and a code certificate cert(ci) signed by OP which guarantees that ci is a valid software i…Device registration. Whenever Di initially joins S or changes its position it executes join with each new neighbor Dj… An attestation key kij, shared between Di and each neighbor Dj is established during join. The set of attestation keys Di established with its neighbors is denoted Ki.  Key establishment can be done using an authenticated key agreement protocol based on devices’ ski, skj, cert(pki) (hash) and cert(pkj) (hash)… In fact, any key establishment protocol can be used with SEDA as long as it provides integrity of key agreement and secrecy of generated keys. Formally:
Join [Di : ski;Dj : skj ;
       *: cert(pki); cert(pkj); cert(ci); cert(cj)]
               [Wingdings font/0xE0][Di : kij ;Dj : kij ].)  cert(ci) == hash of code, see “table 1: Variables and parameters” on p. 3.); 
generate an attestation key generated using the key generation process (Asokan, Fig. 1, p. 3 – p. 4, section “4. PROTOCOL DESCRIPTION”, …Device initialization. Each Di in a swarm S is initialized by the swarm operator OP with a software configuration ci (e.g., a hash digest of software binaries of Di) and a code certificate cert(ci) signed by OP which guarantees that ci is a valid software configuration of Di…Device registration. Whenever Di initially joins S or changes its position it executes join with each new neighbor Dj… An attestation key kij, shared between Di and each neighbor Dj is established during join. The set of attestation keys Di established with its neighbors is denoted Ki.  Key establishment can be done using an authenticated key agreement protocol based on devices’ ski, skj, cert(pki) (hash) and cert(pkj) (hash)… In fact, any key establishment protocol can be used with SEDA as long as it provides integrity of key agreement and secrecy of generated keys. Formally:
i : ski;Dj : skj ;
       *: cert(pki); cert(pkj); cert(ci); cert(cj)]
               [Wingdings font/0xE0][Di : kij ;Dj : kij ].)  cert(ci) == hash of code, see “table 1: Variables and parameters” on p. 3.);
transmit a signature for a current cryptographic identity of the edge computing device and a hash of the software update package (Asokan, Fig. 1; p. 3: right column – p. 4: left column, section “4.1 Offline Phase”; Device initialization. Each Di (edge device) in a swarm S is initialized by the swarm operator OP with a software configuration ci (e.g., a hash digest of software binaries of Di) (hash of software package) and a code certificate cert(ci) signed by OP which guarantees that ci is a valid software configuration of Di.3 Furthermore, Di is initialized with a signing key pair (ski; pki) along with an identity certificate cert(pki) (device cryptographic identity) signed by OP, guaranteeing that pki belongs to Di… An attestation key kij, shared between Di and each neighbor Dj is established during join. The set of attestation keys Di established with its neighbors is denoted Ki …); and
transmit an attestation response to the orchestration edge device to generate an attestation record (Asokan, Fig. 1, p. 3 – p. 4, “4. PROTOCOL DESCRIPTION”; SEDA has two phases: (1) an off-line phase whereby devices are introduced into the swarm, and (2) an on-line phase performing actual attestation. The off-line phase is executed only once and consists of device initialization and device registration. The on-line phase is executed repeatedly for every attestation request from a verifier VRF. In this phase, each device Di (edge device) is attested individually and (record) is reported to VRF. Figure 1 shows a sample swarm formed initially of seven devices with an eighth device D8 being initialized by the swarm operator OP and joining the swarm. It also shows VRF running an attestation protocol instance…), wherein the attestation response includes the attestation key and is generated in part using at least one integrity measurement  (Asokan, Fig. 1, p. 3 – p. 4, “4. PROTOCOL DESCRIPTION”, …Device initialization. Each Di in a swarm S is initialized by the swarm operator OP with a software configuration ci (e.g., a hash digest of software binaries of Di) and a code certificate cert(ci) signed by OP which guarantees that ci is a valid software configuration of Di…Device registration. Whenever Di initially joins S or changes its position it executes join with each new neighbor Dj… An attestation key kij, shared between Di and each neighbor Dj is established during join. The set of attestation keys Di established with its neighbors is denoted Ki.  Key establishment can be done using an authenticated key agreement protocol based on devices’ ski, skj, cert(pki) (hash) and cert(pkj) (hash)… In fact, any key establishment protocol can be used with SEDA as long as it provides integrity of key agreement and secrecy of generated keys. Formally:
Join [Di : ski;Dj : skj ;
       *: cert(pki); cert(pkj); cert(ci); cert(cj)]
               [Wingdings font/0xE0][Di : kij ;Dj : kij ].)  cert(ci) == hash of code, see “table 1: Variables and parameters” on p. 3.)
Moran, Pappachan, and Asokan are in the same analogous art as they are in the same field of endeavor, verifying devices having software.  Therefore, it would have 

Claim 21
Asokan teaches the processing circuitry to perform operations to communicate with an edge device on an edge device network using the attestation record (Asokan, p. 4, section “4.2 Online Phase”; ... Single device attestation. Each attestation protocol instance has a global session identifier q. It is used to construct a spanning tree over the entire swarm…The spanning-tree5 is constructed from the communication graph, where two nodes are connected in the spanning-tree if they are neighbors in the communication graph…Dj attests all its children in this spanning tree.  It then accumulates the attestation results reported by its children, which correspond to the subtrees rooted at each of them, and sends the accumulated result along with an attestation report for itself to its parent Di…) The motivation for incorporating Asokan into Moran/Pappachan is the same as motivation in claim 20.

Claim 22
Moran also teaches the processing circuitry to perform operations to receive the software update package and the software update package manifest from a software update server (Moran, pp. 17 – 18, The following example message flow illustrates the interaction for distributing a firmware image to a device…--…The firmware the device receives manifest and software update package from server.

Claims 23 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Moran in view of Pappachan and Asokan as applied to claim 20 above, and further in view of Thorpe (Pub. No. US 2014/0301548 A1; art of the record.)

Claim 23
Moran teaches the installation of the software update package is based on receipt of an installation command from the orchestration edge device (Moran, p. 10, An alternative approach is to consider the steps a device has to go through in the course of an update… If the Device has downloaded a new firmware image and is ready to install it, it may need to wait for a trigger from a Communicator to install the firmware update, may trigger the update automatically, or may go through a more complex decision making process to determine the appropriate timing for an update…; pp. 17 – 18, software update is installed), and the memory further comprising instructions that, when executed by the processing circuitry, cause the processing circuitry to perform operations to: 
initiate a reset operation upon completion of the installation of the software update package and receipt of a reset command from the orchestration edge device (Moran, device is rebooted.  See picture below.); 

    PNG
    media_image1.png
    434
    624
    media_image1.png
    Greyscale

[
Asokan teaches receive a new device cryptographic identity counter-signed using thekey based on verification of the signature for the current cryptographic identity of the edge computing device and the hash of the software update package, wherein the attestation response includes the new device cryptographic identity (Asokan, Fig. 1, p. 3: right column – p. 4: left column, section 4.1; Device initialization. Each Di (edge device) in a swarm S is initialized by the swarm operator OP with a software configuration ci (e.g., a hash digest of software binaries of Di) and a code certificate cert(ci) signed by OP which guarantees that ci is a valid software configuration of Di.3 Furthermore, Di is initialized with a signing key pair (ski; pki) along with an identity certificate cert(pki) signed by OP, guaranteeing that pki belongs to Di…) The motivation for incorporating into Moran is the same motivation in claim 20.
generate a new key in response to the reset operation; 
However, Thorpe teaches 
generate a new key in response to the reset operation (Thorpe, [0082 – 0083] In one embodiment, the key generation module 308 also generates a device key.  A device key is a globally unique key…In one embodiment, the device key is known only to the NRM server 101 associated with the device key…In one embodiment, the device key is dynamic. For example, in some embodiments, the key generation module 308 generates a new device key each time at start-up (reset) of the NRM server 101 or after detecting an (un)authorized access and expunging the non-persistent memory of all messages, keys, indexes, etc…);
a new device cryptographic identity the new key (Thorpe, [0082 – 0083] In one embodiment, the key generation module 308 also generates a device key.  A device key is a globally unique key…In one embodiment, the device key is known only to the NRM server 101 associated with the device key…In one embodiment, the device key is dynamic. For example, in some embodiments, the key generation module 308 generates a new device key each time at start-up (reset) of the NRM server 101 or after detecting an (un)authorized access and expunging the non-persistent memory of all messages, keys, indexes, etc…)
Moran, Pappachan, Asokan, and Thorpe are in the same analogous art as they are in the same field of endeavor, managing devices.  Therefore, it would have been obvious to one with ordinary skill in the art before the effective filing date of the claimed 

Claim 24
Asokan teaches perform operations to receive the new device cryptographic identity from the orchestration edge device (Asokan, Fig. 1, p. 3: right column – p. 4: left column, section “4.1 Offline Phase”; Device initialization. Each Di (edge device) in a swarm S is initialized by the swarm operator OP with a software configuration ci (e.g., a hash digest of software binaries of Di) and a code certificate cert(ci) signed by OP which guarantees that ci is a valid software configuration of Di.3 Furthermore, Di is initialized with a signing key pair (ski; pki) along with an identity certificate cert(pki) signed by OP, guaranteeing that pki belongs to Di…), wherein the new device identity is signed using a current device cryptographic identity (Asokan; Fig. 1, p. 3: right column – p. 4: left column, section “4.1 Offline Phase”; Device initialization. Each Di in a swarm S is initialized by the swarm operator OP with a software configuration ci (e.g., a hash digest of software binaries of Di) and a code certificate cert(ci) signed by OP which guarantees that ci is a valid software configuration of Di.3 Furthermore, Di is initialized with a signing key pair (ski; pki) along with an identity certificate cert(pki) signed by OP, guaranteeing that pki belongs to Di…) The motivation for incorporating into Moran is the same motivation in claim 20.

Allowable Subject Matter
Claims 1 – 19 are allowed.
As allowable subject matter has been indicated, applicant's reply must either comply with all formal requirements or specifically traverse each requirement not complied with.  See 37 CFR 1.111(b) and MPEP § 707.07(a).
Claim 1
The record of prior arts does not disclose limitations “generate a new device cryptographic identity for the edge device upon verification of a signature for a current cryptographic identity of the edge device and verification that a hash of a software update package received from the edge device matches the hash of the reference software update package included in the reference integrity measurement manifest”.  
The limitations, in combination with other elements cited, present subject matter that is novel and non-obvious.
Claims 9 and 14
Claims 9 and 14 recite limitations in the same manner as claim 1; therefore, they are also allowed for the same reasons.

Conclusion
THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CUONG V LUU whose telephone number is (571)270-1733.  The examiner can normally be reached on 7:00 AM - 4:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hyung S. Sough can be reached on (571) 272-6799.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/S. SOUGH/
Supervisory Patent Examiner, Art Unit 2192