DETAILED ACTION
-Claims 1-10 have been amended.
-No claims are added. No claims are cancelled.
-Objection to claim 6 has been withdrawn based on the claim amendments.
-Rejection of claim 9 under 35 USC 101 has been withdrawn based on the claim amendments.
-Claims 1-10 are pending.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to arguments
Applicant’s arguments filed on 8/25/2021 have been considered.
Applicant states that Gennaro [para.0033-0034] only provides a mechanism for individual keys for each node and for the individual nodes to compute a shared key whithout providing a mechanism to determine whether a node should have access to the secret key of another node. Examiner respectfully disagrees. In the following cited portion, Gennaro discloses that: the secret keys of all the intermediate nodes (up to level L, i.e., parents of leaf nodes, are derived using the subset-based scheme described above.  Let <I1, .  . . ,IL>; be the parent of a leaf node and let R=[K1, .  . . Kn] be the secret keys it holds.  Let ID=H(I1, .  . . , IL+1) be the hash Si=IDKi [Gennaro, para.0042]. Therefore, the leaf/child node of a parent node, where the identifier of the parent <I1, .  . . ,IL> is a prefix of the child’s node identifier <I1, .  . . ,IL, IL+1 >, can compute its secret keys Si by using the secret keys of its parent node, namely, [K1……Kn]. As such, Gennaro teaches using the first/parent tenant secret keys for the second/child tenant.
With respect to Hamel, Examiner disagrees with Applicant’s argument that the encryption in Hamel is not a derivation. The claims do not limit how the key is derived in the invention and as such encryption to obtain a key teaches key derivation.
With respect to the argument that Roche does not indicate that the tenant identifier is indicative of whether a tenant has access to the secret key of a parent, Examiner notes that the claim portion for which Roche was relied upon does not recite this feature. Roche was relied upon to teach “on request of a second tenant identified by a second tenant identifier: getting a first tenant identifier of said first tenant from said first token, checking if the first tenant identifier is a prefix of or is equal to said second tenant identifier”. Roche does not only teach whether the AUTH token provides acess rights, Roche also teaches that….. if a tenant is a child tenant of another tenant as a parent tenant, the child tenant object includes a parent tenant property storing a parent tenant ID identifying the parent tenant,) [Roche, col.26, last 3 lines, col.27], where if the parent property is found in the child’s token, it identifies a parent’s credential that can be used by the child. Therefore Roche does teach the claim feature indicated above.
 	Applicant did not address or argue the 112(b) rejection therefore it is maintained.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

Claims 1, 3-6 and 8-10 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention. Claim 1 recites “a first tenant secret key” on lines 1-2 and on line 10 of the claim and it is not clear if these two recitations refer to the same first tenant secret. Therefore all claims reciting “said first tenant secret” are ambiguous as it is not clear if they are referring to the first recitation or to the second. For the purpose of examination, the recitation on line 10 is being construed as referring to the “first tenant secret” on line 1.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1 and 3, 4 and 6-10 are rejected under 35 U.S.C. 103 as being unpatentable over Gennaro et al (US Pub.No.2009/0225986) in view of Hamel et al (US Pub. No.2018/0062835) and further in view of Roche et al (US Patent No.9,774,586).
Re Claim 1. Gennaro method of securely using, by a second tenant, a first tenant secret key stored under an encrypted form in a first token of a first tenant identified by a first tenant identifier and having said first tenant secret key (i.e. An integer-valued secret key s in Zq is chosen.  A given node having the identity ID is provided with the secret key SID=H(ID)s in G1, since an integer multiple of a value from the cyclic group will also be contained within the cyclic group.  In addition to calculating a secret key for each node, shared keys for communication between two nodes are required such that communication between the nodes is not required in order to exchange the shared keys.  The shared key between two nodes with identities ID1 and ID2 is K=e(H(ID1), H(ID2))s in G2.  Therefore, the shared keys are contained in the second cyclic group to which the first cyclic group can be mapped by definition.  The individual nodes can compute the appropriate shared key independently by setting K=e(SID1, H(ID2)) or K=e(H(ID1), SID2) i.e., knowing its own secret key and the hash function value at the identity of the other node and performing the appropriate mapping to the second cyclic group ) [Gennaro, para.0033-0034], wherein each tenant identifier for a tenant comprises a first value (i.e. The identity of a given node corresponds to the path from the root node in the tree to that node), when said tenant is allowed to use a secret key of a parent tenant identified by a parent tenant identifier (i.e. In a hierarchical scheme, an internal node will provide its children with values that are a linear combination of its own values, which are be linear combinations of the master secret keys) [Gennaro, para.0019], said parent tenant identifier, appended before said first value (i.e. The identity of a given node corresponds to the path from the root node in the tree to that node.  This path can be represented by a vector 108 that lists the branch or fork that is taken at every node in the hierarchy to reach a specific intermediate node or leaf node.  For example, the identity of a node at level i is a vector with components (I1,.  . . , Ii) where each Ii is an integer between 1 and the branching factor of the tree, i.e., the number of route choices at any given node in the hierarchy) [Gennaro, para.0017], and said first token has been generated from said first tenant identifier (i.e. The shared key between two nodes with identities ID1 and ID2 is K=e(H(ID1), H(ID2))s in G2 ) [Gennaro, para.0034, ID1 is the first tenant identifier] and a first tenant secret key  (i.e.  The individual nodes can compute the appropriate shared key independently by setting K=e(SID1, H(ID2)) or K=e(H(ID1), SID2)) [Gennaro, para.0034, SID1 is the first tenant secret key] encrypted with said first tenant identifier and encrypted with a first tenant customer master key key (i.e. the secret key SID=H(ID)s) [Gennaro, para.0033, s is interpreted as the customer master key],
	Gennaro does not explicitly disclose whereas Hamel does: said first tenant customer master key having been derived from said first tenant identifier and a secure domain master key (i.e. the creation of a new tenant master key and the first request to encrypt it causes the customer KRS to pick a customer key ID/customer key to use, and then tells the KMS which customer key ID it used to encrypt the tenant master key) [Hamel, para.0049], (i.e. Decrypting the secure repository data requires decrypting the encrypted tenant master key with the customer key, decrypting the encrypted tenant service key with the tenant master key, and finally decrypting the secure data with the tenant service key) [Hamel, para.0030, Note: Hamel’s tenant service key is mapped to the claimed tenant secret key, Hamel’s tenant master key is mapped to the claimed the first tenant master key, Hamel’s customer key is mapped to the claimed secure domain master key], said method comprising the following steps performed by a secure device storing said secure domain master key (i.e. The customer key is stored in a remote hardware security module) [Hamel, para.0030],
Gennaro in view of Hamel does not explicitly disclose whereas Roche does: on request of a second tenant identified by a second tenant identifier: getting a first tenant identifier of said first tenant from said first token, checking if the first tenant identifier is a prefix of or is equal to said second tenant identifier (i.e. in response to the authorization request, AUTH server 180 processes the authorization request, and if validated (i.e. access token is not revoked and expired), generates/transmits an AUTH token to cloud storage server 160 via transaction 240 to allow the requested client to determine whether the user is allowed to access the particular resource within that particular tenant…………………………in response to receiving the AUTH token, at block 241 cloud storage server 160 is configured to determine whether to allow or deny an authenticated/authorized user to access the particular resource within that particular tenant based on information contained in the AUTH token associated with that user.  As used herein, an "authenticated/authorized user" refers to a user associated with an AUTH token that was authenticated and authorized by an AUTH server to access one or more tenants.  According to one embodiment, cloud storage server 160 determines whether to allow or deny the authenticated /authorized user access by extracting and/or decrypting information from the AUTH token.  Continuing on with the above example, cloud storage server 160 extracts information from the AUTH token which includes, but is not limited to, the set of one or more tenants associated with the authenticated/authorized user,………….. Cloud storage server 160 then determines whether the AUTH token contains the first tenant, the first role, and the authorized access privilege obtained from the RBAC database.  If so, cloud storage server 160 allows the user 210 to access the particular resource) [Roche, col. 13-14], (i.e. If a user represented by token object 510 is a member of multiple tenants, token object 510 will include one or more pointers linking with multiple tenant objects 520, each defining specifically one of the tenants of which the user is a member.  For each of the tenants represented by the respective tenant object, the corresponding tenant object includes pointers linking with one or more role objects 530, where each of the role objects 530 defines a specific role within the tenant that the user has.  In one embodiment, if a tenant is a child tenant of another tenant as a parent tenant, the child tenant object includes a parent tenant property storing a parent tenant ID identifying the parent tenant, ) [Roche, col.26, last 3 lines, col.27], 
 Gennaro further discloses: when said first tenant identifier is a prefix of or is equal to said second tenant identifier, recovering said first tenant secret key stored in said first token and using the first tenant secret key for the second tenant (i.e. the secret keys of all the intermediate nodes (up to level L, i.e., parents of leaf nodes, are derived using the subset-based scheme described above.  Let <I1, .  . . ,IL>; be the parent of a leaf node and let R=[K1, .  . . Kn] be the secret keys it holds.  Let ID=H(I1, .  . . , IL+1) be the hash of the identity of one of its leaf nodes, then this node receives the values Si=IDKi) [Gennaro, para.0042].
 It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Gennaro with Hamel for securely storing data is scaled to multiple customers and redundancy is incorporated to improve reliability and speed among other factors [Hamel, para.0116].
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Gennaro in view of Hamel with Roche in order to define dynamic access control configurations that can be used to supersede or override the static access control settings, for example, temporarily for a period of time.  An application authorization profile, a tenant authorization profile, or a combination of both can be utilized for the purpose of dynamic configuration of access control[Roche, col.3, last 6 lines].
Re Claim 3. Gennaro in view of Hamel and Roche discloses the method of claim 1, Roche further discloses: comprising, prior to said checking, an authentication by the secure device of said second tenant requesting the use of said first tenant secret key (i.e. Authentication module 184 determines whether the user is authenticated to access the requested tenant) [Roche, col. 16, ll.36-40]. 
 	The same motivation to modify with Roche, as in claim 1, applies.
Re Claim 4.  Gennaro in view of Hamel and Roche discloses the method of claim 1, Gennaro in view of Hamel further discloses: wherein recovering said first tenant secret key comprises: recovering said first tenant customer master key of said first tenant from said first tenant identifier stored in the first token and from said secure domain master key, obtaining the first tenant secret key of the first tenant by decrypting with the recovered first tenant customer master key (i.e. A customer master key is determined based at least in part on the data requested to be retrieved, e.g. the Tenant Master Key needed to perform the decryption.  In some embodiments, the hardware security module is located remotely in a KRS system not physically local to a KMS system.  In 286, the encrypted tenant master key is caused to be decrypted using a customer key.  For example, the encrypted tenant master key is caused to be decrypted using a customer key by sending a request to a Customer HSM to perform decryption of the tenant master key.  In some embodiments, an encrypted tenant master key is decrypted after being retrieved from the key database sent encrypted to the customer HSM and then returned in a decrypted format.  In 288, an encrypted tenant service key is decrypted using the decrypted tenant master key.  In 290, the data is decrypted using the decrypted tenant service key) [Hamel, para.0050].
Gennaro further discloses: said encrypted first tenant secret key of said first tenant stored in the first token (i.e. The individual nodes can compute the appropriate shared key independently by setting K=e(SID1, H(ID2)) or K=e(H(ID1), SID2) i.e., knowing its own secret key and the hash function value at the identity of the other node and performing the appropriate mapping to the second cyclic group ) [Gennaro, para.0033-0034].  
	The same motivation to modify with Hamel, as in claim 1, applies.

Re Claim 6. Gennaro in view of Hamel and Roche discloses the method of the claim 4, Gennaro further discloses: wherein using said first tenant secret key of said first tenant is performed for said second tenant requesting a transciphering of a secret of said first tenant encrypted with said first tenant secret key, and comprises : 
-obtaining a second token generated for the second tenant from said second tenant identifier  (i.e. The shared key between two nodes with identities ID1 and ID2 is K=e(H(ID1), H(ID2))s in G2 ) [Gennaro, para.0034, ID2 is the second tenant identifier] and from a second tenant secret key (i.e.  The individual nodes can compute the appropriate shared key independently by setting K=e(SID1, H(ID2)) or K=e(H(ID1), SID2)) [Gennaro, para.0034] encrypted with said second tenant identifier and with a second tenant customer master key (i.e. the secret key SID=H(ID)s) [Gennaro, para.0033, s is interpreted as the customer master key], 
 	Gennaro does not explicitly disclose whereas Hamel does: said second tenant customer master key having been derived from said second tenant identifier and a secure domain master key (i.e. the creation of a new tenant master key and the first request to encrypt it causes the customer KRS to pick a customer key ID/customer key to use, and then tells the KMS which customer key ID it used to encrypt the tenant master key) [Hamel, para.0049], (i.e. Decrypting the secure repository data requires decrypting the encrypted tenant master key with the customer key, decrypting the encrypted tenant service key with the tenant master key, and finally decrypting the secure data with the tenant service key) [Hamel, para.0030, 
 	Gennaro further discloses: decrypting said encrypted secret with said first tenant secret key (i.e.  The individual nodes can compute the appropriate shared key independently by setting K=e(SID1, H(ID2)) or K=e(H(ID1), SID2)) [Gennaro, para.0034], 
Hamel further discloses: recovering a second tenant customer master key of said second tenant from said second tenant identifier stored in the second token and from said secure domain master key, obtaining said second tenant secret key of the second tenant by decrypting with the recovered second tenant customer master key said encrypted second tenant secret key of said second tenant stored in the second token (i.e. A customer master key is determined based at least in part on the data requested to be retrieved, e.g. the Tenant Master Key needed to perform the decryption.  In some embodiments, the hardware security module is located remotely in a KRS system not physically local to a KMS system.  In 286, the encrypted tenant master key is caused to be decrypted using a customer key.  For example, the encrypted tenant master key is caused to be decrypted using a customer key by sending a request to a Customer HSM to perform decryption of the tenant master key.  In some embodiments, an encrypted tenant master key is decrypted after being retrieved from the key database sent encrypted to the customer HSM and then returned in a decrypted format.  In 288, an encrypted tenant service key is decrypted using the decrypted tenant master key.  In 290, the data is decrypted using the decrypted tenant service key) [Hamel, para.0050],  
Gennaro further discloses: encrypting said decrypted secret with said second tenant secret key of said second tenant (i.e.  The individual nodes can compute the appropriate shared key independently by setting K=e(SID1, H(ID2)) or K=e(H(ID1), SID2)),sending said secret encrypted with said second tenant secret key to said second tenant (i.e. establishing a shared key from communication between two intermediate nodes by evaluating the polynomial at one of the intermediate node using values corresponding to the other intermediate node.  In one embodiment, a key distribution center disposed at the root node in the hierarchy is used to identify the polynomial) [Gennaro, para.0012, implies that the shared key is transmitted to the intermediate nodes].  
	The same motivation to modify with Hamel, as in claim 1, applies.

Re Claim 7.  Gennaro in view of Hamel and Roche discloses the method of the claim 5, Gennaro further discloses wherein said secret is a shared secret key of the first tenant (i.e. In addition to calculating a secret key for each node, shared keys for communication between two nodes are required such that communication between the nodes is not required in order to exchange the shared keys.  The shared key between two nodes with identities ID1 and ID2 is K = e(H(ID1),H(ID2))s in G2) [Gennaro, para.0034].  

Re Claim 8. Gennaro in view of Hamel and Roche discloses the method of the claim 4, Gennaro further discloses: wherein the second tenant has a secret and wherein using said first tenant secret key of said first tenant is performed for said second tenant requesting an encryption of said secret with said first tenant secret key, and comprises: encrypting said secret of the second tenant with said first tenant secret key (i.e. the secret keys of all the intermediate nodes up to level L, i.e. parents of leaf nodes, are derived using the subset-based scheme described above. Let<I1,. . . ,IL>; be the parent of a leaf node and let R= [K1, .  . . Kn] be the secret keys it holds.  Let ID= H(I1, .  . . , IL+1) be the hash of the identity of one of its leaf nodes, then this node receives the values Si=IDKi) [Gennaro, para.0042], sending said encrypted secret of the second tenant to said second tenant (i.e.  an internal node will provide its children with values) [Gennaro, para.0019].  
Re Claim 9. This claim recites features to those in claim 1 and therefore it is rejected in a manner similar to the rejection of claim 1.

Re Claim 10. This claim recites features to those in claim 1 and therefore it is rejected in a manner similar to the rejection of claim 1.

Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Gennaro et al (US Pub.No.2009/0225986) in view of Hamel et al (US Pub. No.2018/0062835) and Roche et al (US Patent No.9,774,586) as applied to claim 1, and further in view of Khot et al (US Pub.No.2016/0350091).

Re Claim 2. Gennaro in view of Hamel and Roche discloses the method of the claim 1, Gennaro in view of Hamel and Roche do not explicitly disclose whereas Khot does: wherein said first values are generated at random (i.e. Within the platform 30 each tenant is identified by a unique Tenant ID (a random Universal Unique Identifier).  These Tenant IDs are stored in storage 96.  Each event contains this tenant information embedded in it) [Khot, para.0103].
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Gennaro in view of Hamel and Roche with Khot because it yields the expected result of ensuring universal unique Tenant IDs. 
Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Gennaro et al (US Pub.No.2009/0225986) in view of Hamel et al (US Pub. No.2018/0062835) and Roche et al (US Patent No.9,774,586) as applied to claim 1, and further in view of Fuller et al (US Patent No.9,172,532).
Re Claim 5.  Gennaro in view of Hamel and Roche discloses the method of the claim 4, wherein using said first tenant secret key of said first tenant is performed for said second tenant requesting a decryption of a secret of said first tenant encrypted with said first tenant secret key (i.e. Because the encryption key retrieved from key(2) data store 160 is encrypted, node(2) 130 may request a decrypt operation from node(1) 135, where the request includes the retrieved encryption key and/or an identifier of the encryption key used to encrypt the encryption key retrieved from key(2) data store 160) [Fuller, col.7], and comprises: decrypting said secret with said first tenant secret key, sending said decrypted secret to said second tenant (i.e. Node(1) 135 can then use the decrypted version of the encryption key retrieved from key(1) data store 170 to decrypt the encryption key retrieved from key(2) data store 160.  The decrypted version of the encryption key retrieved from key(2) data store 160 can then be transmitted to node(2)) [Fuller, col.8].  
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Gennaro in view of Hamel and Roche with Fuller because it efficiently regulates the use of encryption keys to encrypt and decrypt data [Fuller, Abstract]. 
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NOURA ZOUBAIR whose telephone number is (571)270-7285.  The examiner can normally be reached on Monday - Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on 571-272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434