Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
This Office Action is in response to the application 16/791,761 filed on 04/12/2020. Claims 1 and 11 are independent claims.  Claims 1-20 have been examined and are pending. This Action is made Non-FINAL.

Drawings
The drawings were received on 04/12/2020.  These drawings are reviewed and accepted by the Examiner.

Information Disclosure Statement
The information disclosure statement (IDS) submitted o 05/14/2021 is being considered by the examiner.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person.

Claims 1, 5-6, 10-11, 15-16, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Robert Krahn et al, (“ Krahn,” PESOS: Policy Enhanced Secure Object Store, April 23-26, 2018, pages 1-17) in view of Chhabra et al. (“Chhabra,” US 2018/0191716, published Jul. 5, 2018).
Regarding claim 1, Krahn teaches a system, comprising: 
at least one data processor (Krahn:  6.1. Experiment Setup: Hardware. We use IntelXeon E3-1270v5 CPU (v1 SGX) with 64 of main memory to run the PESOS controller); and 
at least one memory (Krahn:  6.1. Experiment Setup: Hardware. We use IntelXeon E3-1270v5 CPU (v1 SGX) with 64 of main memory to run the PESOS controller) storing instructions which, when executed by the at least one data processor, result in operations comprising: 
 establishing, by an enclave executed by a trusted execution environment that runs at an untrusted provider (Krahn: Section 3. Design: “PESOS is a policy enhance secure object store designed to operate in untrusted cloud environments …”, Section 3.1 PESOS Controller, “..The controller run in the (TEE) based on Intel SGX ….”, fig. 2), a trusted relationship with a user accessing a user application (Krahn: Section 3.1 PESOS Controller, “…Clients communicate over a standard mutually authenticated encrypted channel, i.e. Transport Layer Security (TLS), with the controller. Importantly, the channel is terminated inside the TEE…” and “Session context”), wherein the establishment is at least partially based on a trust measurement communicated between the enclave and a certificate authority component associated with the user (Krahn: Section 3.1 PESOS Controller, “... Bootstrap process […] a service for remote attestation and secure deployment of binaries. For remote attestation (RA) an enclave generates a signed measurement representing its identity...”);
associating, by the enclave, one or more access control permissions to a file linked from the user application to a remote file system at the untrusted provider (Krahn: Section 3.3 PESOS Policy Language; ... Each PESOS policy consists of three permission (read, update and delete to control confidentiality, integrity and when an object name can be used.), wherein the one or more access control permissions define one or more parameters of access related to the file and defined by the user for individual users and/or groups of users (Krahn: Section 3.1 PESOS Controller, 3.3. PESOS Policy Language; ... Each PESOS policy consists of three permission (read, up-date and delete to control confidentiality, integrity and when an object name can be used.. and section 5.1 Content Server.), and wherein the file is linked to the remote file system over a secure interface between the user application and the enclave (Krahn: Section 3 Design, “... Clients connect to the PESOS controller to issue storage operation such as create, delete, and update objects…”,  Section 3.1 PESOS Controller, “…Clients communicate over a standard mutually authenticated encrypted channel, i.e. Transport Layer Security (TLS), with the controller. Importantly, the channel is terminated inside the TEE…” and “Session context” and Section 5.1 Content Server); and 
providing, by the enclave, access to the file, wherein the providing is in response to a verification that a request for the file satisfies the one or more access control permissions (Krahn: Section 3.2 PESOS Workflow, … During the execution of request (e.g., put), the request handler queries the policy cache for an existing policy to the object’s key […] to derive whether the request compiles with the policy …” and Section 5.1 Content Server), and wherein the providing comprises the enclave receiving the file in an encrypted form from the remote file system, and sending the file over a protected channel to provide access to the file (Krahn: Section 3.2 PESOS Workflow,   Section 5.1 Content Server, “... TLS connection...”, and Section 2.2 Kinetic Storage, “… Further, PESOS transparently encrypts objects using Advanced Encryption Standard Galois/Counter Mode (AES-GCM) before storing them).
Krahn does not explicitly disclose wherein decrypting the encrypted file.
However, in an analogous art, Chhabra disclose techniques for multi-domain memory encryption, wherein encrypting and decrypting data may occur within trusted execution environment (TEE) (Chhabra: par. 0026, encrypting and decrypting data may only occur within TEE).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Chhabra with the method and system of Krahn, wherein decrypting the encrypted file to provide users with means for preventing access to unsecure data (Chhabra: par. 0026).
Regarding claim 5, Krahn discloses the system of claim 1.  Krahn discloses wherein the one or more parameters of access related to the file comprise a level of permission for the individual users and/or the groups of users (Krahn: 3.3. PESOS Policy Language; ... Each PESOS policy consists of three permission (read, up-date and delete to control confidentiality, integrity and when an object name can be used.... and section 5.1)
Regarding claim 6, the combination of Krahn and Chhabra discloses the system of claim 1. Krahn discloses wherein an external, untrusted interface establishes a secure connection comprising the secure interface between the user application and the enclave (Section 3.1 PESOS Controller, “...The controller run in the (TEE) based on Intel SGX ….”,  fig. 2), a trusted relationship with a user accessing a user application (Krahn: Section 3.1 PESOS Controller, “…Clients communicate over a standard mutually authenticated encrypted channel, i.e. Transport Layer Security (TLS), with the controller. Importantly, the channel is terminated inside the TEE…” and “Session context”). 
Regarding claim 10, the combination of Krahn and Chhabra discloses the system of claim 1. Krahn discloses wherein providing, by the enclave, access to the file is further in response to establishment of a second trusted relationship with a second user having individual access rights or being part of a group with access rights (Krahn: Section 5.1 Content Server, Cloud-based storage systems serve content to clients subject to an access control check. PESOS uses its policy engine to implement per-object access control lists granting read and write access to an object only to a specified a, authenticated client). 
Regarding claim 11, claim 11 is directed to a method associated with the method claimed in claim 1; claim 11 is similar in scope to claim 1, and is therefore rejected under similar rationale.
Regarding claim 15, claim 15 is similar in scope to claim 5, and is therefore rejected under similar rationale.
Regarding claim 16, claim 16 is similar in scope to claim 6, and is therefore rejected under similar rationale.
Regarding claim 20.
Claims 2 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Robert Krahn et al, (“Krahn,” PESOS: Policy Enhanced Secure Object Store, April 23-26, 2018, pages 1-17) in view of Chhabra et al. (“Chhabra,” US 2018/0191716, published Jul. 5, 2018), further in view of Ittai Anati et al. (“Anati,” Innovative Technology for CPU Based Attestation and Sealing,” 2013, pages 1-7).
Regarding claim 2, the combination of Krahn and Chhabra teaches the system of claim 1. Krahn and Chhabra do not explicitly disclose, wherein establishing the trusted relationship comprises: providing, by the enclave and to the certificate authority component, a server token request comprising a public key; receiving, by the enclave and from the certificate authority component, a server token signed with a certificate authority public key; and verifying, by the enclave, the received server token, wherein the verification is based upon the certificate authority public key. 
However, in an analogous art, Anati discloses Innovative Technology for CPU Based Attestation and Sealing, wherein 
providing, by the enclave and to the certificate authority component, a server token request comprising a public key (Anati: page 2, Section 2. MEASUREMENT, Section 2.2. MRSIGNER - Sealing Identity, … The enclave builder present the hardware with an RSA signed enclave certificate (SIGSSTRUCT) that contains the expected value of the Enclave Identity MRENCLAVE, and public key of the Sealing Authority); 
receiving, by the enclave and from the certificate authority component, a server token signed with a certificate authority public key (Anati: page 2, Section 2. MEASUREMENT, Section 2.2. MRSIGNER - Sealing Identity, The hardware checks the signature on the certificate, using the public key contained within and then it compares the value MRENCLAVE against the signed version); and 
verifying, by the enclave, the received server token, wherein the verification is based upon the certificate authority public key (Anati: page 2, Section 2. MEASUREMENT, Section 2.2. MRSIGNER - Sealing Identity, The hardware checks the signature on the certificate, using the public key contained within and then it compares the value MRENCLAVE against the signed version). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Anati with the method and system of Krahn and Chhabra, wherein providing, by the enclave and to the certificate authority component, a server token request comprising a public key; receiving, by the enclave and from the certificate authority component, a server token signed with a certificate authority public key; and verifying, by the enclave, the received server token, wherein the verification is based upon the certificate authority public key to provide users with means for allowing secure attestation and sealing to application software executing in a secure environment (Anati, page 5, Section 6. Conclusions)
Regarding claim 12, claim 12 is similar in scope to claim 2, and is therefore rejected under similar rationale.
Claims 3 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Robert Krahn et al, (“Krahn,” PESOS: Policy Enhanced Secure Object Store, April 23-26, 2018, pages 1-17) in view of Chhabra et al. (“Chhabra,” US 2018/0191716, published Jul. 5, 2018), further in view of Ittai Anati et al. (“Anati,” Innovative Technology for CPU Based Mojarad,” US 2020/0206635, filed Dec. 27, 2020).
Regarding claim 3, the combination of Krahn, Chhadra, and Anati discloses the system of claim 2. The combination of Krahn, Chhadra, and Anati discloses wherein the server token is persisted to memory of the enclave upon verification of the received server token but does not explicitly disclose, wherein the certificate authority public key is hard-coded into the enclave.
However, in an analogous art, Mojarad discloses anti-cheating solution to detect graphic driver tampering for online gaming, wherein public key is hard-coded into the enclave (Mojarad: par. 0150, hardcoded public key in anti-cheating enclave).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Mojarad with the method and system of Krahn, Chhabra, and Anati, wherein the certificate authority public key is hard-coded into the enclave to provide users with means for providing the secure communication channel that ensures all the communication between the gaming/anti-cheating server and the software guard extension enclave are encrypted with a shared secret exchanged during attestation and are immune to the man-in-middle attack (Mojarad: abstract, pars. 0002, 0149).
Regarding claim 13.
Claims 4 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Robert Krahn et al, (“Krahn,” PESOS: Policy Enhanced Secure Object Store, April 23-26, 2018, pages 1-17) in view of Chhabra et al. (“Chhabra,” US 2018/0191716, published Jul. 5, 2018), further in view of Ittai Anati et al. (“Anati,” Innovative Technology for CPU Based Attestation and Sealing,” 2013, pages 1-7).
Regarding claim 4, the combination of Krahn, Chhadra, and Anati discloses the system of claim 2. Krahn further discloses, wherein establishing the trusted relationship further comprises: 
receiving, by the enclave and from the user application, an authentication token (Krahn: Section 3 Design, the client is connected to the correct PESOS controller, while the controller uses the client certificate to perform access control …, “Session context”, When a new client connects, as determined by its certificates, the controller creates a session contextl); and 
verifying, by the enclave, the authentication token based upon the certificate authority public key (Krahn: Section 3 Design, the client is connected to the correct PESOS controller, while the controller uses the client certificate to perform access control …, “Session context”, When a new client connects, as determined by its certificates, the controller creates a session context).
Regarding claim 14, claim 14 is similar in scope to claim 4, and is therefore rejected under similar rationale.

Claims 7-9 and 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Robert Krahn et al, (“ Krahn,” PESOS: Policy Enhanced Secure Object Store, April 23-26, 2018, Chhabra,” US 2018/0191716, published Jul. 5, 2018), further in view of Saur et al. (“Saur,” US 2018/0145836, published May 24, 2018).
Regarding claim 7, the combination of Krahn and Chhabra discloses the system of claim 1. Krahn discloses wherein the file is encrypted with a file key (Krahn: Section 2.2 Kinetic Storage, “… Further, PESOS transparently encrypts objects using Advanced Encryption Standard Galois/Counter Mode (AES-GCM) before storing them). Krahn does not explicitly the file key unique to the file and derived from a root key generated by the enclave. 
However, in an analogous art, Saur disclose technology for secure partitioning and updating of distributed digital ledger, wherein file key unique to the file and derived from a root key generated by the enclave (Saur: par. 0030, Validator application 32 launches KPM 33 in a secure enclave in TEE 56, and KPM 33 then uses a secure execution entity (such as an instruction or microcode) from processor 22 to generate a key pair based on root key 50).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Saur with the method and system of Krahn and Chhabra, wherein the file key unique to the file and derived from a root key generated by the enclave to provide users with means for facilitating secure partitioning and updating of distributed ledgers.  A DLS that uses secure partitioning according to the present teachings may avoid some or all of the scaling issues experienced by other types of DLSs, with regard to the number of messages sent, and with regard to the number of transactions stored by a typical validator (Saur: par. 0008)
Regarding claim 8, the combination of Krahn, Chhabra, and Saur discloses the system of claim 7.  The combination of Krahn further discloses, wherein the encryption of the file with the file key occurs within the enclave (Krahn: ection 2.2 Kinetic Storage, “ … Further, PESOS transparently encrypts objects using Advanced Encryption Standard Galois/Counter Mode (AES-GCM) before storing them; Chhabra: par. 0026). 
Regarding claim 9, the combination of Krahn, Chhabra, and Saur discloses the system of claim 8.  The combination of Krahn, Chhabra, and Saur further discloses, wherein the encrypted file is decrypted in the enclave and sent to the user application over a channel comprising a secure interface (Section 5.1 Content Server, “... TLS connection...”, and Section 2.2 Kinetic Storage, “ … Further, PESOS transparently encrypts objects using Advanced Encryption Standard Galois/Counter Mode (AES-GCM) before storing them; Chhabra: par. 0026).
Regarding claim 17, claim 17 is similar in scope to claim 7, and is therefore rejected under similar rationale.
Regarding claim 18, claim 18 is similar in scope to claim 8, and is therefore rejected under similar rationale.
Regarding claim 19, claim 19 is similar in scope to claim 9, and is therefore rejected under similar rationale.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Canh Le whose telephone number is 571-270-1380. The examiner can normally be reached on Monday to Friday 6:00AM to 3:30PM other Friday off.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Canh Le/
Examiner, Art Unit 2439
September 16th 2014



/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439