DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This office action is in response to communication filed on November 12, 2021.
Status of claims in the instant application:
Claims 1 – 23 are pending.
Claims 1, 8, and 15 are being amended.
Claims 21 – 23 are new.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on November 12, 2021 has been entered.

Response to Amendment
Applicant’s arguments, see page [9 – 12] of Applicant’s remarks on November 12, 2021, with respects to claims 1 – 3, 7 – 10, and 14 – 17 that were rejected under 35 U.S.C. 103 as being unpatentable over US 8719952 B1 to Damm-Goossens, (hereafter, "Damm") in view of US 20190394042 A1 to Peddada have been fully considered, but they are not persuasive. Therefore, the application is directed to the response below: 
In response, Applicant’s remarks noted that Peddada does not disclose or suggest performing processing to validate the host system to the storage system, as set forth in Claim 1, but as the rejection below states, there are mapping in which Peddada discloses “an application server may validate user devices without hitting the database with session authentication requests. For example, each application server may locally support validation for a user device by utilizing a public-private key pair. The application server may transmit the private key of the public-private key pair to a user device (e.g., when setting up the user device as a valid API client), along with either a user certificate or a key identifier (ID) value” [Para. 14] which does validate a user device to an application server by utilizing a public-private key pair. The rest of the step that is explains the validation of the host is system is also mapped using Peddada. Therefore, the rejection under Damn in view of Peddada stands.
	
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1 – 3, 7 – 10, 14 – 17, and 21 are rejected under 35 U.S.C. 103 as being unpatentable over US 8719952 B1 to Damm-Goossens, (hereafter, "Damm") in view of US 20190394042 A1 to Peddada.
Regarding claim 1, Damm teaches a method of establishing a trust relationship between a host system and a storage system, comprising: the host system generating an asymmetric pair of encryption keys, including a private key and a public key; [Damm, col. 3 lines 1 – 6 discloses a mobile communication device comprising at least one processor to: generate an asymmetric public key cryptography key pair including a private key and a public key, the private key including a modulus and a private exponent, the public key including the modulus and a public exponent] the host system sending the public key to the storage system [Damm, col. 3 lines 8 – 10 discloses transmit the public key for storage on an authentication server connected to the mobile communication device over a wide area network], wherein the storage system includes a plurality of physical storage devices and at least one director to process I/O operations between the host system and the plurality of physical storage devices [Damm, col. 6 lines 35 – 47 discloses any two or more of the illustrated service provider system 22, authentication server system 60, and client computer systems 20a-c may be implemented on common hardware, e.g. a common physical computer server. The ATM machine may include a service provider, client, and authentication server on a common physical computer system, and connected to each other through the memory or other local structures of the physical computer system. In some embodiments, each of the systems shown in FIG. 1 is implemented on a distinct physical computer system, and is connected to other systems through LAN/WAN/telecom network connections. Col. 6 lines 58 – 67 to col. 7 lines 1 – 2 discloses such devices may be devices capable of web browsing and thus access to remotely-hosted protected websites, such as desktop, laptop, tablet computer devices, or mobile phones such as smartphones. In some embodiments, such devices may also be gateways to local resources, such as automatic teller machines (ATM), physical premise (e.g. building) security devices, or other local-authentication devices. If implemented on separate physical devices from client computer system 20, each of service provider computer system 22 and authentication server computer system 60 includes hardware components similar to the ones shown in FIG. 2. (Examiner notes that Fig. 2 and the authentication server description above show that there are multiple storage devices)], but Damm does not teach the storage system storing the public key on the storage system with an identifier of the host system; and performing processing to validate the host system to the storage system, including: the host system reading a string of data from the storage system, wherein the string of data is generated by the storage system; the host system generating an encrypted string of data by encrypting the string of data with the private key generated by the host system; the host system sending the encrypted string of data to the storage system; the storage system generating a decrypted string of data by decrypting the encrypted string of data with the public key; the storage system determining that the decrypted string of data matches the string of data; and responsive to the storage system determining that the decrypted string of data matches the string of data, validating the identity of the host system and the storage system continuing communications with the host system.
However, Peddada does teach the storage system storing the public key on the storage system with an identifier of the host system; [Peddada, para. 32 discloses when generating a private key-public key pair, the application server may store the public key in a local memory storage system of the application server along with an indication of the associated public key identifier, and may transmit the private key and the public key identifier to the user device. For example, the application server may contain association storage for storing associations between public keys of the public-private key pairs and user-specific or user device-specific key ID values associated with the private key] and performing processing to validate the host system to the storage system [Peddada, para. 14 discloses an application server may validate user devices without hitting the database with session authentication requests. For example, each application server may locally support validation for a user device by utilizing a public-private key pair. The application server may transmit the private key of the public-private key pair to a user device (e.g., when setting up the user device as a valid API client), along with either a user certificate or a key identifier (ID) value], including: the host system reading a string of data from the storage system, wherein the string of data is generated by the storage system; [Peddada, para. 54 discloses  the application server 510 may transmit a server certificate message (e.g., as part of a transport layer security (TLS) handshake protocol). This server certificate message may be an example of a digital X.509 certificate. The user device 505 may verify that the server certificate message corresponds to a trusted application server 510] the host system generating an encrypted string of data by encrypting the string of data with the private key generated by the host system; [Peddada, para. 56 discloses the user device 505 may transmit a client certificate message to the application server 510 (e.g., to continue the TLS handshake protocol). The client certificate message may be an example of a session establishment message. The client certificate message may include one or more certificates, and may be based on the private key. For example, the client certificate message may include the certificate received at 520, a certificate generated by the user device 505, a certificate associated with a name from the list of names of root certificates included in the server certificate message, or any combination of these certificates. In some examples, the client certificate message may be generated by the user device 505 using the private key, and/or may contain a key ID value received at 520. For example, the client certificate message may be encrypted using the private key or may be signed by the private key] the host system sending the encrypted string of data to the storage system; [Peddada, para. 56 discloses the user device 505 may transmit a client certificate message to the application server 510 (e.g., to continue the TLS handshake protocol) ... For example, the client certificate message may be encrypted using the private key or may be signed by the private key.] the storage system generating a decrypted string of data by decrypting the encrypted string of data with the public key; [Peddada, para. 57 discloses the application server 510 may validate that the client certificate message (e.g., the session establishment message) is received from a trusted user device 505. In some cases, the application server 510 may validate the user device 505 based on identifying the public key corresponding to the private key. For example, if the client certificate message contains a certificate, the application server 510 may identify (e.g., derive, extract, etc.) the public key from the certificate. If the client certificate message contains a key ID value, the application server 510 may identify a public key stored at the application server 510 and associated with the key ID value. The application server 510 may validate the user device 505 using the identified public key. For example, the application server 510 may validate that both the certificate included in the client certificate message and the private key used to generate the client certificate message match a same valid user device 505] the storage system determining that the decrypted string of data matches the string of data; [Peddada, para. 57 discloses if the client certificate message contains a certificate, the application server 510 may identify (e.g., derive, extract, etc.) the public key from the certificate. If the client certificate message contains a key ID value, the application server 510 may identify a public key stored at the application server 510 and associated with the key ID value. The application server 510 may validate the user device 505 using the identified public key. For example, the application server 510 may validate that both the certificate included in the client certificate message and the private key used to generate the client certificate message match a same valid user device 505.] and responsive to the storage system determining that the decrypted string of data matches the string of data, validating the identity of the host system and the storage system continuing communications with the host system. [Peddada, para. 59 discloses the application server 510 may establish a database connection with the database 515 of the database system in response to the application server 510 validating the user device 505. The application server 510 may use the database connection for handling resource requests for the user device 505. For example, the user device 505 may transmit resource requests to the database 515 (e.g., via the application server 510) using the established mTLS connection and the established database connection.]
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date to combine Peddada’s system with Damm’s system, with a motivation to store the key ID value to help identify a public key being associated with a private key. [Peddada, para. 32]

As per claim 2, modified Damm teaches the method of claim 1, wherein the private key is stored on the host system and is unreadable. [Damm, col. 3 lines 6 – 8 discloses store the private key in encrypted, unstructured form on the mobile communication device. Col. 14 lines 25 - 30 discloses the unstructured private key is encrypted with the user's password. When an attacker attempts to decrypt private key by brute force or other means, the result is always an unstructured sequence of numbers and/or characters, with no indicator of a successful decryption. (Examiner notes that the unstructured private key is inaccessible to outside attacker and is therefore unreadable to the attacker)]

As per claim 3, modified Damm teaches the method of claim 1, wherein an unreadable encryption key unique to the host system is stored on the host system, [Damm, col. 13 lines 4 - 8 discloses mobile communication device receives identity and other setup information from a user. Such information may include a human-readable name for personal use, a user ID, password, and host address and port] and wherein the method further comprises: encrypting the private key with the unreadable encryption key; [Damm, col. 14 lines 25 - 26 discloses the unstructured private key is encrypted with the user's password] and storing the encrypted private key on the host system [Damm, col. 3 lines 6 – 8 discloses store the private key in encrypted, unstructured form on the mobile communication device],

As per claim 7, modified Damm teaches the method of claim 1, wherein the generating, the sending and the storing are performed during a provisioning of the host system to the storage system. [Damm, col. 12 lines 38 - 48 discloses mobile communication device registers itself at authentication server. Mobile communication device creates a cryptographic key pair and transmits a public key to authentication server, while storing a corresponding private key locally on mobile communication device. As specified above, the term "public key" is used herein because of its common usage referring to one part of an asymmetric key pair; the described public key need not be, and preferably is not, made available to the public, and is stored securely and confidentially on authentication server]

Regarding claim 8, Damm teaches a system comprising: one or more processors; and memory comprising code stored thereon that, when executed, performs a method of establishing a trust relationship between a host system and a storage system including: the host system generating an asymmetric pair of encryption keys, including a private key and a public key; [Damm, col. 3 lines 1 – 6 discloses a mobile communication device comprising at least one processor to: generate an asymmetric public key cryptography key pair including a private key and a public key, the private key including a modulus and a private exponent, the public key including the modulus and a public exponent] the host system sending the public key to the storage system; [Damm, col. 3 lines 8 – 10 discloses transmit the public key for storage on an authentication server connected to the mobile communication device over a wide area network], wherein the storage system includes a plurality of physical storage devices and at least one director to process I/O operations between the host system and the plurality of physical storage devices [Damm, col. 6 lines 35 – 47 discloses any two or more of the illustrated service provider system 22, authentication server system 60, and client computer systems 20a-c may be implemented on common hardware, e.g. a common physical computer server. The ATM machine may include a service provider, client, and authentication server on a common physical computer system, and connected to each other through the memory or other local structures of the physical computer system. In some embodiments, each of the systems shown in FIG. 1 is implemented on a distinct physical computer system, and is connected to other systems through LAN/WAN/telecom network connections. Col. 6 lines 58 – 67 to col. 7 lines 1 – 2 discloses such devices may be devices capable of web browsing and thus access to remotely-hosted protected websites, such as desktop, laptop, tablet computer devices, or mobile phones such as smartphones. In some embodiments, such devices may also be gateways to local resources, such as automatic teller machines (ATM), physical premise (e.g. building) security devices, or other local-authentication devices. If implemented on separate physical devices from client computer system 20, each of service provider computer system 22 and authentication server computer system 60 includes hardware components similar to the ones shown in FIG. 2. (Examiner notes that Fig. 2 and the authentication server description above show that there are multiple storage devices)], but Damm does not teach the storage system storing the public key on the storage system with an identifier of the host system; and performing processing to validate the host system to the storage system, including: the host system reading a string of data from the storage system, wherein the string of data is generated by the storage system: the host system generating an encrypted string of data by encrypting the string of data with the private key generated by the host system: the host system sending the encrypted string of data to the storage system:, and Page 3 of 14the storage system generating a decrypted string of data by decrypting the encrypted string of data with the public key, the storage system determining that the decrypted string of data matches the string of data; and responsive to the storage system determining that the decrypted string of data matches the string of data, validating the identity of the host system and the storage system continuing communications with the host system.
However, Peddada does teach the storage system storing the public key on the storage system with an identifier of the host system; [Peddada, para. 32 discloses when generating a private key-public key pair, the application server may store the public key in a local memory storage system of the application server along with an indication of the associated public key identifier, and may transmit the private key and the public key identifier to the user device. For example, the application server may contain association storage for storing associations between public keys of the public-private key pairs and user-specific or user device-specific key ID values associated with the private key] and performing processing to validate the host system to the storage system [Peddada, para. 14 discloses an application server may validate user devices without hitting the database with session authentication requests. For example, each application server may locally support validation for a user device by utilizing a public-private key pair. The application server may transmit the private key of the public-private key pair to a user device (e.g., when setting up the user device as a valid API client), along with either a user certificate or a key identifier (ID) value], including: the host system reading a string of data from the storage system, wherein the string of data is generated by the storage system; [Peddada, para. 54 discloses  the application server 510 may transmit a server certificate message (e.g., as part of a transport layer security (TLS) handshake protocol). This server certificate message may be an example of a digital X.509 certificate. The user device 505 may verify that the server certificate message corresponds to a trusted application server 510] the host system generating an encrypted string of data by encrypting the string of data with the private key generated by the host system; [Peddada, para. 56 discloses the user device 505 may transmit a client certificate message to the application server 510 (e.g., to continue the TLS handshake protocol). The client certificate message may be an example of a session establishment message. The client certificate message may include one or more certificates, and may be based on the private key. For example, the client certificate message may include the certificate received at 520, a certificate generated by the user device 505, a certificate associated with a name from the list of names of root certificates included in the server certificate message, or any combination of these certificates. In some examples, the client certificate message may be generated by the user device 505 using the private key, and/or may contain a key ID value received at 520. For example, the client certificate message may be encrypted using the private key or may be signed by the private key] the host system sending the encrypted string of data to the storage system; [Peddada, para. 56 discloses the user device 505 may transmit a client certificate message to the application server 510 (e.g., to continue the TLS handshake protocol) ... For example, the client certificate message may be encrypted using the private key or may be signed by the private key.] the storage system generating a decrypted string of data by decrypting the encrypted string of data with the public key; [Peddada, para. 57 discloses the application server 510 may validate that the client certificate message (e.g., the session establishment message) is received from a trusted user device 505. In some cases, the application server 510 may validate the user device 505 based on identifying the public key corresponding to the private key. For example, if the client certificate message contains a certificate, the application server 510 may identify (e.g., derive, extract, etc.) the public key from the certificate. If the client certificate message contains a key ID value, the application server 510 may identify a public key stored at the application server 510 and associated with the key ID value. The application server 510 may validate the user device 505 using the identified public key. For example, the application server 510 may validate that both the certificate included in the client certificate message and the private key used to generate the client certificate message match a same valid user device 505] the storage system determining that the decrypted string of data matches the string of data; [Peddada, para. 57 discloses if the client certificate message contains a certificate, the application server 510 may identify (e.g., derive, extract, etc.) the public key from the certificate. If the client certificate message contains a key ID value, the application server 510 may identify a public key stored at the application server 510 and associated with the key ID value. The application server 510 may validate the user device 505 using the identified public key. For example, the application server 510 may validate that both the certificate included in the client certificate message and the private key used to generate the client certificate message match a same valid user device 505.] and responsive to the storage system determining that the decrypted string of data matches the string of data, validating the identity of the host system and the storage system continuing communications with the host system. [Peddada, para. 59 discloses the application server 510 may establish a database connection with the database 515 of the database system in response to the application server 510 validating the user device 505. The application server 510 may use the database connection for handling resource requests for the user device 505. For example, the user device 505 may transmit resource requests to the database 515 (e.g., via the application server 510) using the established mTLS connection and the established database connection.]
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date to combine Peddada’s system with Damm’s system, with a motivation to store the key ID value to help identify a public key being associated with a private key. [Peddada, para. 32]

As per claim 9, modified Damm teaches the system of claim 8, wherein the private key is stored on the host system and is unreadable. [Damm, col. 3 lines 6 – 8 discloses store the private key in encrypted, unstructured form on the mobile communication device. Col. 14 lines 25 - 30 discloses the unstructured private key is encrypted with the user's password. When an attacker attempts to decrypt private key by brute force or other means, the result is always an unstructured sequence of numbers and/or characters, with no indicator of a successful decryption. (Examiner notes that the unstructured private key is inaccessible to outside attacker and is therefore unreadable to the attacker)]

As per claim 10, modified Damm teaches the system of claim 9, wherein an unreadable encryption key unique to the host system is stored on the host system, [Damm, col. 13 lines 4 - 8 discloses mobile communication device receives identity and other setup information from a user. Such information may include a human-readable name for personal use, a user ID, password, and host address and port] and wherein the method further comprises: encrypting the private key with the unreadable encryption key; [Damm, col. 14 lines 25 - 26 discloses the unstructured private key is encrypted with the user's password] and storing the encrypted private key on the host system [Damm, col. 3 lines 6 – 8 discloses store the private key in encrypted, unstructured form on the mobile communication device],

As per claim 14, modified Damm teaches the system of claim 8, wherein the method is performed during a provisioning of the host system to the storage system. [Damm, col. 12 lines 38 - 48 discloses mobile communication device registers itself at authentication server. Mobile communication device creates a cryptographic key pair and transmits a public key to authentication server, while storing a corresponding private key locally on mobile communication device. As specified above, the term "public key" is used herein because of its common usage referring to one part of an asymmetric key pair; the described public key need not be, and preferably is not, made available to the public, and is stored securely and confidentially on authentication server]

Regarding claim 15, Damm teaches one or more non-transitory computer-readable media having software stored thereon, the execution of [Damm, col. 5 lines 11 - 14 discloses computer systems and/or mobile communication devices programmed to perform the methods described herein, as well as computer-readable media encoding instructions to perform the methods described herein.] which results in of establishing a trust relationship between a host system and a storage system, the software comprising: executable code that controls the host system to generate an asymmetric pair of encryption keys, including a private key and a public key; [Damm, col. 3 lines 1 – 6 discloses a mobile communication device comprising at least one processor to: generate an asymmetric public key cryptography key pair including a private key and a public key, the private key including a modulus and a private exponent, the public key including the modulus and a public exponent] the host system sending the public key to the storage system; [Damm, col. 3 lines 8 – 10 discloses transmit the public key for storage on an authentication server connected to the mobile communication device over a wide area network], wherein the storage system includes a plurality of physical storage devices and at least one director to process 1/O operations between the host system and the plurality of physical storage devices [Damm, col. 6 lines 35 – 47 discloses any two or more of the illustrated service provider system 22, authentication server system 60, and client computer systems 20a-c may be implemented on common hardware, e.g. a common physical computer server. The ATM machine may include a service provider, client, and authentication server on a common physical computer system, and connected to each other through the memory or other local structures of the physical computer system. In some embodiments, each of the systems shown in FIG. 1 is implemented on a distinct physical computer system, and is connected to other systems through LAN/WAN/telecom network connections. Col. 6 lines 58 – 67 to col. 7 lines 1 – 2 discloses such devices may be devices capable of web browsing and thus access to remotely-hosted protected websites, such as desktop, laptop, tablet computer devices, or mobile phones such as smartphones. In some embodiments, such devices may also be gateways to local resources, such as automatic teller machines (ATM), physical premise (e.g. building) security devices, or other local-authentication devices. If implemented on separate physical devices from client computer system 20, each of service provider computer system 22 and authentication server computer system 60 includes hardware components similar to the ones shown in FIG. 2. (Examiner notes that Fig. 2 and the authentication server description above show that there are multiple storage devices)], but Damm does not teach executable code that controls the storage system to store the public key on the storage system with an identifier of the host system; and executable code that performs processing that validates the host system to the storage system, including: executable code that controls the host system to read a string of data from the storage system, wherein the string of data is generated by the storage system: executable code that controls the host system to generate an encrypted string of data by encrypting the string of data with the private key generated by the host system: executable code that controls the host system to send the encrypted string of data to the storage system; executable code that controls the storage system to generate a decrypted string of data by decrypting the encrypted string of data using the public key; executable code that controls the storage system to determine that the decrypted string of data matches the string of data; and executable code that, responsive to the storage system determining that the decrypted string of data matches the string of data, controls the storage system to validate the identity of the host system and controls the storage system to continue communications with the host system.
However, Peddada does teach executable code that controls the storage system to store the public key on the storage system with an identifier of the host system; [Peddada, para. 32 discloses when generating a private key-public key pair, the application server may store the public key in a local memory storage system of the application server along with an indication of the associated public key identifier, and may transmit the private key and the public key identifier to the user device. For example, the application server may contain association storage for storing associations between public keys of the public-private key pairs and user-specific or user device-specific key ID values associated with the private key] and executable code that performs processing that validates the host system to the storage system, [Peddada, para. 14 discloses an application server may validate user devices without hitting the database with session authentication requests. For example, each application server may locally support validation for a user device by utilizing a public-private key pair. The application server may transmit the private key of the public-private key pair to a user device (e.g., when setting up the user device as a valid API client), along with either a user certificate or a key identifier (ID) value] including: executable code that controls the host system to read a string of data from the storage system, wherein the string of data is generated by the storage system;[Peddada, para. 54 discloses  the application server 510 may transmit a server certificate message (e.g., as part of a transport layer security (TLS) handshake protocol). This server certificate message may be an example of a digital X.509 certificate. The user device 505 may verify that the server certificate message corresponds to a trusted application server 510] executable code that controls the host system to generate an encrypted string of data by encrypting the string of data with the private key generated by the host system; [Peddada, para. 56 discloses the user device 505 may transmit a client certificate message to the application server 510 (e.g., to continue the TLS handshake protocol). The client certificate message may be an example of a session establishment message. The client certificate message may include one or more certificates, and may be based on the private key. For example, the client certificate message may include the certificate received at 520, a certificate generated by the user device 505, a certificate associated with a name from the list of names of root certificates included in the server certificate message, or any combination of these certificates. In some examples, the client certificate message may be generated by the user device 505 using the private key, and/or may contain a key ID value received at 520. For example, the client certificate message may be encrypted using the private key or may be signed by the private key] executable code that controls the host system to send the encrypted string of data to the storage system; [Peddada, para. 56 discloses the user device 505 may transmit a client certificate message to the application server 510 (e.g., to continue the TLS handshake protocol) ... For example, the client certificate message may be encrypted using the private key or may be signed by the private key.] executable code that controls the storage system to generate a decrypted string of data by decrypting the encrypted string of data using the public key; [Peddada, para. 57 discloses the application server 510 may validate that the client certificate message (e.g., the session establishment message) is received from a trusted user device 505. In some cases, the application server 510 may validate the user device 505 based on identifying the public key corresponding to the private key. For example, if the client certificate message contains a certificate, the application server 510 may identify (e.g., derive, extract, etc.) the public key from the certificate. If the client certificate message contains a key ID value, the application server 510 may identify a public key stored at the application server 510 and associated with the key ID value. The application server 510 may validate the user device 505 using the identified public key. For example, the application server 510 may validate that both the certificate included in the client certificate message and the private key used to generate the client certificate message match a same valid user device 505] executable code that controls the storage system to determine that the decrypted string of data matches the string of data; [Peddada, para. 57 discloses if the client certificate message contains a certificate, the application server 510 may identify (e.g., derive, extract, etc.) the public key from the certificate. If the client certificate message contains a key ID value, the application server 510 may identify a public key stored at the application server 510 and associated with the key ID value. The application server 510 may validate the user device 505 using the identified public key. For example, the application server 510 may validate that both the certificate included in the client certificate message and the private key used to generate the client certificate message match a same valid user device 505] executable code that, responsive to the storage system determining that the decrypted string of data matches the string of data, controls the storage system to validate the identity of the host system and controls the storage system to continue communications with the host system. [Peddada, para. 59 discloses the application server 510 may establish a database connection with the database 515 of the database system in response to the application server 510 validating the user device 505. The application server 510 may use the database connection for handling resource requests for the user device 505. For example, the user device 505 may transmit resource requests to the database 515 (e.g., via the application server 510) using the established mTLS connection and the established database connection.]
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date to combine Peddada’s system with Damm’s system, with a motivation to store the key ID value to help identify a public key being associated with a private key. [Peddada, para. 32]

As per claim 16, modified Damm teaches the one or more non-transitory computer-readable media of claim 15, wherein the private key is stored on the host system and is unreadable. . [Damm, col. 3 lines 6 – 8 discloses store the private key in encrypted, unstructured form on the mobile communication device. Col. 14 lines 25 - 30 discloses the unstructured private key is encrypted with the user's password. When an attacker attempts to decrypt private key by brute force or other means, the result is always an unstructured sequence of numbers and/or characters, with no indicator of a successful decryption. (Examiner notes that the unstructured private key is inaccessible to outside attacker and is therefore unreadable to the attacker)]

As per claim 17, modified Damm teaches the one or more non-transitory computer-readable media of claim 15, wherein an unreadable encryption key unique to the host system is stored on the host system, [Damm, col. 13 lines 4 - 8 discloses mobile communication device receives identity and other setup information from a user. Such information may include a human-readable name for personal use, a user ID, password, and host address and port] and wherein the method further comprises: encrypting the private key with the unreadable encryption key; [Damm, col. 14 lines 25 - 26 discloses the unstructured private key is encrypted with the user's password] and storing the encrypted private key on the host system [Damm, col. 3 lines 6 – 8 discloses store the private key in encrypted, unstructured form on the mobile communication device]

Regarding claim 21, modified Damn teaches the method of Claim 1, but Damn does not teach further comprising: receiving, by the storage system from a second host system impersonating the host system, a second encrypted string of data; the storage system generating a second decrypted string of data by decrypting the second encrypted string of data with the public key associated with the host system; the storage system determining that the second decrypted string of data does not match the string of data; and responsive to the storage system determining that the second decrypted string of data does not match the string of data, determining that the second host system is not the host system that sent the public key and ceasing communication with the second host system.
However, Peddada does teach further comprising: receiving, by the storage system from a second host system impersonating the host system, a second encrypted string of data; [Peddada, para. 44 discloses the application server 325 may remove the local copy of the certificate 365 or the indication of the certificate 365 from memory. For example, in one specific example, the application server 325 may store a list of valid, issued certificates 365 (e.g., for verifying certificates 365 that are received from user devices 315). The application server 325 may remove a certificate 365 from the list of valid certificates stored in persistent memory 340 based on a received revocation message. If the application server 325 receives any future session identifier messages 355 containing this certificate 365, the application server 325 may refrain from establishing a connection with database 370 based this certificate 365 no longer being stored as a valid, issued certificate] the storage system generating a second decrypted string of data by decrypting the second encrypted string of data with the public key associated with the host system; the storage system determining that the second decrypted string of data does not match the string of data; and responsive to the storage system determining that the second decrypted string of data does not match the string of data, determining that the second host system is not the host system that sent the public key and ceasing communication with the second host system. [Peddada, para. 35 discloses the application server 225 may establish a database connection 245 with the database 250 if the user device 205 is validated. In some examples, the validator 240 may grant the user device 205 access to resources associated with the database 250. In some cases, the validator 240 may grant the user device 205 access to a subset of resources associated with the database 250 (e.g., application-specific resources, tenant-specific resources, or a combination thereof). If the user device 205 is found to be invalid (e.g., the private key 215 used for the session establishment message 235 does not correspond to the public key encapsulated by the certificate or stored in memory for the user device, the certificate or key ID value is invalid or revoked, the public key identifier 220 does not grant access to the requested resources, etc.), the application server 225 may terminate the session establishment message 235 at the application server 225 without establishing the database connection 245. In this way, a session establishment message 235 is not granted access to the database 250 unless the user device 205 is first identified as a valid user device 205 by the application server 225.]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date to combine Peddada’s system with Damm’s system, with a motivation to store the key ID value to help identify a public key being associated with a private key. [Peddada, para. 32]

7.	Claims 4 – 6, 11 – 13, and 18 – 20 are rejected under 35 U.S.C. 103 as being unpatentable over US 8719952 B1 to Damm-Goossens, (hereafter, "Damm") in view of US 20190394042 A1 to Peddada in further view of US 20150281233 A1 to Asenjo et al., (hereafter, “Asenjo”) 
Regarding claim 4, modified Damm teaches the method of claim 1, wherein storing the public key on the storage system, but modified Damm does not teach includes storing the public key in a data structure that defines I/O connectivity between one or more host ports of the host system, one or more storage ports of the storage system and one or more logical storage units for one or more applications executing on the host system for which data is stored on the storage system.
However, Asenjo does teach includes storing the public key in a data structure that defines I/O connectivity between one or more host ports of the host system, one or more storage ports of the storage system and one or more logical storage units for one or more applications executing on the host system for which data is stored on the storage system. [Asenjo, para. 45 discloses the authentication component can determine, in one example, an authentication policy for the cloud agent device based on the metadata (e.g., device identification data, industrial facility data, customer data, other data, etc.) associated with the access key. Para. 46 discloses a user can set read permissions, write permissions and/or permissions for one or more cloud services associated with a cloud platform during the registration mode. Therefore, a user (e.g., a cloud service administrator, an owner, etc.) can define privileges to be assigned to each cloud agent device. In a non-limiting example, permissions for one or more cloud services can include permissions for a particular cloud agent device (e.g., a particular cloud agent device associated with a particular MAC address, customer identifier, site identifier and/or location identifier) to utilize a particular cloud storage location and/or cloud application]
	Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Asenjo’s system with modified Damm’s system, with a motivation to authorize a cloud agent device to utilize one or more cloud services associated with a cloud platform based on an access key for the cloud agent device. [Asenjo, para. 45]

Regarding claim 5, modified Damm teaches the method of claim 1, but modified Damm does not teach wherein one or more logical storage units associated with the host system have data corresponding to the storage system, the method further comprising: for each of the one or more logical storage units, determining a validation security level associated with the logical storage unit.
However, Asenjo does teach wherein one or more logical storage units associated with the host system have data corresponding to the storage system, [Asenjo, para. 50 discloses a system that leverages an agent-based cloud infrastructure to provide secure data collection and/or processing services to customer manufacturing sites] the method further comprising: for each of the one or more logical storage units, determining a validation security level associated with the logical storage unit. [Asenjo, para. 65 discloses the alarms queue can relate to abnormal situations, where the alarm data can also be accessed through the API. This alarms queue can comprise multiple queues associated with different alarm priorities, to allow for individual processing for different alarms having different levels of criticality. Para. 50 discloses this system can provide remote collection and monitoring services in connection with security applications, alarm and event notification for critical industrial assets]
	Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Asenjo’s system with modified Damm’s system, with a motivation to dynamically configure one or more priority queues that respectively define how the data packets are processed in the cloud platform. [Asenjo, para. 65]

Regarding claim 6, modified Damm teaches the method of claim 5, further comprising: for each of the one or more logical storage units, determining a frequency with which to poll the storage system to validate the host system with respect to the logical storage unit.
However, Asenjo does teach determining a frequency with which to poll the storage system to validate the host system with respect to the logical storage unit. [Asenjo, para. 46 after the defined period of time has expired, the authentication component 202 can generate a different access key for the cloud agent device. For example, after the defined period of time has expired, the cloud agent device can be required to generate another authentication request and be re-authenticated with the cloud platform.]
	Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Asenjo’s system with modified Damm’s system, with a motivation to authenticate the cloud agent device allowing the cloud data processing component to be configured to receive, at a cloud platform that authenticates the cloud agent device, one or more data packets from the cloud agent device during the defined period of time [Asenjo, para. 47]

Regarding claim 11, modified Damm teaches the system of claim 8, wherein storing the public key on the storage system, but modified Damm does not teach includes storing the public key in a data structure that defines I/O connectivity between one or more host ports of the host system, one or more storage ports of the storage system and one or more logical storage units for one or more applications executing on the host system for which data is stored on the storage system.
However, Asenjo does teach includes storing the public key in a data structure that defines I/O connectivity between one or more host ports of the host system, one or more storage ports of the storage system and one or more logical storage units for one or more applications executing on the host system for which data is stored on the storage system. [Asenjo, para. 45 discloses the authentication component can determine, in one example, an authentication policy for the cloud agent device based on the metadata (e.g., device identification data, industrial facility data, customer data, other data, etc.) associated with the access key. Para. 46 discloses a user can set read permissions, write permissions and/or permissions for one or more cloud services associated with a cloud platform during the registration mode. Therefore, a user (e.g., a cloud service administrator, an owner, etc.) can define privileges to be assigned to each cloud agent device. In a non-limiting example, permissions for one or more cloud services can include permissions for a particular cloud agent device (e.g., a particular cloud agent device associated with a particular MAC address, customer identifier, site identifier and/or location identifier) to utilize a particular cloud storage location and/or cloud application]
	Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Asenjo’s system with modified Damm’s system, with a motivation to authorize a cloud agent device to utilize one or more cloud services associated with a cloud platform based on an access key for the cloud agent device. [Asenjo, para. 45]

Regarding claim 12, modified Damm teaches the system of claim 8, but modified Damm does not teach wherein one or more logical storage units associated with the host system have data corresponding to the storage system, the method further comprising: for each of the one or more logical storage units, determining a validation security level associated with the logical storage unit.
However, Asenjo does teach wherein one or more logical storage units associated with the host system have data corresponding to the storage system, [Asenjo, para. 50 discloses a system that leverages an agent-based cloud infrastructure to provide secure data collection and/or processing services to customer manufacturing sites] the method further comprising: for each of the one or more logical storage units, determining a validation security level associated with the logical storage unit. [Asenjo, para. 65 discloses the alarms queue can relate to abnormal situations, where the alarm data can also be accessed through the API. This alarms queue can comprise multiple queues associated with different alarm priorities, to allow for individual processing for different alarms having different levels of criticality. Para. 50 discloses this system can provide remote collection and monitoring services in connection with security applications, alarm and event notification for critical industrial assets]
	Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Asenjo’s system with modified Damm’s system, with a motivation to dynamically configure one or more priority queues that respectively define how the data packets are processed in the cloud platform. [Asenjo, para. 65]

Regarding claim 13, modified Damm teaches the system of claim 12, further comprising: for each of the one or more logical storage units, determining a frequency with which to poll the storage system to validate the host system with respect to the logical storage unit.
However, Asenjo does teach determining a frequency with which to poll the storage system to validate the host system with respect to the logical storage unit. [Asenjo, para. 46 after the defined period of time has expired, the authentication component 202 can generate a different access key for the cloud agent device. For example, after the defined period of time has expired, the cloud agent device can be required to generate another authentication request and be re-authenticated with the cloud platform.]
	Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Asenjo’s system with modified Damm’s system, with a motivation to authenticate the cloud agent device allowing the cloud data processing component to be configured to receive, at a cloud platform that authenticates the cloud agent device, one or more data packets from the cloud agent device during the defined period of time [Asenjo, para. 47]

Regarding claim 18, modified Damm teaches the one or more non-transitory computer-readable media of claim 15, wherein storing the public key on the storage system, but modified Damm does not teach includes storing the public key in a data structure that defines I/O connectivity between one or more host ports of the host system, one or more storage ports of the storage system and one or more logical storage units for one or more applications executing on the host system for which data is stored on the storage system.
However, Asenjo does teach includes storing the public key in a data structure that defines I/O connectivity between one or more host ports of the host system, one or more storage ports of the storage system and one or more logical storage units for one or more applications executing on the host system for which data is stored on the storage system. [Asenjo, para. 45 discloses the authentication component can determine, in one example, an authentication policy for the cloud agent device based on the metadata (e.g., device identification data, industrial facility data, customer data, other data, etc.) associated with the access key. Para. 46 discloses a user can set read permissions, write permissions and/or permissions for one or more cloud services associated with a cloud platform during the registration mode. Therefore, a user (e.g., a cloud service administrator, an owner, etc.) can define privileges to be assigned to each cloud agent device. In a non-limiting example, permissions for one or more cloud services can include permissions for a particular cloud agent device (e.g., a particular cloud agent device associated with a particular MAC address, customer identifier, site identifier and/or location identifier) to utilize a particular cloud storage location and/or cloud application]
	Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Asenjo’s system with modified Damm’s system, with a motivation to authorize a cloud agent device to utilize one or more cloud services associated with a cloud platform based on an access key for the cloud agent device. [Asenjo, para. 45]

Regarding claim 19, modified Damm teaches the one or more non-transitory computer-readable media of claim 15, but modified Damm does not teach wherein one or more logical storage units associated with the host system have data corresponding to the storage system, the method further comprising: for each of the one or more logical storage units, determining a validation security level associated with the logical storage unit.
However, Asenjo does teach wherein one or more logical storage units associated with the host system have data corresponding to the storage system, [Asenjo, para. 50 discloses a system that leverages an agent-based cloud infrastructure to provide secure data collection and/or processing services to customer manufacturing sites] the method further comprising: for each of the one or more logical storage units, determining a validation security level associated with the logical storage unit. [Asenjo, para. 65 discloses the alarms queue can relate to abnormal situations, where the alarm data can also be accessed through the API. This alarms queue can comprise multiple queues associated with different alarm priorities, to allow for individual processing for different alarms having different levels of criticality. Para. 50 discloses this system can provide remote collection and monitoring services in connection with security applications, alarm and event notification for critical industrial assets]
	Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Asenjo’s system with modified Damm’s system, with a motivation to dynamically configure one or more priority queues that respectively define how the data packets are processed in the cloud platform. [Asenjo, para. 65]

Regarding claim 20, modified Damm teaches the one or more non-transitory computer-readable media of claim 19, further comprising: for each of the one or more logical storage units, determining a frequency with which to poll the storage system to validate the host system with respect to the logical storage unit.
However, Asenjo does teach determining a frequency with which to poll the storage system to validate the host system with respect to the logical storage unit. [Asenjo, para. 46 after the defined period of time has expired, the authentication component 202 can generate a different access key for the cloud agent device. For example, after the defined period of time has expired, the cloud agent device can be required to generate another authentication request and be re-authenticated with the cloud platform.]
	Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Asenjo’s system with modified Damm’s system, with a motivation to authenticate the cloud agent device allowing the cloud data processing component to be configured to receive, at a cloud platform that authenticates the cloud agent device, one or more data packets from the cloud agent device during the defined period of time [Asenjo, para. 47]
 
Claims 22 – 23 are rejected under 35 U.S.C. 103 as being unpatentable over US 8719952 B1 to Damm-Goossens, (hereafter, "Damm") in view of US 20190394042 A1 to Peddada in further view of US 20130219166 A1 to Ristov et al., (hereinafter, “Ristov”).
Regarding claim 22, modified Damn teaches the method of Claim 3, wherein the unreadable encryption key is a hidden encryption key encoded in hardware in a hardware-encrypted module (HEM) [Damn, col. 13 lines 46 – 60 discloses the security of private key 80b relies on the quality of the user's password. Strong passwords are long and complicated and therefore hard to remember, so some users have the tendency to use simple passwords, which may be easy to guess by an attacker. Some mobile communication devices and/or do not readily allow users to use strong passwords. Even strong passwords may be vulnerable to brute-force attacks given sufficient computing power. To counteract attacks on the password, some embodiments of the present invention store private key 80b in an unstructured form, i.e. a form for which decryption of the private key with the correct password does not appear on the surface (e.g. syntactically) different from decryption with an incorrect password. Thus, an attacker may know readily determine whether a particular decrypted private key is a correct or incorrect private key], but modified Damn does not teach wherein the HEM is configured to receive an Page 6 of 14input and produce an output that is the input encrypted using the hidden encryption key, wherein the hidden encryption key cannot be read by executing code or using an electrical or optical connection to the HEM.  
However, Ristov does teach wherein the HEM is configured to receive an input and produce an output that is the input encrypted using the hidden encryption key, wherein the hidden encryption key cannot be read by executing code or using an electrical or optical connection to the HEM. [Ristov, para. 33 discloses secure key 582 is a key such as an Advanced Encryption Standard (AES) key that may be randomly generated by the HIM 440 when initializing the secure module 460. The secure key 582 is maintained in the secure module 460 at all times and thus is not even accessible to an administrator or root user of the operating system 426. The processor 551 in the secure module 460 encrypts the private key 580 using the secure key 582 to produce an encrypted private key 584 and transfers the encrypted private key to the HIM 440. The private key 580 then may be deleted from the memory of the secure module 460.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Ristov’s system with modified Damm’s system, with a motivation to obtain a private key from the server which is encrypted and securely stored by the client device 400 so that it cannot be misappropriated or otherwise accessed by an unauthorized party. [Ristov, para. 29]

Regarding claim 23, modified Damn teaches the method of Claim 22, but Damn does not teach wherein said encrypting the private key with the unreadable encryption key includes: providing the private key as the input to the HEM; and responsive to said providing, generating the encrypted private key as the output of the HEM.
However, Ristov does teach wherein said encrypting the private key with the unreadable encryption key includes: providing the private key as the input to the HEM; and responsive to said providing, generating the encrypted private key as the output of the HEM. [Ristov, para. 33 discloses secure key 582 is a key such as an Advanced Encryption Standard (AES) key that may be randomly generated by the HIM 440 when initializing the secure module 460. The secure key 582 is maintained in the secure module 460 at all times and thus is not even accessible to an administrator or root user of the operating system 426. The processor 551 in the secure module 460 encrypts the private key 580 using the secure key 582 to produce an encrypted private key 584 and transfers the encrypted private key to the HIM 440. The private key 580 then may be deleted from the memory of the secure module 460.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Ristov’s system with modified Damm’s system, with a motivation to obtain a private key from the server which is encrypted and securely stored by the client device 400 so that it cannot be misappropriated or otherwise accessed by an unauthorized party. [Ristov, para. 29]

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Phuc Pham whose telephone number is (571)272-8893.  The examiner can normally be reached on Monday - Thursday 7:30 AM - 4:30 PM; Friday 8:00 AM - 12:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/P.P./Patent Examiner, Art Unit 2434                                                                                                                                                                                                        /NOURA ZOUBAIR/Primary Examiner, Art Unit 2434