DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Election/Restrictions
NO restrictions warranted at applicant’s initial time of filing for patent. 
Priority
Applicant’s instant application claims domestic priority under 35 USC 120 to parent application # 16/062192, filed on 06/14/2018, now US PAT # 10887310, which in turn claims domestic priority as a bypass application of PCT/EP2016/08016, filed on 12/08/2016. 
Applicant’s instant application also claims foreign priority under 35 USC 119(a)-(d) to EP 201664.8, filed on 12/21/2015. 
Applicant’s required foreign priority documents were filed with the office on 11/25/2020. 
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 11/12/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Oath/Declaration
Applicant’s oath was filed on 11/12/2020. 
Drawings
The drawings are objected to under 37 CFR 1.83(a) because they fail to show the reference labels of components 110, 111, 112, 113, 120, 130, 131, 132, 140, 150, etc. of Figure 1, and of components 1110, 1120, 1122, 1124, 1126, 1130 of Figure 9b, as described in the specification. Any structural detail that is essential for a proper understanding of the disclosed invention should be shown in the drawing. MPEP § 608.02(d). Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.
	Appropriate action required. 

INFORMATION ON HOW TO EFFECT DRAWING CHANGES


Replacement Drawing Sheets

Drawing changes must be made by presenting replacement sheets which incorporate the desired changes and which comply with 37 CFR 1.84.  An explanation of the changes made must be presented either in the drawing amendments section or in the remarks section of the amendment paper.  Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d).  A replacement sheet must include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended.  The figure or figure number of the amended drawing(s) must not be labeled as “amended.”  If the changes to the drawing figure(s) are not accepted by the examiner, applicant will be notified of any required corrective action in the next Office action.  No further drawing submission will be required, unless applicant is notified.

Identifying indicia, if provided, should include the title of the invention, inventor’s name, and application number, or docket number (if any) if an application number has not been assigned to the application. If this information is provided, it must be placed on the front of each sheet and within the top margin. 

Annotated Drawing Sheets

A marked-up copy of any amended drawing figure, including annotations indicating the changes made, may be submitted or required by the examiner.  The annotated drawing sheet(s) must be clearly labeled as “Annotated Sheet” and must be presented in the amendment or remarks section that explains the change(s) to the drawings.

Timing of Corrections

Applicant is required to submit acceptable corrected drawings within the time period set in the Office action. See 37 CFR 1.85(a). Failure to take corrective action within the set period will result in ABANDONMENT of the application. 

If corrected drawings are required in a Notice of Allowability (PTOL-37), the new drawings MUST be filed within the THREE MONTH shortened statutory period set for reply in the “Notice of Allowability.” Extensions of time may NOT be obtained under the provisions of 37 CFR 1.136 for filing the corrected drawings after the mailing of a Notice of Allowability. 

Specification
The abstract of the disclosure is objected to because the abstract is replete with parenthesized reference numerals, which makes reading the abstract distracting.  
Correction is required.  See MPEP § 608.01(b).
Claim Objections
NO objections warranted at applicant’s initial time of filing for patent. 
Claim Interpretation – 35 USC 112, sixth paragraph, or 112(f)
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:

(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 

This application includes one or more claim limitations that use the word “means” or “step” but are nonetheless not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph because the claim limitation(s) recite(s) sufficient structure, materials, or acts to entirely perform the recited function.  
Such claim limitation(s) is/are: 
As per claim 1. An enrollee device for use in a network system arranged for wireless communication between network devices for secure communication according to a security protocol, the network system comprising:
a network device arranged “to act as the enrollee device according to the security protocol, and a network device arranged to act as a configurator device according to the security protocol;” 
wherein the configurator device comprises a configurator communication unit arranged “to receive, from the enrollee device, a network access request according to the security protocol, the network access request including an encoded second enrollee public key and a first enrollee public key,” and 
a configurator processor comprising a memory arranged “to have, for the configurator device, a configurator public key and a corresponding configurator private key and to have, for the network system, a network public key and a corresponding network private key,” the configurator processor arranged “to:
derive a first shared key based on the network private key and the first enrollee public key,
decode the encoded second enrollee public key using the first shared key,
verify the encoded second enrollee public key was encoded by the first shared key,
generate security data using the second enrollee public key and the configurator private key,
derive a second shared key based on the first enrollee public key, the second enrollee public key and the network private key,
protect cryptographically, using the second shared key, at least one of the security data and configurator public key, and
generate a network access message according to the security protocol, the network access message including at least one of the protected security data and protected configurator public key;” the enrollee device comprising:
an enrollee wireless communication unit, an enrollee sensor arranged “to:
acquire a data pattern, the data pattern being provided in the area and representing the network public key; and
an enrollee processor comprising a memory arranged to have the first enrollee public key and a corresponding first enrollee private key and to have the second enrollee public key and a corresponding second enrollee private key,” the enrollee processor arranged “to: 
derive the first shared key based on the network public key and the first enrollee private key, encode the second enrollee public key using the first shared key, generate the network access request according to the security protocol, the network access request including the encoded second enrollee public key and the first enrollee public key, and transfer the network access request to the configurator device;” the enrollee processor further arranged “to: 
receive the network access message in the form of action frames from the configurator, derive the second shared key based on the first enrollee private key, the second enrollee private key and the network public key, verify at least one of the protected security data and the protected configurator public key was cryptographically protected by the second shared key, and engage the secure communication based on the second enrollee private key and the security data.”
As per claim 2. The enrollee device as claimed in claim 1, wherein the enrollee processor is arranged “to generate a temporary enrollee public key and a corresponding temporary enrollee private key, which keys constitute the first enrollee public key and the corresponding first enrollee private key;” 
and/or the enrollee processor is arranged “to generate a further temporary enrollee public key and a corresponding further temporary enrollee private key, which keys constitute the second enrollee public key and the corresponding second enrollee private key.”
As per claim 3. The enrollee device as claimed in claim 1, the configurator processor being further arranged “to: 
generate the security data by providing a configurator session key and transferring the configurator session key to the enrollee;” 
wherein the enrollee processor is further arranged “to 
receive the configurator session key, and engage the secure communication based on the configurator session key.”
As per claim 4. The enrollee device as claimed in claim 1, the configurator processor being further arranged to: 
“generate a configurator session public key and a corresponding configurator session private key, derive a third shared key based on the configurator session private key and the second enrollee public key, and transfer the configurator session public key to the enrollee;” wherein the enrollee processor is further arranged “to: 
receive the configurator session public key, derive the third shared key based on the second enrollee private key and the configurator session public key and engage secure communication based on the third shared key.”
As per claim 5. The enrollee device as claimed in claim 1, the network system comprising a further network device arranged “to: 
receive the second enrollee public key and the security data, provide a session network public key and a corresponding session network private key, derive a fifth shared key based on the session network private key and the second enrollee public key and transfer the session network public key to the enrollee;” wherein the enrollee processor is further arranged “to: 
receive the session network public key, derive the fifth shared key based on the second enrollee private key and the session network public key, and engage secure communication with the further network device based on the fifth shared key.”
As per claim 6. The enrollee device as claimed in claim 1, the configurator processor being further arranged: 
“to generate the security data comprising a digital signature by digitally signing the second enrollee public key with the configurator private key, to transfer the digital signature to a third device and/or to the enrollee for enabling secure communication between the enrollee and the third device;” 
the enrollee processor is further arranged “to: receive the digital signature, verify, based on the digital signature and the configurator public key, whether the second enrollee public key was correctly signed and, if so, engage the secure communication based on the second enrollee private key.”
As per claim 7. The enrollee device as claimed in claim 6, wherein the network system comprises a further network device arranged “to: 
obtain the configurator public key, receive the digital signature and the second enrollee public key, verify, based on the digital signature and the configurator public key, whether the second enrollee public key was correctly signed and, if so, engage the secure communication with the enrollee device based on the second enrollee public key.”
As per claim 8. The enrollee device as claimed in claim 1, the configurator processor being further arranged “to:
generate further security data comprising a further digital signature by digitally signing, with the configurator private key, a further public key of a further network device;” 
wherein the enrollee processor is further arranged “for using the further security data by:
receiving the further public key and the further digital signature, verifying, based on the further digital signature and the configurator public key, whether the further public key was correctly signed and, if so, securely communicating with the further network device using the second enrollee private key and the further public key.”
As per claim 9. The enrollee device as claimed in claim 1, the configurator processor being further arranged “to:
decode encoded enrollee test data using the second shared key, verify whether the enrollee test data was encoded by the second shared key at the enrollee” wherein the enrollee processor is further arranged “to: 
generate the enrollee test data, encode the enrollee test data using the second shared key, transfer the encoded enrollee test data to the configurator.”
As per claim 10. The enrollee device as claimed in claim 1, the configurator processor being further arranged “to: 
generate configurator test data, encode the configurator test data using the second shared key, transfer the encoded configurator test data to the enrollee;” 
wherein the enrollee processor is further arranged “to: 
decode the encoded configurator test data using the second shared key, verify whether the configurator test data was encoded by the second shared key at the configurator.”
As per claim 11. Enrollee method for use in a network system arranged for wireless communication between network devices in an area and for secure communication according to a security protocol, the network system comprising:
a network device executing the enrollee method to act as an enrollee device according to the security protocol, and
a network device arranged “to act as a configurator device according to the security protocol for enabling access to the network by the enrollee device;” 
wherein the configurator device comprises:
a configurator communication unit arranged “to receive a network access request according to the security protocol, the network access request including an encoded second enrollee public key and a first enrollee public key,” and
a configurator processor comprising a memory arranged “to have, for the configurator device, a configurator public key and a corresponding configurator private key and to have, for the network system, a network public key and a corresponding network private key,” the configurator processor arranged “to:
derive a first shared key based on the network private key and the first enrollee public key, decode the encoded second enrollee public key using the first shared key, verify the encoded second enrollee public key was encoded by the first shared key, generate security data using the second enrollee public key and the configurator private key, derive a second shared key based on the first enrollee public key, the second enrollee public key and the network private key, protect cryptographically, using the second shared key, at least one of the security data and configurator public key, and
generate a network access message according to the security protocol, the network access message including at least one of the protected security data and protected configurator public key;”
the enrollee method comprising:
acquire a data pattern, the data pattern being provided in the area and representing the network public key; and
an enrollee processor comprising a memory arranged “to have the first enrollee public key and a corresponding first enrollee private key and to have the second enrollee public key and a corresponding second enrollee private key,” the enrollee processor arranged “to:
derive the first shared key based on the network public key and the first enrollee private key, encode the second enrollee public key using the first shared key, generate the network access request according to the security protocol, the network access request including the encoded second enrollee public key and the first enrollee public key, and
transfer the network access request to the configurator device;”
 the enrollee method further comprising: 
receiving the network access message in the form of action frames from the configurator, deriving the second shared key based on the first enrollee private key, the second enrollee private key and the network public key, verifying at least one of the protected security data and the protected configurator public key was cryptographically protected by the second shared key, and engaging the secure communication based on the second enrollee private key and the security data.
As per claim 12. The enrollee method as claimed in claim 11, wherein the enrollee processor is arranged “to generate a temporary enrollee public key and a corresponding temporary enrollee private key, which keys constitute the first enrollee public key and the corresponding first enrollee private key;” and/or 
the enrollee processor is arranged “to generate a further temporary enrollee public key and a corresponding further temporary enrollee private key, which keys constitute the second enrollee public key and the corresponding second enrollee private key.”
As per claim 13. The enrollee method as claimed in claim 11, the configurator processor being further arranged “to: 
generate the security data by providing a configurator session key and transferring the configurator session key to the enrollee; wherein the enrollee processor is further arranged to receive the configurator session key, and engage the secure communication based on the configurator session key.”
As per claim 14. The enrollee method as claimed in claim 11, the configurator processor being further arranged “to: 
generate a configurator session public key and a corresponding configurator session private key, derive a third shared key based on the configurator session private key and the second enrollee public key, and transfer the configurator session public key to the enrollee;” 
wherein the enrollee processor is further arranged “to: 
receive the configurator session public key, derive the third shared key based on the second enrollee private key and the configurator session public key and engage secure communication based on the third shared key.”
As per claim 15. The enrollee method as claimed in claim 11, the network system comprising a further network device arranged “to: 
receive the second enrollee public key and the security data, provide a session network public key and a corresponding session network private key, derive a fifth shared key based on the session network private key and the second enrollee public key and transfer the session network public key to the enrollee;” 
wherein the enrollee processor is further arranged “to:
receive the session network public key, derive the fifth shared key based on the second enrollee private key and the session network public key, and engage secure communication with the further network device based on the fifth shared key.”
As per claim 16. The enrollee method as claimed in claim 11, the configurator processor being further arranged: 
“to generate the security data comprising a digital signature by digitally signing the second enrollee public key with the configurator private key, to transfer the digital signature to a third device and/or to the enrollee for enabling secure communication between the enrollee and the third device;”
 wherein the enrollee processor is further arranged “to: 
receive the digital signature, verify, based on the digital signature and the configurator public key, whether the second enrollee public key was correctly signed and, if so, engage the secure communication based on the second enrollee private key.”
As per claim 17. The enrollee method as claimed in claim 16, wherein the network system comprises a further network device arranged “to: 
obtain the configurator public key, receive the digital signature and the second enrollee public key, verify, based on the digital signature and the configurator public key, whether the second enrollee public key was correctly signed and, if so, engage the secure communication with the enrollee device based on the second enrollee public key.”
As per claim 18. The enrollee method as claimed in claim 11, the configurator processor being further arranged “to: 
generate further security data comprising a further digital signature by digitally signing, with the configurator private key, a further public key of a further network device;” 
the enrollee processor is further arranged “for using the further security data by: 
receiving the further public key and the further digital signature, verifying, based on the further digital signature and the configurator public key, whether the further public key was correctly signed and, if so, securely communicating with the further network device using the second enrollee private key and the further public key.”
As per claim 19. The enrollee method as claimed in claim 11, the configurator processor being further arranged “to: 
decode encoded enrollee test data using the second shared key, verify whether the enrollee test data was encoded by the second shared key at the enrollee” wherein the enrollee processor is further arranged “to: 
generate the enrollee test data, encode the enrollee test data using the second shared key, transfer the encoded enrollee test data to the configurator.”
As per claim 20. The enrollee method as claimed in claim 11, the configurator processor being further arranged “to: 
generate configurator test data, encode the configurator test data using the second shared key, transfer the encoded configurator test data to the enrollee;” 
wherein the enrollee processor is further arranged “to: 
decode the encoded configurator test data using the second shared key, verify whether the configurator test data was encoded by the second shared key at the configurator.”
Because this/these claim limitation(s) is/are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are not being interpreted to cover only the corresponding structure, material, or acts described in the specification as performing the claimed function, and equivalents thereof.
If applicant intends to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to remove the structure, materials, or acts that perform the claimed 
Appropriate action required. 
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):

(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 2, 6, 12, 16 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. It is unclear from the claim language which claim limitations positively limit the claim, based on the phrase “…and/or…”. It is also unclear which claim limitations are to be examined, because the recited “…and/or…” allows either a single claim limitation or both claim limitations to be examined according to the appropriate section of the MPEP.  
	Appropriate action required. 
Claims 6, 7, 8, 16, 17, 18 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. It is unclear whether the limitations recited after “…if so,…” are required for examination and further limit the claim.  
	Appropriate action required. 
Claims 1 – 20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. It would appear to the office that the claim language of the claimed invention is not further limiting. The claim language recites “…arranged to…,” which suggests that the claim elements are merely set up for implementation of the claim limitation, or that there is no actual implementation of the claimed invention as recited; thus, “…arranged to…” makes the claimed invention indefinite. 
	Appropriate action required. 
Double Patenting
The non-statutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper time-wise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A non-statutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on non-statutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based e-Terminal Disclaimer may be filled out completely online using web-screens. An e-Terminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about e-Terminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1 - 11 are rejected on the ground of non-statutory double patenting as being unpatentable over claims 1 - 11 of U.S. Patent No. 10887310. Although the claims at issue are not identical, they are not patentably distinct from each other, because the subject matter of both the pending application and the patent is the same or similar in scope in the following manner: 
An enrollee in a communication network can use the network by exchanging communication parameters with a configurator to access the network. The enrollee acquires a data pattern, derives a first shared key based on the network public key and the first enrollee private key, and encodes a second enrollee public key using the first shared key, which it includes in a network access request. The configurator derives the first shared key, verifies whether the encoded second enrollee public key was encoded by the first shared key, generates security data, cryptographically protects data using a second shared key, and generates a network access message. The enrollee processor further derives the second shared key and verifies whether the data was cryptographically protected, which allows it to engage in secure communication based on the second enrollee private key and the security data.
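The exchange summarized above and set out in claim 1 (with the security data in claim 3's session-key form), as an added Go simulation that is not the applicant's code or any implementation from the patent: P-256 ECDH provides the shared keys, a SHA-256 derivation turns them into AES keys, and AES-GCM serves as the “encode” and “protect” step whose authentication tag is what each side verifies. The derivation labels, the 12-byte nonce layout, the function names, and the omission of the configurator's own key pair, signatures and action-frame transport are this example's assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// random returns n CSPRNG bytes; a failing CSPRNG is fatal for a key-exchange demo.
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// kdf derives a 32-byte AES key from a label plus raw ECDH secrets; the label keeps the two shared keys apart (this example's construction).
func kdf(label string, secrets ...[]byte) []byte {
	sum := sha256.Sum256(append([]byte(label), bytes.Join(secrets, nil)...))
	return sum[:]
}

func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // kdf always yields a valid 32-byte key
	aead, _ := cipher.NewGCM(block)
	return aead
}

// seal "encodes" data under key with AES-GCM; the tag is what lets the peer later "verify ... was encoded by" that key.
func seal(key, data []byte) []byte {
	nonce := random(12)
	return gcm(key).Seal(nonce, nonce, data, nil) // nonce || ciphertext || tag
}

// open reverses seal and fails for a wrong key or a modified blob.
func open(key, sealed []byte) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, errors.New("sealed blob too short")
	}
	return gcm(key).Open(nil, sealed[:12], sealed[12:], nil)
}

// EnrolleeRequest builds the network access request: E1's public key in the clear plus E2's public key encoded under the first shared key.
func EnrolleeRequest(netPub *ecdh.PublicKey, e1, e2 *ecdh.PrivateKey) (e1Pub, encE2 []byte) {
	s1, _ := e1.ECDH(netPub) // first shared key: network public key, first enrollee private key (ECDH only fails on a curve mismatch)
	return e1.PublicKey().Bytes(), seal(kdf("first", s1), e2.PublicKey().Bytes())
}

// ConfiguratorHandle is the configurator side of claim 1: recover and verify E2's key, derive
// the second shared key and return the security data (claim 3's session key) protected under it.
func ConfiguratorHandle(netPriv *ecdh.PrivateKey, e1Pub, encE2 []byte) ([]byte, error) {
	e1, err := ecdh.P256().NewPublicKey(e1Pub) // rejects malformed or off-curve points
	if err != nil {
		return nil, err
	}
	s1, _ := netPriv.ECDH(e1) // first shared key: network private key, first enrollee public key
	e2Raw, err := open(kdf("first", s1), encE2)
	if err != nil {
		return nil, fmt.Errorf("E2 key was not encoded under the first shared key: %w", err)
	}
	e2, err := ecdh.P256().NewPublicKey(e2Raw)
	if err != nil {
		return nil, err
	}
	s2, _ := netPriv.ECDH(e2)
	k2 := kdf("second", s1, s2) // second shared key: E1 pub, E2 pub and network private key
	return seal(k2, random(32)), nil
}

// EnrolleeFinish derives the second shared key, verifies the protected security data and returns the session key.
func EnrolleeFinish(netPub *ecdh.PublicKey, e1, e2 *ecdh.PrivateKey, protData []byte) ([]byte, error) {
	s1, _ := e1.ECDH(netPub)
	s2, _ := e2.ECDH(netPub)
	session, err := open(kdf("second", s1, s2), protData)
	if err != nil {
		return nil, fmt.Errorf("security data was not protected by the second shared key: %w", err)
	}
	return session, nil
}

// Provision runs the exchange for an enrollee that read netPub from the data pattern, with fresh temporary E1/E2 keys (claim 2).
func Provision(netPriv *ecdh.PrivateKey, netPub *ecdh.PublicKey) ([]byte, error) {
	e1, err1 := ecdh.P256().GenerateKey(rand.Reader)
	e2, err2 := ecdh.P256().GenerateKey(rand.Reader)
	if err := errors.Join(err1, err2); err != nil {
		return nil, err
	}
	e1Pub, encE2 := EnrolleeRequest(netPub, e1, e2)
	protData, err := ConfiguratorHandle(netPriv, e1Pub, encE2)
	if err != nil {
		return nil, err
	}
	return EnrolleeFinish(netPub, e1, e2, protData)
}
```

Because both sides only ever see AES-GCM blobs, an enrollee that scanned a different network's data pattern is refused by the configurator, and any change to the protected security data in transit is refused by the enrollee.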
Please see the claim by claim comparison below. For each claim, the pending claim of US App # 17/006062 is given first, followed by the corresponding claim of US PAT # 10887310.
Pending US App # 17/006062, claim 1:
1. An enrollee device for use in a network system arranged for wireless communication between network devices for secure communication according to a security protocol, the network system comprising:

a network device arranged to act as the enrollee device according to the security protocol, and

a network device arranged to act as a configurator device according to the security protocol; 

wherein the configurator device comprises a configurator communication unit arranged to receive, from the enrollee device, a network access request according to the security protocol,
the network access request including an encoded second enrollee public key and a first enrollee public key, and a configurator processor comprising a memory arranged to have, for the configurator device, a configurator public key and a corresponding configurator private key and to have, for the network system, a network public key and a corresponding network private key, the configurator processor arranged to:

derive a first shared key based on the network private key and the first enrollee public key,

decode the encoded second enrollee public key using the first shared key,

verify the encoded second enrollee public key was encoded by the first shared key,

generate security data using the second enrollee public key and the configurator private key,

derive a second shared key based on the first enrollee public key, the second
enrollee public key and the network private key,

protect cryptographically, using the second shared key, at least one of the
security data and configurator public key, and

generate a network access message according to the security protocol, the
network access message including at least one of the protected security data and protected configurator public key;

the enrollee device comprising:

an enrollee wireless communication unit, an enrollee sensor arranged to:

acquire a data pattern, the data pattern being provided in the area and
representing the network public key; and

an enrollee processor comprising a memory arranged to have the first enrollee public key and a corresponding first enrollee private key and to have the second enrollee public key and a corresponding second enrollee private key, the enrollee processor arranged to:

derive the first shared key based on the network public key and the first enrollee private key,

encode the second enrollee public key using the first shared key, generate the network access request according to the security protocol, the network access request including the encoded second enrollee public key and the first enrollee public key, and

transfer the network access request to the configurator device;


the enrollee processor further arranged to:

receive the network access message in the form of action frames from the
configurator,


derive the second shared key based on the first enrollee private key, the second enrollee private key and the network public key, verify at least one of the protected security data and the protected configurator public key was cryptographically protected by the second shared key, and

engage the secure communication based on the second enrollee private key and the security data.

US PAT # 10887310, claim 1:
An enrollee device for use in a network system arranged for wireless communication between network devices in an area and for secure communication according to a security protocol, the network system comprising:

a first network device arranged to act as the enrollee device according to the security protocol for getting
access to the network, and

a second network device arranged to act as a configurator device according to the security protocol for enabling 

wherein the configurator device comprises a configurator communication unit arranged to receive, from the enrollee device, a network access request according to the security protocol, the network access request including an encoded second enrollee public key and a first enrollee public key, and a configurator processor comprising a memory arranged to have, for the configurator device, a configurator public key and a corresponding configurator private key and to have, for the network system, a network public key and a corresponding network private key, the configurator processor arranged to:

derive a first shared key based on the network private key and the first enrollee public key,

decode the encoded second enrollee public key using the first shared key,

verify whether the encoded second enrollee public key was encoded by the first shared key and,

generate security data using the second enrollee public key and the configurator private key,

derive a second shared key based on the first enrollee public key, the second enrollee public key and the
network private key,

protect cryptographically, using the second shared key, at least one of the security data and configurator public key, and


generate a network access message according to the security protocol, the network access message including
at least one of the protected security data and protected configurator public key;

the enrollee device comprising:

an enrollee wireless communication unit arranged for wireless communication;

an enrollee sensor arranged to:

acquire a data pattern via an out-of-band channel, the data pattern being provided in the area and
representing the network public key; and

an enrollee processor comprising a memory arranged to have the first enrollee public key and a
corresponding first enrollee private key and to have the second enrollee public key and a corresponding second enrollee private key,
the enrollee processor arranged to:

derive the first shared key based on the network public key and the first enrollee private key,

encode the second enrollee public key using the first shared key, generate the network access request according to the security protocol, the network access request including the encoded second enrollee public key and the first enrollee public key, and

transfer the network access request to the configurator device via the enrollee wireless communication unit;

the enrollee processor further arranged to:

receive the network access message from the configurator via the enrollee wireless communication unit,


derive the second shared key based on the first enrollee private key, the second enrollee private key and the network public key, verify whether at least one of the protected security data and the protected configurator public key was cryptographically protected by the second shared key, and


engage the secure communication based on the second enrollee private key and the security data.

Pending US App # 17/006062, claim 2:
The enrollee device as claimed in claim 1, wherein the enrollee processor is arranged to generate a temporary enrollee public key and a corresponding temporary enrollee private key, which keys constitute the first enrollee public key and the corresponding first enrollee private key; and/or 

the enrollee processor is arranged to generate a further temporary enrollee public key and a corresponding further temporary enrollee private key, which keys constitute the second enrollee public key and the corresponding second enrollee private key.

US PAT # 10887310, claim 2:
The enrollee device as claimed in claim 1, wherein the enrollee processor is arranged to generate a temporary enrollee public key and a corresponding temporary enrollee private key, which keys constitute the first enrollee public key and the corresponding first enrollee private key; and

the enrollee processor is arranged to generate a further temporary enrollee public key and a corresponding
further temporary enrollee private key, which keys constitute the second enrollee public key and the corresponding
second enrollee private key.

Pending US App # 17/006062, claim 3:
The enrollee device as claimed in claim 1, the configurator processor being further arranged to:

generate the security data by providing a configurator session key and transferring the configurator session key to the enrollee;

wherein the enrollee processor is further arranged to receive the configurator session key, and engage the secure communication based on the configurator session key.

US PAT # 10887310, claim 3:
3. The enrollee device as claimed in claim 1, the configurator processor being further arranged to generate the security data by providing a configurator session key and transferring the configurator session key to the enrollee; 

wherein the enrollee processor is further arranged to receive the configurator session key and engage the secure communication based on the configurator session key.

Pending US App # 17/006062, claim 4:
4. The enrollee device as claimed in claim 1, the configurator processor being further arranged to:

generate a configurator session public key and a corresponding configurator session
private key, derive a third shared key based on the configurator session private key and the second enrollee public key, and

transfer the configurator session public key to the enrollee;


wherein the enrollee processor is further arranged to:


receive the configurator session public key, derive the third shared key based on the second enrollee private key and the configurator session public key and engage secure communication based on the third shared key.


US PAT # 10887310, claim 4:
The enrollee device as claimed in claim 1, the configurator processor being further arranged to 

generate a configurator session public key and a corresponding configurator session private key, derive a third shared key based on the configurator session private key and the second enrollee public key, and

transfer the configurator session public key to the enrollee;

wherein the enrollee processor is further arranged to 

receive the configurator session public key, derive the third shared key based on the second enrollee private key and the configurator session public key and engage secure communication based on the third shared key.

Pending US App # 17/006062, claim 5:
The enrollee device as claimed in claim 1, the network system comprising a further network device arranged to:


receive the second enrollee public key and the security data, provide a session network public key and a corresponding session network private key, derive a fifth shared key based on the session network private key and the second enrollee
public key and transferring the session network public key to the enrollee;

wherein the enrollee processor is further arranged to:

receive the session network public key, derive the fifth shared key based on the second enrollee private key and the session network public key, and
engage securely communication with the further network device based on the fifth shared key.

US PAT # 10887310, claim 5:
5. The enrollee device as claimed in claim 1, the network system comprising a further network device arranged to


receive the second enrollee public key and the security data, provide a session network public key and a corresponding session network private key, derive a fifth shared key based on the session network private key and the second enrollee public key and transferring the session network public key to the enrollee;

wherein the enrollee processor is further arranged to


receive the session network public key,
derive the fifth shared key based on the second enrollee private key and the session network public key, and
engage securely communication with the further network device based on the fifth shared key.

Pending US App # 17/006062, claim 6:
6. The enrollee device as claimed in claim 1, the configurator processor being further arranged:


to generate the security data comprising a digital signature by digitally signing the second enrollee public key with the configurator private key, to transfer the digital signature to a third device and/or to the enrollee for enabling secure communication between the enrollee and the third device;


wherein the enrollee processor is further arranged to:

receive the digital signature, verify, based on the digital signature and the configurator public key, whether the second enrollee public key was correctly signed and, if so, 

engage the secure communication based on the second enrollee private key.

US PAT # 10887310, claim 6:
The enrollee device as claimed in claim 1, the configurator processor being further arranged


to generate the security data comprising a digital signature by digitally signing the second enrollee public key with the
configurator private key, to transfer the digital signature to a third device or to the enrollee for enabling secure communication between the enrollee and the third device;


wherein the enrollee processor is further arranged to

receive the digital signature, verify, based on the digital signature and the configurator public key, whether the second enrollee public key was
correctly signed and,

engage the secure communication based on the second enrollee private key.


Pending US App # 17/006062, claim 7:
The enrollee device as claimed in claim 6, wherein the network system comprises a further network device arranged to:

obtain the configurator public key,
receive the digital signature and the second enrollee public key, verify, based on the digital signature and the configurator public key, whether the second enrollee public key was correctly signed and, if so,

engage the secure communication with the enrollee device based on the second enrollee public key.


US PAT # 10887310, claim 7:
7. The enrollee device as claimed in claim 6, wherein the network system comprises a further network device arranged to

obtain the configurator public key,
receive the digital signature and the second enrollee public key, verify, based on the digital signature and the configurator public key, whether the second enrollee public key was
correctly signed and,

engage the secure communication with the enrollee device based on the second enrollee public key.

Pending US App # 17/006062, claim 8:
8. The enrollee device as claimed in claim 1, the configurator processor being further arranged to:

generate further security data comprising a further digital signature by digitally signing, with the configurator private key, a further public key of a further network device; 


wherein the enrollee processor is further arranged for using the further security data by:


receiving the further public key and the further digital signature, verifying, based on the further digital signature and the configurator public key, whether the further public key was correctly signed and, if so,

securely communicating with the further network device using the second enrollee private key and the further public key.

US PAT # 10887310, claim 8:
The enrollee device as claimed in claim 3, the configurator processor being further arranged to 

generate further security data comprising a further digital signature by digitally signing, with the configurator private key, a further public key of a further network device;


wherein the enrollee processor is further arranged for using the further security data by


receiving the further public key and the further digital signature, verifying, based on the further digital signature and the configurator public key, whether the further public key was correctly signed and,

securely communicating with the further network device using the second enrollee private key and the further public
key.

Pending US App # 17/006062, claim 9:
The enrollee device as claimed in claim 1, the configurator processor being further arranged to:

decode encoded enrollee test data using the second shared key,
verify whether the enrollee test data was encoded by the second shared key at the enrollee


wherein the enrollee processor is further arranged to:

generate the enrollee test data,
encode the enrollee test data using the second shared key, transfer the encoded enrollee test data to the configurator.

US PAT # 10887310, claim 9:
The enrollee device as claimed in claim 3, the configurator processor being further arranged to

decode encoded enrollee test data using the second shared key,
verify whether the enrollee test data was encoded by the second shared key at the enrollee 

wherein the enrollee processor is further arranged to

generate the enrollee test data, encode the enrollee test data using the second shared key, transfer the encoded enrollee test data to the configurator.

Pending US App # 17/006062, claim 10:
The enrollee device as claimed in claim 1, the configurator processor being further arranged to:


generate configurator test data,
encode the configurator test data using the second shared key,
transfer the encoded configurator test data to the enrollee; 

wherein the enrollee processor is further arranged to:

decode the encoded configurator test data using the second shared key,
verify whether the configurator test data was encoded by the second shared key
at the configurator.

US PAT # 10887310, claim 10:
10. The enrollee device as claimed in claim 3, the configurator processor being further arranged to


generate configurator test data,
encode the configurator test data using the second shared key,
transfer the encoded configurator test data to the enrollee;


wherein the enrollee processor is further arranged to

decode the encoded configurator test data using the second shared key,
verify whether the configurator test data was encoded by the second shared key at the configurator.

Pending US App # 17/006062, claim 11:
11. Enrollee method for use in a network system arranged for wireless communication between network devices in an area and for secure communication according to a security protocol, the network system comprising:


a network device executing the enrollee method to act as an enrollee device according to the security protocol, and


a network device arranged to act as a configurator device according to the security protocol for enabling access to the network by the enrollee device;


wherein the configurator device comprises:

a configurator communication unit arranged to receive a network access request according to the security protocol, the network access request including an encoded second enrollee public key and a first enrollee public key, and


a configurator processor comprising a memory arranged to have, for the configurator device, a configurator public key and a corresponding configurator private key and to have, for the network system, a network public key and a corresponding network private key,

the configurator processor arranged to:

derive a first shared key based on the network private key and the first enrollee
public key,


decode the encoded second enrollee public key using the first shared key,

verify the encoded second enrollee public key was encoded by the first shared key,

generate security data using the second enrollee public key and the configurator private key, derive a second shared key based on the first enrollee public key, the second enrollee public key and the network private key,

protect cryptographically, using the second shared key, at least one of the
security data and configurator public key, and

generate a network access message according to the security protocol, the
network access message including at least one of the protected security data and protected configurator public key;

the enrollee method comprising:

acquire a data pattern, the data pattern being provided in the area and
representing the network public key; and

an enrollee processor comprising a memory arranged to have the first enrollee public key and a corresponding first enrollee private key and to have the second enrollee public key and a corresponding second enrollee private key, the enrollee processor arranged to:

derive the first shared key based on the network public key and the first enrollee private key,

encode the second enrollee public key using the first shared key,

generate the network access request according to the security protocol, the
network access request including the encoded second enrollee public key and the first enrollee public key, and

transfer the network access request to the configurator device;


the enrollee method further comprising:

receiving the network access message in the form of action frames from the
configurator,

deriving the second shared key based on the first enrollee private key, the second enrollee private key and the network public key,

verifying at least one of the protected security data and the protected
configurator public key was cryptographically protected by the second shared key, and

engaging the secure communication based on the second enrollee private key and the security data.

US PAT # 10887310, claim 11:
Enrollee method for use in a network system arranged for wireless communication between network devices in an area and for secure communication according to a security protocol, the network system comprising:


a first network device executing the enrollee method to act as an enrollee device according to the security protocol for getting access to the network, and

a second network device arranged to act as a configurator device according to the security protocol for enabling
access to the network by the enrollee device;

wherein the configurator device comprises:

a configurator communication unit arranged to receive, from the enrollee device, a network access request according to the security protocol, the network access request including an encoded second enrollee public key and a first enrollee public key, and

a configurator processor comprising a memory arranged to have, for the configurator device, a configurator public key and a corresponding configurator private key and to have, for the network system, a network public key and a
corresponding network private key,

the configurator processor arranged to:


derive a first shared key based on the network private key and the first enrollee public key,

decode the encoded second enrollee public key using the first shared key,

verify whether the encoded second enrollee public key was encoded by the first shared key and,

generate security data using the second enrollee public key and the configurator private key, derive a second shared key based on the first enrollee public key, the second enrollee public key and the network
private key,


protect cryptographically, using the second shared key, at least one of the security data and configurator public key, and

generate a network access message according to the security protocol, the network access message including at least one of the protected security data and protected configurator public key;

the enrollee method comprising:

storing the first enrollee public key and a corresponding first enrollee private key and the second enrollee public key and a corresponding second enrollee private key,

acquiring a data pattern via an out-of-band channel, the data pattern being provided in the area and representing the network public key,

deriving the first shared key based on the network public key and the first enrollee private key,

encoding the second enrollee public key using the first shared key,

generating the network access request according to the security protocol, the network access request including the
encoded second enrollee public key and the first enrollee public key, and


transferring the network access request to the configurator device via the enrollee wireless communication unit;

the enrollee method further comprising:

receiving the network access message from the configurator,

deriving the second shared key based on the first enrollee private key, the second enrollee private key and the
network public key,


verifying whether at least one of the protected security data and the protected configurator public key was
cryptographically protected by the second shared key, and


engaging the secure communication based on the second enrollee private key and the security data.

Claim Rejections - 35 USC § 101
NO rejections warranted at applicant’s initial time of filing for patent. 
While the claimed invention does recite an abstract idea (mathematical concepts: mathematical relationships and mathematical calculations), for example in claim 1 the limitations:
derive a first shared key based on the network private key and the first enrollee public key, decode the encoded second enrollee public key using the first shared key, ... etc.;

derive a second shared key based on the first enrollee public key, the second enrollee public key and the network private key,
protect cryptographically, using the second shared key, at least one of the security data and configurator public key,
derive the first shared key based on the network public key and the first enrollee private key, encode the second enrollee public key using the first shared key, ... etc., 
derive the second shared key based on the first enrollee private key, the second enrollee private key and the network public key, ... etc.

However, the abstract idea identified above is integrated into a practical application. For example, in claim 1, the limitations:

verify at least one of the protected security data and the protected configurator public key was cryptographically protected by the second shared key, and

engage the secure communication based on the second enrollee private key and the security data.
Claim Rejections - 35 USC § 102
NO rejections warranted at applicant’s initial time of filing for patent. 
Claim Rejections - 35 USC § 103
NO rejections warranted at applicant’s initial time of filing for patent. 
Allowable Subject Matter
Claim[s] 1 – 20 do contain allowable subject matter, but as allowable subject matter has been indicated, applicant's reply must either comply with all formal requirements or specifically traverse each requirement not complied with.  See 37 CFR 1.111(b) and MPEP § 707.07(a).
The following is a statement of reasons for the indication of allowable subject matter: the following prior art references were yielded at the time of search for the claimed invention. The listed prior art references do not teach the claimed invention, but are in the general realm of technology to which patent protection is sought:
Nix [US PGPUB # 2019/0356482], which generally teaches receiving a device provisioning protocol authentication request from an initiator. A responder ephemeral private key, a corresponding responder ephemeral public key, and a responder nonce are derived by using a set of cryptographic parameters. An initiator bootstrap public key and a secret key are received from a device provisioning protocol server. Elliptic curve Diffie-Hellman key exchange using the derived responder ephemeral private key and the received initiator bootstrap public key is conducted in order to derive a first shared secret key. Elliptic curve point addition with the secret key and the derived first shared secret key is conducted in order to derive a second shared secret key. The responder nonce is encrypted by using the derived second shared secret key.
Benoit et al. [US PGPUB # 2018/0248694], which generally teaches receiving a first nonce and a network public key associated with the network device, generating a second nonce, determining a shared key based at least in part on a calculation that includes the first nonce, the second nonce, the network public key, and a client private key associated with the client device, in which the client private key corresponds to a client public key associated with the client device, and sending an authentication response having at least a portion that is derived from the shared key, in which the authentication response includes the second nonce.
Cammarota et al. [US PGPUB # 2018/0109418], which generally teaches a configurator private signing key to an intermediary device authorized to submit an enrollment request to the configurator device. The enrollment request signed by the configurator private signing key is received from the intermediary device, and the request includes enrollee bootstrapping data associated with an enrollee device to be 
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DANT SHAIFER - HARRIMAN whose telephone number is (571)272-7910. The examiner can normally be reached M - F: 9am to 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand, can be reached on 571-272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/DANT B SHAIFER HARRIMAN/           Primary Examiner, Art Unit 2434