DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Election/Restrictions
Applicant’s election without traverse of Species 1 in the reply filed on 06 January 2022 is acknowledged.
Claims 16-22 and 29-33 are withdrawn from further consideration pursuant to 37 CFR 1.142(b) as being drawn to a nonelected species, there being no allowable generic or linking claim. Election was made without traverse in the reply filed on 06 January 2022.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective 

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 2, 4, 5 are rejected under 35 U.S.C. 103 as being unpatentable over Nord, U.S. Publication No. 2014/0164774, in view of Tan, U.S. Publication No. 2003/0028664, and further in view of Gould, U.S. Publication No. 2012/0174198. Referring to claim 1, Nord discloses a data access management system wherein a client computer transmits a user authentication request to a data storage server such that the data storage server transmits the request to a domain server to confirm the identity of the user ([0052]-[0053]: domain server reads on the claimed identity provider), which meets the limitation of performing a login for a user on a client device to an identity provider. If the user is authenticated, the data storage server transmits a validation token to the client computer ([0057]: validation token reads on the claimed attestation), which meets the limitation of receiving in response to the login at the identity provider a [signed] attestation .
Nord does not disclose that the identified specific keys are encrypted. Tan discloses media keys are encrypted using a client public key such the encrypted media keys are provided to the client computer where the encrypted media keys are decrypted using the client private key ([0060] & [0064] & [0068]), which meets the limitation of an encrypted data key (EDK), decrypting the EDK key to generate a data key (DK) using a data decryption key corresponding to the user account and the client device obtained while maintaining a zero-knowledge environment. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the specific keys of Nord to have been encrypted using a client computer public key such that the specific keys are decrypted at the client computer using the corresponding private key in order to ensure that only the client computer can access the keys as suggested by Tan ([0068]).
Nord does not disclose that the validation token is digitally signed. Gould discloses the generation of a token in response to a performed authentication such that the generated token is digitally signed ([0014] & [0018]), which meets the limitation of a signed attestation. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the domain server of Nord to have digitally signed the validation tokens in order to provide a verifiable statement that the authentication has occurred and been performed by a trusted party as suggested by Gould ([0018]).
Referring to claim 2, Nord discloses that the vault server identifies specific keys corresponding to the user such that the vault server provides the identified keys to the client computer of the user ([0059]-[0060] & [0066]), which meets the limitation of where the step of retrieving the EDK key comprises receiving the EDK key in communication from the vault service provider upon confirmation of the identity of the user and the device by the identity provider.
Nord does not disclose that the identified specific keys are encrypted. Tan discloses media keys are encrypted using a client public key such the encrypted media keys are provided to the client computer where the encrypted media keys are decrypted using the client private key ([0060] & [0064] & [0068]), which meets the limitation of where the data decryption key is a data private key (DPRIV) previously generated in a key pair with a data public (DPUB), where the DPRIV key is stored in local storage, where the step of decrypting the EDK key comprises decrypting the EDK key using the DPRIV key. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the specific keys of Nord to have been encrypted using a client computer public key such that the specific keys are decrypted at the client computer using the corresponding private key in order to ensure that only the client computer can access the keys as suggested by Tan ([0068]).
Referring to claim 4, Nord does not disclose that the validation token is digitally signed. Gould discloses the generation of a token in response to a performed authentication such that the generated token is digitally signed ([0014] & [0018]) such that the digital signature can be validated using the public key ([0015]-[0016]: public key reads on the claimed asymmetric attestation signing key), which meets the limitation of where the step of receiving the signed attestation includes receiving the signed attestation as an attestation comprising a signature to be validated by the identity provider using an asymmetric attestation signing key. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the validation tokens of Nord to have been digitally signed in order to provide a verifiable statement that the authentication has occurred and been performed by a trusted party as suggested by Gould ([0018]).
Examiner notes that the claim language that specifies “a signature to be validated by the identity provider” represents an intended use claim limitation. A recitation of the intended use of the claimed invention must result in a structural difference between the claimed invention and the prior art in order to patentably distinguish the claimed invention from the prior art.  If the prior art structure is capable of performing the intended use, then it meets the claim. In the instant case, the domain server of Nord is clearly capable of verifying a digital signature.
Referring to claim 5, Nord discloses the use of asymmetric key implementations such as RSA ([0048]). Therefore, when Nord is modified as proposed above in view of Gould, to include the domain servers digitally signing the validation tokens, the digital signatures would be created using RSA implementations (Nord: [0048]), which meets the limitation of wherein the step of receiving the signed attestation as the attestation signed by the identity provider by the attestation signing key as an asymmetric signing key according to RSA. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the domain server of Nord to have digitally signed the validation tokens in order to provide a verifiable statement that the authentication has occurred and been performed by a trusted party as suggested by Gould ([0018]).
Claims 1, 6, 7 are rejected under 35 U.S.C. 103 as being unpatentable over Nord, U.S. Publication No. 2014/0164774, in view of Dawson, U.S. Publication No. 2014/0304505, and further in view of Gould, U.S. Publication No. 2012/0174198. Referring to claims 1, 6, 7, Nord discloses a data access management system wherein a client computer transmits a user authentication request to a data storage server such that the data storage server transmits the request to a domain server to confirm the identity of the user ([0052]-[0053]: domain server reads on the claimed identity provider), which meets the limitation of performing a login for a user on a client device to an identity provider. If the user is authenticated, the data storage server transmits a validation token to the client computer ([0057]: validation token reads on the claimed attestation), which meets the limitation of receiving in response to the login at the identity provider a [signed] attestation generated by the identity provider confirming the identity of the user. The client computer transmits a device identifier ([0059]) and the validation token to a vault server ([0064]: vault server can be part of a server farm that includes the data storage server [0026] & [0058]. Combined server farm reads on the claimed vault service provider), which meets the limitation of sending the [signed] attestation and a device identifier to the vault service provider configured to validate the [signed] attestation. The vault server identifies specific keys corresponding to the user such that the vault server provides the identified keys to the client computer of the user ([0059]-[0060] & [0066]), which meets the limitation of retrieving an [encrypted] data key (EDK) corresponding to the user and the client device identified by the device identifier while maintaining a zero-knowledge environment. The received keys are then used to decrypt locally stored encrypted data ([0068] & [0071]), which meets the limitation of decrypting encrypted data records stored in a local storage using the data key. The client device can encrypt data ([0071]) such that the encrypted data is sent to the data storage server for storage ([0071]: vault server can be part of a server farm that includes the data storage server [0026] & [0058]. Combined server farm reads on the claimed vault service provider), which meets the limitation of encrypting data to send to the vault service provider.
Nord does not disclose that the identified specific keys are encrypted. Dawson discloses keys that are encrypted using an AES-256 bit key such that the encrypted key can be decrypted the same AES-256 bit key([1105]-[1106]), which meets the limitation of an encrypted data key (EDK), decrypting the EDK key to generate a data key (DK) using a data decryption key corresponding to the user account and the client device obtained while maintaining a zero-knowledge environment, wherein the step of decrypting the EDK key includes generating the DK key as a 256-bit or stronger ciphertext, wherein the step of decrypting the EDK key includes generating the DK key according to the AES-GCM standard. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the specific keys of Nord to have been encrypted using an AES-256 bit key in order to ensure protection of the keys using an encryption algorithm that is well proven and has been subjected to public scrutiny as suggested by Dawson ([1105]-[1106]).
Nord does not disclose that the validation token is digitally signed. Gould discloses the generation of a token in response to a performed authentication such that the generated token is digitally signed ([0014] & [0018]), which meets the limitation of a signed attestation. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the domain server of Nord to have digitally signed the validation tokens in order to provide a verifiable statement that the authentication has occurred and been performed by a trusted party as suggested by Gould ([0018]).
Claims 3, 23, 24 are rejected under 35 U.S.C. 103 as being unpatentable over Nord, U.S. Publication No. 2014/0164774, in view of Tan, U.S. Publication No. 2003/0028664, in view of Gould, U.S. Publication No. 2012/0174198, and further in view of Smith, U.S. Publication No. 2004/0133908. Referring to claim 3, Nord does not specify the use of a session token. Smith discloses a server transmitting a session token to a client ([0051]), which meets the limitation of receiving a session token from the vault service provider. The client utilizes the session token to access content transmitted from the server to the client ([0051] & [0056]), which meets the limitation of using the session token in communications connections between the client device and the vault service provider. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the data access management system of Nord to have utilized session tokens in the manner described in Smith in order to allow for data access to resume when a disruption occurs as suggested by Smith ([0056]).
Referring to claim 23, Nord discloses a data access management system wherein a client computer transmits a user authentication request to a data storage server such that the data storage server transmits the request to a domain server to confirm the identity of the user ([0052]-[0053]: domain server reads on the claimed identity provider), which meets the limitation of client device performing a login at an identity provider. If the user is authenticated, the data storage server transmits a validation token to the client computer ([0057]: validation token reads on the claimed attestation). The client computer transmits a device identifier ([0059]) and the validation token to a vault server ([0064]: vault server can be part of a server farm that includes the data storage server [0026] & [0058]. Combined server farm reads on the claimed vault service provider), which meets the limitation of receiving the [signed] attestation and a device identifier to from the client device in response to the client device performing a login at an identity provider. The vault server confirms validity of the validation token ([0064]) and identifies specific keys corresponding to the device identifier such that the vault server provides the identified keys to the client computer of the user ([0059]-[0060] & [0066]), which meets the limitation of verifying the [signed] attestation [using an attestation public key corresponding to the user] and verifying the client device as registered with the vault service provider according to the device identifier, sending an [encrypted] data key (EDK) corresponding to the user of the client device identified by the device identifier. The received keys are then used to decrypt locally stored encrypted data ([0068] & [0071]), which meets the limitation of a data key for accessing encrypted data records in a local storage of the client device. 
Nord does not disclose that the identified specific keys are encrypted. Tan discloses media keys are encrypted using a client public key such the encrypted media keys are provided to the client computer where the encrypted media keys are decrypted using the client private key ([0060] & [0064] & [0068]), which meets the limitation of an encrypted data key (EDK), where the client device decrypts the EDK key to generate a data key (DK) corresponding to the user using a data private key (DPRIV) for accessing encrypted data records in a local storage of the client device. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the specific keys of Nord to have been encrypted using a client computer public key such that the specific keys are decrypted at the client computer using the corresponding private key in order to ensure that only the client computer can access the keys as suggested by Tan ([0068]).
Nord does not disclose that the validation token is digitally signed. Gould discloses the generation of a token in response to a performed authentication such that the generated token is digitally signed ([0014] & [0018]) such that the digital signature can be validated using the public key ([0015]-[0016]: public key reads on the claimed asymmetric attestation signing key), which meets the limitation of a signed attestation, verifying the signed attestation using an attestation public key corresponding to the user. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the domain server of Nord to have digitally signed the validation tokens in order to provide a verifiable statement that the authentication has occurred and been performed by a trusted party as suggested by Gould ([0018]).
Nord does not specify the use of a session token. Smith discloses a server transmitting a session token to a client ([0051]), which meets the limitation of sending a session token corresponding to registration of the client device to the client device. The client utilizes the session token to access content transmitted from the server to the client ([0051] & [0056]), which meets the limitation of receiving and second communications between the client device and the vault service provider using the session token for downloading records. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the data access management system of Nord to have utilized session tokens in the manner described in Smith in order to allow for data access to resume when a disruption occurs as suggested by Smith ([0056]).
Referring to claim 24, Nord discloses the use of asymmetric key implementations such as RSA ([0048]). Therefore, when Nord is modified as proposed above in view of Gould, to include the domain servers digitally signing the validation tokens, the digital signatures would be created using RSA implementations (Nord: [0048]), which meets the limitation of wherein the step of receiving the signed attestation includes receiving a document having a signature signed by the identity provider using as an asymmetric signing key according to RSA. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the domain server of Nord to have digitally signed the validation tokens in order to provide a verifiable statement that the authentication has occurred and been performed by a trusted party as suggested by Gould ([0018]).
Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Nord, U.S. Publication No. 2014/0164774, in view of Tan, U.S. Publication No. 2003/0028664, in view of Gould, U.S. Publication No. 2012/0174198, and further in view of Purves, U.S. Publication No. 2015/0220914. Referring to claim 15, Nord discloses that the user is registered with an account such that the user account includes registered device information ([0059] & [0102]). 
Nord does not disclose that the user can request removal of a registered device from the user account. Purves a user account wherein users can request a device be delete from their account ([0104]), which meets the limitation of sending a request to remove a second client device to the vault service provider. The user is provided with confirmation of the removal of the requested device from the account ([0103]-[0104]), which meets the limitation of receiving an acknowledgement of removal from the vault service provider, where the acknowledgement of removal is indicative that the second client device deleted the DK key and the vault service provider deleted the EDK key corresponding to the second client device and invalidated the device identifier corresponding to the second client device. Examiner notes that the content of the claimed acknowledgement is not functionally utilized in the claims and would therefore be considered non-functional descriptive material that is not given patentable weight (See MPEP 2111.04-2111.05). Therefore, what the acknowledgement “indicates” does not receive patentable weight. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the data access management system of Nord to have enabled registered users to delete devices from their accounts in order to provide the user with the ability to edit their account accessible devices as suggested by Purves ([0103]-[0104]). 
Allowable Subject Matter
Claims 8-14, 25-28 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Grajek, U.S. Publication No. 2016/0344561, discloses a media server that provides user authentication, key generation, and key distribution services.
Fu, U.S. Publication No. 2011/0293098, discloses a key recovery system that utilizes digital certificates.
Roberts, U.S. Publication No. 2007/0214369, discloses a removable drive that performs encryption based upon a received password.
Khairullah, U.S. Publication No. 2007/0040699, discloses AES encryption with variable strength.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BENJAMIN E LANIER whose telephone number is (571)272-3805. The examiner can normally be reached M-Th: 6:20-4:50.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on 5712724063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/BENJAMIN E LANIER/          Primary Examiner, Art Unit 2437