Notice of Pre-AIA or AIA Status
The present application, filed on or after January 09, 2020, is being examined under the first inventor to file provisions of the AIA.
Specification 
The specification filed on January 09, 2020 is accepted. 
Drawings
The drawings filed on January 09, 2020 are accepted.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 09/08/2020, 09/18/2020, 11/02/2020, 09/28/2021, 11/01/2021 and 12/17/2021 was filed after the mailing date of the application 16739015 on 01/09/2020.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Response to 103 
Applicant’s arguments filed on 08/12/2021 have been fully considered and are partially persuasive.
In response to applicant’s argument in para 1 of page 12 of the remarks that none of the cited references teaches distinct host, user and manager devices: the examiner acknowledges applicant’s point of view but respectfully disagrees, because distinct host and manager devices are taught by BASKARAN (i.e. primary reference), which on [0041 and 0047] teaches the authentication server 104, performing suitable processing of the input or output or both, communicating with other devices (i.e. host device), and a request sent by the user device 106 (i.e. second device) to the transaction server 114 (i.e. manager device as third device).
to unlock data for the host device) are not recited in the rejected claim(s).  Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).
In response to applicant’s argument on page 12, para 2-3 of the remarks that the cited references fail to teach the unlock process of the amended limitation “receive, from the registered user device, an unlock request, determine, based on the authorization data associated with the registered user device, the cryptographic key, and provide, responsive to the unlock request, the cryptographic key to the cryptography engine to decrypt the encrypted user content”: the examiner acknowledges applicant’s point of view but respectfully disagrees because the cited reference Bolotin (i.e. secondary reference) teaches the amended limitation. Bolotin on [0302-0310] teaches receiving an unlock command or signal from the mobile device. The unlock request is for unlocking a self-encrypting device. See [0064], which teaches that the encryption key 116 (i.e. cryptographic key) is determined by the authentication subsystem 104 once a user 122, having an identification number (i.e. authorization data) or key, has been verified. See [0303], which teaches wherein the authentication subsystem stores an encryption key and the authentication subsystem transmits the encryption key to the encryption engine when the self-encrypting device is unlocked (i.e. unlocking the encryption key), which is provided to the encryption engine and used for decrypting the encrypted content.
The rest of applicant’s arguments, regarding a separate manager device to receive the challenge from a user device and forward a response to the user device from the manager device, are moot in view of the new grounds of rejection. The arguments do not apply to the current art being used.

Claim objections
Claims 1, 5, 9 and 19-20 are objected to because of the following informalities:
Claim 1, lines 8-10, recites “the storage medium”, which should read “the non-volatile storage medium” as recited on line 6.
Claims 1, 19 and 20 recite “an unlock request”. The examiner suggests clarifying whether the unlock request is to unlock the data storage device, the cryptographic key, or something else.
Claim 5 recites “wherein the challenge is based on an unlocking public key ….” The examiner suggests clarifying the role of the “unlocking public key” with respect to the challenge, because it is not clear whether the challenge is generated, transmitted or stored based on the unlocking public key. Appropriate correction is required.
Claim 9 recites “the challenge is based on an ephemeral public key ….” The examiner suggests clarifying the role of the “ephemeral public key” with respect to the challenge.

CLAIM INTERPRETATION

The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in 

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 

As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 

Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when 

Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Such claim limitation(s) is/are “means for receiving, means for generating, means for sending, means for calculating and means for creating and storing” in claim 20.


Claim limitation(s) “means for receiving, means for generating, means for sending, means for calculating and means for creating and storing” of claim 20 are given their broadest reasonable interpretation of the claim elements with a limited description in the specification. The examiner notes that the term “means” refers to an access controller within a data storage device for performing the above steps as shown in Fig 1. Accordingly, claim 20 invokes 35 U.S.C. 112(f) or sixth paragraph, but the corresponding structure is described.

Because these claim limitation(s) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 11 and 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over BASKARAN et al (hereinafter BASKARAN) (US 20180062863) in view of Bolotin et al (hereinafter Bolotin) (US 20190007203) and further in view of Le Saint (US 20180167208).

Regarding claim 1 BASKARAN teaches A data storage device comprising: a data path comprising  (BASKARAN Fig 2 block 204, 210, 212, 216 and text on [0051] teaches an authentication server (i.e. data storage device) includes processor 210 (i.e. controller), storage 212 (i.e. data store) and network interface (i.e. data path));
 a data port configured to transmit data between a host computer system and the data storage device (BASKARAN on [0041] teaches the network interface (i.e. data path) may refer to any suitable device capable of receiving an input, sending an output from the authentication server 104, performing suitable processing of the input or output or both, communicating with other devices (i.e. host device), the network interface may include one or more ports, conversion software, or both. The network interface connects the authentication server 104 to the network 102 for authenticating user device 106 and servicing data requests made by user 108);
and an access controller configured to: receive, from a user device, a registration request to register the user device (BASKARAN on [0032] teaches user 108 may initiate a service request with the transaction server 114 using any of the one or more user devices 106. The one or more user devices 106 may be registered with the authentication server 104. See also on [0066] teaches user device sends registration data along with other data (i.e. request) to server 104 to complete the registration process as shown in Fig. 4);
generate, responsive to the registration request, a challenge for a manager device (BASKARAN on [0047] teaches the authentication server 104 transmits a challenge to the user device 106 over the second communication channel disparate from the first communication channel over which a request is sent by the user device 106 to the transaction server 114 (i.e. manager device). See also on [0071] teaches the server generates challenge);
and the manager device is located remotely from the data storage device (BASKARAN Fig 1 and text on [0031-0032] teaches the network 102 communicatively couples the user device 106 to a transaction server 114 (i.e. remotely located from data storage device));
calculate the cryptographic key based at least partly on the response calculated by the manager device (BASKARAN on [0030] teaches the authentication server calculates a symmetric public private key pair after passing the result of M2FA. See also on [0066] teaches the registration data is fed in to user device and transmit the registration data in response to prompt to generate public key);
 create and store, on a non-volatile data store of the data storage device, authorization data associated with the user device, wherein the authorization data indicates the cryptographic key, to register the user (BASKARAN Fig 4 and text on [0066] teaches storing in storage of server 104 the income credential such as username and password (i.e. authorization data) of the user. Fig 6 and text on [070] teaches receiving an authentication request containing the credentials (i.e. creating the authentication data). See Fig 4 and text on [0066] teaches user enters credential such as username and password (i.e. authorization data) to register smart device. The registration procedure is triggered by clicking on the link and transmits public key along with relevant data to complete the registration process).
wherein: the host computer system is a first device (BASKARAN on [0041] teaches the authentication server 104, performing suitable processing of the input or output or both, communicating with other devices (i.e. host device is the first device));
the user device is a second device;  the manager device is a third device (BASKARAN on [0047] teaches a request is sent by the user device 106 (i.e. second device) to the transaction server 114 (i.e. manager device as third device)).

Although BASKARAN teaches data path comprises port but fails to explicitly teach a non-volatile storage medium configured to store encrypted user content data, and a cryptography engine connected between the data port and the storage medium and configured to use a cryptographic key to decrypt the encrypted user content data stored on the storage medium in response to a data request from the host computer system, send, to the user device, the challenge for the manager device, wherein the user device is configured to communicate the challenge to the manager device, receive, from the user device, a response calculated by the manager device to approve the registration request, wherein the user device is further configured to receive the response from the manager device, receive, from the registered user device, an unlock request, determine, based on the authorization data associated with the registered user device, the cryptographic key and provide, responsive to the unlock request, the (Bolotin on [0062 and 0070] teaches encrypted data is stored in a non-volatile storage medium 112);
and a cryptography engine connected between the data port and the storage medium and configured to use a cryptographic key to decrypt the encrypted user content data stored on the storage medium in response to a data request from the host computer system (Bolotin Fig 1 block 106, 110, 112 and text on [0062-0064] teaches an encryption engine 110 is between communication channel 102 (i.e. data port in instant case) and storage media 112. The encryption engine 110 also converts encrypted information from the storage media 112 and decrypts it to clear information for the host computer system 120 based on encryption key 116); 
receive, from the registered user device, an unlock request (Bolotin on [0302] teaches receiving unlock command from mobile device);
determine, based on the authorization data associated with the registered user device, the cryptographic key (Bolotin on [0064] teaches the encryption key 116 (i.e. cryptographic key) is transmitted to the encryption engine 110 by the authentication subsystem 104 once a user 122, having an identification number (i.e. authorization data ) or key, has been verified);
and provide, responsive to the unlock request, the cryptographic key to the cryptography engine to decrypt the encrypted user content (Bolotin on [0303] teaches wherein the authentication subsystem stores an encryption key and the authentication subsystem transmits the encryption key to the encryption engine when the self-encrypting device is unlocked. See on [0063 and 0067] teaches an encryption key 116 is required by the encryption engine 110 to encrypt/decrypt the information).

(Bolotin on [0013]).
Although the combination of BASKARAN and Bolotin teaches generating a challenge for the manager device and generating a response based on the challenge, it fails to explicitly teach send, to the user device, the challenge for the manager device, wherein the user device is configured to communicate the challenge to the manager device, receive, from the user device, a response calculated by the manager device to approve the registration request, wherein the user device is further configured to receive the response from the manager device. However, Le Saint from analogous art teaches send, to the user device, the challenge for the manager device, wherein the user device is configured to communicate the challenge to the manager device (Le Saint on [0066-0067] teaches the provisioning server (i.e. user device in instant case) 360 may receive the authentication request from the authentication server 340 (i.e. controller in instant case). The provisioning server 360 may send the authentication request to the user device, wherein the authentication request includes the challenge);
receive, from the user device, a response calculated by the manager device to approve the registration request, wherein the user device is further configured to receive the response from the manager device (Le Saint on [0067-0069] teaches the provisioning server 360 (i.e. user device in instant case) may send the authentication response from the user device 320 to the authentication server 340 (i.e. controller in instant case). Further teaches the user device 320 (i.e. manager device) may process the authentication request. Processing the authentication request may include adding additional data to the received authentication challenge, authenticating or verifying a user of user device 320, and signing the challenge using the user device authentication private key stored at the user device 320 as described above with reference to FIG. 1. At 304, the user device 320 sends an authentication response including the signed challenge data, and possibly other data, to the provisioning server 360. Further teaches the authentication server 340 may verify the signed authentication challenge using the user device authentication public key 328 stored at the authentication server 340. In some embodiments, the authentication server 340 may also verify that the signed authentication challenge matches the authentication challenge of the authentication request. Thus, the user device 320 may register with the authentication server 340 and be authenticated by the authentication server 340).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Le Saint into the teaching of BASKARAN and Bolotin by sending the challenge to the manager device and generating a response by the manager device based on the challenge. One would be motivated to do so in order to securely perform authentication for a user device (Le Saint on [0005]).


	Regarding claim 2 the combination of BASKARAN, Bolotin and Le Saint teaches all the limitations of claim 1 above, BASKARAN further teaches wherein the challenge is shareable over an insecure communication channel (BASKARAN on [0047] teaches the authentication server 104 transmits a challenge to the user device 106 over the second communication channel).
Regarding claim 3 the combination of BASKARAN, Bolotin and Le Saint teaches all the limitations of claim 1 above, BASKARAN further teaches wherein the registration request comprises a public key of the user device (BASKARAN Fig 4 and text on [0066] teaches request for registration is public key of user device).
Regarding claim 4 the combination of BASKARAN, Bolotin and Le Saint teaches all the limitations of claim 3 above, BASKARAN further teaches wherein the access controller is further configured to generate and send the challenge upon determining, based on the public key, that the user device is not registered with the data storage device (BASKARAN Fig 6 and associated text on [00700-0074] teaches challenge generated by processor of authentication server 114 to register device based on public key).
Regarding claim 11 the combination of BASKARAN, Bolotin and Le Saint teaches all the limitations of claim 3 above, BASKARAN further teaches wherein: the access controller is further configured to store, on the data store and before receiving the registration request, multiple entries associated with respective multiple manager devices (BASKARAN Fig 4 and text on [0066] teaches storing in storage of server 104 the income credential such as username and password of the user to start the registration process). Further teaches storing K.sub.PRI,U and the data received from the user device 106 and store other data received from SP server 114 (i.e. manager device) and user device);
Bolotin teaches one manager device of the multiple manager devices is associated with a remote approver role defined by enabling the generation of the challenge for the one manager device of the multiple manager devices (Bolotin Fig 6A and text on [0107-0111] teaches management server 604 may manage a plurality of devices, such as laptops 228, PCs 661, thermostats 664, smart TVs 666, tablets 668, servers 670, printers and scanners 672, smart appliances 674, mobile devices 610, and other devices (i.e. multiple devices). Further teaches a management server 604 that includes a user management database 642, provides remote management, including remote security, of devices via a network, such as a cloud 650. The remote management server 604 may control the access to an SED 101 control different types of motors that can open or close a door or a safe, provide controlled access to video security cameras and their recorded video, etc.). 
(Bolotin on [0013]).
Regarding claim 16 the combination of BASKARAN, Bolotin and Le Saint teaches all the limitations of claim 1 above, BASKARAN further teaches wherein: transmitting data between the host computer system and the data storage device is over a data channel (BASKARAN on [0009] teaches transmitting a challenge to a user device associated with the request over a second communication channel disparate from the first communication channel);
and receiving the registration request, sending the challenge, and receiving the response is over a communication channel that is different from the data channel (BASKARAN on [0009 and 0030] teaches transmitting a challenge to a user device associated with the request over a second communication channel disparate from the first communication channel. A user when challenged with a "challenge", provides a response. Channel: It is a communications path. It can be a communication path between two applications over a network. For example, a channel can be a TCP/IP connection. Separate/second channel: a channel other than the primary, or first channel. A second channel is considered out-of-band with respect to a first channel).
	Regarding claim 17 the combination of BASKARAN, Bolotin and Le Saint teaches all the limitations of claim 16 above, BASKARAN further teaches wherein: the communication channel is a wireless communication channel; and generating the challenge for the manager device remote from the data storage device comprises generating the challenge for the manager device that is out of range of the wireless communication channel (BASKARAN on [0009 and 0030] teaches transmitting a challenge to a user device associated with the request over a second communication channel disparate from the first communication channel. A user when challenged with a "challenge", provides a response. Channel: It is a communications path. It can be a communication path between two applications over a network. For example, a channel can be a TCP/IP connection. Separate/second channel: a channel other than the primary, or first channel. A second channel is considered out-of-band with respect to a first channel. See on [0035] teaches wireless communication network).
	Regarding claim 18 the combination of BASKARAN, Bolotin and Le Saint teaches all the limitations of claim 1 above, BASKARAN further teaches wherein receiving the registration request, sending the challenge, and receiving the response is in communication with an application installed on the user device (BASKARAN on [0078-0079] teaches application running on mobile device for receiving response).
Regarding claim 19 BASKARAN teaches a method for approving access to a data storage device, the method comprising (BASKARAN on [0009] teaches method for accessing data storage);
receiving, from a user device, a registration request to register the user device receiving, from a user device, a request to register the user device (BASKARAN on [0032] teaches user 108 may initiate a service request with the transaction server 114 using any of the one or more user devices 106. The one or more user devices 106 may be registered with the authentication server 104. See also on [0066] teaches user device sends registration data along with other data (i.e. request) to server 104 to complete the registration process as shown in Fig. 4);
 generating a challenge for a manager device, wherein the manager device is located remotely from the data storage device (BASKARAN on [0047] teaches the authentication server 104 transmits a challenge to the user device 106 over the second communication channel disparate from the first communication channel over which a request is sent by the user device 106 to the transaction server 114 (i.e. manager device). See also on [0071] teaches the server generates challenge. See Fig 1 and text on [0031-0032] teaches the network 102 communicatively couples the user device 106 to a transaction server 114 (i.e. remotely located from data storage device));
(BASKARAN on [0030 and 0048] teaches the authentication server calculates a symmetric public private key pair after passing the result of M2FA and decrypting the response based on public-private key pair. See also on [0066] teaches the registration data is fed in to user device and transmit the registration data in response to prompt to generate public key);
creating and storing, on a non-volatile data store in the data storage device, authorization data associated with the user device (BASKARAN Fig 4 and text on [0066] teaches storing in storage of server 104 the income credential such as username and password (i.e. authorization data) of the user. Fig 6 and text on [070] teaches receiving an authentication request containing the credentials (i.e. creating the authentication data));
the authorization  data indicating the cryptographic key, to register the user device with the data storage device (BASKARAN Fig 4 and text on [0066] teaches user enters credential such as username and password (i.e. authorization data) to register smart device. The registration procedure is triggered by clicking on the link and transmits public key along with relevant data to complete the registration process);
wherein: the host computer system is a first device (BASKARAN on [0041] teaches the authentication server 104, performing suitable processing of the input or output or both, communicating with other devices (i.e. host device is the first device));
the user device is a second device;  the manager device is a third device (BASKARAN on [0047] teaches a request is sent by the user device 106 (i.e. second device) to the transaction server 114 (i.e. manager device as third device)).
Although BASKARAN teaches generating a challenge and sending the challenge between the authentication server and user device, it fails to explicitly teach send to the user device, the challenge (Bolotin on [0302] teaches receiving unlock command from mobile device);
determine, based on the authorization data associated with the registered user device, the cryptographic key (Bolotin on [0064] teaches the encryption key 116 (i.e. cryptographic key) is transmitted to the encryption engine 110 by the authentication subsystem 104 once a user 122, having an identification number (i.e. authorization data ) or key, has been verified);
and using, responsive to the unlock request and a data request from a host computer system, the cryptographic key to decrypt encrypted user content from a storage medium of the data storage device (Bolotin on [0303] teaches wherein the authentication subsystem stores an encryption key and the authentication subsystem transmits the encryption key to the encryption engine when the self-encrypting device is unlocked. See on [0310] teaches receiving unlocking request along with user authentication information to unlock the system. See on [0063 and 0067] teaches an encryption key 116 is required by the encryption engine 110 to encrypt/decrypt the information).

Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of Bolotin into the teaching of BASKARAN by having data port connected to a non-volatile storage medium for storing information encrypted by cryptographic engine and decrypting (Bolotin on [0013]).
Although the combination of BASKARAN and Bolotin teaches generating a challenge for the manager device and generating a response based on the challenge, it fails to explicitly teach send, to the user device, the challenge for the manager device, wherein the user device is configured to communicate the challenge to the manager device, receive, from the user device, a response calculated by the manager device to approve the registration request, wherein the user device is further configured to receive the response from the manager device. However, Le Saint from analogous art teaches send, to the user device, the challenge for the manager device, wherein the user device is configured to communicate the challenge to the manager device (Le Saint on [0066-0067] teaches the provisioning server (i.e. user device in instant case) 360 may receive the authentication request from the authentication server 340 (i.e. controller in instant case). The provisioning server 360 may send the authentication request to the user device, wherein the authentication request includes the challenge);
receive, from the user device, a response calculated by the manager device to approve the registration request, wherein the user device is further configured to receive the response from the manager device (Le Saint on [0067-0069] teaches the provisioning server 360 (i.e. user device in instant case) may send the authentication response from the user device 320 to the authentication server 340 (i.e. controller in instant case). Further teaches the user device 320 (i.e. manager device) may process the authentication request. Processing the authentication request may include adding additional data to the received authentication challenge, authenticating or verifying a user of user device 320, and signing the challenge using the user device authentication private key stored at the user device 320 as described above with reference to FIG. 1. At 304, the user device 320 sends an authentication response including the signed challenge data, and possibly other data, to the provisioning server 360. Further teaches the authentication server 340 may verify the signed authentication challenge using the user device authentication public key 328 stored at the authentication server 340. In some embodiments, the authentication server 340 may also verify that the signed authentication challenge matches the authentication challenge of the authentication request. Thus, the user device 320 may register with the authentication server 340 and be authenticated by the authentication server 340).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Le Saint into the teaching of BASKARAN and Bolotin by sending the challenge to the manager device and generating a response by the manager device based on the challenge. One would be motivated to do so in order to securely perform authentication for a user device (Le Saint on [0005]).

Regarding claim 20 BASKARAN teaches a data storage device comprising: (BASKARAN Fig 2 block 204, 210, 212, 216 and text on [0051] teaches an authentication server (i.e. data storage device) includes processor 210 (i.e. controller), storage 212 (i.e. data store) and network interface (i.e. data path));
means for receiving, from a user device, a registration request to register the user device (BASKARAN on [0032] teaches user 108 may initiate a service request with the transaction server 114 using any of the one or more user devices 106. The one or more user devices 106 may be registered with the authentication server 104. See also on [0066] teaches user device sends registration data along with other data (i.e. request) to server 104 to complete the registration process as shown in Fig. 4);
 means for generating a challenge for a manager device, wherein the manager device is located remotely from the data storage device (BASKARAN on [0047] teaches the authentication server 104 transmits a challenge to the user device 106 over the second communication channel disparate from the first communication channel over which a request is sent by the user device 106 to the transaction server 114 (i.e. manager device). See also on [0071] teaches the server generates challenge. Fig 1 and text on [0031-0032] teaches the network 102 communicatively couples the user device 106 to a transaction server 114 (i.e. remotely located from data storage device));
means for calculating a cryptographic key, usable to decrypt user content data stored on the data storage device, based at least partly on the response calculated by the manager device (BASKARAN on [0030 and 0048] teaches the authentication server calculates a symmetric public private key pair after passing the result of M2FA and decrypting the response based on public-private key pair. See also on [0066] teaches the registration data is fed in to user device and transmit the registration data in response to prompt to generate public key);
means for creating and storing, on a non-volatile data store, authorization data associated with the user device (BASKARAN Fig 4 and text on [0066] teaches storing in storage of server 104 the income credential such as username and password (i.e. authorization data) of the user. Fig 6 and text on [070] teaches receiving an authentication request containing the credentials (i.e. creating the authentication data));
the authorization data indicating the cryptographic key, to register the user device with the data storage device (BASKARAN Fig 4 and text on [0066] teaches user enters credential such as username and password (i.e. authorization data) to register smart device. The registration procedure is triggered by clicking on the link and transmits public key along with relevant data to complete the registration process);
wherein: the host computer system is a first device (BASKARAN on [0041] teaches the authentication server 104, performing suitable processing of the input or output or both, communicating with other devices (i.e. host device is the first device));
BASKARAN on [0047] teaches a request is sent by the user device 106 (i.e. second device) to the transaction server 114 (i.e. manager device as third device)).
Although BASKARAN teaches generating a challenge and sending the challenge between the authentication server and user device, it fails to explicitly teach: send, to the user device, the challenge for the manager device, wherein the user device is configured to communicate the challenge to the manager device; receive, from the user device, a response calculated by the manager device to approve the registration request, wherein the user device is further configured to receive the response from the manager device; receive, from the registered user device, an unlock request; determine, based on the authorization data associated with the registered user device, the cryptographic key; and provide, responsive to the unlock request, the cryptographic key to the cryptography engine to decrypt the encrypted user content. However, Bolotin, from analogous art, teaches means for receiving, from the registered user device, an unlock request (Bolotin on [0302] teaches receiving unlock command from mobile device);
means for determining, based on the authorization data associated with the registered user device, the cryptographic key (Bolotin on [0064] teaches the encryption key 116 (i.e. cryptographic key) is transmitted to the encryption engine 110 by the authentication subsystem 104 once a user 122, having an identification number (i.e. authorization data) or key, has been verified);
and means for using, responsive to the unlock request and a data request from a host computer system, the cryptographic key to decrypt encrypted user content from a storage medium of the data storage device (Bolotin on [0303] teaches wherein the authentication subsystem stores an encryption key and the authentication subsystem transmits the encryption key to the encryption engine when the self-encrypting device is unlocked. See on [0310] teaches receiving unlocking request along with user authentication information to unlock the system. See on [0063 and 0067] teaches an encryption key 116 is required by the encryption engine 110 to encrypt/decrypt the information).

Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Bolotin into the teaching of BASKARAN by having a data port connected to a non-volatile storage medium for storing information encrypted by a cryptographic engine and decrypting encrypted content based on an unlock request. One would be motivated to do so in order to improve and maintain connectivity of the data security system (Bolotin on [0013]).
Although the combination of BASKARAN and Bolotin teaches generating a challenge for the manager device and generating a response based on the challenge, it fails to explicitly teach: send, to the user device, the challenge for the manager device, wherein the user device is configured to communicate the challenge to the manager device; receive, from the user device, a response calculated by the manager device to approve the registration request, wherein the user device is further configured to receive the response from the manager device. However, Le Saint, from analogous art, teaches means for sending, to the user device, the challenge for the manager device, wherein the user device is configured to communicate the challenge to the manager device (Le Saint on [0066-0067] teaches the provisioning server 360 (i.e. user device in instant case) may receive the authentication request from the authentication server 340 (i.e. controller in instant case). The provisioning server 360 may send the authentication request to the user device, wherein the authentication request includes the challenge);
means for receiving, from the user device, a response calculated by the manager device to approve the registration request, wherein the user device is further configured to receive the response from the manager device (Le Saint on [0067-0069] teaches the provisioning server 360 (i.e. user device in instant case) may send the authentication response from the user device 320 to the authentication server 340 (i.e. controller in instant case). Further teaches the user device 320 (i.e. manager device) may process the authentication request. Processing the authentication request may include adding additional data to the received authentication challenge, authenticating or verifying a user of user device 320, and signing the challenge using the user device authentication private key stored at the user device 320 as described above with reference to FIG. 1. At 304, the user device 320 sends an authentication response including the signed challenge data, and possibly other data, to the provisioning server 360. Further teaches the authentication server 340 may verify the signed authentication challenge using the user device authentication public key 328 stored at the authentication server 340. In some embodiments, the authentication server 340 may also verify that the signed authentication challenge matches the authentication challenge of the authentication request. Thus, the user device 320 may register with the authentication server 340 and be authenticated by the authentication server 340).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Le Saint into the teaching of BASKARAN and Bolotin by sending the challenge to the manager device and generating a response by the manager device based on the challenge. One would be motivated to do so in order to securely perform authentication for a user device (Le Saint on [0005]).

Claims 5-10 and 12-15 are rejected under 35 U.S.C. 103 as being unpatentable over BASKARAN et al (hereinafter BASKARAN) (US 20180062863) in view of Bolotin et al (hereinafter Bolotin) (US 20190007203), in view of Le Saint (US 20180167208) and further in view of Benson et al (hereinafter Benson) (US 10965474).

Regarding claim 5 the combination of BASKARAN, Bolotin and Le Saint teaches all the limitations of claim 1 above, the combination fails to explicitly teach wherein the challenge is based on an unlocking  (Benson on [Col 5 line 5-20] teaches the challenge is encrypted using a public key of the security device such that the encrypted challenge can only be decrypted (e.g., using a RSA protocol) with a private secret key embedded in the security device. In some embodiments, a new encrypted challenge is used for each attempt to authenticate the security device so that an attacker cannot use an old version of an encrypted challenge to impersonate the security device. Further on [Col 8 line 25-35] teaches the public key 150 is used to generate a challenge that is used to authenticate the security device. The challenge 155 of some embodiments includes an encrypted verification value that is encrypted with public key 150 such that only the security device 120 can decrypt it using a private secret (e.g., a private key or a shared key generated based on information received from the target device) of the security device 110. See on [Col 14 line 30-38] teaches the target device 520 generates the challenge 555 by encrypting an unlock secret key (USK) (e.g., a randomly generated value, etc.) using the public key 550).   
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Benson into the combined teaching of BASKARAN, Bolotin and Le Saint by generating a challenge based on an unlocking public key. One would be motivated to do so in order to improve security of the device by performing authentication on the device to unlock the device (Benson on [Col 1 line 50-60]).

Regarding claim 6 the combination of BASKARAN, Bolotin, Le Saint and Benson teaches all the limitations of claim 5 above, Benson further teaches wherein the unlocking public key associated with the manager device corresponds to an unlocking private key stored on the manager device (Benson on [Col 5 line 5-20] teaches the challenge is encrypted using a public key of the security device such that the encrypted challenge can only be decrypted (e.g., using a RSA protocol) with a private secret key embedded in the security device. In some embodiments, a new encrypted challenge is used for each attempt to authenticate the security device so that an attacker cannot use an old version of an encrypted challenge to impersonate the security device. Further on [Col 8 line 25-35] teaches the public key 150 is used to generate a challenge that is used to authenticate the security device. The challenge 155 of some embodiments includes an encrypted verification value that is encrypted with public key 150 such that only the security device 120 can decrypt it using a private secret (e.g., a private key or a shared key generated based on information received from the target device) of the security device 110. See on [Col 14 line 30-38] teaches the target device 520 generates the challenge 555 by encrypting an unlock secret key (USK) (e.g., a randomly generated value, etc.) using the public key 550).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Benson into the combined teaching of BASKARAN, Bolotin and Le Saint by generating a challenge based on an unlocking public key. One would be motivated to do so in order to improve security of the device by performing authentication on the device to unlock the device (Benson on [Col 1 line 50-60]).

Regarding claim 7 the combination of BASKARAN, Bolotin, Le Saint and Benson teaches all the limitations of claim 5 above, Benson further teaches wherein the unlocking public key associated with the manager device is stored on the data store of the data storage device and accessible in response to receiving the registration request (Benson on [Col 5 line 5-20] teaches the challenge is encrypted using a public key of the security device such that the encrypted challenge can only be decrypted (e.g., using a RSA protocol) with a private secret key embedded in the security device. In some embodiments, a new encrypted challenge is used for each attempt to authenticate the security device so that an attacker cannot use an old version of an encrypted challenge to impersonate the security device. Further on [Col 8 line 25-35] teaches the public key 150 is used to generate a challenge that is used to authenticate the security device. The challenge 155 of some embodiments includes an encrypted verification value that is encrypted with public key 150 such that only the security device 120 can decrypt it using a private secret (e.g., a private key or a shared key generated based on information received from the target device) of the security device 110. See on [Col 14 line 30-38] teaches the target device 520 generates the challenge 555 by encrypting an unlock secret key (USK) (e.g., a randomly generated value, etc.) using the public key 550).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Benson into the combined teaching of BASKARAN, Bolotin and Le Saint by generating a challenge based on an unlocking public key. One would be motivated to do so in order to improve security of the device by performing authentication on the device to unlock the device (Benson on [Col 1 line 50-60]).

Regarding claim 8 the combination of BASKARAN, Bolotin and Le Saint teaches all the limitations of claim 1 above, BASKARAN further teaches wherein: the access controller is further configured to store, on the data store and before receiving the registration request, authorization data associated with the manager device (BASKARAN Fig 4 and text on [0066] teaches storing in storage of server 104 the income credential such as username and password (i.e. authorization data) of the user to start the registration process).
Bolotin teaches the authorization data comprises a manager key in encrypted form (Bolotin on [0008] teaches the encryption key is often stored on the media in an encrypted form).
(Bolotin on [0101] teaches the authentication key 118 to decrypt and retrieve the encryption key 116 used to decipher internal content).

The combination of BASKARAN, Bolotin and Le Saint fails to explicitly teach calculate the cryptographic key based on the manager key. However, Benson, from analogous art, teaches calculate the cryptographic key based on the manager key (Benson on [Col 11 line 12-20] teaches derived key 334 is derived from keys stored at SPR).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Benson into the combined teaching of BASKARAN, Bolotin and Le Saint by generating a key based on the manager key. One would be motivated to do so in order to improve security of the device by performing authentication on the device to unlock the device (Benson on [Col 1 line 50-60]).

Regarding claim 9 the combination of BASKARAN, Bolotin, Le Saint and Benson teaches all the limitations of claim 8 above, Benson further teaches wherein: the manager key is encrypted based on a discarded ephemeral private key and the challenge is based on an ephemeral public key that corresponds to the ephemeral private key (Benson [Col 5 line 5-20] teaches the challenge includes a verification value that is encrypted such that only the security device is able to decrypt the encrypted verification value. For example, in some embodiments, the challenge is encrypted using a shared key (i.e. ephemeral public key) that is generated (e.g., using an elliptic curve Diffie-Hellman (ECDH) protocol) based on a combination of public values that are shared between the target and security devices and private secret values unique to the target and security devices).
(Benson on [Col 1 line 50-60]).

Regarding claim 10 the combination of BASKARAN, Bolotin, Le Saint and Benson teaches all the limitations of claim 8 above, Benson further teaches wherein the ephemeral public key is stored on the data store and accessible in response to receiving the registration request (Benson [Col 5 line 5-20] teaches the challenge includes a verification value that is encrypted such that only the security device is able to decrypt the encrypted verification value. For example, in some embodiments, the challenge is encrypted using a shared key (i.e. ephemeral public key) that is generated (e.g., using an elliptic curve Diffie-Hellman (ECDH) protocol) based on a combination of public values that are shared between the target and security devices and private secret values unique to the target and security devices).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Benson into the combined teaching of BASKARAN, Bolotin and Le Saint by generating a key based on the manager key. One would be motivated to do so in order to improve security of the device by performing authentication on the device to unlock the device (Benson on [Col 1 line 50-60]).

Regarding claim 12 the combination of BASKARAN, Bolotin and Le Saint teaches all the limitations of claim 11 above, the combination fails to explicitly teach wherein the generation of the challenge is enabled by providing, in response to receiving the request to register, access to an unlocking (Benson on [Col 5 line 5-20] teaches the challenge is encrypted using a public key of the security device such that the encrypted challenge can only be decrypted (e.g., using a RSA protocol) with a private secret key embedded in the security device. In some embodiments, a new encrypted challenge is used for each attempt to authenticate the security device so that an attacker cannot use an old version of an encrypted challenge to impersonate the security device. Further on [Col 8 line 25-35] teaches the public key 150 is used to generate a challenge that is used to authenticate the security device. The challenge 155 of some embodiments includes an encrypted verification value that is encrypted with public key 150 such that only the security device 120 can decrypt it using a private secret (e.g., a private key or a shared key generated based on information received from the target device) of the security device 110. See on [Col 14 line 30-38] teaches the target device 520 generates the challenge 555 by encrypting an unlock secret key (USK) (e.g., a randomly generated value, etc.) using the public key 550).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Benson into the combined teaching of BASKARAN, Bolotin and Le Saint by having access to an unlocking public key. One would be motivated to do so in order to improve security of the device by performing authentication on the device to unlock the device (Benson on [Col 1 line 50-60]).

Regarding claim 13 the combination of BASKARAN, Bolotin and Le Saint teaches all the limitations of claim 11 above, the combination fails to explicitly teach wherein: the generation of the challenge is enabled by providing access, in response to receiving the request to register, to an ephemeral public key and the ephemeral public key is associated with a discarded ephemeral private  (Benson [Col 5 line 5-20] teaches the challenge includes a verification value that is encrypted such that only the security device is able to decrypt the encrypted verification value. For example, in some embodiments, the challenge is encrypted using a shared key (i.e. ephemeral public key) that is generated (e.g., using an elliptic curve Diffie-Hellman (ECDH) protocol) based on a combination of public values that are shared between the target and security devices and private secret values unique to the target and security devices).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Benson into the combined teaching of BASKARAN and Bolotin by having access to an unlocking public key. One would be motivated to do so in order to improve security of the device by performing authentication on the device to unlock the device (Benson on [Col 1 line 50-60]).

Regarding claim 14 the combination of BASKARAN, Bolotin and Le Saint teaches all the limitations of claim 1 above, Bolotin further teaches wherein: the authorization data associated with the user device comprises an encrypted user key that is decryptable based at least partly on a further response calculated by the user device (Bolotin on [0008] teaches the encryption key is often stored on the media in an encrypted form).
The combination of BASKARAN and Bolotin fails to explicitly teach the access controller is configured to calculate the cryptographic key based on the user key, however Benson from analogous art teaches
and the access controller is configured to calculate the cryptographic key based on the user key (Benson on [Col 11 line 12-20] teaches derived key 334 is derived from keys stored at SPR).
(Benson on [Col 1 line 50-60]).

Regarding claim 15 the combination of BASKARAN, Bolotin, Le Saint and Benson teaches all the limitations of claim 1 above, Benson further teaches wherein the further response is to a further challenge generated based on the authorization data associated with the user device (Benson on [Col 8 line 25-35] teaches the public key 150 is used to generate a challenge that is used to authenticate the security device based on response).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Benson into the combined teaching of BASKARAN, Bolotin and Le Saint by generating a challenge based on the calculated key. One would be motivated to do so in order to improve security of the device by performing authentication on the device to unlock the device (Benson on [Col 1 line 50-60]).
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOEEN KHAN whose telephone number is (571)272-3522.  The examiner can normally be reached on 7AM-5PM EST M-TH Alternate Fridays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571)272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.








/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436