DETAILED ACTION
This communication is in response to Applicant’s amendment filed on December 07, 2021. Claims 10 and 20 have been canceled, claims 1, 8, 9, 11, 18 and 19 have been amended, and claims 21-22 have been newly added. Claims 1-9, 11-19 and 21-22 are pending and are directed towards a system and method for SECURE REPROGRAMMING OF EMBEDDED PROCESSING SYSTEM. Examiner acknowledges Applicant’s amendment to the specification and claims, and therefore withdraws the previous office action’s objections to the specification and the claims, the 35 USC § 112(b) rejection, and the 35 USC § 102 rejection. However, due to the change in the scope of the claims in the amendment, a new rejection under 35 USC § 103 is presented herein.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant's arguments filed on December 07, 2021 with respect to the 35 U.S.C. 102 and 103 rejections have been fully considered but they are moot in view of the new grounds of rejection. Applicant’s arguments have been addressed in the rejections below.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


Claims 21 and 22 recite the limitation “when a correct key exists in the embedded processing system”, which is vague and not clear. It is not understood what the correct key is, or what role the correct key plays in detecting the authentication failure.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-6, 8-9, 11-16 and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Kim et al. U.S. Patent Pub. No. 2021/0012008 A1 (hereinafter “Kim”) in view of Skertic et al. U.S. Patent Pub. No. 2020/0204374 A1 (hereinafter “Skertic”).
 
As per claim 1, Kim teaches an embedded processing system (a device 100. Kim, Fig. 1 element 100) comprising: 
processing circuitry (CPU. Kim Fig. 1 element 110); 
a memory system (Memory and RAM. Kim, Fig. 1 elements 130 and 140); and 
a reprogramming control (MTP [security module]. Kim, Fig. 1 element 120) configured to: 
authenticate a user associated with a reprogramming operation of the embedded processing system (The security module 120 may include functions such as authentication. Kim, para [0037]) (a mutual authentication process between a gateway of a manager and a device. Kim, para [0026] and Fig. 2) (initiating a device managed by an authorized manager. Kim, para [0012]) (the authorized manager is a person authorized to drive the device or update the firmware, a person who has been delegated the management of firmware, etc. from a manufacturer of the device or its manufacturer, and also a person who purchases the device from the manufacturer or receives and uses the device. Kim, para [0013]); 
receive an encrypted configuration item (loading the encrypted firmware image. Kim, para [0012]); 
decrypt and authenticate the encrypted configuration item as a decrypted and authenticated configuration item (confirming integrity of the encrypted firmware image [authenticate]… decrypting encrypted firmware included in the encrypted firmware image by using the decrypted symmetric key[decrypt]. Kim, para [0012]) responsive to authenticating the user ([the decryption and authentication are done after] initiating a device managed by an authorized manager. Kim, para [0012]); and 
store the decrypted and authenticated configuration item in the memory system (copying the encrypted firmware update image to a memory in which the existing encrypted firmware image is stored when the integrity of the encrypted firmware update image is confirmed. Kim, para [0020]).
Kim does not explicitly teach wherein the embedded processing system is a controller of a gas turbine engine, and the encrypted configuration item comprises an application configured to control operation of the gas turbine engine; and wherein the processing circuitry is configured to execute the application to control the gas turbine engine after the decrypted and authenticated configuration item is stored in the memory system.
However, Skertic teaches wherein the embedded processing system is a controller of a gas turbine engine, and the encrypted configuration item comprises an application configured to control operation of the gas turbine engine (a processing system for controlling a gas turbine engine, the processing system may include a first electronic component, the first electronic component being configured to: generate a request to initiate a trusted communication session with a second electronic component. Skertic, para [0012]) (decrypting the encrypted message, at the engine control module, with a public key associated with the vendor to obtain a decrypted hash; ensuring the decrypted hash matches a stored hash in the engine control module to thereby authenticate the operational data. Skertic, para [0014])
(controlling by the second electronic component, a fuel valve based on metrics reported by the first electronic component during the trusted communication session. Skertic, para [0011]) (If authentic, then the receiver may execute a control based on data contained in the message at block 234. For example, if the sender is a smart sensor 110 then the receiver may accept sensor measurements contained in the message as accurate readings at block 234. If the sender is a central control module 130 and the receiver is a smart actuator 120, then the receiver may perform an activity contained in the message (e.g., increase or decreasing rotational speed). Skertic, para [0037]) (Processors are configured to perform a certain function, method, or operation at least when one of the one or more of the distinct processors is capable of executing code, stored on memory embodying the function, method, or operation. Processors may be configured to perform any and all functions, methods, and operations disclosed herein. Skertic, para [0091]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the teaching of Kim in view of Skertic’s teaching. One would be motivated to do so, to securely authenticate and control the operation of the gas turbine engine. (Skertic, para [0002])

As per claim 2, Kim and Skertic teach the embedded processing system of claim 1, wherein the reprogramming control is further configured to authenticate the user based on one or more user credentials received from a reprogramming system and user authentication data stored in the embedded processing system (the gateway 200 [reprogramming system] merges the received NONCE of the device 100 with the NONCE of the gateway 200, signs the merged NONCE with its secret key or private key, and then transmits the signed secret key [user credentials] to the device 100. Then, the device 100 verifies the signature sent from the gateway 200 using the public key of the gateway 200. Kim, para [0046]) (the security module may include a public key of the manager [user authentication data stored in the embedded system] and an encryption key or a private key of the security module. Kim, para [0017]).

As per claim 3, Kim and Skertic teach the embedded processing system of claim 2, wherein the reprogramming control is further configured to receive a transaction indicator associated with the encrypted configuration item (the authorized manager is a person authorized to drive the device or update the firmware [“update” is the transaction indicator], a person who has been delegated the management of firmware, etc. from a manufacturer of the device or its manufacturer, and also a person who purchases the device from the manufacturer or receives and uses the device. Kim, para [0013]) (a method of updating a device using an encrypted firmware update image provided by an authorized manager. Kim, para [0020]).

As per claim 4, Kim and Skertic teach the embedded processing system of claim 3, wherein authentication of the user is based on the transaction indicator (the authorized manager is a person authorized to drive the device or update the firmware [“update” is the transaction indicator], a person who has been delegated the management of firmware, etc. from a manufacturer of the device or its manufacturer, and also a person who purchases the device from the manufacturer or receives and uses the device. Kim, para [0013]), the one or more user credentials received from the reprogramming system, and the user authentication data (the gateway 200 [reprogramming system] merges the received NONCE of the device 100 with the NONCE of the gateway 200, signs the merged NONCE with its secret key or private key, and then transmits the signed secret key [user credentials] to the device 100. Then, the device 100 verifies the signature sent from the gateway 200 using the public key of the gateway 200. Kim, para [0046]) (the security module may include a public key of the manager [user authentication data stored in the embedded system] and an encryption key or a private key of the security module. Kim, para [0017]).

As per claim 5, Kim and Skertic teach the embedded processing system of claim 1, wherein the reprogramming control is further configured to receive transmitted cryptographic information comprising one or more encryption parameters associated with the encrypted configuration item (the encrypted firmware image may include a header, a symmetric key [encryption parameter] encrypted by an encryption key of the security module 120, and firmware encrypted by the symmetric key. Kim, para [0059]).

As per claim 6, Kim and Skertic teach the embedded processing system of claim 5, wherein the reprogramming control is further configured to use the transmitted cryptographic information and stored cryptographic information to decrypt the encrypted configuration item (When the integrity of the encrypted firmware image is confirmed, the device 100 may decrypt the encrypted symmetric key encrypted by using a unique secret key or a private key of the security module 120 and obtain a symmetric key for decrypting the firmware. The algorithm used for decrypting the symmetric key may be RSA 2048 and an RSA key used for decryption may be a key generated by the device 100 itself [stored cryptographic information] through the security module 120. Kim, para [0064]).

As per claim 8, Kim and Skertic teach the embedded processing system of claim 1, wherein the decrypted and authenticated configuration item is authenticated by one or more asymmetric cryptographic methods (a Diffie-Hellman (DH) algorithm may be used and ECDSA may be used for key generation. Kim, para [0049]) using unique key pairs (the gateway 200 may transmit its ECDSA public key to the device 100. The device 100 may generate a secret key having the received ECDSA public key of the gateway 200 and an ECDSA secret key of the device 100 and to be used for the encryption communication. Kim, para [0051]-[0052]) that result in an authentication failure based on an incorrect key, a missing key, or software that is tampered with resulting in an authentication failure (The device 100 confirms whether the encrypted firmware image is forged or falsified during the booting process using the security module. Kim, para [0057]) (If the integrity of the firmware image is not confirmed during the initialization or if an error occurs in the process of decrypting with the unique encryption key stored in the security module 120, the device 100 stops the initiation process to prevent the forgery-suspected firmware from being executed in the device. Kim, para [0066]).

As per claim 9, Kim and Skertic teach the embedded processing system of claim 1, wherein the reprogramming control is further configured to encrypt a configuration item extracted from the memory system and transfer the configuration item to a communication system that is external to the embedded processing system (When the firmware is encrypted using the generated symmetric key, the AES 128 key may also be encrypted to prevent leakage of the symmetric key. Kim, para [0076]) (RSA2048 may be used to encrypt the AES128 key. An encryption key to be used for the RSA 2048 is generated according to the security module 120 of the device 100 respectively and the manager may encrypt the symmetric key AES 128 key that encrypted the firmware, by using the encryption key distributed by the device. Kim, para [0077]).

As per claim 11, Kim teaches a method comprising: 
authenticating, by a reprogramming control of an embedded processing system, a user associated with a reprogramming operation of the embedded processing system (The security module 120 may include functions such as authentication. Kim, para [0037]) (a mutual authentication process between a gateway of a manager and a device. Kim, para [0026] and Fig. 2) (initiating a device managed by an authorized manager. Kim, para [0012]) (the authorized manager is a person authorized to drive the device or update the firmware, a person who has been delegated the management of firmware, etc. from a manufacturer of the device or its manufacturer, and also a person who purchases the device from the manufacturer or receives and uses the device. Kim, para [0013]); 
receiving an encrypted configuration item at the embedded processing system (loading the encrypted firmware image. Kim, para [0012]); 
decrypting and authenticating, by the reprogramming control, the encrypted configuration item as a decrypted and authenticated configuration item (confirming integrity of the encrypted firmware image [authenticate]… decrypting encrypted firmware included in the encrypted firmware image by using the decrypted symmetric key[decrypt]. Kim, para [0012]) responsive to authenticating the user ([the decryption and authentication are done after] initiating a device managed by an authorized manager. Kim, para [0012]); and 
(copying the encrypted firmware update image to a memory in which the existing encrypted firmware image is stored when the integrity of the encrypted firmware update image is confirmed. Kim, para [0020]).
Kim does not explicitly teach wherein the embedded processing system is a controller of a gas turbine engine, and the encrypted configuration item comprises an application configured to control operation of the gas turbine engine; and executing the application, by the embedded processing system, to control the gas turbine engine after the decrypted and authenticated configuration item is stored in the memory system.
However, Skertic teaches wherein the embedded processing system is a controller of a gas turbine engine, and the encrypted configuration item comprises an application configured to control operation of the gas turbine engine (a processing system for controlling a gas turbine engine, the processing system may include a first electronic component, the first electronic component being configured to: generate a request to initiate a trusted communication session with a second electronic component. Skertic, para [0012]) (decrypting the encrypted message, at the engine control module, with a public key associated with the vendor to obtain a decrypted hash; ensuring the decrypted hash matches a stored hash in the engine control module to thereby authenticate the operational data. Skertic, para [0014]); and
executing the application, by the embedded processing system, to control the gas turbine engine after the decrypted and authenticated configuration item is stored in the memory system (controlling by the second electronic component, a fuel valve based on metrics reported by the first electronic component during the trusted communication session. Skertic, para [0011]) (If authentic, then the receiver may execute a control based on data contained in the message at block 234. For example, if the sender is a smart sensor 110 then the receiver may accept sensor measurements contained in the message as accurate readings at block 234. If the sender is a central control module 130 and the receiver is a smart actuator 120, then the receiver may perform an activity contained in the message (e.g., increase or decreasing rotational speed). Skertic, para [0037]) (Processors are configured to perform a certain function, method, or operation at least when one of the one or more of the distinct processors is capable of executing code, stored on memory embodying the function, method, or operation. Processors may be configured to perform any and all functions, methods, and operations disclosed herein. Skertic, para [0091]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the teaching of Kim in view of Skertic’s teaching. One would be motivated to do so, to securely authenticate and control the operation of the gas turbine engine. (Skertic, para [0002])

As per claim 12, Kim and Skertic teach the method of claim 11, further comprising: authenticating the user based on one or more user credentials received from a reprogramming system and user authentication data stored in the embedded processing system (the gateway 200 [reprogramming system] merges the received NONCE of the device 100 with the NONCE of the gateway 200, signs the merged NONCE with its secret key or private key, and then transmits the signed secret key [user credentials] to the device 100. Then, the device 100 verifies the signature sent from the gateway 200 using the public key of the gateway 200. Kim, para [0046]) (the security module may include a public key of the manager [user authentication data stored in the embedded system] and an encryption key or a private key of the security module. Kim, para [0017]).

As per claim 13, Kim and Skertic teach the method of claim 12, further comprising: receiving a transaction indicator associated with the encrypted configuration item (the authorized manager is a person authorized to drive the device or update the firmware [“update” is the transaction indicator], a person who has been delegated the management of firmware, etc. from a manufacturer of the device or its manufacturer, and also a person who purchases the device from the manufacturer or receives and uses the device. Kim, para [0013]) (a method of updating a device using an encrypted firmware update image provided by an authorized manager. Kim, para [0020]).

As per claim 14, Kim and Skertic teach the method of claim 13, wherein authentication of the user is based on the transaction indicator (the authorized manager is a person authorized to drive the device or update the firmware [“update” is the transaction indicator], a person who has been delegated the management of firmware, etc. from a manufacturer of the device or its manufacturer, and also a person who purchases the device from the manufacturer or receives and uses the device. Kim, para [0013]), the one or more user credentials received from the reprogramming system, and the user authentication data (the gateway 200 [reprogramming system] merges the received NONCE of the device 100 with the NONCE of the gateway 200, signs the merged NONCE with its secret key or private key, and then transmits the signed secret key [user credentials] to the device 100. Then, the device 100 verifies the signature sent from the gateway 200 using the public key of the gateway 200. Kim, para [0046]) (the security module may include a public key of the manager [user authentication data stored in the embedded system] and an encryption key or a private key of the security module. Kim, para [0017]).
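The nonce-and-signature exchange the examiner relies on for claims 2-4 and 12-14 (the gateway signs the merged nonces with its private key; the device verifies with the gateway's stored public key) is small enough to show as working code. The block below is an added illustration written for this page, not code from Kim, Skertic or the Applicant; it assumes ECDSA over P-256, 16-byte nonces and SHA-256 over the concatenated nonces, none of which the page specifies, and it shows only the direction the claims rely on (the device authenticating the manager). The check that a response is bound to a fresh challenge is what makes an incorrect key or a replayed signature fail.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Gateway is the manager side and holds the long-term ECDSA key pair
// (curve and nonce size are assumptions for this example).
type Gateway struct{ priv *ecdsa.PrivateKey }

// Device holds only the manager's public key, provisioned into its security
// module, plus the nonce it issued for the current authentication attempt.
type Device struct {
	managerPub *ecdsa.PublicKey
	nonce      []byte
}

func NewGateway() (*Gateway, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Gateway{priv: k}, nil
}

// merge concatenates the device nonce and gateway nonce into one buffer.
func merge(a, b []byte) []byte {
	out := make([]byte, 0, len(a)+len(b))
	out = append(out, a...)
	return append(out, b...)
}

// Challenge issues a fresh device nonce for one authentication attempt.
func (d *Device) Challenge() ([]byte, error) {
	d.nonce = make([]byte, 16)
	_, err := rand.Read(d.nonce)
	return d.nonce, err
}

// Respond merges the received device nonce with a gateway nonce and signs the
// hash of the merged value with the gateway's private key.
func (g *Gateway) Respond(deviceNonce []byte) (gwNonce, sig []byte, err error) {
	gwNonce = make([]byte, 16)
	if _, err = rand.Read(gwNonce); err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(merge(deviceNonce, gwNonce))
	sig, err = ecdsa.SignASN1(rand.Reader, g.priv, digest[:])
	return gwNonce, sig, err
}

// Verify recomputes the merged-nonce hash over the device's own outstanding
// nonce and checks the signature with the stored manager public key. The
// nonce is consumed either way, so a replayed response cannot verify twice.
func (d *Device) Verify(gwNonce, sig []byte) error {
	if d.nonce == nil {
		return errors.New("no outstanding challenge")
	}
	digest := sha256.Sum256(merge(d.nonce, gwNonce))
	ok := ecdsa.VerifyASN1(d.managerPub, digest[:], sig)
	d.nonce = nil
	if !ok {
		return errors.New("manager authentication failed")
	}
	return nil
}

func main() {
	gw, _ := NewGateway()
	dev := &Device{managerPub: &gw.priv.PublicKey}
	n, _ := dev.Challenge()
	gn, sig, _ := gw.Respond(n)
	fmt.Println("genuine gateway:", dev.Verify(gn, sig))
	dev.Challenge()
	fmt.Println("replayed response:", dev.Verify(gn, sig))
	impostor, _ := NewGateway() // key pair the device was never provisioned with
	n2, _ := dev.Challenge()
	gn2, sig2, _ := impostor.Respond(n2)
	fmt.Println("wrong key:", dev.Verify(gn2, sig2))
}
```

Kim's cited paragraphs describe the exchange as mutual; the reverse direction (gateway verifying the device's signature over the same merged nonces with the device's public key) is the same routine with the roles swapped.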

As per claim 15, Kim and Skertic teach the method of claim 11, further comprising: receiving transmitted cryptographic information comprising one or more encryption parameters associated with the encrypted configuration item (the encrypted firmware image may include a header, a symmetric key [encryption parameter] encrypted by an encryption key of the security module 120, and firmware encrypted by the symmetric key. Kim, para [0059]).

As per claim 16, Kim and Skertic teach the method of claim 15, further comprising: using the transmitted cryptographic information and stored cryptographic information to decrypt the encrypted configuration item (When the firmware is encrypted using the generated symmetric key, the AES 128 key may also be encrypted to prevent leakage of the symmetric key. Kim, para [0076]) (RSA2048 may be used to encrypt the AES128 key. An encryption key to be used for the RSA 2048 is generated according to the security module 120 of the device 100 respectively and the manager may encrypt the symmetric key AES 128 key that encrypted the firmware, by using the encryption key distributed by the device. Kim, para [0077]).

As per claim 18, Kim and Skertic teach the method of claim 11, wherein the decrypted and authenticated configuration item is authenticated by one or more asymmetric cryptographic methods (a Diffie-Hellman (DH) algorithm may be used and ECDSA may be used for key generation. Kim, para [0049]) using unique key pairs (the gateway 200 may transmit its ECDSA public key to the device 100. The device 100 may generate a secret key having the received ECDSA public key of the gateway 200 and an ECDSA secret key of the device 100 and to be used for the encryption communication. Kim, para [0051]-[0052]) that result in an authentication failure based on an incorrect key, a missing key, or software that is tampered with resulting in an authentication failure (The device 100 confirms whether the encrypted firmware image is forged or falsified during the booting process using the security module. Kim, para [0057]) (If the integrity of the firmware image is not confirmed during the initialization or if an error occurs in the process of decrypting with the unique encryption key stored in the security module 120, the device 100 stops the initiation process to prevent the forgery-suspected firmware from being executed in the device. Kim, para [0066]).

As per claim 19, Kim and Skertic teach the method of claim 11, further comprising: encrypting a configuration item extracted from the memory system; and transferring the configuration item to a communication system that is external to the embedded processing system (When the firmware is encrypted using the generated symmetric key, the AES 128 key may also be encrypted to prevent leakage of the symmetric key. Kim, para [0076]) (RSA2048 may be used to encrypt the AES128 key. An encryption key to be used for the RSA 2048 is generated according to the security module 120 of the device 100 respectively and the manager may encrypt the symmetric key AES 128 key that encrypted the firmware, by using the encryption key distributed by the device. Kim, para [0077]).
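The encrypted firmware image cited for claims 5, 6, 8 and 9 (and 15, 16, 18 and 19) is a standard hybrid construction: a header, an AES-128 symmetric key wrapped under the device's RSA-2048 key, and firmware encrypted under that symmetric key, with the device refusing to proceed when integrity is not confirmed or key unwrap fails. The block below is an added reconstruction written for this page, not Kim's or the Applicant's code; the byte layout, RSA-OAEP with SHA-256 for the key wrap, and AES-GCM (so the integrity check and decryption are one step, with the header bound as associated data) are all assumptions, since the page names only the key sizes and algorithms. BuildImage is the manager side that encrypts with the key distributed by the device; VerifyAndDecrypt is the device side, and the three cases at the end show a genuine image, a tampered image and a wrong device key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout (assumed for this example, not Kim's actual format):
//   magic (4) | wrapped-key length (uint16 BE) | RSA-OAEP wrapped AES-128 key
//   | GCM nonce (12) | AES-128-GCM ciphertext with appended tag
const magic = "FWIM"

// BuildImage is the manager side: a fresh AES-128 key encrypts the firmware and
// is itself wrapped with the device's RSA public key so it is never sent in clear.
func BuildImage(devicePub *rsa.PublicKey, firmware []byte) ([]byte, error) {
	key := make([]byte, 16)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, devicePub, key, []byte(magic))
	if err != nil {
		return nil, err
	}
	hdr := new(bytes.Buffer)
	hdr.WriteString(magic)
	_ = binary.Write(hdr, binary.BigEndian, uint16(len(wrapped)))
	hdr.Write(wrapped)

	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Header and wrapped key are associated data: altering them fails the tag
	// check even though they are not encrypted.
	ct := gcm.Seal(nil, nonce, firmware, hdr.Bytes())
	return append(append(hdr.Bytes(), nonce...), ct...), nil
}

// VerifyAndDecrypt is the device side: unwrap the symmetric key with the
// device's own private key, then authenticate and decrypt the firmware. Any
// failure returns an error and no firmware, so a caller can stop the load.
func VerifyAndDecrypt(devicePriv *rsa.PrivateKey, image []byte) ([]byte, error) {
	if len(image) < len(magic)+2 || string(image[:len(magic)]) != magic {
		return nil, errors.New("bad header")
	}
	wlen := int(binary.BigEndian.Uint16(image[len(magic):]))
	hdrEnd := len(magic) + 2 + wlen
	if hdrEnd > len(image) {
		return nil, errors.New("truncated image")
	}
	hdr, wrapped := image[:hdrEnd], image[len(magic)+2:hdrEnd]
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, devicePriv, wrapped, []byte(magic))
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(image) < hdrEnd+gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("truncated image")
	}
	nonce := image[hdrEnd : hdrEnd+gcm.NonceSize()]
	fw, err := gcm.Open(nil, nonce, image[hdrEnd+gcm.NonceSize():], hdr)
	if err != nil {
		return nil, fmt.Errorf("integrity check failed: %w", err)
	}
	return fw, nil
}

func main() {
	device, _ := rsa.GenerateKey(rand.Reader, 2048) // generated on the device itself
	img, _ := BuildImage(&device.PublicKey, []byte("constructed firmware blob"))
	fw, err := VerifyAndDecrypt(device, img)
	fmt.Printf("genuine image: %q err=%v\n", fw, err)
	img[len(img)-1] ^= 1 // flip one ciphertext bit
	_, err = VerifyAndDecrypt(device, img)
	fmt.Println("tampered image:", err)
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = VerifyAndDecrypt(other, img)
	fmt.Println("wrong device key:", err)
}
```

The order of operations matters for the claim 8/18 failure modes: a wrong or missing device key fails at the unwrap step before any firmware byte is touched, and a modified image fails the GCM tag check before plaintext is released, so neither case leaves partially decrypted firmware in memory.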

Claims 7 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Kim et al. U.S. Patent Pub. No. 2021/0012008 A1 (hereinafter “Kim”) in view of Skertic et al. U.S. Patent Pub. No. 2020/0204374 A1 (hereinafter “Skertic”) and further in view of Strydom et al. U.S. Patent Pub. No. 2016/0125397 A1 (hereinafter “Strydom”).

As per claims 7 and 17, Kim and Skertic teach the embedded processing system and the method of claims 6 and 16. Kim does not explicitly teach wherein the transmitted cryptographic information is stored for a transaction duration within the embedded processing system and erased upon completion of a load transaction, and the stored cryptographic information is retained after completion of the load transaction.
However, Strydom teaches the transmitted cryptographic information is stored for a transaction duration within the embedded processing system and erased upon completion of a load transaction, and the stored cryptographic information is retained after completion of the load transaction (receiving the encrypted token [cryptographic information] from the third party; decrypting the encrypted token to extract the consumer reference token and the whole or portion of the data item which is not to be stored therefrom; querying the database to obtain the consumer credentials stored on the database; initiating a payment transaction using the consumer credentials stored [stored cryptographic information] on the database together with the data item which is not to be stored; and upon completion of the payment transaction, erasing the encrypted token transmitted to the third party and the combined portion of the data item which is not to be stored from all memory of the server computer. Strydom, para [0018]-[0022])
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the teaching of Kim and Skertic so that the transmitted cryptographic information is stored for a transaction duration within the . 

Claims 21 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Kim et al. U.S. Patent Pub. No. 2021/0012008 A1 (hereinafter “Kim”) in view of Skertic et al. U.S. Patent Pub. No. 2020/0204374 A1 (hereinafter “Skertic”) and further in view of Sallam U.S. Patent Pub. No. 2012/0254982 A1.

As per claims 21 and 22, Kim and Skertic teach the embedded processing system and the method of claims 1 and 11. Kim and Skertic do not explicitly teach wherein the reprogramming control is further configured to detect an authentication failure for a memory address range due to tampering of memory content in the memory address range when a correct key exists in the embedded processing system.
However, Sallam teaches wherein the reprogramming control is further configured to detect an authentication failure for a memory address range due to tampering of memory content in the memory address range when a correct key exists in the embedded processing system (Certain arithmetic instructions, bitwise instructions, or MOV instructions are all instructions that might cause a change in the content of a memory page or address range. By trapping such instructions, changes to a code section or data section may be recorded. If subsequent analysis shows that the code section or data section was modified as part of self-modifying malware, then the trapped and recorded instructions may be used to track the encryption algorithm used by the malware […], by keeping track of memory modifications, repair logic may be achieved by reversing the application of the instructions. Sallam, para [0176]) (Microcode security agent 706 may be configured to protect a memory address or a range of memory addresses from attempts to load, read, write, or execute attempts. Such memory may include sensitive data, or may be the initialization point for a restricted, sensitive, or protected function. Microcode security agent 706 may prevent access to such memory where there is no verification that the accessing software is safe or neutral. Sallam, para [0180]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the teaching of Kim and Skertic in view of Sallam’s teachings. One would be motivated to do so, to enhance the security of the system. (Sallam, para [0180]) 

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to KHALID M ALMAGHAYREH whose telephone number is (571)272-0179. The examiner can normally be reached Monday - Thursday 8AM-5PM EST & Friday variable.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SALEH NAJJAR can be reached on (571)272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



Respectfully Submitted

/KHALID M ALMAGHAYREH/Examiner, Art Unit 2492
/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492