Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
Claims 1-16 are presented for examination.
This is a first action on the merits based on Applicant’s claims submitted 9/30/2019.                     

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 10/09/2019 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Applicant is respectfully reminded of the duty to disclose 37 C.F.R. 1.56 all pertinent information and material pertaining to the patentability of applicant’s claimed invention, by continuing to submitting in a timely manner PTO-1449, Information Disclosure Statement (IDS) with the filing of applicant’s application or thereafter.

Claim Rejections - 35 U.S.C. 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:


Claim 1-2, 9-10 rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
In Claim 1 and 9, the limitation reading “wherein the MIC was generated…” and in claims 2 and 10, the limitation reading “comparing the MIC provided…”, the underlined term, “the MIC”, lacks proper antecedent basis.  The underlined term has not been previously positively recited.  Previous recited terms refer to “a first message integrity code (MIC)” and “a second MIC”.  Therefore, it is not clear as to what is “the MIC” referencing to.  Appropriate correction is required. 
In claims 2 and 10, the limitation reciting “the new client device with the respective PMK key of the located…” lacks proper antecedent basis.  The underlined term has not been positively recited previously.  Therefore, it is not clear as to what this underlined term is referencing to.  Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.
s 1-3, 5-6, 8-11, 13-14, 16 rejected under 35 U.S.C. 103 as being unpatentable over Li et al. (US 9674892 B1, hereinafter “Li”) in view of Cam-Winget et al. (EP1958365 B1, hereinafter “Cam”).

Regarding claim 1, Li teaches:
1. A method comprising: 
receiving, [by an authentication server (fig. 5, server 510)] from an access point (fig. 5, access point 520) associated with a wireless network (col. 2 lines 28-29; network devices such as wireless access points are used in wireless networks for communication, as presented also in the background of this invention) or a wireless local area network (LAN) controller that manages the access point (fig. 5), an authentication request comprising a first message integrity code (MIC) of a client- specific pre-shared key (col 9 lines 30-32: “The client responds with a second message 534 including an S-Nonce and a MIC created using a PMK derived from the preshared key.”) to establish an encrypted communication channel between a client of a plurality of clients and the access point (col. 4 lines 9-11: “[keys] which will be used to encrypt future communications with the network”), wherein the MIC was generated using a pair- wise master key (PMK) known to the client (col. 4 line 42- col. 5 line 5; “the second message from a client that includes a S-Nonce and MIC, an embodiment of a wireless access point or other network device will select one of the preshared keys or PMKs from its stored list… The wireless access point or other network device then uses all or a portion of the derived PTK to calculate its own MIC, referred to herein as a verification MIC… If the verification MIC matches the MIC included by the client in the second message, then the wireless access point or other network device has successfully identified the preshared key and corresponding PMK and PTK used by the client… The wireless access point or other network device can then communicate with the client using the PTK derived from the selected preshared key or PMK”; Examiner notes that the underlined portion infers that the PMK used to generate MIC was known to the client) and one or more attributes comprising a media access control (MAC) address of the access point, a nonce value of the access point, a MAC address of the client (col. 6 lines 53-57: “preshared key may be associated with one or more specific client devices, for example using one or more MAC addresses or other unique client device identifiers” i.e. the preshared key is associated to the MAC address) and a nonce value of the client; and 
responsive to receipt of the authentication request, validating the first MIC by: 
receiving, [by the authentication server], the one or more attributes from the access point or the wireless LAN controller (col. 10 lines 11-16: “upon successfully identifying a client's assigned PSK, a wireless access point or other network device forwards the client's MAC address or other identifier, such as a user name, to a roaming cache data structure accessible to other wireless access points or other devices”; i.e. MAC address of the client is sent to access point and in return access point forwards the MAC address to another entity; Examiner notes that the MAC address can be supplied to another entity to perform verification); 
determining, [by the authentication server], a second MIC (i.e. verification MIC- see reference below from col. 4 lines 42-col. 5 line 5)  based on the client- specific pre-shared key of the client known to the authentication server (i.e. preshared key or PMK stored in the access point or other network device’s list) and the one or more received attributes (col. 6 lines 53-57: “preshared key may be associated with one or more specific client devices, for example using one or more MAC addresses), wherein the client-specific pre-shared key known to the authentication server is extracted from a key database comprising a plurality of entries (i.e. network device’s stored list – see reference below from col. 4 lines 42-col. 5 line 5), each entry (i.e. list in roaming cache) including any or a combination of a MAC address of a specific client of the plurality of clients (i.e. client MAC addresses), a service set identifier (SSID) of the access point, a client-specific pre-shared key assigned [by the authentication server] to the specific client and a PMK known to the authentication server (i.e. network device) (i.e. PSK or PMKs) (col. 10 lines 17-18: “associates client identifiers, such as client MAC addresses or user names, with PSKs or PMKs” and col. 10 lines 36-39: “the network device may identify this client's PSK or PMK using the roaming cache, rather than traversing the list of all PSKs or PMKs to compare validation MICs. ”; Examiner notes that such cache contains its own version of keys that need to be verified with the keys used by the client device, so it is known to the network device [server]) ; and 
validating, [by the authentication server], the client-specific pre-shared key to be authentic when the first MIC matches with the second MIC (col. 4 lines 42-col. 5 line 5: “the second message from a client that includes a S-Nonce and MIC, an embodiment of a wireless access point or other network device will select one of the preshared keys or PMKs from its stored list… The wireless access point or other network device then uses all or a portion of the derived PTK to calculate its own MIC, referred to herein as a verification MIC… If the verification MIC matches the MIC included by the client in the second message, then the wireless access point or other network device has successfully identified the preshared key and corresponding PMK and PTK used by the client…”; Examiner notes that this portion infers that the network device contains its own version of keys that need to be verified with the keys used by the client device).
	Li teaches the entry with combination of MAC address of client and the PSK known to the network device [server], as shown above (See col. 10 lines 17-18 and col. 10 lines 36-39).  This reference teaches entry is stored in a memory structure, roaming cache, accessible by the access point or another network device, and contains the combination between the MAC address of the plurality of clients and the PMK known to the network device [server].  Although Li is silent on where the cache is located, it teaches that the network device has access to it, which could be either internal or remote.  Inferring perhaps that the cache is located remote from the network device.  It could have been obvious to one having ordinary skill in the art before the effective filing date of the invention to have a cache residing the network device, since it has been held that forming in one piece an article, which has formerly been formed in two pieces and put together, involves only routine skill in the art.
Additionally, Li teaches that an access point or other network device performs the verification of the second MIC, however, Cam teaches that an authentication can be performed equally between an access point or an authentication server (claim limitation reciting “by an/the authentication server”) (Cam: par 28: “Of course, alternate embodiments of the present system and method may be configured utilizing other authenticator and supplicant components. For example, it will be appreciated that the authenticator may be an access point, switch, authentication server or the like”).
Accordingly, it would have been obvious to one having ordinary skill in the art before the effective filing date of the invention to have implemented an authentication with an authentication server, as taught by Cam, to Li’s invention.  The motivation to do this would be in order to provide a way, in the case the authentication server is co-located with the access point, to provide authentication over great distances from a remote location disposed to the authentication server (Cam: par 38). 

Regarding claim 2, the combination of Li and Cam teach:
2. The method of claim 1, responsive to a first connection between the access point and a new client device in which there is not yet an association between a MAC address of the new client device and a second client-specific pre-shared key assigned by the authentication server to the new client device (Li: col. 3 lines 64- col. 4 lines 3; i.e. upon a client connecting or associating to an access point): 
locating, by the authentication server, an entry of the plurality of entries containing the second client-specific pre-shared key by comparing the MIC provided by the new client device to the client-specific pre-shared keys of those entries of the plurality of entries not yet bound to a particular MAC address (Li: col. 10 lines 36-39: “the network device may identify this client's PSK or PMK using the roaming cache, rather than traversing the list of all PSKs or PMKs to compare validation MICs. ”; Examiner notes that such cache contains its own version of keys that need to be verified with the keys used by the client device, so it is known to the network device [server]); and 
assigning the second client-specific pre-shared key as the client-specific pre-shared key for the new client device by binding the MAC address of the new client device with the respective PMK key of the located entry containing the second client-specific pre- shared key (Li: col. 10 lines 17-18: “associates client identifiers, such as client MAC addresses or user names, with PSKs or PMKs” and col. 10 lines 36-39: “the network device may identify this client's PSK or PMK using the roaming cache, rather than traversing the list of all PSKs or PMKs to compare validation MICs. ”; Examiner notes that this portion infers that an assignment between the pre-shared key and the client device’s MAC address).

Regarding claim 3, the combination of Li and Cam teach:
3. The method of claim 2, wherein the new client is subsequently authenticated by the authentication server based on the second client-specific pre-shared key (Li: col. 4 lines 42-col. 5 line 5; i.e. verification of MICs on each client).





Regarding claim 5, the combination of Li and Cam teach:
5. The method of claim 1, wherein the first message integrity code (MIC) is generated based on deriving a pair-wise transient key (PTK) from the PMK at the client device (Li: col. 4 lines 4-27; i.e. client generates the PTK from PMK).

Regarding claim 6, the combination of Li and Cam teach:
6. The method of claim 1, wherein the second MIC is generated based on deriving the PTK from the PMK at the authentication server (Li: col. 4 lines 42-col. 5 line 5: “the second message from a client that includes a S-Nonce and MIC, an embodiment of a wireless access point or other network device will select one of the preshared keys or PMKs from its stored list…”; Examiner notes that this portion infers that the network device contains its own version of keys that need to be verified with the keys used by the client device).

Regarding claim 8, the combination of Li and Cam teach:
8. The method of claim 1, wherein the client specific pre-shared key is discarded from the key database (Li: i.e. key is invalid) when the client device is disconnected (Li: i.e. revoked key causes disconnect from network) from the network (Li: col. 10 lines 1-7; i.e. keys once removed or marked invalid, are revoked and cannot be used to access the network).

Regarding claim 9, the claim limitations are set forth and rejected as discussed in claim 1.  Furthemore, Li also teaches the additional limitations as follows:
9. A non-transitory computer-readable storage medium embodying a set of instructions, which when executed by one or more processors of an authentication server, causes the one or more processors to perform a method comprising (Li: fig. 6):
Regarding claim 10, the claim limitations are set forth and rejected as discussed in claim 2.
Regarding claim 11, the claim limitations are set forth and rejected as discussed in claim 3.
Regarding claim 13, the claim limitations are set forth and rejected as discussed in claim 5.
Regarding claim 14, the claim limitations are set forth and rejected as discussed in claim 6.
Regarding claim 16, the claim limitations are set forth and rejected as discussed in claim 8.


Claim 4, 7, 12, 15 rejected under 35 U.S.C. 103 as being unpatentable over Li et al. (US 9674892 B1, hereinafter “Li”) in view of Cam-Winget et al. (EP1958365 B1, hereinafter “Cam”) in further view of Official Notice.

Regarding claim 4,  the combination of Li and Cam teach:
4. The method of claim 1, wherein the authentication server operates as an external remote authentication dial-in user service (RADIUS) server, wherein said receiving, by the authentication server, the one or more attributes from the access point or the wireless LAN controller comprises receiving a web application programming interface (API) authentication call (Cam: par 21:”Software may also be implemented in various forms such as a stand-alone program, a function call, a servlet, an applet, driver code, instructions stored in a memory, part of an operating system or other type of executable instructions. It will be appreciated by one of ordinary skill in the art that the form of software may be dependent on, for example, requirements of a desired application, the environment it runs on, and/or the desires of a designer/programmer or the like”; Examiner notes that such portion of the reference infers that API call is in place in order to facilitate communication between different applications within the network, as it is also implied in the background, as known in the art [Cam: par 3: “access to a network can be restricted by any number of methods, including user logins and passwords, network identification of a unique identification number embedded within the network interface card, call-back schemes for dial-up access, and others. These conventional protection schemes are directed toward controlling the overall access to the network services and toward protecting the data transmissions”]) and responsive thereto performing a RADIUS-based authentication with the MAC address of the client serving as a username (Li: col. 6 lines 33-42; username identifies the client; col. 6 lines 43-57; MAC address is a unique client device identifier) and the first MIC serving as a password (Li: col. 5 lines 53- 60; i.e. PSK is the password).
	Li and Cam disclose the claimed invention except for explicitly stating that the username is the MAC address and the MIC is a password (see Li above).  It would have been an obvious matter of design choice to appoint a MAC address of the client as a username and to appoint the first MIC as a password since the applicant has not disclosed that explicitly setting the MAC address of the client as a username and explicitly setting the first MIC as a password solves any stated problem or is for any particular purpose and it appears that the invention would perform equally well with a username to be an identifier of the client device and a password to be the exclusive pre-shared key of the client because these are also distinct identifiers of a user that can be used to distinguish different users and therefore the RADIUS server can use the information to authenticate the clients.

Regarding claim 7, the combination of Li and Cam teach:
7. The method of claim 6, wherein the PTK is divided into a combination of 128-bit (Cam: par 35; i.e. PTK is 128-bits) key confirmation key (KCK), 128-bit (Cam: par 35; i.e. PTK is 128-bits) key encryption key (KEK), and 128-bit (Cam: par 35; i.e. PTK is 128-bits) temporary encryption key (TEK) (Li: col. 4 lines 16-20; PTK is divided in 4 different combination of keys).
	Li and Cam disclose four different PTK keys (see Li above), as disclosed in the claimed invention except for the fact that the key names are different.  It would have been an obvious matter of design choice to have named the keys as claimed in the invention since the applicant has not disclosed that these specific key names solves any stated problem or is for any particular purpose and it appears that the invention would perform equally well with EAPOL-MIC key, EAPOL-Encr key, Data-MIC key and Data-Encr key (Li: col. 4 lines 16-20), which in itself are also key encryption keys and data keys.
Regarding claim 12, the claim limitations are set forth and rejected as discussed in claim 4.
Regarding claim 15, the claim limitations are set forth and rejected as discussed in claim 7.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892 Notice of References Cited.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LIZBETH TORRES-DIAZ whose telephone number is (571)272-1787.  The examiner can normally be reached on 9:00a-4:30p.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr, can be reached on (571)272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/LIZBETH TORRES-DIAZ/Examiner, Art Unit 2495                                                                                                                                                                                                        
/11 February 2022/
/ltd/