DETAILED ACTION
This Non-Final Office Action is in response to the request for continued examination filed on 01/27/2020.  	Claims 1-20 are being considered on the merits.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Continued Examination Under 37 CFR 1.114
2.	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 01/27/2020 has been entered.
Response to Arguments
3.	Applicant's arguments filed 12/29/2021 have been fully considered but they are not persuasive. Applicant argues that regarding independent claims 1, 9 and 17, Britt in view of Takahashi fails to teach “decrypting the encrypted data using a private key of the programmable switch to obtain decrypted data; and sending the decrypted data from the programmable switch to the IoT device” 
With respect to this argument, as disclosed below, Britt in paragraph [0113] discloses decrypting an encrypted packet using the private key of the IoT hub (programmable switch). Paragraph [0111] discloses verifying and extracting an encrypted device blob using the hub’s security module and sending the extracted blob to an IoT device. Futhermore, paragraph [0132] discloses receiving an encrypted packet at the IoT hub, decrypting the packet using the IoT hub's private key and transmitting the IoT device packet to the IoT device. Therefore, as disclosed by Britt, the decrypted data is sent to the IoT device. 
“the method further comprising: performing online authentication of the IoT device via the programmable switch utilizing an additional cryptographic function implemented in the programmable switch”
With respect to this argument, as disclosed below, Britt in paragraph [0111] discloses verification of an IoT device utilizing an IoT hub (programmable switch). In paragraph [0116], programming logic on the IoT hub securely programs the SIM card to register/pair the IoT device with the IoT hub and IoT service. A public/private key pair used to encrypt outgoing data is randomly generated by the programming logic and stored in the IoT hub's secure storage and the private key may be stored within the programmable SIM. Once the SIM is programmed, the new IoT device may be provisioned with the IoT Service using the SIM as a secure identifier. Furthermore, the newly-added features of the amended claims are broader than the originally claimed limitations of claim 3. 
Therefore, the combination of Britt in view of Takahashi teach the claimed limitations of independent claims 1, 9 and 17 and thereby the dependent claims. 
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



s 1-5, 8-13 and 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over US Pub. No. US 2017/0171196 A1 to Britt, (hereinafter, “Britt”), in view of US Pub. No. US 2017/0118180 A1 to Takahashi, (hereinafter, “Takahashi”).

As per claims 1, 9 and 17, Britt teaches a method, a programmable switch, and a computer program product that is tangibly stored on a non-transitory computer- readable medium and contains computer-executable instructions that, when executed, cause a computer to implement a method for encryption and decryption, respectively, comprising: 
a processing unit (Britt, para. [0054] “As illustrated in FIG. 2, an exemplary embodiment of an IoT device 101 includes a memory 210 for storing program code and data 201-203 and a low power microcontroller 200 for executing the program code and processing the data.”); and a memory coupled to the processing unit and storing instructions that, when executed by the processing unit, perform the following actions: 
receiving, at a programmable switch, encrypted data directed to an Internet of Things (IoT) device, the encrypted data being encrypted using a public key of the programmable switch (Britt, para. [0106] “when a new IoT hub 110 (programmable switch) is set up, its public key is provided to the IoT service 120 and when a new IoT device 101 is set up, it's public key is provided to both the IoT hub 110 and the IoT service 120.” [0108] By way of example, in one embodiment, when the IoT service 120 needs to transmit a command or data to an IoT device 101 (e.g., a command to unlock a door, a request to read a sensor, data to be processed/displayed by the IoT device, etc) the security logic 1013 encrypts the data/command using the public key of the IoT device 101 to generate an encrypted IoT device packet. In one embodiment, it then encrypts the IoT device packet using the public key of the IoT hub 110 to generate an IoT hub packet and transmits the IoT hub packet to the IoT hub 110.”); 
(Britt, para. [0111] “When sending a message to a device 101 the service 120 could first encrypt/MAC with this device installation key, then encrypt/MAC that with the hub's session key. The hub 110 would then verify and extract the encrypted device blob and send that to the device.” . And para. [0117] “The techniques described above with respect to FIG. 11 provide enormous flexibility when providing new IoT devices to end users. Rather than requiring a user to directly register each SIM with a particular service provider upon sale/purchase (as is currently done), the SIM may be programmed directly by the end user via the IoT hub 110 and the results of the programming may be securely communicated to the IoT service 120. Consequently, new IoT devices 101 may be sold to end users from online or local retailers and later securely provisioned with the IoT service 120.”);
the method further comprising: performing online authentication of the IoT device via the programmable switch utilizing an additional cryptographic function implemented in the programmable switch (Britt, para. [0111] “to prevent a compromise on the hub security module 1012 a one-time (permanent) installation key may be negotiated between the device 101 and service 120 at installation time. When sending a message to a device 101 the service 120 could first encrypt/MAC with this device installation key, then encrypt/MAC that with the hub's session key. The hub 110 would then verify and extract the encrypted device blob and send that to the device.” and para. [0116] “the secure key storage on each IoT device 101 is implemented using a programmable subscriber identity module (SIM) 1101… In order to program the SIM with a set of one or more encryption keys, the user takes the programmable SIM card 1101 out of the SIM interface 500 and inserts it into a SIM programming interface 1102 on the IoT hub 110 (programmable switch)…a public/private key pair may be randomly generated by the programming logic 1125 and the public key of the pair may then be stored in the IoT hub's secure storage device 411 while the private key may be stored within the programmable SIM 1101…Once the SIM 1101 is programmed, the new IoT device 101 may be provisioned with the IoT Service 120 using the SIM as a secure identifier (e.g., using existing techniques for registering a device using a SIM). Following provisioning, both the IoT hub 110 and the IoT service 120 will securely store a copy of the IoT device's public key to be used when encrypting communication with the IoT device 101.”)

Britt teaches all the limitations of claims 1, 9 and 17 above, however fails to explicitly teach but Takahashi teaches:

wherein the private key is set based at least in part on input from the IoT device and associated in the programmable switch with a designated source address (Takahashi, para. [0056] “each of the encrypted packets has a respective tag to identify an original entry port (e.g., a port of high-speed I/O interface 208), keys or key addresses associated with each of the encrypted packets is decrypted by one of the cryptographic modules to provide corresponding decrypted packets, and the first programmable input/output interface 208 is further configured to use the respective tag to route each decrypted packet back to its original entry port.” And para. [0118] “Each of the security devices 1204 is configured for cryptographic processing and receives incoming data from at least one data source 1202. Each of the key managers is associated with a user (e.g., corporation or an individual). For example, a given user may control an external key manager that provides keys to one of the security devices 1204 for cryptographic processing of that user's data. A switch 1206 receives the incoming data from data source 1202 and routes the incoming data to one of the security devices. For example, switch 1206 may route the data to the security device that corresponds to the user that sent the data for storage.” And para. [0131] “The packet input engine 1402 performs header detections, or modifications, and will authenticate and associate the customer's data. Once the data is authenticated and identified, packet input engine 1402 will address the unique specific customer's key in input key cache 1410.”); and 
wherein the decrypting of the encrypted data using the private key is triggered responsive to a determination by the programmable switch that the encrypted data was received from the source address (Takahashi, para. [0120] “Switch 1208 is used to route the encrypted data from the security device to encrypted data storage 204. When data is read from common encrypted data storage 204, switch 1208 routes the data to the appropriate security device 1204 for decryption processing.” And para. [0131] “The packet input engine 1402 performs header detections, or modifications, and will authenticate and associate the customer's data. Once the data is authenticated and identified, packet input engine 1402 will address the unique specific customer's key in input key cache 1410.” And para. [0132] “Key loader controller 1414 loads and verifies keys and addresses from the packet input engine 1402… The key loader controller 1414 and the respective input or output key cache is designed to ensure the proper key is associated with the data that will be encrypted or decrypted.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Takahashi’s secure encryption into Britt’s system and method for secure device provisioning, with a motivation to provide security processing for incoming data (e.g., data packets) in a multi-tenancy or other architecture (e.g., using one or more security devices) (Takahashi, para. [0008]). 
As per claims 2, 10 and 18, the combination of Britt and Takahashi teaches the method of claim 1, the programmable switch of claim 9 and the computer program product of claim 17, respectively, wherein the encrypted data is received from user equipment, and the decrypted data contains an execution command, the method further comprising: 
(Britt, para. [0120] “as illustrated in FIG. 12A each IoT device 101 or SIM 401 may be packaged with a barcode or QR code 1501 uniquely identifying the IoT device 101 and/or SIM 1001. In one embodiment, the barcode or QR code 1201 comprises an encoded representation of the public key for the IoT device 101 or SIM 1001. Alternatively, the barcode or QR code 1201 may be used by the IoT hub 110 and/or IoT service 120 to identify or generate the public key (e.g., used as a pointer to the public key which is already stored in secure storage)…the IoT hub 110 is equipped with a barcode reader 206 for reading the barcode and providing the resulting data to the security logic 1012 on the IoT hub 110 and/or the security logic 1013 on the IoT service 120.”); 
encrypting the execution result using a public key of the user equipment; and sending the encrypted execution result to the user equipment (Britt, para. [0137] “an SSL connection or other secure channel may be established between the IoT service 120 and the IoT hub 110. The IoT hub 110 (which does not have the ability to decrypt the message in one embodiment) transmits the encrypted message to the IoT device at 1603 (e.g., over a Bluetooth Low Energy (BTLE) communication channel). The encryption engine 1661 on the IoT device 101 may then decrypt the message using the secret and process the message contents. In an embodiment which uses the secret to generate a key stream, the encryption engine 1661 may generate the key stream using the secret and a counter value and then use the key stream for decryption of the message packet.” And para. [0138] “The message itself may comprise any form of communication between the IoT service 120 and IoT device 101. For example, the message may comprise a command packet instructing the IoT device 101 to perform a particular function such as taking a measurement and reporting the result back to the client device 611 or may include configuration data to configure the operation of the IoT device 101.” And para. [0139] “If a response is required, the encryption engine 1661 on the IoT device 101 uses the secret or a derived key stream to encrypt the response and transmits the encrypted response to the IoT hub 110 at 1604, which forwards the response to the IoT service 120 at 1605. The encryption engine 1660 on the IoT service 120 then decrypts the response using the secret or a derived key stream and transmits the decrypted response to the client device 611 at 1606 (e.g., over the SSL or other secure communication channel).”).

As per claims 3, 11 and 19, the combination of Britt and Takahashi teaches the method of claim 1, the programmable switch of claim 9 and the computer program product of claim 17, respectively, wherein performing online authentication of the IoT device via the programmable switch utilizing an additional cryptographic function implemented in the programmable switch comprises: 
authenticating the IoT device online by implementing an asymmetric encryption function for the IoT device in the programmable switch (Britt, para. [0081] “the user may program the control logic 412 on the IoT hub 110 to perform various automatic control functions with respect to the electronics equipment 430-432.” And para. [0128] “At 1301, a user receives a new IoT device with a blank SIM card and, at 1602, the user inserts the blank SIM card into an IoT hub. At 1303, the user programs the blank SIM card with a set of one or more encryption keys. For example, as mentioned above, in one embodiment, the IoT hub may randomly generate a public/private key pair and store the private key on the SIM card and the public key in its local secure storage. In addition, at 1304, at least the public key is transmitted to the IoT service so that it may be used to identify the IoT device and establish encrypted communication with the IoT device. As mentioned above, in one embodiment, a programmable device other than a "SIM" card may be used to perform the same functions as the SIM card in the method shown in FIG. 13.”).

As per claims 4, 12 and 20, the combination of Britt and Takahashi teaches the method of claim 3, the programmable switch of claim 11 and the computer program product of claim 19, respectively, wherein authenticating the IoT device online comprises: 
receiving a device identifier of the IoT device and a token for authentication from the IoT device; encrypting the device identifier and the token using a public key of an authentication server (Britt, para. [0120] “as illustrated in FIG. 12A each IoT device 101 or SIM 401 may be packaged with a barcode or QR code 1501 uniquely identifying the IoT device 101 and/or SIM 1001. In one embodiment, the barcode or QR code 1201 comprises an encoded representation of the public key for the IoT device 101 or SIM 1001. Alternatively, the barcode or QR code 1201 may be used by the IoT hub 110 and/or IoT service 120 to identify or generate the public key (e.g., used as a pointer to the public key which is already stored in secure storage)…the IoT hub 110 is equipped with a barcode reader 206 for reading the barcode and providing the resulting data to the security logic 1012 on the IoT hub 110 and/or the security logic 1013 on the IoT service 120.”); 
sending the device identifier and the token that are encrypted to the authentication server (Britt, para. [0121] “the data contained in the barcode or QR code 1201 may also be captured via a user device 135 (e.g., such as an iPhone or Android device) with an installed IoT app or browser-based applet designed by the IoT service provider. Once captured, the barcode data may be securely communicated to the IoT service 120 over a secure connection (e.g., such as a secure sockets layer (SSL) connection). The barcode data may also be provided from the client device 135 to the IoT hub 110 over a secure local connection (e.g., over a local WiFi or Bluetooth LE connection).” And para. [0124] “FIG. 12B illustrates one embodiment in which the barcode reader 206 on the IoT hub 110 captures the barcode/QR code 1201 associated with the IoT device 101…the barcode reader 206 reads the pairing code from the barcode/QR code 1201 and provides the pairing code to the local communication module 1280. Once the pairing code is received, it is stored in a secure storage containing pairing data 1285 and the IoT device 101 and IoT hub 110 are automatically paired. Each time the IoT hub is paired with a new IoT device in this manner, the pairing data for that pairing is stored within the secure storage 685. In one embodiment, once the local communication module 1280 of the IoT hub 110 receives the pairing code, it may use the code as a key to encrypt communications over the local wireless channel with the IoT device 101.”); and 
receiving an authentication response message from the authentication server, the authentication response message being encrypted using the public key of the programmable switch (Britt, para. [0120] “as illustrated in FIG. 12A each IoT device 101 or SIM 401 may be packaged with a barcode or QR code 1501 uniquely identifying the IoT device 101 and/or SIM 1001. In one embodiment, the barcode or QR code 1201 comprises an encoded representation of the public key for the IoT device 101 or SIM 1001. Alternatively, the barcode or QR code 1201 may be used by the IoT hub 110 and/or IoT service 120 to identify or generate the public key (e.g., used as a pointer to the public key which is already stored in secure storage)…the IoT hub 110 is equipped with a barcode reader 206 for reading the barcode and providing the resulting data to the security logic 1012 on the IoT hub 110 and/or the security logic 1013 on the IoT service 120.” And para. [0125] “Similarly, on the IoT device 101 side, the local communication module 1590 stores pairing data within a local secure storage device 1595 indicating the pairing with the IoT hub. The pairing data 1295 may include the pre-programmed pairing code identified in the barcode/QR code 1201. The pairing data 1295 may also include pairing data received from the local communication module 1280 on the IoT hub 110 required for establishing a secure local communication channel (e.g., an additional key to encrypt communication with the IoT hub 110).”).

As per claims 5 and 13, the combination of Britt and Takahashi teaches the method of claim 4, the programmable switch of claim 12, respectively, wherein authenticating the IoT device online further comprises: 
decrypting the authentication response message using the private key of the programmable switch to obtain an authentication result (Britt, para. [0139] “If a response is required, the encryption engine 1661 on the IoT device 101 uses the secret or a derived key stream to encrypt the response and transmits the encrypted response to the IoT hub 110 at 1604, which forwards the response to the IoT service 120 at 1605. The encryption engine 1660 on the IoT service 120 then decrypts the response using the secret or a derived key stream and transmits the decrypted response to the client device 611 at 1606 (e.g., over the SSL or other secure communication channel).”); and 
based on a determination that the authentication result indicates that the IoT device has passed the authentication: 
granting an access right to the IoT device (Britt, para. [0237] “an IoT device may use an advertising channel to notify any IoT hubs within range that it is "connectable" so that an IoT hub may connect to it to transmit commands and/or data.”); 
storing the device identifier of the IoT device and a corresponding port (Britt, para. [0273] “FIG. 32 is a set of BTLE attributes 3205 and an attribute address decoder 3207. In one embodiment, the BTLE attributes 3205 may be used to establish the read and write ports as described above with respect to FIGS. 19-20. The attribute address decoder 3207 reads a unique ID code associated with each attribute to determine which attribute is being received/transmitted and process the attribute accordingly (e.g., identify where the attribute is stored within the secure wireless communication module 3218).”); and 
sending an indication of authentication success to the IoT device (Britt, para. [0242] “To address this limitation, one embodiment of the secure wireless communication module 2610 includes a connection manager 2611 which, upon detecting a successful connection with the secure wireless communication module 2651 of the IoT hub 111, causes the advertising control module 2612 to continue transmitting advertising beacons.”).

As per claims 8 and 16, the combination of Britt and Takahashi teaches the method of claim 1, the programmable switch of claim 9, respectively, further comprising: 
generating an asymmetric key using a processing unit in the programmable switch, the asymmetric key including the public key and private key of the programmable switch; and performing at least one of asymmetric encryption and asymmetric decryption using a programmable switch chip in the programmable switch (Britt, para. [0114] “A different set of keys may be used to encrypt communication from the IoT device 101 to the IoT hub 110 and to the IoT service 120. For example, using a public/private key arrangement, in one embodiment, the security logic 1002 on the IoT device 101 uses the public key of the IoT hub 110 to encrypt data packets sent to the IoT hub 110. The security logic 1012 on the IoT hub 110 may then decrypt the data packets using the IoT hub's private key.” And para. [0115] “While certain specific details are set forth above in the description above, it should be noted that the underlying principles of the invention may be implemented using various different encryption techniques. For example, while some embodiments discussed above use asymmetric public/private key pairs”).



5.	Claims 6-7 and 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over Britt in view of Takahashi, as disclosed above, in further view of US Pub. No. US 2019/0253243 A1 to Zimmerman, (hereinafter, “Zimmerman”).

As per claims 6 and 14, the combination of Britt and Takahashi teaches the method of claim 1, the programmable switch of claim 9, respectively, however fails to explicitly teach but Zimmerman teaches, further comprising: 
sending, based on a determination that a request for a serverless list is received from the IoT device, the serverless list to the IoT device (Zimmerman, para. [0274] “Once device B is linked to the service, at 3303 the user is prompted to configure the device for their network. The user chooses "yes" from the mobile device app which receives a list of available devices from the service that are already configured for WiFi and are online. In one embodiment, the configured SSID is listed next to the device name to show the user which network it is on. In this example, device A is listed with the SSID of the WiFi network to which it is connected (e.g., "ZZ WiFi").”); 
receiving, from the IoT device, an encryption request for one or more packets associated with a destination address  (Zimmerman, para. [0275] “At 3304, the user chooses device A from the list. In response, a message is sent to device A specifying the device ID of the device to link to (i.e., device B) and the attribute ID device A should transmit after linking is complete. At 3305, device A receives the message and begins the linking process by sending a message (e.g., a session info message 3206 as previously described) that contains the source and destination addresses in the form of device IDs. This message may be sent over the standard messaging channel.”); and 
based on a determination that a given packet directed to the destination address is received from the IoT device, encrypting the given packet by the programmable switch  (Zimmerman, para. [0276] “At 3306 device B transmits a session info response message that contains the destination device ID. Thus, linking is performed in a similar manner to linking with the service, the primary difference being the new versions of the messages that contain source and destination addresses.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Zimmerman’s system and method for (Zimmerman, para. [0093]). 

As per claims 7 and 15, the combination of Britt, Takahashi and Zimmerman teaches the method of claim 1, the programmable switch of claim 14, respectively, further comprising: 
receiving, from the IoT device, a decryption request for one or more packets associated with the source address; and based on a determination that a given packet from the source address is received, decrypting the given packet by the programmable switch (Britt, para. [0140] “The client device 611 then forwards the encrypted message to the IoT device 101 at 1613, and the encryption engine 1661 decrypts the message using the secret or the derived key stream. The IoT device 101 may then process the message as described herein. If a response is required, the encryption engine 1661 encrypts the response using the secret and transmits the encrypted response to the client device 611 at 1614, which forwards the encrypted response to the IoT service 120 at 1615. The encryption engine 1660 then decrypts the response and transmits the decrypted response to the client device 611 at 1616.” And para. [0144] Once the secret has been determined, it may be used by the encryption engines 1660 and 1661 to encrypt and decrypt data directly. Alternatively, in one embodiment, the encryption engines 1660-1661 send commands to the KSGMs 1640-1641 to generate a new key stream using the secret to encrypt/decrypt each data packet (i.e., a new key stream data structure is generated for each packet). In particular, one embodiment of the key stream generation module 1640-1641 implements a Galois/Counter Mode (GCM) in which a counter value is incremented for each data packet and is used in combination with the secret to generate the key stream. Thus, to transmit a data packet to the IoT service 120, the encryption engine 1661 of the IoT device 101 uses the secret and the current counter value to cause the KSGMs 1640-1641 to generate a new key stream and increment the counter value for generating the next key stream. The newly-generated key stream is then used to encrypt the data packet prior to transmission to the IoT service 120. In one embodiment, the key stream is XORed with the data to generate the encrypted data packet. In one embodiment, the IoT device 101 transmits the counter value with the encrypted data packet to the IoT service 120. The encryption engine 1660 on the IoT service then communicates with the KSGM 1640 which uses the received counter value and the secret to generate the key stream (which should be the same key stream because the same secret and counter value are used) and uses the generated key stream to decrypt the data packet.”).

Conclusion
6.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US 20180309580 A1 – Authentication system to protect PII. 
US 20180167366 A1– Cryptographic mode programmability.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZOHA P TAFAGHODI whose telephone number is (571)272-5199.  The examiner can normally be reached on 9AM-5PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s acting supervisor, Kristine Kincaid can be reached on (571) 272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


/ZOHA PIYADEHGHIBI TAFAGHODI/               Examiner, Art Unit 2437                                                                                                                                                                                         

	/ALI S ABYANEH/               Primary Examiner, Art Unit 2437