DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This written action is responding to the amendment dated on December 15, 2021.
Claims 1, 4-7, 9-13, 15, 18 and 20-21 are allowed.


Allowable Subject Matter
Claims 1, 4-7, 9-13, 15, 18 and 20-21 are allowed.

Examiner’s Statement of Reasons for Allowance
The following is an examiner’s statement of reasons for allowance.
Independent Claim 1 is allowable based on the amendment presented on December 15, 2021.
Specifically, the independent Claim 1 now recites limitations as follows:

“A method of managing access to an asset using a separate physical cryptographically-secure key device, the method comprising: storing a public cryptographic key as an unalterable record in a memory accessible by an access configuration controller of the asset, the access configuration controller controlling the access to the asset using the public cryptographic key, the public cryptographic key being cryptographically paired 

The cited reference Ernest Brickell (US PGPUB. # US 2018/0324158) discloses, an access verification public key 211 is embedded in non volatile memory in the access control module 210. In one embodiment, the access verification public key is an external access entity verification public key 262. In another embodiment, the access verification public key 211 in the external entity accessible device 200 is a verification public key of a certificate authority that issues certificates for a plurality of external access entity verification public keys 262. In another embodiment, there are multiple access verification public (Fig. 2(211), ¶28). In action A 3.4 in FIG. 3, the device 200 processes the received signed access request 269 in the access control module 210. In step 3.4.1, the access control module 210 checks the validity of the signed access request 269. The access control module 210 checks that the digital signature on the request 269 is valid using the access verification public key 211. This check may involve checking the digital signatures of digital certificates in a certificate hierarchy when the access verification public key 211 is the public key of a certificate authority. If this digital signature is valid. (Fig. 3(3.4.1), ¶36). In Step 3.4.4, the authorized access payload 220 is sent from the access control module 210 to an appropriate recipient module on device 200. In step 3.5.1, the module that receives the authorized access payload 220 processes the authorized access payload 220, and performs the instructions in the authorized access payload 220. (Fig. 3(3.4.4., 3.5.1), ¶38). The external access entity 266 is obligated to obtain legal authorization before using the capability to access the device 200. In step 3.3.1, the external access entity 266 prepares an access request 268 containing an access payload 263 and the unique device identifier 212 of the targeted device 200. In some embodiments, the external access entity device 260 generates an access encryption key pair, specifically, a public access encryption key 264 and a private access decryption key 265. The public access encryption key 264 is included in the access payload 263. The external access entity device 260 digitally signs this request 268 with the external access entity signature private key 261. In one embodiment, the signed access request 269 is (Fig. 2(251), ¶35). The external entity accessible device 200 includes an access control module 210 that is used to control the access of external entities according to the external access policy 213 of the device 200, and to provide proof to a policy enforcing network access point or other entity of the external access capabilities and policy of the device 200. (Fig. 2(213), ¶24). In step 3.2.4, the device manufacturer stores in nonvolatile memory in the device 200 a description of the external access policy 213 of device 200. In some embodiments, the external access policy 213 is not stored on the device 200, but is stored elsewhere, and an identifier for the external access policy 213 is stored on the device 200. In some embodiments, this identifier for the external access policy 213 is identified in the certificate 216 for the device verification key 215. The external access policy 213 describes the types of payloads 220 that are allowed on the device 200. In one embodiment, the external access policy 213 allows any payload 220 that can be executed on the device 200. In some embodiments, the external access policy 213 describes what types of unlocking capabilities are available to an authorized external access entity 266. In some embodiments, the external access policy 213 describes the capabilities of the firmware or software that can be launched by an authorized external access entity 266. In some embodiments, the external access policy 213 describes what cryptographic keys are allowed to be requested in payloads 220. The external access policy 213 also describes the (Fig. 3(3.2.4), ¶31). In Step 3.4.4, the authorized access payload 220 is sent from the access control module 210 to an appropriate recipient module on device 200. In step 3.5.1, the module that receives the authorized access payload 220 processes the authorized access payload 220, and performs the instructions in the authorized access payload 220. The following paragraphs describe several embodiments implemented by modules in the device 200 that receive an authorized access payload 220. For each of these modules, processing the instructions in the authorized access payload 220 sometimes results in information that needs to be sent securely back to the external access entity 266. In Step 3.5.2, this information is encrypted using the public access encrypt key 264 and sent to the external access entity device 260. he authorized access payload 220 is sent to the device unlocking module 231, and the payload 220 contains instructions to modify the functionality of the device unlocking module 231 to allow an external access entity 266 to feasibly unlock the device 200 without knowing the device unlocking password chosen by the user of the device 200. In some embodiments, the authorized access payload 220 is sent to a firmware or software launch module 232, and payload 220 contains instructions to the firmware or software launch module 232 to launch different firmware or software than the module 232 normally would launch, or to modify the firmware or software that is launched on the device 200. The authorized access payload 220 is sent to a device memory controller module 233, and payload 220 contains instructions to (Fig. 3(3.4.4, 3.5.1), ¶38-¶40).
The reference by Kanakrajan et al. (US PGPUB. # US 2018/0139228) discloses, the communication may be encrypted. For example, node 202 may encrypt the communication using a private key. Node 202 may store this private key in a Trusted Platform Module (TPM) for security purposes. In this example, node 202 may send the encrypted communication to apparatus 100. As the encrypted communication reaches apparatus 100, processing unit 106 may decrypt the communication using the private key's corresponding public key. Processing unit 106 may store this public key in a TPM for security purposes. (¶34). As illustrated in FIG. 1, apparatus 100 may include a storage device 102 and a processing unit 106. Storage device 102 generally represents any type or form of volatile or non-volatile memory or storage medium capable of storing data and/or computer-readable instructions. In one example, storage (¶22).
Xavier Serret-Avila (US PGPUB. # US 2005/0235154) discloses, enabling a recipient of a cryptographically-signed electronic communication to verify the authenticity of the communication on-the-fly using a signed chain of check values, the chain being constructed from the original content of the communication, and each check value in the chain being at least partially dependent on the signed root of the chain and a portion of the communication. Fault tolerance can be provided by including error-check values in the communication that enable a decoding device to maintain the chain's security in the face of communication errors. In one embodiment, systems and methods are provided for enabling secure quasi-random access to a content file by constructing a hierarchy of hash values from the file, the hierarchy deriving its security in a manner similar to that used by the above-described chain. The hierarchy culminates with a signed hash that can be used to verify the integrity of other hash values in the hierarchy, and these other hash values can, in turn, be used to efficiently verify the authenticity of arbitrary portions of the content file. (Abstract).
Karpenko et al. (US PGPUB. # US 2015/0052064) discloses, a method of processing a remote transaction initiated by a mobile device. The method (Abstract).
Vincent Scarlata (US PAT. # US 7,711,960) discloses, a method control access to cryptographic keys and to attest to the approved configurations of computer platforms able to access these keys, which include trusted platform modules (TPMs) are contemplated. Embodiments include transformations, code, state machines or other logic to control access to a cryptographic key by creating an authorization blob locking authorization data to access the cryptographic key to platform configuration register (PCR) values of a TPM, the PCR values representing a configuration of a computing platform. Embodiments may also involve generating a first TPM cryptographic key bound to PCR values, receiving a second TPM cryptographic key owned by software, and receiving evidence of the identity of an upgrade service controlling the upgrading of the software. Embodiment may also include certifying the first TPM cryptographic key; certifying the second TPM cryptographic key; concatenating the first certification, the second certification, and the evidence of the identity of the upgrade service; and signing the concatenation. (Abstract).
Wheeler et al. (US PGPUB. # US 2003/0126439) discloses, a requesting entity seeking access to a controlled resource is authenticated by an access authentication component includes the requesting entity initially opening a security account with the access authentication component, the access authentication component establishing and maintaining a record including information pertaining to the account and being retrievable based on a unique identifier for the requesting entity, and associating a public key of a public-private key pair with the record; the requesting entity originating an electronic message and generating a digital signature using a private key of the key pair, and sending the digitally signed electronic message to the access authentication component with the unique identifier; authenticating the electronic message using the public key associated with the record identified by the unique identifier; and upon successful authentication, authenticating access to the controlled resource. Security information is considered in authenticating the requesting entity. (Abstract).
Sheikh et al. (US PGPUB. # US 2015/0189506) discloses, methods of protecting domains of a multimode wireless radio transceiver. For example, an apparatus may include a protection domain controller (PDC) to restrict access of a configuration software to a protection domain of a plurality of protection domains of a multimode wireless radio transceiver based on a security level of the configuration software, wherein the protection domain includes one or more radio configuration parameters of the multimode wireless radio transceiver. (Abstract).
However, each of the cited references or reference from the updated search, at least, fails to teach or suggest the limitations regarding “…the method comprising: storing a public cryptographic key as an unalterable record in a memory accessible by an access configuration controller of the asset, the access configuration controller controlling the access to the asset using the public cryptographic key…wherein access to the asset is managed according to one or more access authorization records stored in a storage system secured by the access configuration controller; and allowing, by the access configuration controller, access to the one or more access authorization records according to the access control change instruction, responsive to verification of the valid signing of the access control change instruction by the private cryptographic key using the public cryptographic key read from the memory”, in combination with the rest of the limitations recited in the independent claim(s).

None of the previous cited prior art references or reference(s) from the updated search yield any specific references that would reasonably, either singularly or in combination with previous cited reference, result a reasonable and proper rejection for each of the cited feature limitations of the independent claim 1 under 35 U.S.C. 102 or 35 U.S.C. 103 with proper motivation.
Claims 10 is a system claim of above method claim 1 and Claim 15 is a tangible processor-readable storage media claim of above method claim 1, and therefore, they are also allowed.
Claims 4-7, 9 and 21 depend on the allowed claim 1, and therefore, they are also allowed.
Claims 11-13 and 14-16 depend on the allowed claim 10, and therefore, they are also allowed.
Claims 18 and 20 depend on the allowed claim 15, and therefore, they are also allowed.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance".

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DARSHAN I DHRUV whose telephone number is (571)272-4316. The examiner can normally be reached M-F 9:00 AM-5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 571-272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.






/DARSHAN I DHRUV/Primary Examiner, Art Unit 2498