Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
This action is in response to application filed 02/08/2022.
Claims 1-20 are pending in this application.

Response to Arguments
Applicant's arguments have been fully considered but they are not persuasive.  Applicant asserts that the prior art of record fail to disclose “generating a message that includes the position in the unique encryption code and the corresponding set of values at that position for use for a receiver of the packet to verify a sender of the message”.  Examiner respectfully disagrees. Fishman discloses a string is selected by reading from the CD card 11 until “key length” (of at least 512) bytes have been accumulated. This is depicted as the 16-character string 403, “OP90127823840UOU”. The string is shifted a “key shift” number of bytes, that is rotated a “key shift” number of bytes in order, as in a shift register, to produce a string of the same length. Depicted is a seven-character shift to produce 16-character string 404, “823840UOUOP90127”.  The data is parsed and split, then using the SHA-1 algorithm, a first 160-bit key or token is produced as a message digest (hash result), represented by key or token (“5XW467 . . . UL29284S) (i.e. generating message with selected position and values (e.g. hash of selected string) of encryption code).  This first key or token is sent 110 by a client-side application (i.e. the generated message is sent) to authentication server 30 for matching in step 310.  The sever 


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1, 3-6, 8, 13-19 are rejected under 35 U.S.C. 103 as being unpatentable over Fishman et al. (US 2004/0139028 A1) in view of Ravinutala et al. (US 2016/0381015 A1).
Regarding claim 1, Fishman discloses a computer-implemented method comprising:
selecting a position in the unique encryption code (fig. 5, [0030]:  the data is retrieved beginning at the key offset, shown by the arrow in information block 402, pointing to the first character of the third row, "O". In a preferred embodiment, a string is selected by reading from the CD card 11 until "key length" (of at least 512) bytes have been accumulated. This is depicted as the 16-character string 403, "OP90127823840UOU". The string is shifted a "key shift" number of bytes, that is rotated a "key shift" number of bytes in order, as in a shift register, to produce a string of the same length. Depicted is a seven-character shift to produce 16-character string 404, "823840UOUOP90127". These client 10 steps 103 are performed in parallel as steps 103' by server 30); 
identifying a corresponding set of values at that position in the unique encryption code (fig. 5, [0030]-[0031]:  the data string resulting from steps 103 is parsed, split in half, as illustrated by strings 405 ("823840U0") and 406 ("UOP90127"). The upper half is then concatenated with the user's password (illustrated by 407) and passed through a one-way hash algorithm to produce effectively a one-use token bound to the unique storage device 11 information and the password 3, but from which neither can be reproduced. (A variation of this embodiment would allow a selection from alternative one-way hash algorithms for a given session.) Using the SHA-1 algorithm, a first 160-bit key or token is produced as a message digest (hash result), represented by key or token 408 ("5XW467 . . . UL29284S). These client 10 steps 106 are performed in parallel as steps 106' by server 30); and 
generating a message that includes the position in the unique encryption code and the corresponding set of values at that position for use for a receiver of the packet to verify a sender of the message (fig. 5, [0032]:  This first key or token is sent 110 by a client-side application to authentication server 30 for matching in step 310. Upon a match of the first key, as represented as a match of keys 408 and 408', the process is repeated in reverse with the authentication server 30 creating a second one-use token or key 409' by applying the SHA-1 algorithm to the lower half 406' of the randomly selected and shifted information from the CD card image in data base 31 concatenated with the user's password 407'. (This process is optional; while enhancing the strength of the authentication, a single one-use token, such as represented in FIG. 1 by token 13, may be used.) The authentication server 30 sends 311 the second one-use 160-bit key back to the client 10 for matching 111. The client will have generated an identical key (represented by 409) and will attempt a match. If both sets of keys match, the user is authenticated and allowed to proceed with web-based use, granted access to restricted desktop software, or is given unique information such as a one-use token or a certificate for authentication to an ASE 20).
However, Fishman does not disclose generating a unique encryption code using at least a secret key, a secret text, and an encryption module having an encryption type.
 ([0025]:  the authentication type field 304 of the authentication request 412 may include a predetermined value indicating what type of authentication is requested by the source network device (e.g. the network device 402). Exemplary types of authentication may include clear text, a cryptographic hash (e.g., MD5, secure hash algorithm (SHA)), a symmetric encryption (e.g., data encryption standard (DES), advanced encryption standard (AES)), or an asymmetric encryption. If the authentication type is clear text, in one non-limiting embodiment, the authentication field 306 may include a request for example, a request for password, a pre-configured security question, a request for an authentication key, etc. In another embodiment, if the authentication type is clear text and only the password (or authentication key) is requested, the authentication field 306 may be undefined (e.g., the content of this field need not to be examined by the recipient)).
Therefore, it would have been obvious before the effective filed date of the claimed invention to a person having ordinary skill in the art to modify Fishman to comprise “generating a unique encryption code using at least a secret key, a secret text, and an encryption module having an encryption type” taught by Ravinutala.
One of ordinary skilled in the art would have been motivated because it would have enabled to authenticate a network device as peer VTEP in a VXLAN environment (Ravinutala, [0014]).  

Regarding claim 3, Fishman-Ravinutala discloses the computer-implemented method of Claim 1 wherein the step of generating a unique encryption code using at least a secret key, a secret text, and an encryption module having an encryption type further comprises: combining (Ravinutala, [0028]:  the source IP address or other identifying information (e.g., MAC address) of an authentication packet originator may be used as part of the input for the hash function or encryption algorithms (e.g., a password or an authentication key may be concatenated with the source IP/MAC address and the concatenation being used for hash/encryption). The same rationale applies as in claim 1.

Regarding claim 4, Fishman-Ravinutala discloses the computer-implemented method of Claim 3 wherein the additional data comprises the Media Access Control of the sender of the message (Ravinutala, [0028]:  MAC address of the packet originator).  The same rationale applies as in claim 3.

Regarding claim 5, Fishman-Ravinutala discloses the computer-implemented method of Claim 1.  Fishman discloses further comprising the steps of: responsive to receiving a reply message, identifying in the reply message a position and a corresponding set of values in a second unique encryption code ([0030]:  Upon receiving the acknowledgement and key values, the client 10 reads the CD card 11 or other physical storage media and retrieves the data specified by the server 30. The data is retrieved beginning at the key offset, shown by the arrow in information block 402, pointing to the first character of the third row, "O". In a preferred embodiment, a string is selected by reading from the CD card 11 until "key length" (of at least 512) bytes have been accumulated. This is depicted as the 16-character string 403, "OP90127823840UOU". The string is shifted a "key shift" number of bytes); and determining whether the values at the same position in the second unique encryption code match the ([0032]:  this first key or token is sent 110 by a client-side application to authentication server 30 for matching in step 310. Upon a match of the first key, as represented as a match of keys 408 and 408', the process is repeated in reverse with the authentication server 30 creating a second one-use token or key 409' by applying the SHA-1 algorithm to the lower half 406' of the randomly selected and shifted information from the CD card image in data base 31 concatenated with the user's password 407'. (This process is optional; while enhancing the strength of the authentication, a single one-use token, such as represented in FIG. 1 by token 13, may be used.) The authentication server 30 sends 311 the second one-use 160-bit key back to the client 10 for matching 111. The client will have generated an identical key (represented by 409) and will attempt a match. If both sets of keys match, the user is authenticated).
However, Fishman does not disclose generating the second unique encryption code using at least the secret key, the secret text, and the encryption module having the encryption type.
In an analogous art, Ravinutala discloses generating the second unique encryption code using at least the secret key, the secret text, and the encryption module having the encryption type ([0025]:  he authentication type field 304 of the authentication request 412 may include a predetermined value indicating what type of authentication is requested by the source network device (e.g. the network device 402). Exemplary types of authentication may include clear text, a cryptographic hash (e.g., MD5, secure hash algorithm (SHA)), a symmetric encryption (e.g., data encryption standard (DES), advanced encryption standard (AES)), or an asymmetric encryption. If the authentication type is clear text, in one non-limiting embodiment, the authentication field 306 may include a request for example, a request for password, a pre-configured security question, a request for an authentication key, etc. In another embodiment, if the authentication type is clear text and only the password (or authentication key) is requested, the authentication field 306 may be undefined (e.g., the content of this field need not to be examined by the recipient)).
Therefore, it would have been obvious before the effective filed date of the claimed invention to a person having ordinary skill in the art to modify Fishman to comprise “generating the second unique encryption code using at least the secret key, the secret text, and the encryption module having the encryption type” taught by Ravinutala.
One of ordinary skilled in the art would have been motivated because it would have enabled to authenticate a network device as peer VTEP in a VXLAN environment (Ravinutala, [0014]).  

Regarding claim 6, Fishman-Ravinutala discloses the computer-implemented method of Claim 5 further comprising the steps of: responsive to determining that the values at the same position in the second unique encryption code match the corresponding set of values in the reply message, adding a MAC address of a remote device that generated the reply message to a networking table as a verified device (Ravinutala, [0027]: the network device 402 may determine that the authentication response 416 is satisfactory only when the authentication value matches what is expected, regardless of whether it is clear text, hash or encryption. Once the authentication response 416 is successfully checked, the network device 404 may be authenticated as a peer VTEP and the route indicated in the route update packet 408 may be accepted. In the embodiment that the peer table is used, the status of the network device 404 may be updated to authentication success in the peer table.  [0044]: If the security check passes, the peer status may be updated to authentication success at 916 and the peer VTEP may be installed as a trusted peer VTEP and its route (e.g., IP address, MAC/MAC-IP, etc.).  The same rationale applies as in claim 5.

Regarding claim 8, Fishman discloses a computer-implemented method comprising:
responsive to identifying an indicator in a message that indicates enhanced verification, in which the message is received at a receiving device and the message was sent from a sending device ([0029 the server 30 acknowledges and returns information to the client 10 on where to look on the CD card 11 for the appropriate authentication key data. This is performed in step 301 by server 30 using a server-global random number generator to randomly generate a key offset (location of start of a key string to be selected), a key length (size), and a key shift (positions shifted in a rotation). These values are transmitted to client 10 in step 302), performing the steps comprising: identifying in the message a position and a corresponding set of values that should exist at that position in a unique encryption code ([0030]:  Upon receiving the acknowledgement and key values, the client 10 reads the CD card 11 or other physical storage media and retrieves the data specified by the server 30. The data is retrieved beginning at the key offset, shown by the arrow in information block 402, pointing to the first character of the third row, "O". In a preferred embodiment, a string is selected by reading from the CD card 11 until "key length" (of at least 512) bytes have been accumulated. This is depicted as the 16-character string 403, "OP90127823840UOU"); and responsive to determining that the values at the same position in the unique encryption code match the corresponding set of values in the message [verified device] ([0032]:  The authentication server 30 sends 311 the second one-use 160-bit key back to the client 10 for matching 111. The client will have generated an identical key (represented by 409) and will attempt a match. If both sets of keys match, the user is authenticated and allowed to proceed with web-based use, granted access to restricted desktop software, or is given unique information such as a one-use token or a certificate for authentication to an ASE 20).
However, Fishman does not disclose generating the unique encryption code using at least a secret key, a secret text, and an encryption module having an encryption type; [in response the unique encryption code match] adding a MAC address of the sending device that generated the message to a networking table as a verified device for which data traffic may be sent to, received from, or both.  
In an analogous art, Ravinutala discloses generating a unique encryption code using at least a secret key, a secret text, and an encryption module having an encryption type ([0025]:  he authentication type field 304 of the authentication request 412 may include a predetermined value indicating what type of authentication is requested by the source network device (e.g. the network device 402). Exemplary types of authentication may include clear text, a cryptographic hash (e.g., MD5, secure hash algorithm (SHA)), a symmetric encryption (e.g., data encryption standard (DES), advanced encryption standard (AES)), or an asymmetric encryption. If the authentication type is clear text, in one non-limiting embodiment, the authentication field 306 may include a request for example, a request for password, a pre-configured security question, a request for an authentication key, etc. In another embodiment, if the authentication type is clear text and only the password (or authentication key) is requested, the authentication field 306 may be undefined (e.g., the content of this field need not to be examined by the recipient); [in response the unique encryption code match] adding a MAC address of the sending device that generated the message to a networking table as a verified device for which data traffic may be sent to, received from, or both ([0027]: the network device 402 may determine that the authentication response 416 is satisfactory only when the authentication value matches what is expected, regardless of whether it is clear text, hash or encryption. Once the authentication response 416 is successfully checked, the network device 404 may be authenticated as a peer VTEP and the route indicated in the route update packet 408 may be accepted. In the embodiment that the peer table is used, the status of the network device 404 may be updated to authentication success in the peer table.  [0044]: If the security check passes, the peer status may be updated to authentication success at 916 and the peer VTEP may be installed as a trusted peer VTEP and its route (e.g., IP address, MAC/MAC-IP, etc.)
Therefore, it would have been obvious before the effective filed date of the claimed invention to a person having ordinary skill in the art to modify Fishman to comprise “generating the unique encryption code using at least a secret key, a secret text, and an encryption module having an encryption type; [in response the unique encryption code match] adding a MAC address of the sending device that generated the message to a networking table as a verified device for which data traffic may be sent to, received from, or both.” taught by Ravinutala.
One of ordinary skilled in the art would have been motivated because it would have enabled to authenticate a network device as peer VTEP in a VXLAN environment (Ravinutala, [0014]).  

Regarding claim 13; the claim is interpreted and rejected for the same reason as set forth in claim 5.

Regarding claim 14, Fishman-Ravinutala discloses the computer-implemented method of Claim 13 wherein the step of generating a second unique encryption code using at least the secret (Ravinutala, [0028]:  the source IP address or other identifying information (e.g., MAC address) of an authentication packet originator may be used as part of the input for the hash function or encryption algorithms (e.g., a password or an authentication key may be concatenated with the source IP/MAC address and the concatenation being used for hash/encryption). The same rationale applies as in claim 8.

Regarding claim 15; the claim is interpreted and rejected for the same reason as set forth in claim 1.

Regarding claim 16; the claim is interpreted and rejected for the same reason as set forth in claim 3.

Regarding claim 17; the claim is interpreted and rejected for the same reason as set forth in claim 4.

Regarding claim 18; the claim is interpreted and rejected for the same reason as set forth in claim 5.

Regarding claim 19; the claim is interpreted and rejected for the same reason as set forth in claim 6.

Claims 2, 9-11 are rejected under 35 U.S.C. 103 as being unpatentable over Fishman in view of Ravinutala, as applied in claim 1, in further view of Jain et al. (US 2017/0033924 A1).
Regarding claim 2, Fishman-Ravinutala discloses the computer-implemented method of Claim 1, wherein the sender is a VTEP device (Ravinutala, [0017]:  VTEP 102(1) encapsulates the Ethernet frame with a VxLAN encapsulation including VNI 10, and forwards the resulting encapsulated Ethernet packet as a VxLAN-encapsulated packet (VxLAN packet) to VTEP 100(2) over network 106).
However, Fishman-Ravinutala does not discloses wherein the message is an Address Resolution Protocol message.
In an analogous art, Jain discloses wherein the message is an Address Resolution Protocol message ([0047], [0055]:  the process performs ARP in order to receive the necessary address resolution information from the controller. Such information in some embodiments includes the VNI, the MAC address, and/or the VTEP of next hop).
Therefore, it would have been obvious before the effective filed date of the claimed invention to a person having ordinary skill in the art to modify Fishman-Ravinutala to comprise “wherein the message is an Address Resolution Protocol message” taught by Jain.
One of ordinary skilled in the art would have been motivated because it would have enabled a host machine to obtain the key of a L4 connection from a controller of the datacenter when performing ARP operations for destination IP address (Jain, [0047]).  

Regarding claim 9, Fishman-Ravinutala discloses the computer-implemented method of Claim 8 wherein the sending device and the receiving device are VTEP devices (Ravinutala, [0016]:  Network environment 100 includes VTEPs 102(1)-102(3) (also referred to as VTEP-1-VTEP-3, respectively) each connected to a communication network 106 through respective routers 104(1)-104(3)).  
However, Fishman-Ravinutala does not disclose wherein the message is an Address Resolution Protocol message.
In an analogous art, Jain discloses wherein the message is an Address Resolution Protocol message ([0047], [0055]:  the process performs ARP in order to receive the necessary address resolution information from the controller. Such information in some embodiments includes the VNI, the MAC address, and/or the VTEP of next hop).
Therefore, it would have been obvious before the effective filed date of the claimed invention to a person having ordinary skill in the art to modify Fishman-Ravinutala to comprise “wherein the message is an Address Resolution Protocol message” taught by Jain.
One of ordinary skilled in the art would have been motivated because it would have enabled a host machine to obtain the key of a L4 connection from a controller of the datacenter when performing ARP operations for destination IP address (Jain, [0047]).  

Regarding claim 10, Fishman-Ravinutala-Jain discloses the computer-implemented method of Claim 9 wherein the sending device and the receiving device each know the secret key and the secret text, and each knows or has access to an encryption module having the encryption type (Ravinutala, [0041]:  the network device 402 may use the received authentication packet to decide whether the network device 404 knows a shared secret (e.g., a password, an answer to a security question, an authentication key etc.). If the second network device is authenticated, it may be established as a trusted peer VTEP. If, however, the second network device fails the authentication, it may be treated as a rogue VTEP).  The same rationale applies as in claim 8.

Regarding claim 11, Fishman-Ravinutala-Jain discloses the computer-implemented method of Claim 9 wherein the step of generating the unique encryption code using at least a secret key, a secret text, and an encryption module having an encryption type comprises: Customer No. 8297623DC-118564.01 (20110-2386)PATENTcombining additional data with the secret text as an input when generating the unique encryption code, in which the additional data that is combined with the secret text is known according to a rule known to the sending device and the receiving device (Ravinutala, [0028]:  the source IP address or other identifying information (e.g., MAC address) of an authentication packet originator may be used as part of the input for the hash function or encryption algorithms (e.g., a password or an authentication key may be concatenated with the source IP/MAC address and the concatenation being used for hash/encryption.  [0033], [0044]:  Once the authentication packet 504 is successfully checked, the network device 404 may be authenticated as a peer VTEP and the route indicated in the route update packet 408 may be accepted.  The peer VTEP may be installed as a trusted peer VTEP and its route (e.g., IP address, MAC/MAC-IP, etc.) may be accepted (e.g. rule).  The same rationale applies as in claim 1.  

Claims 7, 12 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Fishman in view of Ravinutala, as applied in claim 1, in further view of Ocepek et al. (US 2004/0054926 A1).
Regarding claim 7, Fishman-Ravinutala discloses the computer-implemented method of Claim 1, further comprising the steps of: responsive to determining that the values at the same (Ravinutala, [0041],[0044]: If the second network device is authenticated, it may be established as a trusted peer VTEP. If, however, the second network device fails the authentication, it may be treated as a rogue VTEP. If the security check fails, the peer status may be updated to authentication failed at 918 and the peer VTEP may be deleted from a peer table and its route (e.g., IP address, MAC/MAC-IP, etc.) may be rejected).
However, Fishman-Ravinutala does not disclose adding the MAC address of the remote device to a blocked list or an untrusted device list; or both.
In an analogous art, Ocepek discloses adding the MAC address of the remote device to a blocked list or an untrusted device list; or both ([0059], [0079]:  each blocked client device 24-B.sub.1-l in blocked client list 152 is identified by IP address 168 and MAC address 170.  Upon receipt of the corresponding ARP reply via network interface driver 132, access blocking routine 122 determines whether the client device 24 at the queried IP address responds with the same MAC address as the blocked client MAC address 170 found in blocked client list 152).
Therefore, it would have been obvious before the effective filed date of the claimed invention to a person having ordinary skill in the art to modify Fishman-Ravinutala to comprise “adding the MAC address of the remote device to a blocked list or an untrusted device list; or both” taught by Ocepek.
One of ordinary skilled in the art would have been motivated because it would have enabled for controlling access by a client device to protected devices on a computer network (Ocepek, [0016]).  
(Ravinutala, [0041], [0044]: If the second network device is authenticated, it may be established as a trusted peer VTEP. If, however, the second network device fails the authentication, it may be treated as a rogue VTEP. If the security check fails, the peer status may be updated to authentication failed at 918 and the peer VTEP may be deleted from a peer table and its route (e.g., IP address, MAC/MAC-IP, etc.) may be rejected).
However, Fishman-Ravinutala does not disclose adding the MAC address of the sending device to a blocked list or an untrusted device list; or both.  
In an analogous art, Ocepek discloses adding the MAC address of the sending device to a blocked list or an untrusted device list; or both ([0059], [0079]:  each blocked client device 24-B.sub.1-l in blocked client list 152 is identified by IP address 168 and MAC address 170.  Upon receipt of the corresponding ARP reply via network interface driver 132, access blocking routine 122 determines whether the client device 24 at the queried IP address responds with the same MAC address as the blocked client MAC address 170 found in blocked client list 152).
Therefore, it would have been obvious before the effective filed date of the claimed invention to a person having ordinary skill in the art to modify Fishman-Ravinutala to comprise “adding the MAC address of the sending device to a blocked list or an untrusted device list; or both” taught by Ocepek.
(Ocepek, [0016]).  

Regarding claim 20; the claim is interpreted and rejected for the same reason as set forth in claim 7.

Additional References
	The prior art made of record and not relied upon is considered pertinent to applicants disclosure.
Arakawa et al., US 2003/0021418 A1: Cryptogram Communication System. 
Gao et al., US 2019/0036736 A1: Packet Processing Method, Device, and Packet Processing System.
Larignon, US 11,070,975 B2: Method and Device for Transmitting Encrypted Data Method and Device for Extracting Data.







Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JUAN C TURRIATE GASTULO whose telephone number is (571)272-6707. The examiner can normally be reached Monday - Friday 8 am-4 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Brian J Gillis can be reached on 571-272-7952. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available 





/J.C.T/Examiner, Art Unit 2446                                                                                                                                                                                                        
/GIL H. LEE/Primary Patent Examiner, Art Unit 2446