Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1-4, 9, 12, 14-15, and 17-20 is/are rejected under 35 U.S.C. 102(a)(2) as being antedated by United States Patent No.: US 10,192,072 B1 (Galvin, Jr. et al.).

As Per Claim 1: Galvin, Jr. et al. teaches: A system for tokenizing information in a cloud environment, the system comprising:
- at least one processor; and
- at least one non-transitory memory containing instructions that, when executed by the at least one processor, cause the system to perform operations comprising: 
	(Galvin, Jr. et al., Column 15, Lines 22-33 “The representative hardware layer 704 comprises one or more processing units 706 having associated executable instructions 708. Executable instructions 708 represent the executable instructions of the software architecture 702, including implementation of the methods, modules, subsystems, and components, and so forth of FIGS. 1-7. Hardware layer 704 also includes memory and/or storage modules 710, which also have executable instructions 708. Hardware layer 704 may also comprise other hardware as indicated by other hardware 712 which represents any 

- receiving input to be tokenized;
	(Galvin, Jr. et al., Column 7, Lines 30-38 “Referring now to the input file process 302, the input system 102 may receive an input file 307. The input file 307 may include input records, for example, may correspond to the input file 118 shown in FIG. 1. At operation 320, the input system 102 may get an input record from the input file 307. Although the workflow flow 300 has the input system 102 operating on one input record at a time, in some examples, the input system 102 may operate on multiple input records in parallel.”).

- obtaining a keyed hash function;
- using the keyed hash function at a storage tokenizer, generating a storage token for the input;
	(Galvin, Jr. et al., Column 7 Line 56 – Column 8 Line 3, “At operation 326, the input system 102 may tokenize the input record, for example, by generating token data to replace sensitive data, for example, as illustrated in FIG. 1. Tokenized data may be generated in any suitable manner. In some examples, the input system 102 may apply a hash algorithm to sensitive data to generate corresponding token data. In some examples, the input system may utilize an external token utility, such as the HPE Secure Stateless Tokenization utility available from Hewlett Packard Enterprise. Other suitable tokenization utilities that may be used include, the CardVault® utility available from 3Delta Systems, Inc., the Cloud Data Protection utility available from Blue Coat Systems, Inc., the Tokenization utility available from Bluefin Payment Systems, the CardConnect utility from CardConnect LLC, etc.”).

- creating an encrypted database entry linking the generated token to the received input;

	(Galvin, Jr. et al., Column 2 Line 55 – Column 3 Line 3, “The systems and methods described herein may provide advantages over alternative configurations. For example, utilizing the tables described may enable the identification of record fields in different formats and from different sources. For example, if records were to be received in a common format, the processing system could be used with a purpose-designed database that applies encryption or other protection technology to specific database columns that correspond to record fields storing sensitive information. In contrast, the systems and methods described herein may be useful for common format records as well as records in different formats from different sources. In some examples, the systems and methods may be used for a processing system that receives records from a number of different systems, such as different legacy systems, different customer systems, etc.”).
	Additional teaching on the token record in the token table/database can be seen in (Galvin, Jr. et al., Column 3 Line 20 – Column 4 Line 2).

- setting an expiry for the storage token; and
	(Galvin, Jr. et al., Column 3 Lines 27-54, “A source setup table 108 may comprise data describing which record fields of input records include sensitive data. For example, the source setup table 108 may include source setup records. A source setup record may identify the record fields of an input record and may indicate which, if any, record fields of an input record include sensitive data that is to be tokenized. A token table 112 may include token records describing tokens introduced into input records by the input 

- when the storage token is received before the expiry, providing the linked input in response.
	(Galvin, Jr. et al., Column 8 Line 64 – Column 9 Line 17, “If the processed file does not include token data, the output system 104 may proceed to provide the output file 350 via an output channel 352, described in more detail below. If the processed file does include token data, the output system 104 may, at operation 346, verify token data at the processed file, for example, by comparing data units from record fields indicated by the target setup record to include sensitive data with entries in the token table 112. For example, when the relevant record fields were tokenized at the input file process, the corresponding token data may have been written to the token table 112 as described. If, at operation 346, the token table includes a copy of the data units indicated by the target setup record to be token data, it may provide another indication that the data units are, indeed, token data. In some examples, as described herein, the token records at the token table 112 may expire after an expiration time. If the output file process 304 is 

As Per Claim 2: The rejection of claim 1 is incorporated and further Galvin, Jr. et al. teaches:
- the keyed hash function is obtained from a key management system.
	(Galvin, Jr. et al., Column 7 Line 56 – Column 8 Line 3, “At operation 326, the input system 102 may tokenize the input record, for example, by generating token data to replace sensitive data, for example, as illustrated in FIG. 1. Tokenized data may be generated in any suitable manner. In some examples, the input system 102 may apply a hash algorithm to sensitive data to generate corresponding token data. In some examples, the input system may utilize an external token utility, such as the HPE Secure Stateless Tokenization utility available from Hewlett Packard Enterprise. Other suitable tokenization utilities that may be used include, the CardVault® utility available from 3Delta Systems, Inc., the Cloud Data Protection utility available from Blue Coat Systems, Inc., the Tokenization utility available from Bluefin Payment Systems, the CardConnect utility from CardConnect LLC, etc.”).

As Per Claim 3: The rejection of claim 2 is incorporated and further Galvin, Jr. et al. teaches:
- receiving, at a different processor of the cloud environment, a second input to be tokenized; obtaining, for the different processor, the keyed hash function from the key management system; and using the keyed hash function, generating, at the different processor, a second storage token for the input, wherein the second storage token generated by the different processor is the same as the storage token generated by the at least one processor.
	(Galvin, Jr. et al., Column 7 Line 56 – Column 8 Line 3, “At operation 326, the input system 102 may tokenize the input record, for example, by generating token data to replace sensitive data, for example, as illustrated in FIG. 1. Tokenized data may be generated in any suitable manner. In some 

As Per Claim 4: The rejection of claim 1 is incorporated and further Galvin, Jr. et al. teaches:
- receiving an identification; and storing the identification along with the storage token in an application database.
	The operations for the database can be seen in (Galvin, Jr. et al., Column 13 line 20 – Column 14 Line 48).

As Per Claim 9: The rejection of claim 1 is incorporated and further Galvin, Jr. et al. teaches:
- the system comprises or is in communication with a network tokenizer.
	(Galvin, Jr. et al., Column 7 Line 56 – Column 8 Line 3, “At operation 326, the input system 102 may tokenize the input record, for example, by generating token data to replace sensitive data, for example, as illustrated in FIG. 1. Tokenized data may be generated in any suitable manner. In some examples, the input system 102 may apply a hash algorithm to sensitive data to generate corresponding token data. In some examples, the input system may utilize an external token utility, such as the HPE Secure Stateless Tokenization utility available from Hewlett Packard Enterprise. Other suitable tokenization utilities that may be used include, the CardVault® utility available from 3Delta Systems, Inc., the Cloud Data Protection utility available from Blue Coat Systems, Inc., the Tokenization utility available from Bluefin Payment Systems, the CardConnect utility from CardConnect LLC, etc.”).

As Per Claim 12: The rejection of claim 1 is incorporated and further Galvin, Jr. et al. teaches:
- the input comprises a network token generated by the network tokenizer.
	(Galvin, Jr. et al., Column 7 Line 56 – Column 8 Line 3, “At operation 326, the input system 102 may tokenize the input record, for example, by generating token data to replace sensitive data, for example, as illustrated in FIG. 1. Tokenized data may be generated in any suitable manner. In some examples, the input system 102 may apply a hash algorithm to sensitive data to generate corresponding token data. In some examples, the input system may utilize an external token utility, such as the HPE Secure Stateless Tokenization utility available from Hewlett Packard Enterprise. Other suitable tokenization utilities that may be used include, the CardVault® utility available from 3Delta Systems, Inc., the Cloud Data Protection utility available from Blue Coat Systems, Inc., the Tokenization utility available from Bluefin Payment Systems, the CardConnect utility from CardConnect LLC, etc.”).

As Per Claim 14: The rejection of claim 12 is incorporated and further Galvin, Jr. et al. teaches:
- the network token is generated by the network tokenizer from sensitive information.
	(Galvin, Jr. et al., Column 7 Line 56 – Column 8 Line 3, “At operation 326, the input system 102 may tokenize the input record, for example, by generating token data to replace sensitive data, for example, as illustrated in FIG. 1. Tokenized data may be generated in any suitable manner. In some examples, the input system 102 may apply a hash algorithm to sensitive data to generate corresponding token data. In some examples, the input system may utilize an external token utility, such as the HPE Secure Stateless Tokenization utility available from Hewlett Packard Enterprise. Other suitable tokenization utilities that may be used include, the CardVault® utility available from 3Delta Systems, Inc., the Cloud Data Protection utility available from Blue Coat Systems, Inc., the Tokenization utility available from Bluefin Payment Systems, the CardConnect utility from CardConnect LLC, etc.”).

As Per Claim 15: The rejection of claim 14 is incorporated and further Galvin, Jr. et al. teaches:
- the network tokenizer is in communication with the at least one processor, and wherein the operations further comprise: receiving the storage token; obtaining the network token from the storage tokenizer; routing the network token to the network tokenizer; and obtaining the sensitive information from the network token.
	(Galvin, Jr. et al., Column 9, Lines 18-39, “At operation 348, the output system 104 may de-tokenize the processed records. For example, token data at various record fields may be replaced with corresponding token data that was removed at operation 326 by the input system 102. In some examples, de-tokenizing may include a call to a token utility, such as the HPE Secure Stateless Tokenization utility available from Hewlett Packard Enterprise. The result may be an output file 350, which may correspond to the output file 124 shown in FIG. 1. The output file 350 may be provided to a subsequent system via an output channel 352. The output channel 352 may be any suitable communication channel including, for example, an e-mail, a File Transfer Protocol (FTP) transfer, secure or SSH File Transfer Protocol (S/FTP), Hypertext Transfer Protocol (HTTP), secure or SSH Hypertest Transfer Protocol (HTTP/S), Connect:Direct (also know as Network Data Mover or NDM), Message Queue (MQ), Remote Copy (RCP), Society for Worldwide Interbank Financial Telecommunication network (SWIFTNet), etc. The data protection database 107 shown in FIG. 3 omits the source maintenance table 117 and the target maintenance table 119, although these tables 117, 119 may be included in various examples.”).

As Per Claim 17: The rejection of claim 12 is incorporated and further Galvin, Jr. et al. teaches:
- the network tokenizer generates the network token using reversible tokenization.
	(Galvin, Jr. et al., Column 2 Lines 37-54, “In various examples, the security system may utilize various tables to identify sensitive data during tokenization and to identify data tokens after processing 

As Per Claim 18: The rejection of claim 12 is incorporated and further Galvin, Jr. et al. teaches:
- obtaining a key corresponding to a key used by the network tokenizer to generate the network token; using the corresponding key, decoding the network token; and generating the storage token using the keyed hash function.
	(Galvin, Jr. et al., Column 7 Line 56 – Column 8 Line 3, “At operation 326, the input system 102 may tokenize the input record, for example, by generating token data to replace sensitive data, for example, as illustrated in FIG. 1. Tokenized data may be generated in any suitable manner. In some examples, the input system 102 may apply a hash algorithm to sensitive data to generate corresponding token data. In some examples, the input system may utilize an external token utility, such as the HPE Secure Stateless Tokenization utility available from Hewlett Packard Enterprise. Other suitable tokenization utilities that may be used include, the CardVault® utility available from 3Delta Systems, Inc., the Cloud Data Protection utility available from Blue Coat Systems, Inc., the Tokenization utility available from Bluefin Payment Systems, the CardConnect utility from CardConnect LLC, etc.”).


As Per Claim 19: Claim 19 is substantially a restatement of the system of claim 1 as a method and is rejected under substantially the same reasoning.

As Per Claim 20: Claim 20 is substantially a restatement of the system of claim 1 as a non-transitory computer-readable storage medium and is rejected under substantially the same reasoning.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention 

Claims 5-8, 10-11, and 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over United States Patent No.: US 10,192,072 B1 (Galvin, Jr. et al.) in view of Designing a redundant backup solution (Posey).

As Per Claims 5 and 6: The rejection of claim 1 is incorporated and further Galvin, Jr. et al. does not explicitly teach:
- the operations further comprise: synchronizing the encrypted database entry across one or more servers.
- wherein the operations further comprise: authenticating the one or more servers before synchronization.
	However Examiner is giving official notice that authenticating and synchronizing the database across servers is an obvious interchangeable variation readily implemented with expectations of success by one of ordinary skill in the art before the effective filing date of the claimed invention being a standard implementation of multiple servers, the use of multiple servers already more broadly noted by Galvin, Jr. et al. Further the authenticating is obvious to the point of common sense.
	(Galvin, Jr. et al., Column 2 Line 55 – Column 3 Line 3, “The systems and methods described herein may provide advantages over alternative configurations. For example, utilizing the tables described may enable the identification of record fields in different formats and from different sources. For example, if records were to be received in a common format, the processing system could be used with a purpose-designed database that applies encryption or other protection technology to specific database columns that correspond to record fields storing sensitive information. In contrast, the systems and methods described herein may be useful for common format records as well as records in different formats from 
	(Galvin, Jr. et al., Column 6, Lines 20-38, “The security system 101 may comprise any suitable computing device or devices such as, for example, one or more servers, at a single geographic location and/or distributed across multiple geographic locations. Similarly, the processing system 102 may comprise any suitable computing device or devices, such as, for example, servers, at a single geographic location and/or distributed across multiple geographic locations. In some examples, the security system 101 and processing system 104 may be executed by the same server or set of servers. FIG. 2 also shows input system 102 and output system 104. The systems 102, 104 may be implemented utilizing any suitable combination of hardware or software. In some examples, one or more of the systems 102, 104 is implemented by a dedicated server or other computing device, such as a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), etc. Also, in some examples, one or more of the systems 102, 104 may be implemented as software executed by one or more computing devices of the security system 101.”).
	This is also how redundant backups and safeguards are implemented. Such as implemented in Posey.

As Per Claim 7: The rejection of claim 1 is incorporated and further Galvin, Jr. et al. does not explicitly teach:
- the encrypted database entry is stored in an encrypted database, and the operations further comprise,
	(Galvin, Jr. et al., Column 2 Line 55 – Column 3 Line 3, “The systems and methods described herein may provide advantages over alternative configurations. For example, utilizing the tables described may enable the identification of record fields in different formats and from different sources. For example, if 

Galvin, Jr. et al. does not explicitly teach the following limitation however Posey in analogous art does teach the following limitation:
- when the encrypted database fails: retrieving entries of the encrypted database from one or more other servers; and rebuilding the encrypted database using the retrieved entries.
	(Posey, Section Redundant backup servers, “The next issue that should be considered when planning a redundant backup solution is your backup servers. In most cases, the backup server is a critical part of the overall backup infrastructure, so you don't want the backup server to become a single point of failure.
	The way in which a redundant backup server should be implemented varies considerably, based on your backup architecture. In many cases, however, you should not attempt to implement parallel backup servers that operate independently of one another. Doing so almost always results in backup consistency problems.
	If your organization is performing disk-based backups, then the best approach is usually to design a two-step backup process. The idea behind this technique is that one backup server protects your production servers. The second backup server protects the first backup server. That way, if the primary 
	It would have been an obvious interchangeable variation readily implemented with expectations of success by one of ordinary skill in the art before the effective filing date of the claimed invention, the use of redundancy safeguards is a well-established method of preserving critical data against unexpected incidents.

As Per Claim 8: Galvin, Jr. et al. and Posey do not expressly state:
- authenticating the one or more other servers before retrieving entries.
	However Examiner is giving official notice that authenticating here is a common sense statement to one of ordinary skill in the art before the effective filing date of the claimed invention similar to how a bank teller would not hand over money based on a vague statement of there being an account in a bank.

As Per Claim 10: The rejection of claim 1 is incorporated and further Galvin, Jr. et al. does not explicitly teach:
- the encrypted database entry is stored in an encrypted database, and the operations further comprise:
	(Galvin, Jr. et al., Column 2 Line 55 – Column 3 Line 3, “The systems and methods described herein may provide advantages over alternative configurations. For example, utilizing the tables described may enable the identification of record fields in different formats and from different sources. For example, if records were to be received in a common format, the processing system could be used with a purpose-designed database that applies encryption or other protection technology to specific database columns that correspond to record fields storing sensitive information. In contrast, the systems and methods described herein may be useful for common format records as well as records in different formats from different sources. In some examples, the systems and methods may be used for a processing system that 

Galvin, Jr. et al. does not explicitly teach the following limitation however Posey in analogous art does teach the following limitation:
- when the encrypted database is malfunctioning, distribute the keyed hash function to the network tokenizer and generate a token using the keyed hash function at the network tokenizer; and when the encrypted database is functioning, receive as the storage token, the token generated using the keyed hash function from the network tokenizer.
	(Posey, Section Redundant backup servers, “The next issue that should be considered when planning a redundant backup solution is your backup servers. In most cases, the backup server is a critical part of the overall backup infrastructure, so you don't want the backup server to become a single point of failure.
	The way in which a redundant backup server should be implemented varies considerably, based on your backup architecture. In many cases, however, you should not attempt to implement parallel backup servers that operate independently of one another. Doing so almost always results in backup consistency problems.
	If your organization is performing disk-based backups, then the best approach is usually to design a two-step backup process. The idea behind this technique is that one backup server protects your production servers. The second backup server protects the first backup server. That way, if the primary backup server were to fail, the secondary backup server can be used to rebuild the failed server and the data that it has backed up.”).
	If the primary database fails the tokenization will continue and the backup database will take over database funcitons. It would have been an obvious interchangeable variation readily implemented with expectations of success by one of ordinary skill in the art before the effective filing date of the claimed invention, the 

As Per Claim 11: The rejection of claim 10 is incorporated and further Galvin, Jr. et al. does not explicitly teach:
- authenticating the network tokenizer before distributing the keyed hash function.
	However Examiner is giving official notice that authenticating here is a common sense statement to one of ordinary skill in the art before the effective filing date of the claimed invention similar to how a bank teller would not hand over money based on a vague statement of there being an account in a bank.

As Per Claim 13: The rejection of claim 11 is incorporated and further Galvin, Jr. et al. teaches:
- when the encrypted database is malfunctioning, storing the input in a cache; and when the encrypted database is functioning, decoding the network token and storing an entry linking the storage token to the decoded input.
	(Galvin, Jr. et al., Column 2 Lines 37-54, “In various examples, the security system may utilize various tables to identify sensitive data during tokenization and to identify data tokens after processing for de-tokenization. A source setup table may store a plurality of source setup records. Each source setup record may correspond to a type of incoming record expected to be received by the security system. For example, a source setup record may indicate fields of an incoming data record that include sensitive data, if any, (and therefore should be replaced with token data). An audit data source may include various data describing a record and record field that is to be tokenized. A token data source may include token data that is incorporated into the incoming data records. A target setup table may include target setup records. Each target setup record may correspond to a type of processed record expected to be generated by the processing system, and may indicate record fields at the processed record that include token data and, therefore, are to be de-tokenized.”).
	Cache is the memory of the processor and will inherently store the input in all cases so that the computer system can function.

Claim 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over United States Patent No.: US 10,192,072 B1 (Galvin, Jr. et al.).

As Per Claim 16: The rejection of claim 14 is incorporated and further Galvin, Jr. et al. does not explicitly teach:
- the network tokenizer salts the sensitive information prior to generating the network token, and wherein the operations further comprise: obtaining the salt used by the network tokenizer; and removing the salt from the decoded network token before generating the storage token using the keyed hash function.
	However Examiner is giving official notice that the use of a salt is a well-established obvious interchangeable variation readily implemented with expectations of success by one of ordinary skill in the art before the effective filing date of the claimed invention the use of a salt be a basic security enhancement.

Additional Prior Art
HPE Secure Stateless Tokenization (HPE) provides additional background information on one of the keyed tokenization methods referred to for possible use in Galvin, Jr. et al.’s method.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BENJAMIN A KAPLAN whose telephone number is (571)270-3170. The examiner can normally be reached 9:00 a.m. - 5:00 p.m..
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.






/BENJAMIN A KAPLAN/Examiner, Art Unit 2434