DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to the application 16/849275 filed on 04/15/2020.
Claims 1-21 have been examined and are pending in this application. 

Information Disclosure Statement
The information disclosure statement (IDS), submitted on 04/15/2020, is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections – 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 15-21 are rejected under 35 U. S. C. 101 as being directed to non-statutory subject matter.

Regarding claim 15; claim 15 recites a computer program per se because the claimed “A computer program product” is not stored on any memory device or non-transitory computer-readable storage medium. . See Warmerdam, 33 F.3d at 1361, 31 USPQ2d at 1760.  It’s noted that the claim recites “computer readable program code to be executed by one or more processors when retrieved from a non-transitory computer readable medium,” (emphasis added); That means the computer program product is not always stored on a non-transitory computer readable storage medium. The Examiner respectfully suggests that the claim be further amended to either “A computer program product including computer readable program codes stored on a non-transitory computer readable storage medium for performing stateless mutual authentication …” or “A computer program product including computer readable program codes stored on a non-transitory computer readable storage device for performing stateless mutual authentication …”  to make the claim statutory under 35 USC 101.
Regarding claims 16-21; Claims 16-21 are also rejected under 35 U.S.C 101 as being directed to non-statutory subject matter for the same reasons.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person.


This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the 

Claims 1-2, 8-9 and 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Bracewell et al. (“Bracewell,” US 2004/0098609) in view of Kim (US 10826875) and HUAPAYA et al. (“Huapaya,” US 2020/0177563).

Regarding claim 1: Bracewell discloses a computer-implemented method for performing stateless mutual authentication in a trusted network space, the method comprising:
generating, by a server computing system, a universally unique identifier (UUID) (Bracewell: ¶0058 server computer system 211 also includes login element validator 216 [...] login element validator 216 can also generate unique session identifiers (e.g., Globally Unique Identifiers ("GUIDs") [i.e. UUID]) for client computer systems), the UUID to be encrypted using a private key associated with the first application to generate a first digital signature (Bracewell: ¶0082 login element validator 216 can generate a digital signature [] login element validator 216 can derive a signature key [] a combination of a most current key in a rotating key store; ¶0083 KMOST CURRENT ROTATING  represents the most current key in private rotating key store 231);
generating, by the server computing system, a first session key associated with the first application, the first digital signature to be encrypted using the first session key to generate a first encrypted digital signature (Bracewell: ¶0037 in response to receiving user credentials, the server generates a unique session identifier for the client. The server derives a digital signature for the user credentials based on the most current key [i.e. session key] in a rotating key store and the unique session identifier. The server then encrypts the digital signature and the user credentials based on an encryption key derived from most current key in a rotating key store and the unique session identifier; ¶0086 Formula 4);
encrypting, by the server computing system, the first session key (Bracewell: ¶0085 login element validator 216 can also derive an encryption key [] by hashing a combination of a most current key [i.e. session key] in a rotating key store); and
transmitting, by the server computing system, the UUID, the first encrypted digital signature, and the first encrypted session key to the second application (Bracewell: ¶0088 act 309 can include the server computer system sending encrypted information that represents at least a portion of the user credentials and a time-dependent signature to the client computer system [] login element validator 216 can send message 255, which includes, GUID 274 and encrypted credentials 275, to client computer system 201).
Bracewell does disclose encrypted session key but does not explicitly disclose using a public key associated with a second application to generate a first encrypted session key, wherein the first application and the second application are deployed with a Platform as a Service (PaaS) associated with the server computing system in the trusted network space.
However, Kim discloses using a public key associated with a second application to generate a first encrypted session key, wherein the first application and the second application are deployed with a Platform as a Service (PaaS) associated with the server computing system in the trusted network space (Kim: col. 13 lines 40-42 the ephemeral symmetric key can be encrypted using the public key transmitted from within provider environment 510; col. 9 lines 38-41 a provider environment can include networks and/or devices controlled (wholly or partially) by a provider, for example, a service provider of a Platform as a Service (PaaS) service).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Kim with the system/method of Bracewell to include generate a first encrypted session key, wherein the first application and the second application are deployed with a Platform as a Service (PaaS) associated with the server computing system in the trusted network space.
One would have been motivated to providing systems and methods for securely communicating requests within a computing infrastructure (Kim: col. 1 lines 6-8).
Bracewell in view of Kim does not explicitly disclose to enable the second application to authenticate the first application.
However, Huapaya discloses to enable the second application to authenticate the first application (Huapaya: ¶0142 once the mobile application 110 authenticates successfully the HME 102, the mobile application 110 and the HME 102 authenticates 422 successfully mutually).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Huapaya with the system/method of Bracewell and Kim to include enable the second application to authenticate the first application.
One would have been motivated to providing a method for mutual symmetric authentication between a first application and a second application (Huapaya:¶0001).

Regarding claim 2: Bracewell in view of Kim and Huapaya the method of claim 1.
Bracewell further discloses wherein the UUID, the first encrypted digital signature and the first encrypted session key are transmitted in a header of a message generated by the first application (Bracewell: ¶0018 client can submit credentials, for example, using Secure Sockets Layer ("SSL") to secure an HTTP post; ¶0077 method 500 includes an act of configuring the communication filter in accordance with selected and identified communication properties (act 504). Act 504 can include a server computer system configuring the communication filter to process HTTP communication with the client in accordance with any selected communication properties and identified other relevant properties supported by the client).  

Regarding claim 8: Bracewell discloses a system for performing stateless mutual authentication in a trusted network space associated with a Platform as a Service (PaaS) comprising:
one or more processors (Bracewell: fig. 1); and
a non-transitory computer readable medium storing a plurality of instructions (Bracewell: fig. 1), which when executed, cause the one or more processors of a server computing system to:
generate a universally unique identifier (UUID) (Bracewell: ¶0058 server computer system 211 also includes login element validator 216 [...] login element validator 216 can also generate unique session identifiers (e.g., Globally Unique Identifiers ("GUIDs") [i.e. UUID]) for client computer systems), the UUID to be encrypted using a Bracewell: ¶0082 login element validator 216 can generate a digital signature [] login element validator 216 can derive a signature key [] a combination of a most current key in a rotating key store; ¶0083 KMOST CURRENT ROTATING  represents the most current key in private rotating key store 231);
generate a first session key associated with the first application, the first digital signature to be encrypted using the first session key to generate a first encrypted digital signature (Bracewell: ¶0037 in response to receiving user credentials, the server generates a unique session identifier for the client. The server derives a digital signature for the user credentials based on the most current key [i.e. session key] in a rotating key store and the unique session identifier. The server then encrypts the digital signature and the user credentials based on an encryption key derived from most current key in a rotating key store and the unique session identifier; ¶0086 Formula 4);
encrypt the first session key (Bracewell: ¶0085 login element validator 216 can also derive an encryption key [] by hashing a combination of a most current key [i.e. session key] in a rotating key store); and
transmit the UUID, the first encrypted digital signature, and the first encrypted session key to the second application (Bracewell: ¶0088 act 309 can include the server computer system sending encrypted information that represents at least a portion of the user credentials and a time-dependent signature to the client computer system [] login element validator 216 can send message 255, which includes, GUID 274 and encrypted credentials 275, to client computer system 201).

However, Kim discloses using a public key associated with a second application to generate a first encrypted session key, wherein the first application and the second application are deployed with a Platform as a Service (PaaS) associated with the server computing system in the trusted network space (Kim: col. 13 lines 40-42 the ephemeral symmetric key can be encrypted using the public key transmitted from within provider environment 510; col. 9 lines 38-41 a provider environment can include networks and/or devices controlled (wholly or partially) by a provider, for example, a service provider of a Platform as a Service (PaaS) service).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Kim with the system/method of Bracewell to include generate a first encrypted session key, wherein the first application and the second application are deployed with a Platform as a Service (PaaS) associated with the server computing system in the trusted network space.
One would have been motivated to providing systems and methods for securely communicating requests within a computing infrastructure (Kim: col. 1 lines 6-8).
Bracewell in view of Kim does not explicitly disclose to enable the second application to authenticate the first application.
Huapaya: ¶0142 once the mobile application 110 authenticates successfully the HME 102, the mobile application 110 and the HME 102 authenticates 422 successfully mutually).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Huapaya with the system/method of Bracewell and Kim to include enable the second application to authenticate the first application.
One would have been motivated to providing a method for mutual symmetric authentication between a first application and a second application (Huapaya:¶0001).

Regarding claim 9: Claim 2 is similar in scope to claim 9, and is therefore rejected under similar rationale.  

Regarding claim 15: Bracewell discloses a computer program product for performing stateless mutual authentication in a trusted network space associated with a Platform as a Service (PaaS) comprising computer- readable program code to be executed by one or more processors when retrieved from a non- transitory computer-readable medium, the program code including instructions to:
 SFDC Docket No. 4683USgenerate a universally unique identifier (UUID) (UUID) (Bracewell: ¶0058 server computer system 211 also includes login element validator 216 [...] login element validator 216 can also generate unique session identifiers (e.g., Globally Unique Identifiers ("GUIDs") [i.e. UUID]) for client computer systems), the UUID to be encrypted using a Bracewell: ¶0082 login element validator 216 can generate a digital signature [] login element validator 216 can derive a signature key [] a combination of a most current key in a rotating key store; ¶0083 KMOST CURRENT ROTATING  represents the most current key in private rotating key store 231);
generate by the server computing system, a first session key associated with the first application, the first digital signature to be encrypted using the first session key to generate a first encrypted digital signature (Bracewell: ¶0037 in response to receiving user credentials, the server generates a unique session identifier for the client. The server derives a digital signature for the user credentials based on the most current key [i.e. session key] in a rotating key store and the unique session identifier. The server then encrypts the digital signature and the user credentials based on an encryption key derived from most current key in a rotating key store and the unique session identifier; ¶0086 Formula 4);
encrypt the first session key (Bracewell: ¶0085 login element validator 216 can also derive an encryption key [] by hashing a combination of a most current key [i.e. session key] in a rotating key store); and 
transmit the UUID, the first encrypted digital signature, and the first encrypted session key to the second application (Bracewell: ¶0088 act 309 can include the server computer system sending encrypted information that represents at least a portion of the user credentials and a time-dependent signature to the client computer system [] login element validator 216 can send message 255, which includes, GUID 274 and encrypted credentials 275, to client computer system 201).

However, Kim discloses using a public key associated with a second application to generate a first encrypted session key, wherein the first application and the second application are deployed with a Platform as a Service (PaaS) associated with the server computing system in a trusted network space (Kim: col. 13 lines 40-42 the ephemeral symmetric key can be encrypted using the public key transmitted from within provider environment 510; col. 9 lines 38-41 a provider environment can include networks and/or devices controlled (wholly or partially) by a provider, for example, a service provider of a Platform as a Service (PaaS) service).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Kim with the system/method of Bracewell to include generate a first encrypted session key, wherein the first application and the second application are deployed with a Platform as a Service (PaaS) associated with the server computing system in the trusted network space.
One would have been motivated to providing systems and methods for securely communicating requests within a computing infrastructure (Kim: col. 1 lines 6-8).
Bracewell in view of Kim does not explicitly disclose to enable the second application to authenticate the first application.
However, Huapaya discloses to enable the second application to authenticate the first application (Huapaya: ¶0142 once the mobile application 110 authenticates successfully the HME 102, the mobile application 110 and the HME 102 authenticates 422 successfully mutually).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Huapaya with the system/method of Bracewell and Kim to include enable the second application to authenticate the first application.
One would have been motivated to providing a method for mutual symmetric authentication between a first application and a second application (Huapaya:¶0001).

Regarding claim 16: Claim 16 is similar in scope to claim 2, and is therefore rejected under similar rationale.  

Claims 3-7, 10-14, and 17-21 are rejected under 35 U.S.C. 103 as being unpatentable over Bracewell et al. (“Bracewell,” US 2004/0098609) in view of Kim (US 10826875), HUAPAYA et al. (“Huapaya,” US 2020/0177563) and Pham (US 2017 /0279602).

Regarding claim 3: Bracewell in view of Kim and Huapaya the method of claim 2.
Bracewell in view of Kim and Huapaya does not explicitly disclose wherein each of the first application and the second application is assigned a public key and a private key unrelated to a certificate authority (CA), and wherein the first application and the second application are configured to exchange their public keys.
Pham: ¶0031 first application and a second application can each generate public and private key pairs [unrelated to a certificate authority], and can exchange public keys).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Pham with the system/method of Bracewell, Kim and Huapaya to include each of the first application and the second application is assigned a public key and a private key and exchange their public keys.
One would have been motivated to providing methods, systems, and media for using dynamic public key infrastructure to send and receive encrypted messages (Pham:¶0002).

Regarding claim 4: Bracewell in view of Kim, Huapaya and Pham the method of claim 3.
Bracewell further discloses decrypting, by the server computing system, the first encrypted digital signature using the recovered session key to generate a second digital signature (Bracewell: ¶0095 credential validator 237 can decrypt encrypted information to reveal a Digital Signature; ¶0096 credential validator 237 can derive a validation key, which can be used to generate a validation digital signature).
Kim: col. 15 lines 3-5 agent software instance 535 can decrypt the public key encrypted-ephemeral symmetric key using the private key corresponding to the public key).
The motivation is the same that of claim 1 above.
SFDC Docket No. 4683US  
Regarding claim 5: Bracewell in view of Kim, Huapaya and Pham the method of claim 4.
Huapaya further discloses generating a Boolean value based on the second digital signature, the public key of the first application and the UUID (Huapaya: ¶0123 the mobile application 110 has received, as a security proof(s), the first derived symmetric key, the key generation parameter(s) and the UUIDx of the first master symmetric key, as data relating to a unique identifier relating to the first master symmetric key; ¶0129 once the message 44 is received by the HME 102, the HME 102 identifies 46 [] the first master symmetric key that has been used to generate the first derived symmetric key); and
verifying a result of the stateless mutual authentication based on the Boolean value (Huapaya: ¶0142 once the mobile application 110 authenticates successfully the HME 102, the mobile application 110 and the HME 102 authenticates 422 successfully mutually).
The motivation is the same that of claim 1 above.

Regarding claim 6: Bracewell in view of Kim, Huapaya and Pham the method of claim 5.
Huapaya further discloses wherein the first application is authenticated by the second application based on the Boolean value verified as successful (Huapaya: ¶0107 once the HME 102 has received, as a security proof(s), the first master symmetric key set (and/or the second master symmetric key set), the HME 102 may establish mutual authentication (and therefore trust) with the mobile application 110 (and/or any other mobile application) managed by the second HSM 108). 
The motivation is the same that of claim 1 above.

Regarding claim 7: Bracewell in view of Kim, Huapaya and Pham the method of claim 6.
Bracewell further discloses wherein the PaaS is associated with the trusted network space where Secure Sockets Layer/Transport Layer Security (SSL/TLS) termination is at a router, and wherein authentication of the first application by the second application is not based on an authentication mechanism supplied by the PaaS (Bracewell: ¶0081 a mutually authenticated connection, for example, using Transport Layer Security ("TLS") or Secure Sockets Layer ("SSL"), can be established between a client computer system and server computer system to reduce the likelihood or malicious processes or users "sniffing" packets and to reduce the likelihood of middle-man attacks). 
 
Regarding claims 10-14: Claims 10-14 are similar in scope to claims 3-7, respectively, and are therefore rejected under similar rationale. 

Regarding claims 17-21: Claims 17-21 are similar in scope to claims 3-7, respectively, and are therefore rejected under similar rationale.



Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Fahimeh Mohammadi whose telephone number is (571)270-7857. The examiner can normally be reached Monday - Friday 9:00 - 5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 5712705002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. 
Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 






/FAHIMEH MOHAMMADI/ Examiner, Art Unit 2439            


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439