DETAILED ACTION
Responsive to the Applicant reply filed on01/13/2022, Applicant’s amendments to claims have been entered and respective arguments carefully considered and responded in following.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
The amendment filed 01/13/2022 has been entered. Claims 1, 2 ,7, 11, 12 and 17 have been amended. Claims 1-20 remain pending in the application.

Response to Arguments
Applicants arguments, see amended claims 1 and 11 and Applicant’s Remarks, Page 8-9, regarding the newly added limitation “a second cryptographic context.” have been fully considered but they are not persuasive. Bollay (US 20110231651 A1) teaches, in para. 0022, an SSL protocol using a series of SSL handshakes. The SSL protocol uses a series of SSL handshakes (i.e. an SSL handshake protocol) to initiate an SSL session. An SSL session is associated with additional secret data that enables the SSL session (e.g. pre-master secret, random data, server's public and private keys [considered as “first/second cryptographic contexts” respectively] and/or client's public and private keys). For such reason, the arguments are not persuasive. Please refer to the 35 U.S.C. § 103 section below for the detailed rejection.


Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

Claims 1 and 11 are rejected under 35 U.S.C. 112(a), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. In this case, Applicant’s amendment filed 01/13/2022 are reproduced below.
“the first cryptographic context and the second cryptographic context existing prior to establishment of the end-to-end cryptographic context”
The examiner carefully reviewed a specification of the current application. However, examiner noticed that the specification may not contain the underlined features above. For example, the examiner cam see that the specification explicitly states, in para. 0016 and 0022, “The first cryptographic context may exist prior to establishment of the end-to-end cryptographic context”. However, the specifications recites that the “second cryptographic context” is shared after “upon successful negotiation” of the end-to-end cryptographic context according paragraph 0138. With respect to the “second cryptographic context”, paragraphs , 0138, 0142 and 0158 were carefully reviewed but the 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4, 5, 8, 11, 14, 15 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Kadyk et al. (US 6996841 B2) in view of Bollay (US 20110231651 A1).
Regarding claim 1, (Currently Amended) Kadyk discloses a system for establishing an end-to-end cryptographic context, the system comprising (Fig. 5): 
a service node executing on a first device that is intermediary between a client and a server, in communication with at least one network device separate from the first device and arranged intermediary between the first device and the server, the server providing a service to the client via the service node and the at least one network device, the service node configured to ([col. 12, ln. 45-48] FIG. 5 illustrates an exemplary method for negotiating a secure end-to-end connection between a client system 502 [“client”] and a server [“server”] or cascaded proxy system 506 a [“network device”], using a proxy system 504 as an intermediary [“service node”]): 
obtain information to validate the service ([Fig. 5, 510; col. 13, ln. 17-20] The step for authenticating includes acts such as the client 502 [“client”] receiving an authenticate challenge and sending proper authentication credentials to proxy 504 [“service node”]); 
[col. 13, ln. 30-32] Once the client is authenticated, the client-proxy connection can be made insecure by performing the act of setting the encryption used by the connection to a null cipher as shown at reference 540 [“transmit a message”]. The step for negotiating a secure end-to-end connection between client 502 and sever or cascaded proxy 506 a [“first network device”] continues at reference 520 b. With the client having been authenticated, the proxy 504 [“service node”] performs the act of forwarding the request for a secure end-to-end connection to the server or cascaded proxy 506 a [“first network device”]).
Although Kadyk teaches, column 13, ln. 16-32, a step for authenticating a user at client 502 to proxy 504 is indicated prior to reference 520 b [“establish, responsive to validating the service, an end-to-end cryptographic context”], it does not explicitly discloses “establish, responsive to validating the service, an end-to-end cryptographic context between the service node and the server through the at least one network device, the at least one network device including a first network device that shares a first cryptographic context with the service node, the first cryptographic context existing prior to establishment of the end- to-end cryptographic context.”  
In a same field of endeavor, Bollay discloses the system, wherein establish, responsive to validating the service, an end-to-end cryptographic context between the service node and the server through the at least one network device, the at least one network device including a first network device that shares a first cryptographic context with the service node and a second cryptographic context with a second network device of the at least one network device, the first cryptographic context and the second cryptographic context existing prior to establishment of the end-to-end cryptographic context([0086-0090] Process 500 may be implemented by server-side TMD 110 [“service node”]. Process 500 begins, after a start block, at block 502, by receiving a private key [“first cryptographic ”] associated with the first server device [“first network device”]. In response to the “CLIENT HELLO”, the first server device [“first network device”] may send a “SERVER HELLO” message, a “SERVER CERTIFICATE” message enabling the client device [“second network device”] to identify the first server device, a “SERVER KEY EXCHANGE” message including the first server device's public key [“second cryptographic context”]. Upon completion of this exchange of handshake messages[“prior to establishment”], the client device and the first server device have established an end-to-end encrypted session [“establishment of the end-to-end cryptographic context”]);
At the time of filing, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Kadyk with the teachings of Bollay to include a first cryptographic context and a second cryptographic context existing prior to establishment of the end-to-end cryptographic context. One of ordinary skill in the art would have been motivated to make this modification because an SSL session may be further associated with additional secret data that enables the SSL session (e.g. pre-master secret, random data, server's public and private keys and/or client's public and private keys [or cryptographic contexts]). The SSL protocol also includes an SSL re-handshake procedure for renegotiating an SSL session [0022]. 

Regarding claim 4, (Original) the combination of Kadyk and Bollay discloses the system of claim 1, wherein the service node is configured to validate the service using information about a parameter uniquely associated with the service, the information obtained through one or more packets from the client ([Kadyk: col. 13, ln. 09-15] Reference 520 a marks the initiation of a step for negotiating a secure end-to-end connection between client 502 and server or cascaded proxy 506 a. The step for negotiating a secure end-to-end connection may begin with the act of client 502 sending proxy 504 a request for the secure end-to-end connection).

Regarding claim 5, (Original) the combination of Kadyk and Bollay discloses the system of claim 1, wherein the service node is configured to validate the service by authenticating the service ([Kadyk: col. 13, ln 16-20] A step for authenticating a user at client 502 to proxy 504 is indicated at reference 530. The step for authenticating includes acts such as the client 502 receiving an authenticate challenge and sending proper authentication credentials to proxy 504).

Regarding claim 8, (Original) the combination of Kadyk and Bollay discloses the system of claim 1, wherein the service node is configured to transmit the encrypted message to the first network device, to cause the first network device to pass traffic that is encrypted using the end-to-end cryptographic context through the first network device, without decrypting or re-encrypting the traffic at the first network device ([Bollay: 0101]  the server-side TMD may ignore the ensuing renegotiation between the client device and the first server device, such that the server-side TMD ceases to decrypt and modify content sent over the end-to-end encrypted connection. Instead, the server-side TMD may route data sent over the renegotiated encrypted connection to the first server device as it would any other network connection).

Regarding claim 11, (Currently Amended) A method for establishing an end-to-end cryptographic context, comprising (Fig. 5): 
receiving, by a service node executing on a first device that is intermediary between a client and a server, information to validate a service that the server provides to the client via the service node and at least one network device separate from the first device and arranged, intermediary between the first device and the server ([col. 12, ln. 45-48] FIG. 5 illustrates an exemplary method for negotiating a secure end-to-end connection between a client system 502 [“client”] and a server [“server”] or cascaded proxy system 506 a [“network device”], using a proxy system 504 as an intermediary [“service node”]); 
transmitting, by the service node, a message to the first network device encrypted using the first cryptographic context, to inform the first network device to pass traffic that is encrypted using the end-to-end cryptographic context through the first network device ([col. 13, ln. 30-32] Once the client is authenticated, the client-proxy connection can be made insecure by performing the act of setting the encryption used by the connection to a null cipher as shown at reference 540 [“transmit a message”]. The step for negotiating a secure end-to-end connection between client 502 and sever or cascaded proxy 506 a [“first network device”] continues at reference 520 b. With the client having been authenticated, the proxy 504 [“service node”] performs the act of forwarding the request for a secure end-to-end connection to the server or cascaded proxy 506 a [“first network device”]).
Although Kadyk teaches, column 13, ln. 16-32, a step for authenticating a user at client 502 to proxy 504 is indicated prior to reference 520 b [“establish, responsive to validating the service, an end-to-end cryptographic context”], it does not explicitly discloses “establishing, by the service node responsive to validating the service, an end-to- end cryptographic context between the service node and the server through the at least one network device, the at least one network device including a first network device that shares a first cryptographic context with the service node and a second cryptographic context with a second network device of the at least one network device, the first cryptographic context and the second cryptographic context existing prior to establishment of the end-to-end cryptographic context.”
In a same field of endeavor, Bollay discloses the system, wherein establishing, by the service node responsive to validating the service, an end-to- end cryptographic context between the service node and the server through the at least one network device, the at least one network device including a first network device that shares a first cryptographic context with the service node and a second [0086-0090] Process 500 may be implemented by server-side TMD 110 [“service node”]. Process 500 begins, after a start block, at block 502, by receiving a private key [“first cryptographic context”] associated with the first server device [“first network device”]. In response to the “CLIENT HELLO”, the first server device [“first network device”] may send a “SERVER HELLO” message, a “SERVER CERTIFICATE” message enabling the client device [“second network device”] to identify the first server device, a “SERVER KEY EXCHANGE” message including the first server device's public key [“second cryptographic context”]. Upon completion of this exchange of handshake messages[“prior to establishment”], the client device and the first server device have established an end-to-end encrypted session [“establishment of the end-to-end cryptographic context”]);
At the time of filing, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Kadyk with the teachings of Bollay to include a first cryptographic context and a second cryptographic context existing prior to establishment of the end-to-end cryptographic context. One of ordinary skill in the art would have been motivated to make this modification because an SSL session may be further associated with additional secret data that enables the SSL session (e.g. pre-master secret, random data, server's public and private keys and/or client's public and private keys [or cryptographic contexts]). The SSL protocol also includes an SSL re-handshake procedure for renegotiating an SSL session [0022].

Regarding claim 14, (Original) it is a method claim that corresponds to the claim 4. Therefore, the claim is rejected for at least the same reasons as the system of claim 4.

Regarding claim 15, (Original) it is a method claim that corresponds to the claim 5. Therefore, the claim is rejected for at least the same reasons as the system of claim 5.

Regarding claim 18, (Original) it is a method claim that corresponds to the claim 8. Therefore, the claim is rejected for at least the same reasons as the system of claim 8.


Claims 2 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Kadyk et al. (US 6996841 B2) in view of Bollay (US 20110231651 A1) as applied to independent claims 1 above, further in view of MaZur et al. (US 20160127414 A1 hereinafter MaZur) in view of Blom et al. (US 20110093609 A1 hereinafter Blom).
Regarding claim 2, (Original) the combination of Kadyk and Bollay discloses the system of claim 1, wherein the service node is configured to (Fig. 5): 
transmit to the first network device a first handshake message encrypted using the first cryptographic context ([Bollay: 0028] An encrypted session is associated with a master secret, also known as, a session key; [0087-0088] At block 502, by receiving a private key associated with the first server device. At block 504, a first set of handshake messages associated with an encrypted session are intercepted).
However, the combination does not teach “cause the first network device to decrypt the encrypted first handshake message using the first cryptographic context, and to encrypt the decrypted first handshake message using a second cryptographic context shared with a second network device of the at least one network device, for transmission to the second network device; receive a second handshake message from the first network device encrypted using the first cryptographic context; decrypt the encrypted second handshake message using the first cryptographic context.” 
[0036] Cryptographic protocols such as SSL are often based on public key cryptographic systems, such as the RSA (Rivest, Shamir and Adelman) encryption algorithm; [0040] FIG. 4 illustrates the basic operation of a known man-in-the-middle (MITM) device 400 for intercepting, decrypting and inspecting secure network communications according to a known technique; [0042] In step 3, a brand new SSL connection is configured and setup inside the appliance. This is a server facing connection that is initiated by the Xss. The Xss then generates a new client hello (referred to here as ClientHello2 to distinguish it from the ClientHello in step 1. … As a result, there are two (2) distinct connections, one between the client 402 and Xcs 408, and the other between Xss 406 and the server 404), and sends the (new) client hello to the server); 
receive a second handshake message from the first network device encrypted using the first cryptographic context ([0042] following an initial TCP handshake (not shown), the client 402 generates the SSL/TLS session initiation request (the Client Hello) to begin the SSL/TLS handshake to the server. … At step 2, the Xcs component reads the client hello, interprets the data, and responds to the client 402, typically with a server hello, a certificate, and a server done message); 
decrypt the encrypted second handshake message using the first cryptographic context ([0040] FIG. 4 illustrates the basic operation of a known man-in-the-middle (MITM) device 400 for intercepting, decrypting and inspecting secure network communications according to a known technique).
At the time of filing, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Kadyk and Bollay with the teachings of MaZur to decrypt the it may enable the appliance to extract itself from man-in-the-middle (MITM) processing during a client-server handshake and without interrupting that connection [0004].
Although MaZur discloses “basic operation of a known man-in-the-middle (MITM) device 400 for intercepting, decrypting and inspecting secure network communications” (Emphasis added), it does not explicitly teach “establish the end-to-end cryptographic context using information in at least one of (Fig. 4): the decrypted first handshake message or the decrypted second handshake message.”
In a same field of endeavor, Blom further discloses the system, wherein establish the end-to-end cryptographic context using information in at least one of (Fig. 4): the decrypted first handshake message or the decrypted second handshake message ([Fig. 12-13; 0083] The intermediate node 1 has a receiver 6 for receiving at least one secured media stream via SRTP session(s). A first transmitting function 9 is provided for sending the second secured media stream using an SRTP session to the receiver node 5, and a second transmitting function 10 is provided for sending the end-to-end context identifier and the hop-by-hop context identifier to the receiver node 5; [0084] a receiving node 5, provided with a first receiver 12 for receiving the context identifiers. A second receiver 13 is provided for receiving the secured multiplexed protected media stream using an SRTP session, and a processor 14 is provided for using the context identifiers to demultiplex the received protected media stream. A further media handling function 15 is provided for decrypting [“decrypted handshake messages”] and otherwise handling the demultiplexed protected media streams).
At the time of filing it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Kadyk, Bollay and MaZur with the teachings of Blom to include the receiving node 5 [service node] provided with a processor 14 is provided for using the context identifiers to demultiplex the received protected media stream. A further media handling function 15 is provided for decrypting [0084].

Regarding claim 12, (Currently Amended) it is a method claim that corresponds to the claim 2. Therefore, the claim is rejected for at least the same reasons as the system of claim 2.


Claims 3 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Kadyk et al. (US 6996841 B2) in view of Bollay (US 20110231651 A1) as applied to independent claims 1 above, further in view of L'Heureux et al. (US 20140259147 A1 hereinafter L'Heureux).
Regarding claim 3, (Original) the combination of Kadyk and Bollay teaches all elements of the current invention as stated above except “using information about a pre-shared key (PSK), or validating ownership of a public key associated with the service.”
In a same field of endeavor, L’Heureux further discloses the system of claim 1, wherein the service node is configured to validate the service by at least one of: using information about a pre-shared key (PSK), or validating ownership of a public key associated with the service ([0154] One example of a challenge could be to recall the packet with a particular sequence number, and hashing that with a preshared secret. In this way, the queried device would have to both maintain a history of conversation with other devices, and be able to present a preshared key).
At the time of filing, it would have been obvious to one of ordinary skill in the art before the effective filing data of the claimed invention to combine the teachings of Kadyk and Bollay with devices spoofing or impersonating the identity of others would not be able to respond with the correct data, and their rogue nature could be revealed [0154].

Regarding claim 13, (Original) it is a method claim that corresponds to the claim 3. Therefore, the claim is rejected for at least the same reasons as the system of claim 3.


Claims 6, 7, 16 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Kadyk et al. (US 6996841 B2) in view of Bollay (US 20110231651 A1) as applied to independent claims 1 above, further in view of Blom et al. (US 20110093609 A1 hereinafter Blom).
Regarding claim 6, (Original) the combination of Kadyk and Bollay discloses the system of claim 1. Although Bollay teaches “The step for negotiating a secure end-to-end connection between client 502 and sever or cascaded proxy 506 a continues at reference 520 b”, it does not explicitly discloses “the service node is configured to transmit the encrypted message to the first network device, to cause the first network device to decrypt the message using the first cryptographic context, and to receive an indication from the decrypted message, that the first network device is to pass traffic that is encrypted using the end-to-end cryptographic context through the first network device.” 
Blom further discloses the system of claim 1, wherein the service node is configured to transmit the encrypted message to the first network device, to cause the first network device to decrypt the message using the first cryptographic context, and to receive an indication from the decrypted message, that the first network device is to pass traffic that is encrypted using the end-to-end cryptographic context through the first network device ([Fig. 12-13; 0083-0084] A receiving node 5, provided with a first receiver 12 for receiving the context identifiers. A second receiver 13 is provided for receiving the secured multiplexed protected media stream using an SRTP session, and a processor 14 is provided for using the context identifiers to demultiplex the received protected media stream. A further media handling function 15 [included in the receiving node] is provided for decrypting and otherwise handling the demultiplexed protected media streams; [0076] Mapping information between Context Identifiers C, SSRCs and contexts (as well as other information such as codec types) is typically sent from the intermediate node 1 to the receiver 5 before any SRTP/SRTCP is sent; [0079] The intermediate node determines end-to-end and hop-by-hop Context identifiers (based on eSSRC and/or C-values) [See details in par. 0065], the Context identifiers identifying the secured media stream).
At the time of filing, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Kadyk, Bollay with the teachings of Blom to transmit the encrypted message to the first network device, to cause the first network device to decrypt the message using the first cryptographic context, and to receive an indication from the decrypted message, that the first network device is to pass traffic that is encrypted using the end-to-end cryptographic context through the first network device. One of ordinary skill in the art would have been motivated to make this modification because the receiving node 5 [service node] provided with a processor 14 is provided for using the context identifiers to demultiplex the received protected media stream. A further media handling function 15 is provided for decrypting [0084].

Regarding claim 7, (Currently Amended) the combination of Kadyk, Bollay and Blom discloses the system of claim 6, wherein the service node is configured to transmit the encrypted message to the first network device, to further cause the first network device to encrypt the decrypted message using the second cryptographic context shared with the second network device, for transmission to the second network device ([Bollay: 0062] a client device and a server device may exchange nonces in their respective. HELLO messages [See details Fig. 5 and related paras. Regarding “second ” as stated in claim 1], for use in generating the session key (also known as the master key). Additionally or alternatively, secret data 116 may include another nonce (distinct from the nonce's contained in HELLO messages) generated by the client device and digitally encrypted by the client device using the public key of the server device [“encrypt the decrypted message using the second cryptographic context”]).

Regarding claim 16, (Original) it is a method claim that corresponds to the claim 6. Therefore, the claim is rejected for at least the same reasons as the system of claim 6.

Regarding claim 17, (Currently Amended) it is a method claim that corresponds to the claim 7. Therefore, the claim is rejected for at least the same reasons as the system of claim 7.


Claims 9, 10, 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Kadyk et al. (US 6996841 B2) in view of Bollay (US 20110231651 A1) as applied to independent claims 1 above, further in view of MaZur et al. (US 20160127414 A1 hereinafter MaZur).
Regarding claim 9, (Original) the combination of Kadyk and Bollay teaches all elements of the current invention except “the service node is configured to receive an acknowledgment message from the first network device, the acknowledgment message responsive to the encrypted message and an acknowledgment message received by the first network device.”
MaZur further discloses the system of claim 1, wherein the service node is configured to receive an acknowledgment message from the first network device, the acknowledgment message responsive to the encrypted message and an acknowledgment message received by the first network device ([0047] As is well-known, the TLS standard (RFC 2246) requires that, as a final step in the handshaking process, both the client and server agree on a hash of all handshake messages. This hash is commonly known as the handshake message authentication code (HMAC) [“acknowledgment message”]. SSL/TLS instances implement the HMAC calculation/checking functions required to comply with the TLS standard. In the disclosed technique described above, HMAC integrity is achieved by propagating the original client hello (instead of a new client hello that would otherwise be generated), and by installing the original client hello in Xss).
At the time of filing, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Kadyk and Bollay with the teachings of MaZur to receive an acknowledgment message from the first network device, the acknowledgment message responsive to the encrypted message and an acknowledgment message received by the first network device. One of ordinary skill in the art would have been motivated to make this modification because TLS standard requires that, as a final step in the handshaking process, both the client and server agree on a hash of all handshake messages known as the handshake message authentication code (HMAC) [acknowledgment message] to ensure HMAC integrity [0047-0048].

Regarding claim 10, (Original) the combination of Kadyk, Bollay and MaZur discloses the system, wherein the service node is further configured to transmit to the first network device traffic that is encrypted using the end-to-end cryptographic context ([Kadyk: col. 13, ln. 38-43] reference 550 shows a step for encapsulating the secure end-to-end connection within the now insecure client-proxy connection. This means that the client and proxy do not establish a separate connection for exchanging data that is part of the secure end-to-end connection), responsive to receiving the acknowledgment message from the first network device ([MaZur: 0047] HMAC integrity is achieved by propagating the original client hello (instead of a new client hello that would otherwise be generated), and by installing the original client hello in Xss. By doing so, when the original TLS connection is resumed, the client and server HMAC will agree; in the case that the MITM process does not resume the original connection (but, rather, decides to keep inspecting the connection as in the prior art, the HMACs must also agree, and they do if the client hello is installed in the Xss).

Regarding claim 19, (Original) it is a method claim that corresponds to the claim 9. Therefore, the claim is rejected for at least the same reasons as the system of claim 9.

Regarding claim 20, (Original) it is a method claim that corresponds to the claim 10. Therefore, the claim is rejected for at least the same reasons as the system of claim 10.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
• HALDENBY et al. (US 20180097638 A1): FIG. 1 is a block diagram of a system 100 in accordance with some embodiments of the present disclosure. System 100 may be a computing environment including client devices 102, 104, intermediate devices 106, 108, one or more peer systems 160, and a communications network 120 connecting various components of system 100. Although two client devices 102, 104 and two intermediate devices 106, 108 are shown in this example, any number of client devices and/or intermediate devices may be present. Various components of computing environment 100 are configured to address problems associated with conventional end-to-end encrypted communication and certificate authorities by providing a system and method configured for secure.
THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANDREW SUH whose telephone number is (571)270-5524. The examiner can normally be reached 9:00 AM- 5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on (571) 272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional 





/A.S./Examiner, Art Unit 2493                                                                                                                                                                                                        
/CHAU LE/Primary Examiner, Art Unit 2493