Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Priority 
This application claims priority to U.S. Provisional Patent Application No. 62/587,654, filed on Nov. 17, 2017, entitled “Methods And Apparatus To Protect Extra-Enclave Communications”, the disclosure of which is hereby incorporated herein by reference.
DETAILED ACTION
	This Office Action is in response to an amendment application filed on 10/26/2021. In the application, claims 1-20 have been received for consideration and have been examined. 
Response to Arguments
Claim Rejection under 35 U.S.C. § 103
	Applicant’s amendments to claims have been reviewed by the examiner and appear to overcome the existing reference of NPL # 1. 
However, after review, examiner notes that amended limitation “after obtaining the SAVR from the TPAS, generate a public key certificate for the server application, wherein the public key certificate comprises (i) the SAVR, which includes the copy of the SEPK, and (ii) the attestation data, which includes the hash of the SEPK” is disclosed by 3rd reference of NPL # 3. 
NPL # 3, discloses creating [modified certificate] certificate containing public key and hash of the enclave which is measurement of the enclave software (MRE) (See NPL # 3; Page # 31; Figure 17 shows how the client processes the certificate chain. When the client is initiated it gains access to CPUK and CA, loading them in from external files. At time Tconnect the client receives the modified certificate chain from the server. The public key certificate part of the modified certificate containing EK and signed by PK−1 is verfied as a normal TLS certificate would be, following the chain of signatures until a root certificate the client trusts is found. The quote part of the modified certificate is verified by using CPUK to confirm the signature is valid and comparing the expected values of EK and MRE contained in the certificate to the values contained in the quote).
Claim Objections
Claims 2-7, 9-14 and 16-20 are objected to because of the following informalities:  
Dependent claims 2-7, 9-14 and 16-20 preamble recites “A data processing system”, “At least one non-transitory machine-accessible medium” and “A method”. Since these are dependent claims, the preamble must not begin with “A or At”, instead dependent claims preamble should start with “The” and should be written as “The data processing system”, “The least one non-transitory machine-accessible medium” and “The method” accordingly. Appropriate correction is required.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Non-Patent Literature (NPL) titled “Innovative technology for CPU based attestation and sealing” hereinafter referred as NPL # 1  with publication date of June 2013 in view of Miele et al., (US20180241572A1) w.e.f.d. of 05/19/2017 in view of Non-Patent Literature (NPL) title “PANOPLY: Low-TCB Linux Applications with SGX Enclaves” hereinafter referred as NPL # 2 with publication date of February 2017 and further in view of Non-Patent Literature (NPL) titled “Trusted Execution Development: Designing a Secure, High-Performance Remote Attestation Protocol” hereinafter referred as NPL # 3 with publication date of October 2016.
Regarding claim 1, NPL # 1 discloses:
A data processing system with technology for protecting extra-enclave communications, the data processing system comprising: random access memory (RAM) (See NPL # 1, Abstract: The container is referred to as an enclave which is a portion of the random access memory (RAM) in the system); a processor in communication with the RAM, wherein the processor, when powered on (See NPL # 1, section 1.1 Software Lifecycle: 1. Enclave Launch), is capable of 
(a) allocating a portion of the RAM to an enclave (See NPL # 1, Page # 1, Section 1.1 Software Lifecycle: 1. Enclave Launch of the enclave environment to protect the service provider’s software is equivalent to allocating a portion of the RAM for the server application. Also see Section 1.1 Software Lifecycle: 3. Provisioning & 4. Sealing/Unsealing which discloses launching enclave in a secure environment with attestation and encrypted environment which is equivalent to low privilege level), 
(b) creating an enclave that comprises the portion of the RAM (See NPL # 1, Page # 1, see Section 1.1 Software Lifecycle: 3. Provisioning which discloses launching enclave in a secure environment with attestation), and 
(c) protecting the RAM in the enclave from access by software that executes at a high privilege level (see NPL # 1, Page # 4; SEALING: recites when an enclave is instantiated, the hardware provides protections (confidentiality and integrity) to its data, when it is maintained within the boundary of the enclave which is construed as data inside the enclave is protected from the software which is executing outside the enclave and interpreted as “software which executes at high privilege level”);
a machine-accessible medium responsive to the processor; and instructions in the machine-accessible medium which, when executed by the processor, enable the server application to:
generate, from within the enclave, a public/private key pair for the enclave, wherein the public/private key pair comprises a secure enclave public key (SEPK) and a secure enclave private key (See section 3.2.3; enclave generates a manifest that includes a response to the challenge and an ephemerally generated public key to be used by the challenger for communicating secrets back to the enclave);
obtain a platform attestation report (See Page # 3, FIG. 3; Intra-Platform Attestation Example) for the enclave from the processor, wherein the platform attestation report includes attestation data from the processor attesting to integrity of the enclave (See Page # 3; section 3.2.3; # 7 for verification of the integrity of enclave), wherein the attestation data comprises a hash of the SEPK (See NPL # 1; Page # 4; See 3.2.3; # 3-5; recites: “The enclave generates a manifest that includes a response to the challenge and an ephemerally generated public key to be used by the challenger for communicating secrets back to the enclave. It then generates a hash digest of the manifest and includes it as User Data for the EREPORT instruction that will generate a REPORT that binds the manifest to the enclave, as described in section 3.2. The enclave then sends the REPORT to the application. The application forwards the REPORT to the Quoting Enclave for signing. The Quoting Enclave retrieves its Report Key using the EGETKEY instruction and verifies the REPORT. The Quoting enclave creates the QUOTE structure and signs it with its EPID key. The Quoting Enclave returns the QUOTE structure to the application”);
after obtaining the platform attestation report for the enclave from the processor, using the platform attestation report to obtain a signed attestation verification report (SAVR) from a third-party attestation server (TPAS) (i.e., getting attestation assertion from Intel® SGX; See FIG. 2), wherein the SAVR includes a copy of the SEPK (Refer to at least number 2 in sections 1.1, 1.2, and number 7 in 3.2.3 of Anati with respect to attestation and associated verification (e.g., FIG. 4 of Anati)).
NPL # 1 fails to disclose:
allocating the portion in the enclave to a server application; creating a portion in the enclave allocated to the server application; after obtaining the SAVR from the TPAS, at the server application, generate a public key certificate for the server application, wherein the public key certificate comprises (i) the SAVR, which includes the copy of the SEPK, and (ii) the attestation data, which includes the hash of the SEPK; and utilize the public key certificate for 
However, NPL # 2, discloses:
	allocating the portion in the enclave (see NPL # 2, Page # 4, Section III. Solution Micro-container or micron code that is enclave-bound) to a server application (i.e. PANOLPY API, see NPL # 2, Page # 4, III. Solution) that is to execute at low privilege level (see NPL # 2, Page # 4, III. Solution: Microns do have their private address space, which is isolated in enclaves, and can share an arbitrary amount of public address space with the host process. By default, the code and data of the micron-based logic is allocated in private memory. There exists an explicit PANOPLY API by which micron can communicate with code outside); 
creating a portion in the enclave allocated to the server application (see NPL # 2, Page # 5, Fig. 3 Overview of codename architecture. All the regions within an enclave are trusted, the regions shaded as black are untrusted, grey shaded regions are newly added / modified as a part of codename system 
FIG. 3 [Wingdings font/0xE0]
    PNG
    media_image1.png
    267
    449
    media_image1.png
    Greyscale

& Fig. 4 System Overview. PANOPLY takes in the original program and the partitioning scheme as input. It first divides the application into enclaves and then enforces inter-micron flow integrity, to produce PANOPLY application
FIG. 4 [Wingdings font/0xE0]
    PNG
    media_image2.png
    219
    538
    media_image2.png
    Greyscale
).
It would have been obvious to one of the ordinary to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the NPL # 1 reference and include an enclave which contains isolated application which has low privileges, as disclosed by NPL # 2.
The motivation to have an enclave which contains isolated application which has low privileges is to enforce useful low-level guarantees using SGX — for instance, protection of certain cryptographic keys in memory, verifiable execution of code snippets, and authenticated data delivery (See NPL # 2, Page # 1, second column and second paragraph).
The combination of NPL # 1 & NPL # 2 fails to disclose:
	after obtaining the SAVR from the TPAS, at the server application, generate a public key certificate for the server application, wherein the public key certificate comprises (i) the SAVR, which includes the copy of the SEPK, and (ii) the attestation data, which includes the hash of the SEPK; and utilize the public key certificate for the server application, which includes the SAVR and the hash of the SEPK, to establish a transport layer security (TLS) communication 
However, NPL # 3 discloses:
	after obtaining the SAVR from the TPAS, at the server application, generate a public key certificate for the server application, wherein the public key certificate comprises (i) the SAVR, which includes the copy of the SEPK (See Page # 30; Certificate Structure discloses creating [modified certificate] certificate containing public key and hash of the enclave which is measurement of the enclave software (MRE); Also see Page # 31; Guarantees: Figure 17 shows how the client processes the certificate chain. When the client is initiated it gains access to CPUK and CA, loading them in from external files. At time Tconnect the client receives the modified certificate chain from the server. The public key certificate part of the modified certificate containing EK and signed by PK−1 is verfied as a normal TLS certificate would be, following the chain of signatures until a root certificate the client trusts is found. The quote part of the modified certificate is verified by using CPUK to confirm the signature is valid and comparing the expected values of EK and MRE contained in the certificate to the values contained in the quote), and  
(ii) the attestation data, which includes the hash of the SEPK (See Page # 30; Certificate Structure: The SGX information includes a public Intel key (CPUK) and a group member key (CPUK−1) owned by the attesting CPU. The CPU can use CPUK−1 to sign a quote from an enclave that it is running. The quote includes a measurement of the enclave software (MRE) that is a hash of the enclave’s startup characteristics); and
See NPL # 3, Page # 14, Section 4.1.3 discloses when the enclave is created a measurement or hash is created which verifies the enclave’ identity), to establish (i.e. Guarantees; See Page # 31; 2nd last paragraph) a transport layer security (TLS) communication channel between the server application in the enclave and a client application outside of the enclave (see NPL # 3, Page # 27-28, Sections 6.1.1 Secure Connections & 6.1.2 Secure Computation: describes performing TLS handshake process between the enclave and the unprotected application; also see Page # 31; Figure 17 shows how the client processes the certificate chain. When the client is initiated it gains access to CPUK and CA, loading them in from external files. At time Tconnect the client receives the modified certificate chain from the server. The public key certificate part of the modified certificate containing EK and signed by PK−1 is verified as a normal TLS certificate would be, following the chain of signatures until a root certificate the client trusts is found).
 	It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the NPL # 1, NPL # 2 and Miele references and conduct communications between the enclaves through Transport Layer Security (TLS) communication protocol, as disclosed by NPL # 3. 
	The motivation to conduct communications between the enclaves through Transport Layer Security (TLS) communication protocol is to prevent network traffic eavesdropping, data tampering, or message forgery.
Regarding claim 2, the combination of NPL # 1, NPL # 2, Miele and NPL # 3 discloses:

utilize the SEPK and the hash of the SEPK in the public key certificate to verify that the SAVR pertains to a same instance of the enclave as the instance to which the client is establishing the TLS communication channel (See NPL # 3, Page # 14, Section 4.1.3 discloses when the enclave is created a measurement or hash is created which verifies the enclave’ identity; see Page # 30, Certificate Structure; also see Page # 31; Figure 17 shows how the client processes the certificate chain. When the client is initiated it gains access to CPUK and CA, loading them in from external files. At time Tconnect the client receives the modified certificate chain from the server. The public key certificate part of the modified certificate containing EK and signed by PK−1 is verified as a normal TLS certificate would be, following the chain of signatures until a root certificate the client trusts is found); and
utilize the SAVR from the TPAS in the public key certificate to verify (i) that the SAVR represents a valid signing certificate chain and (ii) that the SAVR was signed by a trusted TPAS (see NPL # 3, Page # 27-28, Sections 6.1.1 Secure Connections & 6.1.2 Secure Computation: describes performing TLS handshake process between the enclave and the unprotected application ; see Page # 30, Certificate Structure; also see Page # 31; Figure 17 shows how the client processes the certificate chain. When the client is initiated it gains access to CPUK and CA, loading them in from external files. At time Tconnect the client receives the modified certificate chain from the server. The public key certificate part of the modified certificate containing EK and signed by PK−1 is verified as a normal TLS certificate would be, following the chain of signatures until a root certificate the client trusts is found).
Regarding claim 3, the combination of NPL # 1, NPL # 2, Miele and NPL # 3 discloses:
A data processing system according to claim 1, wherein the instructions, when executed, further enable the server application to:
generate, in the enclave, a private key and a corresponding public key for the server application; and wherein: the platform attestation report comprises a hash value derived from the public key of the server application; and the public key certificate comprises the hash value (see NPL # 1, Page # 4, section 3.2.3 Example Remote Attestation Process steps 1-3 where enclave generates a manifest that includes a response to the challenge and an ephemerally generated public key to be used by the challenger for communicating secrets back to the enclave. It then generates a hash digest of the manifest and includes it as User Data for the EREPORT instruction that will generate a REPORT that binds the manifest to the enclave).
Regarding claim 4, the combination of NPL # 1, NPL # 2, Miele and NPL # 3 discloses:
A data processing system according to claim 1, wherein the operation of generating the public key certificate for the server application comprises:
formatting the public key certificate with an X.509 format; and including the attestation data in the public key certificate as an X.509 extension (NPL # 2, Page # 27 Section 6 Approach: discloses modifying a TLS certificate; Page # 30, Section Certificate Structure and section Handshake Process: After that, the server also sends its modified certificate, containing the public certificate for the Enclave Key (EK), the expected value of the TLS Enclave’s measurement (first MRE), and the quote (second MRE and EK), and the remainder of the certificate chain (represented by the PK signed by CA−1 ) to the client for authentication).
Regarding claim 5, the combination of NPL # 1, NPL # 2, Miele and NPL # 3 discloses:

the instructions in the machine-accessible medium, when executed by the processor, implement the server application and a server launch module; and the operations of (a) allocating the portion of the RAM to the server application (See NPL # 1, Page # 1, Section 1.1 Software Lifecycle: 1. Enclave Launch of the enclave environment to protect the service provider’s software is equivalent to allocating a portion of the RAM for the server application; See Page # 1, FIG. 1 for Application in Enclave v1; Also see Section 1.1 Software Lifecycle: 3. Provisioning & 4. Sealing/Unsealing which discloses launching enclave in a secure environment with attestation and encrypted environment which is equivalent to low privilege level) and 
(b) creating the enclave that comprises the portion of the RAM allocated to the server application are performed by the server launch module (See NPL # 1, Page # 1, see Section 1.1 Software Lifecycle: 3. Provisioning which discloses launching enclave in a secure environment with attestation).
Regarding claim 6, the combination of NPL # 1, NPL # 2, Miele and NPL # 3 discloses:
A data processing system according to claim 1, wherein:
the machine-accessible medium further comprises a developer's enclave certificate for the enclave, wherein the developer's enclave certificate comprises a predetermined developer's measurement of the enclave and a digital signature of the developer, based on the predetermined developer's measurement of the enclave; and the processor, when powered on, is capable of using the developer's enclave certificate to evaluate trustworthiness of the server application before allowing the server application to execute in the enclave (NPL # 1, Page # 3, section 3.1 Intra-Platform Enclave Attestation
Regarding claim 7, the combination of NPL # 1, NPL # 2, Miele and NPL # 3 discloses:
A data processing system according to claim 1, wherein the operation of utilizing the public key certificate for the server application to establish the TLS communication channel comprises:
at the server application, receiving a client-hello message from the client application; and automatically sending the public key certificate for the server application to the client application, in response to receiving the client-hello message (NPL # 3; Page # 34-36; section 6.4 Alternative Attestation Model: discloses a method where a client would complete the TLS handshake with a server and, once a connection has been established, the client would then challenge the server to attest its software; see along with this section Figure 20: Handshake Process with TLS Handshake and Standard Remote Attestation).
Regarding claim 8, NPL # 1 discloses:
At least one non-transitory machine-accessible medium comprising computer instructions for protecting extra-enclave communications, wherein the computer instructions, in response to being executed on a data processing system, enable the data processing system to:
allocate a portion of the RAM to an enclave (See NPL # 1, Page # 1, Section 1.1 Software Lifecycle: 1. Enclave Launch of the enclave environment to protect the service provider’s software is equivalent to allocating a portion of the RAM for the server application. Also see Section 1.1 Software Lifecycle: 3. Provisioning & 4. Sealing/Unsealing which discloses launching enclave in a secure environment with attestation and encrypted environment which is equivalent to low privilege level), 
See NPL # 1, Page # 1, see Section 1.1 Software Lifecycle: 3. Provisioning which discloses launching enclave in a secure environment with attestation), and 
protect the RAM in the enclave from access by software that executes at a high privilege level (see NPL # 1, Page # 4; SEALING: recites when an enclave is instantiated, the hardware provides protections (confidentiality and integrity) to its data, when it is maintained within the boundary of the enclave which is construed as data inside the enclave is protected from the software which is executing outside the enclave).
NPL # 1 fails to disclose:
allocate the portion in the enclave to a server application; create a portion in the enclave allocated to the server application; a machine-accessible medium responsive to the processor; and instructions in the machine-accessible medium which, when executed by the processor, enable the server application to: after obtaining the SAVR from the TPAS, at the server application, generate a public key certificate for the server application, wherein the public key certificate comprises (i) the SAVR, which includes the copy of the SEPK, and (ii) the attestation data, which includes the hash of the SEPK; after obtaining the platform attestation report for the enclave from the processor, use the platform attestation report to obtain a signed attestation verification report (SAVR) from a third-party attestation server (TPAS), wherein the SAVR includes a copy of the SEPK; after obtaining the SAVR from the TPAS, at the server application, generate a public key certificate for the server application, wherein the public key certificate comprises (i) the SAVR, which includes the copy of the SEPK, and (ii) the attestation data, which includes the hash of the SEPK; and utilize the public key certificate for 
However, NPL # 2, discloses:
	allocate the portion in the enclave (see NPL # 2, Page # 4, Section III. Solution Micro-container or micron code that is enclave-bound) to a server application (i.e. PANOLPY API, see NPL # 2, Page # 4, III. Solution) that is to execute at low privilege level (see NPL # 2, Page # 4, III. Solution: Microns do have their private address space, which is isolated in enclaves, and can share an arbitrary amount of public address space with the host process. By default, the code and data of the micron-based logic is allocated in private memory. There exists an explicit PANOPLY API by which micron can communicate with code outside); 
create a portion in the enclave allocated to the server application (see NPL # 2, Page # 5, Fig. 3 Overview of codename architecture. All the regions within an enclave are trusted, the regions shaded as black are untrusted, grey shaded regions are newly added / modified as a part of codename system 
FIG. 3 [Wingdings font/0xE0]
    PNG
    media_image1.png
    267
    449
    media_image1.png
    Greyscale

& Fig. 4 System Overview. PANOPLY takes in the original program and the partitioning scheme as input. It first divides the application into enclaves and then enforces inter-micron flow integrity, to produce PANOPLY application
FIG. 4 [Wingdings font/0xE0]
    PNG
    media_image2.png
    219
    538
    media_image2.png
    Greyscale
).
It would have been obvious to one of the ordinary to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the NPL # 1 reference and include an enclave which contains isolated application which has low privileges, as disclosed by NPL # 2.
The motivation to have an enclave which contains isolated application which has low privileges is to enforce useful low-level guarantees using SGX — for instance, protection of certain cryptographic keys in memory, verifiable execution of code snippets, and authenticated data delivery (See NPL # 2, Page # 1, second column and second paragraph).
The combination of NPL # 1 & NPL # 2 fails to disclose:
	a machine-accessible medium responsive to the processor; and instructions in the machine-accessible medium which, when executed by the processor, enable the server application to: after obtaining the SAVR from the TPAS, at the server application, generate a 
However, Miele discloses:
	a machine-accessible medium responsive to the processor; and instructions in the machine-accessible medium which, when executed by the processor, enable the server application to:
	generate, from within the enclave (i.e., client application which is residing in the enclave generating public/private key pair for the enclave; See FIG. 4 & FIG. 6), a public/private key pair for the enclave, wherein the public/private key pair comprises a secure enclave public key (SEPK) and a secure enclave private key (See FIG. 6; [0054] Starting on the client side, at 602, an SGX enclave may generate a public-private key pair (SK, PK) using known public-private key cryptography techniques);
i.e., SGX Enclave Report containing hash / the report and the cryptographic hash; See [0048]) for the enclave from the processor, wherein the platform attestation report includes attestation data from the processor attesting to integrity of the enclave, wherein the attestation data comprises a hash of the SEPK (i.e., hash H of PK) ([0048] an SGX enclave 404 may generate an SGX report containing a cryptographic hash of the data using any well-known cryptographic hashing algorithm, such as SHA-1 or SHA-256, for example. Client application 402 may generate a linkable quote on the SGX report, which may be signed by a Quoting Enclave (QE) (not shown) which may, in turn, generate a quote that contains the report and the cryptographic hash; [0054] At 604, the SGX enclave may compute a cryptographic hash H of PK, using known cryptographic hash techniques, such as SHA-1 or SHA-256, for example. At 606, the SGX enclave may create an SGX report R containing hash H);
after obtaining the platform attestation report for the enclave from the processor, use the platform attestation report to obtain a signed attestation verification report (SAVR) from a third-party attestation server (TPAS) (i.e., Attestation Service such as Intel Attestation Service (IAS); See [0046]), wherein the SAVR includes a copy of the SEPK ([0054] At 610, the client application may obtain remote attestation response RA on Q from IAS, for example, or using other attestation services in other embodiments. At 612, an application may broadcast RA and PK (Q, H, R may be included in RA) to one or more server applications residing on one or more respective servers, which each include a respective secure enclave, such as a SGX enclave);
after obtaining the SAVR from the TPAS, at the server application, generating a public key certificate (i.e., a public-key certificate was generated by a particular SGX enclave) for the server application, wherein the public key certificate comprises (i) the SAVR, which includes the [0005] Techniques for remote enclave authentication are described. An attestation service, such as the Intel Attestation Service (IAS) may be used to attest that an enclave was successfully established on a Software Guard Extensions (SGX) enabled platform. Further, an IAS may, in embodiments, be used as a notary system to attest that a public-key certificate was generated by a particular SGX enclave and, therefore, may be trusted by other remote enclaves for authentication; [0019] an IAS may, in embodiments, be used as a notary system to attest that a public-key certificate was generated by a particular SGX enclave and, therefore, may be trusted by other remote enclaves for authentication), and 
(ii) the attestation data, which includes the hash of the SEPK ([0048] an SGX enclave 404 may generate an SGX report containing a cryptographic hash of the data using any well-known cryptographic hashing algorithm, such as SHA-1 or SHA-256, for example. Client application 402 may generate a linkable quote on the SGX report, which may be signed by a Quoting Enclave (QE) (not shown) which may, in turn, generate a quote that contains the report and the cryptographic hash; [0054] At 604, the SGX enclave may compute a cryptographic hash H of PK, using known cryptographic hash techniques, such as SHA-1 or SHA-256, for example. At 606, the SGX enclave may create an SGX report R containing hash H).
It would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to modify the NPL #1, NPL # 2 and Miele references and include techniques for remote enclave authentication through an attestation service, as disclosed by Miele.
The motivation to include techniques for remote enclave authentication through an attestation service is to leverage the attestation service as a notary system to attest that See Miele: [0005]).
The combination of NPL #1, NPL # 2 and Miele fails to disclose:
	utilize the public key certificate for the server application, which includes the SAVR and the hash of the SEPK, to establish a transport layer security (TLS) communication channel between the server application in the enclave and a client application outside of the enclave.
However, NPL # 3 discloses:
utilize the public key certificate for the server application, which includes the SAVR and the hash of the SEPK (See NPL # 3, Page # 14, Section 4.1.3 discloses when the enclave is created a measurement or hash is created which verifies the enclave’ identity), to establish a transport layer security (TLS) communication channel between the server application in the enclave and a client application outside of the enclave (see NPL # 3, Page # 27-28, Sections 6.1.1 Secure Connections & 6.1.2 Secure Computation: describes performing TLS handshake process between the enclave and the unprotected application ; see Page # 30, Certificate Structure; also see Page # 31; Figure 17 shows how the client processes the certificate chain. When the client is initiated it gains access to CPUK and CA, loading them in from external files. At time Tconnect the client receives the modified certificate chain from the server. The public key certificate part of the modified certificate containing EK and signed by PK−1 is verified as a normal TLS certificate would be, following the chain of signatures until a root certificate the client trusts is found).
 	It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the NPL # 1, NPL # 2 and Miele 
The motivation to conduct communications between the enclaves through Transport Layer Security (TLS) communication protocol is to prevent network traffic eavesdropping, data tampering, or message forgery.
Regarding claim 9, the combination of NPL # 1, NPL # 2, Miele and NPL # 3 discloses:
At least one non-transitory machine-accessible medium according to claim 8, wherein the SAVR and the hash of the SEPK in the public key certificate enable the client application to:
utilize the SEPK and the hash of the SEPK in the public key certificate to verify that the SAVR pertains to a same instance of the enclave as the instance to which the client is establishing the TLS communication channel (See NPL # 3, Page # 14, Section 4.1.3 discloses when the enclave is created a measurement or hash is created which verifies the enclave’ identity; see Page # 30, Certificate Structure; also see Page # 31; Figure 17 shows how the client processes the certificate chain. When the client is initiated it gains access to CPUK and CA, loading them in from external files. At time Tconnect the client receives the modified certificate chain from the server. The public key certificate part of the modified certificate containing EK and signed by PK−1 is verified as a normal TLS certificate would be, following the chain of signatures until a root certificate the client trusts is found); and
utilize the SAVR from the TPAS in the public key certificate to verify (i) that the SAVR represents a valid signing certificate chain and (ii) that the SAVR was signed by a trusted TPAS (see NPL # 3, Page # 27-28, Sections 6.1.1 Secure Connections & 6.1.2 Secure Computation: describes performing TLS handshake process between the enclave and the unprotected application ; see Page # 30, Certificate Structure; also see Page # 31; Figure 17 shows how the client processes the certificate chain. When the client is initiated it gains access to CPUK and CA, loading them in from external files. At time Tconnect the client receives the modified certificate chain from the server. The public key certificate part of the modified certificate containing EK and signed by PK−1 is verified as a normal TLS certificate would be, following the chain of signatures until a root certificate the client trusts is found).
Regarding claim 10, the combination of NPL # 1, NPL # 2, Miele and NPL # 3 discloses:
At least one non-transitory machine-accessible medium according to claim 8, wherein the instructions, when executed, further enable the server application to:
generate, in the enclave, a private key and a corresponding public key for the server application; and wherein: the platform attestation report comprises a hash value derived from the public key of the server application; and the public key certificate comprises the hash value (NPL # 1, Page # 2, section 2.2 MRSIGNER – Sealing Identity; also see section 3.1 Intra-Platform Enclave Attestation for generating platform attestation report comprising has value).
Regarding claim 11, the combination of NPL # 1, NPL # 2, Miele and NPL # 3 discloses:
At least one non-transitory machine-accessible medium according to claim 8, wherein the operation of generating the public key certificate for the server application comprises:
formatting the public key certificate with an X.509 format; and including the attestation data in the public key certificate as an X.509 extension (NPL # 3, Page # 27 Section 6 Approach: discloses modifying a TLS certificate; Page # 30, Section Certificate Structure and section Handshake Process: After that, the server also sends its modified certificate, containing the public certificate for the Enclave Key (EK), the expected value of the TLS Enclave’s measurement (first MRE), and the quote (second MRE and EK), and the remainder of the certificate chain (represented by the PK signed by CA−1 ) to the client for authentication).
Regarding claim 12, the combination of NPL # 1, NPL # 2, Miele and NPL # 3 discloses:
At least one non-transitory machine-accessible medium according to claim 8, wherein:
the instructions in the machine-accessible medium, when executed by the processor, implement the server application and a server launch module; and the operations of (a) allocating the portion of the RAM to the server application and (b) creating the enclave that comprises the portion of the RAM allocated to the server application are performed by the server launch module (NPL # 1, Page # 1, section 1.1 Software Lifecycle: Enclave Launch and Page # 2, section 1.3 Intel SGX Instructions).
Regarding claim 13, the combination of NPL # 1, NPL # 2, Miele and NPL # 3 discloses:
At least one non-transitory machine-accessible medium according to claim 8, wherein:
the machine-accessible medium further comprises a developer's enclave certificate for the enclave, wherein the developer's enclave certificate comprises a predetermined developer's measurement of the enclave and a digital signature of the developer, based on the predetermined developer's measurement of the enclave; and the instructions, when executed by the processor, enable the data processing system to use the developer's enclave certificate to evaluate trustworthiness of the server application before allowing the server application to execute in the enclave (NPL # 1, Page # 3, section 3.1 Intra-Platform Enclave Attestation).
Regarding claim 14, the combination of NPL # 1, NPL # 2, Miele and NPL # 3 discloses:

at the server application, receiving a client-hello message from the client application; and automatically sending the public key certificate for the server application to the client application, in response to receiving the client-hello message (NPL # 3; Page # 34-36; section 6.4 Alternative Attestation Model: discloses a method where a client would complete the TLS handshake with a server and, once a connection has been established, the client would then challenge the server to attest its software; see along with this section Figure 20: Handshake Process with TLS Handshake and Standard Remote Attestation).
Regarding claim 15, NPL # 1 discloses:
A method for protecting extra-enclave communications, the method comprising:
in a data processing system with a processor in communication with random access memory (RAM), allocating a portion of the RAM to an enclave (See NPL # 1, Page # 1, Section 1.1 Software Lifecycle: 1. Enclave Launch of the enclave environment to protect the service provider’s software is equivalent to allocating a portion of the RAM for the server application. Also see Section 1.1 Software Lifecycle: 3. Provisioning & 4. Sealing/Unsealing which discloses launching enclave in a secure environment with attestation and encrypted environment which is equivalent to low privilege level), 
creating an enclave that comprises the portion of the RAM (See NPL # 1, Page # 1, see Section 1.1 Software Lifecycle: 3. Provisioning which discloses launching enclave in a secure environment with attestation), and 
see NPL # 1, Page # 4; SEALING: recites when an enclave is instantiated, the hardware provides protections (confidentiality and integrity) to its data, when it is maintained within the boundary of the enclave which is construed as data inside the enclave is protected from the software which is executing outside the enclave).
NPL # 1 fails to disclose:
allocating the portion in the enclave to a server application; creating a portion in the enclave allocated to the server application; a machine-accessible medium responsive to the processor; and instructions in the machine-accessible medium which, when executed by the processor, enable the server application to: after obtaining the SAVR from the TPAS, at the server application, generating a public key certificate for the server application, wherein the public key certificate comprises (i) the SAVR, which includes the copy of the SEPK, and (ii) the attestation data, which includes the hash of the SEPK; after obtaining the platform attestation report for the enclave from the processor, using the platform attestation report to obtain a signed attestation verification report (SAVR) from a third-party attestation server (TPAS), wherein the SAVR includes a copy of the SEPK; after obtaining the SAVR from the TPAS, at the server application, generating a public key certificate for the server application, wherein the public key certificate comprises (i) the SAVR, which includes the copy of the SEPK, and (ii) the attestation data, which includes the hash of the SEPK; and utilizing the public key certificate for the server application, which includes the SAVR and the hash of the SEPK, to establish a transport layer security (TLS) communication channel between the server application in the enclave and a client application outside of the enclave.
However, NPL # 2, discloses:
	allocating the portion in the enclave (see NPL # 2, Page # 4, Section III. Solution Micro-container or micron code that is enclave-bound) to a server application (i.e. PANOLPY API, see NPL # 2, Page # 4, III. Solution) that is to execute at low privilege level (see NPL # 2, Page # 4, III. Solution: Microns do have their private address space, which is isolated in enclaves, and can share an arbitrary amount of public address space with the host process. By default, the code and data of the micron-based logic is allocated in private memory. There exists an explicit PANOPLY API by which micron can communicate with code outside); 
creating a portion in the enclave allocated to the server application (see NPL # 2, Page # 5, Fig. 3 Overview of codename architecture. All the regions within an enclave are trusted, the regions shaded as black are untrusted, grey shaded regions are newly added / modified as a part of codename system 
FIG. 3 [Wingdings font/0xE0]
    PNG
    media_image1.png
    267
    449
    media_image1.png
    Greyscale

& Fig. 4 System Overview. PANOPLY takes in the original program and the partitioning scheme as input. It first divides the application into enclaves and then enforces inter-micron flow integrity, to produce PANOPLY application

    PNG
    media_image2.png
    219
    538
    media_image2.png
    Greyscale
).
It would have been obvious to one of the ordinary to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the NPL # 1 reference and include an enclave which contains isolated application which has low privileges, as disclosed by NPL # 2.
The motivation to have an enclave which contains isolated application which has low privileges is to enforce useful low-level guarantees using SGX — for instance, protection of certain cryptographic keys in memory, verifiable execution of code snippets, and authenticated data delivery (See NPL # 2, Page # 1, second column and second paragraph).
The combination of NPL # 1 & NPL # 2 fails to disclose:
	a machine-accessible medium responsive to the processor; and instructions in the machine-accessible medium which, when executed by the processor, enable the server application to: after obtaining the SAVR from the TPAS, at the server application, generating a public key certificate for the server application, wherein the public key certificate comprises (i) the SAVR, which includes the copy of the SEPK, and (ii) the attestation data, which includes the hash of the SEPK; after obtaining the platform attestation report for the enclave from the 
However, Miele discloses:
	
	at the server application, from within the enclave, generating (i.e., client application which is residing in the enclave generating public/private key pair for the enclave; See FIG. 4 & FIG. 6) a public/private key pair for the enclave, wherein the public/private key pair comprises a secure enclave public key (SEPK) and a secure enclave private key (See FIG. 6; [0054] Starting on the client side, at 602, an SGX enclave may generate a public-private key pair (SK, PK) using known public-private key cryptography techniques);
	at the server application, obtaining a platform attestation report (i.e., SGX Enclave Report containing hash / the report and the cryptographic hash; See [0048]) for the enclave from the processor, wherein the platform attestation report includes attestation data from the processor attesting to integrity of the enclave, wherein the attestation data comprises a hash of the SEPK (i.e., hash H of PK) ([0048] an SGX enclave 404 may generate an SGX report containing a cryptographic hash of the data using any well-known cryptographic hashing algorithm, such as SHA-1 or SHA-256, for example. Client application 402 may generate a linkable quote on the SGX report, which may be signed by a Quoting Enclave (QE) (not shown) which may, in turn, generate a quote that contains the report and the cryptographic hash; [0054] At 604, the SGX enclave may compute a cryptographic hash H of PK, using known cryptographic hash techniques, such as SHA-1 or SHA-256, for example. At 606, the SGX enclave may create an SGX report R containing hash H);
after obtaining the platform attestation report for the enclave from the processor, using the platform attestation report to obtain a signed attestation verification report (SAVR) from a third-party attestation server (TPAS) (i.e., Attestation Service such as Intel Attestation Service (IAS); See [0046]), wherein the SAVR includes a copy of the SEPK ([0054] At 610, the client application may obtain remote attestation response RA on Q from IAS, for example, or using other attestation services in other embodiments. At 612, an application may broadcast RA and PK (Q, H, R may be included in RA) to one or more server applications residing on one or more respective servers, which each include a respective secure enclave, such as a SGX enclave);
after obtaining the SAVR from the TPAS, at the server application, generating a public key certificate (i.e., a public-key certificate was generated by a particular SGX enclave) for the server application, wherein the public key certificate comprises (i) the SAVR, which includes the copy of the SEPK ([0005] Techniques for remote enclave authentication are described. An attestation service, such as the Intel Attestation Service (IAS) may be used to attest that an enclave was successfully established on a Software Guard Extensions (SGX) enabled platform. Further, an IAS may, in embodiments, be used as a notary system to attest that a public-key certificate was generated by a particular SGX enclave and, therefore, may be trusted by other remote enclaves for authentication; [0019] an IAS may, in embodiments, be used as a notary system to attest that a public-key certificate was generated by a particular SGX enclave and, therefore, may be trusted by other remote enclaves for authentication), and 
(ii) the attestation data, which includes the hash of the SEPK ([0048] an SGX enclave 404 may generate an SGX report containing a cryptographic hash of the data using any well-known cryptographic hashing algorithm, such as SHA-1 or SHA-256, for example. Client application 402 may generate a linkable quote on the SGX report, which may be signed by a Quoting Enclave (QE) (not shown) which may, in turn, generate a quote that contains the report and the cryptographic hash; [0054] At 604, the SGX enclave may compute a cryptographic hash H of PK, using known cryptographic hash techniques, such as SHA-1 or SHA-256, for example. At 606, the SGX enclave may create an SGX report R containing hash H).
It would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to modify the NPL #1, NPL # 2 and Miele references and include techniques for remote enclave authentication through an attestation service, as disclosed by Miele.
The motivation to include techniques for remote enclave authentication through an attestation service is to leverage the attestation service as a notary system to attest that enclave authentication is performed by a trusted entity such as the attestation service (See Miele: [0005]).
The combination of NPL #1, NPL # 2 and Miele fails to disclose:

However, NPL # 3 discloses:
utilizing the public key certificate for the server application, which includes the SAVR and the hash of the SEPK (See NPL # 3, Page # 14, Section 4.1.3 discloses when the enclave is created a measurement or hash is created which verifies the enclave’ identity), to establish a transport layer security (TLS) communication channel between the server application in the enclave and a client application outside of the enclave (see NPL # 3, Page # 27-28, Sections 6.1.1 Secure Connections & 6.1.2 Secure Computation: describes performing TLS handshake process between the enclave and the unprotected application ; see Page # 30, Certificate Structure; also see Page # 31; Figure 17 shows how the client processes the certificate chain. When the client is initiated it gains access to CPUK and CA, loading them in from external files. At time Tconnect the client receives the modified certificate chain from the server. The public key certificate part of the modified certificate containing EK and signed by PK−1 is verified as a normal TLS certificate would be, following the chain of signatures until a root certificate the client trusts is found).
 	It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the NPL # 1, NPL # 2 and Miele references and conduct communications between the enclaves through Transport Layer Security (TLS) communication protocol, as disclosed by NPL # 3. 

Regarding claim 16, the combination of NPL # 1, NPL # 2, Miele and NPL # 3 discloses:
A method according to claim 15, further comprising:
at the client application, utilizing the SEPK and the hash of the SEPK in the public key certificate to verify that the SAVR pertains to a same instance of the enclave as the instance to which the client is establishing the TLS communication channel (See NPL # 3, Page # 14, Section 4.1.3 discloses when the enclave is created a measurement or hash is created which verifies the enclave’ identity; see Page # 30, Certificate Structure; also see Page # 31; Figure 17 shows how the client processes the certificate chain. When the client is initiated it gains access to CPUK and CA, loading them in from external files. At time Tconnect the client receives the modified certificate chain from the server. The public key certificate part of the modified certificate containing EK and signed by PK−1 is verified as a normal TLS certificate would be, following the chain of signatures until a root certificate the client trusts is found); and
at the client application, utilizing the SAVR from the TPAS in the public key certificate to verify (i) that the SAVR represents a valid signing certificate chain and (ii) that the SAVR was signed by a trusted TPAS (see NPL # 3, Page # 27-28, Sections 6.1.1 Secure Connections & 6.1.2 Secure Computation: describes performing TLS handshake process between the enclave and the unprotected application ; see Page # 30, Certificate Structure; also see Page # 31; Figure 17 shows how the client processes the certificate chain. When the client is initiated it gains access to CPUK and CA, loading them in from external files. At time Tconnect the client receives the modified certificate chain from the server. The public key certificate part of the modified certificate containing EK and signed by PK−1 is verified as a normal TLS certificate would be, following the chain of signatures until a root certificate the client trusts is found).
Regarding claim 17, the combination of NPL # 1, NPL # 2, Miele and NPL # 3 discloses:
A method according to claim 15, further comprising:
generating, in the enclave, a private key and a corresponding public key for the server application; and wherein: the platform attestation report comprises a hash value derived from the public key of the server application; and the public key certificate comprises the hash value (NPL # 1, Page # 2, section 2.2 MRSIGNER – Sealing Identity; also see section 3.1 Intra-Platform Enclave Attestation for generating platform attestation report comprising has value).
Regarding claim 18, the combination of NPL # 1, NPL # 2, Miele and NPL # 3 discloses:
A method according to claim 15, wherein the operation of generating the public key certificate for the server application comprises: 
formatting the public key certificate with an X.509 format; and including the attestation data in the public key certificate as an X.509 extension (NPL # 3, Page # 27 Section 6 Approach: discloses modifying a TLS certificate; Page # 30, Section Certificate Structure and section Handshake Process: After that, the server also sends its modified certificate, containing the public certificate for the Enclave Key (EK), the expected value of the TLS Enclave’s measurement (first MRE), and the quote (second MRE and EK), and the remainder of the certificate chain (represented by the PK signed by CA−1 ) to the client for authentication).
Regarding claim 19, the combination of NPL # 1, NPL # 2, Miele and NPL # 3 discloses:
A method according to claim 15, wherein:
see NPL # 2, Page # 4, III. Solution & see NPL # 2, Page # 5, Fig. 3 & Fig. 4).
Regarding claim 20, the combination of NPL # 1, NPL # 2, Miele and NPL # 3 discloses:
A method according to claim 15, further comprising:
using a developer's enclave certificate to evaluate trustworthiness of the server application before allowing the server application to execute in the enclave, wherein the developer's enclave certificate comprises a predetermined developer's measurement of the enclave and a digital signature of the developer, based on the predetermined developer's measurement of the enclave (NPL # 1, Page # 3, section 3.1 Intra-Platform Enclave Attestation).

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M AHSAN whose telephone number is (571)272-5018. The examiner can normally be reached 8:30 AM - 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffery L. Nickerson can be reached on 469-295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/S.M.A./       Patent Examiner, Art Unit 2432                                                                                                                                                                                                 
/SYED A ZAIDI/       Primary Examiner, Art Unit 2432