DETAILED ACTION
	This office action is in response to the application filed on 6/30/2020 in which claims 1-18 are pending.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sood et al. (US20170161501A1) in view of Singaravelu et al. (US20190253264A1).
As to claims 1, 7, and 13, Sood teaches a method for creating a virtualized network function instance (VNFI), comprising: (abstract Technologies for bootstrapping virtual network functions in a network functions virtualization (NFV) network architecture)
generating, by a hardware-mediated execution enclave (HMEE) in a network functions virtualization (NFV) system, a private-public key pair, wherein a to-be-instantiated VNFI is deployed in the NFV system, and the HMEE and a to-be-instantiated first virtualized network function component (VNFC) are deployed in the ([0029] the TEE supports 204 provide hardware-reinforced security for the trusted execution environment [0058] To do so, each VBS agent 448, 450, 452 is configured to create a public/private key pair (i.e., a public key and a private key) [0045] the NFV security services controller 102 may additionally include a trusted execution environment (TEE) 422 in which the VBS 420 may reside [0048] The NFV infrastructure 108 includes all of the hardware and software components of the computing nodes 110 from which the VNF instances may be deployed. [0054] each of the VNF instances may include one or more VNF components (VNFCs) [0096] wherein the TEE is located on a platform on which the VNF instance is instantiated.)
sending, by the HMEE, a public key in the private-public key pair to a security control device; ([0067] the TEE can attest to the identity and configuration of the VBS agent (e.g., running correct VBS agent, configured by the correct launch parameters, the VBS agent generated the public key being requested. Additionally, remote attestation can be implemented to detect possible security threats, such as network packet tampering, network packet corruption, malicious content within network packets, etc. [0064] the VBS agent verification module 532 may be configured to verify an authenticity of a public key of the VNF instance of the VBS agent, received from the VBS agent during execution of the VBS capture protocol.)
receiving, by the HMEE, an encrypted security credential from the security control device, ([0065] The VBS agent security credential module 534 is configured to provide a valid security credential (e.g., a certificate, a signed hash result, etc.) for the VBS agent being registered during execution of the VBS capture protocol. To do so, the VBS agent security credential module 534 may be configured to create or retrieve a valid security credential in response to the VBS agent verification module 532 having verified the authenticity of the security quote and the public key of the VNF instance, as well as having validated the liveness of the messages)
But does not specifically teach:
wherein the encrypted security credential is obtained by encrypting a security credential of a package of the first VNFC based on the public key; 
decrypting, by the HMEE, the encrypted security credential based on a private key in the private-public key pair, to obtain the security credential; and 
decrypting the package of the first VNFC based on the security credential. 
However Singaravelu teaches wherein the encrypted security credential is obtained by encrypting a security credential of a package of the first VNFC based on the public key; decrypting, by the HMEE, the encrypted security credential based on a private key in the private-public key pair, to obtain the security credential; and 
decrypting the package of the first VNFC based on the security credential. 
(Section 8.1.4 [0139]-[0173] describe the secure environment engine authenticating a received package by verifying the security credentials from the public key using the private key.)
It would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the virtualized network function system of Sood with the methods from Singaravelu in order to provision confidentiality, integrity and privacy for NFV operation and also should facilitate strong authentication mechanism to secure the services and credentials of the systems.
As to claims 2, 8, and 14, Sood in view of Singaravelu teaches the method according to claim 1, wherein an instantiated second VNFC is deployed in the VNFI, and the sending, by the HMEE, of the public key in the private-public key pair to the security control device comprises: sending, by the HMEE, the public key in the private-public key pair to the security control device by using the second VNFC, and the receiving, by the HMEE, of the encrypted security credential from the security control device comprises: receiving, by the HMEE, the encrypted security credential from the security control device by using the second VNFC. ([0054] Further, each of the VNF instances may include one or more VNF components (VNFCs) (not shown). It should be appreciated that the VNF instances 440 may be embodied as any suitable virtual network functions; similarly, the VNFCs may be embodied as any suitable VNF components. The VNFCs are processes and/or instances that cooperate to deliver the functionality of one or more VNF instances 440. For example, in some embodiments, the VNFCs may be sub-modules of the VNF instances 440.)
It would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to repeat the instantiation process for a second VNFC as done with the first VNFC in order to include more VNFCs in a VNF instance and provide a service chain.
As to claims 3 and 15, Sood in view of Singaravelu teaches the method according to claim 2, wherein the method further comprises: receiving, by the HMEE, an instantiation complete message from the second VNFC. (fig. 9 and fig. 10 [0082] At block 926, the registration request message response received by the VBS agent is signed by the VBS 420 using the private key of the VBS 420. [0088] At message flow 1016, the VBS 420 securely transmits a registration response message to the VBS agent. The registration response message includes a set of authorized VNFCs (if applicable))
As to claims 4, 9, and 16, Sood in view of Singaravelu teaches the method according to claim 1, wherein the method further comprises: sending, by the HMEE, an identifier of the first VNFC to the security control device. (fig. 9 and fig. 10 [0082] At block 926, the registration request message response received by the VBS agent is signed by the VBS 420 using the private key of the VBS 420. [0088] At message flow 1016, the VBS 420 securely transmits a registration response message to the VBS agent. The registration response message includes a set of authorized VNFCs (if applicable))
As to claims 5 and 17, Sood in view of Singaravelu teaches the method according to claim 1, wherein the method further comprises: sending, by the HMEE, a hash of the public key to the security control device. (fig . 11 steps 1108 and 1110 [0077] At message flow 822, the VBS agent retrieves a security quote from the TEE 476. [0090] Referring now to FIG. 11, in use, a trusted execution environment (e.g., the TEE 476 of FIG. 4) may execute a method 1100 for performing a TEE quoting operation for a VBS agent (e.g., the VBS agent 448, the VBS agent 450, or the VBS agent 452 of FIG. 4).)
As to claims 6 and 18, Sood in view of Singaravelu teaches the method according to claim 1, wherein the method further comprises: sending, by the HMEE, one or more of a host identifier and/or or a hash of code to the security control device, wherein the host identifier is an identifier of a host on which the HMEE is installed, and ([0090] the TEE applies the hash function to an identifier that is unique to a platform (i.e., a unique platform identifier) on which the VNF instance is instantiated to generate a hash result. [0045] the VBS 420 may still be run in a TEE)
As to claim 10, Sood in view of Singaravelu teaches the method according to claim 7, wherein the method further comprises: receiving, by the security control device, a hash of the public key from the HMEE; and ([0090] the TEE applies the hash function to an identifier that is unique to a platform (i.e., a unique platform identifier) on which the VNF instance is instantiated to generate a hash result. [0045] the VBS 420 may still be run in a TEE)
verifying, by the security control device, the public key based on the received public key and the received hash of the public key, ([0085] At message flow 1008, the VBS 420 verifies the security quote signed by the TEE 476 that was received from the VBS agent. At message flow 1010, the VBS 420 performs a series of whitelist checks to verify that the VBS 420 is configured correctly.)
wherein the encrypting, by the security control device, of the security credential based on the public key comprises: encrypting, by the security control device, the security credential based on the public key when based on a determination that the public key is verified. ([0087] At message flow 1014, the VBS 420 creates or retrieves a valid security credential (e.g., a security certificate, a signed hash result, etc.) upon verification of the security credential request. [0064] the VBS agent verification module 532 may be configured to verify an authenticity of a public key of the VNF instance of the VBS agent, received from the VBS agent)
As to claim 11, Sood in in view of Singaravelu teaches the method according to claim 7, wherein the method further comprises: authenticating, by the security control device, the HMEE, wherein the sending, by the security control device, of the encrypted security credential to the HMEE comprises: sending, by the security control device, the encrypted security credential to the HMEE based on a determination that the HMEE is authenticated. ([0064] the VBS agent verification module 532 is be configured to verify an authenticity of a security quote received from a VBS agent [0065] the VBS agent security credential module 534 may be configured to create or retrieve a valid security credential in response to the VBS agent verification module 532 having verified the authenticity of the security quote and the public key of the VNF instance,)
As to claim 12, Sood in view of Singaravelu teaches the method according to claim 11, wherein the authenticating, by the security control device, of the HMEE comprises: receiving, by the security control device, one or more of a host identifier and/or or a hash of code from the HMEE, wherein the host identifier is an identifier of a host on which the HMEE is configured, and the code is code executed by the HMEE; and authenticating, by the security control device, the HMEE based on at least one of the host identifier and/or or the hash of the code, wherein the security control device prestores one or more of an identifier of an authenticated host and/or or code allowed to be executed. ([0090] the TEE applies the hash function to an identifier that is unique to a platform (i.e., a unique platform identifier) on which the VNF instance is instantiated to generate a hash result. [0045] the VBS 420 may still be run in a TEE [0064] the VBS agent verification module 532 is be configured to verify an authenticity of a security quote received from a VBS agent; the VBS agent verification module 532 may be configured to perform a whitelist check to verify a configuration of the VBS 420 based on one or more provisioning parameters received by the VBS 420, or the security controller 102, during a secure provisioning of the VBS 420.)




Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ELTON S WILLIAMS whose telephone number is (571)272-9933. The examiner can normally be reached 8-4 Mon-Fri.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Marsha Banks Harold can be reached on 5712727905. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-



/Elton Williams/Examiner, Art Unit 2465