DETAILED ACTION
This action is in response to the application filed on March 9, 2021. Claims 15-27 are
pending. Of such, claims 15-21 represent a device, claims 22-26 represent a method, and claim 27
represents a non-transitory computer program product directed to network function messaging.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Objections
Claims 23-27 objected to because of the following informalities: 
Claim 23 is a dependent claim of claim 23, a claim can not depend on itself. 
Claims 24-26 depend on Claim 23 which if following the independent claim 15, would require claims 24-26 to depend on independent method claim 22. 
Claim 27 is missing a period at the end of the claim.
Appropriate correction is required.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 15-22 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claim 15 recites the limitation “the memory" in line 4.  There is insufficient antecedent basis for this limitation in the claim.
Claim 15 recites the limitation “the second security edge proxy" in line 6.  There is insufficient antecedent basis for this limitation in the claim.
Claims 16-21 are dependent on claim 15 and rejected for their dependency.
Claim 22 recites the limitation “the first security edge proxy and the second security edge proxy" in line 3-4.  There is insufficient antecedent basis for this limitation in the claim.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claim 27 is rejected under 35 U.S.C. 101 because the claimed invention is directed to
non-statutory subject matter.
Claim 27 does not fall within at least one of the four categories of patent eligible subject
matter because the claim is directed to a computer readable program product comprising executable program code. It is unclear what the computer readable program product refers to according to the specifications of the application. The broadest reasonable interpretation of a computer readable medium or product typically covers both forms of non-transitory media and transitory propagating signals per se in view of the ordinary and customary meaning of computer-readable media (for example, as defined by usage in issued patents and published patent applications), noting that the present specification does not explicitly define the term “computer readable program product”. A signal does not constitute statutory subject matter, because it is neither a process, a machine, an article of manufacture, nor a composition of matter, and therefore does not fall within any of the statutory classes of invention. See In re 
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claim(s) 15-27 are rejected under 35 U.S.C. 102 (a)(1) as being anticipated over ETSI (NPL ETSI TS 133 501 V15.5.0), hereinafter referred to as ETSI.
	Regarding Claim 15, ETSI discloses:
A first security edge proxy serving a first network function, comprising; a communication circuitry; a data storage; and a processing circuitry configured to cause, using the communication circuitry and the memory (on page 30, section 5.9.3.2, ETSI discloses “The SEPP shall act as a non-transparent proxy node. The SEPP shall protect application layer control plane messages between two NFs belonging to different PLMNs that use the N32 interface to communicate with each other” on page 30, section 5.9.3.2, ETSI further discloses “implementing separate certificate storages”): forming a transport layer security, TLS, protected first control plane connection between the first security edge proxy and the second security edge proxy so that the first security edge proxy is a TLS client and the  (on page 128, section 13.2.2.1, ETSI discloses “the SEPPs use the established TLS connection (henceforth referred to as N32-c connection)to negotiate the N32-f specific associated security configuration parameters required to enforce application layer security on HTTP messages exchanged between the SEPPs”); and forming a TLS protected second control plane connection between the first security edge proxy and the second security edge proxy so that the first security edge proxy is a TLS server and the second security edge proxy is a TLS client for the second control plane connection (on page 128, section 13.2.2.1, ETSI discloses “A second N32-c connection is established by the receiving SEPP to enable it to not only receive but also send HTTP Requests” on page 129, section 13.2.2.2, ETSI further discloses “The responding SEPP in the first N32-c connection shall now setup a second N32-c connection by establishing a mutually authenticated TLS connection with the peer SEPP”); wherein the forming of the TLS protected first control plane connection comprises forming a first shared secret (on page 128, section 13.2.2.1, ETSI discloses “The SEPPs independently export keying material associated with the first N32-c connection between them and use it as the pre-shared key for generating the shared session key required”); and the forming of the TLS protected second control plane connection comprises forming a second shared secret (on page 128, section 13.2.2.1, ETSI discloses “The SEPPs independently export keying material associated with the first N32-c connection between them and use it as the pre-shared key for generating the shared session key required”); and the processing circuitry is further configured to: obtain a first master key from the first shared secret (on page 129, section 13.2.2.2, ETSI discloses “The exported key shall be used as the master key to derive session keys and IVs for the N32-f context as specified in clause 13.2.4.4.1.” on page 137, section 13.2.4.4.1, ETSI further discloses “The N32-f key hierarchy is based on the N32-f master key generated during the N32-c initial handshake by TLS key export.”); obtain a second master key from the second shared secret (on page 129, section 13.2.2.2, ETSI discloses “The exported key shall be used as the master key to derive session keys and IVs for the N32-f context as specified in clause 13.2.4.4.1.” on page 137, section 13.2.4.4.1, ETSI further discloses “The N32-f key hierarchy is based on the N32-f master key generated during the N32-c initial handshake by TLS key export.”); form a first unique identifier representing a logical connection context information for message protection on a first logical connection that is associated with the first control plane connection (on page 136, section 13.2.4.3.1.2, ETSI discloses “N32-f message ID: Unique identifier (64-bit integer) representing a HTTP Request/Response transaction between two SEPPs. The N32-f message ID is generated by the sending SEPP and included in the HTTP Request sent over the N32 interface”); form a second unique identifier representing a logical connection context information for message protection on a second logical connection that is associated with the second control plane connection (on page 136, section 13.2.4.3.1.2, ETSI discloses “N32-f message ID: Unique identifier (64-bit integer) representing a HTTP Request/Response transaction between two SEPPs. The N32-f message ID is generated by the sending SEPP and included in the HTTP Request sent over the N32 interface”);  form, based on the first master key and the first unique identifier, a first session key for first logical connection encryption (on page 129, section 13.2.2.2, ETSI discloses “The exported key shall be used as the master key to derive session keys and IVs for the N32-f context as specified in clause 13.2.4.4.1.” and on page 137, section 13.2.4.4.1, ETSI discloses “The N32-f key hierarchy consists of two pairs of session keys and two pairs of IV salts, which are used in two different HTTP/2 sessions”); and form, based on the second master key and the second unique identifier, a second session key for second logical connection encryption  (on page 129, section 13.2.2.2, ETSI discloses “The exported key shall be used as the master key to derive session keys and IVs for the N32-f context as specified in clause 13.2.4.4.1.” and on page 137, section 13.2.4.4.1, ETSI discloses “The N32-f key hierarchy consists of two pairs of session keys and two pairs of IV salts, which are used in two different HTTP/2 sessions”).
	Regarding Claim 16, ETSI discloses:
 (on page 139, section 13.2.4.7, ETSI discloses “The receiving SEPP shall decrypt the JWE ciphertext using the shared session key and the following parameters obtained from the JWE object – Initialization Vector, Additional Authenticated Data value (clearTextEncapsulatedMessage in "aad") and JWE Authentication Tag ( "tag")”).
	Regarding Claim 17, ETSI discloses:
	The first security edge proxy of claim 16, wherein the processing circuitry is further configured to form a second initialization vector randomizer for the decryption of the second logical connection request from the second security edge proxy (on page 139, section 13.2.4.7, ETSI discloses “The receiving SEPP shall decrypt the JWE ciphertext using the shared session key and the following parameters obtained from the JWE object – Initialization Vector, Additional Authenticated Data value (clearTextEncapsulatedMessage in "aad") and JWE Authentication Tag ( "tag")”).
	Regarding Claim 18, ETSI discloses:
	The first security edge proxy of claim 15, wherein: the first logical connection is protected by application layer security; the second logical connection is protected by application layer security (on page 129, section 13.2.2.2, ETSI discloses “any further N32-c communication that may occur over time while application layer security is applied to N32-f, or any further N32-c and N32-f communication, if TLS is used to protect N32-f.”); and the application layer security employs different cipher suites for the first and second logical connections (on page 129, section 13.2.2.2, ETSI discloses “The responding SEPP shall compare the received cipher suites to its own supported cipher suites and shall
select, based on its local policy, a cipher suite, which is supported by both initiating SEPP and responding SEPP”).
	Regarding Claim 19, ETSI discloses:
 (on page 134, section 13.2.4.1, ETSI discloses “Encryption of IEs shall take place end to end between cSEPP and pSEPP.”); and the processing circuitry is further configured to cause decrypting, using the second shared secret, second control data received over the second control plane connection (on page 131, section 13.2.2.4.1, ETSI discloses “During transfer of application data over N32-f, the SEPP shall include the N32-f context ID in a separate IE in the metadata part of the JSON structure, see clause 13.2.4.2. The receiving SEPP shall use this information to apply the correct key and parameters during decryption and validation” and on page 139, section 13.2.4.7, ETSI further discloses “The receiving SEPP shall decrypt the JWE ciphertext using the shared session key and the following parameters obtained from the JWE object”).
	Regarding Claim 20, ETSI discloses:
	The first security edge proxy of claim 19, wherein the application layer security employs JSON Web Encryption, JWE (on page 137, section 13.2.4.4.0, ETSI discloses “The SEPP shall use JSON Web Encryption (JWE) as specified in RFC 7516 [59] for the protection of reformatted HTTP messages between the SEPPs”).
	Regarding Claim 21, ETSI discloses:
The first security edge proxy of claim 15, wherein the first master key may be formed using a TLS exporter function associated with the first control connection (on page 129, section 13.2.2.2, ETSI discloses “The exported key shall be used as the master key to derive session keys and IVs for the N32-f context as specified in clause 13.2.4.4.1.”); and the second master key may be formed using a TLS exporter function associated with the second control connection (on page 129, section 13.2.2.2, ETSI discloses “The exported key shall be used as the master key to derive session keys and IVs for the N32-f context as specified in clause 13.2.4.4.1.”).
	Regarding Claim 22, ETSI discloses:
	A method, wherein the method is performed in a security edge proxy, the method comprising: forming a transport layer security, TLS, protected first control plane connection between the first security edge proxy and the second security edge proxy so that the first security edge proxy is a TLS client and the second security edge proxy is a TLS server for the first control plane connection(on page 128, section 13.2.2.1, ETSI discloses “the SEPPs use the established TLS connection (henceforth referred to as N32-c connection)to negotiate the N32-f specific associated security configuration parameters required to enforce application layer security on HTTP messages exchanged between the SEPPs”); and forming a TLS protected second control plane connection between the first security edge proxy and the second security edge proxy so that the first security edge proxy is a TLS server and the second security edge proxy is a TLS client server for the second control plane connection (on page 128, section 13.2.2.1, ETSI discloses “A second N32-c connection is established by the receiving SEPP to enable it to not only receive but also send HTTP Requests” on page 129, section 13.2.2.2, ETSI further discloses “The responding SEPP in the first N32-c connection shall now setup a second N32-c connection by establishing a mutually authenticated TLS connection with the peer SEPP”); wherein the forming of the TLS protected first control plane connection comprises forming a first shared 4Docket No. NC307444-US-PCT Customer No. 73658 secret (on page 128, section 13.2.2.1, ETSI discloses “The SEPPs independently export keying material associated with the first N32-c connection between them and use it as the pre-shared key for generating the shared session key required”); and the forming of the TLS protected second control plane connection comprises forming a second shared secret (on page 128, section 13.2.2.1, ETSI discloses “The SEPPs independently export keying material associated with the first N32-c connection between them and use it as the pre-shared key for generating the shared session key required”); the method further comprising: obtaining a first master key from the first shared secret (on page 129, section 13.2.2.2, ETSI discloses “The exported key shall be used as the master key to derive session keys and IVs for the N32-f context as specified in clause 13.2.4.4.1.” on page 137, section 13.2.4.4.1, ETSI further discloses “The N32-f key hierarchy is based on the N32-f master key generated during the N32-c initial handshake by TLS key export.”); obtaining a second master key from the second shared secret (on page 129, section 13.2.2.2, ETSI discloses “The exported key shall be used as the master key to derive session keys and IVs for the N32-f context as specified in clause 13.2.4.4.1.” on page 137, section 13.2.4.4.1, ETSI further discloses “The N32-f key hierarchy is based on the N32-f master key generated during the N32-c initial handshake by TLS key export.”); forming a first unique identifier representing a logical connection context information for message protection on a first logical connection that is associated with the first control plane connection (on page 136, section 13.2.4.3.1.2, ETSI discloses “N32-f message ID: Unique identifier (64-bit integer) representing a HTTP Request/Response transaction between two SEPPs. The N32-f message ID is generated by the sending SEPP and included in the HTTP Request sent over the N32 interface”); forming a second unique identifier representing a logical connection context information for message protection on a second logical connection that is associated with the second control plane connection (on page 136, section 13.2.4.3.1.2, ETSI discloses “N32-f message ID: Unique identifier (64-bit integer) representing a HTTP Request/Response transaction between two SEPPs. The N32-f message ID is generated by the sending SEPP and included in the HTTP Request sent over the N32 interface”); forming, based on the first master key and the first unique identifier, a first session key for first logical connection encryption (on page 129, section 13.2.2.2, ETSI discloses “The exported key shall be used as the master key to derive session keys and IVs for the N32-f context as specified in clause 13.2.4.4.1.” and on page 137, section 13.2.4.4.1, ETSI discloses “The N32-f key hierarchy consists of two pairs of session keys and two pairs of IV salts, which are used in two different HTTP/2 sessions”); and forming, based on the second master key and the second unique identifier, a second session key for second logical connection encryption  (on page 129, section 13.2.2.2, ETSI discloses “The exported key shall be used as the master key to derive session keys and IVs for the N32-f context as specified in clause 13.2.4.4.1.” and on page 137, section 13.2.4.4.1, ETSI discloses “The N32-f key hierarchy consists of two pairs of session keys and two pairs of IV salts, which are used in two different HTTP/2 sessions”).
	Regarding Claim 23, ETSI discloses:
	The method of claim 23, further comprising forming a first initialization vector randomizer for the encryption of the first logical connection request to the second security edge proxy (on page 139, section 13.2.4.7, ETSI discloses “The receiving SEPP shall decrypt the JWE ciphertext using the shared session key and the following parameters obtained from the JWE object – Initialization Vector, Additional Authenticated Data value (clearTextEncapsulatedMessage in "aad") and JWE Authentication Tag ( "tag")”).
	Regarding Claim 24, ETSI discloses:
	The method of claim 23, further comprising forming a second initialization vector randomizer for the decryption of the second logical connection request from the second security edge proxy (on page 139, section 13.2.4.7, ETSI discloses “The receiving SEPP shall decrypt the JWE ciphertext using the shared session key and the following parameters obtained from the JWE object – Initialization Vector, Additional Authenticated Data value (clearTextEncapsulatedMessage in "aad") and JWE Authentication Tag ( "tag")”).
	Regarding Claim 25, ETSI discloses:
	The method of claim 23, further comprising: protecting the first logical connection by application layer security; protecting the second logical connection by application layer security (on page 129, section 13.2.2.2, ETSI discloses “any further N32-c communication that may occur over time while application layer security is applied to N32-f, or any further N32-c and N32-f communication, if TLS is used to protect N32-f.”); and employing different application layer security cipher suites for the  (on page 129, section 13.2.2.2, ETSI discloses “The responding SEPP shall compare the received cipher suites to its own supported cipher suites and shall
select, based on its local policy, a cipher suite, which is supported by both initiating SEPP and responding SEPP”).
	Regarding Claim 26, ETSI discloses:
	The method of claim 23, further comprising: encrypting, using the first shared secret, first control data for transmission over the first control plane connection (on page 134, section 13.2.4.1, ETSI discloses “Encryption of IEs shall take place end to end between cSEPP and pSEPP.”); and decrypting, using the second shared secret, second control data received over the second control plane connection (on page 131, section 13.2.2.4.1, ETSI discloses “During transfer of application data over N32-f, the SEPP shall include the N32-f context ID in a separate IE in the metadata part of the JSON structure, see clause 13.2.4.2. The receiving SEPP shall use this information to apply the correct key and parameters during decryption and validation” and on page 139, section 13.2.4.7, ETSI further discloses “The receiving SEPP shall decrypt the JWE ciphertext using the shared session key and the following parameters obtained from the JWE object”).
	Regarding Claim 27, ETSI discloses:
A non-transitory computer program product comprising computer executable program code configured to perform: forming a transport layer security, TLS, protected first control plane connection between the first security edge proxy and the second security edge proxy so that the first security edge proxy is a TLS client and the second security edge proxy is a TLS server for the first control plane connection (on page 128, section 13.2.2.1, ETSI discloses “the SEPPs use the established TLS connection (henceforth referred to as N32-c connection)to negotiate the N32-f specific associated security configuration parameters required to enforce application layer security on HTTP messages exchanged between the SEPPs”); and forming a TLS protected second control plane connection  (on page 128, section 13.2.2.1, ETSI discloses “A second N32-c connection is established by the receiving SEPP to enable it to not only receive but also send HTTP Requests” on page 129, section 13.2.2.2, ETSI further discloses “The responding SEPP in the first N32-c connection shall now setup a second N32-c connection by establishing a mutually authenticated TLS connection with the peer SEPP”); wherein the forming of the TLS protected first control plane connection comprises forming a first shared secret (on page 128, section 13.2.2.1, ETSI discloses “The SEPPs independently export keying material associated with the first N32-c connection between them and use it as the pre-shared key for generating the shared session key required”); and the forming of the TLS protected second control plane connection comprises forming a second shared secret (on page 128, section 13.2.2.1, ETSI discloses “The SEPPs independently export keying material associated with the first N32-c connection between them and use it as the pre-shared key for generating the shared session key required”); the method further comprising: obtaining a first master key from the first shared secret (on page 129, section 13.2.2.2, ETSI discloses “The exported key shall be used as the master key to derive session keys and IVs for the N32-f context as specified in clause 13.2.4.4.1.” on page 137, section 13.2.4.4.1, ETSI further discloses “The N32-f key hierarchy is based on the N32-f master key generated during the N32-c initial handshake by TLS key export.”); obtaining a second master key from the second shared secret (on page 129, section 13.2.2.2, ETSI discloses “The exported key shall be used as the master key to derive session keys and IVs for the N32-f context as specified in clause 13.2.4.4.1.” on page 137, section 13.2.4.4.1, ETSI further discloses “The N32-f key hierarchy is based on the N32-f master key generated during the N32-c initial handshake by TLS key export.”); forming a first unique identifier representing a logical connection context information for message protection on a first logical connection that is associated with the first control plane connection (on page 136, section 13.2.4.3.1.2, ETSI discloses “N32-f message ID: Unique identifier (64-bit integer) representing a HTTP Request/Response transaction between two SEPPs. The N32-f message ID is generated by the sending SEPP and included in the HTTP Request sent over the N32 interface”); forming a second unique identifier representing a logical connection context information for message protection on a second logical connection that is associated with the second control plane connection (on page 136, section 13.2.4.3.1.2, ETSI discloses “N32-f message ID: Unique identifier (64-bit integer) representing a HTTP Request/Response transaction between two SEPPs. The N32-f message ID is generated by the sending SEPP and included in the HTTP Request sent over the N32 interface”); forming, based on the first master key and the first unique identifier, a first session key for first logical connection encryption  (on page 129, section 13.2.2.2, ETSI discloses “The exported key shall be used as the master key to derive session keys and IVs for the N32-f context as specified in clause 13.2.4.4.1.” and on page 137, section 13.2.4.4.1, ETSI discloses “The N32-f key hierarchy consists of two pairs of session keys and two pairs of IV salts, which are used in two different HTTP/2 sessions”);  and forming, based on the second master key and the second unique identifier, a second session key for second logical connection encryption (on page 129, section 13.2.2.2, ETSI discloses “The exported key shall be used as the master key to derive session keys and IVs for the N32-f context as specified in clause 13.2.4.4.1.” and on page 137, section 13.2.4.4.1, ETSI discloses “The N32-f key hierarchy consists of two pairs of session keys and two pairs of IV salts, which are used in two different HTTP/2 sessions”).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Xu et al. (US Publication Number 2021/0044569) discloses a method for sending signal messages through an IPS proxy from a first network element to another network element. 
He et al. (US Publication Number 2020/0344604) discloses a method for performing verification using a shared key to send a message between network elements. 
Saarinen et al. (US Publication Number 2021/0014680) discloses a method of wireless communication to transmit protected messages.
Lehtovirta et al. (US Publication Number 2021/0014284) discloses a security negotiation mechanism between security gateways.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHADI H KOBROSLI whose telephone number is (571)272-1952. The examiner can normally be reached M-F 9am-5pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on 571-272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/SHADI H KOBROSLI/Examiner, Art Unit 2492                                                                                                                                                                                                        
/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492