Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
The present Office Action is responsive to communication received 6/3/2020. Claims 1-20 are pending.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 6/3/2020 and 1/14/2022 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 2, 9 are rejected under 35 U.S.C. 103 as being unpatentable over US 20190068564 to Putatunda et al., hereinafter Putatunda. Putatunda is cited in IDS dated 1/14/2022.
Regarding claim 1, Putatunda discloses 
A system for managing distribution of digital security keys, the system comprising: a network terminal access point (TAP) configured to intercept a packet on a computer network ([0024]: tap element or probe (Fig. 2, 203) intercepts traffic and make copies of encrypted record (packet) ) ; a network monitoring device comprising a key datastore and configured to receive the intercepted packet and decrypt the intercepted packet when a corresponding decryption key is stored in the key datastore (Fig. 1 [0024]: EAV device 105 receives encrypted packet from tap; [0028][0030][0038]: EAV decrypts packet with key obtained from server 106; although Putatunda does not explicitly teach the EAV comprising a key datastore, Putatunda discloses the EAV receiving decryption keys from the server, the keys are implicitly stored in a memory considered as the key datastore) ; a secure keystore configured to store decryption keys([0022]: server 106 maintains a key store database including key pairs) ; a key broker configured to: receive metadata corresponding to the intercepted packet ([0027][0028] server 106 is the broker, receives query from EAV, the query including session-based identification information associated with tapped packets); retrieve from the secure keystore, based on the metadata, a decryption key corresponding to the intercepted packet; and provide the decryption key to the network monitoring device for storage in the key datastore ([0029] server 106 retrieves decryption key matching the session information and provides it to EAV, which stores it implicitly in memory).  

Regarding claim 3, Putatunda discloses the system of claim 1, wherein the key broker is further configured to store tracking data corresponding to both the network monitoring device and the decryption key provided to the network monitoring device ([0026][0037]: server records list of subscribed/designated EAV devices and private/public key, session identification information and time information). 
 
Regarding claim 9, Putatunda discloses the system of claim 1, wherein the key broker is further configured to: receive a request from the network monitoring device; and provide the decryption key in response to the request ([0028]: EAV send request for key, and receive key)

Claims 2 and 7 are rejected under 35 USC 103 as being unpatentable over Putatunda, in view of US 20170237777 to Joch et al., hereinafter Joch.

Regarding claim 2, Putatunda discloses the system of claim 1, further comprising:; and wherein the key broker is further configured to: store the metadata in a tracking database ([0022]: key store stores session information (metadata) in key store).  Putatunda discloses the EAV sending the metadata to the key broker ([0022]: key store database in server map session identifiers to key pairs, the session identifiers monitored by EAV) but does not explicitly teach: an intrusion detection system configured to: collect the metadata, corresponding to packets to be decrypted, based on a server name indication (SNI) field retrieved from network traffic, or a common name (CN) field, or a subject alternative name (SAN) field of a security certificate retrieved from network traffic; and send the metadata to the key broker. In an analogous art, Joch discloses an analyzer receiving traffic data from taps (Fig. 1, [0036]), the analyzer inspects unencrypted metadata and header using a service identifier module, an example of metadata being Server Name Indication (SNI) ([0038][0052][0053]), and store the results of data collection into the analysis data [0048])).   It would have been obvious to a skilled artisan before the instant application was filed to include in the monitoring device of Putatunda a module interpreted as an IDS, that collects metadata such as SNI, as taught by Joch, and sends the metadata to the key broker because it would allow using that information to determine hostname requested by the client and identify the particular service associated with the hostname (Joch [0053]).

Regarding claim 7, Putatunda discloses the system of claim 1, but does not disclose wherein the metadata comprises domain information and/or an unencrypted destination corresponding to the packet. In an analogous art, Joch discloses inspecting metadata and headers that are unencrypted ([0052]), the unencrypted information including IP address of the media server (destination of the packet), therefore Joch teaches the limitation. It would have been obvious to a skilled artisan before the instant application was filed to include in the metadata unencrypted destination corresponding to the packet as taught by Joch, because collecting source/destination information from unencrypted header and metadata is standard in network traffic monitoring and would allow determining the media service associated with the IP address (Joch [0053]).


Claim 8 is rejected under 35 USC 103 as being unpatentable over Putatunda, in view of US 20150082035 to Medvinsky, hereinafter Medvinsky.
Regarding claim 8, Putatunda discloses the system of claim 1, but does not disclose wherein the secure keystore comprises an offline storage device.  In an analogous art, Medvinsky discloses storing encryption keys in an offline storage (0037), teaching the limitation. It would have been obvious to a skilled artisan before the instant application was filed to include an offline storage device in the keystore as taught by Medvinsky because it would protect the keys from online attacks from different malicious applications, increasing security.

Claims 4-5, 10-11, 13-14, 16-17, 19-20 are rejected under 35 USC 103 as being unpatentable over Putatunda, in view of US 20190097791 to Hersans et al., hereinafter Hersans.

Regarding claim 4, Putatunda discloses the system of claim 1, but does not explicitly teach: wherein the key broker is further configured to store a lease time corresponding to the decryption key.  In an analogous art, Hersans discloses  an encryption key stored with a time-to-live (TTL) parameter, invalidate encryption key at expiration time [0030]; It would have been obvious to a skilled artisan before the instant application was filed to include in the key broker or server in Putatunda a TTL parameter or lease time corresponding to the decryption key because it would allow an easy roll-over of expired keys, because it would facilitate managing the keys in the key store.

Regarding claim 5, Putatunda n view of Hersans discloses the system of claim 4, wherein the key broker is further configured to remove the decryption key from the network monitoring device in response to expiration of the lease time (Hersans [0025][0037]).

Regarding claim 10, Putatunda discloses:
A method of managing decryption keys in a network environment, the method comprising: receiving, by a processor, metadata related to an encrypted network packet intercepted from network traffic ([0027][0028] server 106 is the broker, receives query from EAV, the query including session-based identification information associated with tapped packets); retrieving, based on the metadata, a decryption key from a secure keystore; providing the retrieved decryption key to a network monitoring device ([0029] server 106 retrieves decryption key matching the session information and provides it to EAV, which stores it implicitly in memory); storing tracking data corresponding to both the network monitoring device and the decryption key provided to the network monitoring device ([0026][0037]: server records list of subscribed/designated EAV devices and private/public key, session identification information and time information; 
Putatunda does not explicitly teach the rest of the limitations about the updating.  
In an analogous art, Hersans discloses  an encryption key stored with a time-to-live (TTL) parameter; Hersans discloses updating the decryption key provided to the network monitoring device ([0030]:  invalidate encryption key at expiration time); and updating the tracking data in response to the updating of the decryption key ([0037]: destroy the key at expiration time meaning the TTL associate with the user is destroyed too); It would have been obvious to a skilled artisan before the instant application was filed to include in the key broker or server in Putatunda a TTL parameter or lease time corresponding to the decryption key because it would allow an easy roll-over of expired keys, and would facilitate managing the keys in the key store.

Regarding claim 11, Putatunda in view of Hersans discloses the method of claim 10, wherein the storing of the tracking data comprises storing an identifier of the decryption key and an identifier of the network monitoring device (Putatunda [0026][0037]: server records list of subscribed/designated EAV devices and private/public key, session identification information and time information).  

Regarding claim 13, Putatunda in view of Hersans discloses the method of claim 10, wherein the storing of the tracking data comprises storing a lease time corresponding to the decryption key; and wherein the updating of the decryption key comprises removing the decryption key from the network monitoring device in response to expiration of the lease time (Hersans [0030][0037]).  

Regarding claim 14, Putatunda in view of Hersans discloses the method of claim 10, further comprising: receiving a request, comprising the metadata, from the network monitoring device; wherein the retrieving comprises retrieving, in response to the request, the decryption key from the secure keystore (Putatunda [0027][0028] server 106 is the broker, receives query from EAV, the query including session-based identification information associated with tapped packets); wherein the providing of the retrieved decryption key comprises storing the decryption key on a key datastore of the network monitoring device (Putatunda Fig. 1 [0024]: EAV device 105 receives encrypted packet from tap; [0028][0030][0038]: EAV decrypts packet with key obtained from server 106; although Putatunda does not explicitly teach the EAV comprising a key datastore, Putatunda discloses the EAV receiving decryption keys from the server, the keys are implicitly stored in a memory considered as the key datastore).  

Regarding claim 16, the claim recites substantially the same content as claim 10 and is rejected as claim 10.
Regarding claim 17, the claim recites substantially the same content as claim 11 and is rejected as claim 11.
Regarding claim 19, the claim recites substantially the same content as claim 13 and is rejected as claim 13.
Regarding claim 20, the claim recites substantially the same content as claim 14 and is rejected as claim 14.

Claim 15 is rejected under 35 USC 103 as being unpatentable over Putatunda, in view of Hersans and further view of Joch.
Regarding claim 15, Putatunda in view of Hersans discloses the method of claim 10, but does not teach wherein the metadata comprises one or more of: domain information, an unencrypted portion of a network packet, or an identifier of a security certificate corresponding to the decryption key. In an analogous art, Joch discloses inspecting metadata and headers that are unencrypted ([0052]), the unencrypted information including IP address of the media server (destination of the packet), therefore Joch teaches the limitation. It would have been obvious to a skilled artisan before the instant application was filed to include in the metadata unencrypted destination corresponding to the packet as taught by Joch, because collecting source/destination information from unencrypted header and metadata is standard in network traffic monitoring and would allow determining the media service associated with the IP address (Joch [0053]).


Allowable Subject Matter
Claims 6, 12 and 18 recite allowable subject matter.
Regarding claim 6, Putatunda discloses the system of claim 1, but does not teach: wherein the key broker is further configured to remove the decryption key from the network monitoring device based on a decryption key storage limit of the network monitoring device and a priority of the decryption key.
Hersans discloses removing encryptions keys from all available drives ([0025][0037]), however, neither Putatunda or any other prior art of the record discloses the key broker is further configured to remove the decryption key from the network monitoring device based on a decryption key storage limit of the network monitoring device and a priority of the decryption key. Therefore, claim 6 is found allowable.
Regarding claim 12, Putatunda in view of Hersans discloses the method of claim 10, wherein the updating of the decryption key comprises updating the decryption key in response to a change in the network traffic (Putatunda [0028] the decryption key is associated with the session, and would suggest a new session would correspond to a new key); Putatunda or Hersans or any other prior art of the record does not teach:
and wherein the updating of the decryption key further comprises updating the decryption key based on storage limits of the network monitoring device.  Therefore, claim 12 is allowable.
Regarding claim 18, Putatunda in view of Hersans discloses the non-volatile computer-readable device of claim 16.  Putatunda or Hersans or any other prior art of the record does not teach: the updating of the decryption key comprises updating the decryption key, in response to a change in the network traffic, based on storage limits of the network monitoring device. Therefore, claim 12 is allowable.
Claims 6, 12 and 18 are being objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Giblin 20210243168 discloses a publish-subscribe system where consumer receive encrypted message, checks encryption policy to determine if decryption is necessary, receives decryption key and decrypt the message.
Mayblum et al 8590057  discloses a server receives encryption or decryption key request identifying sender of the request, retrieves the key and provide it to the recipient device.
Mikami et al 20090060195 disclose a server manage encryption key in different volumes, map vol id , encrypt key, key update time.
Diesburg et al “TrueErase: Per-File Secure Deletion for the Storage Data Path”, ACM, 2012, p. 439-448 disclose : erase encryption keys from various storage devices ...
Shah et al “Analyzing the Impact of GDPR on Storage Systems” , 2019, Usenix,, 7 pages: deleting encryption keys from a given database and all existing databases respectively.
Singhal et al “Managing Data Retention Policies at Scale”, IEEE, 397-406: encryption key deletion and retention polices.


 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CATHERINE B THIAW whose telephone number is (571)270-1138. The examiner can normally be reached Monday-Friday 7am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, CARL G COLIN can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/Catherine Thiaw/Primary Examiner, Art Unit 2493                                                                                                                                                                                                        4/9/2022