DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
In response to objection to the specification, see remarks page 8, filed 02/02/2022, the specification objection to claims 1, 3, 11-13, and 16 has been withdrawn in light of claims amendment.

In response to claim objection to the title, see remarks page 9, filed 02/02/2022, the claim objection has been withdrawn in light of claims amendment.

In response to 35 USC 112, see remarks page 9, filed 02/02/2022, the previous 35 USC 112 rejection has been withdrawn in light of claims amendment. However, there are new issues to be resolved as indicated below.

In response to 35 USC 103, filed 02/02/2022, regarding claims 1 and 16, applicant argues Amin fails to teach “detecting a removable storage device has been received; determining if a validation token is stored on the removable storage device at the time the removable storage device was received”.
The examiner respectfully disagrees. Amin teaches “detecting a removable storage device has been received”. Amin discloses “inserting his/her USB storage device into the client machine [III. Proposed Protocol, section A, Page 3]”. Amin shows that by inserting the USB, the USB is being received. 

Amin teaches “determining if a validation token is stored on the removable storage device at the time the removable storage device was received”. Amin discloses “AS stores ⟨𝐸𝑖, 𝑆𝑖⟩  (interpreted as validation token) into the USB storage device… user computes 𝐵𝑃𝑊𝑖 = 𝜂⊕ℎ(𝑃𝑖) and finally stores it in USB storage device [III. Proposed Protocol, section A, Page 3]. inserting his/her USB storage device into the client machine and inputs ID’, P’, B’. Then the device computes S’. S’ matches with S [III. Proposed Protocol, section B, Page 3]”. Amin shows that the validation token is stored on the removable storage at the time USB was inserted. A determination is made when the stored validation token is used.
Claims 1-4, 9-10 and 20 fall together accordingly, as they do not cure the deficiencies of the independent claims.

In response to 35 USC 103, filed 02/02/2022, regarding claims 1 and 16, applicant argues Amin fails to teach “responsive to determining that the validation token is stored on the removable storage device at the time the removable storage device was received, obtaining a first content hash and a first set of device security data from the validation token based on the validation token, wherein the first content hash and the first set of device security data are part of the validation token at the time the removable storage device was received”.
The examiner respectfully disagrees. Amin teaches “responsive to determining that the validation token is stored on the removable storage device at the time the removable storage device was received, obtaining a first content hash and a first set of device security data from the validation token based on the validation token, wherein the first content hash and the first set of device security data are part of the validation token at the time the removable storage device was received”. Amin discloses “the device computes user identity PID’ = h(ID ║σ'). Masked password MPW’ = h(P’║ID’) [III. Proposed Protocol, section B, Page 3]. E=h(h(PID x) ║MPW), S=h(PID ║x) ⊕MPW; stores ⟨𝐸𝑖, 𝑆𝑖⟩ (interpreted as validation token) into the USB storage device [III. Proposed Protocol, section A, Page 3]. inserting his/her USB storage device into the client machine and inputs ID’, P’, B’. Then the device computes S’. S’ matches with S [III. Proposed Protocol, section B, Page 3]”. Amin shows that the stored validation token is being used. The validation token contains the hash and security data. The validation token stored in the USB is being used.
Claims 1-4, 9-10 and 20 fall together accordingly, as they do not cure the deficiencies of the independent claims.

In response to 35 USC 103, filed 02/02/2022, regarding claims 1 and 16, applicant argues Amin fails to teach “obtaining a second content hash based on hashing content stored on the removable storage device at the time the removable storage device was received”.
The examiner respectfully disagrees. Amin teaches “obtaining a second content hash based on hashing content stored on the removable storage device at the time the removable storage device was received”. Amin discloses “the device computes user identity PID = h(ID ║σ) (Interpreted as second content hash). Masked password MPW [III. Proposed Protocol, section A, Page 2]. E=h(h(PID x) ║MPW), S=h(PID ║x) ⊕MPW; stores ⟨𝐸𝑖, 𝑆𝑖⟩ (interpreted as validation token) into the USB storage device [III. Proposed Protocol, section A, Page 3]”. Amin shows inserting the USB. The USB contains the validation token that contains the hash and security data. Therefore, Amin does show a hash that was stored in the USB at the time the USB was received.
Claims 1-4, 9-10 and 20 fall together accordingly, as they do not cure the deficiencies of the independent claims.

In response to 35 USC 103, filed 02/02/2022, regarding claims 1 and 16, applicant argues Amin fails to teach “denying the removable storage device access to the information processing system based on at least one of the first and second content hashes failing to match; granting the removable storage device access to the information processing system based on the first and second content hashes matching”.
The examiner respectfully disagrees. Amin teaches “denying the removable storage device access to the information processing system based on at least one of the first and second content hashes failing to match; granting the removable storage device access to the information processing system based on the first and second content hashes matching”. Amin discloses “S’ matches with S. If it is not matched the user is not corrected, the session is then terminated. If it is matched the user is corrected, which it grants access by not terminating the session [III. Proposed Protocol, section B, Page 3]”. Amin shows matching the first and second hash in order to determine if the USB has access or not.
Claims 1-4, 9-10 and 20 fall together accordingly, as they do not cure the deficiencies of the independent claims.

In response to 35 USC 103, filed 02/02/2022, regarding claims 1, 11, and 16, applicant argues the combination of Amin-Chen fails to teach “second set device verification data”.
The examiner respectfully disagrees. Chen teaches “second set device verification data”. Chen discloses “the authentication server compares this identification with the stored IDm (taught as the second set of device security data, IDm is stored in the removable storage media that was inserted to the access host) [Section 2.1, Page 4355]. Whether the unique identification is in the certified IDm library or not, in order to judge whether the removable storage media is legitimate media [4.1 System architecture, Pages 4359-4360]”. Chen shows a comparison of the read IDm with the stored IDm. These IDm’s are stored in the USB.
Claims 1-4, 9-10, 12, 13, 15, and 20 fall together accordingly, as they do not cure the deficiencies of the independent claims.
In response to 35 USC 103, filed 02/02/2022, regarding claim 11 applicant argues the combination of Amin-Chen fails to teach “storing device security data associated with the removable storage device in the validation file; and tokenizing the validation file to generate a token that is stored on the removable storage device”.
Chen teaches “storing device security data associated with the removable storage device in the validation file; and tokenizing the validation file to generate a token that is stored on the removable storage device”. Chen discloses “the authentication server compares this identification with the stored IDm (taught as the second set of device security data, IDm is stored in the removable storage media that was inserted to the access host) [Section 2.1, Page 4355]. Whether the unique identification is in the certified IDm library or not, in order to judge whether the removable storage media is legitimate media. Generates the signature SIGas,m of the removable storage media. Reading signature file module reads the signature successfully. Verifies the received message [4.1 System architecture, Pages 4359-4360]. The access host reads the digital signature in removable storage media and gets user id and password presented by the user [2.2 Analysis of authentication scheme based on the schnorr protocol, Page 4356]”. Chen shows storing the device security data with the USB. The signature contains the device security data. The signature is in the reading signature file module.
Chen further teaches “tokenizing the validation file to generate a token that is stored on the removable storage device”. Chen discloses “AS stores ⟨𝐸𝑖, 𝑆𝑖⟩  (interpreted as validation token, Ei/Si is the validation file) into the USB storage device… user computes 𝐵𝑃𝑊𝑖 = 𝜂⊕ℎ(𝑃𝑖) and finally stores it in USB storage device [III. Proposed Protocol, section A, Page 3]”. Chen shows that the validation file becomes the validation token stored in the USB.
In response to 35 USC 103, filed 02/02/2022, regarding claims 5-7 and 17-19, applicant argues the combination of Amin-Chen-Bacastow fails to teach “validation token comprises access data”.
The examiner respectfully disagrees. Bacastow teaches “validation token comprises access data”. Bacastow discloses “additional secret information be transmitted from the portable USB storage device to a designated server via the internet or intranet. This secret information may be in the form of a digital certificate, token, or other secret information stored on (or created from) the portable USB storage device that uniquely identifies the portable USB storage device from any other otherwise similar or identical device [0013]. The software installed on the portable USB storage device is configured to allow access during specific times (date, time of day, day of the week, etc.) [0042]”. Bacastow shows that the token comprises access data. The secret information is the specific time that allows access.

In response to 35 USC 103, filed 02/02/2022, regarding claim 8, applicant argues the combination of Amin-Chen-Kohno fails to teach “audit id is an identifier of the information processing system performing the operations of claim 1 and 8”.
The examiner respectfully disagrees. Amin and Chen teach claim 1. Kohno further teaches claim 8. Kohno discloses “each protected file F is associated with a unique identifier called the audit ID and illustrated as ID.sub.F. [0049]. Strong audit guarantees for encrypted file systems even if an optional first layer of defense, such as encryption with a password or cryptographic token [0109]”. Kohno shows a system that has audit id as an identifier.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-10 and 16-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. 
Amended claims 1 and 16 recite “detecting a removable storage device has been received”.
The newly amended claims impose a function in the method performed on the information system to “detect” [whether] the storage device has been received. However, the specification is devoid of any description as to how the system “detects” receiving the storage device. The specification in paragraph [0034] merely recites, with respect to FIG. 3, “Starting at step 302, the authorization system 114 receives a removable storage device 130”. There is no further explanation found as to any detection performed by the system. Fig. 3, similarly in box 302, repeats the same “receives a removable storage device”. This limitation introduces new matter.
The amended claim also recites “determines if a validation token is stored on the removable storage device at the time the removable storage device was received”. The specification does indicate that the removable storage device detected being received and then upon such detection “time” determines if a validation token is stored on the removable storage device. However, there is no support of at what point in time a removable storage device was received.  Similarly, as indicated above, the specification merely in paragraph [0034] recites “the authorization system receives a removable storage device”. This limitation introduces new matter.
Claims 2-10 and 17-20 fall together as they do not cure the deficiencies of independent claims 1 and 16. 

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-10, 12-13 and 16-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.

Regarding claims 1 and 16, the claims recite “detecting a removable storage device has been received”. It is unclear whether the information processing system or an entity not claimed is receiving the removable storage device. The claim language lacks clarity as to how the removable storage device is being detected. The claim appears to recite “detecting [,by the information processing system, whether] a removable storage device has been received”. However, there is no support for detecting a removable storage device that was received, as shown above in 35 USC 112a. Thus, one of ordinary skill in the art would not be able to draw a clear boundary between what is and is not covered by the claim.
Claims 2-10 and 17-20 fall together as they do not cure the deficiencies of independent claims 1 and 16.

Claim 1 recites the limitation "at the time" in line 3.  There is insufficient antecedent basis for this limitation in the claim.
Claims 2-10 and 17-20 fall together as they do not cure the deficiencies of independent claims 1 and 16.

Claim 16 recites the limitation "at the time" in lines 7-8.  There is insufficient antecedent basis for this limitation in the claim.
Claims 2-10 and 17-20 fall together as they do not cure the deficiencies of independent claims 1 and 16.

Claim 12 recites the limitation "the storage device security data" in line 2. Claim 11 recites storing device security device security data. It is unclear whether there are two different device security data. There is insufficient antecedent basis for this limitation in the claim.

Claim 13 recites the limitation "the storage device security data" in lines 1-2. Claim 11 recites storing device security device security data. It is unclear whether there are two different device security data. There is insufficient antecedent basis for this limitation in the claim.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 11-13, and 15-16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Amin et al. (“Anonymity preserving secure hash function based authentication scheme for consumer USB mass storage device”, 2015, hereinafter Amin) in view of Chen et al. (“A secure access authentication scheme for removable storage media”, hereinafter Chen).

Re. claim 1, Amin discloses a method, on an information processing system, comprising: detecting a removable storage device has been received (Amin discloses inserting his/her USB storage device into the client machine [III. Proposed Protocol, section A, Page 3], inserting the USB is taught as detecting that the removable storage being received); 
determining if a validation token is stored on the removable storage device at the time the removable storage device was received (Amin discloses AS stores ⟨𝐸𝑖, 𝑆𝑖⟩ (interpreted as validation token) into the USB storage device… user computes 𝐵𝑃𝑊𝑖 = 𝜂⊕ℎ(𝑃𝑖) and finally stores it in USB storage device [III. Proposed Protocol, section A, Page 3]. inserting his/her USB storage device into the client machine and inputs ID’, P’, B’. Then the device computes S’. S’ matches with S [III. Proposed Protocol, section B, Page 3], the validation token is stored on the removable storage at the time USB was inserted. It is determined to have the validation token being stored since it was used);
responsive to determining that the validation token is stored on the removable storage device at the time the removable storage device was received (Amin discloses AS stores ⟨𝐸𝑖, 𝑆𝑖⟩ (interpreted as validation token) into the USB storage device… user computes 𝐵𝑃𝑊𝑖 = 𝜂⊕ℎ(𝑃𝑖) and finally stores it in USB storage device [III. Proposed Protocol, section A, Page 3]. inserting his/her USB storage device into the client machine and inputs ID’, P’, B’. Then the device computes S’. S’ matches with S [III. Proposed Protocol, section B, Page 3]), obtaining a first content hash and a first set of security data from the validation token, wherein the first content hash and the first set of security data are part of the validation token at the time the removable storage device was received (the device computes user identity PID’ = h(ID ║σ'). Masked password MPW’ = h(P’║ID’) [III. Proposed Protocol, section B, Page 3]. E=h(h(PID x) ║MPW), S=h(PID ║x) ⊕MPW; stores ⟨𝐸𝑖, 𝑆𝑖⟩ (interpreted as validation token) into the USB storage device [III. Proposed Protocol, section A, Page 3], obtaining hash and security data from the validation token. The validation token stored in the USB that was inserted);
obtaining a second content hash based on hashing content stored on the removable storage device at the time the removable storage device was received (the device computes user identity PID = h(ID ║σ) (Interpreted as second content hash). Masked password MPW [III. Proposed Protocol, section A, Page 2]. E=h(h(PID x) ║MPW), S=h(PID ║x) ⊕MPW; stores ⟨𝐸𝑖, 𝑆𝑖⟩ (interpreted as validation token) into the USB storage device [III. Proposed Protocol, section A, Page 3], hash value already stored in the validation token in the USB);
denying the removable storage device access to the information processing system based on at least one of the first and second content hashes failing to match (S’ matches with S. If it is not matched the user is not corrected, the session is then terminated. If it is matched the user is corrected, which it grants access by not terminating the session (as stated above where S contains hash content and sets of verification data) [III. Proposed Protocol, section B, Page 3]); and 
granting the removable storage device access to the information processing system based on the first and second content hashes matching (S’ matches with S. If it is not matched the user is not corrected, the session is then terminated. If it is matched the user is corrected, which it grants access by not terminating the session (as stated above where S contains hash content and sets of verification data) [III. Proposed Protocol, section B, Page 3]).  
Although Amin teaches a token with at least three variables, Chen does not explicitly teach but Chen teaches a first set of device security data from the validation token are part of the validation token at the time the removable storage device was received (Chen teaches read the IDm of the removable storage media [Section 2.1, Page 4355]. Getting the user ID and password in addition to the unique identification IDm (unique identification of removable storage media) [Section 3.2.2, Page 4359]); 
obtaining, from the removable storage device, a second set of device security data stored on the removable storage device at the time the removable storage device was received (the authentication server compares this identification with the stored IDm (taught as the second set of device security data, IDm is stored in the removable storage media that was inserted to the access host) [Section 2.1, Page 4355]. Whether the unique identification is in the certified IDm library or not, in order to judge whether the removable storage media is legitimate media [4.1 System architecture, Pages 4359-4360]); 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method disclosed by Amin to include a first set of device security data from the validation token are part of the validation token at the time the removable storage device was received; obtaining, from the removable storage device, a second set of device security data stored on the removable storage device at the time the removable storage device was received as described by Chen. One of ordinary skill in the art would have been motivated for the purpose of trusting the device in order to have access, improves security by verifying the legality of the device (Chen [Section 2.1, Page 4355-4356]).

Re. claim 11, Amin discloses a method, on a computing device, for authorizing a removable storage device for use on one or more information processing systems, the method comprising: identifying a set of files on a removable storage device (Amin discloses computes (𝜎𝑖, 𝜂) = 𝐺𝑒𝑛(𝐵𝑖) provides user identity 𝑃𝐼𝐷𝑖 = ℎ(𝐼𝐷𝑖 ∥ 𝜎𝑖), masked password 𝑀𝑃𝑊𝑖 =ℎ(𝑃𝑖 ∥ 𝐼𝐷𝑖) and the biometric template 𝐵𝑖 [Section III, Section A, Page 2]); 
hashing the set of files to create a set of hashing data (𝑋𝑖 = ℎ(𝑃𝐼𝐷’∥ 𝑎 ∥ 𝐹𝑛 ∥ 𝑊𝑖 ∥ 𝑀𝑃𝑊′) and sends 𝑀1 = ⟨𝑃𝐼𝐷’,𝑖,𝐾𝑖, 𝐹𝑛,𝑋𝑖, 𝑆𝑖⟩ to the AS through open channel, [Section III, Section b, Page 3]);
storing the set of hashing data within a validation file on the removable storage device (𝑌𝑖 = ℎ(”0” ∥ 𝑃𝐼𝐷𝑖 ∥ 𝑎∗ ∥ 𝐹𝑛 ∥ 𝑏 ∥ 𝑛 ∥ 𝑊∥ 𝑀𝑃𝑊 ), AS sends 𝑀2 = ⟨𝐿𝑖, 𝐶, 𝑌𝑖⟩ to the USB storage device [Section III, Section b, Page 3]); and 
tokenizing the validation file to generate a token that is stored on the removable storage device (AS stores ⟨𝐸𝑖, 𝑆𝑖⟩  (interpreted as validation token, Ei/Si is the validation file) into the USB storage device… user computes 𝐵𝑃𝑊𝑖 = 𝜂⊕ℎ(𝑃𝑖) and finally stores it in USB storage device [III. Proposed Protocol, section A, Page 3]).  
Although Amin teaches storing security data in USB in the validation file, Chen does not explicitly teach but Chen teaches storing device security data associated with the removable storage device in the validation file (the authentication server compares this identification with the stored IDm (taught as the second set of device security data, IDm is stored in the removable storage media that was inserted to the access host) [Section 2.1, Page 4355]. Whether the unique identification is in the certified IDm library or not, in order to judge whether the removable storage media is legitimate media. Generates the signature SIGas,m of the removable storage media. Reading signature file module reads the signature successfully. Verifies the received message [4.1 System architecture, Pages 4359-4360]. The access host reads the digital signature in removable storage media and gets user id and password presented by the user [2.2 Analysis of authentication scheme based on the schnorr protocol, Page 4356]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method disclosed by Amin to include storing device security data associated with the removable storage device in the validation file as described by Chen. One of ordinary skill in the art would have been motivated for the purpose of trusting the device in order to have access, improves security by verifying the legality of the device (Chen [Section 2.1, Page 4355-4356]).

Re. claim 12, Amin-Chen teach the method of claim 11, Chen further teaches further comprising: obtaining the device security data directly from the removable storage device (Chen teaches getting the user ID and password in addition to the unique identification IDm (unique identification of removable storage media) [Section 3.2.2, Page 4359]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method disclosed by Amin to include obtaining the device verification data directly from the removable storage device as described by Chen. One of ordinary skill in the art would have been motivated for the purpose of trusting the device in order to have access, improves security by verifying the legality of the device (Chen [Section 2.1, Page 4355-4356]).

Re. claim 13, Amin-Chen teach the method of claim 12, Chen further teaches wherein the device verification data comprises at least a unique identifier of the removable storage device (Chen teaches getting the user ID and password in addition to the unique identification IDm (unique identification of removable storage media) [Section 3.2.2, Page 4359]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method disclosed by Amin to include device verification data comprises at least a unique identifier of the removable storage device as described by Chen. One of ordinary skill in the art would have been motivated for the purpose of trusting the device in order to have access, improves security by verifying the legality of the device (Chen [Section 2.1, Page 4355-4356]).

 Re. claim 15, Amin-Chen teach the method of claim 11, Amin further teaches wherein identifying the set of files on the removable storage device comprises: determining that the removable storage device fails to comprise at set of files (Amin discloses S’ matches with S. if it is matched the user is corrected, which it grants access by not terminating the session (as stated above where S contains hash content and sets of device verification data) [III. Proposed Protocol, section B, Page 3]); and generating the set of files utilizing random data (random sequence generators in key agreement, authentication protocols and so on [Section II, Page 2]. the device computes user identity PID’ = h(ID ║σ'). Masked password MPW’ [III. Proposed Protocol, section B, Page 3]).  

Re. claim 16, Amin discloses an information processing system comprising: memory (Amin discloses memory [Section III part d. Page 3]); 
detects a removable storage device has been received (Amin discloses inserting his/her USB storage device into the client machine [III. Proposed Protocol, section A, Page 3], inserting the USB is taught as detecting that the removable storage being received); 
determines if a validation token is stored on the removable storage device at the time the removable storage device was received (Amin discloses AS stores ⟨𝐸𝑖, 𝑆𝑖⟩ (interpreted as validation token) into the USB storage device… user computes 𝐵𝑃𝑊𝑖 = 𝜂⊕ℎ(𝑃𝑖) and finally stores it in USB storage device [III. Proposed Protocol, section A, Page 3]. inserting his/her USB storage device into the client machine and inputs ID’, P’, B’. Then the device computes S’. S’ matches with S [III. Proposed Protocol, section B, Page 3], the validation token is stored on the removable storage at the time USB was inserted. It is determined to have the validation token being stored since it was used);
responsive to the validation token being stored on the removable storage device at the time the removable storage was received (Amin discloses AS stores ⟨𝐸𝑖, 𝑆𝑖⟩ (interpreted as validation token) into the USB storage device… user computes 𝐵𝑃𝑊𝑖 = 𝜂⊕ℎ(𝑃𝑖) and finally stores it in USB storage device [III. Proposed Protocol, section A, Page 3]. inserting his/her USB storage device into the client machine and inputs ID’, P’, B’. Then the device computes S’. S’ matches with S [III. Proposed Protocol, section B, Page 3]), obtains a first content hash and a first set of security data from the validation token, wherein the first content hash and the first set of security data are part of the validation token at the time the removable storage device was received (the device computes user identity PID’ = h(ID ║σ'). Masked password MPW’ = h(P’║ID’) [III. Proposed Protocol, section B, Page 3]. E=h(h(PID x) ║MPW), S=h(PID ║x) ⊕MPW; stores ⟨𝐸𝑖, 𝑆𝑖⟩ (interpreted as validation token) into the USB storage device [III. Proposed Protocol, section A, Page 3], obtaining hash and security data from the validation token. The validation token stored in the USB that was inserted);
Attorney Docket No. 480-PO 11237 NextEra Docket No. 092705
obtains a second content hash based on hashing content currently stored on the removable storage device at the time the removable storage device was received (the device computes user identity PID = h(ID ║σ) (Interpreted as second content hash). Masked password MPW [III. Proposed Protocol, section A, Page 2]. E=h(h(PID x) ║MPW), S=h(PID ║x) ⊕MPW; stores ⟨𝐸𝑖, 𝑆𝑖⟩ (interpreted as validation token) into the USB storage device [III. Proposed Protocol, section A, Page 3], hash value already stored in the validation token in the USB);
denies the removable storage device access to the information processing system based on at least one of the first and second content hashes failing to match (S’ matches with S. If it is not matched the user is not corrected, the session is then terminated. If it is matched the user is corrected, which it grants access by not terminating the session (as stated above where S contains hash content and sets of verification data) [III. Proposed Protocol, section B, Page 3]); 
and grants the removable storage device access to the information processing system based on the first and second content hashes matching (S’ matches with S. If it is not matched the user is not corrected, the session is then terminated. If it is matched the user is corrected, which it grants access by not terminating the session (as stated above where S contains hash content and sets of verification data) [III. Proposed Protocol, section B, Page 3]).  
Although Amin teaches a token with at least two variables, Amin does not explicitly teach but Chen teaches at least one processor (Chen CPU [Section 4.2, Page 4360]); 
and a security manager operatively coupled to the memory and the at least one processor (Chen teaches the signature module [Section 4.1, Page 4360]), wherein the security manager: a first set of device security data from the validation token are part of the validation token at the time the removable storage device was received (Chen teaches read the IDm of the removable storage media [Section 2.1, Page 4355]. Getting the user ID and password in addition to the unique identification IDm (unique identification of removable storage media) [Section 3.2.2, Page 4359]); 
obtains, from the removable storage device, a second set of device security data stored on the removable storage device at the time the removable storage device was received (the authentication server compares this identification with the stored IDm (taught as the second set of device security data, IDm is stored in the removable storage media that was inserted to the access host) [Section 2.1, Page 4355]. Whether the unique identification is in the certified IDm library or not, in order to judge whether the removable storage media is legitimate media [4.1 System architecture, Pages 4359-4360]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by Amin to include at least one processor; and a security manager operatively coupled to the memory and the at least one processor, wherein the security manager: a first set of device security data from the validation token are part of the validation token at the time the removable storage device was received; obtains, from the removable storage device, a second set of device security data stored on the removable storage device at the time the removable storage device was received as described by Chen. One of ordinary skill in the art would have been motivated for the purpose of trusting the device in order to have access, improving security by verifying the legality of the device (Chen [Section 2.1, Page 4355-4356]).

Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Amin et al. (“Anonymity preserving secure hash function based authentication scheme for consumer USB mass storage device”, hereinafter Amin) in view of Chen et al. (“A secure access authentication scheme for removable storage media”, hereinafter Chen) and in further view of Kakutani (US 20160065369).

Re. claim 2, Amin-Chen teach the method of claim 1. Although Amin-Chen discloses denying or granting access when the validation token is stored, Amin-Chen do not explicitly teach but Kakutani teaches further comprising: denying the removable storage device access to the information processing system based on determining that the validation token is not stored on the removable storage device (Kakutani teaches determines that the TPM encryption key (interpreted as validation token) backup data is not stored in the USB memory [0149] (being denied access by going back to step S1114) Fig. 11).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method disclosed by the combination of Amin-Chen to include denying the removable storage device access to the information processing system based on determining that the validation token is not stored on the removable storage device as described by Kakutani. One of ordinary skill in the art would have been motivated for the purpose of preventing the key from being executed, disabling the user authentication and use of the key (Kakutani [0009, 0151]).

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Amin et al. (“Anonymity preserving secure hash function based authentication scheme for consumer USB mass storage device”, hereinafter Amin) in view of Chen et al. (“A secure access authentication scheme for removable storage media”, hereinafter Chen) and in further view of Yeara (US 20150116084).

Re. claim 3, Amin-Chen teach the method of claim 1, Amin does not explicitly teach but Chen teaches wherein a first set of device verification data comprises decrypting the validation token (Chen teaches decrypts the IDM of the storage. AS: Dkey(Ekey(IDM)) [Section 2.1, Page 4355]).
Although Chen discloses decrypting the token to get the first set of device verification data, Amin-Chen do not explicitly teach but Yeara teaches obtaining the first content hash comprises decrypting the validation token (Yeara teaches the Token must be able to decrypt using your public key. Only can get back this value (hash) if RSA is applied using the related public key, which must be in the USB Token currently connected [0040] (obtaining the hash value by decrypting the token using the public key)).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method disclosed by the combination of Amin-Chen to include obtaining the first content hash comprises decrypting the validation token as described by Yeara. One of ordinary skill in the art would have been motivated for the purpose of allowing the token to be initialized successfully (Yeara [0040]).

Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Amin et al. (“Anonymity preserving secure hash function based authentication scheme for consumer USB mass storage device”, hereinafter Amin), Chen et al. (“A secure access authentication scheme for removable storage media”, hereinafter Chen), Yeara (US 20150116084), and in further view of Chou et al. (US 20110197061, hereinafter Chou).

Re. claim 4, Amin-Chen-Yeara teach the method of claim 3, Yeara discloses validation token (USB Token) is decrypted by the public key, Amin-Chen-Yeara do not explicitly teach but Chou teaches wherein the validation token is decrypted using a private encryption key of the information processing system (Chou teaches if a user authenticates with the PKI Management system using a USB token which protects a private/public key pair the data can be retrieved by decrypting the sensitive data with the private key secured on the user's token [0077]).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method disclosed by the combination of Amin-Chen-Yeara to include the validation token is decrypted using a private encryption key of the information processing system as described by Chou. One of ordinary skill in the art would have been motivated for the purpose of ensuring that the sensitive data that is generated by a request is linked to and only accessible by the requesting user (Chou [0077]).

Claims 5-7 and 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Amin et al. (“Anonymity preserving secure hash function based authentication scheme for consumer USB mass storage device”, hereinafter Amin), Chen et al. (“A secure access authentication scheme for removable storage media”, hereinafter Chen) and in further view of Bacastow et al. (US 20080005426, hereinafter Bacastow).

Re. claim 5, Amin-Chen teach the method of claim 1, Amin-Chen do not explicitly teach but Bacastow teaches wherein granting the removable storage device access to the information processing system further comprises: determining that the validation token comprises access data (Bacastow teaches additional secret information be transmitted from the portable USB storage device to a designated server via the internet or intranet. This secret information may be in the form of a digital certificate, token, or other secret information stored on (or created from) the portable USB storage device that uniquely identifies the portable USB storage device from any other otherwise similar or identical device [0013]. The software installed on the portable USB storage device is configured to allow access during specific times (date, time of day, day of the week, etc.) [0042]); 
determining, from the access data, a time value indicating when an authorization of the removable storage device for accessing the information processing system expires (if the date and time is validated the software on the portable USB storage device functions normally. If the date and time is not validated, the software on the portable USB storage device will not fully function and the information stored on the portable USB storage device cannot be accessed [0042]); 
and determining that the authorization of the removable storage device has not expired (If the date and time is validated the software on the portable USB storage device functions normally [0042]).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method disclosed by the combination of Amin-Chen to include determining that the validation token comprises access data; determining, from the access data, a time value indicating when an authorization of the removable storage device for accessing the information processing system expires; and determining that the authorization of the removable storage device has not expired as described by Bacastow. One of ordinary skill in the art would have been motivated for the purpose of protecting personal and corporate information from theft or accidental disclosure, and to fully protect information stored on USB (Bacastow [0004]).

Re. claim 6, Amin-Chen-Bacastow teach the method of claim 5, Bacastow further teaches wherein determining that the authorization of the removable storage device has not expired comprises: comparing the time value to a system clock of the information processing system (Bacastow teaches The USB flash storage device locally validates the date and time information obtained from the PC. If the date and time is validated the software on the portable USB storage device functions normally [42]).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method disclosed by the combination of Amin-Chen to include comparing the time value to a system clock of the information processing system as described by Bacastow. One of ordinary skill in the art would have been motivated for the purpose of protecting personal and corporate information from theft or accidental disclosure, and to fully protect information stored on USB (Bacastow [4]).

Re. claim 7, Amin-Chen-Bacastow teach the method of claim 1, Bacastow further teaches wherein denying the removable storage device access to the information processing system further comprises: determining that the validation token comprises access data (Bacastow teaches additional secret information be transmitted from the portable USB storage device to a designated server via the internet or intranet. This secret information may be in the form of a digital certificate, token, or other secret information stored on (or created from) the portable USB storage device that uniquely identifies the portable USB storage device from any other otherwise similar or identical device [13]. The software installed on the portable USB storage device is configured to allow access during specific times (date, time of day, day of the week, etc.) [0042]); 
determining, from the access data, a time value indicating when an authorization of the removable storage device for accessing the information processing system expires (Bacastow teaches the software installed on the portable USB storage device is configured to allow access based on a specific frequency. (one time, specific number of uses, uses within timeframe `velocity`) The USB flash storage device locally validates the frequency of use against the established limits for the device [0043]); 
and determining that the authorization of the removable storage device has expired (If the frequency of use is not validated, the software on the portable USB storage device will not fully function and the information stored on the portable USB storage device cannot be accessed [0043]).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method disclosed by the combination of Amin-Chen to include determining that the validation token comprises access data; determining, from the access data, a time value indicating when an authorization of the removable storage device for accessing the information processing system expires; and determining that the authorization of the removable storage device has expired as described by Bacastow. One of ordinary skill in the art would have been motivated for the purpose of protecting personal and corporate information from theft or accidental disclosure, and to fully protect information stored on USB (Bacastow [4]).

Re. claim 17, rejection of claim 16 is included and claim 17 is rejected with the same rationale as applied in claim 5.

Re. claim 18, rejection of claim 16 is included and claim 18 is rejected with the same rationale as applied in claim 6.

Re. claim 19, rejection of claim 16 is included and claim 19 is rejected with the same rationale as applied in claim 7. 
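
The host-side decision flow recited in claims 1, 2 and 5-7 (token presence, content hash comparison, device security data comparison, expiry against the system clock) can be illustrated as follows. This is an added example, not code from the application or from any cited reference; the token file name, the JSON layout and the HMAC that authenticates the token (a stand-in for the encryption recited in claims 3 and 4) are assumptions.

```python
import hashlib
import hmac
import json

TOKEN_NAME = ".validation_token"  # hypothetical token file name (assumption)


def content_hash(files):
    """SHA-256 over every file on the device except the token itself."""
    digest = hashlib.sha256()
    for path in sorted(files):
        if path == TOKEN_NAME:
            continue
        name = path.encode()
        # Length prefixes keep ("ab", "c") distinct from ("a", "bc").
        digest.update(len(name).to_bytes(4, "big") + name)
        digest.update(len(files[path]).to_bytes(8, "big") + files[path])
    return digest.hexdigest()


def issue_token(files, device_id, expires_at, key):
    """Authorizing side: bind content hash, device id and expiry together."""
    body = json.dumps(
        {"content_hash": content_hash(files),
         "device_id": device_id,
         "expires_at": expires_at},
        sort_keys=True,
    )
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag}).encode()


def check_device(files, device_id, key, now):
    """Receiving side: return (granted, reason) for an inserted device."""
    raw = files.get(TOKEN_NAME)
    if raw is None:                      # claim 2: no token, deny
        return False, "no validation token"
    try:
        envelope = json.loads(raw)
        body = envelope["body"].encode()
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope["tag"]):
            return False, "token not authentic"
        fields = json.loads(body)
        first_hash = fields["content_hash"]
        first_device_id = fields["device_id"]
        expires_at = fields["expires_at"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return False, "malformed token"
    # Second content hash: computed from what is on the device right now.
    if not hmac.compare_digest(first_hash, content_hash(files)):
        return False, "content hash mismatch"
    # Second set of device security data: read from the device itself.
    if first_device_id != device_id:
        return False, "device security data mismatch"
    # Claims 5-7: compare the token's time value to the system clock.
    if now >= expires_at:
        return False, "authorization expired"
    return True, "granted"


def demo():
    """Run the checks over constructed sample data (not real device content)."""
    key = b"constructed-demo-key"
    files = {"report.pdf": b"%PDF-sample", "notes.txt": b"hello"}
    device = dict(files)
    device[TOKEN_NAME] = issue_token(files, "SN-0001", 2000, key)
    tampered = dict(device, **{"notes.txt": b"changed after authorization"})
    forged = dict(files)
    forged[TOKEN_NAME] = issue_token(files, "SN-0001", 2000, b"other-key")
    return {
        "valid": check_device(device, "SN-0001", key, now=1000),
        "missing": check_device(files, "SN-0001", key, now=1000),
        "tampered": check_device(tampered, "SN-0001", key, now=1000),
        "wrong_device": check_device(device, "SN-9999", key, now=1000),
        "expired": check_device(device, "SN-0001", key, now=2000),
        "forged": check_device(forged, "SN-0001", key, now=1000),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```
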

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Amin et al. (“Anonymity preserving secure hash function based authentication scheme for consumer USB mass storage device”, hereinafter Amin), Chen et al. (“A secure access authentication scheme for removable storage media”, hereinafter Chen), and in further view of Kohno et al. (US 20130198522, Kohno).

Re. claim 8, Amin-Chen teach the method of claim 1, Amin-Chen do not explicitly teach but Kohno teaches further comprising: generating, based on detecting the removable storage device, an audit token comprising at least an identifier of the information processing system (Kohno teaches each protected file F is associated with a unique identifier called the audit ID and illustrated as ID.sub.F. [0049]. Strong audit guarantees for encrypted file systems even if an optional first layer of defense, such as encryption with a password or cryptographic token [0109]); 
and storing the audit token on the removable storage device (Other computing devices having memory configured to store data may also be protected by the auditing file system, such as a USB flash memory device, a removable disk such as a floppy disk or optical disk, a SIM card, a compact flash card, and/or the like [046]).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method disclosed by the combination of Amin-Chen to include generating, based on detecting the removable storage device, an audit token comprising at least an identifier of the information processing system; and storing the audit token on the removable storage device as described by Kohno. One of ordinary skill in the art would have been motivated for the purpose of preventing a malicious user from reading/writing data within protected files (Kohno [27]).


Claims 9 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Amin et al. (“Anonymity preserving secure hash function based authentication scheme for consumer USB mass storage device”, hereinafter Amin), Chen et al. (“A secure access authentication scheme for removable storage media”, hereinafter Chen), Kohno et al. (US 20130198522, Kohno), and in further view of Chan et al. (US 20200186359, hereinafter Chan).

Re. claim 9, Amin-Chen-Kohno teach the method of claim 8, Although Kohno discloses audit token, Amin-Chen-Kohno do not explicitly teach but Chan teaches wherein the audit token further comprises: a token identifier of a most recent token stored on the removable storage device (Chan teaches the client 1302 generates a module request (the illustrated "get_module_req") to obtain the most recent version of the module 1310… the USB crypto token 1304 and includes an identifier of the token (token ID) [125] Figs 14A-14C); 
and a hash pointer comprising a hash of data within the most recent token (the hash includes a pointer to the configuration [141]. _data--The hash of the modified software image, or to-be-signed data [145]).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method disclosed by the combination of Amin-Chen to include a token identifier of a most recent token stored on the removable storage device; and a hash pointer comprising a hash of data within the most recent token as described by Chan. One of ordinary skill in the art would have been motivated for the purpose of storing data for later use, permitting future requests (Chan [136]).

Re. claim 20, Amin-Chen teach the information processing system of claim 16, Amin-Chen do not explicitly teach but Kohno teaches wherein the security manager further: generates, based on the removable storage device being detected, an audit token (Kohno teaches each protected file F is associated with a unique identifier called the audit ID and illustrated as ID.sub.F. [49]. Strong audit guarantees for encrypted file systems even if an optional first layer of defense, such as encryption with a password or cryptographic token [109]); 
and stores the audit token on the removable storage device  (Other computing devices having memory configured to store data may also be protected by the auditing file system, such as a USB flash memory device, a removable disk such as a floppy disk or optical disk, a SIM card, a compact flash card, and/or the like [46]).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by the combination of Amin-Chen to include generates, based on the removable storage device being detected, an audit token; and stores the audit token on the removable storage device as described by Kohno. One of ordinary skill in the art would have been motivated for the purpose of preventing a malicious user from reading/writing data within protected files (Kohno [27]).
Although Kohno discloses audit token, Amin-Chen-Kohno do not explicitly teach but Chan teaches comprising at least: an identifier of the information processing system, a token identifier of a most recent token stored on the removable storage device (Chan teaches the client 1302 generates a module request (the illustrated "get_module_req") to obtain the most recent version of the module 1310… the USB crypto token 1304 and includes an identifier of the token (token ID) [125] Figs 14A-14C), 
and a hash pointer comprising a hash of data within the most recent token (the hash includes a pointer to the configuration [141]. _data--The hash of the modified software image, or to-be-signed data [145]).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by the combination of Amin-Chen to include a token identifier of a most recent token stored on the removable storage device; and a hash pointer comprising a hash of data within the most recent token as described by Chan. One of ordinary skill in the art would have been motivated for the purpose of storing data for later use, permitting future requests (Chan [136]).

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Amin et al. (“Anonymity preserving secure hash function based authentication scheme for consumer USB mass storage device”, hereinafter Amin), Chen et al. (“A secure access authentication scheme for removable storage media”, hereinafter Chen), Kohno et al. (US 20130198522, Kohno), Chan et al. (US 2020086359, hereinafter Chan), and in further view of Shi (US 20200412521).

Re. claim 10, Amin-Chen-Kohno-Chan teach the method of claim 9, Kohno discloses storing audit token, Amin-Chen-Kohno-Chan do not explicitly teach but Shi teaches wherein storing the audit token comprises: storing the audit token in a blockchain configuration with at least the validation token on the removable storage device (Shi teaches distributed ledger technology operations can include adding data to a blockchain, reading data from a blockchain, transferring (manually or autonomously) cryptocurrency (e.g., tokens) from one wallet to another wallet (e.g., sending, storing, receiving cryptocurrency tokens, or adding transactions to a blockchain), accessing or running DApps, mining (e.g., performing proof of work and/or proof of stake operations to validate transactions), performing light node operations, storing private keys, and/or any other distributed consensus operations on distributed ledger [17]. A transaction moving tokens out of a blockchain wallet can be signed with the private key associated with that wallet. Private keys can also be stored in hardware wallets (e.g., on a USB device) [3]).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by the combination of Amin-Chen to include storing the audit token in a blockchain configuration with at least the validation token on the removable storage device as described by Shi. One of ordinary skill in the art would have been motivated for the purpose of securing the token (Shi [3]).

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Amin et al. (“Anonymity preserving secure hash function based authentication scheme for consumer USB mass storage device”, hereinafter Amin), Chen et al. (“A secure access authentication scheme for removable storage media”, hereinafter Chen), and in further view of Yurusov (US 20190243978).

Re. claim 14, Amin-Chen teach the method of claim 11, Amin-Chen do not explicitly teach but Yurusov teaches wherein tokenizing the validation file comprises: encrypting the validation file using a public key associated with at least one computing system for which the removable storage device is being authorized to access (Yurusov teaches a removable storage device is connected to system. System determines whether the public key stored on the removable storage device is valid using the private key stored in either the memory of system or in a key store or token store that is isolated from the system. The processor 4 may encrypt and/or decrypt one or more files using the public and/or private keys to validate the public key. [32]). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by the combination of Amin-Chen to include encrypting the validation file using a public key associated with at least one computing system for which the removable storage device is being authorized to access as described by Yeara. One of ordinary skill in the art would have been motivated for the purpose of enabling a second mode of operation, to eliminate the need to distribute multiple versions of the system (Yeara [3, 33]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Ali et al. ("Seamless fusion of secure software and trusted USB token for protecting enterprise and Government data") discloses validating secure token hardware.
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KEVIN A AYALA whose telephone number is (571)270-3912. The examiner can normally be reached Monday-Thursday 8AM-5PM; Friday:Variable EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge Ortiz-Criado can be reached on 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/K.A./Examiner, Art Unit 2496
/JORGE L ORTIZ CRIADO/Supervisory Patent Examiner, Art Unit 2496