DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 01/28/2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1 is/are rejected under 35 U.S.C. 103 as being unpatentable over MUTHUKUMARAN et al., US-20210124818-A1 (hereinafter “MUTHUKUMARAN ‘818”) in view of Goel et al., US-20170126414-A1 (hereinafter “Goel ‘414”).
Per claim 1 (independent):
MUTHUKUMARAN ‘818 discloses: An integrated circuit, comprising: a secure hardware environment configured to record a unique hardware key and comprising: 
a first logic circuit configured to generate a unique derived key from said unique hardware key and at least one piece of information, wherein said at least one piece of information relates to one or more of an execution context and a use of a secret key
(FIG. 1, [0033], throttling user access to secure devices or secure data based on throttling policies (an execution context) linked to or associated with user access keys (a use of a secret key) … device components 102 (such as the hardware components within a System-on-a-Chip (SoC; an integrated circuit); FIG. 3, [0043], the hardware key manager 106 of FIG. 1 for enrolling user credentials and generating certain keys … obtains a HUK 301 (a unique hardware key) … An input device inputs initial user credentials 302, such as a newly-chosen password, which are associated with a particular security context (where the security context may define, e.g., privileges and access control settings with the security environment of the device; the execution context) … then generates or derives a wrapping key 308 (a unique derived key) from the user credentials 302 (the execution context) and the HUK 301 (the unique hardware key)  … a key generation component 310 controlled by the key manager generates a user root key 312 (a secret key).)
a first encryption device configured to perform a symmetric encryption operation of said secret key using said unique derived key (FIG. 3, [0043], The key manager applies the user root key 312 (the secret key) and the wrapping key 308 (the unique derived key) to a key wrapping component or function 314 (via a symmetric encryption operation) … generates and outputs a wrapped (encrypted) user key 318, which is then stored at 320 for eventual use with a newly-entered user credential; [0045], Any suitable key wrapping procedure … based on Advanced Encryption Standard (AES) algorithm … key wrapping constructions are a class of symmetric encryption algorithm.).
MUTHUKUMARAN ‘818 does not disclose but Goel ‘414 discloses: to deliver an encrypted secret key outside the secure hardware environment which results from performance of the symmetric encryption operation (FIG. 5, [0031], the authentication phase for IC chip validation … IC chip 502 (the secure hardware environment) includes PUF 516, AES-128 module 514 (the symmetric encryption operation), …  and public chip ID 518 … verifier 506, IC chip 502 sends encrypted key E(KM, KA (encrypted secret key)) and PublicChipID 518 to verifier 506 (outside of the secure hardware environment) in message 522.)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified MUTHUKUMARAN ‘818 with the transmission of encrypted unique key KA along with a PublicChipID from an IC chip to a verifier as taught by Goel ‘414 because it would authenticate an IC chip in a more secure way by sending the encrypted unique key of a chip to a verifier. Additionally, Goel ‘414 is analogous to the claimed invention because it teaches a device for providing for authentication of an IC chip that uses a PUF without requiring the verifier to have access to a key database (See [0004]).

Claim(s) 2-3 is/are rejected under 35 U.S.C. 103 as being unpatentable over MUTHUKUMARAN ‘818 in view of Goel ‘414 and Circello et al., US-20160173282-A1 (hereinafter “Circello ‘282”). 
Per claim 2 (dependent on claim 1):
MUTHUKUMARAN ‘818 in view of Goel ‘414 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference.
MUTHUKUMARAN ‘818 in view of Goel ‘414 does not disclose but Circello ‘282 discloses: The integrated circuit according to claim 1, wherein the secure hardware environment further comprises a second encryption device configured to perform a further symmetric encryption operation of binary data using the secret key (FIG. 2A, [0017], an electronic device 220 that includes a processing system integrated circuit 102 and an external memory 130 … multiple unencrypted software images 202A-D (binary data) are used to form a complete or full encrypted software image 132; [0018], A first software image 202A (the binary data) is encrypted by encryption engine 204A (a second encryption device; AES (See FIG. 2A), i.e., a symmetric encryption operation) using a first secret key 206A (the secret key) to form a first encrypted software image 208A; [0019], a first key blob 211A includes the first secret key 206A and is encrypted by key wrap engine 214A (another encryption device) using a first key-encryption key (KEK) 212A.);
to deliver encrypted binary data outside the secure hardware environment which results from performance of the further symmetric encryption operation ([0018], A first software image 202A is encrypted by encryption engine 204A (the second encryption device) using a first secret key 206A to form a first encrypted software image 208A (encrypted binary data) … The resulting full encrypted software image 132 is stored in the external memory 130 (outside the secure hardware environment) within the electronic device 220.).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified MUTHUKUMARAN ‘818 in view of Goel ‘414 with the encryption of software images and secret keys used for scrambling the software images via two different encryption engines as taught by Circello ‘282 because it would help to protect software images by scrambling the software images and secret keys via two different encryption schemes. Additionally, Circello ‘282 is analogous to the claimed invention because it teaches methods and systems disclosing key management for on-the-fly hardware decryption within an integrated circuit (See [0012]).

Per claim 3 (dependent on claim 2):
MUTHUKUMARAN ‘818 in view of Goel ‘414 and Circello ‘282 discloses the elements detailed in the rejection of claim 2 above, incorporated herein by reference.
MUTHUKUMARAN ‘818 discloses: The integrated circuit according to claim 2, wherein the secure hardware environment further comprises a first decryption device configured to perform a decryption operation of an encrypted secret key using said unique derived key and to deliver a secret key resulting from performance of the operation decryption (FIG. 6, [0053], credential verification based on successful unwrapping (decrypting) of a previously-wrapped user root key (an encrypted secret key) that may be performed by the hardware key manager 106 of FIG. 1. The hardware unique key 602 is again obtained by the key manager 106 and user credentials for 604 are input by the user … The same key derivation function or component 606 of the key manager 106 used during the enrollment then processes the user credential 604 and the hardware unique key 602 to generate a (candidate) wrapping key 608 (the unique derived key); [0054], A key unwrap function or component 614 of the key manager 106 then attempts to unwrap (decrypting) the wrapped user key 612 (the encrypted secret key) using the wrapping key 608.).

Claim(s) 4 is/are rejected under 35 U.S.C. 103 as being unpatentable over MUTHUKUMARAN ‘818 in view of Goel ‘414 and Circello ‘282 as applied to claim 3 above, and further in view of Yang et al., US-9735962-B1 (hereinafter “Yang ‘962”).
Per claim 4 (dependent on claim 3):
MUTHUKUMARAN ‘818 in view of Goel ‘414 and Circello ‘282 discloses the elements detailed in the rejection of claim 3 above, incorporated herein by reference.
MUTHUKUMARAN ‘818 in view of Goel ‘414 does not disclose but Circello ‘282 discloses: The integrated circuit according to claim 3, wherein the second encryption device is also configured to perform an encryption operation of non-encrypted binary data using the secret key and to deliver encrypted binary data resulting from performance of the encryption operation (FIG. 2A, [0017], an electronic device 220 that includes a processing system integrated circuit 102 and an external memory 130 … multiple unencrypted software images 202A-D (binary data) are used to form a complete or full encrypted software image 132; [0018], A first software image 202A (the binary data) is encrypted by encryption engine 204A (the second encryption device) using a first secret key 206A (the secret key) to form a first encrypted software image 208A … The resulting full encrypted software image 132 is stored (delivered) in the external memory 130 within the electronic device 220; [0019], a first key blob 211A includes the first secret key 206A and is encrypted by key wrap engine 214A (another encryption device) using a first key-encryption key (KEK) 212A.).
Circello ‘282 does not teach that the first secret key (i.e. the secret key) used for encrypting data is delivered by a decryption unit. Yang ‘962 discloses: perform an encryption operation of non-encrypted binary data using the secret key delivered by the first decryption device ([Col. 1], ll. 39 – [Col. 2], ll. 15, for securing encryption keys in a data storage system based on three layer key wrapping … The encryption accelerator encrypts host data stored in a memory of the storage processor … ii) decrypting the encrypted key encryption key … to obtain a plaintext key encryption key (to be delivered by the first decryption device), iii) decrypting the encrypted data encryption key, using the plaintext key encryption key, to obtain a plaintext data encryption key (the secret key), iv) encrypting the set of host data (non-encrypted binary data) … v) deleting … plaintext key encryption key, and plaintext data encryption key).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified MUTHUKUMARAN ‘818 in view of Goel ‘414 and Circello ‘282 with the three layer wrapping of keys used for encrypting a set of host data in a storage processor where the encrypted data encryption key (the secret key) is to be decrypted before it is used as taught by Yang ‘962 because it would reduce system vulnerability by limiting exposure of the unencrypted data encryption key. Additionally, Yang ‘962 is analogous to the claimed invention because it teaches securing encryption keys in a data storage system using three layer key wrapping (See Abstract).

Claim(s) 5 is/are rejected under 35 U.S.C. 103 as being unpatentable over MUTHUKUMARAN ‘818 in view of Goel ‘414 and Circello ‘282 and Yang ‘962 as applied to claim 4 above, and further in view of Volkanov et al., US-10474831-B1 (hereinafter “Volkanov ‘831”).
Per claim 5 (dependent on claim 4):
MUTHUKUMARAN ‘818 in view of Goel ‘414 and Circello ‘282 and Yang ‘962 discloses the elements detailed in the rejection of claim 4 above, incorporated herein by reference.
MUTHUKUMARAN ‘818 in view of Goel ‘414 and Yang ‘962 does not disclose but Circello ‘282 discloses: The integrated circuit according to claim 4, wherein the secure hardware environment further comprises a key register configured to record the secret key and to enable transmission of the recorded secret key to the second encryption device in order to encrypt non-encrypted binary data (FIG. 2A, [0017], an electronic device 220 that includes a processing system integrated circuit 102 and an external memory 130 … multiple unencrypted software images 202A-D (binary data) are used to form a complete or full encrypted software image 132; [0018], A first software image 202A (the binary data) is encrypted by encryption engine 204A (the second encryption device) using a first secret key 206A (the secret key) to form a first encrypted software image 208A; [0019], The encrypted key blob(s) 134 are formed by encrypting multiple different key blobs 211A, 211B, 211C, and 211D (a key register) with each key blob 211A-D including one of the secret keys 206A-D.).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified MUTHUKUMARAN ‘818 in view of Goel ‘414 and Yang ‘962 with the transmission of the secret keys obtained from the key blobs to each encryption engine as taught by Circello ‘282 because it would separately protect those software images from discovery by applying a unique secret key for encryption of each individual software image [0020].
Circello ‘282 does not explicitly suggest whether the secret keys 206A-D (the secret key) are provided by a decryption device. Volkanov ‘831 discloses: a key register configured to record the secret key generated by the first decryption device and to enable transmission of the recorded secret key for an encryption to non-encrypted data (FIG. 9, [Col. 15], ll. 51- [Col. 16], ll. 8, the cryptoprocessor (the first decryption device) may then decrypt 916 the encrypted key manifest to produce a decrypted key manifest (a key register); FIG. 10, [Col. 16], ll.22-57, data 1002 (non-encrypted data) is received at a storage service system 1004 … The computation server 1006 encrypts the data 1002 as it is received (also referred to herein as encrypting "on the fly") using a file system abstraction layer 1012 … performs encryption on the file using the decrypted keys 1010 (the recorded secret key) obtained from the decrypted key manifest, which is obtained from the cryptoprocessor 1008.).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified MUTHUKUMARAN ‘818 in view of Goel ‘414 and Circello ‘282 and Yang ‘962 with the encryption of data on the fly via a cryptoprocessor providing the decrypted key manifest as taught by Volkanov ‘831 because it would mitigate the effects of tampering by protecting the secret keys in the encrypted manifest [Col. 4], ll. 4-33. Additionally, Volkanov ‘831 is analogous to the claimed invention because it teaches that the cryptoprocessor may then verify the encrypted key manifest by, for example, verifying a signature or hash of the encrypted key manifest that is generated at provisioning time and stored in the cryptoprocessor (See [Col. 15], ll. 51-67).

Claim(s) 12-15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Circello ‘282 in view of MUTHUKUMARAN ‘818. 
Per claim 12 (independent):
Circello ‘282 discloses: A method, comprising: encrypting a secret key in a secure hardware environment by: 
symmetric encrypting of the secret key using a KEK 
(FIG. 2A, [0017], an electronic device 220 that includes a processing system integrated circuit 102 and an external memory 130 … multiple unencrypted software images 202A-D are used to form a complete or full encrypted software image 132 … multiple key blobs 211A-D (a secret key) are also encrypted; [0019], a first key blob 211A includes the first secret key 206A (the secret key) and is encrypted by key wrap engine 214A (AES (See FIG. 2A), i.e. a symmetric encryption operation) using a first key-encryption key (KEK) 212A.).
Circello ‘282 does not teach how to generate the unique derived key used for the encryption of the secret key but instead, the KEK is used to encrypt the secret key. MUTHUKUMARAN ‘818 discloses: generating a unique derived key from a unique hardware key recorded in said secure hardware environment and at least one piece of information, wherein said at least one piece of information relates to one or more of an execution context and a use of the secret key; encrypting of the secret key (FIG. 1, [0033], throttling user access to secure devices or secure data based on throttling policies (execution context) linked to or associated with user access keys (a use of the secret key) … device components 102 (such as the hardware components within a System-on-a-Chip (SoC); FIG. 3, [0043], the hardware key manager 106 of FIG. 1 for enrolling user credentials and generating certain keys … obtains a HUK 301 (a unique hardware key) … An input device inputs initial user credentials 302, such as a newly-chosen password, which are associated with a particular security context (where the security context may define, e.g., privileges and access control settings with the security environment of the device; an execution context) … then generates or derives a wrapping key 308 (a unique derived key) from the user credentials 302 (the execution context) and the HUK 301 (the unique hardware key)  … a key generation component 310 controlled by the key manager generates a user root key 312 (a secret key) … The key wrapping component 314 generates and outputs a wrapped user key 318 (encrypting of the secret key).).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Circello ‘282 with the derivation of a wrapping key based on a unique hardware key and user credentials associated with a security context as taught by MUTHUKUMARAN ‘818 because it would prevent brute force attacks on user credentials more efficiently by using a hardware-based mechanism and a security context [0031][0043]. Additionally, MUTHUKUMARAN ‘818 is analogous to the claimed invention because it teaches throttling user access to secure devices or secure data based on throttling policies linked to or associated with user access keys (See [0033]).

Per claim 13 (dependent on 12):
Circello ‘282 in view of MUTHUKUMARAN ‘818 discloses the elements detailed in the rejection of claim 12 above, incorporated herein by reference.
Circello ‘282 discloses: The method of claim 12, further comprising:  
encrypting binary data in said secure hardware environment by: symmetric encrypting of the binary data using the secret key so as to obtain encrypted binary data 
(FIG. 2A, [0017], an electronic device 220 that includes a processing system integrated circuit 102 and an external memory 130 … multiple unencrypted software images 202A-D (binary data) are used to form a complete or full encrypted software image 132; [0018], A first software image 202A is encrypted by encryption engine 204A (AES (See FIG. 2A), i.e. a symmetric encryption operation) using a first secret key 206A (the secret key) to form a first encrypted software image 208A (encrypted binary data).).

Per claim 14 (independent):
Circello ‘282 discloses: A method, comprising: decrypting an encrypted secret key in a secure hardware environment by:  
decrypting the encrypted secret key using the KEK 
(FIG. 2B, [0021], The key blob unwrap engine 114 receives the encrypted key blob(s) 134 (an encrypted secret key) and decrypts them using the KEKs 212 to obtain the secret key(s) 206 …The software decryption engine 116 decrypts the encrypted code 256 using the secret key(s) 206.).
Circello ‘282 does not teach how to generate the unique derived key used for decryption but instead, the KEK is used to decrypt the secret key. MUTHUKUMARAN ‘818 discloses: generating a unique derived key from a unique hardware key recorded in said secure hardware environment and at least one piece of information, wherein said at least one piece of information relates to one or more of an execution context and a use of the secret key; decrypting the encrypted secret key (FIG. 6, [0053], credential verification based on successful unwrapping (decrypting) of a previously-wrapped user root key (the encrypted secret key) that may be performed by the hardware key manager 106 of FIG. 1. The hardware unique key 602 (a unique hardware key) is again obtained by the key manager 106 and user credentials for 604 are input by the user … The same key derivation function or component 606 of the key manager 106 used during the enrollment then processes the user credential 604 and the hardware unique key 602 to generate a (candidate) wrapping key 608 (a unique derived key); [0054], A key unwrap function or component 614 of the key manager 106 then attempts to unwrap (decrypting) the wrapped user key 612 (the encrypted secret key) using the wrapping key 608 and the parameters or attributes 610 (an execution context and a use of the secret key) from the corresponding slot; [0056], if unwrap operation succeeds, the provided user credential is valid and data can be successfully decrypted.).

Per claim 15 (dependent on 14):
Circello ‘282 in view of MUTHUKUMARAN ‘818 discloses the elements detailed in the rejection of claim 14 above, incorporated herein by reference.
Circello ‘282 discloses: The method of claim 14, further comprising: 
decrypting binary data in the secure hardware environment, wherein said binary data is encrypted using the secret key by:
decrypting the encrypted binary data using the recovered secret key 
(FIG. 2B, [0021], The key blob unwrap engine 114 receives the encrypted key blob(s) 134 (an encrypted secret key) and decrypts them using the KEKs 212 to obtain the secret key(s) 206 …The software decryption engine 116 decrypts the encrypted code 256 (the encrypted binary data) using the secret key(s) 206 (the recovered secret key).).
Circello ‘282 does not teach the secret key is recovered from the process of claim 14 starting from a unique hardware key. MUTHUKUMARAN ‘818 discloses: decrypting said encrypted secret key using said step of decrypting as recited in claim 14 so as to obtain a recovered secret key for use in data access (FIG. 6, [0053], credential verification based on successful unwrapping (decrypting) of a previously-wrapped user root key (the encrypted secret key) that may be performed by the hardware key manager 106 of FIG. 1. The hardware unique key 602 (a unique hardware key) is again obtained by the key manager 106 and user credentials for 604 are input by the user … The same key derivation function or component 606 of the key manager 106 used during the enrollment then processes the user credential 604 and the hardware unique key 602 to generate a (candidate) wrapping key 608 (a unique derived key); [0054], A key unwrap function or component 614 of the key manager 106 then attempts to unwrap (decrypting) the wrapped user key 612 (the encrypted secret key) using the wrapping key 608; [0056], if unwrap operation succeeds, the provided user credential is valid and data can be successfully decrypted.).

Allowable Subject Matter
Claim(s) 6-11 is/are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SANGSEOK PARK whose telephone number is (571)272-4332. The examiner can normally be reached Monday-Thursday 7:30-5:30 and Alternate Fridays 8:30-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, PHILIP CHEA can be reached on (571)272-3951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/SANGSEOK PARK/Examiner, Art Unit 2499
/PHILIP J CHEA/Supervisory Patent Examiner, Art Unit 2499