DETAILED ACTION
This Final Office Action is in response to amendment filed on 03/10/2022. Claims 1-20 have been amended. Claims 1-20 remain pending in the application. 

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Drawings
The drawings filed on 07/09/2019 are accepted.

Examiner’s Note
Examiner communicated with the applicant’s representative, Mr. Dominic Kotab (Registration No.42762) on 06/06/2022, regarding potential examiner’s proposed amendments. The applicant’s representative informed the  examiner that the applicant would like to receive an office action before discussing amendments.
Response to Arguments
Applicant stated, in Page 9-11, with respect to claim 1 “Claim 1 has been amended to further differentiate the claim from the cited references… disclosing that a database administrator sends an encrypted request for an encryption or decryption key, and that a cloud-based data management system may be a hardware system, as in Block, and disclosing that a validation module validates a query sent from a user, and a separate encryption module conditionally encrypts the query, as in Bent, fails to teach:... More specifically, Block only generally discloses that a database administrator sends an encrypted request for a key, and Bent only generally discloses that separate modules validate and conditionally encrypt a query sent from a user, which does not teach: 
"receiving at a first encryption daemon implemented within a first storage system an unencrypted key request from a second encryption daemon implemented within a second storage system that is separate from the first storage system; implementing, by the first encryption daemon, a secure communications channel between the first encryption daemon and an encryption key server; encrypting, by the first encryption daemon, the unencrypted key request to create an encrypted key request; sending the encrypted key request from the first encryption daemon to the encryption key server, utilizing the secure communications channel; receiving, from the encryption key server at the first encryption daemon, an encrypted response, utilizing the secure communications channel; decrypting, by the first encryption daemon, the encrypted response to obtain the requested key; and sending the requested key from the first encryption daemon to the second encryption daemon" (emphasis added), as specifically claimed by applicant… Applicant respectfully asserts that at least the third element of the prima facie case of obviousness has not been met, since the prior art excerpts, as relied upon by the Examiner, fail to teach or suggest all of the claim limitations, as noted above. Thus, a notice of allowance or specific prior art showing of each of the foregoing claim elements, in combination with the remaining claimed features, is respectfully requested.” 
Examiner respectfully disagrees. Examiner submits that Block in view of Knas and Bent disclose all the above limitations. Particularly, Block illustrates in Figure 2 and the pertinent paragraphs the database processes 255 included in a Database Admin 250, corresponding to the second daemon and second storage system, respectively, sending key requests to a key broker 245 included in a cryptography Admin 240, corresponding to the first daemon and first storage system, respectively, where in turn, the key broker 245 sends the key request to a key server 120, through a secure TLS channel 214 established between the key broker 245, i.e. first encryption daemon, and the key server 120, as disclosed in [0028]. Block discloses encrypting the key request at the database processes’ end, i.e. second daemon, i.e. the key broker receiving the key request in already encrypted form, and further discloses that the key broker 245 signs the key request utilizing its private key, and further discloses establishing a secure communication channel by the key broker, as disclosed in [0028], however, Block does not disclose that the key request is received “unencrypted” at the key broker, where the key broker encrypts the key request before transmission to the key server 120. However, Bent illustrates in Figure 1 three entities, where a query/request is transmitted from the first entity 110, construed as a second daemon,  in an unencrypted form, to a second shared entity 130, construed as a first daemon, where the second entity 130 encrypts the query/request before transmitting the encrypted query/request to the third entity 150. This is disclosed by Bent in [0004, 001, 0030]. Bent explicitly discloses the sending of a request in an unencrypted form, where the request is encrypted by a second entity. Examiner further submits that irrespective of the validation and conditional encryption argued above by the applicant, Bent still discloses the above feature, where the second entity encrypts the received unencrypted request from the first entity, where the second entity performs an encrypted on the unencrypted request before transmitting the encrypted request to the third entity. Therefore, it would have been obvious to modify Block to incorporate the teaching of Bent to add the above feature, and the motivation/reason for doing so is to utilize a security layer at a shared entity, for an organization with local area network such that it protects the organization within its network, e.g. higher security domain from external network nodes, as recognized by (Bent [0019]). 
	
Applicant further stated, in Page 12, with respect to claims 17-19 “Claims 17-19 stand rejected under 35 U.S.C. 103 as being allegedly unpatentable over Block in view of Knas and Bent. Applicant respectfully disagrees with the rejection for similar reasons as those argued hereinabove with respect to Claim 1.”
	With respect to claim 17, examiner respectfully disagrees. Please see rationale above and detailed rationale and motivations in rejecting claim 1 below.
	With respect to claims 18-19, examiner submits that in light of the current amendments to claims 18-19, newly found prior arts are relied upon in rejecting claims 18-19. Please see detailed rationales and motivations below.

With respect to the arguments in the applicant’s remarks, Page 12-15, regarding claim 20: Examiner submits that Block in view of Bent disclose the previously cited limitations as described in the USC 103 rejection for claim 20, and further described in the rationale above for claim 1. Examiner further submits that the arguments pertaining to the newly added limitations are considered moot since newly found prior arts are relied upon to teach the newly added limitations. Please see detailed rationales and motivations below in rejecting claim 20 below.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1, 4-6, 8-10, 12-14 and 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Block et. al. (US 20180013549 A1), hereinafter Block in view of Knas (US 10735193 B1), hereinafter Knas and further in view of Bent et. al. (US 20180060604 A1), hereinafter Bent.

Regarding claim 1 (Currently Amended), Block teaches a computer-implemented method (Block [0003] “The method, computer program product and system execute operations for managing user-controlled security keys in cloud-based scenarios.”, [0020] “FIG. 2 is an illustration of a system 200 for managing user-controlled security keys in cloud-based scenarios”), comprising: 
receiving at a[[n]] first encryption daemon implemented within a first storage system [an unencrypted] key request from a second encryption daemon implemented within a second storage system that is separate from the first storage system (Block [0026] “…the database administrator 250 and/or the database processes 255 may request a decryption or encryption key (or keys) from the key server 120. In various implementations, a cryptography administrator 240 on the host side 220 may be used. In some aspects, the cryptography administrator 240 may be a dedicated, Linux-based user…The cryptography administrator 240 may receive a request for a key and/or may provide the response which includes the key through a key access protocol 247…the key access protocol 247 may be a runtime protocol that allows secure transfer of the key to the database processes 255 for encryption and/or decryption of data in the column store 260.”, [0027] “As illustrated, the cryptography administrator 240 may include a key broker 245. The key broker 245 may act as a proxy between the key server 120 and the database administrator 250.”, where the cryptography administrator 240, which include the key broker 245 as a dedicated, Linux-based user and consists of a computer device as disclosed in [0034] and Figure 3 corresponds to the first encryption daemon in a first storage system, consistent with the encryption daemons as disclosed in the specification of the instant application in e.g. [0066-0067] to be a device with software and hardware, 
Cryptography admin 240 and key broker 245 corresponds to the storage system and first daemon, respectively, where the cryptography admin 240 stores and access files, as disclosed in [0027]  and, database admin 250, which includes  database processor 255 correspond to the second storage and second daemon, respectively, where 250 is separate from 240.
the database admin 250 corresponds to a storage system, which is disclosed to be a computing apparatus/hardware as disclosed in [0034] and illustrated in Figure 3);
implementing, by the first encryption daemon, a secure communications channel between the encryption daemon and an encryption key server (Block discloses [0027] “…the cryptography administrator 240 may include a key broker 245. The key broker 245 may act as a proxy between the key server 120 (i.e. encryption key server) and the database administrator 250. The key broker 245 can be a broker that signs requests for encryption/decryption keys….the key broker 245 may open a local socket which cannot be accessed from outside of the system 200. As necessary, the key broker 245 can request a key from the key server 120, store a response from the key server 120 transiently in memory, and/or can provide the response to the database processes 255 through the key access protocol 247.”, [0028] “…the key transfer protocol 214 may be implemented according to http or https. Specifically, the key transfer protocol may use transport layer security (TLS).”); 
encrypting, [by the first encryption daemon], the [unencrypted] key request to create an encrypted key request (Block [0026] “…the key request provided to the cryptography administrator 240 via the key access protocol 247 may be encrypted by the database administrator 250 and/or the database processes 255 using the key server's public key 290. In some aspects, this encryption step may help to prevent third parties (e.g., not the customer or the host) from decrypting the request, and/or may allow the key server 120 to trust the source of the request.”, [0027] “The key broker 245 can be a broker that signs requests for encryption/decryption keys. In some aspects, the key broker 245 may open a local socket which cannot be accessed from outside of the system 200.”, [0030-0031] “…the key server 120 may verify the authenticity of the request by checking the signature of the request (e.g., by checking one or both of the database processes' public key 218, and the key broker's public key 290). Once the signature is verified, the key server 120 may decrypt the request, and determine which key should be provided in a response.”);
sending the encrypted key request from the first encryption daemon to the encryption key server, utilizing the secure communications channel (Block discloses [0026] “…the key request provided to the cryptography administrator 240 via the key access protocol 247 may be encrypted by the database administrator 250 and/or the database processes 255 using the key server's public key 290.”, [0027] “…the cryptography administrator 240 may include a key broker 245. The key broker 245 may act as a proxy between the key server 120 (i.e. encryption key server) and the database administrator 250. The key broker 245 can be a broker that signs requests for encryption/decryption keys….the key broker 245 may open a local socket which cannot be accessed from outside of the system 200. As necessary, the key broker 245 can request a key from the key server 120, store a response from the key server 120 transiently in memory, and/or can provide the response to the database processes 255 through the key access protocol 247.”); 
receiving, from the encryption key server at the first encryption daemon, an encrypted response, utilizing the secure communications channel (Block [0027] “…the key broker 245 may open a local socket which cannot be accessed from outside of the system 200. the key broker 245 can request a key from the key server 120, store a response from the key server 120 transiently in memory, and/or can provide the response to the database processes 255 through the key access protocol 247…the response stored transiently at the key broker 245 may include a requested key, encrypted with the database processes' public key 218.”, [0028] “…the key transfer protocol 214 may be implemented according to http or https. Specifically, the key transfer protocol may use transport layer security (TLS).”); 
decrypting, [by the first encryption daemon], the encrypted response to obtain the requested key (Block T[0030] “The key server 120 may then generate the response with the identified key, and encrypt the response using the database processes' public key 218. Additionally or alternatively, the key server 120 may sign the response using the key server's private key. Once generated, the key server 120 may provide the response with the key to the cryptography administrator 240 through the key transfer protocol 214.”, [0031] “when the response containing the key reaches the key broker 245, it may be encrypted with the database processes' public key 218 and signed with the key server's private key. The key broker 245 may verify the signature of the response, and upon verification, provide the requested keys to the database processes 255. The database processes 255 may decrypt the response (e.g., using its own private key), and obtain the security keys, which may be temporarily held in working memory (e.g., as transient keys 265) for use in encrypting and/or decrypting data.”); and 
sending the [requested key] (encrypted requested key) from the first encryption daemon to the second encryption daemon (Block [0027] “…the response stored transiently at the key broker 245 may include a requested key, encrypted with the database processes' public key 218.”, [0030] “…The key server 120 may then generate the response with the identified key, and encrypt the response using the database processes' public key 218.”, where the response comprising the encrypted requested key to be sent to the database, i.e. storage device 250, through the proxy 240 as disclosed in [0027], i.e. encryption daemon, [0031] “the response providing the key may be both encrypted and signed…the response containing the key reaches the key broker 245, it may be encrypted with the database processes' public key 218 and signed with the key server's private key. The key broker 245 may verify the signature of the response, and upon verification, provide the requested keys to the database processes 255. The database processes 255 may decrypt the response (e.g., using its own private key), and obtain the security keys, which may be temporarily held in working memory (e.g., as transient keys 265) for use in encrypting and/or decrypting data.”).
Block discloses the aforementioned limitations, and further discloses 
the key request is encrypted by the database administrator 250, and signed by the key broker 245, corresponding to the first encryption daemon, where the signature by the key broker 245 is made by encrypting the request by the key broker’s private key, such that the signature is verified by the key server by decrypting the request using the key broker’s public key as disclosed in [0030], and the key broker 245 may open a local socket which cannot be accessed from outside of the system 200, key transfer protocol may use transport layer security (TLS), the key broker further verify the response, signed by the key server’s private key, by decrypting the signature using the key server’s public key as disclosed in [0031], accordingly, the encrypted requested key is sent to the database processor 255, where the encrypted requested key is decrypted at the database storage, however, Block does not explicitly disclose 
the key request is received by the proxy cryptographic admin 240 and broker 245, i.e. first encryption daemon, in unencrypted form and is then being encrypted by the key broker  245, first encryption daemon.
decryption of the encrypted response that include the requested key is performed at the proxy key broker  245 to produce the requested key before sending it to the database storage device, on the other hand, the decryption at the proxy is part of the TLS protocol, it would produce a response that include an encrypted requested key, encrypted with the public key of the database processes as disclosed in [0027]. Emphasis in Italic.
Knas discloses decrypting, by the first encryption daemon, the encrypted response to obtain the requested key, sending the requested key from the first encryption daemon to the second encryption daemon (Knas discloses the analytic server, corresponding to the first encryption daemon, where it retrieves the encrypted requested key, and perform the decryption on the requested key and then transmitting the decrypted requested key, Figure 5 (512-516) illustrates the analytic server receiving encrypted key segments, decrypting the key segments to generate blockchain key and transmitting the key to the client device , Col. 21 line 18-31 “At step 516, the analytics server may generate a block-chain key string based on the division method used. Upon decrypting the encrypted key segments based on the received encryption methods (step 514), the analytics server may append the key segments in accordance with the first encryption method (e.g. , append the strings associated with each key segment ) in order to generate a blockchain key…The analytics server may then display the blockchain key on the graphical user interface associated with the user's computing device or otherwise transmit the blockchain key to the user computing device or any other computing device selected by the user.”, where the key is received by the server from the node peers, then the key is decrypted by the analytic server before transmitted to the client device to decrypt data stored in the client device as disclosed in Col. 17 line 65-67).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Block to incorporate the teaching of Knas to utilize the above feature, with the motivation of regrouping the key segments that will form the encryption key, as recognized by (Knas Col. 21 line 18-31).
Block in view of Knas discloses the above limitations, where Block discloses the key request being received by the key broker 245, i.e. first encryption daemon, in encrypted form, where the key request is further signed by the key broker 245 and then sent to the key server 120, however, Block in view of Knas do not disclose that that a request is received unencrypted and then encrypted by the proxy, i.e. first encryption daemon. Emphasis in italic below.
Bent discloses receiving at the first encryption daemon an unencrypted request and encrypting, by the first encryption daemon, the unencrypted request (Bent illustrates in Figure 1 a computer system in a higher security domain 110 sending a plain text query/request to a computer system in lower security domain 150, via a device in first shared security domain 130, i.e. first encryption daemon, which performs an encryption on the query/request then passing the encrypted query/request to the entity in the lower security domain 150,
[0004] “a computer system is provided for a first entity in a higher security domain to query a second entity in a lower security domain.”,
[0019] In computer security, an example shared security zone (e.g. 130, 170 of FIG. 1), sometimes referred to as a perimeter network, is a physical or logical subnetwork that contains and exposes an organization's external-facing services to a larger and untrusted network… The purpose of a shared security zone is to add an additional layer of security to an organization's local area network (LAN); an external network node only has direct access to equipment in the shared security zone, rather than any other part of the network.”,
[0030] “If the optional step of validation is not carried out, or the plain text query 112 is successfully validated at 306, then, at 308, query encryption module 132 in the first shared security zone 130 encrypts the plain text query 112 using an FHE scheme to produce an encrypted plain text query…At 310, the encrypted plain text query is passed by the query encryption module 132 to the FHE matching application 152 in the lower security domain 150.”)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Block in view of Knas to incorporate the teaching of Bent to utilize the above feature, with the motivation of using a security layer for an organization with local area network such that it protects the organization within its network, e.g. higher security domain from external network nodes, as recognized by (Bent [0019]).

Regarding claim 17 (Currently Amended), claim 17 discloses similar limitations, but different statutory category, to claim 1, therefore, all the rationale and motivations applied to claim 1 is also applied to claim 17.

Regarding claim 4 (Currently Amended), Block in view of Knas and Bent teaches the computer-implemented method of Claim 1, wherein the first storage system and the second storage system are included within a storage matrix (Block illustrates in Figure 2, the host side 220, corresponding to a storage matrix, to include the database admin 250, second storage system, cryptography admin 240, i.e. first storage system, where the host side 220 is utilized for users/customers to provide them with cloud-based services, [0021] “a customer may refer to a user who has been provided access to cloud-based services (e.g., services 225 on the host side 220)” and further provide them with data from database processes as described in [0023] and further cited paragraphs in claim 1 above, consistent with the description of storage matrix described only once in the specification of the instant application, [0066] “plurality of storage systems within a storage infrastructure (e.g., a storage matrix, etc.). In another example, the storage system may provide cloud-based storage to one or more clients.”).

Regarding claim 5 (Currently Amended), Block in view of Knas and Bent teaches the computer-implemented method of Claim 1, wherein the [unencrypted] key request is received from the second encryption daemon hardwired connection between the first encryption daemon and the second encryption daemon (Block discloses, as described above in claim 1, the key request and first and second encryption daemons, and further discloses using a wired connection between computing systems, [0005] “Such multiple computing systems can be connected and can exchange data and/or commands or other instructions or the like via one or more connections, including but not limited to a connection over a network (e.g. the Internet, a wireless wide area network, a local area network, a wide area network, a wired network, or the like), via a direct connection between one or more of the multiple computing systems, etc.”, further disclosed in [0035]).
Block in view of Knas do not disclose sending unencrypted query/request.
Bent discloses sending unencrypted query/request. Rationale and motivation in claim 1 apply.

Regarding claim 6 (Currently Amended), Block in view of Knas and Bent teaches the computer-implemented method of Claim 1, wherein the [unencrypted] key request is received from the second encryption daemon (Block discloses the requests transmitted from the database admin 250 to the key server 120 through the proxy cryptographic admin 240 as disclosed in [0027] and Figure 2 is performed via a wired or wireless network/connection as disclosed in [0005] “ Such multiple computing systems can be connected and can exchange data and/or commands or other instructions or the like via one or more connections, including but not limited to a connection over a network (e.g. the Internet, a wireless wide area network, a local area network, a wide area network, a wired network, or the like), via a direct connection between one or more of the multiple computing systems, etc.”, and [0035] “Apparatus 300 may include a network interface 340 to a wired network or a wireless network, such as the network 110 of FIG. 1 or the network 299 of FIG. 2. Wireless networks may include WiFi, WiMax, and cellular networks (2G/3G/4G/5G), and/or any other wireless network.”, where 247 and 214 are secured protocols as disclosed in e.g. [0026-0028], where local area network corresponds to internal network).  
Block in view of Knas do not disclose sending unencrypted query/request.
Bent discloses sending unencrypted query/request. Rationale and motivation in claim 1 apply.

Regarding claim 8 (Currently Amended), Block in view of Knas and Bent teaches the computer-implemented method of Claim 1, wherein first encryption daemon stores public key certificates for a plurality of different encryption key servers (Block [0021] “The customer side 210 may contain one or more of the user devices 108 of FIG. 1 and one or more key servers 120… one key server 120 may be used by only one user device 108”, where, in the case of more than on user device, there will be more than one key server, where the key request process described in above claim 1, is performed, on demand, whenever a request is made, as disclosed in [0028], whenever a request is made by one user device as illustrated in Figure 4 (410) and [0037], where the key broker 245 verifies the response signed by the private key of the key server as disclosed in [0029, 0031]  by utilizing the public key of the key server, if there key servers for each requesting user device to perform the process of making the requests, then the key broker 245 verify the responses with the respective public key of each key server involved in the request).

Regarding claim 9 (Currently Amended), Block in view of Knas and Bent teaches the computer-implemented method of Claim 1, wherein the first encryption daemon has a first public key certificate, and the second encryption daemon has a second public key certificate separate from the first public key certificate(Block Figure 2 (216) corresponds to the key broker’s public key, i.e. first encryption daemon, and (218) corresponds to the second encryption daemon), as further disclosed in [0027, 0029]).

Regarding claim 10 (Currently Amended), Block in view of Knas and Bent teaches the computer-implemented method of Claim 1, wherein the first encryption daemon communicates with the encryption key server over an external Ethernet network connection (Block discloses that the requests transmitted from the database admin 250 to the key server 120 through the proxy key broker 245, i.e. first encryption daemon, as disclosed in [0027] and Figure 2 is performed via a wired local area network connection, [0005] “Computer implemented methods consistent with one or more implementations of the current subject matter can be implemented by one or more data processors residing in a single computing system or multiple computing systems. Such multiple computing systems can be connected and can exchange data and/or commands or other instructions or the like via one or more connections, including but not limited to a connection over a network (e.g. the Internet, a wireless wide area network, a local area network, a wide area network, a wired network, or the like), via a direct connection between one or more of the multiple computing systems, etc.”, where the wired network  may be “local area network” as disclosed in [0014], where the local area network corresponds to the external Ethernet connecting customer side 210 with a separate the host side 220 as illustrated in Figure 2, where the communication between 210 and 220 is achieved through an external network).  

Regarding claim 12 (Currently Amended), Block in view of Knas and Bent teaches the computer-implemented method of Claim 1, wherein implementing the secure communications channel includes performing, by the first encryption daemon, a Transport Layer Security (TLS) handshake with the encryption key server (Block [0028] “the cryptography administrator 240 may communicate with the key server 120 according to a key transfer protocol 214. The key transfer protocol 214 can allow the secure transfer of the key and/or a request for the key between the key server 120 and the key broker 245 on demand. In some aspects, the key transfer protocol 214 may be implemented according to http or https. Specifically, the key transfer protocol may use transport layer security (TLS).”, where the TLS requires a handshake communication).

Regarding claim 13 (Currently Amended), Block in view of Knas and Bent teaches the computer-implemented method of Claim 1, wherein the first encryption daemon: verifies an identity of the encryption key server [prior to requesting the key] (Block  [0004] “…the request for the secret key is encrypted with a public key for the server.”, [0026] “…the key request provided to the cryptography administrator 240 via the key access protocol 247 may be encrypted by the database administrator 250 and/or the database processes 255 using the key server's public key 290.”, [0027-0028] discloses that the key broker 245 as part of the cryptographic admin 240, i.e. daemon device, signs the request and open a local socket which cannot be accessed from outside of the system when communicating the request with the key server, [0029] “…the key server 120 may sign a response providing a key to the key broker 245, with a private key of the key server 120, and the key broker 245 in turn verifies the authenticity of the key server 120.”), and 
encrypts (by the second daemon) the [unencrypted] key request to create the encrypted key request utilizing a public key for the encryption key server (Block [0026] “…the key request provided to the cryptography administrator 240 via the key access protocol 247 may be encrypted by the database administrator 250 and/or the database processes 255 using the key server's public key 290.”, Block further discloses that the communication between the proxy cryptographic admin 240 side, corresponding to the encryption daemon and the key server is secure and encrypted using TLS as disclosed in [0028] “The key transfer protocol 214 can allow the secure transfer of the key and/or a request for the key between the key server 120 and the key broker 245 on demand. In some aspects, the key transfer protocol 214 may be implemented according to http or https. Specifically, the key transfer protocol may use transport layer security (TLS).”).
Block discloses encrypting the request with the public key of the key server, and the key broker 245 as part of the cryptographic admin 240, i.e. daemon device, signs the request and open a local socket which cannot be accessed from outside of the system when communicating the request with the key server, which implies the key broker has knowledge of where to transfer the request, and the key server signs the response such that the key broker 245 can ascertain and verify the identity of the key server when receiving the response, however, Block does not explicitly disclose that the verifying of the identity of the key server is prior to the requesting of the key.
Knas discloses identifying the key server prior to sending the request (Knas explicitly discloses identifying nodes that store key segments and accordingly instruct the nodes transmit the key segments, Col. 20 line 50-56 “the analytics server may instruct one or more network nodes to transmit the encrypted key segments. Based on the received key records, the analytics server may identify one or more network nodes that have stored the encrypted key segments. The analytics server may then generate and transmit an instruction to the network nodes to transmit the encrypted key segments.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Block to incorporate the teaching of Knas to utilize the above feature, with the motivation of regrouping the key segments that will form the encryption key, as recognized by (Knas Col. 21 line 18-31) and identify the nodes that store the respective key segments.
Block discloses Communications between the database and the key server, through the proxy key broker 245, corresponding to the first encryption daemon is encrypted, where the request is signed by proxy key broker 245 , and the transport layer security (TLS) is used, however, the encryption of the unencrypted request by the first encryption daemon is not explicitly disclosed by Block in view of Knas. 
Bent discloses the unencrypted/plaintext request encrypted by the first encryption daemon as described in claim 1. Rational and motivation in claim 1 apply.

Regarding claim 14 (Currently Amended), Block in view of Knas and Bent teaches the computer-implemented method of Claim 1, wherein [the first encryption daemon] decrypts the encrypted response utilizing a private key corresponding to a public key used to encrypt the encrypted response (Block [0030] “The key server 120 may then generate the response with the identified key, and encrypt the response using the database processes' public key 218. Additionally or alternatively, the key server 120 may sign the response using the key server's private key.”, [0031] “…when the response containing the key reaches the key broker 245, it may be encrypted with the database processes' public key 218 and signed with the key server's private key. The key broker 245 may verify the signature of the response, and upon verification, provide the requested keys to the database processes 255. The database processes 255 may decrypt the response (e.g., using its own private key), and obtain the security keys”, Block further discloses that the communication between the proxy cryptographic admin 240 side, corresponding to the encryption daemon and the key server is secure and encrypted using TLS, where the use of secure TLS protocol indicates the use of key pair encryption in the above communication). 
Block does not disclose the cryptographic admin 240 and its associated key broker 245 decrypting the encrypted response. Knas discloses the, analytic server, i.e. first encryption daemon decrypting the encrypted response as described in claim 1. Rational and motivation in claim 1 apply.

Regarding claim 16 (Currently amended), Block in view of Knas and Bent teaches the computer-implemented method of Claim 1, wherein the first encryption daemon runs on a standalone device (Block discloses the cryptography administrator 240, which include the key broker 245 as a dedicated, Linux-based user and consists of a computer device as disclosed in [0034] and Figure 3 corresponds to the encryption daemon), 
the encrypted response includes the requested key that has been encrypted by the encryption key server (Block [0027] “the response stored transiently at the key broker 245 may include a requested key, encrypted with the database processes' public key 218.”, [0029] “…the key server 120 may sign a response providing a key to the key broker 245, with a private key of the key server 120, and the key broker 245 in turn verifies the authenticity of the key server 120.”, [0030] “The key server 120 may then generate the response with the identified key, and encrypt the response using the database processes' public key 218. Additionally or alternatively, the key server 120 may sign the response using the key server's private key. Once generated, the key server 120 may provide the response with the key to the cryptography administrator 240 through the key transfer protocol 214.”), and
[the first encryption daemon] decrypts[[ing]] the encrypted response yields the requested key (Block [0031] “…when the response containing the key reaches the key broker 245, it may be encrypted with the database processes' public key 218 and signed with the key server's private key. The key broker 245 may verify the signature of the response, and upon verification, provide the requested keys to the database processes 255. The database processes 255 may decrypt the response (e.g., using its own private key), and obtain the security keys”, another layer of encryption is further used where [0028] the “key transfer protocol 214 may be implemented according to http or https. Specifically, the key transfer protocol may use transport layer security (TLS).” where TLS indicates the encryption/decryption using key pair).  
Block does not disclose the first encryption daemon decrypting the encrypted response yields the requested key. Knas discloses analytic server, i.e. the first encryption daemon, decrypting the encrypted response yields the requested key as described in claim 1. Rationale and motivation in claim 1 apply.

Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Block et. al. (US 20180013549 A1), hereinafter Block in view of Knas (US 10735193 B1), hereinafter Knas, Bent et. al. (US 20180060604 A1), hereinafter Bent, and further in view of Skrenta et. al. (US 20130159251 A1), hereinafter Skrenta.

Regarding claim 18 (Currently Amended), Block in view of Knas and Bent teaches the computer-implemented method of Claim 1 [unencrypted] key request includes an intercepted key request [from a storage device of the second storage system](Block Figure 2 illustrates a key request received/intercepted by the key broker 245, fist encryption daemon, as disclosed in [0026-0027], from the transient keys 265 [0031] “memory (e.g., as transient keys 265)”, i.e. storage device, which part of the database admin 250, i.e. second storage system).
Block in view of Knas do not disclose sending unencrypted query/request.
Bent discloses sending unencrypted query/request. Rationale and motivation in claim 1 apply.
Block discloses the database admin 250 corresponding to the second storage system, which includes data processes 255 corresponding to the second daemon, which obtains the key request from the database admin, i.e. second storage system, however, Block in view of Knas, Bent do not disclose that the request is obtained/received/intercepted, by the database processes, from a storage device within the database admin 250.
Skrenta discloses an intercepted request from a storage device of the second storage system (Skrenta illustrates in Figure 9 node 910, i.e. second storage system, where a reader daemon 914, i.e. storage device, sends a request/query, to get data, to a RAM daemon, within the node 910 as disclosed in [0193] “A request to get data 912 is received at Node 1 910. The get data request 912 corresponds to a request to get a row from the database such as cluster 810. When the request is made, the row key is first hashed to determine which buckets the row appears in. The get data request 912 is received by a reader daemon 914 in Node 1 910”, [0194] “The reader daemon 914 first checks the cache 916 to determine whether the requested data 912 is already stored in the cache 916…the reader daemon 914 may include a RAM cache (not shown) in addition to cache 916, or the node 910 may include a RAM cache daemon, configured to store data from buckets for responding to queries faster.”, where node 910 correspond so the second storage system, an alternative interpretation includes bucket daemon 924, i.e. second daemon, intercepts a request 924 from Reader daemon 914, i.e. storage device, where the bucket daemon processes the request through 948 in Disk 944, as disclosed in [0194-0196], where the second storage system comprising 910 and 940).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Block in view of Knas and Bent to incorporate the teaching of Skrenta to utilize the above feature, with the motivation of faster access and responses, as recognized by (Skrenta [0194]).


Claims 3 is rejected under 35 U.S.C. 103 as being unpatentable over Block et. al. (US 20180013549 A1), hereinafter Block in view of Knas (US 10735193 B1), hereinafter Knas, Bent et. al. (US 20180060604 A1), hereinafter Bent, and further in view of Hashimoto (US 20080098194 A1), hereinafter Hashimoto.

Regarding claim 3, (Currently Amended), Block in view of Knas and Bent teaches the computer-implemented method of Claim 1, 
Block discloses the first storage system as described in claim 1, however, Block in view of Knas and Bent do not teach the below feature.
Hashimoto discloses wherein the first storage system includes a disk cache controller that controls data writes and reads to one or more hardware storage drives (Hashimoto discloses in [0079] “The storage system 120 includes physical resources such as channel boards (0) 121A and (1) 121B, an internal network 131, disk boards (0) 132A and (1) 132B, disk cache boards (0) 142A and (1) 142B, system power control units 146A and 146B, batteries 147A and 147B, and one or more physical disk drives 148.”, [0128] “The disk caches (0) 144A and (1) 144B are memories for temporarily storing data read/written in the physical disk drive 148. By temporarily storing data in the disk cache 144, access performance from the server system 100 to the storage system 120 is improved. The disk cache controller 143A controls writing/reading of data in/from the disk caches (0) 144A and (1) 144B.”, Figure 1E illustrates disk cache boards (0) 142A and (1) 142B comprising disk cache controllers 143A and 143B, respectively).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Block in view of Knas and Bent to incorporate the teaching of Hashimoto to include disk cache controller, with the motivation of improving the storage system, as recognized by (Hashimoto [0128]).

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Block et. al. (US 20180013549 A1), hereinafter Block in view of Knas (US 10735193 B1), hereinafter Knas, Bent et. al. (US 20180060604 A1), hereinafter Bent, Bergman (US 20150341386 A1), hereinafter Bergman, and further in view of Hashimoto (US 20080098194 A1), hereinafter Hashimoto.

Regarding claim 11, (Currently Amended), Block in view of Knas and Bent teaches the computer-implemented method of Claim 1, 
Block discloses wherein: the first storage system first encryption daemon, to manage the [unencrypted] key request, manages a security handshake with the encryption key server as well as the receipt of the encrypted response from the encryption key server (Block discloses implementing secure communication channel between the key broker 245, i.e. first encryption daemon, and the key server 120, as illustrated by Figure 2 (214), in order to manage the transfer the key request and receipt of the encrypted response in a secure manner as disclosed in [0026-0027 and 0030-0031], where the secure communication channel 214 is disclosed in [0028] “As further illustrated, the cryptography administrator 240 may communicate with the key server 120 according to a key transfer protocol 214. The key transfer protocol 214 can allow the secure transfer of the key and/or a request for the key between the key server 120 and the key broker 245 on demand. In some aspects, the key transfer protocol 214 may be implemented according to http or https. Specifically, the key transfer protocol may use transport layer security (TLS).”, where the transport layer security (TLS)  in 214 between the key broker 245 and key serve 120 involves performing a handshake in order to establish the secure communication channel utilizing TLS) , and 
the [unencrypted] key request is received from the second encryption daemon using a hardwired connection between the first encryption daemon and the second encryption daemon (Block discloses, as described above in claim 1, the key request and first and second encryption daemons, and further discloses using a wired connection between computing systems, [0005] “Such multiple computing systems can be connected and can exchange data and/or commands or other instructions or the like via one or more connections, including but not limited to a connection over a network (e.g. the Internet, a wireless wide area network, a local area network, a wide area network, a wired network, or the like), via a direct connection between one or more of the multiple computing systems, etc.”, further disclosed in [0035]).
Block in view of Knas do not disclose sending unencrypted query/request.
Bent discloses sending unencrypted query/request. Rationale and motivation in claim 1 apply.
Block in view of Knas and Bent do not disclose disk cache controller.
Hashimoto discloses wherein: the first storage system includes a disk cache controller (Hashimoto discloses in [0079] “The storage system 120 includes physical resources such as channel boards (0) 121A and (1) 121B, an internal network 131, disk boards (0) 132A and (1) 132B, disk cache boards (0) 142A and (1) 142B, system power control units 146A and 146B, batteries 147A and 147B, and one or more physical disk drives 148.”, [0128] “The disk caches (0) 144A and (1) 144B are memories for temporarily storing data read/written in the physical disk drive 148. By temporarily storing data in the disk cache 144, access performance from the server system 100 to the storage system 120 is improved. The disk cache controller 143A controls writing/reading of data in/from the disk caches (0) 144A and (1) 144B.”, Figure 1E illustrates disk cache boards (0) 142A and (1) 142B comprising disk cache controllers 143A and 143B, respectively).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Block in view of Knas and Bent to incorporate the teaching of Hashimoto to include disk cache controller, with the motivation of improving the storage system, as recognized by (Hashimoto [0128]).
Block discloses the key broker, first encryption daemon, implementing a security protocol using TLS with the key server 120, in order to establish a secure communication channel, where TLS requires handshaking for establishing communication, where the key requests and responses are communicated through the above secured communication channel. However, Block in view of Knas, Bent and Hashimoto do not disclose the feature of including spawning and new thread in the below limitations.
Bergman discloses implementing the secure communications channel includes spawning, by the first encryption daemon, a new thread to manage the request, wherein the new thread manages a security handshake (Bergman illustrates in Figure 2 a child/new thread for a secure layer request to manage/execute a security handshake, [0024] “If the connection request comprises a secure layer request (202), then CDN 100 initiates (203) a new thread of execution for security the handshake process. The new thread can be a child thread or subset thread of the application process or data thread of operation 201. For example, when CDN 100 receives a content request, which includes a SSL or TLS connection request, then a new thread can be initiated from a pool or group of available threads, or may be spawned if no threads are available to handle the handshaking associated with that SSL/TLS connection request. Once the handshake process is complete (204), then the processing of the handshake thread returns (205) to the application process or data thread that initiated the handshake thread. In some instances, the handshaking thread may return to the pool of available threads for future handshaking processes. In other occurrences, when enough idle threads are already available, the handshaking thread may terminate.”, [0044] “As further illustrated in FIG. 6, any number of secure layer connection requests
may be received by content delivery node 620. Accordingly, once another request is identified in data thread 622, content delivery node 620 is configured to initiate or spawn a second handshaking thread 625.”, where the spawned handshaking thread corresponding to a new thread).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Block in view of Knas, Bent and Hashimoto to incorporate the teaching of Bergman to utilize the above feature, with the motivation of enhancing the handshaking process, as recognized by (Bergman [0015]).

Claims 7 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Block et. al. (US 20180013549 A1), hereinafter Block in view of Knas (US 10735193 B1), hereinafter Knas, Bent et. al. (US 20180060604 A1), hereinafter Bent, Bergman (US 20150341386 A1), hereinafter Bergman and Dasar et. al. (US 20180331913 A1), hereinafter Dasar.

Regarding claim 7, (Currently Amended), Block in view of Knas and Bent teaches the computer-implemented method of Claim 1, wherein: the first encryption daemon has a first public key certificate, the second encryption daemon has a second public key certificate separate from the first public key certificate (Block Figure 2 (216) corresponds to the key broker’s public key, i.e. first encryption daemon, and (218) corresponds to the second encryption daemon), as further disclosed in [0027, 0029] ),
the first storage system and the second storage system are included within a storage matrix (Block illustrates in Figure 2, the host side 220, corresponding to a storage matrix, to include the database admin 250, second storage system, cryptography admin 240, i.e. first storage system, where the host side 220 is utilized for users/customers to provide them with cloud-based services, [0021] “a customer may refer to a user who has been provided access to cloud-based services (e.g., services 225 on the host side 220)” and further provide them with data from database processes as described in [0023] and further cited paragraphs in claim 1 above, consistent with the description of storage matrix in the specification of the instant application, [0066] “plurality of storage systems within a storage infrastructure (e.g., a storage matrix, etc.). In another example, the storage system may provide cloud-based storage to one or more clients.”), 
the [unencrypted] key request is received from the second encryption daemon using a hardwired connection between the first encryption daemon and the second encryption daemon (Block discloses, as described above in claim 1, the key request and first and second encryption daemons, and further discloses using a wired connection between computing systems, [0005] “Such multiple computing systems can be connected and can exchange data and/or commands or other instructions or the like via one or more connections, including but not limited to a connection over a network (e.g. the Internet, a wireless wide area network, a local area network, a wide area network, a wired network, or the like), via a direct connection between one or more of the multiple computing systems, etc.”, further disclosed in [0035]), 
implementing the secure communications channel includes, by the first encryption daemon, to manage the [unencrypted] key request, manages a security handshake with the encryption key server as well as the receipt of the encrypted response from the encryption key server (Block discloses implementing secure communication channel between the key broker 245, i.e. first encryption daemon, and the key server 120, as illustrated by Figure 2 (214), in order to manage the transfer the key request and receipt of the encrypted response in a secure manner as disclosed in [0026-0027 and 0030-0031], where the secure communication channel 214 is disclosed in [0028] “As further illustrated, the cryptography administrator 240 may communicate with the key server 120 according to a key transfer protocol 214. The key transfer protocol 214 can allow the secure transfer of the key and/or a request for the key between the key server 120 and the key broker 245 on demand. In some aspects, the key transfer protocol 214 may be implemented according to http or https. Specifically, the key transfer protocol may use transport layer security (TLS).”, where the transport layer security (TLS)  in 214 between the key broker 245 and key serve 120 involves performing a handshake in order to establish the secure communication channel utilizing TLS), 
P201806655US01/TUC1P568- 3 -the encrypted response includes the requested key that has been encrypted by the encryption key server (Block [0027] “…the key broker 245 may open a local socket which cannot be accessed from outside of the system 200. the key broker 245 can request a key from the key server 120, store a response from the key server 120 transiently in memory, and/or can provide the response to the database processes 255 through the key access protocol 247…the response stored transiently at the key broker 245 may include a requested key, encrypted with the database processes' public key 218.”, [0028] “…the key transfer protocol 214 may be implemented according to http or https. Specifically, the key transfer protocol may use transport layer security (TLS).”), and 
the [first encryption daemon] decrypts the encrypted response to obtain the requested key (Block T[0030] “The key server 120 may then generate the response with the identified key, and encrypt the response using the database processes' public key 218. Additionally or alternatively, the key server 120 may sign the response using the key server's private key. Once generated, the key server 120 may provide the response with the key to the cryptography administrator 240 through the key transfer protocol 214.”, [0031] “when the response containing the key reaches the key broker 245, it may be encrypted with the database processes' public key 218 and signed with the key server's private key. The key broker 245 may verify the signature of the response, and upon verification, provide the requested keys to the database processes 255. The database processes 255 may decrypt the response (e.g., using its own private key), and obtain the security keys, which may be temporarily held in working memory (e.g., as transient keys 265) for use in encrypting and/or decrypting data.”).
Block does not disclose the below limitation.
Knas discloses decrypting, by the first encryption daemon, the encrypted response to obtain the requested key as described in claim 1. Rationale and motivation in claim 1 apply.
Block in view of Knas do not disclose sending unencrypted query/request.
Bent discloses receiving unencrypted query/request. Rationale and motivation in claim 1 apply.
Block in view of Knas and Bent do not disclose the below limitations.
Bergman discloses implementing the secure communications channel includes spawning, by the first encryption daemon, a new thread to manage the request, wherein the new thread manages a security handshake (Bergman illustrates in Figure 2 a child/new thread for a secure layer request to manage/execute a security handshake, [0024] “If the connection request comprises a secure layer request (202), then CDN 100 initiates (203) a new thread of execution for security the handshake process. The new thread can be a child thread or subset thread of the application process or data thread of operation 201. For example, when CDN 100 receives a content request, which includes a SSL or TLS connection request, then a new thread can be initiated from a pool or group of available threads, or may be spawned if no threads are available to handle the handshaking associated with that SSL/TLS connection request. Once the handshake process is complete (204), then the processing of the handshake thread returns (205) to the application process or data thread that initiated the handshake thread. In some instances, the handshaking thread may return to the pool of available threads for future handshaking processes. In other occurrences, when enough idle threads are already available, the handshaking thread may terminate.”, [0044] “As further illustrated in FIG. 6, any number of secure layer connection requests may be received by content delivery node 620. Accordingly, once another request is identified in data thread 622, content delivery node 620 is configured to initiate or spawn a second handshaking thread 625.”, where the spawned handshaking thread corresponding to a new thread).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Block in view of Knas, Bent and Hashimoto to incorporate the teaching of Bergman to utilize the above feature, with the motivation of enhancing the handshaking process, as recognized by (Bergman [0015]).
Block discloses plurality of key servers 120 utilized to retrieve request keys, by a plurality of user devices, as descried in [0021] and in claim 1, Block further illustrates that the key broker, verify the signed response, signed with the key servers’ private keys, from the key servers, [0029, 0031], where the key broker 245 holds the public keys associated with the private keys of the key servers in order to verify the singed responses. However, Block in view of Knas, Bent and Bergman do not explicitly disclose the key broker requesting the public keys from the key servers in the below limitations.
Dasar discloses the first encryption daemon requests and obtains public keys for each of a plurality of different encryption key servers in response to determining that the first encryption daemon is in communication with the plurality of different encryption key servers (Dasar [0021] “The GMS forwards the encrypted inventory to the management console to enable the management console to request a public key of each server for secure communication using asymmetric key cryptography.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Block in view of Knas, Bent and Bergman to incorporate the teaching of Dasar to utilize the above feature, with the motivation of establishing a secure communication with the servers, as recognized by (Dasar [0021]).

Claim 15 (Currently Amended) includes similar limitations recited in claim 7. Therefore claim 15 is rejected with the same rationale and motivations as described in claim 7.

Claims 2 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Block et. al. (US 20180013549 A1), hereinafter Block in view of Knas (US 10735193 B1), hereinafter Knas, Bent et. al. (US 20180060604 A1), hereinafter Bent, and further in view of Shastri et. al. (US 20070112957 A1), hereinafter Shastri.

Regarding claim 2 (Currently Amended), Block in view of Knas and Bent teaches the computer-implemented method of Claim 1, 
Block discloses the database processes 255, corresponding to the second encryption daemon, the key server 120, and illustrates in Figure 2 that the database processes 255 is unable to directly connect to the key server 120, however, Block in view of Knas and Bent do not explicitly disclose that the second encryption daemon is unable to establish a secure communications channel with the encryption key server.
Shastri discloses wherein the second encryption daemon is unable to establish a secure communications channel with the encryption key server(Shastri  Figure 1  [0027] “As depicted, when a remote client 102 communicates with an external message server 110, the client 102 may choose to use one of two alternative types of communications connections; an unrestricted communication connection 103 or a virtual private network (VPN) connection 101… when a remote client communicates over an unrestricted communication connection 103 the client 102 is unprotected from various types of malicious network attacks”, where the unrestricted connection is unsecured connection as further disclosed in [0040] “…the connection may either be an unsecured communications connection or a VPN connection”, where as illustrated in Figure 1, the client system 102 is unable to establish a direct secure communication with the messaging server).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Block in view of Knas and Bent to incorporate the teaching of Shastri to utilize the above feature, with the motivation of impede vulnerabilities and malicious attacks, as recognized by (Shastri [0006], [0031] and throughout).
Regarding claim 19 (Currently Amended), Block in view of Knas and Bent teaches the computer-implemented method of Claim 1, 
Block discloses the database processes 250, corresponding to the second encryption daemon, and key broker 245 corresponding to the first encryption daemon, and further discloses the key server 120, and key request, as described in claim 1, however, Block in view of Knas do not disclose the below limitations.
Bent discloses sending unencrypted query/request as described in claim 1. Rationale and motivation in claim 1 apply.
Block in view of Knas and Bent do not disclose the below limitations.
Shastri discloses wherein: the second encryption daemon stores metadata indicating that the first encryption daemon is capable of communicating with the encryption key server (Shastri Figure 1 [0027] “As depicted, when a remote client 102 communicates with an external message server 110, the client 102 may choose to use one of two alternative types of communications connections; an unrestricted communication connection 103 or a virtual private network (VPN) connection 101.”, [0032] “Still with FIG. 1, when the user agent 102 blocks data
 communications through the unsecured communications connection 103, the remote client 103 is left with only the option of communicating with the external message server 110 over the VPN connection 101. A VPN connection 101 is established whenever the remote client's 104 VPN client 106 successfully negotiates a communications connection with the VPN gateway 112 via communications tunneling.”, 
where the client is configured to select the only option, for communication with the server 110, through the VPN server, VPN gateway, i.e. first daemon, to communicate with the server 110, where the client 102 stores knowledge/information/metadata and instructions that instructs and indicates to the client 102 that when the unsecured connection 103 is blocked, then the client 102 is to establish communication through the VPN gateway 112 through the connection 101, consistent with the description of metadata described only once in the specification of the instant application in [0096] “the first encryption daemon 806A may store metadata indicating that the second encryption daemon 806B is capable of communicating with the encryption key server 808.P201806655US01/TUC1P568 Page 29 of 47”), and 
the second encryption daemon sends (communication) to the first encryption daemon in response to determining that the second encryption daemon is unable to establish a secure communications channel with the encryption key server (Shastri [0032] “Still with FIG. 1, when the user agent 102 blocks data communications through the unsecured communications connection 103, the remote client 103 is left with only the option of communicating with the external message server 110 over the VPN connection 101. A VPN connection 101 is established whenever the remote client's 104 VPN client 106 successfully negotiates a communications connection with the VPN gateway 112 via communications tunneling.”, 
when the client 102, i.e. second demon, which establishes direct and unsecured connection 103 with the messaging server 103 as disclosed in [0027], determines that the messaging server is of a restricted type or unauthorized attempts being detected, as disclosed in [0029, 0031], and the client is only able to communicate with the server 110 directly through the unsecured connection 103, i.e. unable to directly communicate with the server 110 through a secured manner, then the client is left with the “only option”, as disclosed above in [0032], to send the communication to the VPN gateway, i.e. first encryption daemon,
consistent with the encryption daemon disclosed in the specification of the instant application in e.g. [0066-0067] to be a device with software and hardware).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Block in view of Knas and Bent to incorporate the teaching of Shastri to utilize the above feature, with the motivation of impede vulnerabilities and malicious attacks, as recognized by (Shastri [0006], [0031] and throughout).

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Block et. al. (US 20180013549 A1), hereinafter Block in view of Bent et. al. (US 20180060604 A1), hereinafter Bent, Shastri et. al. (US 20070112957 A1), hereinafter Shastri, and further in view of Skrenta et. al. (US 20130159251 A1), hereinafter Skrenta.

Regarding claim 20 (Currently Amended), Block teaches a computer-implemented method (Block [0003] “The method, computer program product and system execute operations for managing user-controlled security keys in cloud-based scenarios.”, [0020] “FIG. 2 is an illustration of a system 200 for managing user-controlled security keys in cloud-based scenarios”), comprising: 
intercepting, by a second second storage system, [an unencrypted] key request [from a second storage device located within the second storage system](Block [0026] “…the database administrator 250 and/or the database processes 255 may request a decryption or encryption key (or keys) from the key server 120. In various implementations, a cryptography administrator 240 on the host side 220 may be used. In some aspects, the cryptography administrator 240 may be a dedicated, Linux-based user…The cryptography administrator 240 (i.e. encryption daemon) may receive a request for a key and/or may provide the response which includes the key through a key access protocol 247…the key access protocol 247 may be a runtime protocol that allows secure transfer of the key to the database processes 255 for encryption and/or decryption of data in the column store 260.”, [0027] “As illustrated, the cryptography administrator 240 may include a key broker 245. The key broker 245 may act as a proxy between the key server 120 and the database administrator 250.”, where the cryptography administrator 240, which include the key broker 245 as a dedicated, Linux-based user and consists of a computer device as disclosed in [0034] and Figure 3 corresponds to the first encryption daemon in a first storage system, 
consistent with the encryption daemon as disclosed in the specification of the instant application in e.g. [0066-0067] to be a device with software and hardware, 
database admin 250 and database processor 255 correspond to the second storage and second daemon, respectively.
the database admin 250 corresponds to a storage device, which is disclosed to be a computing apparatus/hardware as disclosed in [0034] and illustrated in Figure 3, as illustrated in Figure 2 247, the database admin 250 starts the request and sent through the database processes 255, i.e. second daemon); 
wherein the first encryption daemon is implemented within a first storage system that is separate from the second storage system (Block [0027] “As illustrated, the cryptography administrator 240 may include a key broker 245. The key broker 245 may act as a proxy between the key server 120 and the database administrator 250.”, where the cryptography administrator 240, which include the key broker 245 as a dedicated, Linux-based user and consists of a computer device as disclosed in [0034] and Figure 3 corresponds to the first encryption daemon in a first storage system), 
sending the [unencrypted] key request from the second encryption daemon to the first encryption daemon, utilizing a hardwired connection between the second encryption daemon and the first encryption daemon (Block [0026] “The cryptography administrator 240 may receive a request for a key and/or may provide the response which includes the key through a key access protocol 247”, [0027] “As illustrated, the cryptography administrator 240 may include a key broker 245. The key broker 245 may act as a proxy between the key server 120 and the database administrator 250. The key broker 245 can be a broker that signs requests for encryption/decryption keys.”, [0005] “Such multiple computing systems can be connected and can exchange data and/or commands or other instructions or the like via one or more connections, including but not limited to a connection over a network (e.g. the Internet, a wireless wide area network, a local area network, a wide area network, a wired network, or the like), via a direct connection between one or more of the multiple computing systems, etc.”, further disclosed in [0035]); and 
receiving the requested key at the second encryption daemon from the first encryption daemon(Block [0027] “…the response stored transiently at the key broker 245 may include a requested key, encrypted with the database processes' public key 218.”, [0030] “…The key server 120 may then generate the response with the identified key, and encrypt the response using the database processes' public key 218.”, where the response comprising the encrypted requested key to be sent to the database, i.e. storage device 250, through the proxy 240 as disclosed in [0027], i.e. first encryption daemon, [0031] “the response providing the key may be both encrypted and signed…the response containing the key reaches the key broker 245, it may be encrypted with the database processes' public key 218 and signed with the key server's private key. The key broker 245 may verify the signature of the response, and upon verification, provide the requested keys to the database processes 255. The database processes 255 may decrypt the response (e.g., using its own private key), and obtain the security keys, which may be temporarily held in working memory (e.g., as transient keys 265) for use in encrypting and/or decrypting data.”).
Block discloses the aforementioned limitations and further discloses receiving a key request, however, Block does not disclose that the request is in unencrypted form.
Bent discloses receiving an unencrypted request/query ((Bent illustrates in Figure 1 a computer system in a higher security domain 110 sending a plain text query/request to a computer system in lower security domain 150, via a device in first shared security domain 130, i.e. first encryption daemon, which performs an encryption on the query/request then passing the encrypted query/request to the entity in the lower security domain 150,
[0004] “a computer system is provided for a first entity in a higher security domain to query a second entity in a lower security domain.”,
[0019] In computer security, an example shared security zone (e.g. 130, 170 of FIG. 1), sometimes referred to as a perimeter network, is a physical or logical subnetwork that contains and exposes an organization's external-facing services to a larger and untrusted network… The purpose of a shared security zone is to add an additional layer of security to an organization's local area network (LAN); an external network node only has direct access to equipment in the shared security zone, rather than any other part of the network.”, [0030] “If the optional step of validation is not carried out, or the plain text query 112 is successfully validated at 306, then, at 308, query encryption module 132 in the first shared security zone 130 encrypts the plain text query 112 using an FHE scheme to produce an encrypted plain text query…At 310, the encrypted plain text query is passed by the query encryption module 132 to the FHE matching application 152 in the lower security domain 150.”)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Block to incorporate the teaching of Bent to utilize the above feature, with the motivation of using a security layer for an organization with local area network such that it protects the organization within its network, e.g. higher security domain from external network nodes, as recognized by (Bent [0019]).
Block in view of Bent disclose the aforementioned limitations, however, Block in view of Bent do not disclose the below limitations.
Shastri discloses determining, by the second encryption daemon, that the second encryption daemon is unable to establish second encryption daemon and an encryption key server (Shastri [0032] “Still with FIG. 1, when the user agent 102 blocks data communications through the unsecured communications connection 103, the remote client 103 is left with only the option of communicating with the external message server 110 over the VPN connection 101. A VPN connection 101 is established whenever the remote client's 104 VPN client 106 successfully negotiates a communications connection with the VPN gateway 112 via communications tunneling.”, 
when the client 102, i.e. second demon, which establishes unsecured connection 103 with the messaging server 103 as disclosed in [0027], determines that the messaging server 110 is of a restricted type or unauthorized attempts being detected, as disclosed in [0029, 0031], and the client is only able to communicate with the server 110 directly through the unsecured connection 103, i.e. unable to directly communicate with the server 110 through a secured manner, then the client is left with the “only option”, as disclosed above in [0032], to send the communication to the VPN gateway, i.e. first daemon, consistent with the encryption daemon disclosed in the specification of the instant application in e.g. [0066-0067] to be a device with software and hardware); 
P201806655US01/TUC1P568- 7 -identifying, by the second encryption daemon, metadata indicating that a first encryption daemon is capable of communicating with the encryption key server (Shastri Figure 1 [0027] “As depicted, when a remote client 102 communicates with an external message server 110, the client 102 may choose to use one of two alternative types of communications connections; an unrestricted communication connection 103 or a virtual private network (VPN) connection 101.”, [0032] “Still with FIG. 1, when the user agent 102 blocks data
 communications through the unsecured communications connection 103, the remote client 103 is left with only the option of communicating with the external message server 110 over the VPN connection 101. A VPN connection 101 is established whenever the remote client's 104 VPN client 106 successfully negotiates a communications connection with the VPN gateway 112 via communications tunneling.”, where the client is configured to select the only option, for secure communication with the server 110, through the VPN server, VPN gateway, i.e. first daemon, to securely communicate with the server 110, where the client 102 stores knowledge/information/metadata and instructions that instructs and indicates to the client 102 that when the unsecured connection 103 is blocked, then the client 102 is to establish communication through the VPN gateway 112 through the connection 101, consistent with the description of metadata described only once in the specification of the instant application in [0096] “the first encryption daemon 806A may store metadata indicating that the second encryption daemon 806B is capable of communicating with the encryption key server 808.P201806655US01/TUC1P568 Page 29 of 47”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Block in view of Knas and Bent to incorporate the teaching of Shastri to utilize the above feature, with the motivation of impede vulnerabilities and malicious attacks, as recognized by (Shastri [0006], [0031] and throughout).
Block discloses the database admin 250 corresponding to the second storage system, which includes data processes 255 corresponding to the second daemon, which obtains the key request from the database admin, i.e. second storage system, however, Block in view of Bent and Shastri do not disclose that the request is obtained/received/intercepted, by the database processes, from a storage device within the database admin 250.
Skrenta discloses intercepting, by a second encryption daemon implemented within a second storage system, a request from a second storage device located within the second storage system (Skrenta illustrates in Figure 9 node 910, i.e. second storage system, where a reader daemon 914, i.e. storage device, sends a request/query, to get data, to a RAM daemon, within the node 910 as disclosed in [0193] “A request to get data 912 is received at Node 1 910. The get data request 912 corresponds to a request to get a row from the database such as cluster 810. When the request is made, the row key is first hashed to determine which buckets the row appears in. The get data request 912 is received by a reader daemon 914 in Node 1 910”, [0194] “The reader daemon 914 first checks the cache 916 to determine whether the requested data 912 is already stored in the cache 916…the reader daemon 914 may include a RAM cache (not shown) in addition to cache 916, or the node 910 may include a RAM cache daemon, configured to store data from buckets for responding to queries faster.”, where node 910 correspond so the second storage system, an alternative interpretation includes bucket daemon 924, i.e. second daemon, intercepts a request 924 from Reader daemon 914, i.e. storage device, where the bucket daemon processes the request through 948 in Disk 944, as disclosed in [0194-0196], where the second storage system comprising 910 and 940).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Block in view of Knas, Bent and Shastri to incorporate the teaching of Skrenta to utilize the above feature, with the motivation of faster access and responses, as recognized by (Skrenta [0194]).
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BASSAM A NOAMAN whose telephone number is (571)272-2705. The examiner can normally be reached Monday-Friday 8:30 AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A. Shiferaw can be reached on (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/BASSAM A NOAMAN/Examiner, Art Unit 2497