DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This office action is in response to communication filed on 11/08/2019.
Status of claims in the instant application:
Claims 1-20 are pending.
Information Disclosure Statement
Information Disclosure Statements (IDS) filed on 11/08/2019 have been considered, and a signed copies of the IDS forms have been attached to this office action.
Claim Interpretation
The claims of the instant application do not invoke interpretation under 35 USC 112(f).
It is in the Examiner’s opinion that claims of the instant application do not recite any abstract idea per “2019 Revised Patent Eligibility Guideline”.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 3, 4, 5, 9, 10, 11, 12, 13, 14, 15, 16, 18 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Pat. No.: US 9817605 B2 to Fellner et al. (hereinafter “Fellner”) in view of Pub. No.: US 20170346807 A1 to Blasi (hereinafter “Blasi”).
Regarding Claim 1. Fellner discloses A system (Fellner, FIG. 1, Col.3,ln.33-36: FIG. 1 is a block diagram of a first particular illustrative embodiment of a system including a data storage device, a host device, and a cloud storage system configured to store data associated with content of the data storage device …) comprising:
a plurality of processing devices arranged as a collection (Fellner, FIG. 1, Col.4,ln.1-7: … FIG. 1 is a block diagram of a particular illustrative embodiment of a system 100 including a cloud storage system 150, a host device 130, and one or more data storage devices (processing devices) , such as a first data storage device 102 and a second data storage device 108. The system 100 may enable storage of and access to data associated with content stored in the one or more data storage devices …), each processing device 5storing a storage token comprising a unique ID value associated with the corresponding processing device (Fellner, FIG. 1, Col.8,ln.38-53: …  Each of the data storage devices 102, 108 may include or be associated with an identifier and a user-identifier. The identifier, such as a media device identifier, may be unique to each data storage device. For example, the identifier may be assigned to the data storage device by a manufacturer of the data storage device. In FIG. 1, the data storage devices 102 and 108 have the identifiers “ID_1” and “ID_2,” respectively. The user-identifier (e.g., user-identifiers 121 and 123) may be set (e.g., selected) by a user of the data storage device when the data storage device is introduced to a client application, such as the client application 134, or when the data storage device is registered with the cloud storage system 150. The user-identifier may be an alphanumeric string that is meaningful to the user and that is relatively easy for the user to remember. In FIG. 1, the user-identifier 121 is “Work-01” and the user-identifier 123 is “Home.” …); and
However Fellner does not explicitly teach, but Blasi from same or similar field of endeavor teaches:
“an edge computing device coupled between the plurality of processing devices and an external network, the edge computing device configured to perform a network authentication of the edge computing device over the external 10network with a remote server using an edge token, and to perform a local authentication of the collection using the storage tokens of the respective processing devices, the local authentication not utilizing the external network or the remote server (Blasi, Abstract, Para [0021, 0015]: … Technologies for token-based access authorization to an application program interface (API) include an access management server  (edge computing device) to receive a service request message from an application executed by a remote computing device. The service request message includes a digitally signed license token (storage token) previously generated by the access management server and distributed to the remote computing device (processing device). The service request message also includes a request from the executed application to access data or a service of the resource server via an exposed API. The access management server verifies the digital signature of the digitally signed license token and generates a digitally signed Security Assertion Markup Language (SAML) token (edge token). The digitally signed SAML token is transmitted to the resource server (remote server) for verification and local caching. The resource server receives the service request message and determines whether access to the requested data or service is authorized based on the locally-cached SAML token …  Referring now to FIG. 1, in one embodiment, a system 100 for provisioning and using a signed custom token for authentication and authorization of distributed computing resources includes an access management server 110 in communication with a remote computing device 130 and a resource server 140 via one or more communication network(s). It should be appreciated that although the system 100 includes a single remote computing device 130 and a single resource server 140 in the illustrative embodiment, the system 100 can include any number of remote computing devices 130 and resource servers 140, in other embodiments …).”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Blasi into the teachings of Fellner because it discloses that “a service, or a computing device (e.g., the remote computing device 130) associated with an entity (e.g., an ISV or another type of entity) requesting access to data or a service provided by a resource server 140 via one or more exposed APIs. As such, the license identifier 322 generated by the access management server 110 can be configured to uniquely identify the digitally signed license token 300 that is to be generated for use by the requesting entity and associated computing devices and applications (Blasi, Para [0037])”.
Regarding Claim  152. The combination of Fellner-Blasi discloses the system of claim 1, Blasi further discloses, “wherein the network authentication of the edge computing device comprises a data exchange across the external network with the remote server (Blasi, Para [0051]: … In flow 416, the resource server 140 verifies the integrity or authenticity of the received SAML token based on the digital signature appended thereto (e.g., embedded within a SAML token signature element). To do so, the resource server 140 can decrypt the digital signature of the SAML token using the public key that corresponds to the private key used by the access management server (edge computing device) 110 to initially generate the digital signature. By decrypting the digital signature of the SAML token, the resource server (remote server) 140 can, in some embodiments, obtain a previously-generated hash value of the SAML token. In such embodiments, the resource server 140 can generate a new hash value of the SAML token and verify that the newly-generated hash value matches the previously-generated hash value obtained from decrypting the digital signature of the SAML token. In flow 418, in response to verifying the integrity and authenticity of the received SAML token, the resource server 140 can locally cache the SAML token and the associated entitlements …), and wherein the local authentication of the collection does not include a data exchange across the external network with the remote server (Blasi, Para [0048]: … At flow 408, the access management server (edge computing device) 110 generates a new hash value of the unencrypted payload portion 320 of the digitally signed license token 300. To do so, the access management server 110 can apply a hashing algorithm (e.g., SHA-256, SHA-512, etc.) to the unencrypted payload portion 320 of the received digitally signed license token 300 to generate the new hash value. At flow 410, the access management server 110 compares the previously-generated hash value obtained by decrypting the digital signature 340 with the new hash value generated from the unencrypted payload portion 320 of the received license token 300. If the newly-generated hash value matches the previously-generated hash value, then the payload portion 320 of the digitally signed license token 300 was not modified prior to being received (or intercepted) by the access management server 110. In that way, the access management server 110 can verify the integrity or authenticity of the license token 330 provided by the requesting entity (e.g., the ISV application 132) …).”
The motivation to further combine Blasi remains same as in claim 1.
Regarding Claim  203. The combination of Fellner-Blasi discloses the system of claim 1, Blasi further discloses, “wherein both the edge token and the storage tokens incorporate at least a portion of a client token associated with a client device (Blasi, Para [0038, 0050]: … In block 204, the access management server 110 determines a unique key 326 (e.g., a license key, an API key, etc.) to embed within the digitally signed license token 300 that is to be generated for the requesting entity (e.g., the ISV and/or the ISV application 132). The unique key 326 can be embodied as a string of characters and can be unique to the requesting entity …  in response to determining that the newly-generated hash value of the unencrypted payload portion 320 of the received digitally signed license token 300 matches the previously-generated hash value of the unencrypted payload portion 320 obtained via decryption of the digital signature 340, the access management server 110 generates a signed Security Assertion Markup Language (SAML) token for authorizing the ISV application 132 (or other application or service) to access the exposed APIs of the resource server 140. In the illustrative embodiment, the signed SAML token generated by the access management server 110 includes one or more entitlements corresponding to the requesting entity (e.g., the ISV or other entity) and/or the ISV application 132 …).”
The motivation to further combine Blasi remains same as in claim 1.
Regarding Claim 4. The combination of Fellner-Blasi discloses the system of claim 1, Fellner further discloses, “wherein the edge token and the storage tokens are respectively generated during a registration process with the remote server from a client 25token associated with a user of the client device, the client device coupled to the processing devices via the edge computing device and the external network (Fellner; col.6,ln.59-67; col.7,ln.1-12; col.5,ln.45-67; col.6,ln.1-6:  The client application 134 may be configured to register a data storage device, such as the first data storage device 102 or the second data storage device 108 with the cloud storage system 150, to generate directory information corresponding to a data storage device, and/or to initiate an update to the data structure 154. For example, when the host device 130 is coupled to a data storage device, the client application 134 may request and receive an identifier (e.g., a unique media device identifier) of the data storage device. The client application 134 may send the identifier to the cloud storage system 150 (e.g., to the network application 152) to determine if the data storage device is registered with the cloud storage system 150. If the data storage device is registered, the host device 130 may receive directory information associated with the registered data storage device from the cloud storage system 150 … If the data storage device is not registered, the host device 130 may receive a message 194 from the cloud storage system 150 indicating that the data storage device is unregistered. In response to the message 194, the client application 134 may register the particular data storage device. … Additionally or alternatively, the network application 152 may be configured to perform a search operation on the data structure 154 to identify one or more entries or to perform a look-up operation to identify a particular entry in the data structure 154. For example, the network application 152 may perform the search operation or the look-up operation based on a request received from the host device 130. To enable the network application 152 to search the entries of the data structure 154 or to look-up a particular entry of the data structure 154, the data structure 154 may be indexed to be searched by an identifier value, by a user-identifier value, and/or by a data value associated with the directory information. Based on the search operation or the look-up operation, the network application 152 may generate a result and may send the result (such as via a message) to the host device 130. Examples of performing searches and look-ups of directory information are further described with reference to FIG. 2 … The network application 152 may also be configured to generate and maintain one or more user accounts associated with the cloud storage system 150. For example, a user may use the host device 130 to create an account with the cloud storage system 150. The user account may include a user profile (e.g., contact information, demographic information, etc.) and may be associated with a set of entries included in the data structure 154. Alternately, the data structure 154 may be specific to the user, and the cloud storage system 150 may store such data structures for each registered user …; ).”
Regarding Claim 5. The combination of Fellner-Blasi discloses the system of claim 1, Blasi further discloses, “wherein the edge computing device performs the local authentication of the collection [by accessing a table as a data structure in a keystore 30memory that associates the storage tokens] with the respective processing devices (Blasi, Para[0015, 0017, 0033]: … Referring now to FIG. 1, in one embodiment, a system 100 for provisioning and using a signed custom token for authentication and authorization of distributed computing resources includes an access management server 110 in communication with a remote computing device 130 and a resource server 140 via one or more communication network(s). It should be appreciated that although the system 100 includes a single remote computing device 130 and a single resource server 140 in the illustrative embodiment, the system 100 can include any number of remote computing devices 130 and resource servers 140, in other embodiments … to facilitate authentication and authorization of the ISV application 132 or, more generally, the remote computing device 130, a digitally signed license token is generated by the access management server 110 and provisioned to the ISV for use in connection with the ISV application 132 and/or the remote computing device 130. In the illustrative embodiment, the digitally signed license token generated and provisioned by the access management server 110 has a custom or proprietary token format configured to be used by the ISV application 132 and/or the remote computing device 130 as a root, primary, or shared secret credential for system-to-system authentication … The resource server 140 is configured to provide services and/or data to the remote computing device 130 and/or ISV application 132 via one or more exposed APIs. Prior to providing such services and data, the remote computing device 130 and/or the ISV application 132 can be required to be authenticated and authorized by the access management server 110 and/or the resource server 140… ).”
The motivation to further combine Blasi remains same as in claim 1.
Fellner further discloses, “a table as a data structure in a keystore 30memory that associates the storage tokens (Fellner, FIG. 1; Col.4,ln.45-67; Col.5,ln.1-7: … The cloud storage system 150 (e.g., a cloud-based service) may be configured to maintain a record (e.g., a database) of data storage devices, such as the data storage devices 102, 108. The cloud storage system 150 may include a network application 152 and a data structure 154. The network application 152 may be executed by one or more computing devices, such as servers, that are included in or coupled to the cloud storage system 150. The data structure 154 may be configured as a table or other data structure to track one or more entries. Although the data structure 154 is illustrated as being a single data structure, the data structure 154 may be distributed throughout the cloud storage system 150, such as distributed throughout multiple network-based storage devices or servers included in or coupled to the cloud storage system 150, as described further with reference to FIG. 2 … Each entry (e.g., row) of the data structure 154 may correspond to a data storage device. Each entry may include an identifier (e.g., a unique media device identifier), a user-identifier (e.g., an identifier that is user-selectable and unique to a user), and directory information (e.g., a log file), as illustrative, non-limiting examples. To illustrate, a first entry of the data structure 154 may correspond to the first data storage device 102 and may include a first identifier (ID_1), a first user-identifier (Work-01), and first directory information (<log 1>). A second entry of the data structure 154 may correspond to the second data storage device 108 and may include a second identifier (ID_2), a second user-identifier (Home), and second directory information (<log 2>) …)”
Regarding Claim 9. The combination of Fellner-Blasi discloses the system of claim 1, Blasi further discloses, “wherein the edge computing device locally authenticates the collection by forwarding a first query to each of the processing devices, and evaluating a corresponding response from each of the processing devices generated 20using the storage token associated with each of the processing devices (Blasi, Para [0038-0040, 0050]: … the access management server 110 determines a unique key 326 (e.g., a license key, an API key, etc.) to embed within the digitally signed license token 300 that is to be generated for the requesting entity (e.g., the ISV and/or the ISV application 132). The unique key 326 can be embodied as a string of characters and can be unique to the requesting entity … In block 208, the access management server 110 generates the license token 300 for the requesting entity (e.g., the ISV or the ISV application 132). The license token 300 includes header data 310 and a payload 320. The header data 310 includes data and fields that define the structure of the license token 300 … in response to determining that the newly-generated hash value of the unencrypted payload portion 320 of the received digitally signed license token 300 matches the previously-generated hash value of the unencrypted payload portion 320 obtained via decryption of the digital signature 340, the access management server 110 generates a signed Security Assertion Markup Language (SAML) token for authorizing the ISV application 132 (or other application or service) to access the exposed APIs of the resource server 140. In the illustrative embodiment, the signed SAML token generated by the access management server 110 includes one or more entitlements corresponding to the requesting entity (e.g., the ISV or other entity) and/or the ISV application 132 …).”
The motivation to further combine Blasi remains same as in claim 1.
Regarding Claim 10. The combination of Fellner-Blasi discloses the system of claim 1, Fellner further discloses, “wherein the processing devices comprise data storage devices each having a data storage device controller circuit and a non-volatile memory (NVM) to store user data supplied by the edge computing device (Fellner, FIG. 2: … element 220 of FIG. 2 – Controller; element 240 of FIG. 2 - non-volatile memory (NVM)  …).”
Regarding Claim 11. The combination of Fellner-Blasi discloses the system of claim 1, Blasi further discloses, “wherein the edge computing device comprises a crypto circuit that applies a cryptographic function to cryptographically protect the storage tokens and the edge token in a keystore memory of the edge computing device (Blasi, Para [0003, 0035]: … The method further includes decrypting, by the access management server, the digital signature of the digitally signed license token with a corresponding public key of the cryptographic key pair to obtain the previously-generated hash value of the unencrypted payload portion of the digitally signed license token. Additionally, the method includes generating, by the access management server, a new hash value of the unencrypted portion of the digitally signed license token. The method also includes determining, by the access management server, whether the new hash value of the unencrypted portion of the digitally signed license token matches the previously-generated hash value of the unencrypted portion of the digitally signed license token. The method further includes generating, by the access management server, a digitally signed Security Assertion Markup Language (SAML) token in response to a determination that the new hash value matches the previously-generated hash value. The digitally signed SAML token includes one or more entitlements defining access rights of the remote computing device … The global access cache 160 (keystore) can be embodied as any type of computing device capable of performing the functions described herein. As such, the global access cache 160 can include devices and structures commonly found in computing devices such as processors, memory devices, communication circuitry, and data storages, which are not shown in FIG. 1 for clarity of the description. As discussed herein, the global access cache 160 can be configured to store, cache, and/or manage one or more SAML tokens received from the access management server 110 in connection with an access request from the ISV application 132. In some embodiments, one or more entitlements can be stored in association with each of the SAML tokens managed by the global access cache 160. The entitlements granularly define the access rights of the ISV application 132 or, more generally, the corresponding ISV (or other entity) with respect to the resource server 140 and/or the services and data provided thereby …)”.
The motivation to further combine Blasi remains same as in claim 1.
Regarding Claim 12. Fellner discloses A method (Fellner, Abstract: … A method performed in a host device includes receiving an input based on a user-visible code associated with a data storage device. The user-visible code corresponds to an identifier of the data storage device  …) comprising:
registering, via an external network, each of an edge computing device and a plurality of local processing devices with a remote server, the edge computing device coupled between the local processing devices and the 5external network (Fellner, FIG. 1, Col.2,ln.1-26: … The host device may be configured to couple (e.g., physically or wirelessly) to the data storage device. The host device (edge computing device) may include an application to determine whether the data storage device is registered with the cloud storage system. For example, the host device may receive an identifier (e.g., a media digital identifier) from the data storage device and may send the identifier to the cloud storage system. If the host device receives a message from the cloud storage system indicating that the data storage device is not registered, the host device may register the data storage device using the application …);
However Fellner does not explicitly teach Blasi from same or similar field of endeavor teaches:
“performing a network authentication of the registered edge computing device via the external network using an edge token generated during the registration of the edge computing device (Blasi, Abstract: The access management server verifies the digital signature of the digitally signed license token and generates a digitally signed Security Assertion Markup Language (SAML) token. The digitally signed SAML token is transmitted to the resource server for verification and local caching. The resource server receives the service request message and determines whether access to the requested data or service is authorized based on the locally-cached SAML token …); and
performing a local authentication of the local processing devices by the edge 10computing device without accessing the external network, the local authentication using unique storage tokens associated with the respective local processing devices and generated during the registration of the local processing devices (Blasi, Abstract: Technologies for token-based access authorization to an application program interface (API) include an access management server to receive a service request message from an application executed by a remote computing device. The service request message includes a digitally signed license token previously generated by the access management server and distributed to the remote computing device. The service request message also includes a request from the executed application to access data or a service of the resource server via an exposed API. The access management server verifies the digital signature of the digitally signed license token and generates a digitally signed Security Assertion Markup Language (SAML) token. The digitally signed SAML token is transmitted to the resource server for verification and local caching …).”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Blasi into the teachings of Fellner because it discloses that “a service, or a computing device (e.g., the remote computing device 130) associated with an entity (e.g., an ISV or another type of entity) requesting access to data or a service provided by a resource server 140 via one or more exposed APIs. As such, the license identifier 322 generated by the access management server 110 can be configured to uniquely identify the digitally signed license token 300 that is to be generated for use by the requesting entity and associated computing devices and applications (Blasi, Para [0037])”.
Regarding Claim  1513. The combination of Fellner-Blasi discloses the method of claim 12, Blasi further discloses, “wherein the edge token and each of the storage tokens are generated responsive to a client token associated with a client device configured to interact with data associated with the local processing devices (Blasi, Para [0009, 0017, 0021]: … FIG. 2 is a simplified flow diagram of at least one embodiment of a method that may be executed by the access management server of FIG. 1 for generating and provisioning a signed custom token …).”
The motivation to further combine Blasi remains same as in claim 12.
Regarding Claim 14. The combination of Fellner-Blasi discloses the method of claim 13, Blasi further discloses, “wherein the client token comprises an encryption 20key used to encrypt data stored by the local processing devices (Blasi, Para [0043]: … the access management server 110 generates a digital signature 340 for the license token 300 based at least in part on, or otherwise as a function of, the data and fields embedded within the payload 320 of the license token 300. To do so, in some embodiments, the access management server 110, in block 224, generates a hash of the unencrypted (e.g., cleartext) data and fields embedded within the payload 320 of the license token. In the illustrative embodiment, the access management server 110 utilizes a SHA-256 or a SHA-512 hashing algorithm to generate the hash of the unencrypted payload 320. Additionally, in block 226, the access management server 110 encrypts the hash of the payload 320 with an RSA or an AES encryption algorithm (e.g., an RSA private key, an AES shared secret, etc.) to generate the digital signature 340. It should be appreciated that the access management server 110 can use any other type of hashing algorithm and/or encryption algorithm to generate the digital signature 340 …).”
The motivation to further combine Blasi remains same as in claim 13.
Regarding Claim 15. This claim contains all the same or similar limitations as claim 2, and hence similarly rejected as claim 2.
Regarding Claim 16. This claim contains all the same or similar limitations as claim 5, and hence similarly rejected as claim 5.
Regarding Claim 18. The combination of Fellner-Blasi discloses the method of claim 12, Fellner further discloses, “wherein each of the local processing devices is 10characterized as a solid-state drive (SSD) comprising NAND flash memory (Fellner, FIG. 2; col.11,ln.57-67: … The controller 220 may be coupled to the non-volatile memory 204 via a bus 214, an interface, another structure, or a combination thereof. The non-volatile memory 204 may include a flash memory (e.g., a NAND flash memory or a NOR flash memory) … the data storage device may be a portable device configured to be selectively coupled to one or more external devices. For example, the data storage device may be a removable device such as a Universal Serial Bus (USB) flash drive or a removable memory card, as illustrative examples. In a particular embodiment, a non-volatile memory of the data storage device, such as the non-volatile memory 204 of FIG. 2, includes a flash memory (e.g., NAND, NOR, Multi-Level Cell (MLC) …).”
Regarding Claim 19. Fellner A storage device (Fellner, FIG. 1: elements 102, 108 in FIG. 1), comprising:
a non-volatile memory (NVM) (Fellner, FIG. 2: … element 220 of FIG. 2 – Controller; element 240 of FIG. 2 - non-volatile memory (NVM)  …);
a keystore memory (Fellner, FIG. 1; Col.4,ln.45-67; Col.5,ln.1-7: … The cloud storage system 150 (e.g., a cloud-based service) may be configured to maintain a record (e.g., a database) of data storage devices, such as the data storage devices 102, 108. The cloud storage system 150 may include a network application 152 and a data structure 154 … The data structure 154 may be configured as a table or other data structure to track one or more entries … Each entry (e.g., row) of the data structure 154 may correspond to a data storage device. Each entry may include an identifier (e.g., a unique media device identifier), a user-identifier (e.g., an identifier that is user-selectable and unique to a user), and directory information (e.g., a log file), as illustrative, non-limiting examples. To illustrate, a first entry of the data structure 154 may correspond to the first data storage device 102 and may include a first identifier (ID_1), a first user-identifier (Work-01), and first directory information (<log 1>). A second entry of the data structure 154 may correspond to the second data storage device 108 and may include a second identifier (ID_2), a second user-identifier (Home), and second directory information (<log 2>) …; Examiner’s note: identifiers are interpreted as keys); and
a controller circuit (Fellner, FIG. 2: element 220 in FIG. 2 – controller ) configured to store a storage token in the keystore memory 5responsive to a registration process in which the controller circuit communicates, via an external network, with a remote server to register the storage device with a selected client (Fellner; col.6,ln.59-67; col.7,ln.1-12; col.5,ln.45-67; col.6,ln.1-6: … During operation of the system 200, the server 260 may receive a registration request 288 including registration information from the first host device 280. The registration request 288 may be associated with registering the data storage device 202 with the cloud storage system 150. The registration information may include the log file 240 (e.g., the identifier 242, the user-identifier 244, and/or the directory information 246). Based on the registration request 288, the server 260 may initiate (e.g., send an instruction to) the network-based storage device 270 to generate an entry in the data structure 276 that corresponds to the data storage device 202. The entry may include the registration information …  The client application 134 may be configured to register a data storage device, such as the first data storage device 102 or the second data storage device 108 with the cloud storage system 150, to generate directory information corresponding to a data storage device, and/or to initiate an update to the data structure 154. For example, when the host device 130 is coupled to a data storage device, the client application 134 may request and receive an identifier (e.g., a unique media device identifier) of the data storage device. The client application 134 may send the identifier to the cloud storage system 150 (e.g., to the network application 152) to determine if the data storage device is registered with the cloud storage system 150. If the data storage device is registered, the host device 130 may receive directory information associated with the registered data storage device from the cloud storage system 150 … If the data storage device is not registered, the host device 130 may receive a message 194 from the cloud storage system 150 indicating that the data storage device is unregistered. In response to the message 194, the client application 134 may register the particular data storage device. … Additionally or alternatively, the network application 152 may be configured to perform a search operation on the data structure 154 to identify one or more entries or to perform a look-up operation to identify a particular entry in the data structure 154. For example, the network application 152 may perform the search operation or the look-up operation based on a request received from the host device 130. To enable the network application 152 to search the entries of the data structure 154 or to look-up a particular entry of the data structure 154, the data structure 154 may be indexed to be searched by an identifier value, by a user-identifier value, and/or by a data value associated with the directory information. Based on the search operation or the look-up operation, the network application 152 may generate a result and may send the result (such as via a message) to the host device 130. Examples of performing searches and look-ups of directory information are further described with reference to FIG. 2 … The network application 152 may also be configured to generate and maintain one or more user accounts associated with the cloud storage system 150. For example, a user may use the host device 130 to create an account with the cloud storage system 150. The user account may include a user profile (e.g., contact information, demographic information, etc.) and may be associated with a set of entries included in the data structure 154. Alternately, the data structure 154 may be specific to the user, and the cloud storage system 150 may store such data structures for each registered user …; ), [the controller circuit further configured to use the storage token responsive to a subsequent local authentication process with an edge computing device coupled between the storage device 10and the external network to authenticate the edge computing device as being authorized by the selected client].
However Fellner does not explicitly teach, but Blasi from same or similar field of endeavor teaches:
“the controller circuit further configured to use the storage token responsive to a subsequent local authentication process with an edge computing device coupled between the storage device 10and the external network to authenticate the edge computing device as being authorized by the selected client (Blasi, Abstract, Para [0005, 0021, 0015]: … the present disclosure is directed, in part, to an access management server for token-based access authorization to an application program interface (API). The access management server includes logic stored in memory, which when executed by a processor (controller circuit) of the access management server, causes the access management server to receive, from a remote computing device, a service request message requesting access to an API of a resource server … Technologies for token-based access authorization to an application program interface (API) include an access management server  (edge computing device) to receive a service request message from an application executed by a remote computing device. The service request message includes a digitally signed license token (storage token) previously generated by the access management server and distributed to the remote computing device (processing device). The service request message also includes a request from the executed application to access data or a service of the resource server via an exposed API. The access management server verifies the digital signature of the digitally signed license token and generates a digitally signed Security Assertion Markup Language (SAML) token (edge token). The digitally signed SAML token is transmitted to the resource server (remote server) for verification and local caching. The resource server receives the service request message and determines whether access to the requested data or service is authorized based on the locally-cached SAML token …  Referring now to FIG. 1, in one embodiment, a system 100 for provisioning and using a signed custom token for authentication and authorization of distributed computing resources includes an access management server 110 in communication with a remote computing device 130 and a resource server 140 via one or more communication network(s). It should be appreciated that although the system 100 includes a single remote computing device 130 and a single resource server 140 in the illustrative embodiment, the system 100 can include any number of remote computing devices 130 and resource servers 140, in other embodiments …).”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Blasi into the teachings of Fellner because it discloses that “a service, or a computing device (e.g., the remote computing device 130) associated with an entity (e.g., an ISV or another type of entity) requesting access to data or a service provided by a resource server 140 via one or more exposed APIs. As such, the license identifier 322 generated by the access management server 110 can be configured to uniquely identify the digitally signed license token 300 that is to be generated for use by the requesting entity and associated computing devices and applications (Blasi, Para [0037])”.
Claims 6 and 7 are rejected under 35 U.S.C. 103 as being unpatentable over Pat. No.: US 9817605 B2 to Fellner et al. (hereinafter “Fellner”) in view of Pub. No.: US 20170346807 A1 to Blasi (hereinafter “Blasi”), as applied to claim 1 above, and further in view of Pat. No.: US 8024784 B1 to ISSA (hereinafter “ISSA”).
Regarding Claim 6. The combination of Fellner-Blasi discloses the system of claim 1, however it does not explicitly teach, but ISSA from same or similar field of endeavor teaches, “wherein the storage token stored by each of the processing devices is characterized as an internal token, and wherein each processing device further stores an external token comprising the internal token of a different one of the processing devices in the collection (ISSA, col.3,ln.35-64: … The token repository 120 is used to store tokens, such as the token 130. Note that although one token 130 is denoted and only three tokens are depicted for clarity, in general, a large number of tokens may exist at any given time in the network 100. FIG. 2 is a more detailed diagram of one embodiment of a token 130 in accordance with the present invention. Referring to FIGS. 1 and 2, the token 130 includes authentication information for the user and the peer 160. Thus, the token 130 includes a token identification 131, the peer name 133 of the peer 160, an encrypted username 134 and an encrypted password 135. The token identification 131 includes a unique identification for the token. The peer name indicates the peer 160 with which the token 130 is associated. The encrypted username 134 and encrypted password 135 are for the user that has been authenticated by the remote authentication server 110  …).”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of ISSA into the combined teachings of Fellner-Blasi because it discloses that “(20) using the method 200 and network 100, the peer owner can remotely and securely access the peer 160. Furthermore, this is accomplished without the expense of obtaining secure certificates and without the complexity of conventional systems, such as KERBEROS based systems (ISSA, col.6,ln.1-5)”.
Regarding Claim 7. The combination of Fellner-Blasi-ISSA discloses the system of claim 6, Blasi further discloses, “wherein the edge computing device performs the local authentication by retrieving each of the internal and external tokens from each of the processing devices (Blasi, Para [0005]: … the present disclosure is directed, in part, to a system for token-based authentication and access authorization to an application program interface (API). The system includes a remote computing device, an access management server, and a resource server. The access management server is configured to receive, from a remote computing device, a service request message requesting access to an API of a resource server. The service request message includes a digitally signed license token having an unencrypted payload portion and a first digital signature appended thereto. The first digital signature comprises a previously-generated hash value of the unencrypted payload portion encrypted with a private key of a cryptographic key pair. The access management server is further configured to decrypt the first digital signature of the digitally signed license token with a corresponding public key of the cryptographic key pair to obtain the previously-generated hash value of the unencrypted payload portion of the digitally signed license token. Additionally, the access management server is configured to generate a new hash value of the unencrypted portion of the digitally signed license token. The access management server is also configured to determine whether the new hash value of the unencrypted portion of the digitally signed license token matches the previously-generated hash value of the unencrypted portion of the digitally signed license token. The access management server is further configured to generate a digitally signed Security Assertion Markup Language (SAML) token in response to a determination that the new hash value matches the previously-generated hash value …).”
The motivation to further combine Blasi remains same as in claim 1.
Allowable Subject Matter
Claims 8, 17 and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
As allowable subject matter has been indicated, applicant's reply must either comply with all formal requirements or specifically traverse each requirement not complied with.  See 37 CFR 1.111(b) and MPEP § 707.07(a).
Reasons for allowance will be furnished upon allowance.
Pertinent Prior Arts
The following prior arts made of record and not relied upon are considered pertinent to applicant's disclosure.
PGPUB US 20200336322 A1, ASANGHANWA et al.: ASANGHANWA discloses a system meters execution of an application module at an edge computing device. A secure workload package is transmitted securely from a workload provisioning service to the edge computing device. The secure workload package includes the application module, a trusted metering application, and a provisioning service authentication token. The provisioning service authentication token is verified in the secure workload package based on an edge device authentication token generated at the edge computing device. The trusted metering application is executed in a trusted execution environment of the edge computing device, responsive to verifying the provisioning service authentication token. The application module of the edge computing device is executed, wherein the trusted metering application is configured to monitor execution metrics of the application module on the edge computing device. The execution of the application module is managed based on the monitored execution metrics.
	PGPUB US 20160065563 A1, BROADBENT et al.: BROADBENT discloses a method, system, and apparatus for providing a client access to third-party resources by utilizing third-party access tokens via a network gateway. The method can prevent the third-party access tokens from being exposed directly to the client environment. The client receives a gateway security credential, which encapsulates the third-party access token in an encrypted form. The client provides the gateway access token to the network gateway where the third-party access token is decrypted and then used to access the third-party resource. Client requests to the network gateway are executed using a custom API. The gateway relays the client requests to the appropriate third-party resources using the third-party-specific API with the decrypted third-party access token. Gateway access tokens are short-lived and can be renewed according to the client-environment life cycle.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAHABUB S AHMED whose telephone number is (571)272-0364.  The examiner can normally be reached on 9AM-5PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/MAHABUB S AHMED/Examiner, Art Unit 2434
/KAMBIZ ZAND/Supervisory Patent Examiner, Art Unit 2434