DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
The present application, filed on December 9, 2020, is accepted.
Claims 1 – 20 are being considered on the merits.

Drawings
The drawings, filed on December 9, 2020, are accepted.

Specification
The specification, filed on December 9, 2020, is accepted.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1 – 2, 5, 8 – 9, 12, 15 – 16 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over US 9037856 B2 to Bestler et al., (hereinafter, “Bestler”) in view of US 9195851 B1 to Chandra.
Regarding claim 1, Bestler teaches a computer-implemented method, comprising: encrypting, by a host in communication with a storage system, a write data chunk using a first encryption key to generate an encrypted data chunk; [Bestler, col. 5 lines 66 – 67 to col. 6 lines 1 – 2 discloses an encrypted compressed chunk payload 403 is generated by the originating client/proxy 410. This may be accomplished by the originating client/proxy 410 encrypting the compressed chunk payload 402 using the chunk key 404.] encrypting, by the host, the first encryption key with a second encryption key to generate a first encrypted key; [Bestler, col. 6 lines 3 – 9 discloses an encrypted key 405 may be generated by the originating client/proxy 410 encrypting the chunk key 404 specifically for the first chunk server 420 to be able to decrypt it. The first chunk server 420 stores the encrypted compressed chunk payload 403 and the encrypted key 405 (as encrypted specifically for the first chunk server 420).], but Bestler does not teach encrypting, by the host, the first encryption key with a third encryption key to generate a second encrypted key; and transmitting, by the host, at least one of the encrypted data chunk, the first encrypted key, and the second encrypted key to the storage system.  
However, Chandra does teach encrypting, by the host, the first encryption key with a third encryption key to generate a second encrypted key; [Chandra, col. 3 lines 35 – 51 discloses a security client of the second remote client creates a second SU-key. The security client encrypts the second SU-key using the public key (that has been previously received from the security server), and sends the encrypted second SU-key along with the request to the storage system. In response to the request, the security server decrypts the second SU-key using the private key... The storage system retrieves from storage the encrypted data and corresponding encrypted first SU-key. In such an embodiment, the security server decrypts the retrieved first SU-key using the server key, and re-encrypts the first SU-key using the second SU-key received as part of the request. The security server does not decrypt and re-encrypt the retrieved data, thus avoiding wasting computational resources. The storage system then sends the encrypted data and re-encrypted first SU-key (e.g., using the second SU-key) to the second remote client.] and transmitting, by the host, at least one of the encrypted data chunk, the first encrypted key, and the second encrypted key to the storage system. [Chandra, col. 3 lines 12 – 14 discloses in one embodiment, the first remote client sends the encrypted data and encrypted first SU-key to the storage system. Col. 3 lines 34 – 40 discloses a security client of the second remote client creates a second SU-key. The security client encrypts the second SU-key using the public key (that has been previously received from the security server), and sends the encrypted second SU-key along with the request to the storage system. In response to the request, the security server decrypts the second SU-key using the private key.]
Therefore, it would have been obvious to one of ordinary skill within the art before effective filling date to combine Chandra’s system with Bestler’s system, with a motivation for at-rest encryption of the data is offloaded to remote client 101. At-rest encryption of the first SU-key, however, is performed by security server 116 using the server key, which is only available to storage system 104. In order to access the data, the server key is required. Thus, an embodiment of the present invention provides the same level of security protection as a conventional storage system without having to waste computational resources in decrypting the data, and then re-encrypting it prior to storage. Note further that the data is encrypted using a SU-key, which is short-lived. Thus, even if remote client 101 is compromised, only data that was stored during the short duration of when the compromised SU-key was utilized is at risk of being accessed by an unauthorized source. [Chandra, col. 9 lines 5 – 18]

As per claim 2, modified Bestler teaches the method of claim 1, further comprising: generating, by the host, a fingerprint of the write data chunk; and transmitting, by the host, the fingerprint to the storage system. [Bestler, col. 7 lines 9 – 34 discloses a single pass may be taken over the chunk payload 503 to produce both a fingerprint (chunk identifier) 514 and an encrypted chunk payload 515. The fingerprint 514 may be generated by applying a cryptographic hash to the unencrypted (optionally compressed) chunk payload 503. The encrypted (optionally compressed) chunk payload 515 may be encrypted using the chunk key 511. The Chunk Put operation may then be initiated with a packet 520 that is sent from the Client/Proxy to the Chunk Server. The initiating chunk put packet 520 may include the fingerprint 514 and also request modifier which include the transaction ID 501 and the chunk metadata 502. The fingerprint 514 identifies the chunk that is being put. In a preferred embodiment, the fingerprint 514 is the target specified in an HTTP/REST Manifest Put request. The Chunk Server, upon receiving the initiating packet, determines in step 521 whether it (or any of its federated chunk servers) already has a chunk stored with the fingerprint 514. If a chunk with that fingerprint 514 is already stored, then the Chunk Server will return an acknowledgement for the Chunk Put operation to the Client/Proxy. The acknowledgement packet 522 may indicate that the chunk already exists, and, therefore, the client need take no further action. The chunk server may then add a back-reference 554 for the fingerprint-identified chunk.]

Regarding claim 5, modified Bestler teaches the method of claim 1, comprising: generating, by the host, a data package for transmission to the storage system [Bestler, col. 7 lines 55 – 59 discloses When the Client/Proxy provides the chunk payload packets 550 (which deliver the encrypted chunk payload 515), it will also include the encrypted chunk key 512. The encrypted chunk key 512 is encrypted by the Client/Proxy specifically for the target Chunk Server to decrypt.], but Bestler does not teach further the data package including at least one of the encrypted data chunk, the first encrypted key, and the second encrypted key. 
However, Chandra does teach the data package including at least one of the encrypted data chunk, the first encrypted key, and the second encrypted key. [Chandra, col. 3 lines 12 – 14 discloses in one embodiment, the first remote client sends the encrypted data and encrypted first SU-key to the storage system. Col. 3 lines 34 – 40 discloses a security client of the second remote client creates a second SU-key. The security client encrypts the second SU-key using the public key (that has been previously received from the security server), and sends the encrypted second SU-key along with the request to the storage system. In response to the request, the security server decrypts the second SU-key using the private key.]
Therefore, it would have been obvious to one of ordinary skill within the art before effective filling date to combine Chandra’s system with Bestler’s system, with a motivation for at-rest encryption of the data is offloaded to remote client 101. At-rest encryption of the first SU-key, however, is performed by security server 116 using the server key, which is only available to storage system 104. In order to access the data, the server key is required. Thus, an embodiment of the present invention provides the same level of security protection as a conventional storage system without having to waste computational resources in decrypting the data, and then re-encrypting it prior to storage. Note further that the data is encrypted using a SU-key, which is short-lived. Thus, even if remote client 101 is compromised, only data that was stored during the short duration of when the compromised SU-key was utilized is at risk of being accessed by an unauthorized source. [Chandra, col. 9 lines 5 – 18]

Regarding claim 8 – 9 and 15 – 16, they recite features similar to features within claims 1 – 2, therefore, they are rejected in a similar manner.

Regarding claim 12 and 19, they recite features similar to features within claims 5, therefore, they are rejected in a similar manner.

Claims 3 – 4, 10 – 11, and 17 – 18 are rejected under 35 U.S.C. 103 as being unpatentable over US 9037856 B2 to Bestler et al., (hereinafter, “Bestler”) in view of US 9195851 B1 to Chandra in further view of US 11374773 B2 to Kreft.
Regarding claim 3, modified Bestler teaches the method of claim 2, but modified Bestler does not teach further comprising: encrypting, by the host, the fingerprint of the write data chunk. 
However, Kreft does teach further comprising: encrypting, by the host, the fingerprint of the write data. [Kreft, col. 6 lines 59 – 67 disclose a method for generating a software module (i.e. TRUSTLET) is provided. An entity block to be included to the software module is provided. The entity block can be considered executable piece of software/firmware (e.g. providing a given functionality). A fingerprint of the entity block using a hash function is generated. The fingerprint allows the verification of the integrity of the entity block. The fingerprint is then encrypted using the private key of a public key pair, to thereby generate a digital signature of the entity block. The entity block is then combined with the encrypted fingerprint to form an integrity protected entity block.]
Therefore, it would have been obvious to one of ordinary skill within the art before effective filling date to combine Kreft’s system with Bestler’s system, with a motivation to encrypt the fingerprint and random secret key, respectively, are assumed to be provided in form of a certificate originating from the Root Certification Authority. This means the public keys are signed by a Root Certification Authority using a private signing key (part) of a signing key-pair, the public key (part) of which is provided immune against counterfeit in the hardware to execute the software module. [Kreft, col. 32 lines 51 – 58]

Regarding claim 4, modified Bestler teaches the method of claim 3, but modified Bestler does not teach wherein the fingerprint is encrypted using a fourth encryption key. 
However, Kreft does teach wherein the fingerprint is encrypted using a fourth encryption key. [Kreft, col. 32 lines 10 – 13 disclose the fingerprint could be encrypted with the private key of the key-pair using a Digital Signature Algorithm (DSA), or an Elliptic Curve Digital Signature Algorithm (ECDSA), DSA, and ECDSA. ]
Therefore, it would have been obvious to one of ordinary skill within the art before effective filling date to combine Kreft’s system with Bestler’s system, with a motivation to encrypt the fingerprint and random secret key, respectively, are assumed to be provided in form of a certificate originating from the Root Certification Authority. This means the public keys are signed by a Root Certification Authority using a private signing key (part) of a signing key-pair, the public key (part) of which is provided immune against counterfeit in the hardware to execute the software module. [Kreft, col. 32 lines 51 – 58]

Regarding claim 10 – 11 and 17 – 18, they recite features similar to features within claims 3 - 4, therefore, they are rejected in a similar manner.

Claims 6 – 7, 13 – 14, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over US 9037856 B2 to Bestler et al., (hereinafter, “Bestler”) in view of US 9195851 B1 to Chandra in further view of US 20140143823 A1 to Manchester et al., (hereinafter, “Manchester”).
Regarding claim 6, modified Bestler does teach the method of claim 5, but modified Bestler does not teach wherein the data package is generated for transmission to the storage system based on a network characteristic of a communications network. 
However, Manchester does teach wherein the data package is generated for transmission to the storage system based on a network characteristic of a communications network. [Manchester, para. 74 discloses the encoder resource 140 or other suitable resource can be configured to analyze the segments of content to determine bandwidth requirements to transmit the segments of content on different bit rate data streams in a network environment. The encoder resource 140 dynamically adjusts a number of different bit rate data streams into which the segments of content are encoded based at least in part on the bandwidth requirements associated with the segments.]
Therefore, it would have been obvious to one of ordinary skill within the art before effective filling date to combine Manchester’s system with modified Bestler’s system, with a motivation for efficient encoding, the encoder resource 140 encodes the segment up to an appropriate bit rate depending on the bandwidth requirements of the original segment being encoded. [Manchester, para. 128]

Regarding claim 7, modified Bestler teaches the method of claim 6, but modified Bestler does not teach wherein the network characteristic is a bandwidth of the communications network between the host and the storage system, and wherein the bandwidth is below a bandwidth threshold.  
However, Manchester does teach wherein the network characteristic is a bandwidth of the communications network between the host and the storage system, [Manchester, para. 162 lines discloses the data stream 115-1 can be a so-called adaptive bit rate data stream in which the level of quality of data transmitted to the communication device 160-1 varies depending on one or more parameters such as available network bandwidth in network 190, ability of a decoder in the communication device to store and/or process the adaptive bit rate data stream, etc.] and wherein the bandwidth is below a bandwidth threshold. [Manchester, para. 128 discloses analyzing the segments of content to determine bandwidth requirements to transmit the segments of content on different bit rate data streams; encoding the segments of content in accordance with multiple different bit rates; and dynamically adjusting a number of different bit rate data streams into which the segments of content are encoded based at least in part on the bandwidth requirements associated with the segments.] 
Therefore, it would have been obvious to one of ordinary skill within the art before effective filling date to combine Manchester’s system with modified Bestler’s system, with a motivation for efficient encoding, the encoder resource 140 encodes the segment up to an appropriate bit rate depending on the bandwidth requirements of the original segment being encoded. [Manchester, para. 128]

Regarding claim 13 – 14, it recites features similar to features within claims 6 – 7, therefore, it is rejected in a similar manner.

Regarding claim 20, modified Bestler teaches the computer program product of claim 19, but modified Bestler does not teach wherein the data package is generated for transmission to the storage system based on a network characteristic of a communications network and wherein the network characteristic is a bandwidth of the communications network between the host and the storage system, and wherein the bandwidth is below a bandwidth threshold.
However, Manchester does teach wherein the data package is generated for transmission to the storage system based on a network characteristic of a communications network [Manchester, para. 74 discloses the encoder resource 140 or other suitable resource can be configured to analyze the segments of content to determine bandwidth requirements to transmit the segments of content on different bit rate data streams in a network environment. The encoder resource 140 dynamically adjusts a number of different bit rate data streams into which the segments of content are encoded based at least in part on the bandwidth requirements associated with the segments.] and wherein the network characteristic is a bandwidth of the communications network between the host and the storage system, [Manchester, para. 162 lines discloses the data stream 115-1 can be a so-called adaptive bit rate data stream in which the level of quality of data transmitted to the communication device 160-1 varies depending on one or more parameters such as available network bandwidth in network 190, ability of a decoder in the communication device to store and/or process the adaptive bit rate data stream, etc.] and wherein the bandwidth is below a bandwidth threshold. [Manchester, para. 128 discloses analyzing the segments of content to determine bandwidth requirements to transmit the segments of content on different bit rate data streams; encoding the segments of content in accordance with multiple different bit rates; and dynamically adjusting a number of different bit rate data streams into which the segments of content are encoded based at least in part on the bandwidth requirements associated with the segments.] 
Therefore, it would have been obvious to one of ordinary skill within the art before effective filling date to combine Manchester’s system with modified Bestler’s system, with a motivation for efficient encoding, the encoder resource 140 encodes the segment up to an appropriate bit rate depending on the bandwidth requirements of the original segment being encoded. [Manchester, para. 128]

Conclusion
Pertinent prior art made of record however not relied upon includes:
US 20190149332 A1 to Rivain et al.
“Examples of the present disclosure describe systems and methods relating to a zero-knowledge architecture between multiple systems. In an example, multiple systems may provide an application. User data of the application may be encrypted using a cryptographic key to restrict access to the user data. In some examples, the cryptographic key may not be provided to the multiple systems, thereby providing a zero-knowledge architecture. In order to ensure a user may access the cryptographic key, the cryptographic key may be encrypted using a second cryptographic key. The encrypted representation of the cryptographic key may be provided to a first system, while the second cryptographic key may be provided to a second system. As a result, a user computing device may retrieve both the encrypted representation of the cryptographic key and the second cryptographic key from the first and second systems, respectively, in order to encrypt/decrypt user data.”
US 9336092 B1 to Li
“Data chunks encrypted using an encryption key are backed up to a server. Each chunk is associated with plain and encryption signatures. The plain signature is based on an unencrypted version of a chunk. The encryption signature is based on an encrypted version of the chunk. A new data chunk is identified and a new plain signature for the new chunk is calculated. A request is made for a current key and the new chunk is encrypted using the current key to obtain a new encryption signature. The new encryption and plain signatures are sent to the server for comparison against the existing encryption and plain signatures. If the new encryption signature does not match an encryption signature of an existing chunk and the new plain signature matches a plain signature of the existing chunk, the new chunk is transmitted to the server to replace the existing chunk.”
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Phuc Pham whose telephone number is (571)272-8893. The examiner can normally be reached Monday - Thursday 7:30 AM - 4:30 PM; Friday 8:00 AM - 12:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/P.P./Patent Examiner, Art Unit 2434                                                                                                                                                                                                        

/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434