DETAILED ACTION
This action is in response to the initial claims filed 4/29/2020.  Claims 1-20 are pending.  Independent claims 1, 12 and 19 and corresponding dependent claims are directed towards a management controller, computing device and method for hashing values using salts and peppers.  Claims 19-20 are allowed.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Drawings
The drawings are objected to because: Fig. 2 item 216 is not described in the specification.  Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.
Specification
The disclosure is objected to because of the following informalities: [0031] l. 4 “Request for Comments (RFC) 2104” for correct RFC number; [0040] l. 1 “212” should be “214” per Fig. 2; [0040] l. 2 “214” should be “216” per Fig. 2; and [0043] ll. 4-5 “further server-generated hash value” should read as “further computing device-generated hash value” per [0043]-[0043] and Fig. 3.  Appropriate correction is required.
Claim Rejections - 35 USC § 101
35 U.S.C. § 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-6, 9-18 are rejected under 35 U.S.C. § 101 because the claimed invention is directed to non-statutory subject matter.
As to claim 1, the claimed invention is drawn to a “management controller” comprising a “communication interface” and a “management processor”, which can be broadly interpreted as various types of software (software modules, virtualized hardware, data, programming code, etc.).  Thus, it is not clear whether the claimed elements of the “management controller” are tangibly-embodied structural features, or software, per se.  As such the invention does not fall within at least one of the four categories of patent eligible subject matter recited in 35 U.S.C. § 101 (process, machine, manufacture or composition of matter).
Claims 2-6 and 9-11 further fail to recite any positive structural limitations to overcome the 35 U.S.C. §101 issues of claim 1 discussed above, and are also rejected.
As to claim 12, the claimed invention is drawn to a “computing device” comprising a “communication interface” and a “processor”, which can be broadly interpreted as various types of software (software modules, virtualized hardware, data, programming code, etc.).  Thus, it is not clear whether the claimed elements of the “computing device” are tangibly-embodied structural features, or software, per se.  As such the invention does not fall within at least one of the four categories of patent eligible subject matter recited in 35 U.S.C. § 101 (process, machine, manufacture or composition of matter).
Claims 13-18 further fail to recite any positive structural limitations to overcome the 35 U.S.C. §101 issues of claim 12 discussed above, and are also rejected.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 4-5, 7-9 are rejected under 35 U.S.C. 103 as being unpatentable over Rathineswaran et al. (US 2018/0041499 A1), published Feb. 8, 2018, in view of Yedidi et al. (US 2017/03456797 A1), published Nov. 30, 2017.

As to claim 1, Rathineswaran substantially discloses a management controller (Rathineswaran Fig. 1 item 110 management controller; [0006] baseboard management controller (BMC)) comprising:	a communication interface to communicate with a computing device, wherein the management controller is separate from a processor of the computing device (Rathineswaran Fig. 1 showing management controller 110 in communication with computing device 150); and	a management processor (Rathineswaran Fig. 1 item 112 processor) to:		receive, from the computing device, an input value (Rathineswaran Fig. 2 item 205; [0055] computing device sends credential information for a user to BMC),		generate a hash value (Rathineswaran Fig. 2 item 220; [0057] generate hash information of password), and		send the hash value to the computing device (Rathineswaran Fig. 2 item 220; [0057] send password hash information to computing device).	Rathineswaran fails to disclose receiving a first hash value that is based on a first hash function applied on an input value and a salt, and generating a second hash value based on applying a second hash function on the first hash value and a pepper.	Yedidi describes a method for detecting compromised credentials.	With this in mind, Yedidi discloses receiving a first hash value that is based on a first hash function applied on an input value (Yedidi [0046]-[0047] receive hash values of passwords) and a salt (Yedidi [0039] hash values generated using user-specific salt value), and generating a second hash value based on applying a second hash function on the first hash value (Yedidi [0047] hashing password hash values again using another hashing algorithm) and a pepper (Yedidi [0040] hash values generated using pepper value).  
It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to combine the password hashing using salt and pepper values of Yedidi with the BMC password hashing authentication of Rathineswaran, such that the password is hashed with a salt, then rehashed with a pepper, as it would advantageously ensure that password hash values are different from other user accounts that may have the same password (Yedidi [0039] for using salt values) and ensure that malicious users who gain access to hash values are not able to recreate the user’s password (Yedidi [0040] for using pepper values).
As to claim 2, Rathineswaran and Yedidi disclose the invention as claimed as described in claim 1, including wherein the first hash function is the same as the second hash function, or the first hash function is different from the second hash function (Yedidi [0047] hashing password hash values again using another hashing algorithm).

As to claim 4, Rathineswaran and Yedidi disclose the invention as claimed as described in claim 1, including wherein the management controller is a baseboard management controller (Rathineswaran Fig. 1 item 110 management controller; [0006] baseboard management controller (BMC)).

As to claim 5, Rathineswaran and Yedidi disclose the invention as claimed as described in claim 1, including wherein the communication interface is to communicate with the computing device over a secure connection (Rathineswaran [0049] secure connection between BMC and Computing device).

As to claim 7, Rathineswaran and Yedidi disclose the invention as claimed as described in claim 1, including comprising:	a hardware hash engine to apply the second hash function (Rathineswaran Fig. 1 item 122 Authentication Module; [0031] module as hardware; [0057] authentication module generates hash information; Yedidi [0047] hashing password hash values again using another hashing algorithm),	wherein the management processor is to use the hardware hash engine to generate the second hash value (Rathineswaran [0044]-[0045] processor on BMC controls BMC to perform corresponding tasks).

As to claim 8, Rathineswaran and Yedidi disclose the invention as claimed as described in claim 1, including comprising:	a storage separate from a storage of the computing device, the storage of the management controller to store the pepper (Yedidi [0040] pepper value stored separately at content management system).

As to claim 9, Rathineswaran and Yedidi disclose the invention as claimed as described in claim 1, including wherein each of the first hash function and the second hash function is a cryptographic hash function (Yedidi [0041] cryptographic hash function; [0048] SHA 1-3, MD5).
Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Rathineswaran et al. (US 2018/0041499 A1), published Feb. 8, 2018, in view of Yedidi et al. (US 2017/03456797 A1), published Nov. 30, 2017, in view of Ponnusamy et al. (US 2017/0228237 A1), published Aug. 10, 2017.
As to claim 3, Rathineswaran and Yedidi substantially disclose the invention as claimed as described in claim 1, failing to explicitly disclose wherein the management controller is to perform remote access of the computing device, and trigger remote reboot of the computing device.	Ponnusamy describes configuring a bootable network target for boot in a single reboot.	With this in mind, Ponnusamy discloses wherein the management controller is to perform remote access of the computing device, and trigger remote reboot of the computing device (Ponnusamy [0005] management controller issues instruction to reboot host system via network interface).  It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to combine the remote booting by a management controller of Ponnusamy with the BMC authentication system of Rathineswaran and Yedidi, such that the management controller is capable of rebooting the computing device, as it would advantageously increase the speed of rebooting target devices (Ponnusamy [0003]).
Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Rathineswaran et al. (US 2018/0041499 A1), published Feb. 8, 2018, in view of Yedidi et al. (US 2017/03456797 A1), published Nov. 30, 2017, in view of Bridges et al. (US 2020/0228322 A1), filed Jan. 8, 2019.
As to claim 6, Rathineswaran and Yedidi substantially disclose the invention as claimed as described in claim 1, failing to explicitly disclose comprising a random number generator to generate a random number, wherein the pepper comprises the random number.	Bridges describes methods for securing data.	With this in mind, Bridges discloses a random number generator to generate a random number, wherein the pepper comprises the random number (Bridges [0107] pepper values randomly generated).  It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to combine the random pepper generation of Bridges with the BMC hash authentication of Rathineswaran and Yedidi, such that the pepper values used for hashing are randomly generated, as it would advantageously increase security to hashes as it would add further hash data possibilities resulting in increased difficulty in analysis (Bridges [0107]).
Claims 10-18 are rejected under 35 U.S.C. 103 as being unpatentable over Rathineswaran et al. (US 2018/0041499 A1), published Feb. 8, 2018, in view of Yedidi et al. (US 2017/03456797 A1), published Nov. 30, 2017, in view of Windell et al. (US 9,881,147 B1), issued Jan. 30, 2018.
As to claim 10, Rathineswaran and Yedidi substantially disclose the invention as claimed as described in claim 1, including wherein the input value comprises a user credential (Rathineswaran [0055] computing device sends credential information for a user to BMC).	Rathineswaran and Yedidi fail to explicitly disclose a user credential used to gain access to the computing device.	Windell describes a method related to security credentials.	With this in mind, Windell discloses a user credential to gain access to the computing device (Windell c. 1 ll. 45-47 user enters password to access computer system; Claim 1 comparison of hash of entered password against stored hash to determine access grant).  It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to combine the login access control of Windell with the BMC password authentication of Rathineswaran and Yedidi, such that hashing with salt and BMC pepper as in Rathineswaran and Yedidi is used in a user login for the computer system of Windell, as it would advantageously reduce the effectiveness of brute force attacks (Windell c. 1 ll. 53-60).

As to claim 11, Rathineswaran and Yedidi substantially disclose the invention as claimed as described in claim 1, including wherein the management processor is to further:	receive, from the computing device, a third hash value that is based on the first hash function applied on a further input value (Rathineswaran Fig. 2 item 205; [0055] computing device sends credential information for a user to BMC; Yedidi [0046]-[0047] receive hash values of passwords; [0050] for user credential hash comparison) and the salt (Yedidi [0039] hash values generated using user-specific salt value),	generate a fourth hash value based on applying the second hash function on the third hash value (Rathineswaran Fig. 2 item 220; [0057] generate hash information; Yedidi [0047] hashing password hash values again using another hashing algorithm; [0050] for user credential hash comparison) and the pepper (Yedidi [0040] hash values generated using pepper value), and	send the fourth hash value to the computing device (Rathineswaran Fig. 2 item 220; [0057] send password hash information to computing device).	Rathineswaran and Yedidi fail to explicitly disclose comparison of a hash value by the computing device to a second hash value for authorization of access of the computing device.	Windell discloses a user credential to gain access to the computing device (Windell c. 1 ll. 45-47 user enters password to access computer system; Claim 1 comparison of result hash of entered password against stored hash to determine access grant).  
It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to combine the login access control of Windell with the BMC password authentication of Rathineswaran and Yedidi, such that hashing with salt and BMC pepper as in Rathineswaran and Yedidi is used in a user login for the computer system of Windell, as it would advantageously reduce the effectiveness of brute force attacks (Windell c. 1 ll. 53-60).

As to claim 12, Rathineswaran substantially discloses a computing device (Rathineswaran Fig. 1 item 150 computing device; [0042]) comprising:	a communication interface to communicate with a management controller (Rathineswaran Fig. 1 showing computing device 150 in communication with management controller 110); and	a processor (Rathineswaran [0053] computing device processor) separate from the management controller (Rathineswaran Fig. 1 showing computing device and management controller separated by network) and to:		generate an input value (Rathineswaran [0055] credential entered on computing device),		send, to the management controller, the input value (Rathineswaran Fig. 2 item 205; [0055] computing device sends credential information for a user to BMC),		receive, from the management controller, a hash value (Rathineswaran Fig. 2 item 220; [0057] send password hash information to computing device).	Rathineswaran fails to explicitly disclose generating a first hash value that is based on a first hash function applied on an input value and a salt, sending the first hash value, a second hash value based on applying a second hash function on the first hash value and a pepper, and using the second hash value in granting access to the computing device.	Yedidi discloses generating a first hash value that is based on a first hash function applied on an input value (Yedidi [0046] other device generates hash value based on password) and a salt (Yedidi [0039] hash values generated using user-specific salt value), sending the first hash value (Yedidi [0046]-[0047] other device sends hash values of passwords to content management system), a second hash value based on applying a second hash function on the first hash value (Yedidi [0047] hashing password hash values again using another hashing algorithm) and a pepper (Yedidi [0040] hash values generated using pepper value).  
It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to combine the password hashing using salt and pepper values of Yedidi with the BMC password hashing authentication of Rathineswaran, such that the password is hashed with a salt, then rehashed with a pepper, as it would advantageously ensure that password hash values are different from other user accounts that may have the same password (Yedidi [0039] for using salt values) and ensure that malicious users who gain access to hash values are not able to recreate the user’s password (Yedidi [0040] for using pepper values).	Rathineswaran and Yedidi fail to explicitly disclose using the second hash value in granting access to the computing device.	Windell discloses using a stored hash value in granting access to the computing device (Windell c. 1 ll. 45-47 user enters password to access computer system; c. 6 ll. 9-11 hash is generated and stored for a password; Claim 1 comparison of result hash of entered password against stored hash to determine access grant).  It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to combine the login access control of Windell with the BMC password authentication of Rathineswaran and Yedidi, such that hashing with salt and BMC pepper as in Rathineswaran and Yedidi is used in a user login for the computer system of Windell, as it would advantageously reduce the effectiveness of brute force attacks (Windell c. 1 ll. 53-60).
As to claim 13, Rathineswaran, Yedidi and Windell disclose the invention as claimed as described in claim 12, including wherein the generating of the first hash value and the sending of the first hash value are performed by machine-readable instructions executable on the processor in an operating system (OS) environment (Yedidi [0046] generating and sending of password hashes is performed by device or server; Fig. 5A computing system architecture; [0071]-[0073]; [0014] operating systems).
As to claim 14, Rathineswaran, Yedidi and Windell disclose the invention as claimed as described in claim 13, including wherein the processor is to:	receive a further user credential (Windell c. 1 ll. 45-47 user enters password to access computer system),	generate a third hash value that is based on the first hash function applied on the further user credential (Yedidi [0046]-[0047] generate hash values of passwords before sending; [0050] for user credential hash comparison) and the salt (Yedidi [0039] hash values generated using user-specific salt value),	send, to the management controller, the third hash value (Rathineswaran Fig. 2 item 205; [0055] computing device sends credential information for a user to BMC; Yedidi [0046]-[0047] send hash values of passwords; [0050] for user credential hash comparison),	receive, from the management controller, a fourth hash value (Rathineswaran Fig. 2 item 220; [0057] send password hash information to computing device) based on applying the second hash function on the third hash value (Rathineswaran Fig. 2 item 220; [0057] generate hash information; Yedidi [0047] hashing password hash values again using another hashing algorithm; [0050] for user credential hash comparison) and the pepper (Yedidi [0040] hash values generated using pepper value), and	determine whether to grant access to the computing device based on the fourth hash value and the second hash value (Windell Claim 1 comparison of result hash of entered password against stored hash to determine access grant).
As to claim 15, Rathineswaran, Yedidi and Windell disclose the invention as claimed as described in claim 14, including wherein the processor is to:	compare the fourth hash value to the second hash value (Windell Claim 1 comparison of result hash of entered password against stored hash to determine access grant), and	in response to detecting that the fourth hash value matches the second hash value, grant access to the computing device responsive to the further user credential (Windell Claim 1 comparison of result hash of entered password against stored hash to determine access grant).
As to claim 16, Rathineswaran, Yedidi and Windell disclose the invention as claimed as described in claim 12, including wherein the processor is to:	receive the input value comprising a user credential (Rathineswaran Fig. 2 item 205; [0055] computing device sends credential information for a user to BMC).
As to claim 17, Rathineswaran, Yedidi and Windell disclose the invention as claimed as described in claim 16, including wherein the input value comprising the user credential is received as part of creating a user account at the computing device (Windell Claim 1 hash of password is generated for account and stored for use with the account), and wherein the processor is to further:	receive, as part of a process to access the computing device, a further user credential  (Windell c. 1 ll. 45-47 user enters password to access computer system),	use the second hash value for determining whether the further user credential matches the user credential  (Windell c. 1 ll. 45-47 user enters password to access computer system; Claim 1 comparison of result hash of entered password against stored hash to determine access grant).
As to claim 18, Rathineswaran, Yedidi and Windell disclose the invention as claimed as described in claim 12, including wherein the processor is to:	generate a random number for use as the salt (Yedidi [0039] salt is a randomly generated value).

Allowable Subject Matter
Claims 19-20 are allowed.
The following is an examiner’s statement of reasons for allowance:
Regarding claim 19 and its dependent claims, the prior art of record fails to disclose or fairly suggest, in combination, a method in which a baseboard management controller receives from a computing device over an existing secure connection a first hash based on a user credential and salt value as part of an account creation, generates a second hash using the first hash and a pepper, returns the second hash to the computing device to be used for authorizing user access to the computing device, in the specific manner and combination as recited in claim 19.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
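The account-creation and login exchange described in the claim mappings and in the reasons for allowance above, as an added Python sketch that is not part of the Office action, the application, or any cited reference. PBKDF2-HMAC-SHA-256 as the first hash function, HMAC-SHA-256 keyed with the pepper as the second hash function, and all class and method names are assumptions of this sketch; the secure connection is modelled as a direct method call.

```python
import hashlib
import hmac
import secrets


class ManagementController:
    """Stands in for the BMC: keeps the pepper in its own storage."""

    def __init__(self):
        # Pepper comprises a random number generated on the controller
        # (the arrangement of claim 6). It is never returned to the host.
        self._pepper = secrets.token_bytes(32)

    def second_hash(self, first_hash: bytes) -> bytes:
        # Second hash function applied on the first hash value and the pepper.
        # Assumption: HMAC-SHA-256 with the pepper as the key.
        return hmac.new(self._pepper, first_hash, hashlib.sha256).digest()


class ComputingDevice:
    """Stands in for the host: sees credentials and salts, never the pepper."""

    def __init__(self, controller: ManagementController):
        self._bmc = controller      # models the secure connection
        self.accounts = {}          # user -> (salt, second hash value)

    @staticmethod
    def first_hash(credential: str, salt: bytes) -> bytes:
        # First hash function applied on the input value and the salt.
        # Assumption: PBKDF2-HMAC-SHA-256 with 100,000 iterations.
        return hashlib.pbkdf2_hmac("sha256", credential.encode(), salt, 100_000)

    def create_account(self, user: str, credential: str) -> None:
        salt = secrets.token_bytes(16)              # per-user random salt
        h1 = self.first_hash(credential, salt)      # first hash value
        h2 = self._bmc.second_hash(h1)              # second hash value
        self.accounts[user] = (salt, h2)            # only salt and h2 are stored

    def login(self, user: str, credential: str) -> bool:
        record = self.accounts.get(user)
        if record is None:
            return False
        salt, stored_h2 = record
        h3 = self.first_hash(credential, salt)      # third hash value
        h4 = self._bmc.second_hash(h3)              # fourth hash value
        # Grant access only if the fourth hash value matches the second.
        return hmac.compare_digest(h4, stored_h2)


def demo() -> dict:
    """Run the exchange on constructed sample accounts and report outcomes."""
    host = ComputingDevice(ManagementController())
    host.create_account("alice", "correct horse battery")
    host.create_account("bob", "correct horse battery")  # same password

    # A copy of the account table checked against a controller that holds a
    # different pepper: the stored values cannot be verified without the
    # original controller, even with the right credential.
    moved = ComputingDevice(ManagementController())
    moved.accounts = dict(host.accounts)

    return {
        "good_login": host.login("alice", "correct horse battery"),
        "bad_login": host.login("alice", "wrong guess"),
        "same_password_same_record": host.accounts["alice"][1] == host.accounts["bob"][1],
        "verifies_without_original_pepper": moved.login("alice", "correct horse battery"),
    }


if __name__ == "__main__":
    print(demo())
```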
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Sanchez (US 11,321,448 B1) is related to authentication using hashes, salts, peppers and fried passwords.
Nanopoulos et al. (US 2005/0166263 A1) is related to salt and pepper hashing.
Fox et al. (US 2018/0013565 A1) is related to cryptographic hashing with a server side pepper value.
Lurey et al. (US 2021/0091938 A1) is related to hashing with a pepper value.
Dotan et al. (US 9,154,304 B1) is related to access control using tokens, salt values and pepper values.
Bridges et al. (US 2020/0228322 A1) is related to securing data using hashes, salts and peppers.
Gore et al. (US 2021/0056208 A1) is related to a firmware verification by a management controller using hash verification.
Owens et al. (US 2013/0096961 A1) is related to randomly generated pepper values.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ERIC W SHEPPERD whose telephone number is (571)270-5654.  The examiner can normally be reached on Monday - Thursday, Alt. Friday, 7:30AM - 5:00PM, EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571)272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Eric W Shepperd/Primary Examiner, Art Unit 2492