DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Independent claims 1, 12, and 14 were amended; claims 1-4, 5-24, and 26 are pending.

Response to Arguments
Applicant’s arguments with respect to claim(s) 1, 12, 14 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 6-7, 12-15, 20-22, 24, and 26 are rejected under 35 U.S.C. 103 as being unpatentable over Enright (US 20060171537 A1) in view of Kroselberg (US 20040210766 A1).

With regards to claim 1, Enright discloses a method for providing at least one service within a network arrangement comprising:
- one or more capture devices (FIG 1 110 and associated text;[0010] A wireless supplicant 130 seeking credentials from AP 120 will also be configured to practice the credential provisioning methods described herein.); and
- one or more network access devices to which one or more capture devices can be respectively coupled (FIG 1 120 and associated text;[0010] Network 100 is an infrastructure network in that communications between nodes 110 are coordinated through an access point (AP) 120. Any suitable wireless networking protocol may be implemented on network 100 such as an 802.11 protocol. Within network 100, only AP 120 need be configured to practice the credential provisioning method described further herein. ); the method comprising: 
- providing cryptographic security on or above a transport level of the communication protocol levels, which can be used in the network arrangement, for at least one first existing communication connection between one of the capture devices and one of the network access devices ([0011] The credentials supplied by AP 120 to wireless supplicant 130 allows the wireless supplicant to communicate with the AP 120 using an encryption protocol being enforced on network 100. Examples of suitable encryption protocols being enforced on network 100 include wired equivalent privacy (WEP), WiFi Protected Access Pre-Shared Key (WPA-PSK), and WPA-Radius.), which connection is used to monitor data captured by the capture device (FIG 2 205, 215 and associated text; [0021] If no request for credential provisioning is ever provided after a sufficient waiting period, the AP would abort the credential provisioning process and resume secure mode operation as discussed with respect to step 215. Note: the AP's waiting period for a credential request suggests that it monitors wireless supplicant 130) and/or to control a further device within the network arrangement on a basis of the data captured by the capture device (first communication: credential provisioning in open access mode),
- generating and/or determining network access configuration data for at least one further, second communication connection, which is to be cryptographically protected below the transport level, between the capture device and the network access device ([0016] To prevent such unauthorized access, the provision of the password to and from wireless supplicant 130 should be encrypted. Any suitable encryption scheme may be utilized for this encryption. Network security is increased, however, if a shared secret encryption scheme is avoided. In this fashion, wireless supplicant 130 need not be configured with the shared secret, thereby easing burden on users and network administrators. [0017] A particularly convenient encryption scheme is the Secure Sockets Layer (SSL) protocol. Because SSL uses the TCP/IP protocol, wireless supplicant 130 will need an IP address as well as the IP address for AP 130 to establish an SSL "tunnel" for credential provisioning. Note: Credential Provisioning in Secure mode);
- providing the network access device with the generated and/or determined network access configuration data using the cryptographic security provided for the first communication connection ([0019] Encrypted messages are thus used to supply a password to and from wireless supplicant 130 for the authentication of the wireless supplicant's identity as well as to provision credentials to wireless supplicant 130 so that it may gain network access.), wherein necessary parameters of the second communication connection are locally determined by both the one or more capture devices and the one or more network access devices ([0017-18] Given the prevalence of Dynamic Host Configuration Protocol (DHCP) enabled APs, a particularly convenient way to obtain the IP address is to use DHCP messages. Thus, subsequent to open association with AP 120, wireless supplicant 130 may initiate the authentication process by broadcasting a DHCP Discover frame. AP 120 may respond with a DHCP Offer frame, which will contain the offer of an IP address to wireless supplicant 130. Wireless supplicant 130 may respond with a DHCP Request frame, which selects for the IP address offer. AP 120 then responds with a DHCP ACK frame, acknowledging the selection of the IP address by wireless supplicant 130……Wireless supplicant 130 may then process the DHCP ACK message to retrieve the IP address for AP 120. At this point, wireless supplicant 130 and AP 120 may proceed to use SSL to provide the password to wireless supplicant 130 upon the initial request for credential provisioning. Page 4; claim 8. The wireless network AP of claim 7, wherein the AP is a Dynamic Host Configuration Protocol (DHCP) server, the processor being further configured to supply the wireless supplicant with an IP address using the DHCP protocol to support the SSL encryption.  
Note: As "locally" is not defined in the claim, the examiner interprets the SSL connection setup (secure mode) between supplicant 130 and AP 120 as happening locally, with the parameters for SSL encryption exchanged between them);
- setting up at least network access intended for the at least one further, second communication connection in the network access device with the aid of these provided network access configuration data (FIG 2 225 and associated text; credential provisioned in secure mode); and 
- establishing the at least one further, second communication connection between the capture device and the further network access which has been set up in the network access device with the aid of the generated and/or determined network access configuration data, wherein one or more services can be provided via this further, second communication connection of the capture device ([0018] AP 120 may then provision wireless supplicant 130 with the necessary credentials using SSL such that wireless supplicant 130 gains network access in secure mode. Wireless supplicant 130 may then begin secure mode communication with AP 120 and thus network with other nodes 110.).

Enright does not explicitly teach, but Kroselberg teaches, wherein the generated and/or determined network access configuration data are derived from a context of the first cryptographically protected communication connection, such that a security association established in the first cryptographically protected communication connection is used to derive the network access configuration data for the second communication connection ([0020] The protocol according to IETF RFC 2409 has two phases. In a first phase, what is known as an IKE security association, in other words a cryptographically protected communication channel, is produced between two computers communicating with one another. On the basis of the IKE security association, a second phase can be subsequently executed, during which the actual IPsec security associations are generated. According to IETF RFC 2409, use of what is known as the "Diffie-Hellman Key Exchange" protocol, which necessitates complex asymmetrical cryptographic computations in the computers, is required in the first phase. See also [0027-36]). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify Enright's system with the teaching of Kroselberg in order to provide secure network association in an efficient way (Kroselberg [00034]).
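The following is an added illustrative example, not code from the office action or from any cited reference. It models the limitation mapped above: both the capture device and the network access device locally derive the second connection's access configuration (network name and access key) from the security association of the first, TLS-style connection, so the second connection is bound to the first and lapses when the first is closed. The HKDF labels, identifiers and sample secrets are constructed assumptions.

```python
# Added example (assumptions: HKDF-SHA256 labels "nac/ssid" and "nac/key",
# device identifiers, and a stand-in master secret / transcript hash for the
# first connection's security association).
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869 expand: T(i) = HMAC(PRK, T(i-1) | info | i)
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_access_config(master_secret: bytes, transcript_hash: bytes,
                         capture_id: bytes, nas_id: bytes):
    """Derive (network name, access key) for the second connection.

    master_secret and transcript_hash stand in for the first connection's
    security association; binding both peer identities into the label keeps
    the result specific to this capture-device / network-access-device pair.
    """
    prk = hkdf_extract(transcript_hash, master_secret)
    context = capture_id + b"|" + nas_id
    ssid = "cap-" + hkdf_expand(prk, b"nac/ssid|" + context, 6).hex()
    key = hkdf_expand(prk, b"nac/key|" + context, 32)
    return ssid, key


class NetworkAccessDevice:
    """Second-connection access entries, each bound to a first connection."""

    def __init__(self) -> None:
        self.access = {}  # ssid -> access key

    def set_up_access(self, ssid: str, key: bytes) -> None:
        self.access[ssid] = key

    def first_connection_closed(self, ssid: str) -> None:
        # Temporally limited access: gone once the first connection ends.
        self.access.pop(ssid, None)

    def admit(self, ssid: str, key: bytes) -> bool:
        stored = self.access.get(ssid)
        return stored is not None and hmac.compare_digest(stored, key)


def provision_and_connect(master_secret: bytes, transcript_hash: bytes,
                          capture_id: bytes = b"capture-01", nas_id: bytes = b"nas-01"):
    """Both peers derive the same configuration locally; nothing secret is sent."""
    nas = NetworkAccessDevice()
    nas_ssid, nas_key = derive_access_config(master_secret, transcript_hash, capture_id, nas_id)
    nas.set_up_access(nas_ssid, nas_key)
    cap_ssid, cap_key = derive_access_config(master_secret, transcript_hash, capture_id, nas_id)
    return nas, cap_ssid, nas.admit(cap_ssid, cap_key)
```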

With regards to claims 2, 13, and 20, Enright further discloses, wherein the cryptographic protection for the first communication connection is implemented by means of TLS encryption or DTLS encryption ([0017] A particularly convenient encryption scheme is the Secure Sockets Layer (SSL) protocol. Because SSL uses the TCP/IP protocol, wireless supplicant 130 will need an IP address as well as the IP address for AP 130 to establish an SSL "tunnel" for credential provisioning. Note: Although the SSL protocol was deprecated with the release of TLS 1.0 in 1999, it is still common to refer to these related technologies as "SSL" or "SSL/TLS.").

With regards to claims 3 and 22, Enright further discloses, wherein the second communication connection is bound to the first communication connection ([0011] Regardless of the particular encryption(s) implemented on AP 120, its encrypted operation will be denoted herein as a "secure mode." In general, for wireless supplicant 130 to communicate in a secure mode with AP 120, wireless supplicant will need to be provisioned with credentials such as a security key, password, or X.509 certificates. [0012] For ease of use, the credential provisioning may be initiated by a simple button press at the AP 120. The button press may be hardwired or software-enabled. After the button press, AP 120 leaves its secure mode of operation and enters an open access mode such that it will respond to any wireless supplicant requests for association. It will be appreciated that during this open access mode, AP 120 may continue to operate in a secure mode with nodes 110 that have already gained network access should AP 120 support operation under multiple SSIDs. Thus, even though wireless supplicant 130 may freely associate with AP 120 during open access mode operation, wireless supplicant must still be provisioned with network security parameters before it may gain secure network access.).

With regards to claims 7 and 15, Enright discloses, wherein the further network access which has been set up is temporally limited and is no longer available after the time at which the first communication connection is terminated (Enright [0020] However, if an additional request for credential provisioning is received while the waiting period is still pending, the presence of a wireless interloper may be presumed. Thus, the method would abort at step 215 and the AP would resume the secure mode of operation. In addition, a network administrator may be informed of the attempted unauthorized credential provisioning.; FIG 2 step 215, Abort authentication. Note: access is limited to secure mode; open access mode is no longer available).

Claim 12 is a device (capture) claim composed of substantially similar limitations to method claim 1, and is also rejected accordingly.

Claim 14 is a device claim (access point) composed of substantially similar limitations to method claim 1, and is also rejected accordingly.

Claim 21 is a system claim comprising the devices of claims 12 and 14, and is also rejected accordingly.

Claim 26 is the product claim corresponding to device claim 14, and is also rejected accordingly.

With regards to claims 6 and 24, Enright in view of Kroselberg discloses, wherein the generated and/or determined network access configuration data comprise a public or hidden network name and/or an access key (Kroselberg [0107] Next, the setup unit 321 of the mobile phone 3 automatically generates an encryption key with the setup-mode SSID of the selected device on specific conditions (Step S122). The specific conditions are the same algorithm as that of the specific conditions used when automatically generating the encryption key in the PC 2. The setup unit 321 then holds on a link data storage 326 the setup-mode SSID, the automatically generated encryption key, device information (profile information) in the setup mode of the selected device.). Motivation would be the same as stated in claim 5.

Claims 8-10 and 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over Enright (US 20060171537 A1) in view of Kroselberg (US 20040210766 A1) and PHILLIPS et al. (US 20170264613 A1).

With regards to claims 8 and 16, Enright in view of Kroselberg does not teach, but PHILLIPS teaches, wherein the one or more network access devices permit a communication connection from the network access device to a network service server so that one or more of the services are provided by the network service server (PHILLIPS [0101] Once the border router 26 is satisfied that the device (D) is approved to access the requested service 16 by the trusted issuer, and also verifies that the device (D) is that which it purports to be, then the border router 26 establishes an encrypted connection 25 (e.g. TLS) with the service 16 and allows device (D) to access the service 16 via the connection 25, thereby controlling the connection to the service 16 by the device (D).). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify the method of Enright in view of Kroselberg with the teaching of PHILLIPS in order to control communications between a data processing device and a service (PHILLIPS [0001]).

With regards to claims 9 and 17, Enright in view of Kroselberg and PHILLIPS discloses, wherein that port in the network access device which is used for the second communication connection to the capture device is enabled for this communication connection to the network service server (PHILLIPS FIG 2, 5 and associated text; device 30 accesses the service cloud with proper authentication, which suggests that a port is enabled for that communication; the data communication can be interpreted as the second communication, taking place after the handshake/initiation (first communication) is done). Motivation would be the same as stated in claim 8.

With regards to claims 10 and 18, Enright in view of Kroselberg and PHILLIPS discloses, wherein the port is enabled on the basis of the first communication connection (PHILLIPS [0006] According to a first aspect of the invention there is provided a method for controlling communications between a data processing device in a first network and a target service in a second network via a gateway apparatus, the method comprising: transmitting a request to communicate with the target service from the data processing device to the gateway apparatus; transmitting device credentials from the data processing device to the gateway apparatus, wherein the device credentials comprise information relating to the target service; verifying at the gateway apparatus an authentication status of the data processing device based on the device credentials; establishing a communication path between the data processing device and the target service if the authentication status is verified.). Motivation would be the same as stated in claim 8.

Claims 11 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Enright (US 20060171537 A1) in view of Kroselberg (US 20040210766 A1), PHILLIPS et al. (US 20170264613 A1), and Neginhal et al. (US 20150271303 A1).

With regards to claims 11 and 19, Enright in view of Kroselberg and PHILLIPS does not teach, but Neginhal teaches, the port to be enabled is preconfigured or is dynamically determined from the network access configuration data (Neginhal [0007] In some embodiments, the routes that a network controller dynamically propagates include connected routes as well as manually entered static routes. The connected routes, described above, may be automatically generated for a logical router based on the configuration of the logical router (i.e., based on the attachment of a logical port to a particular subnet).). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify the method of Enright in view of Kroselberg and PHILLIPS with the teaching of Neginhal in order to manage, via the configuration of a provider logical router, the handling of traffic entering and exiting the datacenter (Neginhal [0005]).

Allowable Subject Matter

Claims 4 and 23 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMED WALIULLAH whose telephone number is (571)270-7987. The examiner can normally be reached from 8:30 to 4:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 1-571-272-8878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MOHAMMED WALIULLAH/Primary Examiner, Art Unit 2498