DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
The Amendment filed 05/17/2022 has been received and considered.
Claims 1-24 are pending.
This action is Final.
Response to Arguments
2.	Applicant's arguments filed 05/17/2022 have been fully considered but they are not persuasive. Applicant argues that regarding independent claim 1, Diamant in view of Levy fails to teach “receiving, at a host device, secure data from a memory device that is coupled to the host device, the secure data including a first content block and a second content block; determining, by the host device, that the first content block is encrypted; determining, by the host device, that the second content block is unencrypted”
	With respect to this argument, as disclosed below, Diamant in col. 3 lines 45-55 discloses reading data packets from a host device which may be encrypted or unencrypted. In col. 9 lines 6-19, security processing instructions are used to determine an offset of the data payload and whether the data should be encrypted or decrypted. Furthermore, in col. 7 lines 38-52, a data packet is received and assessed to determine if the packet’s payload is in plaintext or encrypted.
Therefore, Diamant in view of Levy teaches the claimed limitations of claim 1 and thereby the dependent claims. 
Applicant further argues that regarding independent claim 10, Diamant in view of Unruh fails to teach “encrypting, in each section, a subset of the content blocks included in the section; and including, in each section, a remaining number of unencrypted content blocks as plaintext; and sending, to the host device, the plurality of sections along with the signature, each of the plurality of sections including encrypted content blocks and unencrypted content blocks”
With respect to this argument, as disclosed below, Diamant in col. 9 lines 6-11 discloses using security processing instructions to identify an offset of the data payload in a packet and determining which part of the packet payload to encrypt or decrypt. In col. 7 lines 18-52, an offset is computed from the beginning of the packet to the beginning of the payload. The offset is a value used to determine where in the packet to begin the encryption or decryption process, that is, which bit corresponds to the beginning of the payload. The packet may be stored and read by the host computer including encrypted data and a digital signature for validation. Furthermore, col. 12 lines 64-67 and col. 13 lines 1-8, Diamant discloses authenticating a portion of the defined data and encrypting another internal portion of the data. Diamant fails to explicitly disclose including a remaining number of unencrypted content blocks as plaintext however this can be determined based on the security parameters and offset within the packet payload. Unruh in paragraph [0020] discloses using a counter value to determine a remaining number of plaintext blocks. 
Therefore, the combination of Diamant and Unruh teaches the claimed limitations of claim 10 and thereby the dependent claims. 
Applicant further argues that regarding dependent claims 3 and 4, Diamant in view of Levy and Unruh fails to teach “determining that the first content block is encrypted using a first encryption mechanism, and wherein decrypting the first content block comprises decrypting the first content block using the first encryption mechanism” and “determining, by the host device, that the third content block is encrypted using a second encryption mechanism that is different from the first encryption mechanism; and upon determining that the third content block is encrypted using the second encryption mechanism, decrypting, by the host device, the third content block using the second encryption mechanism to obtain third plaintext data”
With respect to this argument, as disclosed below, Diamant in col.2 lines 18-26 and 56-67 discloses performing a security operation on data packet which includes decryption of an encrypted packet payload or encryption of a plaintext (i.e., unencrypted) packet payload. A hardware security accelerator is configured to analyze certain bit fields within the header to determine the protocols present and the security parameters are used to decrypt the packet's payload accordingly. In col. 8 lines 13-23, specific header fields are extracted and used to determine cryptographic parameters such as an encryption/decryption algorithm, mode and cipher keys. For each packet a specific initialization vector is used and the processing instructions include the next expected logical block address (LBA) and an updated replay counter. Furthermore, Unruh in paragraph [0040]-[0043] discloses encrypting three blocks of plaintext data. The block are encrypted and authenticated using an XOR operator, generating ciphertext and an authentication tag. The result of the XOR operation is encrypted using a secret key to produce ciphertext. The encryption operation performs a second XOR operation on the ciphertext and a previous hash value received from the multiplier of the previous block. 
Therefore, the combination of Diamant, Levy and Unruh teach the claimed limitations of claims 3 and 4 and thereby the dependent claims.
Applicant further argues that regarding dependent claim 5, Diamant in view of Levy and Unruh fails to teach “determining that the first content block is encrypted using the first encryption mechanism comprises determining that a value of the counter is less than a first threshold value that corresponds to a number of content blocks in a section encrypted using the first encryption mechanism” and “determining that the third content block is encrypted using the second encryption mechanism comprises determining that the value of the counter is greater than the first threshold value but less than a second threshold value that corresponds to a number of content blocks in a section encrypted using the first encryption mechanism and the second encryption mechanism”
With respect to this argument, as disclosed below, Unruh in paragraph [0020] discloses a reduced leakage encryption technique using a counter which corresponds to the plaintext block. A multiplication factor is used to encrypt the block of data and the same technique is used for the next block id the length of remaining unencrypted plaintext in the data record is greater than zero. In paragraph [0038], a second plaintext block of the plaintext data is encrypted by the same operations described above for the first block, except that the operations are applied to the second plaintext and a second seed value to produce a second ciphertext. The second block encryption operation uses the same key K and encryption method as the first block encryption operation and operates on the XOR of a plaintext block and a seed. If the size of the plaintext input data is greater than three times the block size, then an additional block processor that includes an XOR operation and a block cipher may be used for each additional plaintext data block. Furthermore, in paragraph [0058] the plaintext is XORed with a seed value that is based on the sum of an initialization vector IV and an integer multiple of an increment value. 
Therefore, the combination of Diamant, Levy and Unruh teach the claimed limitations of claim 5 and thereby the dependent claims.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



3.	Claims 1-3, 9 and 23-24 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent No. US 10, 212,138 B1 to Diamant, (hereinafter, “Diamant”) in view of US Pub. No. US 2018/0167220 A1 to Levy, (hereinafter, “Levy”).
As per claim 1, Diamant teaches a method comprising: 
receiving, at a host device, secure data from a memory device that is coupled to the host device, the secure data including a first content block and a second content block (Diamant, col. 3 lines 45-55 “Upon reading data (which may be encrypted) from the storage server 30, the hardware security accelerator 100 may decrypt the data before providing the corresponding plaintext data to the application 280. Thus, the hardware security accelerator 100 performs ciphering operations on data including encryption and/or decryption of such data. As noted above, a function performed by the host computer 200 (e.g., by application 280) is to store data on the storage server 30. Data may be provided from the host computer 200 to the storage server 30 in the form of packets” and col. 4 lines 49-55 “That is, the hardware security accelerator 100 can read encrypted data from the storage server 30, decrypt the retrieved encrypted data, and store the resulting plaintext data into the host computer's local memory 223 without having to temporarily store the data elsewhere pending the decryption process. The same principle is true when encrypting and writing encrypted data to the storage server 30”);
determining, by the host device, that the first content block is encrypted (Diamant, col. 9 lines 6-19 “At 406, the configurable security unit 110 performs any one or more of: encrypts the packet, decrypts the packet, signs the packet, authenticates the packet and/or other types of ciphering operations. The security processing instructions may specify the offset to the start and end of the data payload of the packet so that decryption of the packet will occur just on the encrypted data payload. The TID table 106 can be accessed using the TID determined by the protocol and transaction determination unit 104 to access an encryption key associated with the packet's transaction. The encryption and possibly other cryptographic parameters may be retrieved from the TID table 106 and provided to the configurable security unit 110 for decryption of the packet's payload.”);
upon determining that the first content block is encrypted, decrypting, by the host device, the first content block to obtain corresponding first plaintext data (Diamant, col. 4 lines 41-44 “The hardware security accelerator 100 decrypts the packet's data payload and stores the plaintext version of the packet in local memory 223.” and col. 10 lines 33-38 “The configurable security engine 143 performs security processing of the packet to provide at least one security result. Examples of such security processing include encrypting the payload in the event the payload is a plaintext data payload, and decrypting the payload in the event the payload is encrypted.”);
determining, by the host device, that the second content block is unencrypted (Diamant, col. 2 lines 18-35 “The hardware security accelerator of the disclosed embodiments performs a security operation on a packet. Such security operations may include decryption of an encrypted packet payload as well as encryption of a plaintext (i.e., unencrypted) packet payload. During the decryption process, for example, the hardware security accelerator obtains various security-related parameters based on the determined packet type and decrypts the packet's payload accordingly. Some of the security-related parameters are extracted from the packet itself by the hardware security accelerator based on the packet type, while other security-related parameters (e.g., encryption keys) may be retrieved from a transaction identifier (TID) table. The collection of security-related parameters (some extracted from the packet and others retrieved from the TID table) are provided to a security engine which uses the parameters to decrypt the encrypted payload. A similar process may be performed to encrypt a plaintext packet payload.”);
upon determining that the second content block is unencrypted, obtaining, by the host device from the second content block, corresponding second plaintext data (Diamant, col. 7 lines 38-52 “At 401, the method includes receiving a packet. In some embodiments, the packet is received by the hardware security accelerator 100. The packet received may be a packet to be decrypted or encrypted. For example, the packet may have been stored on storage server 30 with encrypted data (or in plaintext, that is, not encrypted) and the packet is now being read back by the host computer 200. The packet is retrieved from the storage server 30 over network 40 and received by the hardware security accelerator 100. The encrypted data payload of the packet is to be decrypted by the hardware security accelerator 100 before being returned to the application 280 that requested the data in the first place. If the packet's payload was stored in plaintext, the hardware security accelerator nevertheless may operate to validate a digital signature in the packet.”);
determining, by the host device, whether reception of secure data from the memory device is completed (Diamant, col. 14 lines 4-23 “FIG. 10 illustrates an example of a configurable security engine 143. The illustrative configurable security engine 143 includes a field translation table 72 and a field modification unit 74. The field translation table 72 is used to translate an extracted field (from configurable field extraction unit 141) if and as desired. The field modification unit 74 may perform calculations, based on the security processing instructions provided to it. Such calculations may include calculating the next initialization vector, the next sequence number, and/or the replay counter based upon the extracted field or a translated field from field translation table 72. For example, the for MACSec, the header length may be used as an authentication start offset (i.e., offset to a byte to begin authentication, for example, a digital signature). By way of an additional example, the a value such as 16 may be added to the header length to form the authentication offset value, The field medication unit performs such calculations. The field modification unit 74 may be implemented as an arithmetic logic unit (ALU) comprising adders, subtractors, Boolean operators, multiplexers, etc.”)
upon determining that reception of secure data from the memory device is completed, obtaining, by the host device, a first signature from a signature block sent by the memory device in conjunction with the secure data (Diamant, col. 7 lines 38-52 “At 401, the method includes receiving a packet. In some embodiments, the packet is received by the hardware security accelerator 100. The packet received may be a packet to be decrypted or encrypted. For example, the packet may have been stored on storage server 30 with encrypted data (or in plaintext, that is, not encrypted) and the packet is now being read back by the host computer 200. The packet is retrieved from the storage server 30 over network 40 and received by the hardware security accelerator 100. The encrypted data payload of the packet is to be decrypted by the hardware security accelerator 100 before being returned to the application 280 that requested the data in the first place. If the packet's payload was stored in plaintext, the hardware security accelerator nevertheless may operate to validate a digital signature in the packet.” And col. 10 lines 11-22 “The configurable security unit 140 may perform security processing operations such as encryption or decryption, as well as digital signature generation and/or validation of packets. In the example of FIG. 6 the configurable security unit 40 includes a configurable field extraction unit 141, a configuration unit 142, a configurable security engine 143, a validation unit 144, and a packet transaction/connection unit 145. The configurable field extraction unit 141 extracts from a packet multiple security-related fields. Example of such security-related fields include a TID, an initialization vector or bits used to compute an initialization vector, etc.”); 
Diamant teaches all the limitations of claim 1 above, however fails to explicitly teach but Levy teaches: 
computing, by the host device, a second signature on plaintext data obtained by the host device, the plaintext data including the first plaintext data and the second plaintext data (Levy, para. [0032] “A DLP system may obtain one or more communications that individually or collectively contain a ciphertext and cryptographically verifiable assurance with a cryptographic key usage limit for a cryptographic key used to generate the ciphertext from plaintext. In embodiments where the ciphertexts are digitally signed, the DLP system may generate a reference digital signature based, at least in part, on the ciphertext and compare the reference signature to a digital signature of the ciphertext contained in the one or more communications…In embodiments where the one or more communications contain cryptographic hashes of code executed by the system providing the ciphertexts, the DLP system may verify the cryptographic hashes in accordance with the techniques used to generate the cryptographic hashes, which may be the same techniques used for verifying digital signatures and, if applicable, utilizing a certificate of a cryptographic module that generated the cryptographic hashes.” And para. [0047] “FIG. 3, the management component encryption device 302 obtains plaintext such as by receiving the plaintext or generating the plaintext and uses the cryptographic key 304 to generate ciphertext 308…Accordingly as illustrated in FIG. 3, one or more of the encryption devices 302 may obtain the ciphertext 308 and use the cryptographic key 304 to decrypt the ciphertext 308 to obtain plaintext from the ciphertext 308. In this example, the management component 302 defines a host class 314 comprising one or more encryption devices 302. Members of the host class 314 are instructed via electronic communications to obtain the ciphertext 308 and decrypt the ciphertext 308 using the cryptographic key 304 to obtain plaintext and to perform one or more operations with the plaintext.”);
comparing, by the host device, the first signature to the second signature (Levy, para. [0032] “the DLP system may generate a reference digital signature based, at least in part, on the ciphertext and compare the reference signature to a digital signature of the ciphertext contained in the one or more communications. The reference signature may be generated using a public key provided in or otherwise referenced in a certificate of the system that provided the ciphertext, using a symmetric cryptographic key shared between the system that provided the ciphertext and the DLP system, or may provide the ciphertext and digital signature to another system configured to verify digital cryptographically verifiable assurances of compliance” and para. [0087] “Upon performance of the digital signature verification algorithm, the process 900 may include determining 912 whether the digital signature of the data obtained from the queue is valid based at least in part on a result of performing 910 the digital signature verification algorithm. If it is determined 912 that the digital signature is valid, the process 900 may include transmitting 914 the data to its destination (e.g., a network address identified in one or more data packets that contain the data). The data may be transmitted with the digital signature that was included with the data or, in some embodiments, the data is transmitted to a destination without the digital signature.”); and
conditioned on determining, by the host device as a result of the comparing, that the first signature is equal to the second signature, accepting, by the host device, the plaintext data as legitimate (Levy, para. [0078] “The DLP enforcement component 708 may determine whether to block the request…The attestation 716 and digital signature 714 may be cryptographically verified by the DLP enforcement component and successful verification of at least both may indicate that the key usage enforcement component 702 is operable to enforce the one or more policies 716 on the cryptographic keys 718 and, in particular, the cryptographic key used to generate the encrypted data record 712. As a result, the DLP enforcement component 708 may transmit the request 710 to a destination of the request 710 (or generate a different request that lacks one or more of the attestation 716 and digital signature 714).”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Levy’s digital signature validation into Diamant’s hardware security method, with a motivation to prevent unauthorized access to data (Levy, para. [0003]).

As per claim 2, the combination of Diamant and Levy teach the method of claim 1, further comprising: conditioned on determining, by the host device as a result of the comparing, that the first signature is not equal to the second signature, discarding, by the host device, the plaintext data as compromised (Diamant, col. 14 lines 61-67 “The comparator 995 is configured to compare two numbers, with an accept/reject rule. For example, the packet replay counter may be extracted from the headers, and the comparator 995 may compare it to the last accepted replay counter (stored internally). If the new replay counter is greater than the last accepted replay counter, the packet is accepted; otherwise the packet is dropped.”).
As per claim 3, the combination of Diamant and Levy teach the method of claim 1, wherein determining that the first content block is encrypted comprises determining that the first content block is encrypted using a first encryption mechanism, and wherein decrypting the first content block comprises decrypting the first content block using the first encryption mechanism (Diamant, col. 2 lines 18-26 and 56-67 “The hardware security accelerator of the disclosed embodiments performs a security operation on a packet. Such security operations may include decryption of an encrypted packet payload as well as encryption of a plaintext (i.e., unencrypted) packet payload. During the decryption process, for example, the hardware security accelerator obtains various security-related parameters based on the determined packet type and decrypts the packet's payload accordingly…The hardware security accelerator described herein is configurable to permit it to analyze the headers of a given packet and determine the particular combination of protocols of the headers. The protocols determined by the accelerator may be standard protocols or proprietary protocols. The hardware security accelerator may be configured to analyze certain bit fields within the header to determine the protocols that are present. The particular bit fields that are examined by the hardware security accelerator are configurable. Further, the security operation performed by the hardware security accelerator (encryption, decryption, signature generation, signature validation, etc.) also is configurable for each particular set of protocols that the hardware security accelerator is configured to detect.”).
As per claim 9, the combination of Diamant and Levy teach the method of claim 1, wherein decrypting the first content block to obtain corresponding first plaintext data comprises: 
upon decrypting the first content block, identifying a nonce value included in the first content block (Diamant, col. 4 lines 37-55 “The relevant set of cryptographic parameters may be identified using a packet type identifier and/or a TID. The packet type identifier may be determined based on the particular combination of protocols of the packet's headers and the TID may be parsed from the packet. The hardware security accelerator 100 decrypts the packet's data payload and stores the plaintext version of the packet in local memory 223. Through the hypervisor 260 and/or OS 270, the application 280 may access the local memory 223 to retrieve the plaintext data. The hardware security accelerator 100 essentially combines the functionality of in-band encryption/decryption with remote direct memory access (RDMA). That is, the hardware security accelerator 100 can read encrypted data from the storage server 30, decrypt the retrieved encrypted data, and store the resulting plaintext data into the host computer's local memory 223 without having to temporarily store the data elsewhere pending the decryption process. The same principle is true when encrypting and writing encrypted data to the storage server 30”); and 
removing the nonce value from the decrypted first content block to obtain the first plaintext data, wherein the nonce value is synchronized between the host device and the memory device (Diamant, col. 5 lines 54-67 and col. 6 lines 1-11 “The protocol and transaction determination unit also generates a TID (nonce). the TID is included as a field within one or more of the headers of the packet. The specific bits within the headers that contain the TID 105 may be protocol specific. That is, for one particular combination of protocols, the TID 105 is specified in certain bits of the packet headers, while for another combination of protocols, the TID may be specified in other bits of the packet headers. The PTI 103 is indicative of the particular protocols, and based on the particular protocols implemented in the packet, the protocol and transaction determination unit 104 obtains the particular subset of bits from the packet headers that include the TID 105. The TID 105 is provided by the protocol and transaction determination unit 104 to the TID table 106, along with one or more headers 111 extracted form the packet by the parser 102. The TID table 106 maps TIDs and one or more fields from the extracted headers to cryptographic parameters. The cryptographic parameters 107 associated with the particular TID 105 are retrieved from the TID table 106 and provided to the configurable security unit 110.”).
As per claim 23, Diamant teaches a method comprising: 
receiving, at a host device, secure data from a memory device that is coupled to the host device, the secure data including a first content block and a second content block (Diamant, col. 3 lines 45-55 “Upon reading data (which may be encrypted) from the storage server 30, the hardware security accelerator 100 may decrypt the data before providing the corresponding plaintext data to the application 280. Thus, the hardware security accelerator 100 performs ciphering operations on data including encryption and/or decryption of such data. As noted above, a function performed by the host computer 200 (e.g., by application 280) is to store data on the storage server 30. Data may be provided from the host computer 200 to the storage server 30 in the form of packets” and col. 4 lines 49-55 “That is, the hardware security accelerator 100 can read encrypted data from the storage server 30, decrypt the retrieved encrypted data, and store the resulting plaintext data into the host computer's local memory 223 without having to temporarily store the data elsewhere pending the decryption process. The same principle is true when encrypting and writing encrypted data to the storage server 30”);  
determining, by the host device, that the first content block is encrypted using a first encryption mechanism (Diamant, col. 9 lines 6-19 “At 406, the configurable security unit 110 performs any one or more of: encrypts the packet, decrypts the packet, signs the packet, authenticates the packet and/or other types of ciphering operations. The security processing instructions may specify the offset to the start and end of the data payload of the packet so that decryption of the packet will occur just on the encrypted data payload. The TID table 106 can be accessed using the TID determined by the protocol and transaction determination unit 104 to access an encryption key associated with the packet's transaction. The encryption and possibly other cryptographic parameters may be retrieved from the TID table 106 and provided to the configurable security unit 110 for decryption of the packet's payload.”); 
upon determining that the first content block is encrypted using the first encryption mechanism, decrypting, by the host device, the first content block using the first encryption mechanism to obtain corresponding first plaintext data (Diamant, col. 4 lines 41-44 “The hardware security accelerator 100 decrypts the packet's data payload and stores the plaintext version of the packet in local memory 223.” and col. 10 lines 33-38 “The configurable security engine 143 performs security processing of the packet to provide at least one security result. Examples of such security processing include encrypting the payload in the event the payload is a plaintext data payload, and decrypting the payload in the event the payload is encrypted.”); 
determining, by the host device, that the second content block is encrypted using a second encryption mechanism that is different from the first encryption mechanism (Diamant, col. 8 lines 13-23 “At 404, the method includes using the packet type (e.g., the PTI 103) to access a set of security processing instructions. The security processing instructions may be stored in the protocol and transaction determination unit 104. The security processing instructions may include information on how to extract specific header fields in order to construct a TID. The TID may be used, for example, to access a TID table that may contain cryptographic parameters such as encryption/authentication algorithm and mode, cipher keys, next expected logical block address (LBA) or replay-protection counter related to the transaction.” And col. 9 lines 20-26 “At 407, the illustrative method of FIG. 5 further includes writing back information to the TID table 106, in order to prepare for next packet to be ciphered (e.g., decrypted). Such information written back to the TID table 106 may include the next initialization vector to use for the next packet, the next expected LBA, and an updated replay counter.”); 
upon determining that the second content block is encrypted using the second encryption mechanism, decrypting, by the host device, the second content block using the second encryption mechanism to obtain corresponding second plaintext data (Diamant, col. 4 lines 41-52 “The hardware security accelerator 100 decrypts the packet's data payload and stores the plaintext version of the packet in local memory 223. Through the hypervisor 260 and/or OS 270, the application 280 may access the local memory 223 to retrieve the plaintext data. The hardware security accelerator 100 essentially combines the functionality of in-band encryption/decryption with remote direct memory access (RDMA). That is, the hardware security accelerator 100 can read encrypted data from the storage server 30, decrypt the retrieved encrypted data, and store the resulting plaintext data into the host computer's local memory 223” and col. 8 lines 6-12 “At 406, the configurable security unit 110 performs any one or more of: encrypts the packet, decrypts the packet, signs the packet, authenticates the packet and/or other types of ciphering operations. The security processing instructions may specify the offset to the start and end of the data payload of the packet so that decryption of the packet will occur just on the encrypted data payload.”); 
determining, by the host device, whether reception of secure data from the memory device is completed (Diamant, col. 14 lines 4-23 “FIG. 10 illustrates an example of a configurable security engine 143. The illustrative configurable security engine 143 includes a field translation table 72 and a field modification unit 74. The field translation table 72 is used to translate an extracted field (from configurable field extraction unit 141) if and as desired. The field modification unit 74 may perform calculations, based on the security processing instructions provided to it. Such calculations may include calculating the next initialization vector, the next sequence number, and/or the replay counter based upon the extracted field or a translated field from field translation table 72. For example, the for MACSec, the header length may be used as an authentication start offset (i.e., offset to a byte to begin authentication, for example, a digital signature). By way of an additional example, the a value such as 16 may be added to the header length to form the authentication offset value, The field medication unit performs such calculations. The field modification unit 74 may be implemented as an arithmetic logic unit (ALU) comprising adders, subtractors, Boolean operators, multiplexers, etc.”); 
Diamant teaches all the limitations of claim 23 above, however fails to explicitly teach but Levy teaches: 
upon determining that reception of secure data from the memory device is completed, authenticating, by the host device, the first plaintext data and the second plaintext data (Levy, para. [0032] “A DLP system may obtain one or more communications that individually or collectively contain a ciphertext and cryptographically verifiable assurance with a cryptographic key usage limit for a cryptographic key used to generate the ciphertext from plaintext. In embodiments where the ciphertexts are digitally signed, the DLP system may generate a reference digital signature based, at least in part, on the ciphertext and compare the reference signature to a digital signature of the ciphertext contained in the one or more communications…In embodiments where the one or more communications contain cryptographic hashes of code executed by the system providing the ciphertexts, the DLP system may verify the cryptographic hashes in accordance with the techniques used to generate the cryptographic hashes, which may be the same techniques used for verifying digital signatures and, if applicable, utilizing a certificate of a cryptographic module that generated the cryptographic hashes.” And para. [0047] “FIG. 3, the management component encryption device 302 obtains plaintext such as by receiving the plaintext or generating the plaintext and uses the cryptographic key 304 to generate ciphertext 308…Accordingly as illustrated in FIG. 3, one or more of the encryption devices 302 may obtain the ciphertext 308 and use the cryptographic key 304 to decrypt the ciphertext 308 to obtain plaintext from the ciphertext 308. In this example, the management component 302 defines a host class 314 comprising one or more encryption devices 302. Members of the host class 314 are instructed via electronic communications to obtain the ciphertext 308 and decrypt the ciphertext 308 using the cryptographic key 304 to obtain plaintext and to perform one or more operations with the plaintext.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Levy’s digital signature validation into Diamant’s hardware security method, with a motivation to prevent unauthorized access to data (Levy, para. [0003]).

As per claim 24, the combination of Diamant and Levy teach the method of claim 23, wherein authenticating the first plaintext data and the second plaintext data comprises: 
upon determining that reception of secure data from the memory device is completed, obtaining, by the host device, a first signature from a signature block sent by the memory device in conjunction with the secure data (Diamant, col. 7 lines 38-52 “At 401, the method includes receiving a packet. In some embodiments, the packet is received by the hardware security accelerator 100. The packet received may be a packet to be decrypted or encrypted. For example, the packet may have been stored on storage server 30 with encrypted data (or in plaintext, that is, not encrypted) and the packet is now being read back by the host computer 200. The packet is retrieved from the storage server 30 over network 40 and received by the hardware security accelerator 100. The encrypted data payload of the packet is to be decrypted by the hardware security accelerator 100 before being returned to the application 280 that requested the data in the first place. If the packet's payload was stored in plaintext, the hardware security accelerator nevertheless may operate to validate a digital signature in the packet.” And col. 10 lines 11-22 “The configurable security unit 140 may perform security processing operations such as encryption or decryption, as well as digital signature generation and/or validation of packets. In the example of FIG. 6 the configurable security unit 40 includes a configurable field extraction unit 141, a configuration unit 142, a configurable security engine 143, a validation unit 144, and a packet transaction/connection unit 145. The configurable field extraction unit 141 extracts from a packet multiple security-related fields. Example of such security-related fields include a TID, an initialization vector or bits used to compute an initialization vector, etc.”); 

computing, by the host device, a second signature on plaintext data obtained by the host device, the plaintext data including the first plaintext data and the second plaintext data (Levy, para. [0032] “A DLP system may obtain one or more communications that individually or collectively contain a ciphertext and cryptographically verifiable assurance with a cryptographic key usage limit for a cryptographic key used to generate the ciphertext from plaintext. In embodiments where the ciphertexts are digitally signed, the DLP system may generate a reference digital signature based, at least in part, on the ciphertext and compare the reference signature to a digital signature of the ciphertext contained in the one or more communications…In embodiments where the one or more communications contain cryptographic hashes of code executed by the system providing the ciphertexts, the DLP system may verify the cryptographic hashes in accordance with the techniques used to generate the cryptographic hashes, which may be the same techniques used for verifying digital signatures and, if applicable, utilizing a certificate of a cryptographic module that generated the cryptographic hashes.” And para. [0047] “FIG. 3, the management component encryption device 302 obtains plaintext such as by receiving the plaintext or generating the plaintext and uses the cryptographic key 304 to generate ciphertext 308…Accordingly as illustrated in FIG. 3, one or more of the encryption devices 302 may obtain the ciphertext 308 and use the cryptographic key 304 to decrypt the ciphertext 308 to obtain plaintext from the ciphertext 308. In this example, the management component 302 defines a host class 314 comprising one or more encryption devices 302. Members of the host class 314 are instructed via electronic communications to obtain the ciphertext 308 and decrypt the ciphertext 308 using the cryptographic key 304 to obtain plaintext and to perform one or more operations with the plaintext.”);
comparing, by the host device, the first signature to the second signature (Levy, para. [0032] “the DLP system may generate a reference digital signature based, at least in part, on the ciphertext and compare the reference signature to a digital signature of the ciphertext contained in the one or more communications. The reference signature may be generated using a public key provided in or otherwise referenced in a certificate of the system that provided the ciphertext, using a symmetric cryptographic key shared between the system that provided the ciphertext and the DLP system, or may provide the ciphertext and digital signature to another system configured to verify digital cryptographically verifiable assurances of compliance” and para. [0087] “Upon performance of the digital signature verification algorithm, the process 900 may include determining 912 whether the digital signature of the data obtained from the queue is valid based at least in part on a result of performing 910 the digital signature verification algorithm. If it is determined 912 that the digital signature is valid, the process 900 may include transmitting 914 the data to its destination (e.g., a network address identified in one or more data packets that contain the data). The data may be transmitted with the digital signature that was included with the data or, in some embodiments, the data is transmitted to a destination without the digital signature.”); and 
conditioned on determining, by the host device as a result of the comparing, that the first signature is equal to the second signature, accepting, by the host device, the plaintext data as legitimate (Levy, para. [0078] “The DLP enforcement component 708 may determine whether to block the request…The attestation 716 and digital signature 714 may be cryptographically verified by the DLP enforcement component and successful verification of at least both may indicate that the key usage enforcement component 702 is operable to enforce the one or more policies 716 on the cryptographic keys 718 and, in particular, the cryptographic key used to generate the encrypted data record 712. As a result, the DLP enforcement component 708 may transmit the request 710 to a destination of the request 710 (or generate a different request that lacks one or more of the attestation 716 and digital signature 714).”).

4.	Claims 4-8 are rejected under 35 U.S.C. 103 as being unpatentable over Diamant in view of Levy, as disclosed above, in further view of US Pub. No. US 2010/0303229 A1 to Uhruh, (hereinafter, “Unruh”).
As per claim 4, the combination of Diamant and Levy teach the method of claim 3, further comprising: 
receiving, at the host device, a third content block of the secure data from the memory device; determining, by the host device, that the third content block is encrypted using a second encryption mechanism that is different from the first encryption mechanism (Diamant, col. 8 lines 13-23 “At 404, the method includes using the packet type (e.g., the PTI 103) to access a set of security processing instructions. The security processing instructions may be stored in the protocol and transaction determination unit 104. The security processing instructions may include information on how to extract specific header fields in order to construct a TID. The TID may be used, for example, to access a TID table that may contain cryptographic parameters such as encryption/authentication algorithm and mode, cipher keys, next expected logical block address (LBA) or replay-protection counter related to the transaction.” And col. 9 lines 20-26 “At 407, the illustrative method of FIG. 5 further includes writing back information to the TID table 106, in order to prepare for next packet to be ciphered (e.g., decrypted). Such information written back to the TID table 106 may include the next initialization vector to use for the next packet, the next expected LBA, and an updated replay counter.”); and 
upon determining that the third content block is encrypted using the second encryption mechanism, decrypting, by the host device, the third content block using the second encryption mechanism to obtain third plaintext data (Diamant, col. 4 lines 41-52 “The hardware security accelerator 100 decrypts the packet's data payload and stores the plaintext version of the packet in local memory 223. Through the hypervisor 260 and/or OS 270, the application 280 may access the local memory 223 to retrieve the plaintext data. The hardware security accelerator 100 essentially combines the functionality of in-band encryption/decryption with remote direct memory access (RDMA). That is, the hardware security accelerator 100 can read encrypted data from the storage server 30, decrypt the retrieved encrypted data, and store the resulting plaintext data into the host computer's local memory 223” and col. 8 lines 6-12 “At 406, the configurable security unit 110 performs any one or more of: encrypts the packet, decrypts the packet, signs the packet, authenticates the packet and/or other types of ciphering operations. The security processing instructions may specify the offset to the start and end of the data payload of the packet so that decryption of the packet will occur just on the encrypted data payload.”), 
The combination of Diamant and Levy teaches all the limitations of claim 4 above however fails to explicitly teach but Unruh teaches:
wherein the second signature is computed on plaintext data that includes the first plaintext data, the second plaintext data and the third plaintext data (Unruh, para. [0040] “The data flow diagram represents an encryption operation that executes on a computer system 202 and stores the data values shown, e.g., Plaintext 212, Ciphertext 216, Seed(1) 210, and Auth Tag 248, in the computer system's memory.” And para. [0041]” The operation illustrated in FIG. 2C encrypts one or more blocks of plaintext 212, 222, 232. Three block-encryption operations are shown, labeled 1, 2, and N, with the operations for each block shown in a separate vertical column. Although three blocks are shown in FIG. 2C, any number of operations maybe performed to produce corresponding blocks of ciphertext. The encryption and authentication operation generates ciphertext and an authentication tag 248. Three blocks of cipher text 216, 226, 236 are shown in FIG. 2C.” and para. [0043] “The result of the XOR operation 213 is encrypted by a block cipher 214, e.g., AES or the like, using a secret key K to produce ciphertext 216. The encryption operation performs a second XOR operation 217 on the ciphertext 216 and a previous hash value received from the multiplier 208 of the previous block.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Unruh’s encryption and authentication operation into Levy’s digital signature validation and Diamant’s hardware security method, with a motivation to protect confidential information from unauthorized access (Unruh, para. [0004]).

As per claim 5, the combination of Diamant, Levy and Unruh teach the method of claim 4, wherein the host device receives the secure data from the memory device in a plurality of sections that each includes encrypted content blocks and unencrypted content blocks, wherein the host device includes a counter to count a number of content blocks of the secure data that is received (Unruh, para. [0020] “the invention features a reduced leakage encryption technique for encrypting data. The technique compares the counter value, Counter i, with the plaintext block corresponding to the counter (e.g., operates on the counter value and the plaintext block), and encrypts the result of the comparison using the block encryption cipher, e.g., AES or the like…The technique continues by exclusive-or-ing (abbreviated herein as XORing) the block of ciphertext with a multiplication factor generated for the previous block to produce a multiplication factor for the current block, and passing the multiplication factor for the current block to the next block. The technique continues by encrypting the next block of the data record using the same technique if the length of the remaining unencrypted plaintext in the data record is greater than zero. That is, for the next block, the counter value Counter i (e.g., for i=2), computing the exclusive-or of the next block of plaintext to produce the next block of ciphertext if there is more plaintext to encrypt, and XORing the multiplication factor from the block preceding the next block with the ciphertext of the next block to generate the multiplication factor of the next block., until the last block of plaintext has been encrypted, and generating the authentication tag, as described below.”), wherein 
determining that the first content block is encrypted using the first encryption mechanism comprises determining that a value of the counter is less than a first threshold value that corresponds to a number of content blocks in a section encrypted using the first encryption mechanism (Uhruh, para. [0058] “The reduced leakage encryption operation shown in FIG. 3 encrypts data using a technique similar to that shown in FIG. 2C. In the technique of FIG. 3, the plaintext 312 is XORed with a seed value 310 that is based on the sum of an initialization vector IV and an integer multiple of an increment value IV_INC. IV and IV_INC are distinct, random values chosen before encryption begins. That is, the operation of FIG. 3 corresponds to FIG. 2C with the seed value S(I)=IV+I*IV_INC, where I is the index of the block being processed, e.g., I=0 before any blocks have been processed, I=1 for the first block, and I=N for the Nth block. The lengths of IV and IV_INC are based upon the cipher block length, e.g., 128 bits, 256 bits, or the like. In one example, IV is a 128-bit value that is incremented by IV_INC for each block. That is, the counter value 330 for block number N is IV+N*IV_INC. For example, Counter 0 344 has the value IV, Counter 1 310 has the value IV+1*IV_INC, and Counter 2 320 has the value IV+2*IV_INC.”), 
determining that the third content block is encrypted using the second encryption mechanism comprises determining that the value of the counter is greater than the first threshold value but less than a second threshold value that corresponds to a number of content blocks in a section encrypted using the first encryption mechanism and the second encryption mechanism (Unruh, para. [0038] “A second plaintext block 222 of the plaintext data is encrypted by the same operations described above for the first block, except that the operations are applied to the second plaintext 222 and a second seed value, Seed(2) 220, to produce a second ciphertext 226. The second block encryption operation 224 uses the same key K and encryption method (e.g., AES) as the first block encryption operation 214, and operates on the XOR of a plaintext block and a seed. The second XOR operator 223 and the second block encryption operation 224 may be referred to as a second block processor. The second block processor is, in one example, the same as a first block processor that includes the first XOR operator 213 and the first block encryption operation 214. An Nth block processor that includes an Nth XOR operator 233 and an Nth block encryption operation 234 is present if needed, i.e., if the size of the plaintext input data is greater than twice the block size. If the size of the plaintext input data is greater than three times the block size, then an additional block processor that includes an XOR operation (not shown) and a block cipher 229 may be used for each additional plaintext data block 232.” And para. [0060] “Block 402 of the method generates a seed value by, for example, evaluating a function Seed(I) that produces a value based upon the function's argument I, where I is an index of a block of data to be encrypted or decrypted.”), and 
determining that the second content block is unencrypted comprises determining that the value of the counter is greater than the second threshold value but less than a third threshold value that corresponds to a total number of content blocks in a section (Unruh, para. [0038] “The encryption operation of FIG. 2A encrypts a given plaintext block 212 by computing the XOR of a Seed(1) 210 and a plaintext block 212 using an XOR operator 213, and invoking a block encryption operation 214 on result of the XOR operator 213, where the encryption key for the operation 214 is represented by a value K. The encryption operation 214 uses, for example, an AES encryption technique, and produces a ciphertext block 216. The size of the plaintext block 212 is specified by a block size, e.g., 128 bits, 256 bits, or any selected number of bits or bytes. The ciphertext block 216 is the same size as the plaintext block 212. Plaintext data larger than the block size is encrypted by partitioning the plaintext into blocks and applying the block encryption operation to each block, either in parallel, as shown in FIG. 2A, or sequentially.” And para. [0060] “Block 402 of the method generates a seed value by, for example, evaluating a function Seed(I) that produces a value based upon the function's argument I, where I is an index of a block of data to be encrypted or decrypted.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Unruh’s counter mode encryption into Levy’s digital signature validation and Diamant’s hardware security method, with a motivation to protect confidential information from unauthorized access (Unruh, para. [0004]).

As per claim 6, the combination of Diamant, Levy and Unruh teach the method of claim 5, further comprising: 
upon determining that reception of secure data from the memory device is not completed, incrementing the counter (Unruh, para. [0058] “The reduced leakage encryption operation shown in FIG. 3 encrypts data using a technique similar to that shown in FIG. 2C. In the technique of FIG. 3, the plaintext 312 is XORed with a seed value 310 that is based on the sum of an initialization vector IV and an integer multiple of an increment value IV_INC. IV and IV_INC are distinct, random values chosen before encryption begins. That is, the operation of FIG. 3 corresponds to FIG. 2C with the seed value S(I)=IV+I*IV_INC, where I is the index of the block being processed, e.g., I=0 before any blocks have been processed, I=1 for the first block, and I=N for the Nth block.”); 
determining whether the counter is equal to the third threshold value (Unruh, para. [0046] “After the last block, shown as block i in FIG. 2C, has been encrypted, and block i's multiplication factor has been computed by the multiplier 238, block i's multiplication factor is XORed with the lengths of the authentication data 204 and the length of the ciphertext. The multiplier 242 then generates a hash value for the result of the XOR operation 241, and the hash value is XORed with the result of the encryption operation 246 to generate the authentication tag 248, i.e., the authentication code for the cipher text.”); 
conditioned on determining that the counter is equal to the third threshold value, resetting the counter to process a new section of the secure data received from the memory device (Diamant, col. 9 lines 20-26 “the illustrative method of FIG. 5 further includes writing back information to the TID table 106, in order to prepare for next packet to be ciphered (e.g., decrypted). Such information written back to the TID table 106 may include the next initialization vector to use for the next packet, the next expected LBA, and an updated replay counter.”); and conditioned on determining that the counter is not equal to the third threshold value, processing one or more additional content blocks of the current section, the one or more additional content blocks including at least one of a content block encrypted using the first encryption mechanism, a content block encrypted using the second encryption mechanism, or an unencrypted content block (Unruh, para. [0062] “The method of FIG. 5 decrypts ciphertext such as the ciphertext produced by the encryption method of FIG. 4. Block 502 generates the value Seed(I) for block I, where I is the index of the block being processed by the method, as described above with reference to FIG. 4. In another example, block 502 may retrieve the value of Seed(I) from storage, e.g., from a memory. Block 504 executes the block cipher encryption operation on the ciphertext, thereby generating a result. Block 506 recovers the plaintext by computing the XOR of Seed(I) and the result from block 504.”).

As per claim 7, the combination of Diamant, Levy and Unruh teach the method of claim 5, wherein one or more of the first threshold value, the second threshold value or the third threshold value are configurable by a user, and wherein one or more of the first threshold value, the second threshold value or the third threshold value are stored in registers coupled to the memory device (Diamant, col. 9 lines 6-19“the configurable security unit 110 performs any one or more of: encrypts the packet, decrypts the packet, signs the packet, authenticates the packet and/or other types of ciphering operations. The security processing instructions may specify the offset to the start and end of the data payload of the packet so that decryption of the packet will occur just on the encrypted data payload. The TID table 106 can be accessed using the TID determined by the protocol and transaction determination unit 104 to access an encryption key associated with the packet's transaction. The encryption and possibly other cryptographic parameters may be retrieved from the TID table 106 and provided to the configurable security unit 110 for decryption of the packet's payload.”).
As per claim 8, the combination of Diamant, Levy and Unruh teach the method of claim 4, wherein the secure data received from the memory device includes a plurality of encrypted content blocks and unencrypted content blocks, wherein the host device receives additional information with the memory device about at least one of a relative arrangement of the encrypted content blocks and unencrypted content blocks in the secure data, the first encryption mechanism, or the second encryption mechanism (Diamant, col. 2 lines 36-52 “The hardware security accelerator is configurable and, as such, can extract various fields of information from the packet's headers that are needed to perform the security operation and do so based on the specific protocols of each such packet. The particular information fields that are extracted are specific to the particular packet type (i.e., the particular combination of protocols of the headers). Thus, one packet type may cause the hardware security accelerator to extract one set of information fields to decrypt the payload, while a different packet type may cause the accelerator to extract a different set of information fields for decryption purposes. The disclosed embodiments of the hardware security accelerator and associated methods may optimize security on both stream-based and block-based data traffic. Further, the hardware security accelerator is usable to support various security protocols and support proprietary protocols and packet formats.”), wherein 
determining that the first content block is encrypted using the first encryption mechanism comprises analyzing the additional information received from the memory device to determine at least one of the first content block is encrypted or the first encryption mechanism is used to encrypt the first content block, determining that the third content block is encrypted using the second encryption mechanism comprises analyzing the additional information received from the memory device to determine at least one of the third content block is encrypted or the second encryption mechanism is used to encrypt the third content block (Diamant, col. 2 lines 56-67 “The hardware security accelerator described herein is configurable to permit it to analyze the headers of a given packet and determine the particular combination of protocols of the headers. The protocols determined by the accelerator may be standard protocols or proprietary protocols. The hardware security accelerator may be configured to analyze certain bit fields within the header to determine the protocols that are present. The particular bit fields that are examined by the hardware security accelerator are configurable. Further, the security operation performed by the hardware security accelerator (encryption, decryption, signature generation, signature validation, etc.) also is configurable for each particular set of protocols that the hardware security accelerator is configured to detect.”), and 
determining that the second content block is unencrypted comprises analyzing the additional information received from the memory device to determine that the second content block is unencrypted (Diamant, col. 8 lines 13-23 “At 404, the method includes using the packet type (e.g., the PTI 103) to access a set of security processing instructions. The security processing instructions may be stored in the protocol and transaction determination unit 104. The security processing instructions may include information on how to extract specific header fields in order to construct a TID. The TID may be used, for example, to access a TID table that may contain cryptographic parameters such as encryption/authentication algorithm and mode, cipher keys, next expected logical block address (LBA) or replay-protection counter related to the transaction.” And col. 9 lines 20-26 “At 407, the illustrative method of FIG. 5 further includes writing back information to the TID table 106, in order to prepare for next packet to be ciphered (e.g., decrypted). Such information written back to the TID table 106 may include the next initialization vector to use for the next packet, the next expected LBA, and an updated replay counter.”).

5.	Claims 10-22 are rejected under 35 U.S.C. 103 as being unpatentable over Diamant in view of Unruh. 
As per claim 10, Diamant teaches a method comprising: 
receiving, at a memory device, a request for data from a host device that is coupled to the memory device (Diamant, col. 7 lines 38-52 “At 401, the method includes receiving a packet. In some embodiments, the packet is received by the hardware security accelerator 100. The packet received may be a packet to be decrypted or encrypted. For example, the packet may have been stored on storage server 30 with encrypted data (or in plaintext, that is, not encrypted) and the packet is now being read back by the host computer 200. The packet is retrieved from the storage server 30 over network 40 and received by the hardware security accelerator 100. The encrypted data payload of the packet is to be decrypted by the hardware security accelerator 100 before being returned to the application 280 that requested the data in the first place. If the packet's payload was stored in plaintext, the hardware security accelerator nevertheless may operate to validate a digital signature in the packet.”); in response to the request, processing, by the memory device, the data for transmission to the host device, wherein the processing comprises: 
dividing the data into a plurality of sections, each section including one or more content blocks (Diamant, col. 7 lines 53-58 “At 402, the method includes parsing the packet. Parsing the packet may be performed by parser 102 to detect the protocols of the packet's headers (e.g., the L2/L3/L4 protocols). In some embodiments, such as those described above, a given header (e.g., L2 or L3 header) may contain an identification of the next higher layer's protocol.”); 
computing a signature on the content blocks included in the plurality of sections (Diamant, col. 8 lines 13-23 “At 404, the method includes using the packet type (e.g., the PTI 103) to access a set of security processing instructions. The security processing instructions may be stored in the protocol and transaction determination unit 104. The security processing instructions may include information on how to extract specific header fields in order to construct a TID. The TID may be used, for example, to access a TID table that may contain cryptographic parameters such as encryption/authentication algorithm and mode, cipher keys, next expected logical block address (LBA) or replay-protection counter related to the transaction.” And col. 9 lines 20-26 “At 407, the illustrative method of FIG. 5 further includes writing back information to the TID table 106, in order to prepare for next packet to be ciphered (e.g., decrypted). Such information written back to the TID table 106 may include the next initialization vector to use for the next packet, the next expected LBA, and an updated replay counter.”);
encrypting, in each section, a subset of the content blocks included in the section (Diamant, col. 9 lines 6-11 “At 406, the configurable security unit 110 performs any one or more of: encrypts the packet, decrypts the packet, signs the packet, authenticates the packet and/or other types of ciphering operations. The security processing instructions may specify the offset to the start and end of the data payload of the packet so that decryption of the packet will occur just on the encrypted data payload”); and 
sending, to the host device, the plurality of sections along with the signature, each of the plurality of sections including encrypted content blocks and unencrypted content blocks (Diamant, col. 2 lines 18-35 “The hardware security accelerator of the disclosed embodiments performs a security operation on a packet. Such security operations may include decryption of an encrypted packet payload as well as encryption of a plaintext (i.e., unencrypted) packet payload. During the decryption process, for example, the hardware security accelerator obtains various security-related parameters based on the determined packet type and decrypts the packet's payload accordingly. Some of the security-related parameters are extracted from the packet itself by the hardware security accelerator based on the packet type, while other security-related parameters (e.g., encryption keys) may be retrieved from a transaction identifier (TID) table. The collection of security-related parameters (some extracted from the packet and others retrieved from the TID table) are provided to a security engine which uses the parameters to decrypt the encrypted payload. A similar process may be performed to encrypt a plaintext packet payload.”).
Diamant teaches all the limitations of claim 10 above however fails to explicitly teach but Unruh teaches:
including, in each section, a remaining number of unencrypted content blocks as plaintext (Unruh, para. [0020] “the invention features a reduced leakage encryption technique for encrypting data. The technique compares the counter value, Counter i, with the plaintext block corresponding to the counter (e.g., operates on the counter value and the plaintext block), and encrypts the result of the comparison using the block encryption cipher, e.g., AES or the like…The technique continues by exclusive-or-ing (abbreviated herein as XORing) the block of ciphertext with a multiplication factor generated for the previous block to produce a multiplication factor for the current block, and passing the multiplication factor for the current block to the next block. The technique continues by encrypting the next block of the data record using the same technique if the length of the remaining unencrypted plaintext in the data record is greater than zero. That is, for the next block, the counter value Counter i (e.g., for i=2), computing the exclusive-or of the next block of plaintext to produce the next block of ciphertext if there is more plaintext to encrypt, and XORing the multiplication factor from the block preceding the next block with the ciphertext of the next block to generate the multiplication factor of the next block., until the last block of plaintext has been encrypted, and generating the authentication tag, as described below.”); 
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Unruh’s counter mode encryption into Diamant’s hardware security method, with a motivation to protect confidential information from unauthorized access (Unruh, para. [0004]).

As per claim 11, the combination of Diamant and Unruh teach the method of claim 10, wherein the memory device includes a counter to count a number of content blocks in each section, and wherein encrypting the subset of the content blocks in each section comprises: 
determining whether a value of the counter is less than a first threshold value that corresponds to a number of content blocks in a section encrypted using a first encryption mechanism; and upon determining that the value of the counter is less than the first threshold value, iteratively encrypting first content blocks of the subset of the content blocks using the first encryption mechanism, and incrementing the counter (Uhruh, para. [0058] “The reduced leakage encryption operation shown in FIG. 3 encrypts data using a technique similar to that shown in FIG. 2C. In the technique of FIG. 3, the plaintext 312 is XORed with a seed value 310 that is based on the sum of an initialization vector IV and an integer multiple of an increment value IV_INC. IV and IV_INC are distinct, random values chosen before encryption begins. That is, the operation of FIG. 3 corresponds to FIG. 2C with the seed value S(I)=IV+I*IV_INC, where I is the index of the block being processed, e.g., I=0 before any blocks have been processed, I=1 for the first block, and I=N for the Nth block. The lengths of IV and IV_INC are based upon the cipher block length, e.g., 128 bits, 256 bits, or the like. In one example, IV is a 128-bit value that is incremented by IV_INC for each block. That is, the counter value 330 for block number N is IV+N*IV_INC. For example, Counter 0 344 has the value IV, Counter 1 310 has the value IV+1*IV_INC, and Counter 2 320 has the value IV+2*IV_INC.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Unruh’s counter mode encryption into Diamant’s hardware security method, with a motivation to protect confidential information from unauthorized access (Unruh, para. [0004]).
As per claim 12, the combination of Diamant and Unruh teach the method of claim 11, further comprising: 
determining whether the value of the counter is less than a second threshold value that corresponds to a number of content blocks in a section encrypted using a second encryption mechanism that is different from the first encryption mechanism; upon determining that the value of the counter is less than the second threshold value, iteratively encrypting second content blocks of the subset of the content blocks using the second encryption mechanism, and incrementing the counter (Unruh, para. [0038] “A second plaintext block 222 of the plaintext data is encrypted by the same operations described above for the first block, except that the operations are applied to the second plaintext 222 and a second seed value, Seed(2) 220, to produce a second ciphertext 226. The second block encryption operation 224 uses the same key K and encryption method (e.g., AES) as the first block encryption operation 214, and operates on the XOR of a plaintext block and a seed. The second XOR operator 223 and the second block encryption operation 224 may be referred to as a second block processor. The second block processor is, in one example, the same as a first block processor that includes the first XOR operator 213 and the first block encryption operation 214. An Nth block processor that includes an Nth XOR operator 233 and an Nth block encryption operation 234 is present if needed, i.e., if the size of the plaintext input data is greater than twice the block size. If the size of the plaintext input data is greater than three times the block size, then an additional block processor that includes an XOR operation (not shown) and a block cipher 229 may be used for each additional plaintext data block 232.” And para. [0060] “Block 402 of the method generates a seed value by, for example, evaluating a function Seed(I) that produces a value based upon the function's argument I, where I is an index of a block of data to be encrypted or decrypted.”);
determining that the value of the counter is equal to a third threshold value that corresponds to a total number of content blocks in a section (Unruh, para. [0046] “After the last block, shown as block i in FIG. 2C, has been encrypted, and block i's multiplication factor has been computed by the multiplier 238, block i's multiplication factor is XORed with the lengths of the authentication data 204 and the length of the ciphertext. The multiplier 242 then generates a hash value for the result of the XOR operation 241, and the hash value is XORed with the result of the encryption operation 246 to generate the authentication tag 248, i.e., the authentication code for the cipher text.”);  and 
upon determining that the value of the counter is equal to the third threshold value, resetting the counter and processing a next section of the plurality of sections (Diamant, col. 9 lines 20-26 “the illustrative method of FIG. 5 further includes writing back information to the TID table 106, in order to prepare for next packet to be ciphered (e.g., decrypted). Such information written back to the TID table 106 may include the next initialization vector to use for the next packet, the next expected LBA, and an updated replay counter.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Unruh’s counter mode encryption and authentication operation into Diamant’s hardware security method, with a motivation to protect confidential information from unauthorized access (Unruh, para. [0004]).
As per claim 13, the combination of Diamant and Unruh teach the method of claim 12, further comprising: 
receiving, from the host device, one or more of the first threshold value, the second threshold value or the third threshold value that are configured by a user; and storing one or more of the first threshold value, the second threshold value or the third threshold value in registers coupled to the memory device (Diamant, col. 9 lines 6-19“the configurable security unit 110 performs any one or more of: encrypts the packet, decrypts the packet, signs the packet, authenticates the packet and/or other types of ciphering operations. The security processing instructions may specify the offset to the start and end of the data payload of the packet so that decryption of the packet will occur just on the encrypted data payload. The TID table 106 can be accessed using the TID determined by the protocol and transaction determination unit 104 to access an encryption key associated with the packet's transaction. The encryption and possibly other cryptographic parameters may be retrieved from the TID table 106 and provided to the configurable security unit 110 for decryption of the packet's payload.”).
As per claim 14, the combination of Diamant and Unruh teach the method of claim 10, wherein encrypting the subset of the content blocks in each section comprises: 
including, in one or more content blocks of the subset of the content blocks, a nonce value (Diamant, col. 5 lines 54-67 and col. 6 lines 1-11 “The protocol and transaction determination unit also generates a TID (nonce). the TID is included as a field within one or more of the headers of the packet. The specific bits within the headers that contain the TID 105 may be protocol specific. That is, for one particular combination of protocols, the TID 105 is specified in certain bits of the packet headers, while for another combination of protocols, the TID may be specified in other bits of the packet headers. The PTI 103 is indicative of the particular protocols, and based on the particular protocols implemented in the packet, the protocol and transaction determination unit 104 obtains the particular subset of bits from the packet headers that include the TID 105. The TID 105 is provided by the protocol and transaction determination unit 104 to the TID table 106, along with one or more headers 111 extracted form the packet by the parser 102. The TID table 106 maps TIDs and one or more fields from the extracted headers to cryptographic parameters. The cryptographic parameters 107 associated with the particular TID 105 are retrieved from the TID table 106 and provided to the configurable security unit 110.”); and 
encrypting the subset of the content blocks following including the nonce value in the one or more content blocks of the subset of the content blocks, wherein the nonce value is synchronized with the host device (Diamant, col. 4 lines 37-55 “The relevant set of cryptographic parameters may be identified using a packet type identifier and/or a TID. The packet type identifier may be determined based on the particular combination of protocols of the packet's headers and the TID may be parsed from the packet. The hardware security accelerator 100 decrypts the packet's data payload and stores the plaintext version of the packet in local memory 223. Through the hypervisor 260 and/or OS 270, the application 280 may access the local memory 223 to retrieve the plaintext data. The hardware security accelerator 100 essentially combines the functionality of in-band encryption/decryption with remote direct memory access (RDMA). That is, the hardware security accelerator 100 can read encrypted data from the storage server 30, decrypt the retrieved encrypted data, and store the resulting plaintext data into the host computer's local memory 223 without having to temporarily store the data elsewhere pending the decryption process. The same principle is true when encrypting and writing encrypted data to the storage server 30”).
As per claim 15, Diamant teaches a memory device comprising: 
a storage memory for storing data (Diamant, col. 3 lines 27-30 “The host computer 200 includes hardware components such as local memory 223, chipset 225, CPU 222 and NIC 224. In the particular embodiment of FIG. 1, NIC 224 includes a hardware security accelerator 100.”); 
a memory controller for managing access to the storage memory (Diamant, col. 3 lines 13-21 “The storage server 30 has a storage layer 10 and a storage server control layer 20. The storage layer 10 may include any number and types of permanent (i.e., non-volatile) storage devices such as a solid state drive (SSD) 11 and a hard disk (HD) 12. The storage server control layer 20 includes a network interface card (NIC) 24, a central processing unit (CPU) 22 (or multiple CPUs), local memory 23 (e.g., random access memory) and a storage interface 21.”), wherein the memory controller is adapted to perform operations comprising: 
receiving a request for data from a host device that is coupled to the memory device (Diamant, col. 7 lines 38-52 “At 401, the method includes receiving a packet. In some embodiments, the packet is received by the hardware security accelerator 100. The packet received may be a packet to be decrypted or encrypted. For example, the packet may have been stored on storage server 30 with encrypted data (or in plaintext, that is, not encrypted) and the packet is now being read back by the host computer 200. The packet is retrieved from the storage server 30 over network 40 and received by the hardware security accelerator 100. The encrypted data payload of the packet is to be decrypted by the hardware security accelerator 100 before being returned to the application 280 that requested the data in the first place. If the packet's payload was stored in plaintext, the hardware security accelerator nevertheless may operate to validate a digital signature in the packet.”);
in response to the request, processing the requested data for transmission to the host device, wherein the processing comprises: 
accessing, from the storage memory, the requested data; dividing the requested data into a plurality of sections, each section including one or more content blocks (Diamant, col. 7 lines 53-58 “At 402, the method includes parsing the packet. Parsing the packet may be performed by parser 102 to detect the protocols of the packet's headers (e.g., the L2/L3/L4 protocols). In some embodiments, such as those described above, a given header (e.g., L2 or L3 header) may contain an identification of the next higher layer's protocol.” And col. 8 lines 13-23 “At 404, the method includes using the packet type (e.g., the PTI 103) to access a set of security processing instructions. The security processing instructions may be stored in the protocol and transaction determination unit 104. The security processing instructions may include information on how to extract specific header fields in order to construct a TID. The TID may be used, for example, to access a TID table that may contain cryptographic parameters such as encryption/authentication algorithm and mode, cipher keys, next expected logical block address (LBA) or replay-protection counter related to the transaction.” And col. 9 lines 20-26 “At 407, the illustrative method of FIG. 5 further includes writing back information to the TID table 106, in order to prepare for next packet to be ciphered (e.g., decrypted). Such information written back to the TID table 106 may include the next initialization vector to use for the next packet, the next expected LBA, and an updated replay counter.”);
computing a signature on the content blocks included in the plurality of sections Diamant, col. 8 lines 13-23 “At 404, the method includes using the packet type (e.g., the PTI 103) to access a set of security processing instructions. The security processing instructions may be stored in the protocol and transaction determination unit 104. The security processing instructions may include information on how to extract specific header fields in order to construct a TID. The TID may be used, for example, to access a TID table that may contain cryptographic parameters such as encryption/authentication algorithm and mode, cipher keys, next expected logical block address (LBA) or replay-protection counter related to the transaction.” And col. 9 lines 20-26 “At 407, the illustrative method of FIG. 5 further includes writing back information to the TID table 106, in order to prepare for next packet to be ciphered (e.g., decrypted). Such information written back to the TID table 106 may include the next initialization vector to use for the next packet, the next expected LBA, and an updated replay counter.”);
encrypting, in each section, a subset of the content blocks included in the section (Diamant, col. 9 lines 6-11 “At 406, the configurable security unit 110 performs any one or more of: encrypts the packet, decrypts the packet, signs the packet, authenticates the packet and/or other types of ciphering operations. The security processing instructions may specify the offset to the start and end of the data payload of the packet so that decryption of the packet will occur just on the encrypted data payload”); and 
sending, to the host device, the plurality of sections along with the signature, each of the plurality of sections including encrypted content blocks and unencrypted content blocks (Diamant, col. 2 lines 18-35 “The hardware security accelerator of the disclosed embodiments performs a security operation on a packet. Such security operations may include decryption of an encrypted packet payload as well as encryption of a plaintext (i.e., unencrypted) packet payload. During the decryption process, for example, the hardware security accelerator obtains various security-related parameters based on the determined packet type and decrypts the packet's payload accordingly. Some of the security-related parameters are extracted from the packet itself by the hardware security accelerator based on the packet type, while other security-related parameters (e.g., encryption keys) may be retrieved from a transaction identifier (TID) table. The collection of security-related parameters (some extracted from the packet and others retrieved from the TID table) are provided to a security engine which uses the parameters to decrypt the encrypted payload. A similar process may be performed to encrypt a plaintext packet payload.”).
Diamant teaches all the limitations of claim 15 above however fails to explicitly teach but Unruh teaches:

including, in each section, a remaining number of unencrypted content blocks as plaintext (Unruh, para. [0020] “the invention features a reduced leakage encryption technique for encrypting data. The technique compares the counter value, Counter i, with the plaintext block corresponding to the counter (e.g., operates on the counter value and the plaintext block), and encrypts the result of the comparison using the block encryption cipher, e.g., AES or the like…The technique continues by exclusive-or-ing (abbreviated herein as XORing) the block of ciphertext with a multiplication factor generated for the previous block to produce a multiplication factor for the current block, and passing the multiplication factor for the current block to the next block. The technique continues by encrypting the next block of the data record using the same technique if the length of the remaining unencrypted plaintext in the data record is greater than zero. That is, for the next block, the counter value Counter i (e.g., for i=2), computing the exclusive-or of the next block of plaintext to produce the next block of ciphertext if there is more plaintext to encrypt, and XORing the multiplication factor from the block preceding the next block with the ciphertext of the next block to generate the multiplication factor of the next block., until the last block of plaintext has been encrypted, and generating the authentication tag, as described below.”); 
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Unruh’s counter mode encryption of plaintext blocks into Diamant’s hardware security method, with a motivation to protect confidential information from unauthorized access (Unruh, para. [0004]).

As per claim 16, the combination of Diamant and Unruh teach the memory device of claim 15, wherein the memory controller includes a counter to count a number of content blocks in each section, and wherein encrypting the subset of the content blocks in each section comprises: 
determining whether a value of the counter is less than a first threshold value that corresponds to a number of content blocks in a section encrypted using a first encryption mechanism; and upon determining that the value of the counter is less than the first threshold value, iteratively encrypting first content blocks of the subset of the content blocks using the first encryption mechanism, and incrementing the counter (Uhruh, para. [0058] “The reduced leakage encryption operation shown in FIG. 3 encrypts data using a technique similar to that shown in FIG. 2C. In the technique of FIG. 3, the plaintext 312 is XORed with a seed value 310 that is based on the sum of an initialization vector IV and an integer multiple of an increment value IV_INC. IV and IV_INC are distinct, random values chosen before encryption begins. That is, the operation of FIG. 3 corresponds to FIG. 2C with the seed value S(I)=IV+I*IV_INC, where I is the index of the block being processed, e.g., I=0 before any blocks have been processed, I=1 for the first block, and I=N for the Nth block. The lengths of IV and IV_INC are based upon the cipher block length, e.g., 128 bits, 256 bits, or the like. In one example, IV is a 128-bit value that is incremented by IV_INC for each block. That is, the counter value 330 for block number N is IV+N*IV_INC. For example, Counter 0 344 has the value IV, Counter 1 310 has the value IV+1*IV_INC, and Counter 2 320 has the value IV+2*IV_INC.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Unruh’s counter mode encryption into Diamant’s hardware security method, with a motivation to protect confidential information from unauthorized access (Unruh, para. [0004]).
As per claim 17, the combination of Diamant and Unruh teach the memory device of claim 16, wherein the operations further comprise: 
determining whether the value of the counter is less than a second threshold value that corresponds to a number of content blocks in a section encrypted using a second encryption mechanism that is different from the first encryption mechanism; upon determining that the value of the counter is less than the second threshold value, iteratively encrypting second content blocks of the subset of the content blocks using the second encryption mechanism, and incrementing the counter (Unruh, para. [0038] “A second plaintext block 222 of the plaintext data is encrypted by the same operations described above for the first block, except that the operations are applied to the second plaintext 222 and a second seed value, Seed(2) 220, to produce a second ciphertext 226. The second block encryption operation 224 uses the same key K and encryption method (e.g., AES) as the first block encryption operation 214, and operates on the XOR of a plaintext block and a seed. The second XOR operator 223 and the second block encryption operation 224 may be referred to as a second block processor. The second block processor is, in one example, the same as a first block processor that includes the first XOR operator 213 and the first block encryption operation 214. An Nth block processor that includes an Nth XOR operator 233 and an Nth block encryption operation 234 is present if needed, i.e., if the size of the plaintext input data is greater than twice the block size. If the size of the plaintext input data is greater than three times the block size, then an additional block processor that includes an XOR operation (not shown) and a block cipher 229 may be used for each additional plaintext data block 232.” And para. [0060] “Block 402 of the method generates a seed value by, for example, evaluating a function Seed(I) that produces a value based upon the function's argument I, where I is an index of a block of data to be encrypted or decrypted.”);
determining that the value of the counter is equal to a third threshold value that corresponds to a total number of content blocks in a section (Unruh, para. [0046] “After the last block, shown as block i in FIG. 2C, has been encrypted, and block i's multiplication factor has been computed by the multiplier 238, block i's multiplication factor is XORed with the lengths of the authentication data 204 and the length of the ciphertext. The multiplier 242 then generates a hash value for the result of the XOR operation 241, and the hash value is XORed with the result of the encryption operation 246 to generate the authentication tag 248, i.e., the authentication code for the cipher text.”); and 
upon determining that the value of the counter is equal to the third threshold value, resetting the counter and processing a next section of the plurality of sections (Diamant, col. 9 lines 20-26 “the illustrative method of FIG. 5 further includes writing back information to the TID table 106, in order to prepare for next packet to be ciphered (e.g., decrypted). Such information written back to the TID table 106 may include the next initialization vector to use for the next packet, the next expected LBA, and an updated replay counter.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Unruh’s counter mode encryption into Diamant’s hardware security method, with a motivation to protect confidential information from unauthorized access (Unruh, para. [0004]).
As per claim 18, the combination of Diamant and Unruh teach the memory device of claim 17, wherein the operations further comprise: 
receiving, from the host device, one or more of the first threshold value, the second threshold value or the third threshold value that are configured by a user; and storing one or more of the first threshold value, the second threshold value or the third threshold value in registers coupled to the memory controller (Diamant, col. 9 lines 6-19“the configurable security unit 110 performs any one or more of: encrypts the packet, decrypts the packet, signs the packet, authenticates the packet and/or other types of ciphering operations. The security processing instructions may specify the offset to the start and end of the data payload of the packet so that decryption of the packet will occur just on the encrypted data payload. The TID table 106 can be accessed using the TID determined by the protocol and transaction determination unit 104 to access an encryption key associated with the packet's transaction. The encryption and possibly other cryptographic parameters may be retrieved from the TID table 106 and provided to the configurable security unit 110 for decryption of the packet's payload.”).
As per claim 19, the combination of Diamant and Unruh teach the memory device of claim 15, wherein encrypting the subset of the content blocks in each section comprises: 
including, in one or more content blocks of the subset of the content blocks, a nonce value (Diamant, col. 5 lines 54-67 and col. 6 lines 1-11 “The protocol and transaction determination unit also generates a TID (nonce). the TID is included as a field within one or more of the headers of the packet. The specific bits within the headers that contain the TID 105 may be protocol specific. That is, for one particular combination of protocols, the TID 105 is specified in certain bits of the packet headers, while for another combination of protocols, the TID may be specified in other bits of the packet headers. The PTI 103 is indicative of the particular protocols, and based on the particular protocols implemented in the packet, the protocol and transaction determination unit 104 obtains the particular subset of bits from the packet headers that include the TID 105. The TID 105 is provided by the protocol and transaction determination unit 104 to the TID table 106, along with one or more headers 111 extracted form the packet by the parser 102. The TID table 106 maps TIDs and one or more fields from the extracted headers to cryptographic parameters. The cryptographic parameters 107 associated with the particular TID 105 are retrieved from the TID table 106 and provided to the configurable security unit 110.”); and 
encrypting the subset of the content blocks following including the nonce value in the one or more content blocks of the subset of the content blocks, wherein the nonce value is synchronized with the host device (Diamant, col. 4 lines 37-55 “The relevant set of cryptographic parameters may be identified using a packet type identifier and/or a TID. The packet type identifier may be determined based on the particular combination of protocols of the packet's headers and the TID may be parsed from the packet. The hardware security accelerator 100 decrypts the packet's data payload and stores the plaintext version of the packet in local memory 223. Through the hypervisor 260 and/or OS 270, the application 280 may access the local memory 223 to retrieve the plaintext data. The hardware security accelerator 100 essentially combines the functionality of in-band encryption/decryption with remote direct memory access (RDMA). That is, the hardware security accelerator 100 can read encrypted data from the storage server 30, decrypt the retrieved encrypted data, and store the resulting plaintext data into the host computer's local memory 223 without having to temporarily store the data elsewhere pending the decryption process. The same principle is true when encrypting and writing encrypted data to the storage server 30”).
As per claim 20, the combination of Diamant and Unruh teach the memory device of claim 15, wherein encrypting the subset of the content blocks in each section comprises selecting one or more first content blocks of the subset and encrypting the one or more first content blocks using a first encryption mechanism (Diamant, col. 9 lines 6-11 “At 406, the configurable security unit 110 performs any one or more of: encrypts the packet, decrypts the packet, signs the packet, authenticates the packet and/or other types of ciphering operations. The security processing instructions may specify the offset to the start and end of the data payload of the packet so that decryption of the packet will occur just on the encrypted data payload”), and 
wherein the operations further comprise sending, to the host device, additional information that includes at least one of location information of the one or more first content blocks, or the first encryption mechanism (Diamant, col. 11 lines 57-67 and col. 12 lines 1-23 “the first memory unit 133 may output one or more security processing instructions of a relevant set of security processing instructions associated with the PTI and/or cryptographic parameters associated with the TID. At least one security processing instruction of the relevant set is sent to one or more of the configuration unit 142, the configurable security engine 143, and the configurable field extraction unit 141. A security processing instruction may, for example, indicate the bit location of a particular field of the packet's headers. The field targeted by the instruction may be, for example, the data payload of the packet. In response to the security processing instruction, the configurable field extraction unit 141 may extract that particular field and send the extracted bit field to the configuration security engine 143. In another example, the bit field that is to be extracted from the packet may be any one or more of the following security fields: a TID, a CID, an epoch value, a packet sequence number, an LBA, a replay counter, an encryption start offset, an encryption end offset (from end of packet (EOP)), an authentication start offset, an authentication end offset (from EOP), and a protection information size and repetition. The extracted field may also include an initialization vector or fields from which the initialization vector is to be computed. The configurable security engine 143 may receive the payload of the packet as extracted by the configurable field extraction unit 141 and then encrypt or decrypt it. The configurable security engine 143 may be configured to perform the encryption or decryption according to one or more of the cryptographic parameters retrieved from the TID table as well as various of the fields extracted from the packet headers that contain security-related information necessary for the ciphering process.”).
As per claim 21, the combination of Diamant and Unruh teach the memory device of claim 15, wherein encrypting the subset of the content blocks in each section comprises: 
selecting one or more first content blocks and one or more second content blocks of the subset (Diamant, col. 9 lines 6-11 “At 406, the configurable security unit 110 performs any one or more of: encrypts the packet, decrypts the packet, signs the packet, authenticates the packet and/or other types of ciphering operations. The security processing instructions may specify the offset to the start and end of the data payload of the packet so that decryption of the packet will occur just on the encrypted data payload”);
encrypting the one or more first content blocks using a first encryption mechanism; and encrypting the one or more first content blocks using a second encryption mechanism (Diamant, col. 2 lines 18-35 “The hardware security accelerator of the disclosed embodiments performs a security operation on a packet. Such security operations may include decryption of an encrypted packet payload as well as encryption of a plaintext (i.e., unencrypted) packet payload. During the decryption process, for example, the hardware security accelerator obtains various security-related parameters based on the determined packet type and decrypts the packet's payload accordingly. Some of the security-related parameters are extracted from the packet itself by the hardware security accelerator based on the packet type, while other security-related parameters (e.g., encryption keys) may be retrieved from a transaction identifier (TID) table. The collection of security-related parameters (some extracted from the packet and others retrieved from the TID table) are provided to a security engine which uses the parameters to decrypt the encrypted payload. A similar process may be performed to encrypt a plaintext packet payload.”).
As per claim 22, the combination of Diamant and Unruh teach the memory device of claim 21, wherein the operations further comprise: 
sending, to the host device, additional information that includes at least one of location information of the one or more first content blocks, location information of the one or more second content blocks, the first encryption mechanism or the second encryption mechanism (Diamant, col. 11 lines 57-67 and col. 12 lines 1-23 “the first memory unit 133 may output one or more security processing instructions of a relevant set of security processing instructions associated with the PTI and/or cryptographic parameters associated with the TID. At least one security processing instruction of the relevant set is sent to one or more of the configuration unit 142, the configurable security engine 143, and the configurable field extraction unit 141. A security processing instruction may, for example, indicate the bit location of a particular field of the packet's headers. The field targeted by the instruction may be, for example, the data payload of the packet. In response to the security processing instruction, the configurable field extraction unit 141 may extract that particular field and send the extracted bit field to the configuration security engine 143. In another example, the bit field that is to be extracted from the packet may be any one or more of the following security fields: a TID, a CID, an epoch value, a packet sequence number, an LBA, a replay counter, an encryption start offset, an encryption end offset (from end of packet (EOP)), an authentication start offset, an authentication end offset (from EOP), and a protection information size and repetition. The extracted field may also include an initialization vector or fields from which the initialization vector is to be computed. The configurable security engine 143 may receive the payload of the packet as extracted by the configurable field extraction unit 141 and then encrypt or decrypt it. The configurable security engine 143 may be configured to perform the encryption or decryption according to one or more of the cryptographic parameters retrieved from the TID table as well as various of the fields extracted from the packet headers that contain security-related information necessary for the ciphering process.”).

Conclusion
6.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US 6845159 B1 – Converting data into multiple formats.
US 20190229924 A1 – Efficient hardware replay protection.
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZOHA P TAFAGHODI whose telephone number is (571)272-5199.  The examiner can normally be reached on 9AM-5PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s acting supervisor, Kristine Kincaid can be reached on (571) 272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ZOHA PIYADEHGHIBI TAFAGHODI/Examiner, Art Unit 2437  

/KRISTINE L KINCAID/Supervisory Patent Examiner, Art Unit 2437