DETAILED ACTION
Notice of Pre-AIA or AIA Status
1. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Status of Claims
2. Claims 1-20 are pending. Claims 1, 11, 12, and 20 are in independent form.

Information Disclosure Statement
3. The information disclosure statements (IDSs) submitted on 04/07/2021 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.
Drawings
4. The drawings filed on 01/29/2021 are accepted by the examiner.

Claim Rejections - 35 USC § 103
5. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

6. Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Harris et al. US Patent Application Publication No. 2007/0245409 (hereinafter Harris) in view of Moskowitz US Patent Application Publication No. 2015/0052348 (hereinafter Moskowitz).
Regarding claim 1, Harris discloses a system for securely transferring data between two software programs executing on the same end-user device (Fig. 40 A, client 6205), the system comprising: 
a first program (Fig. 40 A, first program 6222) that executes on an end-user device to: 
“send one or more encrypted data elements towards a server machine over one or more computer networks” (see Harris par. 0798, At step 6402 of method 6400, the client 6205 performs a log in procedure and establishes an encrypted data communication session with appliance 1250 via network 6204. In one embodiment, the encrypted data communication session is used as a tunnel to bridge traffic from client 6205 to any of servers 30 which reside behind appliance 1250 in private data communication network);
a second program (Fig. 40 A, Acceleration Program 6120) that executes on the end-user device to: 
“intercept the one or more encrypted data elements before they leave the end-user device, with the one or more encrypted data elements remaining opaque to the second program” (see Harris par. 0801, the second program is configured, in part, to intercept communications from applications 6220 running on client 6205 that are destined for resources on network 6204 and to provide the intercepted communications to the first program 6222 for sending to appliance 1250 via the encrypted data communication session); and, 
“encapsulate the one or more encrypted data elements using an encapsulating protocol that has one or more control fields and one or more payload fields” (see Harris pars. 0808, 0637, At step 6458, each intercepted communication is terminated or proxied by the first program 6222, and the first program 6222 prepares the intercepted communication for transmission via the established encrypted data communication session. In one embodiment, the first program 6222 separates out the payload and encapsulates the payload for delivery via the established encrypted data communication session. In another embodiment, the first program 6222 encapsulates the intercepted communication as received from the second program. In some embodiments, the payload is a TCP payload and is encapsulated into a new TCP connection between the client 6205 and the server 30, such as via appliance 1250);
“send the encapsulated one or more encrypted data elements to the server machine in the one or more payload fields” (see Harris par. 0804, At step 6458, the first program 6222 terminates or proxies the connection, separates the payload and encapsulates the payload for delivery via the established encrypted communication session. At step 6460, the first program 6222 sends intercepted communications over public network to appliance 1250 in private network via pre-established encrypted communication session); 
the server machine (Fig. 1A, servers 30) configured with software to: 
“receive the encapsulated one or more encrypted data elements” (see Harris par. 0808, At step 6458, each intercepted communication is terminated or proxied by the first program 6222, and the first program 6222 prepares the intercepted communication for transmission via the established encrypted data communication session. In another embodiment, the first program 6222 encapsulates the intercepted communication as received from the second program);
decrypt the one or more encrypted data elements to generate one or more data elements (see Harris par. 0765, At step 6320, upon receipt of the acceleration program 6120, the client 6205 automatically executes or performs a silent installation of the acceleration program 6120. At step 6325, upon completion of installation of the acceleration program 6120, the client 6205 automatically executes the acceleration program 6120 in the network stack 6210 to intercept communications between the client 6205 and the server 30. At step 6330, the acceleration program 6120 performs any of the plurality of acceleration techniques and may encrypt and/or decrypt communications); and 
after said decryption, send the one or more data elements back to the second program in the one or more control fields of the encapsulating protocol, so that the second program can read the one or more data elements (see Harris par. 0702, the method of flowchart 5300 begins at step 5302, in which appliance 1250 receives an encrypted packet from one of clients 10. In an embodiment, appliance 1250 is configured to act as a proxy SSL endpoint for servers 30, decrypting encrypted packets received from clients 10, and then sending them on for further processing as necessary and ultimately on to an appropriate resource based on address information within the encrypted packets. The appropriate resource may be, for example, any of servers 30 or the cache managed by appliance 1250. At step 5304, appliance 1250 performs decryption processing on the packet);
Harris does not explicitly disclose extracting the one or more encrypted data elements from the one or more payload fields.
However, in analogous art, Moskowitz discloses extracting the one or more encrypted data elements from the one or more payload fields (see Moskowitz pars. 0029-0031, Format type field 315 may uniquely identify one of multiple different format types that may be used at the session layer for encapsulating session layer payload data. Each of the multiple different format types may include a different number and/or length of fields used in the encapsulation overhead data that encapsulated the session layer payload data. Payload data lengths may vary from small to very large lengths, and bandwidths/costs associated with network 120, or network 120's links, may vary from highly constrained to very high bandwidth. Therefore, payload data in each session may be encapsulated using different encapsulation format types).
Therefore it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the teachings of Durham into the system of Harris to include encapsulating session payload data based on the selected encapsulation format type; encrypting the portions of the encapsulated data using the session encryption key and based on the encryption algorithm specified in the ciphersuite (see Moskowitz par. 0037).
 
Regarding claim 2, Harris in view of Moskowitz discloses the system of claim 1, 
Harris further discloses wherein the first program executes to establish a TCP connection to the software on the server machine, and to use TLS to encrypt the one or more encrypted data elements and send them over the TCP connection (see Harris pars. 0640, 0537).

Regarding claim 3, Harris in view of Moskowitz discloses the system of claim 2, 
Harris further discloses wherein the second program intercepts the TCP connection (see Harris par. 0747).  

Regarding claim 4, Harris in view of Moskowitz discloses the system of claim 1, 
Harris further discloses wherein the first program comprises a web browser (see Harris par. 0798).  

Regarding claim 5, Harris in view of Moskowitz discloses the system of claim 1, 
Harris further discloses wherein the second program comprises an access client for providing secure access to one or more enterprise resources over the public Internet (see Harris par. 0583).

Regarding claim 6, Harris in view of Moskowitz discloses the system of claim 1, 
Harris further discloses wherein the one or more data elements comprise any of: session state, one or more authenticators, one or more authorization tokens (see Harris par. 0156).  

Regarding claim 7, Harris in view of Moskowitz discloses the system of claim 1, 
Harris further discloses wherein the second program selectively intercepts the one or more encrypted data elements based on at least one of: destination domain name or destination IP address (see Harris par. 0637).  

Regarding claim 8, Harris in view of Moskowitz discloses the system of claim 1, 
Harris further discloses wherein the software of the server machine is configured to execute a pairing operation, at least prior to the server machine sending of the one or more data elements back to the second program, the pairing operation being performed to establish that the first and second programs are on the same end-user device (see Harris Fig. 40A, par. 0734).  

Regarding claim 9, Harris in view of Moskowitz discloses the system of claim 8, 
Harris further discloses wherein the pairing operation comprises: the server machine sending an instruction to the second program to provide a signal to an end-user via an end-user interface of the end-user device, and prompting the end-user to report said signal to the first program, so that the first program can transmit the reported signal back to the server machine for verification (see Harris pars. 0399, 0404).

Regarding claim 10, Harris in view of Moskowitz discloses the system of claim 9, 
Harris further discloses wherein the signal is any of a visual and audio code (see Harris pars. 0112, 0160, 0243).  

Regarding claim 11, Harris discloses a system for securely transferring data between two software programs executing on the same end-user device (Fig. 40 A, client 6205), the system comprising: 
a first program (Fig. 40 A, first program 6222) that executes on an end-user device to: 
“establish a first communication channel to a server machine over one or more computer networks” (see Harris par. 0798, At step 6402 of method 6400, the client 6205 performs a log in procedure and establishes an encrypted data communication session with appliance 1250 via network 6204. In one embodiment, the encrypted data communication session is used as a tunnel to bridge traffic from client 6205 to any of servers 30 which reside behind appliance 1250 in private data communication network);
a second program (Fig. 40 A, Acceleration Program 6120) that executes on the end-user device to: 
“intercept the first communication channel before it leaves the end-user device, with messages in the first communication channel remaining opaque to the second program” (see Harris par. 0801, the second program is configured, in part, to intercept communications from applications 6220 running on client 6205 that are destined for resources on network 6204 and to provide the intercepted communications to the first program 6222 for sending to appliance 1250 via the encrypted data communication session); and, 
“encapsulate the first communication channel using an encapsulating protocol that has one or more control fields and one or more payload fields” (see Harris pars. 0808, 0637, At step 6458, each intercepted communication is terminated or proxied by the first program 6222, and the first program 6222 prepares the intercepted communication for transmission via the established encrypted data communication session. In one embodiment, the first program 6222 separates out the payload and encapsulates the payload for delivery via the established encrypted data communication session. In another embodiment, the first program 6222 encapsulates the intercepted communication as received from the second program. In some embodiments, the payload is a TCP payload and is encapsulated into a new TCP connection between the client 6205 and the server 30, such as via appliance 1250);
“send the encapsulated first communication channel to the server machine in the one or more payload fields” (see Harris par. 0804, At step 6458, the first program 6222 terminates or proxies the connection, separates the payload and encapsulates the payload for delivery via the established encrypted communication session. At step 6460, the first program 6222 sends intercepted communications over public network to appliance 1250 in private network via pre-established encrypted communication session); 
“send one or more data elements to the server machine via the encapsulating protocol” (see Harris par. 0808, the first program 6222 encapsulates the intercepted communication as received from the second program. In some embodiments, the payload is a TCP payload and is encapsulated into a new TCP connection between the client 6205 and the server 30, such as via appliance 1250); 
the server machine (Fig. 1A, servers 30) configured with software to: 
receive the one or more data elements from the second program via the encapsulating protocol (see Harris par. 0808, the first program 6222 encapsulates the intercepted communication as received from the second program. In some embodiments, the payload is a TCP payload and is encapsulated into a new TCP connection between the client 6205 and the server 30, such as via appliance 1250); 
Harris does not explicitly disclose sending the one or more data elements back to the first program using the encapsulated first communication channel, in an encrypted form so that the second program cannot read the one or more data elements but the first program can.
However, in analogous art, Moskowitz discloses sending the one or more data elements back to the first program using the encapsulated first communication channel, in an encrypted form so that the second program cannot read the one or more data elements but the first program can (see Moskowitz pars. 0035-0036, Application layer 410-1 receives session payload data 405 as the service data unit (SDU), encapsulates session payload data 405, and passes the encapsulated data down to presentation layer 415-1 as a protocol data unit (PDU). Presentation layer 415-1 receives the PDU from application layer 410-1 as a SDU and translates data of the SDU between application and network formats. Presentation layer 415-1 formats and encrypts the data of the SDU to be sent across network 120. Presentation layer 415-1 the SDU, encapsulates the SDU, and passes the encapsulated SDU to session layer 420-1 as a PDU).
Therefore it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the teachings of Moskowitz into the system of Harris to provide any communicating application with standardized message security encapsulation formats, wherein one of the different message encapsulation format types may be selected for use at the session layer based on the cost or bandwidth constraints of the transporting network (see Moskowitz par. 0017).


Regarding claim 12, Harris discloses a method for securely transferring data between two software programs executing on the same end-user device (Fig. 40 A, client 6205), the method comprising: 
with a first program (Fig. 40 A, first program 6222)  executing on an end-user device: 
“sending one or more encrypted data elements towards a server machine over one or more computer networks” (see Harris par. 0804, At step 6458, the first program 6222 terminates or proxies the connection, separates the payload and encapsulates the payload for delivery via the established encrypted communication session. At step 6460, the first program 6222 sends intercepted communications over public network to appliance 1250 in private network via pre-established encrypted communication session); 
with a second program (Fig. 40 A, Acceleration Program 6120) executing on the end-user device: 
“intercepting the one or more encrypted data elements before they leave the end-user device, with the one or more encrypted data elements remaining opaque to the second program” (see Harris par. 0801, the second program is configured, in part, to intercept communications from applications 6220 running on client 6205 that are destined for resources on network 6204 and to provide the intercepted communications to the first program 6222 for sending to appliance 1250 via the encrypted data communication session); and, 
“encapsulating the one or more encrypted data elements using an encapsulating protocol that has one or more control fields and one or more payload fields” (see Harris pars. 0808, 0637, At step 6458, each intercepted communication is terminated or proxied by the first program 6222, and the first program 6222 prepares the intercepted communication for transmission via the established encrypted data communication session. In one embodiment, the first program 6222 separates out the payload and encapsulates the payload for delivery via the established encrypted data communication session. In another embodiment, the first program 6222 encapsulates the intercepted communication as received from the second program. In some embodiments, the payload is a TCP payload and is encapsulated into a new TCP connection between the client 6205 and the server 30, such as via appliance 1250);
“sending the encapsulated one or more encrypted data elements to the server machine in the one or more payload fields” (see Harris par. 0804, At step 6458, the first program 6222 terminates or proxies the connection, separates the payload and encapsulates the payload for delivery via the established encrypted communication session. At step 6460, the first program 6222 sends intercepted communications over public network to appliance 1250 in private network via pre-established encrypted communication session); 
with the server machine (Fig. 1A, servers 30): 
“receiving the encapsulated one or more encrypted data elements” (see Harris par. 0808, At step 6458, each intercepted communication is terminated or proxied by the first program 6222, and the first program 6222 prepares the intercepted communication for transmission via the established encrypted data communication session. In another embodiment, the first program 6222 encapsulates the intercepted communication as received from the second program);
“decrypting the one or more encrypted data elements to generate one or more data elements” (see Harris par. 0765, At step 6320, upon receipt of the acceleration program 6120, the client 6205 automatically executes or performs a silent installation of the acceleration program 6120. At step 6325, upon completion of installation of the acceleration program 6120, the client 6205 automatically executes the acceleration program 6120 in the network stack 6210 to intercept communications between the client 6205 and the server 30. At step 6330, the acceleration program 6120 performs any of the plurality of acceleration techniques and may encrypt and/or decrypt communications); and, 
“after said decryption, sending the one or more data elements back to the second program in the one or more control fields of the encapsulating protocol, so that the second program can read the one or more data elements” (see Harris par. 0702, the method of flowchart 5300 begins at step 5302, in which appliance 1250 receives an encrypted packet from one of clients 10. In an embodiment, appliance 1250 is configured to act as a proxy SSL endpoint for servers 30, decrypting encrypted packets received from clients 10, and then sending them on for further processing as necessary and ultimately on to an appropriate resource based on address information within the encrypted packets. The appropriate resource may be, for example, any of servers 30 or the cache managed by appliance 1250. At step 5304, appliance 1250 performs decryption processing on the packet);
 
Harris does not explicitly disclose extracting the one or more encrypted data elements from the one or more payload fields.
However, in analogous art, Durham discloses extracting the one or more encrypted data elements from the one or more payload fields (see Moskowitz pars. 0029-0031, Format type field 315 may uniquely identify one of multiple different format types that may be used at the session layer for encapsulating session layer payload data. Each of the multiple different format types may include a different number and/or length of fields used in the encapsulation overhead data that encapsulated the session layer payload data. Payload data lengths may vary from small to very large lengths, and bandwidths/costs associated with network 120, or network 120's links, may vary from highly constrained to very high bandwidth. Therefore, payload data in each session may be encapsulated using different encapsulation format types).
Therefore it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the teachings of Durham into the system of Harris to include encapsulating session payload data based on the selected encapsulation format type; encrypting the portions of the encapsulated data using the session encryption key and based on the encryption algorithm specified in the ciphersuite (see Moskowitz par. 0037).

Regarding claim 13, Harris in view of Moskowitz discloses the method of claim 12, 
Harris further discloses wherein the first program executes to establish a TCP connection to the software on the server machine, and to use TLS to encrypt the one or more encrypted data elements and send them over the TCP connection (see Harris pars. 0640, 0537).

Regarding claim 14, Harris in view of Moskowitz discloses the method of claim 12, 
Harris further discloses wherein the first program comprises a web browser (see Harris par. 0798).

Regarding claim 15, Harris in view of Moskowitz discloses the method of claim 12, 
Harris further discloses wherein the second program comprises an access client for providing secure access to one or more enterprise resources over the public Internet (see Harris par. 0583).
 
Regarding claim 16, Harris in view of Moskowitz discloses the method of claim 12, 
Harris further discloses wherein the one or more data elements comprise any of: session state, one or more authenticators, one or more authorization tokens (see Harris par. 0156).  
  
Regarding claim 17, Harris in view of Moskowitz discloses the method of claim 12, 
Harris further discloses wherein the second program selectively intercepts the one or more encrypted data elements based on at least one of: destination domain name or destination IP address (see Harris par. 0637).   

Regarding claim 18, Harris in view of Moskowitz discloses the method of claim 12, 
Harris further discloses wherein the server machine executes a pairing operation, at least prior to the server machine sending of the one or more data elements back to the second program, the pairing operation being performed to establish that the first and second programs are on the same end-user device (see Harris Fig. 40A, par. 0734).  

Regarding claim 19, Harris in view of Moskowitz discloses the method of claim 18, 
Harris further discloses wherein the pairing operation comprises: the server machine sending an instruction to the second program to provide a signal to an end-user via an end-user interface of the end-user device, and prompting the end-user to report said signal to the first program, so that the first program can transmit the reported signal back to the server machine for verification (see Harris pars. 0399, 0404).
  
Regarding claim 20, Harris discloses a method for securely transferring data between two software programs executing on the same end-user device (Fig. 40 A, client 6205), the method comprising: 
with a first program (Fig. 40 A, first program 6222) executing on an end-user device: 
“establishing a first communication channel to a server machine over one or more computer networks” (see Harris par. 0804, At step 6458, the first program 6222 terminates or proxies the connection, separates the payload and encapsulates the payload for delivery via the established encrypted communication session. At step 6460, the first program 6222 sends intercepted communications over public network to appliance 1250 in private network via pre-established encrypted communication session); 
with a second program (Fig. 40 A, Acceleration Program 6120) executing on the end-user device: 
“intercepting the first communication channel before it leaves the end-user device, with messages in the first communication channel remaining opaque to the second program” (see Harris par. 0801, the second program is configured, in part, to intercept communications from applications 6220 running on client 6205 that are destined for resources on network 6204 and to provide the intercepted communications to the first program 6222 for sending to appliance 1250 via the encrypted data communication session);  and, 
“encapsulating the first communication channel using an encapsulating protocol that has one or more control fields and one or more payload fields” (see Harris pars. 0808, 0637, At step 6458, each intercepted communication is terminated or proxied by the first program 6222, and the first program 6222 prepares the intercepted communication for transmission via the established encrypted data communication session. In one embodiment, the first program 6222 separates out the payload and encapsulates the payload for delivery via the established encrypted data communication session. In another embodiment, the first program 6222 encapsulates the intercepted communication as received from the second program. In some embodiments, the payload is a TCP payload and is encapsulated into a new TCP connection between the client 6205 and the server 30, such as via appliance 1250);
“sending the encapsulated first communication channel to the server machine in the one or more payload fields” (see Harris par. 0804, At step 6458, the first program 6222 terminates or proxies the connection, separates the payload and encapsulates the payload for delivery via the established encrypted communication session. At step 6460, the first program 6222 sends intercepted communications over public network to appliance 1250 in private network via pre-established encrypted communication session); 
“sending one or more data elements to the server machine via the encapsulating protocol” (see Harris par. 0808, the first program 6222 encapsulates the intercepted communication as received from the second program. In some embodiments, the payload is a TCP payload and is encapsulated into a new TCP connection between the client 6205 and the server 30, such as via appliance 1250); 
with the server machine (Fig. 1A, servers 30): 
“receiving the one or more data elements from the second program via the encapsulating protocol” (see Harris par. 0808, the first program 6222 encapsulates the intercepted communication as received from the second program. In some embodiments, the payload is a TCP payload and is encapsulated into a new TCP connection between the client 6205 and the server 30, such as via appliance 1250); 
Harris does not explicitly disclose sending the one or more data elements back to the first program using the encapsulated first communication channel, in an encrypted form so that the second program cannot read the one or more data elements but the first program can.
However, in analogous art, Moskowitz discloses sending the one or more data elements back to the first program using the encapsulated first communication channel, in an encrypted form so that the second program cannot read the one or more data elements but the first program can (see Moskowitz pars. 0035-0036, Application layer 410-1 receives session payload data 405 as the service data unit (SDU), encapsulates session payload data 405, and passes the encapsulated data down to presentation layer 415-1 as a protocol data unit (PDU). Presentation layer 415-1 receives the PDU from application layer 410-1 as a SDU and translates data of the SDU between application and network formats. Presentation layer 415-1 formats and encrypts the data of the SDU to be sent across network 120. Presentation layer 415-1 the SDU, encapsulates the SDU, and passes the encapsulated SDU to session layer 420-1 as a PDU).
Therefore it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the teachings of Moskowitz into the system of Harris to provide any communicating application with standardized message security encapsulation formats, wherein one of the different message encapsulation format types may be selected for use at the session layer based on the cost or bandwidth constraints of the transporting network (see Moskowitz par. 0017).
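The mappings for claims 1 and 11 above (and their method counterparts, claims 12 and 20) describe one encapsulating protocol used in two directions: data elements returned in the clear control fields so the second program can read them, and data elements returned encrypted in the payload field so only the first program can. The following Python simulation is an added illustration, not code from the application, Harris, or Moskowitz; the wire format, the function names, the enterprise domain list and the toy cipher that stands in for TLS are assumptions made for illustration.

```python
"""Constructed simulation of the encapsulation scheme mapped above for claims 1/12
and 11/20.  Added example, not code from the application, Harris, or Moskowitz;
the wire format, names and the toy cipher standing in for TLS are assumptions."""
import hashlib
import hmac
import json
import os
import struct
from typing import Optional, Tuple

# ---- stand-in for TLS record protection (toy: HMAC keystream + HMAC tag) ----
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (n + 31) // 32
    return b"".join(hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                    for i in range(blocks))[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def can_open(key: bytes, blob: bytes) -> bool:
    try:
        open_(key, blob)
        return True
    except ValueError:
        return False

# ---- the encapsulating protocol: JSON control fields plus one opaque payload field ----
def encapsulate(control: dict, payload: bytes) -> bytes:
    """Wire format (assumed): u32 length | control JSON | u32 length | payload."""
    c = json.dumps(control, sort_keys=True).encode()
    return struct.pack(">I", len(c)) + c + struct.pack(">I", len(payload)) + payload

def decapsulate(msg: bytes) -> Tuple[dict, bytes]:
    clen = struct.unpack(">I", msg[:4])[0]
    control = json.loads(msg[4:4 + clen])
    plen = struct.unpack(">I", msg[4 + clen:8 + clen])[0]
    payload = msg[8 + clen:8 + clen + plen]
    if len(payload) != plen:
        raise ValueError("truncated payload field")
    return control, payload

# Constructed list of enterprise destinations (claims 7/17: selective interception).
ENTERPRISE_DOMAINS = {"intranet.example.test"}

def second_program_intercept(dst_host: str, opaque: bytes) -> Optional[bytes]:
    """Claim 1: intercept only enterprise-bound traffic; the TLS-protected
    element is carried untouched (still opaque) in the payload field."""
    if dst_host not in ENTERPRISE_DOMAINS:
        return None
    return encapsulate({"dst": dst_host, "client": "device-42"}, opaque)

def server_handle_claim1(key_first_server: bytes, msg: bytes) -> bytes:
    """Server: extract the payload field, decrypt it with the key it shares only
    with the first program, and return the data elements in control fields."""
    control, payload = decapsulate(msg)
    elements = json.loads(open_(key_first_server, payload))
    return encapsulate({"dst": control["dst"], "elements": elements}, b"")

def server_handle_claim11(key_first_server: bytes, msg: bytes) -> bytes:
    """Claim 11: elements the second program sent in control fields come back
    in the payload field, encrypted so only the first program can read them."""
    control, _ = decapsulate(msg)
    sealed = seal(key_first_server, json.dumps(control["elements"]).encode())
    return encapsulate({"dst": control["dst"]}, sealed)

def run_demo() -> dict:
    k_fs = os.urandom(32)  # constructed: key shared by first program and server (TLS stand-in)
    elements = {"session_state": "s-1", "authorization_token": "tok-abc"}
    # Claim 1 path: first program -> second program -> server -> second program.
    opaque = seal(k_fs, json.dumps(elements).encode())
    msg = second_program_intercept("intranet.example.test", opaque)
    reply_ctrl, _ = decapsulate(server_handle_claim1(k_fs, msg))
    # Claim 11 path: second program -> server -> second program (forwarding) -> first program.
    msg11 = encapsulate({"dst": "intranet.example.test", "elements": elements}, b"")
    ctrl11, payload11 = decapsulate(server_handle_claim11(k_fs, msg11))
    return {
        "bypassed": second_program_intercept("www.example.test", opaque) is None,
        "second_reads_claim1": reply_ctrl["elements"],
        "second_sees_claim11": ctrl11,  # control fields only; payload stays opaque
        "second_can_open_claim11": can_open(os.urandom(32), payload11),  # lacks k_fs
        "first_reads_claim11": json.loads(open_(k_fs, payload11)),
    }

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```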

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAMUEL AMBAYE whose telephone number is (571)270-7635. The examiner can normally be reached M-F 9:00 AM - 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571) 272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/SAMUEL AMBAYE/Examiner, Art Unit 2433      

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433