Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This Office Action is in response to the communication and claim amendment filed on 07/28/2022; Claims 1 and 11 have been amended; Claims 9 and 19 have been canceled. Claims 1-8, 10-18, and 20 have been examined and are pending.
Authorization for this Examiner's Amendment was given in a telephone interview with Applicant's representative, Mr. SUAREZ, PEDRO (Reg. No.: 45895), who agreed and authorized the Examiner to amend claims 1 and 11; Claims 6-7 and 16-17 have been canceled.
Examiner’s Amendments
Claims
Claims 1-20 are replaced as follows:
1.	(Currently Amended) A system, comprising:
at least one data processor; and 
at least one memory storing instructions which, when executed by the at least one data processor, result in operations comprising:
establishing, by an enclave executed by a trusted execution environment that runs at an untrusted provider, a trusted relationship with a user accessing a user application, wherein the establishment is at least partially based on a trust measurement communicated between the enclave and a certificate authority component associated with the user; 
associating, by the enclave, one or more access control permissions to a file linked from the user application to a remote file system at the untrusted provider, wherein to link the file to the remote file system, the user application establishes a network connection to an untrusted transport layer security interface at the untrusted provider that runs the trusted execution environment, wherein the untrusted transport layer security interface terminates the network connection with the user application and establishes a secure transport layer security connection to a trusted transport layer security interface within the enclave, the trusted transport layer security interface decrypting or encrypting incoming or outgoing transport layer security data and providing a secure transport layer security connection to the user application, wherein the one or more access control permissions define one or more parameters of access related to the file and defined by the user for individual users and/or groups of users; and 
providing, by the enclave, access to the file, wherein the providing is in response to a verification that a request for the file satisfies the one or more access control permissions, and wherein to provide access to the file, the operations further comprise:
receiving, by a trusted file manager at the enclave, the file in an encrypted form from the remote file system at the untrusted provider, wherein the file is encrypted with a file key, the file key unique to the file and derived from a root key generated by the enclave;
decrypting, by the  trusted file manager at the enclave, the encrypted file[[,]]; and
sending, by the enclave, the file over the secure transport layer security connection channel to provide 
2.	(Original) The system of claim 1, wherein establishing the trusted relationship comprises:
providing, by the enclave and to the certificate authority component, a server token request comprising a public key; 
receiving, by the enclave and from the certificate authority component, a server token signed with a certificate authority public key; and 
verifying, by the enclave, the received server token, wherein the verification is based upon the certificate authority public key. 
3.	(Original) The system of claim 2, wherein the certificate authority public key is hard-coded into the enclave, and wherein the server token is persisted to memory of the enclave upon verification of the received server token. 
4.	(Original) The system of claim 2, wherein establishing the trusted relationship further comprises: 
receiving, by the enclave and from the user application, an authentication token; and
verifying, by the enclave, the authentication token based upon the certificate authority public key.
5.	(Original) The system of claim 1, wherein the one or more parameters of access related to the file comprise a level of permission for the individual users and/or the groups of users. 
6.	(Canceled) 
7.	(Canceled) 
8.	(Currently Amended) The system of claim [[7]] 1, wherein the encryption of the file with the file key occurs within the enclave. 
9.	(Canceled) 
10.	(Original) The system of claim 1, wherein providing, by the enclave, access to the file is further in response to establishment of a second trusted relationship with a second user having individual access rights or being part of a group with access rights. 
11. 	(Currently Amended) A method, comprising:
establishing
associating, by the enclave, one or more access control permissions to a file linked from the user application to a remote file system at the untrusted provider, wherein to link the file to the remote file system, the user application establishes a network connection to an untrusted transport layer security interface at the untrusted provider that runs the trusted execution environment, wherein the untrusted transport layer security interface terminates the network connection with the user application and establishes a secure transport layer security connection to a trusted transport layer security interface within the enclave, the trusted transport layer security interface decrypting or encrypting incoming or outgoing transport layer security data and providing a secure transport layer security connection to the user application, wherein the one or more access control permissions define one or more parameters of access related to the file and defined by the user for individual users and/or groups of users; and 
providing, by the enclave, access to the file, wherein the providing is in response to a verification that a request for the file satisfies the one or more access control permissions, and wherein to provide access to the file, the method further comprises: 
receiving, by a trusted file manager at the enclave, the file in an encrypted form from the remote file system at the untrusted provider, wherein the file is encrypted with a file key, the file key unique to the file and derived from a root key generated by the enclave;
decrypting, by the trusted file manager at the enclave, the encrypted file[[,]]; and
sending, by the enclave, the file over the secure transport layer security connection channel to provide 
12.	(Original) The method of claim 11, wherein establishing the trusted relationship comprises:
providing, by the enclave and to the certificate authority component, a server token request comprising a public key; 
receiving, by the enclave and from the certificate authority component, a server token signed with a certificate authority public key; and 
verifying, by the enclave, the received server token, wherein the verification is based upon the certificate authority public key. 
13.	(Original) The method of claim 12, wherein the certificate authority public key is hard-coded into the enclave, and wherein the server token is persisted to memory of the enclave upon verification of the received server token. 
14.	(Original) The method of claim 12, wherein establishing the trusted relationship further comprises: 
receiving, by the enclave and from the user application, an authentication token; and
verifying, by the enclave, the authentication token based upon the certificate authority public key.
15.	(Original) The method of claim 11, wherein the one or more parameters of access related to the file comprise a level of permission for the individual users and/or the groups of users. 
16.	(Canceled) 
17.	(Canceled) 
18.	(Currently Amended) The method of claim [[17]] 11, wherein the encryption of the file with the file key occurs within the enclave. 
19.	(Canceled) 
20.	(Original) The method of claim 11, wherein providing, by the enclave, access to the file is further in response to establishment of a second trusted relationship with a second user having individual access rights or being part of a group with access rights. 
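As an added illustration, not part of this Office Action or of the application's own disclosure, the following Python sketch models the enclave-side trusted file manager recited in claims 1 and 11: a root key generated in the enclave, a file key unique to each file derived from that root key, and access to the decrypted file granted only after the request is verified against the user and group permissions. The class layout, the ACL structure and the HMAC-based counter-mode cipher (a stand-in for AES so the example runs on the standard library alone) are assumptions, not the applicant's implementation.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (extract, then expand) over SHA-256, standard library only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm, counter = okm + block, counter + 1
    return okm[:length]

def prf_ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES-CTR (no third-party dependency): HMAC-SHA256 keystream in counter mode."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

@dataclass
class TrustedFileManager:
    # Hypothetical enclave-side component: owns the root key, derives per-file keys, enforces the ACL.
    root_key: bytes = field(default_factory=lambda: os.urandom(32))  # generated in the enclave, never exported
    acl: dict = field(default_factory=dict)     # file_id -> {"users": {...}, "groups": {...}}, set by the owner
    groups: dict = field(default_factory=dict)  # group name -> set of member users

    def file_key(self, file_id: str) -> bytes:
        # One root key, one key per file: the file id is the HKDF info (64 bytes: encryption key + MAC key).
        return hkdf_sha256(self.root_key, b"enclave-file-key-v1", file_id.encode(), 64)

    def seal(self, file_id: str, plaintext: bytes) -> bytes:
        # Encryption happens inside the enclave; the untrusted provider only stores nonce || ciphertext || tag.
        k, nonce = self.file_key(file_id), os.urandom(16)
        ct = prf_ctr_xor(k[:32], nonce, plaintext)
        tag = hmac.new(k[32:], file_id.encode() + nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def is_permitted(self, file_id: str, user: str) -> bool:
        entry = self.acl.get(file_id, {})
        return user in entry.get("users", set()) or any(
            user in self.groups.get(g, set()) for g in entry.get("groups", set()))

    def provide(self, file_id: str, user: str, sealed: bytes) -> bytes:
        # ACL verification first, then integrity check, then decryption; a denied request decrypts nothing.
        if not self.is_permitted(file_id, user):
            raise PermissionError(f"{user} is not permitted to access {file_id}")
        k, nonce, ct, tag = self.file_key(file_id), sealed[:16], sealed[16:-32], sealed[-32:]
        expect = hmac.new(k[32:], file_id.encode() + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("stored file failed integrity check")
        return prf_ctr_xor(k[:32], nonce, ct)
```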

Examiner's Statement of Reasons for Allowance
Claims 1-5, 8, 10, 11-15, 18, and 20 are allowed.
The following is an examiner’s statement of reasons for allowance: 
The invention is directed to a computing system and method for securing group file sharing. An architecture for end-to-end encrypted, group-based file sharing using a trusted execution environment (TEE) is provided to protect the confidentiality and integrity of data and of file management, enforce immediate permission and membership revocations, support deduplication, and mitigate rollback attacks.
The closest prior art references, Robert Krahn et al. ("Krahn," PESOS: Policy Enhanced Secure Object Store, April 23-26, 2018, pages 1-17), Pierre-Louis Aublin et al. ("Aublin," TaLoS: Secure and Transparent TLS Termination inside SGX Enclaves, Jan 1st, 2017, pages 1-4), and Saur et al. ("Saur," US 2018/0145836, published May 24, 2018), are generally directed to various aspects of secure group file sharing, including group-based file sharing using a trusted execution environment (TEE); establishing, by an enclave executed by a trusted execution environment that runs at an untrusted provider, a trusted relationship with a user accessing a user application, wherein the establishment is at least partially based on a trust measurement communicated between the enclave and a certificate authority component associated with the user; and associating, by the enclave, one or more access control permissions to a file linked from the user application to a remote file system at the untrusted provider, wherein to link the file to the remote file system, the user application establishes a network connection to an untrusted transport layer security interface at the untrusted provider that runs the trusted execution environment.
However, none of Krahn, Aublin, and Saur teaches or suggests, alone or in combination, the particular combination of steps or elements recited in independent claims 1 and 11. For example, they fail to teach "the untrusted transport layer security interface terminates the network connection with the user application and establishes a secure transport layer security connection to a trusted transport layer security interface within the enclave, the trusted transport layer security interface decrypting or encrypting incoming or outgoing transport layer security data and providing a secure transport layer security connection to the user application, wherein the one or more access control permissions define one or more parameters of access related to the file and defined by the user for individual users and/or groups of users;" and "providing, by the enclave, access to the file, wherein the providing is in response to a verification that a request for the file satisfies the one or more access control permissions, and wherein to provide access to the file, the operations further comprise:
These features, in light of the other features of independent claims 1 and 11 when considered as a whole, are allowable over the prior art of record.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CANH LE whose telephone number is (571)270-1380. The examiner can normally be reached Monday-Friday, 6:00 AM-3:30 PM, with alternate Fridays off.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov.

Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/Canh Le/
Examiner, Art Unit 2439

August 19th, 2022



/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439