DETAILED ACTION

1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

2.	Applicant’s response filed on August 10, 2022 has been considered. Claims 1, 3-6, 11, and 13 have been amended. No claim has been added or canceled. Claims 1-20 are pending.

Claim Rejections - 35 USC § 102

3.	The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
	(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
4.	Claims 1-2, 4, and 11 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Zhu et al. (U.S. 2018/0316663 A1), hereinafter “Zhu”.
Referring to claims 1, 11:
Zhu teaches:
	A system for secure remote access to an industrial control system using hardware based authentication, comprising (see Zhu, fig. 1, 116 ‘smart card’; [0016] ‘user 108 may gain remote access to those machines’):
	a smart card for decentralized secure user authentication, wherein the secure user authentication comprises possession of said smart card and knowledge of the corresponding personal identification number (PIN) (see Zhu, [0037] ‘The multi-factor authentication data can include smart card data 272, PIN or password data 274, and it can include a wide variety of different or other data 276.’; [0061] ‘user 108 may interact directly with a machine in data center computing system 102. In another example, user 108 may gain remote access to those machines through user machine 104 [i.e., decentralized secure user authentication ].’); and
	a managed remote-access appliance (RAA) for secure interactive remote access or secure machine-to-machine remote access or communication (see Zhu, [0016] ‘In another example, user 108 may gain remote access to those machines [i.e., secure machine-to-machine remote access ] through user machine 104 [i.e., a managed remote-access appliance (RAA) ].’); and
	remote access services comprising a server (see Zhu, fig. 5, item 502 ‘cloud’, 102 ‘data center computing system’; [0060] ‘elements of data center 102 [i.e., a server ] can disposed in cloud… hosted at a remote site by a service… provided as a service through a cloud’).
Referring to claim 2:
	Zhu further discloses:
	wherein the secure user authentication comprises two-factor authentication (2FA) or three-factor authentication (3FA) based on smart cards (see Zhu, [0020] ‘multi-factor authentication... smart card’).
Referring to claim 4:
	Zhu further discloses:
	wherein the smart cards comprise secure element (SE) storing of credentials, cryptographic keys, and X.509 certificates (see Zhu, fig. 2, 116 ‘smart card’, 164 ‘digital certificate’, 166 ‘private key’, 168 ‘pin’).

Claim Rejections - 35 USC § 103

5.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

6.	Claims 3, 5-10, 12-14, 16, and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Zhu et al. (U.S. 2018/0316663 A1), in view of Ford et al. (U.S. 2017/0041296 A1), hereinafter “Ford”.
Referring to claims 3, 12:
	Zhu discloses multi-factor authentication that includes a smart card and a PIN (see Zhu, [0037] ‘The multi-factor authentication data can include smart card data 272, PIN or password data 274, and it can include a wide variety of different or other data 276.’). However, Zhu does not explicitly disclose biometrics.
	Ford discloses biometric authentication (see Ford, [0131] ‘biometric authentication’).
	It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Ford to the system of Zhu to utilize biometric authentication. Zhu teaches “A data center operator is authenticated to obtain requested access to a data center by an approval mechanism on the data center that receives an access request that includes authentication information.” (see Zhu, [0006]). Therefore, Ford’s teaching could enhance the system of Zhu, because Ford teaches “an identity facility, multi-factor authentication, dynamic access authorization, and various enhancements to a customizable exchange system.” (see Ford, [0005]).
Referring to claims 5, 14:
	Zhu and Ford further disclose:
	wherein the smart cards for an administrator, a supervisor, and an end-user have different capabilities (see Ford, [0208] ‘administrator’, ‘a manager’).
	It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Ford to the system of Zhu to utilize different roles, such as an administrator and a manager. Zhu teaches “A data center operator is authenticated to obtain requested access to a data center by an approval mechanism on the data center that receives an access request that includes authentication information.” (see Zhu, [0006]). Therefore, Ford’s teaching could enhance the system of Zhu, because Ford teaches “an identity facility, multi-factor authentication, dynamic access authorization, and various enhancements to a customizable exchange system.” (see Ford, [0005]).
Referring to claims 6, 13:
	Zhu and Ford further disclose:
	wherein the secure interactive remote access comprises a managed remote-access appliance (RAA), comprising a virtual machine and software (see Zhu, [0016] ‘In another example, user 108 may gain remote access to those machines [i.e., secure interactive remote access ] through user machine 104 [i.e., a managed remote-access appliance (RAA) ].’; and Ford, [0265] ‘virtual machine’).
	It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Ford to the system of Zhu to utilize a virtual machine. Zhu teaches “A data center operator is authenticated to obtain requested access to a data center by an approval mechanism on the data center that receives an access request that includes authentication information.” (see Zhu, [0006]). Therefore, Ford’s teaching could enhance the system of Zhu, because virtual machines are well-known and widely used in embedded systems.
Referring to claim 7:
	Zhu and Ford further disclose:
	wherein the managed remote-access appliance (RAA) can only be used with a smart card credential (see Zhu, fig. 2, 104 ‘user machine’, 116 ‘smart card’, 168 ‘pin’).
Referring to claims 8, 16:
	Zhu and Ford further disclose:
	wherein the remote access services comprise technical cyber-security control services that automate security policy and processes for user and token lifecycle management, software configuration management, access control and authorization using layered security, and audit trails of remote access (see Zhu, [0019] ‘users that may be authorized to perform changes to services 128 … they have a relative high degree of authorized access to data center’; and Ford, [0094] ‘configuration’; [0108] ‘policy’, ‘audit and access history’; [0250] ‘tokens’; [0553] ‘layered security environment’).
	It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Ford to the system of Zhu to utilize configuration, policy, auditing, tokens, and layered security. Zhu teaches “A data center operator is authenticated to obtain requested access to a data center by an approval mechanism on the data center that receives an access request that includes authentication information.” (see Zhu, [0006]). Therefore, Ford’s teaching could enhance the system of Zhu, because Ford teaches “improved secure exchange system features” (see Ford, abstract), which could be utilized by Zhu’s system to enhance security.
Referring to claim 9:
	Zhu and Ford further disclose:
	wherein the remote access services comprise management of users, smart card tokens, and remote-access appliance (RAA) state (see Zhu, [0037] ‘smart card’; and Ford, [0074] ‘maintaining state and system status’; [0189] ‘management of users and groups’; [0250] ‘tokens’).
	It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Ford to the system of Zhu to utilize state and management of users. Zhu teaches “A data center operator is authenticated to obtain requested access to a data center by an approval mechanism on the data center that receives an access request that includes authentication information.” (see Zhu, [0006]). Therefore, Ford’s teaching could enhance the system of Zhu, because Ford teaches “improved secure exchange system features” (see Ford, abstract), which could be utilized by Zhu’s system to enhance security.
Referring to claim 10:
	Zhu and Ford further disclose:
	wherein the remote access services comprise management of remote access authorizations and policy, and layered-security controls (see Ford, [0071] ‘authorization’; [0108] ‘policy’; [0553] ‘layered security environment’).
	It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Ford to the system of Zhu to utilize authorization, policy, and layered security. Zhu teaches “A data center operator is authenticated to obtain requested access to a data center by an approval mechanism on the data center that receives an access request that includes authentication information.” (see Zhu, [0006]). Therefore, Ford’s teaching could enhance the system of Zhu, because Ford teaches “improved secure exchange system features” (see Ford, abstract), which could be utilized by Zhu’s system to enhance security.
Referring to claim 18:
	Zhu and Ford further disclose:
	wherein the step of providing remote access services comprises sending system use notifications to a supervisor informing the supervisor of end-user login, logout and workstation access of the end-user (see Ford, [0075] ‘create a notification’).
	It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Ford to the system of Zhu to utilize notifications. Zhu teaches “A data center operator is authenticated to obtain requested access to a data center by an approval mechanism on the data center that receives an access request that includes authentication information.” (see Zhu, [0006]). Therefore, Ford’s teaching could enhance the system of Zhu, because Ford teaches “improved secure exchange system features” (see Ford, abstract), which could be utilized by Zhu’s system to enhance security.
Referring to claims 19-20:
	Zhu and Ford further disclose:
	wherein the step of providing remote access services comprises requiring a supervisor to authorize user access to a workstation (see Ford, [0241] ‘a manager’; [0249] ‘a user authorization facility’).
	It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Ford to the system of Zhu to utilize authorization. Zhu teaches “A data center operator is authenticated to obtain requested access to a data center by an approval mechanism on the data center that receives an access request that includes authentication information.” (see Zhu, [0006]). Therefore, Ford’s teaching could enhance the system of Zhu, because Ford teaches “improved secure exchange system features” (see Ford, abstract), which could be utilized by Zhu’s system to enhance security.

7.	Claims 15 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Zhu et al. (U.S. 2018/0316663 A1), in view of Lamb (U.S. 2012/0060030 A1).
Referring to claim 15:
	Zhu discloses the limitations as described in claim 11.
	However, Zhu does not disclose an RSA cryptosystem digital signature scheme.
	Lamb discloses the RSA cryptosystem digital signature scheme (see Lamb, [0188] ‘RSA Secure ID’).
	It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Lamb to the system of Zhu to utilize RSA digital signatures. Zhu teaches “A data center operator is authenticated to obtain requested access to a data center by an approval mechanism on the data center that receives an access request that includes authentication information.” (see Zhu, [0006]). Therefore, Lamb’s teaching could enhance the system of Zhu, because RSA digital signatures provide authentication and data integrity.
Referring to claim 17:
	Zhu and Lamb further disclose:
	wherein the step of providing remote access services comprises limiting the number of incorrect PIN entries (see Lamb, [0062] ‘PIN’; [0092] ‘upon failure, to retry the biometric scan 822 a predefined number of times based upon the service provider's policy’).
	It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Lamb to the system of Zhu to set a limit on PIN entry retries. Zhu teaches “A data center operator is authenticated to obtain requested access to a data center by an approval mechanism on the data center that receives an access request that includes authentication information.” (see Zhu, [0006]). Therefore, Lamb’s teaching could enhance the system of Zhu, because setting a limit on failed PIN entries could prevent tampering with the system.

Response to Arguments
8.	Applicant's arguments filed on August 10, 2022 have been fully considered but they are not persuasive.
(a)	Applicant submits:
“Zhu only discloses a method for authentication to a single data center and not an end-to-end communication security system for decentralized remote access.” (see page 8, 2nd par)
Examiner maintains:
Zhu discloses: [0061] ‘user 108 may interact directly with a machine in data center computing system 102. In another example, user 108 may gain remote access to those machines through user machine 104 [i.e., decentralized secure user authentication ].’
Therefore, Zhu discloses decentralized secure user authentication.
Zhu further discloses: [0016] ‘In another example, user 108 may gain remote access to those machines [i.e., secure machine-to-machine remote access ] through user machine 104 [i.e., a managed remote-access appliance (RAA) ].’
Therefore, Zhu discloses an end-to-end communication security system.
Thus, Zhu discloses an end-to-end communication security system for decentralized remote access, as claimed.
(b)	Applicant submits:
“The decentralized end-to-end remote security access system of claim 1 utilizes a managed remote access appliance (RAA), which provides controls for the end device.” (see page 8, 3rd par)
Examiner maintains:
Zhu further discloses: [0016] ‘In another example, user 108 may gain remote access to those machines [i.e., secure machine-to-machine remote access ] through user machine 104 [i.e., a managed remote-access appliance (RAA) ].’
Therefore, Zhu discloses utilizing a managed remote access appliance (RAA), which provides controls for the end device.
(c)	Applicant submits:
“On the other hand, the Zhu system and process is limited to a centralized static system that defines a static policy.” (see page 8, last par)
Examiner maintains:
Zhu discloses a decentralized system, as claimed (see (a) above).
(d)	Applicant submits:
“The user authentication process disclosed by Zhu uses an authentication mechanism only based on the smart card, policy, and multifactor authentication to the smart card, but does not include independent session authorization.” (see page 9, 1st par)
Examiner maintains:
Zhu discloses: [0019] ‘users that may be authorized to perform changes to services 128 … they have a relative high degree of authorized access to data center’.
Therefore, Zhu discloses independent session authorization, as claimed. 

Conclusion

9.	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
(a)	Rogers; Marc William et al. (US 20220271940 A1) disclose a method and system for verifying device ownership upon receiving a tagged communication from the device;
(b)	McIntosh; Gordon David (US 20220055657 A1) discloses a system and method to enhance autonomous vehicle operations;
(c)	Agrawal; Sunil (US 20210119991 A1) discloses a system and method for selecting authentication methods for secure transport layer communication;
(d)	Caldwell; John Ryan (US 20190114444 A1) discloses aggregation platform permissions;
(e)	Deutschmann; Ingo et al. (US 20190065712 A1) disclose a method, computer program, and system to realize and guard over a secure input routine based on their behavior;
(f)	Zager; Robert Philip et al. (US 20180295137 A1) disclose techniques for dynamic authentication in connection within applications and sessions.

10.	THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
	A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
	Any inquiry concerning this communication or earlier communications from the examiner should be directed to Peiliang Pan whose telephone number is (571) 272-5987. The examiner can normally be reached on Monday-Friday 8:00 am - 5:00 pm EST.
	If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar, can be reached on (571) 272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
	Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/PEILIANG PAN/Examiner, Art Unit 2492

/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492