Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 7/15/2022 has been entered.  Claims 1, 8, 9, 11, 16, 23, 24 and 26 are amended.  Claims 1-30 are pending.

Response to Arguments
Applicant’s arguments with respect to amended claims have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
 	Notes:  The newly cited prior art, Kiang, is merely provided to support the functionality of the key service proxy or broker.  The fact that the key service is mentioned to be in the cloud environment would not preclude Kiang from meeting the claimed third party key service being in a cloud environment independent of the cloud service of the client device.  For example, Kiang discloses that a key service engine can include, for example, a request interface, a key service proxy, a key encryption/decryption engine…the key service engine and/or each of its components/modules/engines can be physically and/or functionally distributed (paragraph 0065); the key service engine includes the key service proxy, which can comprise any device configured to initiate a remote key request responsive to a determination that a data item indicated by a content request is associated with remote key management functionality (paragraph 0069).  As provided in the previous rejection, the well-known feature of key brokering (e.g. Harris et al. 2016/0241390), even though it may reside in a cloud system, is served as independent key service brokering in a cloud environment.  As long as the brokering system is an independent key service brokering, it meets the claim feature of providing key encryption/decryption separate from any cloud system that supports operational service for a requesting entity that may itself be in a cloud system.  Kiang is cited to provide such an independent key service proxy that provides remote key management functionality and that can be physically or functionally distributed.

Claim Rejections - 35 USC § 103
4.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

 	Claims 1-30 are rejected under 35 U.S.C. 103 as being unpatentable over Ghetti et al. (U.S. Patent No. 9,608,809, hereinafter Ghetti) in view of Kiang et al. (U.S. Patent Application Publication No. 2014/0270178, hereinafter Kiang). 
 	With respect to claim 1, Ghetti discloses a method comprising: 
obtaining, by data processing hardware, a client-side cryptographic key; locally encrypting, by the data processing hardware, user content using the client-side cryptographic key (e.g. Ghetti, col. 4, line 22-col. 5, line 56, “…a context based key may be generated by a random number generator and stored in association with one or more metadata attributes dependent on the environmental conditions associated with the context of the data…such original data to be secured arises from user interactions with software and/or hardware component included in a user’s electronic computing device…” (col. 4, lines 31-37);  
 	communicating, by the data processing hardware, the client-side cryptographic key to a third party key manager, the key manager configured to protect the client-side cryptographic key; in response to the key manager protecting the client-side cryptographic key, receiving, at the data processing hardware, a token from the key manager, the token identifying the client-side cryptographic key protected by the key manager; and uploading, by the data processing hardware, the encrypted user content and the token to a server of a cloud computing platform (e.g. Ghetti, col. 8, lines 23-53, “…the step of determining the key space corresponding to the user and/or the electronic computing device further comprises the step of determining, based on the key space, the key service corresponding to the determined key space…wherein the key service is managed separately from the server…wherein the server has no access to data maintained in the key service…the server comprises a cloud-based security platform… wherein the key service generates the unique cryptographic information according to one or more predefined rule…wherein the request for encryption of data and the unique cryptographic information are securely enveloped…wherein the electronic computing device decrypt the unique cryptographic information to uniquely encrypt the data…wherein the unique cryptographic information comprises an encryption key and a key tag…”; col. 61, lines 26-41, “the enrollment service…generates a token…the service 201 stores this token along with the user’s identity and authentication information for later use…”; col. 39, lines 60-63, “the configuration-driven action might permit the upload of the file, but only if the client module encrypts the file prior to its transmission”). 
 	Ghetti does not explicitly disclose transmitting the key to the third party key manager such that the server of the cloud computing platform is unable to access the client-side cryptographic key, nor the client-side cryptographic key being encrypted by a key encryption key.
  	However, Kiang discloses that a key service engine can include, for example, a request interface, a key service proxy, a key encryption/decryption engine…the key service engine and/or each of its components/modules/engines can be physically and/or functionally distributed (paragraph 0065); the key service engine includes the key service proxy, which can comprise any device configured to initiate a remote key request responsive to a determination that a data item indicated by a content request is associated with remote key management functionality (paragraph 0069).  Furthermore, encrypting a key with a key encryption key is well-known in the art.
 	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement a key service proxy (or broker) to facilitate the key encryption/decryption service taught by Kiang with the well-known feature of encrypting a key with a key encryption key, in order to provide third party key services and to protect key information from the cloud system of the entity that requests key services.
 	Moreover, Ghetti discloses the key server is managed separately and not accessible by the server (e.g. Ghetti, col. 8, lines 23-35). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to derive the claimed feature of the third party key manager as a matter of design choice.
Moreover, Ghetti does not explicitly disclose the cryptographic token corresponding to the client-side cryptographic key protected by a key encryption key.  However, an encrypted token and a client key encrypted with a key encryption key are old and well-known in the art (see PTO 892 for the supporting reference).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to derive the claimed feature for additional security to key protection.
 	With respect to claim 2, Ghetti discloses the method of claim 1, further comprising: receiving, at the data processing hardware, the user content at a client-facing library associated with an application interface of the cloud computing platform; and identifying, by the data processing hardware, a user associated with the user content to be stored on the server of a cloud computing platform (e.g. Ghetti, col. 33, lines 20-38).
 	With respect to claim 3, Ghetti discloses the method of claim 1, wherein the client-side cryptographic key comprises a length of 256 bits (e.g. Ghetti, col. 16, lines 23-29).
 	With respect to claim 4, Ghetti discloses the method of claim 1, wherein: the user content comprises a plurality of individual pieces of content; obtaining the client-side cryptographic key comprises obtaining a unique respective client-side cryptographic key for each individual piece of content of the plurality of individual pieces of content; and locally encrypting the user content comprises locally encrypting each individual piece of content of the plurality of individual pieces of content using the respective client-side cryptographic key (e.g. Ghetti, col. 8, lines 23-53).
 	With respect to claim 5, Ghetti discloses the method of claim 1, further comprising, prior to communicating the client-side cryptographic key, authenticating, by the data processing hardware, the third party key manager (e.g. Ghetti, col. 61, lines 26-41).
 	With respect to claim 6, Ghetti discloses the method of claim 5, wherein authenticating the third party key manager comprises requesting authentication credentials for the third party key manager from an identity provider service, the identity provider service external to the cloud computing platform (e.g. Ghetti, col. 61, lines 26-41).
 	With respect to claim 7, Ghetti discloses the method of claim 1, wherein the third party key manager comprises a different entity than a provider of the cloud computing platform (e.g. Ghetti, paragraphs 0023-0035).
 	With respect to claim 8, Ghetti discloses the method of claim 1, further comprising: receiving, at the data processing hardware, a retrieval request for retrieving the encrypted user content from the server of the cloud computing platform; retrieving, by the data processing hardware, the encrypted user content and the token from the server of the cloud computing platform; retrieving, by the data processing hardware, the client-side cryptographic key directly from the third party key manager using the token; and decrypting, by the data processing hardware, the encrypted user content using the client-side cryptographic key (e.g. Ghetti, col. 8, lines 23-35 and col. 61, lines 26-41).
 	With respect to claims 9-30, the claims are method and system claims that are similar to method claims 1-9.  Therefore, claims 9-30 are rejected based on a similar rationale.
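The upload and retrieval flow recited in claims 1 and 8 (client-side key, key escrowed with a third party key manager under a key encryption key, opaque token stored alongside the ciphertext on a cloud server that never holds the key), as an added illustration that is not code from the application, Ghetti or Kiang. The names KeyManager, CloudServer, seal and unseal are assumptions, and the HMAC-SHA256 counter-mode keystream is a stand-in for AES so the example runs with the standard library only.

```python
import hmac, hashlib, secrets

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in keystream (placeholder for AES; illustration only)
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    # encrypt-then-MAC; output layout is nonce || ciphertext || tag
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return _xor_stream(key, nonce, ct)

class KeyManager:
    """Third party key manager (hypothetical): wraps the client key under its own KEK
    and hands back an opaque token; the plaintext client key is never stored."""
    def __init__(self):
        self._kek = secrets.token_bytes(32)
        self._vault = {}
    def protect(self, client_key: bytes) -> bytes:
        token = secrets.token_bytes(16)
        self._vault[token] = seal(self._kek, client_key)
        return token
    def release(self, token: bytes) -> bytes:
        return unseal(self._kek, self._vault[token])

class CloudServer:
    """Cloud platform server (hypothetical): stores ciphertext and token only."""
    def __init__(self):
        self.store = {}
    def upload(self, obj_id: str, ciphertext: bytes, token: bytes) -> None:
        self.store[obj_id] = (ciphertext, token)
    def download(self, obj_id: str):
        return self.store[obj_id]

def client_upload(km: KeyManager, server: CloudServer, obj_id: str, content: bytes) -> None:
    dek = secrets.token_bytes(32)            # 256-bit client-side key, one per content item
    token = km.protect(dek)                  # key manager protects the key, returns token
    server.upload(obj_id, seal(dek, content), token)

def client_download(km: KeyManager, server: CloudServer, obj_id: str) -> bytes:
    ct, token = server.download(obj_id)      # retrieve ciphertext and token from the server
    return unseal(km.release(token), ct)     # retrieve the key directly from the key manager
```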

Conclusion
5.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to TONGOC TRAN whose telephone number is (571)272-3843.  The examiner can normally be reached on 9-5 Monday - Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571) 272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/TONGOC TRAN/Primary Examiner, Art Unit 2434