DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The present application, filed on February 22, 2021, is accepted.
Claims 1 – 9 are being considered on the merits.

Drawings
The drawings, filed on February 22, 2021, are accepted.

Specification
The specification, filed on February 22, 2021, is accepted.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1 – 3 and 5 – 9 are rejected under 35 U.S.C. 103 as being unpatentable over US 20150036825 A1 to Tanizawa et al., (hereinafter, “Tanizawa”) in further view of US 20200409683 A1 to Fu et al., (hereinafter, “Fu”).
As per claim 1, Tanizawa teaches an application-key management system comprising: a plurality of application-key management devices; and a comprehensive management device, [Tanizawa, para. 13 discloses  communication apparatus includes a cryptographic key storage, a transmitter, a receiver, and a sharing controller. The cryptographic key storage stores therein one or more cryptographic keys shared with an external device. The transmitter transmits specifying information that specifies at least one of the cryptographic keys to the external device. The receiver receives determination information that indicates a result of determination, which is made by the external device based on the specifying information, on whether the shared cryptographic key is consistent between the apparatus and the external device. When receiving the determination information indicating that the shared cryptographic key is inconsistent between the apparatus and the external device, the sharing controller deletes the cryptographic key specified by the specifying information from the cryptographic key storage.] the application-key management devices each comprising: a first memory configured to store an application key in one or more separated logical drives for each sharing destination of the application key shared by quantum cryptographic communication; [Tanizawa, para. 45 discloses the node 100a and the node 100b share a cryptographic key as a premise. The cryptographic key sharing operation is performed based on a quantum key distribution technique or the like. A timing of the cryptographic key sharing between the node 100a and the node 100b is basically synchronized. Accordingly, inconsistency of the shared cryptographic keys is impossible to occur under normal circumstances. The cryptographic key is stored in the cryptographic key storage 103 included in each of the node 100a and the node 100b.] 
and a first processor coupled to the first memory and configured to: and delete the application key stored in the logical drive specified by the deletion request. [Tanizawa, para. 71 discloses in the absence of such a method of synchronizing the timing of deleting cryptographic keys, when the above-mentioned cryptographic key verification process is performed, a large number of cryptographic keys that are held by one node 100 but not held by the other node 100 will be found. Para. 72 discloses In response to a request from the application 200 (the application 200a in FIG. 1, for example), the node 100a provides a cryptographic key to the application 200 (step S301). Likewise, in response to a request from the application 200 (the application 200b in FIG. 1, for example), the node 100b provides a cryptographic key to the application 200. Para. 73 discloses in deleting a cryptographic key, the node 100 notifies an opposed node of a fact that the cryptographic key is to be deleted and of a cryptographic key ID to be deleted. For example, the node 100a transmits a request of deleting a cryptographic key and a cryptographic key ID to the node 100b (step S302). Here, data exchanges for deleting the cryptographic key are performed independently of the provision of the cryptographic key (step S301). Alternatively, a process of step S302 may be performed each time when the cryptographic key is provided. Still alternatively, after the provision of a cryptographic key is performed multiple times, requests of deleting cryptographic keys in step S302 may also be performed together. Para. 74 discloses the opposed node (the node 100b) that receives the request of deleting a cryptographic key and the cryptographic key ID to be deleted verifies whether a cryptographic key of the received cryptographic key ID can be deleted (step S303). For example, the node 100b determines whether the cryptographic key of the received cryptographic key ID has been previously used.
The node 100b notifies the node 100a of a verification result (step S304). For example, when the cryptographic key of the received cryptographic key ID 100a can be deleted, the node 100b notifies the node 100a of the verification result (OK response) indicating that the cryptographic key can be deleted.], but Tanizawa does not teach receive, from the comprehensive management device, a deletion request of specifying a logical drive storing the application key to be deleted among the logical drives;
However, Fu does teach receive, from the comprehensive management device, a deletion request of specifying a logical drive storing the application key to be deleted among the logical drives; [Fu, para. 56 discloses the first data node is an abnormal node, and the authority information stored on the first data node is stored onto the second data node. At this time, the first data node may be deleted. Deleting the first data node may be understood as stopping the first data node from serving the outside. Para. 58 discloses in the present embodiment, the updated authority information is acquired; the first update notification is transmitted to the first data node, the first update notification including the updated authority information; if the update result returned by the first data node is not received, or the update result returned by the first data node is received and the update result is the update failure, whether the third party node includes the registration message transmitted by the first data node within the preset time is determined; if the third party node does not include the registration message, the authority information stored on the first data node is stored onto the second data node; and the first data node is deleted. The first data node, after receiving the first update notification, may directly acquire the updated authority information from the first update notification, and update, thereby simplifying the updating process and improving the updating efficiency.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filing date to combine Fu’s system with Tanizawa’s system, with a motivation to discover and timely delete (or get rid of) an abnormal data node, so as to ensure consistent authority information of the first data node and the control node and to ensure user data security. [Fu, para. 59]

As per claim 2, Tanizawa teaches the system according to claim 1, wherein when a failure occurs, the first processor is configured to transmit a failure notification to the comprehensive management device, [Tanizawa, para. 48 discloses Some kind of failure occurs in a part of a link (or a network) used for the cryptographic key sharing between the node 100a and the node 100b, resulting in a temporary inaccessible state from one node to the other node. Under these circumstances, the state of the node cannot be grasped. In such a state, the node 100 performs some kind of processing to restart the synchronized key sharing operation (step S101). For example, in the state (a), the node 100 stopped is restarted manually by an administrator or automatically and the cryptographic key sharing operation is restarted. Furthermore, for example, in the state (b), the restoration of the link (or the network) is confirmed and thereafter, the cryptographic key sharing operation is reinitialized. However, in a state that the cryptographic key sharing operation is reinitialized or restarted, it is uncertain that the synchronization of the cryptographic key between nodes is maintained.] the comprehensive management device includes: a second processor configured to: receive the failure notification from a first application-key management device; and identify one or more second logical drives associated with one or more first logical drives of the first application-key management device, [Tanizawa, para. 50 discloses the node 100a that has determined to restart (or reinitialize) the cryptographic key sharing operation transmits restart notification data for restarting the cryptographic key sharing operation to the node 100b (step S102). The restart notification data contains, for example, ID information for identifying the node 100a. The restart notification data may further contain ID information of the node 100b. 
The restart notification data may be exchanged as a control signal of the cryptographic key sharing network. For example, in the case where a cryptographic key is shared by using the quantum key distribution technique, the restart notification data may be transmitted by using a transmission channel for transmitting a control signal, the transmission channel being different from a transmission channel for transmitting the cryptographic key.] and the second processor is configured to transmit, to the first application-key management device, a first deletion request of specifying the one or more first logical drives, and transmit, to one or more second application-key management devices each including a second memory having the second logical drives, a second deletion request of specifying the second logical drives. [Tanizawa, para. 71 discloses in the absence of such a method of synchronizing the timing of deleting cryptographic keys, when the above-mentioned cryptographic key verification process is performed, a large number of cryptographic keys that are held by one node 100 but not held by the other node 100 will be found. Para. 72 discloses In response to a request from the application 200 (the application 200a in FIG. 1, for example), the node 100a provides a cryptographic key to the application 200 (step S301). Likewise, in response to a request from the application 200 (the application 200b in FIG. 1, for example), the node 100b provides a cryptographic key to the application 200. Para. 73 discloses in deleting a cryptographic key, the node 100 notifies an opposed node of a fact that the cryptographic key is to be deleted and of a cryptographic key ID to be deleted. For example, the node 100a transmits a request of deleting a cryptographic key and a cryptographic key ID to the node 100b (step S302). Here, data exchanges for deleting the cryptographic key are performed independently of the provision of the cryptographic key (step S301). 
Alternatively, a process of step S302 may be performed each time when the cryptographic key is provided. Still alternatively, after the provision of a cryptographic key is performed multiple times, requests of deleting cryptographic keys in step S302 may also be performed together. Para. 74 discloses the opposed node (the node 100b) that receives the request of deleting a cryptographic key and the cryptographic key ID to be deleted verifies whether a cryptographic key of the received cryptographic key ID can be deleted (step S303). For example, the node 100b determines whether the cryptographic key of the received cryptographic key ID has been previously used. The node 100b notifies the node 100a of a verification result (step S304). For example, when the cryptographic key of the received cryptographic key ID 100a can be deleted, the node 100b notifies the node 100a of the verification result (OK response) indicating that the cryptographic key can be deleted.]

As per claim 3, Tanizawa teaches the system according to claim 2, wherein the second processor is configured to identify, from correspondence information indicating a combination of logical drives sharing the application key, the one or more second logical drives associated with the one or more first logical drives. [Tanizawa, para. 37 discloses the hash value is one example of specifying information for specifying at least one cryptographic key. The other node 100 compares a hash value calculated by the calculator 105 with a hash value calculated from a cryptographic key stored in the other node 100 itself, thereby determining whether the shared cryptographic key is consistent between the nodes 100. Para. 38 discloses the specifying information is not limited to the hash value, and any kind of information that specifies a cryptographic key may be used. For example, specifying information calculated from a cryptographic key by an algorithm other than a hash value used in common among a plurality of nodes 100 may be used. Furthermore, for example, identification information (cryptographic key ID) imparted to a cryptographic key may be used as the specifying information. To consider a case where the cryptographic key ID is used as the specifying information, if the cryptographic key ID is consistent between the nodes but cryptographic key per se is inconsistent between the nodes, it is usually impossible to detect an abnormality (inconsistency). The hash value is used as the specifying information, thereby avoiding such a problem. Para. 34 discloses the cryptographic key storage 103 accumulates and stores therein one or more cryptographic keys shared with the other node 100. Para. 40 discloses When determination information indicating that the cryptographic key is not consistent between the nodes is received, the above-mentioned sharing controller 102 controls, for example, deleting the cryptographic key specified by the specifying information from the cryptographic key storage 103.]

Regarding claim 5, modified Tanizawa teaches the system according to claim 3, but Tanizawa does not teach wherein when a logical drive sharing the application key is deleted, the first processor is configured to transmit, to the comprehensive management device, a logical-drive deletion notification indicating that the logical drive sharing the application key is deleted, and the second processor is configured to: identify, based on the correspondence information, an application-key management device of the sharing destination having a logical drive sharing the application key stored in the deleted logical drive; and transmit, to the application-key management device of the sharing destination, a deletion request of specifying the logical drive associated with the deleted logical drive.
However, Fu does teach wherein when a logical drive sharing the application key is deleted, the first processor is configured to transmit, to the comprehensive management device, a logical-drive deletion notification indicating that the logical drive sharing the application key is deleted, [Fu, para. 56 discloses the first data node is an abnormal node, and the authority information stored on the first data node is stored onto the second data node. At this time, the first data node may be deleted. Deleting the first data node may be understood as stopping the first data node from serving the outside. Para. 58 discloses In the present embodiment, the updated authority information is acquired; the first update notification is transmitted to the first data node, the first update notification including the updated authority information; if the update result returned by the first data node is not received, or the update result returned by the first data node is received and the update result is the update failure, whether the third party node includes the registration message transmitted by the first data node within the preset time is determined] and the second processor is configured to: identify, based on the correspondence information, an application-key management device of the sharing destination having a logical drive sharing the application key stored in the deleted logical drive; [Fu, para. 57 discloses since the authority information of all data nodes is stored in the control node, when storing the authority information stored on the first data node onto the second data node, the authority information stored on the first data node may be obtained from the control node. The step of storing the authority information stored on the first data node onto the second data node may be executed before the step of deleting the first data node, or may be executed after the step of deleting the first data node. Para. 58 discloses In the present embodiment, the updated authority information is acquired; the first update notification is transmitted to the first data node, the first update notification including the updated authority information; if the update result returned by the first data node is not received, or the update result returned by the first data node is received and the update result is the update failure, whether the third party node includes the registration message transmitted by the first data node within the preset time is determined; if the third party node does not include the registration message, the authority information stored on the first data node is stored onto the second data node; and the first data node is deleted. The first data node, after receiving the first update notification, may directly acquire the updated authority information from the first update notification, and update, thereby simplifying the updating process and improving the updating efficiency.] and transmit, to the application-key management device of the sharing destination, a deletion request of specifying the logical drive associated with the deleted logical drive. [Fu, para. 59 discloses if the update result returned by the first data node is not received, or the update result returned by the first data node is received and the update result is the update failure, whether the first data node is abnormal may be determined by determining whether the third party node includes the registration message transmitted within the preset time by the first data node, and the first data node is deleted in case of an abnormality. That is, the method in the present embodiment may discover and timely delete (or get rid of) an abnormal data node, so as to ensure consistent authority information of the first data node and the control node and to ensure user data security.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filing date to combine Fu’s system with Tanizawa’s system, with a motivation to discover and timely delete (or get rid of) an abnormal data node, so as to ensure consistent authority information of the first data node and the control node and to ensure user data security. [Fu, para. 59]

As per claim 6, Tanizawa teaches the system according to claim 3, wherein when a logical drive sharing the application key is changed, the first processor is configured to transmit, to the comprehensive management device, a logical-drive change notification indicating that the logical drive sharing the application key is changed, [Tanizawa, para. 50 discloses the node 100a that has determined to restart (or reinitialize) the cryptographic key sharing operation transmits restart notification data for restarting the cryptographic key sharing operation to the node 100b (step S102). The restart notification data contains, for example, ID information for identifying the node 100a. The restart notification data may further contain ID information of the node 100b. The restart notification data may be exchanged as a control signal of the cryptographic key sharing network. For example, in the case where a cryptographic key is shared by using the quantum key distribution technique, the restart notification data may be transmitted by using a transmission channel for transmitting a control signal, the transmission channel being different from a transmission channel for transmitting the cryptographic key.] and the second processor is configured to: update the correspondence information based on the logical-drive change notification and identifies, based on the updated correspondence information, an application-key management device of a sharing destination having a logical drive sharing the application key stored in the changed logical drive; [Tanizawa, para. 51 discloses the restart notification data may be encrypted (and/or authenticated) by using a cryptographic key that is shared before restarting. The restart notification data may be exchanged via the application network 302. In this case too, the restart notification data may be encrypted (and/or authenticated) by using the cryptographic key that is shared before restarting. Para. 52 discloses After receiving the restart notification data, the node 100b verifies ID information contained in the restart notification data to confirm whether the restart notification data is valid (step S103). For example, the node 100b confirms whether the ID information is ID information of the node 100a. Para. 54 discloses After receiving the OK signal, the calculator 105 of the node 100a calculates (all or some of) hash values of cryptographic key that are currently held by the node 100a (step S105). Here, the hash values of at least part of the cryptographic keys may be calculated in advance. The hashing algorithm to be used is set in advance] and notify the application-key management device of the sharing destination that the logical drive of the sharing destination of the application key is changed. [Tanizawa, para. 52 discloses after receiving the restart notification data, the node 100b verifies ID information contained in the restart notification para. 55 the transmitter 106 of the node 100a notifies the node 100b of the calculated hash values and the cryptographic key IDs (or alternatively, a range of the cryptographic key IDs when a hash value of combined cryptographic keys together is calculated) of the cryptographic keys used for calculating those hash values (step S106). Variations of a method for transmitting a notification are conceivable in the same manner as described with respect to step S102.]

As per claim 7, Tanizawa teaches the system according to claim 1, wherein a number of logical drives storing the shared application key is a same between a sharing destination and a sharing source of the application key. [Tanizawa, para. 24 discloses the application 200 has the function of acquiring a link key from the node 100 connected thereto and performing cryptographic data communication with the other application (connected to an opposed node and capable of acquiring the same link key) by using the link key as a cryptographic key. The cryptographic data communication may be implemented via a network (application network) such as the Internet that is different from a cryptographic key sharing network. Furthermore, the node 100 and the application 200 may be implemented in an integrated manner. Each of the node 100 and the application 200 may be constituted as an independent terminal to transmit/receive an application key therebetween. FIG. 1 illustrates one example in the case that the node 100 and the application 200 are separately installed on the private networks 303a and 303b operated for the respective nodes 100a and 100b. Para. 45 discloses First of all, the node 100a and the node 100b share a cryptographic key as a premise. The cryptographic key sharing operation is performed based on a quantum key distribution technique or the like. A timing of the cryptographic key sharing between the node 100a and the node 100b is basically synchronized. Accordingly, inconsistency of the shared cryptographic keys is impossible to occur under normal circumstances. The cryptographic key is stored in the cryptographic key storage 103 included in each of the node 100a and the node 100b.] 

Regarding claims 8 – 9, they recite features similar to the features presented in claim 1; therefore, they are rejected in a similar manner.

Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over US 20150036825 A1 to Tanizawa et al., (hereinafter, “Tanizawa”) in further view of US 20200409683 A1 to Fu et al., (hereinafter, “Fu”) in further view of US 20200120202 A1 to Jakobsson et al., (hereinafter, “Jakobsson”).
Regarding claim 4, Tanizawa teaches the system according to claim 3, but modified Tanizawa does not teach wherein when a new logical drive is created, the first processor is configured to transmit, to the comprehensive management device, a logical-drive addition notification indicating the new logical drive and an application-key management device of a sharing destination of an application key stored in the new logical drive, and the second processor is configured to: store, based on the logical-drive addition notification, the new logical drive in the correspondence information; and transmit, to the application-key management device of the sharing destination, a request of creating a logical drive associated with the new logical drive.
	However, Jakobsson does teach wherein when a new logical drive is created, the first processor is configured to transmit, to the comprehensive management device, a logical-drive addition notification indicating the new logical drive and an application-key management device of a sharing destination of an application key stored in the new logical drive, [Jakobsson, para. 135 discloses the router of the network of installation site is configured to only permit traffic from devices that have the access credentials, except traffic to the site registering new nodes. This way, a new node can connect automatically to the server, identify itself using the unique identifier, and obtain access credentials for the network. In one alternative, the router accepts any traffic to the backend that provides the service to the node, and not only for registration purposes. In this case, no credential is needed. This can also be achieved by the new node contacting the server by routing its traffic via other, already registered nodes, that will convey the traffic to the backend. Para. 136 discloses Such users can receive a notification from the server stating that new nodes have been added, but before they are allowed to contribute data and be controlled, they need to be accepted by the user, to belong to the network. This indication is provided by the user by connecting to the registration server and accepting the new nodes, and preferably also providing additional information such as a location designation, which can be a descriptor from a pull-down or other menu, or which can be user-entered text.] and the second processor is configured to: store, based on the logical-drive addition notification, the new logical drive in the correspondence information; [Jakobsson, para. 137 discloses each node stores, at the time of installation and using non-volatile memory, an identifier and a symmetric key. 
The identifier would be a unique number, such as a 32 bit number, and the symmetric key would be a number selected, at manufacture, using a random or pseudo-random process, and may be a 128 bit number. The symmetric keys are also stored in a large database, at the backend, indexed by the identifier. Alternatively, the symmetric key would be a one-way function of the identifier and a secret master key known only to the manufacturer, where the backend computes the symmetric key, provided the unique identifier, and access to the master key.] and transmit, to the application-key management device of the sharing destination, a request of creating a logical drive associated with the new logical drive. [Jakobsson, para. 139 discloses The access credential needs to be updated for all nodes in case it is later changed; that process can be performed by a new credential being transmitted over the overlay network made up by individual BLE connections or similar, and encrypted and authenticated using the symmetric key for encryption and the symmetric key for authentication. If at any point a node is removed from the network, the remaining nodes may be sent updated keys, encrypted using the symmetric keys associated with their identifiers, which remain stored on each node, in non-volatile storage. If a node is added or removed, this may require some of the remaining nodes to be reconfigured by the server, e.g., to take fewer or more inputs into consideration when collecting input to be conveyed to the server.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filing date to combine Jakobsson’s system with modified Tanizawa’s system, with a motivation to provide by the user by connecting to the registration server and accepting the new nodes, and preferably also providing additional information such as a location designation, which can be a descriptor from a pull-down or other menu, or which can be user-entered text. [Jakobsson, para. 136]

Conclusion
Pertinent prior art made of record however not relied upon includes:
US 20140143867 A1 to Tanizawa et al. 
“According to an embodiment, a communication device is connected to a plurality of external devices which share key information with each other. The communication device includes a detector and an instructing unit. The detector is configured to, from among the external devices, detect an external device that has been subject to attack. The instructing unit is configured to issue an instruction to stop using key information which is shared with the detected external device.”
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Phuc Pham whose telephone number is (571)272-8893. The examiner can normally be reached Monday - Thursday 7:30 AM - 4:30 PM; Friday 8:00 AM - 12:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/P.P./Patent Examiner, Art Unit 2434
/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434