DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

This is in response to Amendments/REMARKS, filed on 07/14/2022.
Claims 4 & 20 are cancelled;
Claims 1—3, 5—19 are pending.

Response to Arguments
Applicant’s arguments with respect to claim(s) 1 … have been considered but are moot because the new ground of rejection does not rely on the reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Regarding features disclosed in claim 4, it is argued that Shah keeps its “private key is kept secret within one entity…”. Examiner respectfully disagrees because, for example, in Shah, appliances decrypt CKE using a private key (col. 5, lines 37—48).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1—4 & 9—17 are rejected under 35 U.S.C. 103 as being unpatentable over “Karagiannis” et al. [US 10389524 B2] in view of “Xie” et al. [US 2019/0140823 A1], and further in view of “Shah” [US 10447658 B2].

REGARDING CLAIM 1. Karagiannis discloses an apparatus comprising: first interface circuitry to communicate with a first computing device; second interface circuitry to communicate with a second computing device [see Abstract; Figures 2a—4: where Client 102, SGX/Mbox-, Server 104 are disclosed], wherein:
the first interface circuitry is configured to receive a handshake message from the first computing device [see Abstract; and Figure 4 (Client 102 transmitting hello to Mbox-C 108-C, …)]; the second interface circuitry is configured to transmit the handshake message to the second computing device and to receive a handshake response message from the second computing device [Karagiannis discloses “establishing a second secure transport layer channel between first endpoint and a middlebox” (Abstract); and see Figure 4 (Mbox-C 108-C, … transmitting hello to Server 104 with Middlebox Announcement)]; and 
the first interface circuitry is configured to transmit the handshake response message to the first computing device, whereby to establish a communication session between the first computing device and the second computing device [see next step in Figure 4, where Server 104, via Mbox-C, … establishes communication session with Client 102: ServerHello + MiddleboxSupportExt (Certificate + ServerKeyExchange)], and trusted execution environment circuitry to execute computer instructions to: 
determine a cryptographic session key associated with said communication session [Karagiannis discloses “… sharing the encryption key the first channel…” (Abstract); see next steps in Figure 4, where ServerHello Certificate + ServerKeyExchange & ClientKeyExchange + ChangeCipherSpec + Finished)]; and

Karagiannis may not expressly disclose, but Xie, analogous art, discloses: and use said session key to decrypt content of encrypted messages transmitted between the first computing device and the second computing device via the apparatus, and to analyse said decrypted content [“… application data transmitted over the TLS secure channel, decrypting, by the middlebox network device, the encrypted application data using a session key, and detecting decrypted content” (Abstract); see FIGS.4—6, where Xie discloses encrypting/decrypting steps in 404/405, 511/512, 610/611, etc.].
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify the system of Karagiannis by incorporating the session key encryption/decryption teachings of Xie for the benefit of establishing a method for detecting encrypted content.

Karagiannis in view of Xie further discloses wherein the trusted execution environment circuitry is configured to: determine the session key based on said content of the handshake response message [see Figure 4, where Server 104, via Mbox-C, … establishes communication session with Client 102: ServerHello + MiddleboxSupportExt (Certificate + ServerKeyExchange)]; Karagiannis/Xie may not expressly disclose, but Shah, analogous art, discloses: is configured to: receive, from the first computing device, a cryptographic private key associated with the first computing device [Shah appliances decrypt CKE using a private key (col. 5, lines 37—48)]; use said private key to determine content of the handshake response message [Shah discloses Hardware security device 1290 (FIG.1) storing any keys and certificate (including private key): see step 833, FIG.8]. 
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify the system of Karagiannis/Xie by incorporating the private key of Shah for the benefit of optimizing a network device within a plurality of appliance devices. 

REGARDING CLAIM 15. Karagiannis in view of Xie, and further in view of Shah, disclose a method comprising: 
transmitting a handshake message from a first computing device to a middlebox device [see Abstract; and Figure 4 (Client 102 transmitting hello to Mbox-C 108-C, …)]; transmitting the handshake message from the middlebox device to a second computing device [see Abstract; and Figure 4 (Mbox-C 108-C, … transmitting hello to Server 104 with Middlebox Announcement)]; 
responsive to receiving the handshake message at the second computing device, transmitting a handshake response message from the second computing device to the first computing device, via the middlebox device, whereby to establish a communication session between the first computing device and the second computing device [see next step in Figure 4, where Server 104, via Mbox-C, … establishes communication session with Client 102: ServerHello + MiddleboxSupportExt (Certificate + ServerKeyExchange)]; 
determining, by trusted execution environment circuitry of the middlebox device, a cryptographic session key associated with said communication session based on said content of the handshake response message [see next steps in Figure 4, where ServerHello Certificate + ServerKeyExchange & ClientKeyExchange + ChangeCipherSpec + Finished)]; 

And, Xie discloses:
and using, by the trusted execution environment circuitry, said session key to decrypt content of encrypted messages transmitted between the first computing device and the second computing device via the apparatus, and to analyse said decrypted content [“… application data transmitted over the TLS secure channel, decrypting, by the middlebox network device, the encrypted application data using a session key, and detecting decrypted content” (Abstract); see FIGS.4—6, where Xie discloses encrypting/decrypting steps in 404/405, 511/512, 610/611, etc.]. 

And, Shah discloses:
receive, from the first computing device, a cryptographic private key associated with the first computing device [Shah appliances decrypt CKE using a private key (col. 5, lines 37—48)]; use said private key to determine content of the handshake response message [Shah discloses Hardware security device 1290 (FIG.1) storing any keys and certificate (including private key): see step 833, FIG.8]. 
The motivation to combine is the same as that of claim 1 above.
Karagiannis in view of Xie, and further in view of Shah, further disclose claim 2. An apparatus according to claim 1, wherein: the first interface circuitry is configured to provide the handshake message unmodified to the second interface circuitry; and the second interface circuitry is configured to provide the handshake response message unmodified to the first interface circuitry [Karagiannis discloses an unmodified (e.g., Primary TLS Session) handshake between client 102 & server 104 (Figure 2A)]. 

Karagiannis in view of Xie, and further in view of Shah, further disclose claim 3. An apparatus according to claim 1, wherein: the trusted execution environment circuitry is configured to determine the session key by receiving, from one of the first computing device and the second computing device, a message comprising said session key, said session key having been generated by said one of the first computing device and the second computing device responsive to at least one of said handshake message and said handshake response message [Xie discloses obtaining a session key (steps 509, 608 of FIGS.5-6) based on the key info]. The motivation to combine is the same as that of claim 1 above.

Karagiannis in view of Xie, and further in view of Shah, further disclose claims 9 & 10. An apparatus according to claim 1, wherein the trusted execution environment circuitry is configured to perform an attestation process in respect of at least one of: said computer instructions to be executed by the trusted execution environment circuitry; and initial data, associated with the trusted execution environment circuitry, in respect of which the trusted execution environment circuitry is to perform said computer instructions; and wherein the attestation process comprises: receiving, from one of the first computing device and the second computing device, an attestation request message; and responsive to said attestation request message, transmitting to said one of the first computing device and the second computing device an attestation token for verification [Karagiannis discloses transmitting an attestation request message and also a certificate (as attestation token): see Certificate/attestation (in Figure 4)]. 

Karagiannis in view of Xie, and further in view of Shah, further disclose claim 11. An apparatus according to claim 10, wherein the attestation token comprises at least one of: a cryptographic hash of said computer instructions; and a cryptographic hash of said initial data [Karagiannis discloses “The attestation includes a cryptographic hash of initial state of the enclave code…”]. 

Karagiannis in view of Xie, and further in view of Shah, further disclose claim 12. An apparatus according to claim 1, wherein the trusted execution environment circuitry is configured to disallow unencrypted transmission of said decrypted content of said encrypted messages outside of the trusted execution environment circuitry [“… application data transmitted over the TLS secure channel, decrypting, by the middlebox network device, the encrypted application data using a session key, and detecting decrypted content” (Abstract); see FIGS.4—6, where Xie discloses encrypting/decrypting steps in 404/405, 511/512, 610/611, etc.]. 
The motivation to combine is the same as that of claim 1 above.

Karagiannis in view of Xie, and further in view of Shah, further disclose claim 13. An apparatus according to claim 1, wherein the trusted execution environment circuitry is configured to disallow transmission of said session key outside of the trusted execution environment circuitry [Karagiannis discloses “… sharing the encryption key the first channel…” (Abstract); see Figure 4, where ServerHello Certificate + ServerKeyExchange & ClientKeyExchange + ChangeCipherSpec + Finished)]. 

Karagiannis in view of Xie, and further in view of Shah, further disclose claim 14. An apparatus according to claim 1, wherein the trusted execution environment circuitry is configured to protect said computing instructions executed by the trusted execution environment circuitry from modification by untrusted computing instructions executed by the apparatus [Karagiannis discloses a middlebox and blocking eavesdroppers (Abstract; Figure 4, etc.)]. 

Karagiannis in view of Xie, and further in view of Shah, further disclose claim 16. A method according to claim 15, comprising performing an attestation process in respect of computer instructions to be executed by the trusted execution environment circuitry, said computer instructions defining said determining the cryptographic session key and said using the session key [Karagiannis discloses “… sharing the encryption key the first channel…” (Abstract); see Figure 4, where ServerHello Certificate + ServerKeyExchange & ClientKeyExchange + ChangeCipherSpec + Finished)]. 

Karagiannis in view of Xie, and further in view of Shah, further disclose claim 17. A method according to claim 16, wherein the attestation process comprises: transmitting an attestation request message from one of the first computing device and the second computing device to the trusted execution environment circuitry; responsive to said attestation request message, transmitting an attestation token from the trusted execution environment circuitry to said one of the first computing device and the second computing device; certifying the attestation token as genuine by the first computing device [Karagiannis discloses transmitting an attestation request message and also a certificate (as attestation token): see Certificate/attestation (in Figure 4)]. 

Claims 5—8 are rejected under 35 U.S.C. 103 as being unpatentable over “Karagiannis” et al. [US 10389524 B2] in view of “Xie” et al. [US 2019/0140823 A1], further in view of “Shah” [US 10447658 B2], and further in view of “Feroz” et al. [US 9489519 B2].

Karagiannis in view of Xie/Shah further disclose claim 5. An apparatus according to claim 1, said recipient device being one of the first computing device and the second computing device, determine whether to block or allow transmission of said given encrypted message to the recipient device [Karagiannis discloses a middlebox and blocking eavesdroppers (Abstract; Figure 4, etc.)].
Karagiannis in view of Xie/Shah may not further disclose, but Feroz, analogous art, discloses: wherein the trusted execution environment circuitry is configured to, based on said analysing of the decrypted content of a given encrypted message directed to a recipient device [see Figures 1 & 8, where Feroz discloses inspecting attributes (metadata) for analyzing content and encryption determination; and also decrypting content (Figure 9)]. 
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify the system of Karagiannis/Xie/Shah by incorporating the teachings of Feroz for the benefit of securing data communications from theft and threat attacks. 

Karagiannis/Xie/Shah in view of Feroz further disclose claims 6—8. An apparatus according to claim 5, wherein the trusted execution environment circuitry is configured to: receive blocking policy information from a computing device external to the trusted execution environment; and determine whether to block or allow transmission of said given encrypted message to the recipient device based on said blocking policy information; wherein the blocking policy information indicates whether to block or allow transmission of said given encrypted message based on the decrypted content of said given encrypted message [Feroz discloses Policies 456; and virtualized controllers 320 creating security policies (Figures 3 & 4)]; wherein the trusted execution environment circuitry is configured, responsive to a determination to allow transmission of said given encrypted message, to transmit said given encrypted message to the recipient device via the corresponding one of the first interface and the second interface [Karagiannis discloses a middlebox and blocking eavesdroppers (Abstract; Figure 4, etc.)].
The motivation to combine is the same as that of claim 5 above.


Allowable Subject Matter
Claims 18 & 19 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The statement of reasons for the indication of allowable subject matter can be found in the previous Office action.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 


Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AMARE F TABOR whose telephone number is (571) 270-3155. The examiner can normally be reached Mon.—Fri.: 8:00 AM to 5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KAMBIZ ZAND can be reached on (571) 272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/AMARE F TABOR/             Primary Examiner, Art Unit 2434