DETAILED ACTION
This office action is in reply to applicant communication filed on May 13, 2022.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Claims 1-20 have been amended.
Claims 1-20 are pending. 

Response to Argument
Applicant’s arguments filed on May 13, 2022 with respect to the 35 U.S.C. 102/103 rejections have been fully considered but are moot in view of new ground(s) of rejection.

Applicant’s arguments filed on May 13, 2022 with respect to the double patenting rejections have been fully considered, and the rejections are maintained until a proper terminal disclaimer is filed to overcome the rejection.

Applicant argues that the prior art of record, Cortez (US Pub. No. 2007/0180230) in view of Zhang (2005/0154895), fails to teach the limitation of the independent claims, “… wherein the public key and the private key are limited use keys”. Examiner respectfully disagrees.

A review of the prior art of record (Cortez) corresponding to the above argued claim limitation reveals that the argued limitation is disclosed by Cortez (abstract of Cortez, a private "server-key", a public "client-key" and a server session ID are generated by the server, and the client-key and the session ID are sent to the browser with the code used to encrypt the message). Cortez further discloses the session ID as a temporary key (paragraph 53 of Cortez, in a preferred embodiment according to the invention, the session ID string is a pseudo-randomly generated list of alphanumeric characters. Each application container itself generates this key for the express purpose of creating a unique number that is associated with the current user's session. It is temporarily stored in a session cookie in the browser's memory (not permanently on disk). Once the session is completed via logoff, or the browser is closed, this session cookie is permanently destroyed. Upon subsequent access to the same server, a different session ID will be generated for the same user. This sequence of characters is used by the application container to validate each request sent by the client to allow access to the private user data) and (paragraph 44 of Cortez, a preferred embodiment uses a private decryption key ("server-key"), a public encryption key ("client-key") and a server session ID. The server-key and the client-key are both generated by the server, however, only the client-key and the session ID are sent across the communication channel to the browser along with the code used to encrypt). Therefore, Cortez disclosed the above argued limitation as shown above.

Applicant argues that the prior art of record fails to teach the amended limitation, “… searching a database to identify the key identifier and extract the associated private key” of the independent claims. However, upon further consideration, a new ground(s) of rejection is made using newly discovered prior art, Ignatchenko (US Pub. No. 2014/0006788).

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.  

Claims 1-20 are rejected on the ground of non-statutory double patenting as being unpatentable over claims 1-22 of U.S. Patent No. 10,205,709. Although the claims at issue are not identical, they are not patentably distinct from each other because the instant application and ‘709 are directed to methods and systems for using a limited-use public/private key pair to encrypt and decrypt messages sent through an intermediary/access device.

Claims 1-20 are rejected on the ground of non-statutory double patenting as being unpatentable over claims 1-12 of U.S. Patent No. 10,356,057. Although the claims at issue are not identical, they are not patentably distinct from each other because the instant application and ‘057 are directed to methods and systems for using a limited-use public/private key pair to encrypt and decrypt messages sent through an intermediary/access device.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1, 4, 7-8, 11, 14-15, 17-18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Cortez (US Pub. No. 2007/0180230) in view of Zhang (2005/0154895) and further in view of Ignatchenko (US Pub. No. 2014/0006788).

	As per claim 1 Cortez discloses:
A verification server comprising: a processor; and a memory coupled to the processor, the memory storing instructions, which when executed by the processor, cause the verification server to perform operations including: receiving a request for a public key: (see the request from client to server in fig. 2 of Cortez).
Generating the public key, a private key that corresponds to the public key, and a key identifier associated with the private key, wherein the public key and the private key are limited-use keys; (abstract of Cortez,  a private "server-key", a public "client-key" and a server session ID are generated by the server, and the client-key and the session ID are sent to the browser with the code used to encrypt the message).
Transmitting the public key and the key identifier to the client device; (paragraph 69 of Cortez, the server A sends {n,e}, session ID string and encryption operation code across the communication channel to the client B browser).
Receiving, from the client device a message and the key identifier from the client device, wherein the message is encrypted using the public key; (client (browser) runs the encryption operation as shown in fig. 2 of Cortez using the received public key). Also see paragraph 69 of Cortez.
Retrieving the private key associated with the key identifier; and decrypting the message using the private key. (the server runs the decryption operation code using the private key corresponding to the public key as shown in fig. 2 of Cortez). Also see paragraph 70 of Cortez.
Cortez teaches the method of generating a public key by the server based on the received request from the client (see Fig. 2 of Cortez) but fails to disclose:
Receiving, over a first network, from an access device, wherein the access device sends the request in response to an interaction with a client device and transmitting to the access device, wherein the access device transmits the key to the client device and Receiving over a second network, the message.
However, in the same field of endeavor, Zhang teaches this limitation as, (abstract of Zhang. a packet is received from the user device that includes a user device public key, by the second network via the first network. A session key is sent from the second network to the user device, via the first network, when a source Internet Protocol (IP) address associated with the packet falls into a range allocated to the first network. The session key is encrypted with the user device public key. The user device decrypts the session key using a private key and uses the session key thereafter to access the second network).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Cortez and include the above limitation using the teaching of Zhang in order to communicate the message using a secured and verified network to the server. 
The combination of Cortez and Zhang teaches the method of retrieving the private key associated with the key identifier; and decrypting the message using the private key (see Fig. 2 of Cortez) but fails to disclose:
Searching a database to identify the key identifier and extract the associated private key.
However, in the same field of endeavor, Ignatchenko teaches this limitation as, (paragraph 80 of Ignatchenko,  if all verifications pass successfully, then, at step 530, the key storage device 400 may retrieve the root private key 101 identified by identifier 620 from the key storage 110) and (paragraph 92 of Ignatchenko, the key storage device 400 may retrieve the root private key 101 identified by identifier 830 from the key storage 110, and at step 735, the key storage device 100 may retrieve the appropriate CRL from CRL storage 102).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Cortez and Zhang to include the above limitation using the teaching of Ignatchenko in order to securely store and retrieve cryptographic keys using the key identifier (see paragraphs 50 and 92 of Ignatchenko).

Claims 8, 15, and 18 are rejected for the same reason set forth in the rejection of claim 1.

As per claim 4 Cortez in view of Zhang and further in view of Ignatchenko discloses:
The verification server of claim 1, wherein the private key associated with the key identifier is retrieved after determining that the key identifier has not expired. (Paragraph 30 of Cortez, if the end of the session ID is reached prior to completing the target message, then the process can restart at the first session ID character in the session ID string). 

Claim 11 is rejected for the same reason set forth in the rejection of claim 4.

As per claim 7 Cortez in view of Zhang and further in view of Ignatchenko discloses:
The verification server of claim 1, wherein the limited-use keys are valid for one or more of: a predetermined time period or a predetermined number of uses. (Paragraph 30 of Cortez, if the end of the session ID is reached prior to completing the target message, then the process can restart at the first session ID character in the session ID string). 

Claims 14, 17, and 20 are rejected for the same reason set forth in the rejection of claim 7.

Claims 2-3, 9-10, 16 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Cortez (US Pub. No. 2007/0180230) in view of Zhang (2005/0154895) and further in view of Ignatchenko (US Pub. No. 2014/0006788) and Laurila (US Pub. No. 2005/0152275).

As per claim 2:
The combination of Cortez, Zhang, and Ignatchenko teaches the method of generating a public key by the server based on the received request from the client (see Fig. 2 of Cortez) but fails to disclose:
The verification server of claim 1, wherein the operations further include: generating a token in response to the message, wherein the token authorizes access to a resource; and transmitting the token to the access device.
However, in the same field of endeavor, Laurila teaches this limitation as, (Claim 25 of Laurila,  wherein a media authorization is performed between the first and second networks, a User Equipment (UE) sends an Authorization Token to the second network which Authorization Token represents a session being created in the first network, the Authorization Token being reported to a Mapping Function in a Lawful Interception (LI) information message which includes a user identity used in the second network, the Mapping Function activating interception in the first network).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Cortez, Zhang, and Ignatchenko to include the above limitation using the teaching of Laurila in order to authenticate the user and provide a token to enhance the security of future communication.

Claims 9, 16, and 19 are rejected for the same reason set forth in the rejection of claim 2.

As per claim 3:
The combination of Cortez, Zhang, and Ignatchenko teaches the method of generating a public key by the server based on the received request from the client (see Fig. 2 of Cortez) but fails to disclose:
The verification server of claim 2, wherein the token is transmitted to the access device via the client device.
However, in the same field of endeavor, Laurila teaches this limitation as, (Claim 25 of Laurila,  wherein a media authorization is performed between the first and second networks, a User Equipment (UE) sends an Authorization Token to the second network which Authorization Token represents a session being created in the first network, the Authorization Token being reported to a Mapping Function in a Lawful Interception (LI) information message which includes a user identity used in the second network, the Mapping Function activating interception in the first network).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Cortez, Zhang, and Ignatchenko to include the above limitation using the teaching of Laurila in order to notify the network device/access device of a secure session being created to the other network.

Claim 10 is rejected for the same reason set forth in the rejection of claim 3.

Claims 5-6 and 12-13 are rejected under 35 U.S.C. 103 as being unpatentable over Cortez (US Pub. No. 2007/0180230) in view of Zhang (2005/0154895) and further in view of Ignatchenko (US Pub. No. 2014/0006788) and Hemphill (US Pub. No. 2014/0181521).

As per claim 5:
The combination of Cortez, Zhang, and Ignatchenko teaches the method of generating a public key by the server based on the received request from the client (see Fig. 2 of Cortez) but fails to disclose:
The verification server of claim 1, wherein receiving the request for the public key occurs after generating the public key, the private key, and the key identifier.
However, in the same field of endeavor, Hemphill teaches this limitation as, (paragraph 67 of Hemphill, as shown, block 501 may take place at some point in time before automation device 200 is manufactured, deployed, or placed into the field, retail, or distribution. Particularly, at block 501, a public-private key pair may be produced and associated with a Device ID corresponding to automation device 200).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Cortez, Zhang and Ignatchenko to include the above limitation using the teaching of Hemphill in order to improve the response time by pre-generating the public-private key pair and their identifier. 

Claim 12 is rejected for the same reason set forth in the rejection of claim 5.

As per claim 6:
The combination of Cortez, Zhang, and Ignatchenko teaches the method of generating a public key by the server based on the received request from the client (see Fig. 2 of Cortez) but fails to disclose:
The verification server of claim 1, wherein generating the public key, the private key, and the key identifier comprises generating a plurality of public keys including the public key, a plurality of private keys including the private key, and a plurality of key identifiers including the key identifier prior to receiving the request, and wherein after receiving the request, the operations further include: selecting the public key from the plurality of public keys, the private key from the plurality of private keys, and the key identifier from the plurality of key identifiers.
However, in the same field of endeavor, Hemphill teaches this limitation as, (paragraph 67 of Hemphill, as shown, block 501 may take place at some point in time before automation device 200 is manufactured, deployed, or placed into the field, retail, or distribution. Particularly, at block 501, a public-private key pair may be produced and associated with a Device ID corresponding to automation device 200) and (paragraph 10 of Hemphill, the processing circuit may be configured to execute instructions to cause the automation device to transmit a first communication to a remotely located provisioning service, the request including the device identifier encrypted using the public key, the first communication transmitted after a message originated by a computing device is received by the provisioning service, the message including the device identifier, the provisioning service having access to a database configured to store a plurality of device identifiers and corresponding private-public key pairs, each device identifier).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Cortez, Zhang, and Ignatchenko to include the above limitation using the teaching of Hemphill in order to improve the response time by pre-generating the public-private key pair and their identifier. 

Claim 13 is rejected for the same reason set forth in the rejection of claim 6.

Conclusion
The prior art made of record and not relied upon that is considered pertinent to applicant’s disclosure is Ahn (US Pub. No. 2016/0140548). Ahn discloses methods and systems for performing non-repudiation using user authentication and an asymmetric encryption key.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to TESHOME HAILU whose telephone number is (571)270-3159. The examiner can normally be reached M-F 8 a.m. - 5 p.m.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571) 272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/TESHOME HAILU/Primary Examiner, Art Unit 2434