DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1, 16, 20 were amended; claims 1-4, 16-20 are pending.
The examiner called the applicant's representative multiple times and informed that the current amendment can be rejected by Ahuja para. [0044], and suggested moving up the objected claims for compact prosecution. However, the Office has not yet received any response from the applicant's representative.
Priority
This application discloses and claims only subject matter disclosed in prior application No. 15/699,553, filed 09/08/2017, and names the inventor or at least one joint inventor named in the prior application. Accordingly, this application may constitute a continuation.
Response to Arguments
Applicant’s arguments with respect to claims 1, 16, 20 have been considered but are not persuasive. On page 8, the applicant argued, regarding establishing obviousness, that the Office must set forth "the relevant teachings of the prior art relied upon." MPEP § 2142. In KSR International Co. v. Teleflex Inc., the Supreme Court noted that the analysis supporting a rejection under 35 U.S.C. § 103 must be made explicit. See 550 U.S. 398, 418 (2007); MPEP § 2142. "[O]bviousness [also] requires a suggestion of all limitations in a claim." In re Wada and Murphy, Appeal 2007-3733 (citing CFMT, Inc. v. Yieldup Intern. Corp., 349 F.3d 1333, 1342 (Fed. Cir. 2003)).
The examiner recognizes that obviousness can only be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art. See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988) and In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992). In this case, the differences between the prior art and the claims in issue have been set forth. The level of ordinary skill in the art is deemed to be a person who is presumed to be aware of all prior art, specifically relating to control. The rejection is based on what was known prior to the time the Applicant created the invention, rests on a factual basis, and is supported by the motivation as noted in the above office action. Under such considerations, the prior art teaches the claims as written.

On pages 8-9, the applicant argued that the references, in any combination, do not teach or suggest "wherein the encryption implementation is selected in place of a second encryption implementation based at least in part on the tenant and a security level associated with the data set," as recited in amended independent claim 1. The examiner respectfully disagrees. The examiner does not believe the specification supports “the encryption implementation is selected in place of a second encryption implementation based at least in part on the tenant”. Ahuja [0044] teaches "wherein the encryption implementation is selected in place of a second encryption implementation based at least in part on a security level associated with the data set,".
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1, 16, 20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. 

The claims recite “performing, at the kernel module and based at least in part on the system call, an encryption process on the data set with an encryption implementation and the tenant specific encryption key, wherein the encryption implementation is selected in place of a second encryption implementation based at least in part on the tenant and a security level associated with the data set.” According to the specification, the only support is found in [0042], which discloses “In some cases, the data handling platform may dynamically switch between different encryption implementations, for example, for different tenants or data security levels.” However, there is nothing else in the specification that describes what such “implementation” corresponds to. Nor is there any description of how the selection is even made for different tenants.

The dependent claims do not cure the deficiencies and are also rejected accordingly.

Note: The examiner's earlier withdrawal of the 112(a) rejection was not accurate, due to the internal quality tracker of the Office. For examination purposes, the examiner interpreted the limitation as an encryption key generated corresponding to tenant/USER IDs.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1, 16, 20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Claims 1, 16, 20 recite “wherein the encryption implementation is selected in place of a second encryption implementation based at least in part on the tenant and a security level associated with the data set”. The examiner is not sure what the applicant meant by a second encryption implementation without identifying a first encryption. For prosecution purposes, the examiner interpreted the limitation as “wherein the encryption implementation is selected based at least in part on a security level associated with the data set”.

The dependent claims do not cure the deficiencies and are also rejected accordingly.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 6-9, 11, 16, 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Ahuja et al (US 20140194094 A1) in view of Hsu (US 5,584,023B2).

With regards to claim 1, Ahuja discloses, A method for data encryption or decryption, comprising: 
intercepting, at a kernel module (FIG 1 and associated text; [0055]; Still further, portions of a hosted application can be executed by a user working directly at a server hosting the application, as well as remotely at a client.), a system call and a data set associated with the system call (FIG 9A 905 and associated text);
determining, that the data set associated with the system call is marked for encryption ([0048] In the example of FIG. 9A, system calls can be monitored 905, for instance, by a security module interfacing with a kernel, such as an LSM. A particular system call can be intercepted 910 that relates to I/O functionality of the mobile computing device. A DLP agent on the mobile computing device can be queried for DLP policies applicable to the intercepted system call. In some instances, a DLP agent can be queried for each system call monitored by security module. In other examples, a security module can filter which system calls are intercepted and communicated to the DLP agent based upon logic and rules accessible to the security module, such as system calls that likely relate to I/O functionality of the mobile computing device and relate to DLP goals and/or policies for the device, among other examples [0065] In one example, the DLP enforcement action includes causing data to be input or output in connection with the particular system call to be encrypted.  ); 
wherein the encryption implementation is selected in place of based at least in part on a security level associated with the data set ([0044] In some implementations, in addition to encryption functionality provided to other potential DLP solutions, such as encryption containers, a security module can be used to intercept data included in system calls and dynamically identify, based on identified rules and policies maintained by the DLP agent, that the intercepted data is of a sensitive nature and should be encrypted. Accordingly, in some implementations, a security module can cause such intercepted data to be encrypted before proceeding, for instance, to device storage, to a device application, or to a device subsystem, for instance, to be communicated outside the mobile device. This can allow for more efficient encryption of files on a file-by-file basis and in accordance with the fine-grained DLP policies, rather than more brute force approaches, such as the encryption of an entire file system, entirety of application data, and so on. By encrypting data automatically and without explicit file-by-file designation by user, the most sensitive data on a mobile device can be maintained in an encrypted format to protect, for instance, the data being leaked or lost, such as in connection with the theft or other loss of the mobile device.)
Ahuja does not exclusively teach, but Hsu teaches,
identifying, a tenant identifier associated with the data set (Hsu Col 8 ; Table III; Process with P_uid); 
retrieving a tenant specific encryption key associated with the data set (Col 22 line 0-10; The key-based transparent file encryption system of claim 13 wherein the encryption and decryption of said predetermined file by said encryption routine is dependant on said predetermined password as an encryption key.  FIG 4A 54 and associated text;  Col 10 line 10-25; ); and 
performing, at the kernel module and based at least in part on the system call, an encryption process on the data set with an encryption implementation and tenant specific encryption key (Col 10 line 10-25; The ioctl system call specific to the device driver of the present invention is issued by a simple application program also specific to the present invention. The application program provides a simple user interface to obtain a password key for validating the encryption and decryption of data files protected by the present invention. Note: The examiner interpreted the limitation as performing an encryption process on the data set with a tenant specific encryption key. Here, the password key, which is a tenant specific key, is used for encryption and decryption of data files).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify Ahuja’s method with the teaching of Hsu in order to secure transfer data in storage (Hsu Abstract).

Claims 16, 20 are device and product claims corresponding to the method claim and are also rejected accordingly.

With regards to claim 6, Ahuja in view of Hsu discloses, wherein determining that the data set associated with the system call is marked for encryption is based at least in part on a directory that the data set is associated with (Hsu Col 6 line 45 to 67; Consequently, the open, create, read, write, seek, stat and close system call procedures permit logical operation relative to a wide variety of logical data entities, including directories, files, and pipes, for example, that are treated as files referenceable via directories. In turn, directories are maintained on disk as standard files containing specifically structured data. This directory file data includes a pointer to a disk based structure of disk inode entries. Each inode entry stores specifically relevant information describing, among other things, the protection mode, owner, user group and size of a particular data file. A summary of an inode entry, as stored on disk, is provided in Table II.). The motivation would be the same as stated for claims 1, 16.

With regards to claim 7, Ahuja in view of Hsu discloses, wherein the tenant specific encryption key is based at least in part on a cryptographic nonce associated with the data set (Hsu Col 11 line 45-67; The user provided password key is used in conjunction with a predefined seed table to create, by index value substitution, an encryption table 56 that is stored in the alpha structure SO. The seed table, preferably included as a predefined element of the device driver of the present invention, preferably consists of 256 randomly ordered unique byte values. In the preferred embodiment of the present invention a shuffle function 54 is implemented to generate the process specific encryption table 56. The preferred shuffle function provides for a modulo four progressive recalculation of values based on the byte values of the password key and the seed table. Please see Table V). The motivation would be the same as stated for claim 1.

With regards to claims 8, 19, Ahuja in view of Hsu discloses, wherein at least a portion of the data set is stored in a page cache (Hsu col 5 line 63-67; FIG 5A and associated text; also see col 9-col 9), and the encryption process is performed on the portion of the data set (Hsu col 10 line 9-15; The ioctl system call specific to the device driver of the present invention is issued by a simple application program also specific to the present invention. The application program provides a simple user interface to obtain a password key for validating the encryption and decryption of data files protected by the present invention.). The motivation would be the same as stated for claim 1.

With regards to claim 9, Ahuja in view of Hsu discloses, wherein: the system call comprises a write command; and the encryption process comprises encrypting the data set based at least in part on the tenant specific encryption key (Hsu Col 15 line 50-65; In similar fashion, the write system call wrapper procedure is invoked to implement the functions of the present invention in connection with the writing of data to a regular file. Thus, when a user program invokes a write, specifically integrated as a call to the Unix "writei" file system switch call layer, the file enode structure and type are examined to determine whether the referenced file may be encrypted…. The encryption procedure used is that discussed in connection with FIG. 4a; Col 22 line 0-10; The key-based transparent file encryption system of claim 13 wherein the encryption and decryption of said predetermined file by said encryption routine is dependant on said predetermined password as an encryption key. FIG 4A 54 and associated text; Col 10 line 10-25). The motivation would be the same as stated for claims 1, 16.

With regards to claim 11, Ahuja in view of Hsu discloses, wherein: the system call comprises a read command; and the encryption process comprises decrypting the data set based at least in part on the tenant specific encryption key (Hsu Col 15 line 8-24; The read system call procedure 98, is then called to obtain the requested block of data. In the preferred embodiment, this call is preferably integrated at the Unix "readi" file system switch call level, which is one layer below the system call interface layer, to permit file system switch independent operation. The read system call procedure returns the requested data to a buffer typically located in the user data space pre-allocated by the requesting application program. However, the read system call wrapper procedure 96 may access this buffer location while continuing to execute in kernel mode. That is, conventional kernel subroutine calls permit the read system call wrapper procedure to obtain the location of the user space buffer filled as a consequence of the read system call procedure. If the file was authenticated as an encrypted file capable of decryption, the read system call wrapper procedure 96 decrypts the data in the user space read buffer; Col 22 line 0-10; The key-based transparent file encryption system of claim 13 wherein the encryption and decryption of said predetermined file by said encryption routine is dependant on said predetermined password as an encryption key.  FIG 4A 54 and associated text; Col 10 line 10-25;).

Claims 2, 17 are rejected under 35 U.S.C. 103 as being unpatentable over Ahuja et al (US 20140194094 A1) in view of Hsu (US 5,584,023B2), and further in view of Raiz et al (US 20020164025 A1).

With regards to claims 2, 17, Ahuja in view of Hsu teaches, wherein retrieving the tenant specific encryption key (Hsu Col 22 line 0-10; The key-based transparent file encryption system of claim 13 wherein the encryption and decryption of said predetermined file by said encryption routine is dependant on said predetermined password as an encryption key. FIG 4A 54 and associated text; Col 10 line 10-25); also discloses, a key cache (Hsu FIG 4C 56; Seed table).
However, Ahuja in view of Hsu do not teach, but Raiz teaches, transmitting, the tenant identifier; and receiving, based at least in part on the tenant identifier, the tenant specific encryption key associated with the tenant identifier ([0010] In general, in another aspect, the invention features a method comprising (1) distributing without charge, copies of an application program online or on storage media, (2) enabling a user of one of the computers to choose among modes he wishes to run the application program, (3) in at least one of the chosen modes, enabling the user to run the application program without requiring the user to provide information about the user, (4) in at least another one of the chosen modes, requiring the user to self-register by providing information about the user in exchange for an authorization key that is associated with a unique identifier of the computer on which the application program is to run and which enables the application to be run in the chosen mode, the authorization key having a limited validity period.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify Ahuja in view of Hsu’s method with the teaching of Raiz in order to secure transaction and restricting copying (Raiz [0002]).

Claims 10, 12 are rejected under 35 U.S.C. 103 as being unpatentable over Ahuja et al (US 20140194094 A1) in view of Hsu (US 5,584,023B2), and further in view of Chang et al (US 20090006796 A1).

With regards to claim 10, Ahuja in view of Hsu do not teach, but Chang teaches, storing an encryption key identifier in a file that is associated with the data set (Chang [0058] The memory device 202 generates a key value and associates this value with the encryption key ID provided by the host device 204, and stores the encryption key ID for the key value used to encrypt the data in its record or table for this user or application. The memory device 208 then encrypts the data and stores the encrypted data at the addresses designated by the host device 204. The memory device 202 also stores the encryption key ID within a header portion of the data file. The memory device 202 may also store encryption key ID data in a secure portion of the memory 208.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify Ahuja in view of Hsu’s method with the teaching of Chang for improved control of stored media content (Chang [0002]).

With regards to claim 12, Ahuja in view of Hsu, and Chang teach, wherein the tenant specific encryption key comprises a symmetric encryption key (Chang [0058] In order for a user or application to gain access to protected content or a secure memory area of the memory 208, the memory device 202 may authenticate the user or application using a credential that may be pre-registered with the memory device 202 or pre-loaded within a secure area of the memory 208. The credential can include a symmetric key, a digital signature, a digital certificate, other indicia to provide authentication, or any combination thereof.). The motivation would be the same as stated for claim 10.

Claims 13-14 are rejected under 35 U.S.C. 103 as being unpatentable over Ahuja et al (US 20140194094 A1) in view of Hsu (US 5,584,023B2), and further in view of Devanand et al (US-20090296938-A1).

With regards to claims 13, 14, Ahuja in view of Hsu do not teach, but Devanand teaches, wherein performing the encryption process on the data set further comprises: using a cipher block chaining (CBC) block cipher mode; wherein performing the encryption process on the data set further comprises: using a counter (CTR) block cipher mode (Devanand [0080] FIG. 6 is a diagram of an example embodiment of a process for communicating protected content according to an example embodiment of the present invention. Part of that process is SKE. As shown at line 6a, SKE may begin with the top-level transmitter (e.g., processing system 20) generating the session key "KeyS." In one embodiment, processing system 20 generates KeyS as a random 128-bit value. As shown at line 6b, processing system 20 may then encrypt KeyS with KeyMX, using the AES cipher block in counter mode.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify Ahuja in view of Hsu’s method with the teaching of Devanand in order to protect digital content (Devanand [0001]).

Allowable Subject Matter
Claims 3-5, 18 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMED WALIULLAH whose telephone number is (571)270-7987. The examiner can normally be reached from 8:30 to 4:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 1-571-272-8878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/MOHAMMED WALIULLAH/Primary Examiner, Art Unit 2498