DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
1. 	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

2. 	Amendment was filed on 05/12/2022 has been acknowledged. Claims 1-20 are currently pending and have been considered below. Claims 1, 10-11, 13, 15-17 and 19 have been amended. Claims 1, 14 and 18 are independent claims. 

Priority
3. 	No priority claimed. 

Response to Arguments
4. 	Applicant’s argument is persuasive and the previous rejection is withdrawn.

Claim Rejections - 35 USC § 103
5. 	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


6. 	Claims 1-4, 6, 8, 12-13 are rejected under 35 U.S.C. 103 as being unpatentable over Depew (US Patent Publication No. 20190236279 A1) in view of Benson (US Patent Publication No. US 10708059 B2)

7. 	Regarding Claim 1, Depew, an electronic device comprising: 
a component comprising information (Depew, [0031], As used herein a memory device 132 is a component that can store information); 
a secure storage (Depew, [0049], As noted above, a secure storage can be used and cryptographic information about the inventory can be stored); 
Depew does not explicitly disclose the following limitations that Benson teaches:
and a controller to: generate a digital signature based on the information of the component (Benson, [0040], Col.14, lines, 44-50, the signature in step 280, the server may simultaneously note that the server both validated the first and second credential. If the first credential includes a voice biometric, password, and a location, and the second credential may include at least one signature with an asymmetric key stored on the device, then the system simultaneously proves four-factor authentication.) 
and detect a modification of the component based on the digital signature, detect a receipt of an invalid credential used in an attempt at authorizing the modification of the component, and log, to the secure storage, an indication of the modification of the component and an indication of the receipt of the invalid credential (Benson, Col. 2, lines, 33-38, a request for a registration code to register a mobile device; (2) transmitting, to the authorized device, the registration code; (3) receiving, from the mobile device, the registration code and a mobile device identifier, and (4) authorizing the mobile device. Col. 7 lines, 52-67, 1-3, In another embodiment, in order to protect the user from inappropriate uses of a digital signature, the value may also contain a string whose purpose is to invalidate a transaction signature, e.g., “this string is only signed at authentication and is not used in combination with a digital signature of one or more transactions.”). 
	It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include a modification of the signature to detect the receipt on the invalid credential of the component to enhance security features on the electronic device. 

8. 	Regarding Claim 2, Depew and Benson disclose, the electronic device of claim 1, 
Depew does not explicitly disclose the following limitations that Benson teaches:
wherein the detection of the modification of the component comprises a detection of a new component that was not previously present in the electronic device (Benson, Col. 6, lines 24-28, In one embodiment, if such rooting/alteration is detected then the registration process may simply stop. In one embodiment, the device may perform the root check in step 210, and may provide the result to the server in step 220).  

9. 	Regarding Claim 3, Depew and Benson disclose, the electronic device of claim 2, wherein the detection of the new component comprises a detection responsive to an addition of the new component to a slot that was previously empty (Depew, [0029], the firmware engine 110 can interrogate (e.g., send a query and receive a response) to and from each of the components to be inventoried. This may be performed by a particular sequence to ensure that each component is detected and inventoried. ). 
	
10. 	Regarding Claim 4, Depew and Benson disclose, the electronic device of claim 1, wherein the detection of the modification of the component comprises a detection responsive to a removal of an existing component from the electronic device (Depew, [0009], Accordingly, approaches described herein allows for unauthorized changes to hardware components, theft of hardware components, and modification of hardware components and/or firmware configurations to be detected.).  
	 
11. 	Regarding Claim 6, Depew and Benson disclose, the electronic device of claim 1, wherein the detection of the modification of the component comprises a detection of a change of the component (Depew, [0034], As used herein, hash can refer to each information of the components being separately hashed or for the whole inventory to be determined and then a single hash being taken for the whole inventory. In some examples, the stored inventory 112 can be stored in plain text. Separate hashes allows for determining what changed to be simplified).
	 
12. 	Regarding Claim 8, Depew and Benson disclose, the electronic device of claim 1, 
Depew does not explicitly disclose the following limitations that Benson teaches:
wherein the controller is to validate the modification of the component responsive to receipt of a valid credential (Benson, Col. 7, lines 49-54, In one embodiment, the server may provide a unique receipt after validating the first credential. In one embodiment, this signed receipt may include a digitally signed message digest of information pertaining to the voice biometric event, and may also include other aspects, such as the date and/or time, and a unique event number, etc.).
	It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include the modification of the receipt and credentials on the controller.

13. 	Regarding Claim 12, Depew and Benson disclose, the electronic device of claim 1, wherein the component comprises a hardware device, a program code, or a security configuration setting (Depew, [0013], In some examples all configuration settings can be inventoried. In other examples, a subset of the configuration settings (e.g., settings associated with security, updates, hardware components, etc.) can be inventoried.).

14. 	Regarding Claim 13, Depew and Benson disclose, the electronic device of claim 1, 
	Depew does not disclose the following limitations that Benson teaches:
wherein the controller is to log, to the secure storage, the indication of the modification of the component after the modification of the component has occurred, the invalid credential is presented, and the modification of the component is undone (Benson, [0127], the user's device as invalid, and subsequently fail to validate any authentication or signature event using this public key. In effect, once marked as invalid, the device can no longer authenticate or perform signatures until the device re-registers new cryptographic keys.).

15. 	Claims 5, 7 and 10-11 are rejected under 35 U.S.C. 103 as being unpatentable over Depew (US Patent Publication No. 20190236279 A1) and Benson (US Patent Publication No. US 10708059 B2) in view of Schibuk (US Patent Publication No. 2013/0061055 A1).

16. 	Regarding Claim 5, Depew and Benson discloses, the electronic device of claim 1, 
Depew and Benson does not explicitly disclose the following limitations that Schibuk teaches:
wherein the detection of the modification of the component comprises a detection of a replacement of a first component with a second component (Schibuk, [0314], The prevention of multiple logons from different locations is also difficult, due to the stateless nature of HTTP. In fact, since the central server has no contact with the user, a lost connection or a second logon are difficult even to detect)
	It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the replacement from the first to the second component to enhance security. 

17. 	Regarding Claim 7, Depew and Benson disclose, the electronic device of claim 1, 
Depew and Benson does not explicitly disclose the following limitations that Schibuk teaches:
wherein the detection of the modification of the component comprises a detection of a modification of a collection of components that includes the component (Schibuk, [0037], This method includes using the primary credential to access from storage a summary certificate associated in the storage with the primary credential, the summary certificate containing a collection of secondary credentials considered by the agency in issuing the primary credential. The method also includes, in a revocation computer process, collecting secondary credential revocation information).  
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the collection of component to enhance security of the device. 

18. 	Regarding Claim 9, Depew and Benson disclose, the electronic device of claim 1, 
	Depew and Benson does not explicitly disclose the following limitations that Schibuk teaches:
wherein the controller is to further log a timestamp specifying a time of the modification of the component or a time of the receipt of the invalid credential (Schibuk, [0016], the digitally signed document was received from the device with a timestamp in the document; and/or obtaining a certificate status response from the mobile electronic device. The timestamp may be indicative of the time when credentials on the mobile electronic device were last updated or when the mobile electronic device was last connected to a network in a session meeting pre-specified criteria.).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include modify the time of the receipt of the components to the credentials that are invalid to enhance security. 

19. 	Regarding Claim 10, Depew and Benson disclose, the electronic device of claim 1, 
Depew and Benson does not explicitly disclose the following limitations that Schibuk teaches: 
wherein the indication of the modification of the component comprises a count of a number of occurrences of component modifications (Schibuk, [0274], The servers which already track credential requests provide the certificate numbers, and forward those numbers to the appropriate caches. Again, this embodiment eliminates from the cache the credential data of all those who do not use the service, and keeps the number of validation responses to the originating CA small.).	
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include the count of amount that the component has modified the device to enhance security.

20. 	Regarding Claim 11, Depew and Benson disclose, the electronic device of claim 1, 
Depew and Benson does not explicitly disclose the following limitations that Schibuk teaches:
wherein the indication of the receipt of the invalid credential comprises a count of a multiple occurrences of receipt of invalid credentials, the count being greater than one (Schibuk, [0292], The overhead here is not significant, as the gateway can ensure, through certificate management processes known in the art, that certificate invalidity occurs in only a tiny fraction of total requests (if ever). There is no need for the gateway to distribute validation responses to the enterprise, because those responses are stored with the user).
	It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the amount of the receipts invalid credentials. 

21. 	Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Schibuk (US Patent Publication No. 2013/0061055 A1) in view of Benson (US Patent Publication No. US 10708059 B2).

22. 	Regarding Claim 14, Schibuk discloses, a non-transitory machine-readable storage medium comprising instructions that upon execution cause a controller to: generate a digital signature based on information of a component in an electronic device (Schibuk, [0238], The user's electronic device, in one embodiment, also verifies a digital signature of the trusted source, using public keys obtained from the PKI during system initialization. In another embodiment, the device verifies a digital signature); 
detect a modification of the component based on the digital signature (Schibuk, [0093], An identity certificate is an electronic document issued by a trusted authority which incorporates a digital signature); 
detect a receipt of an invalid credential used in an attempt to authorize the modification of the component (Benson, Col. 10, lines 23-26,  In another embodiment, the server may mark the public key associated with the user's device as invalid, and subsequently fail to validate any authentication or signature event); 
and log, to a secure storage, an indication of the modification of the component and an indication of the receipt of the invalid credential (Benson, Col. 7 lines, 52-67, 1-3, In another embodiment, in order to protect the user from inappropriate uses of a digital signature, the value may also contain a string whose purpose is to invalidate a transaction signature, e.g., “this string is only signed at authentication and is not used in combination with a digital signature of one or more transactions.”).  

23.	 Regarding Claim 15, Schibuk and Benson disclose, the non-transitory machine-readable storage medium of claim 14, 
Schibuk does not explicitly disclose the following limitations that Benson teaches:
wherein the instructions upon execution cause the controller to log, to the secure storage, the indication of the modification of the component after the modification of the component has occurred, the invalid credential is presented, and the modification of the component is undone. (Benson, Col. 15, lines 9-15, The processor executes the instructions that are stored in the memory or memories in order to process data. The set of instructions may include various instructions that perform a particular task or tasks, such as those tasks described above. Such a set of instructions for performing a particular task may be characterized as a program, software program, or simply software. Col. 10, lines 23-28, In another embodiment, the server may mark the public key associated with the user's device as invalid, and subsequently fail to validate any authentication or signature event using this public key. In effect, once marked as invalid, the device can no longer authenticate or perform signatures until the device re-registers new cryptographic keys.). 
	It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to compare the digital signature to a stored signature for modification to the component.
24. 	Regarding Claim 16, Schibuk and Benson disclose, the non-transitory machine-readable storage medium of claim 14, wherein the instructions upon execution cause the controller to: receive a valid credential (Schibuk, [0012], Receiving the response may include receiving a verification of a credential); 
generate a key based on the valid credential (Schibuk, [0140], verified the consistency of the public key and the store private key in the credential.); 
 	and access, based on the key, a data structure comprising the indication of the modification of the component and the indication of the receipt of the invalid credential (Benson, Col. 7 lines, 52-67, 1-3, In another embodiment, in order to protect the user from inappropriate uses of a digital signature, the value may also contain a string whose purpose is to invalidate a transaction signature, e.g., “this string is only signed at authentication and is not used in combination with a digital signature of one or more transactions.”).


25. 	Claims 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Schibuk (US Patent Publication No. 2013/0061055 A1) in view of Benson (US Patent Publication No. US 10708059 B2). 

26. 	Regarding Claim 18, Schibuk disclose, a method of a controller, comprising: 
generating a digital signature based on information of a component in an electronic device (Schibuk, [0238], The user's electronic device, in one embodiment, also verifies a digital signature of the trusted source, using public keys obtained from the PKI during system initialization. In another embodiment, the device verifies a digital signature);   
 	detecting a tampering of the component based on a mismatch of the digital signature to a stored digital signature (Schibuk, [0024], a digital signature in the digitally signed document is able to be validated using a public signature key of the individual or of a third party. In other, related embodiments, the process includes storing a private encryption key or private signature key of the individual in the electronic device); 
and the indication of the receipts of the invalid credentials comprises a count of a number of occurrences the receipts of the invalid credentials (Schibuk, [0274], The servers which already track credential requests provide the certificate numbers, and forward those numbers to the appropriate caches. Again, this embodiment eliminates from the cache the credential data of all those who do not use the service, and keeps the number of validation responses to the originating CA small.).
Schibuk does not explicitly disclose the following limitations that Benson teaches:
detecting receipts of invalid credentials attempting to authorize the tampering of the component (Benson, Col. 2, lines, 33-38, a request for a registration code to register a mobile device; (2) transmitting, to the authorized device, the registration code; (3) receiving, from the mobile device, the registration code and a mobile device identifier, and (4) authorizing the mobile device. Col. 7 lines, 52-67, 1-3, In another embodiment, in order to protect the user from inappropriate uses of a digital signature, the value may also contain a string whose purpose is to invalidate a transaction signature, e.g., “this string is only signed at authentication and is not used in combination with a digital signature of one or more transactions.”); 
and logging, to a data structure in a secure storage, an indication of the tampering of the component and an indication of the receipts of invalid credentials, the indication of the tampering of the component comprising a count of a number of occurrences of tampering with the component (Benson, Col. 14, lines, 40-46 In one embodiment, the value provided in step 240 may include a digital receipt that notes that the first credential or collection of credentials was properly validated by the server, e.g., the voice biometric, etc. In the authentication use case, by validating the signature in step 280, the server may simultaneously note that the server both validated the first and second credential.), 
	It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include the tampering of component of the invalid credentials and the detection of the amount of tampering is done with the components to enhance security.

27. 	Regarding Claim 19, Schibuk and Benson disclose, the method of claim 18, comprising: logging, to the data structure in the secure storage, the indication of the tampering of the component after the tampering of the component has occurred, the invalid credentials are presented, and the tampering of the component is undone. (Benson, Col. 14, lines, 40-46 In one embodiment, the value provided in step 240 may include a digital receipt that notes that the first credential or collection of credentials was properly validated by the server, e.g., the voice biometric, etc. In the authentication use case, by validating the signature in step 280, the server may simultaneously note that the server both validated the first and second credential.).  
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to enable the access of the data with derived key from the receipts to enhance security.

28. 	Regarding Claim 20, Schibuk and Benson disclose, the method of claim 18, further comprising: 
Schibuk does not explicitly disclose the following limitations that Benson teaches:
initiating a protective action using the indication of the tampering of the component and the indication of the receipts of invalid credentials in the data structure (Benson, Col. 14, lines, 40-46 In one embodiment, the value provided in step 240 may include a digital receipt that notes that the first credential or collection of credentials was properly validated by the server, e.g., the voice biometric, etc. In the authentication use case, by validating the signature in step 280, the server may simultaneously note that the server both validated the first and second credential.).  
	It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include the protective action on the components by allowing the user to take action on the tampering of components and the invalid credentials of the data to enhance security on the device

Conclusion
29. 	Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAYASA SHAAWAT whose telephone number is (571)272-3939.  The examiner can normally be reached on M-F, 8 AM TO 5 PM. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, JEFFREY PWU can be reached on (571)272-6789. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MAYASA SHAAWAT/
Examiner, Art Unit 2433

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433