DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This office action is response to communication filed on September 08, 2022.
Status of claims within the present application:
Claims 1 – 2, 13 – 17, 20 – 22, 28, 31 – 32, and 34 – 40 are pending.
Claims 1, 2, 13, 15 – 17, 20 – 22, 28, and 32 are amended.
Claims 3 – 12, 18 – 19, 23 – 27, 29 – 30, and 33 are cancelled.
Claims 34 – 40 are new.

Response to Arguments
Applicant’s argument, see page [11 – 12] of Applicant’s remarks, filed on September 08, 2022 with respect to claim 1 that was rejected under 35 U.S.C. 103 as being unpatentable over US 20190190695 A1 to Kaul et al., (hereafter, “Kaul”) in view of US 20160239657 A1 to Loughlin-McHugh et al., (hereafter, “Loughlin”), in view of US 20170286698 A1 to Shetty et al., (hereafter, “Shetty”), and in view of US 9838205 B2 to Lundstrom, have been fully considered, but they are not persuasive. Therefore, Applicant is directed to response below:
With respect to claim 1, Applicant argued that there is no clear indication that “a unique identification code” is similar to applicant’s “serial number”. Examiner noted that, in Lundstrom, “The client device 2 includes a plurality of hardware components (not shown in the drawings), such as a central processing unit, a basic input/output system (BIOS) unit, a storage unit, a network interface unit, a motherboard, etc., each of which has a unique identification code” [Col. 3 lines 40 – 59] which is mapped direct to the hardware of device having a serial number. Applicant also argued that “ wherein the GUI indicates a serial number of the device” is not presented within the prior art. Examiner noted that Lundstrom disclose “the client device 2 first displays the transaction data on the display unit for viewing by the end user 5 so that the end user 5 is able to confirm the correctness of the transaction data displayed on the display unit of the client device 2.” [col. 7 lines 32 – 36] and The authentication server 4 stores the second private key portion 315, and reference hardware identification data 41 that is associated with the UID 311 of the end user 5 and that is used to verify the identity of the client device 2. [col. 3 lines 55 – 59]. This provides that the user device, having a display unit, display transaction data that allows comparison of hardware identification data with the user device and the authentication device. Therefore, the rejection still stands.
Applicant’s argument, see page [13] of Applicant’s remarks, filed on September 08, 2022 with respect to claim 14 that was rejected under 35 U.S.C. 103 as being unpatentable over US 20190190695 A1 to Kaul et al., (hereafter, “Kaul”) in view of US 20160239657 A1 to Loughlin-McHugh et al., (hereafter, “Loughlin”) and in view of US 20170286698 A1 to Shetty et al., (hereafter, “Shetty”) and US 9838205 B2 to Lundstrom, further in view of US 20200341744 A1 to Suryanarayana et al., (hereafter, “Surya”) and in view of US 8468580 B1 to Casey et al., (hereafter, “Casey”), have been fully considered and persuasive. Therefore, the rejection is withdrawn.
Applicant’s argument, see page [13 – 14] of Applicant’s remarks, filed on September 08, 2022 with respect to claim 21 that was rejected under 35 U.S.C. 103 as being unpatentable over US 20150067328 A1 to Yin in view of US 20200341744 A1 to Suryanarayana et al., (hereafter, “Surya”), have been fully considered and persuasive. Therefore, the rejection is withdrawn.
Applicant’s argument, see page [14 – 15] of Applicant’s remarks, filed on September 08, 2022 with respect to claims 22 – 23 that were rejected under 35 U.S.C. 103 as being unpatentable over US 20150067328 A1 to Yin in view of US 20200341744 A1 to Suryanarayana et al., (hereafter, “Surya”) in further view of US 20120163589 to Johnson et al., (hereafter, “Johnson”), have been fully considered and persuasive. Therefore, the rejection is withdrawn.
Applicant’s argument, see page [15] of Applicant’s remarks, filed on September 08, 2022 with respect to claims 31 that were rejected under 35 U.S.C. 103 as being unpatentable over US 20150067328 A1 to Yin in view of US 20060204949 A1 to Fok et al., (hereafter, “Fok”) in further view of US 20200082390 A1 to Mursalov and US 10985967 B1 to Erez et al., (hereinafter, “Erez”), have been fully considered and persuasive. Therefore, the rejection is withdrawn.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over US 20190190695 A1 to Kaul et al., (hereafter, “Kaul”) in view of US 20160239657 A1 to Loughlin-McHugh et al., (hereafter, “Loughlin”), in view of US 20170286698 A1 to Shetty et al., (hereafter, “Shetty”), and in view of US 9838205 B2 to Lundstrom.
Regarding claim 1, Kaul teaches a method, comprising: a command to at least one computer for: using the key to encrypt storage of the device; [Kaul, para. 36 discloses encrypts the sensitive database or information using the techniques described herein. The data owner 302 then sends the encrypted database to the cloud service provider 304 for maintenance and storage. The data owner 302 additionally sends the encryption keys to the security agent 303 so that the security agent 303 can encrypt queries provided by clients 301A-301X before sending to the cloud storage provider 304. Additionally, the security agent 303 decrypts information received from the cloud service provider 304 before returning a plaintext result to the requesting client 301A-301X. Alternatively, rather than the data owner 302 encrypting the data and then sending the encryption keys to the security agent 303, the data owner may send the unencrypted data to the security agent 303 for encryption by the security agent 303 before being sent to the cloud storage provider 304], but Kaul does not teach presenting graphical user interface (GUI) on a display, the GUI comprising a selector that is selectable to issue a command to at least one computer for: generating a key: storing the key at a hypertext transfer protocol secure (HTTPS)-based storage area; generating a key based on one or more of: at least one hardware component identifier for hardware of a device, and at least one piece of firmware code of the device; wherein the GUI indicates a serial number of the device, and wherein the serial number of the device establishes a first hardware component identifier of the at least one hardware component identifier.
However, Shetty does teach storing the key at a hypertext transfer protocol secure (HTTPS)-based storage area; [Shetty, para. 130 discloses storing the key at a hypertext transfer protocol secure (HTTPS)-based storage area. Para. 140 discloses upload service 320 receives a response from HSM 702 including the encrypted object key, via HSM proxy 704 (and optionally load balancer 806 in the case of deployment 800). Then, in a fourth step 1108, upload service 320 stores the encrypted object key in encrypted object key field 538 of the associated object key record 530. In a fifth step 1110, upload service 320 discards (permanently deletes) the plaintext object key, including from plaintext object field if the object key was temporarily stored there. Thus, according to method 1100, only an encrypted object key is stored in object database 324. This enables the customer to tightly control access to the encrypted object stored on cloud object store 102, because it controls the HSM key needed for decryption in its HSM 702]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Shetty’s system with Kaul’s system, with a motivation to eliminate the need for complex network setup and security controls between object store nodes 230(1-m) and HSM 702, because protecting and securing an HTTPS service between object store nodes 230(1-m) and HSM proxy 704 on the customer's premises, is significantly easier than opening up firewall ports and defining firewall rules at the customer. [Shetty, para. 130]
	However, Kaul in view of Shetty does not teach generating a key based on one or more of: at least one hardware component identifier for hardware of a device, and at least one piece of firmware code of the device, but Loughlin does teach generating a key based on one or more of: at least one hardware component identifier for hardware of a device, and at least one piece of firmware code of the device; [Loughlin, para. 92 discloses when the credential is generated using certain “ingredients” (such as a random sequence, random number and device metadata, such as a device identifier), it is generally more efficient to store the ingredients instead as these generally have a lower bit-size than the credential itself. The ingredients can be used to generate a copy of the credential for such comparison. For example, the credential can be generated by hashing a random seed and device metadata (e.g. which is or comprises a device identifier) a random number of times—the uPass system can store the metadata, seed and random number to create another copy later. Para. 248 – 256 discloses this process is carried out by the identity management code executed by processor 114 (or by any suitable computer mechanism) at registration of a new profile, and at each occasion the profile is used. Determine the device identification number of a new device when it is registered; Calculate the SHA-2 HMAC of this device identification number; Store this device identification number securely; For each credential generated: create a random salt value (preferably at least 8 bytes in length), combine this with the stored device identification number to create a unique credential number; perform SHA-2 hashing iteratively with the stored credential number as the seed value; the number of iterations is chosen randomly within specified bounds;]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Loughlin’s system with Kaul’s system, with a motivation to compare against a presented credential, and the profile to which the credential is bound unlocked only if the stored credential matched the presented credential [Loughlin, para. 92]
However, Kaul in view of Loughlin and Shetty does not teach presenting graphical user interface (GUI) on a display, the GUI comprising a selector that is selectable to issue a command to at least one computer for: generating a key, wherein the GUI indicates a serial number of the device, and wherein the serial number of the device establishes a first hardware component identifier of the at least one hardware component identifier, but Lundstrom does teach presenting graphical user interface (GUI) on a display, the GUI comprising a selector that is selectable to issue a command to at least one computer for: generating a key [Lundstrom, col. 5 lines 19 – 28 discloses upon receipt of the first private key portion and the certificate reference 32 from the authentication server 4, through the executed authentication application 22, the client device 2 generates the PIN code through an input operation of the user input interface by the end user 5, and encrypts the first private key portion with the PIN code generated thereby to generate the reference first private key portion 23. Finally, the client device 2 stores the reference first private key portion 23 and the certificate reference 32 in the storage unit.] wherein the GUI indicates a serial number of the device, [Lundstrom, col. 7 lines 32 – 36 disclose the client device 2 first displays the transaction data on the display unit for viewing by the end user 5 so that the end user 5 is able to confirm the correctness of the transaction data displayed on the display unit of the client device 2.] and wherein the serial number of the device establishes a first hardware component identifier of the at least one hardware component identifier [Lundstrom, col. 3 lines 40 – 59 disclose he client device 2 is used by the end user 5, and may be an electronic device capable of Internet browsing or data communication, such as a personal computer, a notebook computer, a smart phone, a tablet computer, etc. The client device 2 includes a plurality of hardware components (not shown in the drawings), such as a central processing unit, a basic input/output system (BIOS) unit, a storage unit, a network interface unit, a motherboard, etc., each of which has a unique identification code (not shown in the drawings). The storage unit of the client device 2 stores a service application 21 associated with the network server 1, an authentication application 22 associated with network authentication, the certificate reference 32, and a reference first private key portion 23 obtained by encrypting the first private key portion with a personal identification number (PIN) code that is determined by the end user 5. The authentication server 4 stores the second private key portion 315, and reference hardware identification data 41 that is associated with the UID 311 of the end user 5 and that is used to verify the identity of the client device 2.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Lundstrom’s system with Kaul’s system, with a motivation to implements a registration procedure of the network authentication method according to the embodiment of the disclosure and illustrates how the public key 312 is stored to the verification server 3, how the certification reference 32 and the reference first private key portion 23 are stored in the client device 2 and how the reference hardware identification data 41 and the second private key portion 315 are stored in the authentication server 4. [Lundstrom, col. 3 line 60 – 67 to col. 4 lines 1 – 2]

Regarding claim 13, modified Kaul teaches the method of Claim 1, but modified Kaul does not teach comprising: subsequent to at least partially facilitating booting of the device using HTTPS communication, authenticating a person associated with a third party; and responsive to authenticating the person and while the device is booted using HTTPS communication, transmitting the key to the device using HTTPS communication.
However, Shetty does teach comprising: subsequent to at least partially facilitating booting of the device using HTTPS communication, authenticating a person associated with a third party; and responsive to authenticating the person and responsive to authenticating the person and while the device is booted using HTTPS communication, transmitting the key to the device using HTTPS communication [Shetty, para. 127 discloses to provide secure access and communications between an HSM proxy 704 and a specific HSM 702, each HSM proxy 704 is configured with a security provider customized to the specific HSM 702. The security provider can also be configured with credentials (e.g., a public and private key pair, etc.) provided by the customer that allow the HSM proxy 704 to authenticate with the customer's HSM 702. For the above reasons, the same security provider cannot be used to communicate across different HSMs 702. para. 130 discloses HSM proxy 704 exposes a REST interface to key management with object store nodes 230(1-m) over HTTPS and is also protected by Client and Server CA Signed HTTPS certificate-based authentication with cloud object store nodes 230(1-m). T], [Shetty, para. 173 discloses working memory 1412 (e.g. random access memory) provides dynamic memory for computer system 1400 and includes executable code (e.g. an operating system 1416, etc.), which is loaded into working memory 1412 during system start-up. Operating system 1416 facilitates control and execution of the other modules loaded into working memory 1412. Working memory 1412 also includes an HTTP server application 1418 (e.g., Apache Tomcat™) operative to establish and manage the connections with HSM proxy 704 described herein. Working memory 1412 further includes a security provider 1420 (e.g., a Java process) that provides the framework for server application 1418 to establish credentialed access to HSM 702. Working memory 1412 further includes a proxy application 1422 that receives requests for key processing from object store nodes 230, optionally translates those requests into a format usable by HSM 702 consistent with security provider 1420, and forwards the requests to HSM 702. Additionally, proxy application 1422 receives responses to the requests for key processing from HSM 702, optionally translates the responses for cloud object store 102, and forwards the responses to object store nodes 230. Cache 1424 provides temporary storage for encryption-key-related and other cryptographic communications being routed by proxy application 1420.]
	Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Shetty’s system with modified Kaul’s system, with a motivation to eliminate the need for complex network setup and security controls between object store nodes 230(1-m) and HSM 702, because protecting and securing an HTTPS service between object store nodes 230(1-m) and HSM proxy 704 on the customer's premises, is significantly easier than opening up firewall ports and defining firewall rules at the customer [Shetty, para. 130] 

Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over US 20190190695 A1 to Kaul et al., (hereafter, “Kaul”) in view of US 20160239657 A1 to Loughlin-McHugh et al., (hereafter, “Loughlin”) and in view of US 20170286698 A1 to Shetty et al., (hereafter, “Shetty”) and US 9838205 B2 to Lundstrom, further in view of US 20120163589 to Johnson et al., (hereafter, “Johnson”).
Regarding claim 2, modified Kaul teaches the method of Claim 1, but Kaul does not teach comprising: generating the key based on the at least one piece of firmware code of the device, the firmware code being code for one or more: a keyboard of the device, a display of the device, a mouse of the device, a trackpad of the device, a printer of the device, a scanner of the device, a camera of the device, a universal serial bus (USB) port of the device, a battery of the device, a battery charger of the device, a speaker of the device, a microphone of the device, a global positioning system (GPS) transceiver of the device, an accelerometer of the device, a gyroscope of the device, a motherboard of the device, a network interface of the device. 
However, Johnson does teach comprising: generating the key based on the at least one piece of firmware code of the device, [Johnson, para. 78 discloses the secure enclave root key 218 (sometimes referred to as the "seal key" in the co-pending applications) is generated using data from Flags 202, the platform unique key 203, the owner epoch value 204, and attestation primitives 291. In one embodiment, the EGETKEY command combines these values together using an Advanced Encryption Standard (AES)-CMAC function (which is an National Institute of Standards and Technology (NIST) approved algorithm for deriving multiple keys from a single unique value). Para. 79 discloses the Flags 202 shown in FIG. 2 are flags associated with the secure enclave 250 indicating a particular mode of operation such as debug mode and/or an indication that the secure enclave 250 has been initialized.] the firmware code being code for one or more: a keyboard of the device, a display of the device, a mouse of the device, a trackpad of the device, a printer of the device, a scanner of the device, a camera of the device, a universal serial bus (USB) port of the device, a battery of the device, a battery charger of the device, a speaker of the device, a microphone of the device, a global positioning system (GPS) transceiver of the device, an accelerometer of the device, a gyroscope of the device, a motherboard of the device, a network interface of the device. [Johnson, para. 81 discloses the owner epoch value 204 is set in the computer system's basic input output system (BIOS). The user may change the owner epoch value, for example, when transferring the computer to another user. Changing the owner epoch effectively wipes away all of the original user's secrets (i.e., because it results in a new root key 218). Para. 79 discloses The Flags 202 shown in FIG. 2 are flags associated with the secure enclave 250 indicating a particular mode of operation such as debug mode and/or an indication that the secure enclave 250 has been initialized.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Johnson’s system with modified Kaul’s system, with a motivation to preserve data between instantiations of the secure enclave (e.g., platform resets) the root key and encrypt and store data in external storage 210 (hard drive) and decrypt the data on a subsequent instantiation. [Johnson, para. 85]

Allowable Subject Matter
Claims 15 – 17, 20 – 22, 28, 31 – 32, and 39 – 40 are allowed.
Claims 14 and 34 – 38 objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Phuc Pham whose telephone number is (571)272-8893.  The examiner can normally be reached on Monday - Thursday 7:30 AM - 4:30 PM; Friday 8:00 AM - 12:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/P.P./Patent Examiner, Art Unit 2434   

/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434