Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Detailed Action
1.	This action is responsive to the communication filed on 31 October 2022, with acknowledgement of the original application filed on 5 March 2020.
2.	Claims 1-16 and 18-20 are currently pending.  Claims 1, 9, and 16 are independent claims.  Claims 1, 9, and 16 have been amended.  Claim 17 has been canceled.  
Response to Arguments

3.	Applicant's arguments filed 31 October 2022 have been fully considered but they are not persuasive, as noted below.  The § 101 rejection is withdrawn in view of the arguments submitted with the 31 October 2022 response.
I)	In response to Applicant’s argument beginning on page 10, “Rejection under § 103 … Amended claim 1 recites in part ‘…deleting the connection secrets stored on, and accessible by, the handshake processor instance…’ As now claimed, the connection secrets are explicitly accessible by the handshake processor instance … the Office Action asserts that Gero discloses the deletion of the connection secrets at the following location: Gero: Col. 5 para. 36-38 … The Applicant respectfully submits that neither the above portions of Gero nor the rest of the application teach or suggest the deletion of connection secrets accessible by the handshake instance that establishes a TLS connection and the connection secrets …” [The Applicant further argued that the additional references did not remedy the deficiencies of Schnellbaecher and Gero].
	The Examiner disagrees with this argument.  Below are the title, Abstract, and paragraphs 36-38 of Gero:
Terminating SSL Connections Without Locally-accessible Private Keys
Abstract
An Internet infrastructure delivery platform (e.g., operated by a service provider) provides an RSA proxy "service" as an enhancement to the SSL protocol that off-loads the decryption of the encrypted pre-master secret (ePMS) to an external server. Using this service, instead of decrypting the ePMS "locally," the SSL server proxies (forwards) the ePMS to an RSA proxy server component and receives, in response, the decrypted pre-master secret. In this manner, the decryption key does not need to be stored in association with the SSL server.
[0036] An embodiment of the RSA proxy server component executing at the data center facility is now described. As noted, its basic operation is to receive unencrypted packets containing the request specified above and to respond with the defined response packet. Preferably, the RSA proxy server maintains a least-recently-used (LRU) cache of ePMS values. Before performing a decryption, the module checks the cache to see if the requested ePMS has been seen. This check may be performed using a hash lookup scheme. If the hash of the encrypted pre-master secret already exists in the cache, a bad status is returned to the RSA proxy client component (and an error or alert is generated for the administrator). Preferably, the server component of the RSA proxy server rate limits requests to prevent a compromised machine from using a flush attack to remove a previously decrypted secret. Preferably, the server component of the RSA proxy server also maintains a table of the certificate and keypairs for which it can act as a proxy. Using this table (which also may be implemented as a hash table) enables the proxy server to efficiently look up server keypairs (e.g., by the hash of the certificate which is sent by the client component). Once the server component of the RSA proxy server has verified the ePMS is new, it adds it to the cache, looks up the server private key in its table, decrypts the ePMS, and sends the response.
[0037] The technique described herein has many advantages. The primary advantage is that SSL private keys are not stored on the SSL server. In a distributed solution such as described above, this means that the private keys are not stored in the branch office box that is terminating SSL, but instead at the data center box that is hosting the server component of the RSA proxy server. With replay protection implemented, an attacker cannot use a compromised SSL server to decrypt previous SSL transactions. On a normal SSL server, if the key is compromised, other technologies (such as certificate revocation lists or OCSP at the client browser) must be used to prevent use of the stolen SSL key. With RSA proxy, the service provider only needs to make a configuration change in the RSA proxy server. Using this distributed approach, the computationally-expensive part of the SSL transaction, the RSA decryption, can be done on a machine with custom hardware in the data center.
[0038] If a web proxy node (at a branch office) is discovered to be compromised, the administrator simply needs to remove authenticated credentials for the compromised node. For standard SSL, the revocation would need to be done on each end user system, which may be more difficult to administer. Additionally, key rotation only needs to occur on the RSA proxy machine, rather than all the web proxy machines, as would be required with standard SSL.

Note that the claim states “deleting the connection secrets stored on, and accessible by, the handshake processor instance”.  Gero suggests that the connection secrets, i.e. the decryption keys, are stored on an RSA proxy server and are deleted or removed from the RSA proxy server once a period of time has passed after a decryption key has been used, or if the key has been compromised.  Both of these outcomes, using the encrypted pre-master secret (ePMS) only once and removing the authenticated credentials for a compromised node, suggest “deleting connection secrets”.  The Examiner interprets the RSA proxy server as equivalent to the “handshake processor instance”.  Therefore, the Applicant’s argument is not persuasive. 
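The following is an added illustration of the two mechanisms discussed above; it is not code from the present application, from Gero, or from this Office action. A handshake processor instance decrypts the client's encrypted pre-master secret (ePMS), derives TLS-style connection secrets, transmits them to a separate connection processor instance and then overwrites its own copy (the claimed deletion step), while also enforcing the single-use check on the ePMS that Gero describes in paragraph [0036]. All class and function names, the fixed sample values and the cryptographic stand-ins (an XOR in place of the RSA decryption of the ePMS, HMAC-SHA256 expansion in place of the TLS PRF, and an HMAC-based encrypt-then-MAC in place of the record cipher) are assumptions made for this illustration and are not taken from either reference.

```python
import hashlib
import hmac

KEY_LEN = 32

def prf_expand(secret: bytes, label: bytes, length: int) -> bytes:
    """Counter-mode HMAC-SHA256 expansion; a simplified stand-in for the TLS PRF."""
    out, counter = b"", 1
    while len(out) < length:
        out += hmac.new(secret, label + bytes([counter]), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def derive_connection_secrets(pms: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Master secret and per-direction keys, returned as mutable bytearrays so they can be overwritten."""
    master = prf_expand(pms, b"master secret" + client_random + server_random, 48)
    block = prf_expand(master, b"key expansion" + server_random + client_random, 4 * KEY_LEN)
    names = ("client_write_key", "client_mac_key", "server_write_key", "server_mac_key")
    return {n: bytearray(block[i * KEY_LEN:(i + 1) * KEY_LEN]) for i, n in enumerate(names)}

def zeroize(secrets: dict) -> None:
    """Overwrite each buffer in place. Caveat: Python cannot guarantee that no other copy remains in memory."""
    for buf in secrets.values():
        buf[:] = bytes(len(buf))

class HandshakeProcessor:
    """Handshake side: decrypts the ePMS, derives the secrets and holds them only until hand-off."""
    def __init__(self, server_private_key: bytes, cache_size: int = 1024):
        self._private_key = server_private_key  # 48-byte toy key; stands in for the RSA private key
        self._seen_epms = {}  # Gero [0036]: cache of ePMS hashes, oldest entry evicted when full
        self._cache_size = cache_size
        self.secrets = None

    def handle_client_key_exchange(self, client_random: bytes, server_random: bytes, epms: bytes) -> bool:
        digest = hashlib.sha256(epms).hexdigest()
        if digest in self._seen_epms:
            return False  # ePMS already seen: "bad status", per Gero [0036]
        if len(self._seen_epms) >= self._cache_size:
            del self._seen_epms[next(iter(self._seen_epms))]
        self._seen_epms[digest] = True
        pms = bytes(a ^ b for a, b in zip(epms, self._private_key))  # XOR stands in for RSA decryption
        self.secrets = derive_connection_secrets(pms, client_random, server_random)
        return True

    def transfer_and_delete(self, conn: "ConnectionProcessor") -> None:
        """The claimed step: transmit the connection secrets, then delete the local copy."""
        conn.install(self.secrets)
        zeroize(self.secrets)
        self.secrets = None

class ConnectionProcessor:
    """Record-protocol side: protects and unprotects application data with the received secrets."""
    _keys = None

    def install(self, secrets: dict) -> None:
        self._keys = {k: bytes(v) for k, v in secrets.items()}  # independent copy

    @staticmethod
    def protect(write_key: bytes, mac_key: bytes, seq: int, plaintext: bytes) -> bytes:
        """Encrypt-then-MAC with an HMAC-derived keystream; stands in for an AEAD such as AES-GCM."""
        nonce = seq.to_bytes(8, "big")
        stream = prf_expand(write_key, b"record" + nonce, len(plaintext))
        ct = bytes(a ^ b for a, b in zip(plaintext, stream))
        return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

    @staticmethod
    def unprotect(write_key: bytes, mac_key: bytes, seq: int, record: bytes) -> bytes:
        nonce, ct, tag = seq.to_bytes(8, "big"), record[:-32], record[-32:]
        if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("bad record MAC")
        return bytes(a ^ b for a, b in zip(ct, prf_expand(write_key, b"record" + nonce, len(ct))))

    def read_client_record(self, seq: int, record: bytes) -> bytes:
        return self.unprotect(self._keys["client_write_key"], self._keys["client_mac_key"], seq, record)

def run_demo() -> dict:
    """Walk-through on constructed, fixed sample values (deterministic and offline)."""
    server_private_key = bytes(range(1, 49))
    client_random, server_random = b"C" * 32, b"S" * 32
    pms = bytes(range(100, 148))
    epms = bytes(a ^ b for a, b in zip(pms, server_private_key))  # the "RSA-encrypted" pre-master secret
    hs, conn = HandshakeProcessor(server_private_key), ConnectionProcessor()
    first = hs.handle_client_key_exchange(client_random, server_random, epms)
    replay = hs.handle_client_key_exchange(client_random, server_random, epms)
    old_buffers = hs.secrets
    hs.transfer_and_delete(conn)
    # The client derives the same secrets from the PMS and sends its first protected record.
    ck = derive_connection_secrets(pms, client_random, server_random)
    record = ConnectionProcessor.protect(bytes(ck["client_write_key"]), bytes(ck["client_mac_key"]), 0, b"GET / HTTP/1.1")
    return {
        "first_accepted": first,
        "replay_accepted": replay,
        "handshake_holds_secrets": hs.secrets is not None,
        "old_buffers_zeroized": all(b == bytes(len(b)) for b in old_buffers.values()),
        "client_data": conn.read_client_record(0, record),
    }

if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` accepts the first ePMS, rejects the identical ePMS on replay, leaves the handshake processor's old key buffers zeroed and lets the connection processor decrypt the client's first record with the copy it received. Two caveats for practitioners: `zeroize` overwrites the buffers the handshake processor controls, but Python gives no guarantee that other copies (for example the `bytes` objects passed to `hmac`) have left process memory, so a production implementation would keep the secrets in locked memory it manages itself; and the single-use ePMS cache stores only a hash of the ePMS, so it is a replay check on the handshake input and is a separate operation from the overwriting of the derived secrets performed in `transfer_and_delete`.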
Claim Objections
4.	Claim 21 is objected to because of the following informalities:  It appears that a formatting error occurred with the last claim submission, wherein claim 20 is blank and claim 21 appears as an original claim with the limitations of claim 20.  Appropriate correction is required.
Claim Rejections – 35 USC § 103
5.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


6.	Claims 1, 4, 9, and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Schnellbaecher U.S. Patent Application Publication No. 2008/0263215 (hereinafter ‘215) in view of Gero et al. U.S. Patent Application Publication No. 2013/0156189 (hereinafter ‘189).
	As to independent claim 1, “A computer-implemented method for performing transport layer security (TLS) protocol functions in separate processing instances, the computer-implemented method comprising: receiving, by a handshake processor instance, a TLS connection request from a client to a server, the handshake processor instance configured to perform TLS handshake protocol functions” is taught in ‘215 paragraphs 24 and 36, note the ‘handshake processor instance’ is interpreted to be the ‘transparent proxy’;
	“establishing, by the handshake processor instance, a TLS connection including connection secrets” is shown in ‘215 paragraphs 37, 40 and 52; note that a secure connection is established by the SSL handshake, which includes a certificate (i.e. connection secrets) as well as a client key exchange (i.e. secrets); 
	“transmitting, by the handshake processor instance, the connection secrets to a connection processor instance, the connection processor configured to perform TLS record protocol functions” is disclosed in ‘215 paragraph 53;
	“and processing, by the connection processor instance, application data used during communication with the client” is taught in ‘215 paragraph 53;
the following is not explicitly taught in ‘215:
	“deleting the connection secrets stored on, and accessible by, the handshake processor instance”; however, ‘189 teaches an RSA proxy server (i.e. handshake processor) that improves SSL encryption because, if a proxy machine is compromised, the credentials (i.e. connection secrets) can be removed; see paragraphs 36-38.
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention of a transparent secure socket layer including a transparent proxy taught in ‘215 to include a means to delete connection secrets.  One of ordinary skill in the art would have been motivated to perform such a modification in order to more easily protect secrets in SSL connections; see ‘189 (paragraphs 7 and 38). 
	As to dependent claim 4, “The computer-implemented method of claim 1, wherein deleting the connection secrets includes performing a deletion technique to a memory location where the connection secrets were stored on the handshake processor instance” is taught in ‘189 paragraphs 36-38.
	As to independent claim 9, this claim is directed to a computer program product executing the method of claim 1; therefore, it is rejected along similar rationale.
	As to dependent claim 11, this claim contains substantially similar subject matter as claim 4; therefore, it is rejected along similar rationale.
7.	Claims 2 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Schnellbaecher U.S. Patent Application Publication No. 2008/0263215 (hereinafter ‘215) in view of Gero et al. U.S. Patent Application Publication No. 2013/0156189 (hereinafter ‘189), and further in view of Shah et al. U.S. Patent Application Publication No. 2016/0277372 (hereinafter ‘372).
	As to dependent claim 2, “The computer-implemented method of claim 1, wherein establishing the TLS connection comprises: transmitting server information to the client; transmitting a server certificate to the client, wherein the server certificate includes a server identification and a public key to the client” is taught in ‘215 paragraph 34;
	“transmitting a server hello done message to the client” is shown in ‘215 paragraph 48; the following is not explicitly taught in ‘215 and ‘189: 
	“receiving a client certificate and a client key exchange from the client; receiving a pre-master secret from the client, wherein the pre-master secret is encrypted using the public key; decrypting the pre-master secret using a private key; computing the connection secrets; and receiving a first encrypted message from the client using the connection secrets” however ‘372 teaches the client providing a client certificate as well as pre-master secret exchange in paragraphs 46-49.
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention of a transparent secure socket layer including a transparent proxy taught in ‘215 and ‘189 to include a means to exchange client certificates and pre-master secrets.  One of ordinary skill in the art would have been motivated to perform such a modification to accelerate secure communications without exposing private cryptographic keys see ‘372 (paragraphs 1-5). 
	As to dependent claim 10, this claim contains substantially similar subject matter as claim 2; therefore, it is rejected along similar rationale.
8.	Claims 3, 5, 6, 8, 10, 12, 13, and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Schnellbaecher U.S. Patent Application Publication No. 2008/0263215 (hereinafter ‘215) in view of Gero et al. U.S. Patent Application Publication No. 2013/0156189 (hereinafter ‘189), and further in view of Kravitz et al. U.S. Patent Application Publication No. 2012/0284506 (hereinafter ‘506).
	As to dependent claim 3, “The computer-implemented method of claim 1, wherein processing the application data comprises: accessing the connection secrets received from the handshake processor instance; receiving encrypted client data from the client; decrypting the encrypted client data into client data using the connection secrets” is taught in ‘189 Abstract and paragraphs 6-9; the following is not explicitly taught in ‘215 and ‘189: 
	“encrypting the application data generated in response to the client; and transmitting the encrypted application data to the client” however ‘506 teaches encrypting and transmitting encrypted application data in paragraphs 138-139.
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention of a transparent secure socket layer including a transparent proxy taught in ‘215 and ‘189 to include a means for isolated instances as well as encrypting application data.  One of ordinary skill in the art would have been motivated to perform such a modification to prevent crimeware attacks see ‘506 paragraphs 9-11.
	As to dependent claim 5, “The computer-implemented method of claim 1, further comprising: severing a communication connection between the handshake processor instance and the connection processor instance upon transmitting the connection secrets” is taught in ‘506 Abstract.
	As to dependent claim 6, “The computer-implemented method of claim 1, wherein the handshake processor instance and the connection processor instance operate on separate containers within a distributed system” is shown in ‘506 paragraphs 29-30 and 36.
	As to dependent claim 8, “The computer-implemented method of claim 1, wherein transmitting comprises: establishing a secure connection between the handshake processor instance and the connection processor instance; encrypting the connection secrets using physical security controls; and transmitting the encrypted connection secrets to the connection processor instance” is disclosed in ‘506 paragraph 56.
	As to dependent claims 10, 12, 13, and 15, these claims contain substantially similar subject matter as claims 3, 5, 6, and 8; therefore, they are rejected along similar rationale. 	
9.	Claims 7 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Schnellbaecher U.S. Patent Application Publication No. 2008/0263215 (hereinafter ‘215) in view of Gero et al. U.S. Patent Application Publication No. 2013/0156189 (hereinafter ‘189), and further in view of Burgess et al. U.S. Patent Application Publication No. 2018/0241728 (hereinafter ‘728).
	As to dependent claim 7, the following is not explicitly taught in ‘215 and ‘189: “The computer-implemented method of claim 1, wherein the handshake processor instance and the connection processor instance operate on separate virtual machines within a computing environment”; however, ‘728 teaches establishing a secure connection, i.e. TLS, using a virtual environment in paragraphs 32, 53, and 74-83.
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention of a transparent secure socket layer including a transparent proxy taught in ‘215 and ‘189 to include a means to utilize virtual machines.  One of ordinary skill in the art would have been motivated to perform such a modification to enhance client computing capabilities see ‘728 paragraphs 77-79.
	As to dependent claim 14, this claim contains substantially similar subject matter as claim 7; therefore, it is rejected along similar rationale.
10.	Claims 16 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Schnellbaecher U.S. Patent Application Publication No. 2008/0263215 (hereinafter ‘215) in view of Kravitz et al. U.S. Patent Application Publication No. 2012/0284506 (hereinafter ‘506).
	As to independent claim 16, “A Transport Layer Security (TLS) separation system comprising: at least one processor; at least one memory component; a handshake processor instance configured to perform a TLS handshake between a server and a client”;
	“wherein the handshake processor instance is further configured to transmit connection secrets generated during the TLS handshake between the server and the client” is taught in ‘215 paragraphs 37, 40 and 52;
	
the following is not explicitly taught in ‘215:
	“and to delete the connection secrets in memory upon transmission”; however, ‘506 teaches “Optionally, after the communications are established between the devices, the server can withdraw from the communications” in the Abstract; note that this suggests removing the connection secrets;
	“and a connection processor instance configured to process communication between the server and the client during a TLS session, wherein the connection processor instance is isolated from the handshake processor instance”; however, ‘506 teaches a central system that mediates communications between user-controlled devices such that the secure communications are separate and distinct in paragraphs 29-30 and 36.
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention of a transparent secure socket layer including a transparent proxy taught in ‘215 to include a means for isolated instances and delete connection secrets.  One of ordinary skill in the art would have been motivated to perform such a modification to prevent crimeware attacks see ‘506 paragraphs 9-11.
	As to dependent claim 18, “The TLS separation system of claim 17, wherein the handshake processor instance is further configured to delete the connection secrets upon transmitting the connection secrets to the connection processor instance” is shown in ‘506 Abstract, note “Optionally, after the communications are established between the devices, the server can withdraw from the communications”, this suggests removing the connection secrets.
	As to dependent claim 19, “The TLS separation system of claim 16, wherein the handshake processor instance and the connection processor instance operate within separate containers” is disclosed in ‘506 paragraphs 29-30 and 36.
	As to dependent claim 20, “The TLS separation system of claim 16 further comprising: a physical security control configured to manage digital keys and provide encryption processing between the handshake processor instance and the connection processor instance” is taught in ‘506 paragraph 56.

11.	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
	Sharifi Mehr, U.S. Patent No. 10,055,591, which teaches in col. 3, line 57 through col. 4, line 3 that the key seed value is deleted when it is no longer needed.

Conclusion
THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
12.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to ELLEN C TRAN whose telephone number is (571) 272-3842.  The examiner can normally be reached Monday through Friday, 9 AM to 6 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
		If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeff Pwu can be reached at 571-272-6798.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ELLEN TRAN/Primary Examiner, Art Unit 2433		17 November 2022