DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the communication filed on 12/04/2020, claims 1-10 are pending in this examination.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. This examination is in response to US Patent Application No. 17/111,620.
Claim Objections
Claim 1 is objected to because of a typographical error: "storing the data encryption key (DEK) within the storage of the processing device" should read "storing the encrypted data encryption key (DEK) within the storage of the processing device". Appropriate correction is required.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-10 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent No. 9,026,805 issued to Acar in view of US Patent No. 8,498,417 issued to Harwood.
Regarding claims 1 and 7, Acar discloses a method of sharing data among processing devices incorporating a trusted execution environment, the method comprising [see FIG. 5 and corresponding text for more detail], and [Abstract]; and
receiving a data encryption key (DEK) from a management software communicating with multiple processing devices [see claim 7: a computer to perform a process and operate as a distributed key management (DKM) client in a DKM system in which DKM clients use trusted platform modules (TPMs) respectively thereon to secure DKM keys distributed to the DKM clients (multiple processing devices) by a DKM server (management software)], and [see claim 2: wherein the DKM keys (DEKs) are encrypted by encryption facilities executing in the memory outside any of the TPMs]; and
encrypting the received data encryption key (DEK) using a sealing key accessible within the trusted execution environment and storing the data encryption key (DEK) within the storage of the processing device [see claim 1: wherein TPMs of the DKM clients are used to decrypt the DKM keys with TPM private keys, and wherein software cryptography components are used to encrypt the DKM keys with TPM public keys, and wherein the DKM keys when not in use are stored as encrypted by the TPM public keys, and wherein the DKM keys, when decrypted, are used by the cryptography software components of the DKM clients to encrypt and decrypt data, and wherein the decrypted DKM keys are accessible in clear form in memory of the DKM clients during encryption or decryption operations that use the decrypted DKM keys], and [Col. 4 lines 15-24]; and
decrypting, using the sealing key, the stored data encryption key (DEK) in response to a data sharing request [see claim 7: using, by the TPM of the DKM client, a TPM wrapping key of the DKM client to unseal the sealed DKM key (DEK)]; and
encrypting data to be protected and shared using the decrypted data encryption key (DEK) [Abstract: the TPMs of participating DKM nodes provide security for DKM keys, and a DKM key, once decrypted with a TPM, is available to be used from memory for ordinary cryptographic operations to encrypt and decrypt user data]; and
storing the encrypted data in a shared storage apparatus.
Acar discloses this limitation in part [Col. 1 lines 19-27: in response to the need to share secure information among users and to provide group-level data protection and access control, data protection facilities such as DPAPI need to be extended to allow groups of related machines or users to share protected data. Distributed Key Management (DKM) services have been used to allow sharing of keys and other grouping functionality. Specifically, a DKM service might provide cryptographic key management services for secure data sharing for distributed applications…], and [Col. 3 lines 58-59: …In short, the DKM storage 145 is a shared resource (a server or a group of synchronized servers)].
However, Acar does not explicitly disclose storing the encrypted data in a shared storage apparatus. Harwood discloses this limitation [Col. 4 lines 47-51: With reference to FIG. 1, there is shown a data processing system incorporating the present invention for storage of encrypted data. The data processing system includes a number of host processors 21, 22, linked by a storage area network (SAN) 23 to a number of storage systems 24, 25], and [Col. 6 lines 16-22: In a preferred implementation, encryption and decryption is performed in each I/O module 28, 29, 30, and 31. Alternatively, the encryption and decryption could be performed by each storage processor or by an encryption and decryption offload device controlled by the storage processor, so that ciphertext and not plaintext is streamed to an I/O module during a write to storage], and [see FIGs. 4-6 and corresponding text for more detail].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Acar with the teaching of Harwood in order to provide a storage system that stores data in encrypted form by implementing a key management server in a storage area network (SAN), which provides encryption keys for source and destination storage objects and also associates destination storage objects with source storage objects [Harwood, Abstract, Col. 1 lines 19-20].
Regarding claim 2, Acar discloses wherein the management software generates the data encryption key (DEK) and performs remote attestation on the processing device to which the generated data encryption key (DEK) is to be transmitted [Col. 5 lines 31-36: the DKM server 170 also stores a list of authorized TPM public keys 234. Each entry is a signed public EK: Sign_Ks(EK-pub). The list of authorized TPM public keys 234 is a list of signed TPM public keys (public EKs) that can acquire a DKM key. The signature key is one or more of the keys in the authorized server public key list 232], and [Col. 6 lines 7-21: regarding the list of authorized TPM public keys 234, this list contains endorsement public keys that identify corresponding TPMs. The list is signed by one or more of the keys on the authorized server public key list 232. The authorized list of TPM public keys 234 is used by DKM servers to determine if a requesting DKM node (e.g., a DKM client or DKM server) is authorized to receive a particular DKM key…].
Regarding claims 3 and 8, Acar discloses wherein receiving the data encryption key (DEK) comprises: calculating, by a processor of the processing device, a hash value of the software and processor information being executed in the processing device by the processor of the processing device, electronically signing the hash value using a key generated from a value inherent to the processor, transmitting the electronic signature to the management software, and attesting, by the management software, the electronic signature received from the processor of the processing device [see FIG. 1 and corresponding text for more detail, (14): The TPM 102 is capable of both generating and storing cryptographic keys. The TPM 102 may also have functions for sealing, binding, measurement, and other functions, all described in detail elsewhere. A cryptographic processor 108 may have components such as a key generator 110 to generate public-private key pairs, a hash generator 112, and other components such as an encryption-decryption and signature engine 114…], and [Col. 6 lines 7-21: regarding the list of authorized TPM public keys 234, this list contains endorsement public keys that identify corresponding TPMs. The list is signed by one or more of the keys on the authorized server public key list 232. The authorized list of TPM public keys 234 is used by DKM servers to determine if a requesting DKM node (e.g., a DKM client or DKM server) is authorized to receive a particular DKM key…].
Regarding claims 4 and 9, Acar discloses wherein receiving the data encryption key (DEK) comprises: establishing a secure communication channel between the processing device and the management software when the management software successfully completes attestation of the electronic signature, and transmitting the data encryption key (DEK) generated by the management software through the established secure communication channel [Col. 4 lines 25-35: Long-term DKM storage is maintained on the DKM server 170. A DKM server component 174 handles communication with DKM clients. The TLS (transport layer security) protocol may be used by the client DKM-TPM 144 and the DKM server component 174 as an authentication protocol. The TLS protocol is used to create a mutually authenticated secure session using private keys and certificates rooted in their respective TPMs. For network communication, HTTPS (hypertext transport protocol secure) can be used as a network communication protocol for data exchange between the client DKM-TPM 144 and the DKM server module 174].
Regarding claims 5 and 10, Acar discloses wherein storing the encrypted data in the shared storage apparatus comprises: generating a sealing key from a value inherent to the processor of the processing device, encrypting the received data encryption key (DEK) using the sealing key, and storing the encrypted data encryption key (DEK) in a storage within the processing device [see claim 1: wherein TPMs of the DKM clients are used to decrypt the DKM keys with TPM private keys, and wherein software cryptography components are used to encrypt the DKM keys with TPM public keys, and wherein the DKM keys when not in use are stored as encrypted by the TPM public keys, and wherein the DKM keys, when decrypted, are used by the cryptography software components of the DKM clients to encrypt and decrypt data, and wherein the decrypted DKM keys are accessible in clear form in memory of the DKM clients during encryption or decryption operations that use the decrypted DKM keys], and [Col. 4 lines 15-24: a DKM client may also have a client DKM storage 172 to store TPM-encrypted DKM keys. The client DKM storage 172, storing encrypted DKM keys, may reside locally either in a persisted storage or in memory as a client-side cache. The client DKM storage 172 may not be relied on for long-term DKM key storage, but rather may be used as a local cache to reduce network communications and computation. Known cache maintenance algorithms may be used to purge stale data], and [Col. 5 lines 25-28: the list of sealed DKM keys 230 is a list of signed and encrypted DKM keys, each encrypted with the corresponding TPM public key of the node it is stored on], and [Col. 6 lines 7-17: regarding the list of authorized TPM public keys 234, this list contains endorsement public keys that identify corresponding TPMs. The list is signed by one or more of the keys on the authorized server public key list 232. The authorized list of TPM public keys 234 is used by DKM servers to determine if a requesting DKM node (e.g., a DKM client or DKM server) is authorized to receive a particular DKM key. If the requestor's public key is in this list, the server responds back with the sealed blob of the requested DKM key with the requestor's TPM wrapping key, and signs the response with the server's private key], and [Abstract].
Regarding claim 6, Acar discloses wherein the other processing devices decrypt the encrypted data, stored in the shared storage apparatus, by using the data encryption keys (DEKs) stored in each of the processing devices [Abstract, the TPMs of participating DKM nodes provide security for DKM keys, and a DKM key (DEK), once decrypted with a TPM, is available to be used from memory for ordinary cryptographic operations to encrypt and decrypt user data].
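By way of illustration of the claimed sequence as mapped above for claims 1-6 (a signed measurement of the software and processor information is attested by the management software, which then releases the DEK; the device seals the DEK under a key derived from a processor-inherent value and keeps only the sealed form; the DEK is unsealed on a data sharing request, data is encrypted with it into a shared storage apparatus, and another attested device decrypts it with its own sealed copy), the following Go program is an added worked example. It is not code from the present application, from Acar or from Harwood. Its assumptions: the processor-inherent value is simulated with random bytes; the attestation key is an Ed25519 key derived from that value; sealing and data encryption use AES-256-GCM; the management software is an in-process object holding a list of enrolled attestation public keys; and the mutually authenticated TLS session of claims 4 and 9 is assumed rather than modelled. Device names, image strings and the sample plaintext are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

func randBytes(n int) []byte { // system CSPRNG; a failure here is fatal by design
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) }
	return b
}
// measure hashes the software image with processor information (demo: length-prefix the fields in production).
func measure(sw, cpu []byte) []byte { h := sha256.New(); h.Write(sw); h.Write(cpu); return h.Sum(nil) }
// AES-256-GCM with a random 12-byte nonce prepended to the ciphertext; every key in this example is 32 bytes.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key); if err != nil { panic(err) }
	g, err := cipher.NewGCM(block); if err != nil { panic(err) }
	return g
}
func sealBlob(key, pt []byte) []byte { n := randBytes(12); return gcm(key).Seal(n, n, pt, nil) }
func openBlob(key, blob []byte) ([]byte, error) {
	if len(blob) < 12 { return nil, errors.New("sealed blob too short") }
	return gcm(key).Open(nil, blob[:12], blob[12:], nil)
}

// Device is one processing device; fuse stands in for the processor-inherent value (assumed to be random bytes
// here; a hardware fuse or TPM seed in practice) and Storage is device-local storage holding only the sealed DEK.
type Device struct {
	ID            string
	fuse, sw, cpu []byte
	attestPriv    ed25519.PrivateKey
	Storage       map[string][]byte
}
type Quote struct{ DeviceID string; Measurement, Signature []byte }
func NewDevice(id string, sw, cpu []byte) *Device {
	fuse := randBytes(32)
	seed := sha256.Sum256(append([]byte("attest|"), fuse...)) // signing key derived from the inherent value
	return &Device{id, fuse, sw, cpu, ed25519.NewKeyFromSeed(seed[:]), map[string][]byte{}}
}
func (d *Device) AttestPub() ed25519.PublicKey { return d.attestPriv.Public().(ed25519.PublicKey) }
// Quote signs the current measurement for the management software to attest.
func (d *Device) Quote() Quote { m := measure(d.sw, d.cpu); return Quote{d.ID, m, ed25519.Sign(d.attestPriv, m)} }
// sealingKey is derived inside the TEE from the fuse value and the current measurement, so neither another
// device nor the same device running altered software can unseal the DEK.
func (d *Device) sealingKey() []byte {
	k := sha256.Sum256(append(append([]byte("seal|"), d.fuse...), measure(d.sw, d.cpu)...))
	return k[:]
}
// StoreDEK keeps only the sealed form of the received DEK; UnsealDEK recovers it for a data-sharing request.
func (d *Device) StoreDEK(dek []byte) { d.Storage["dek"] = sealBlob(d.sealingKey(), dek) }
func (d *Device) UnsealDEK() ([]byte, error) { return openBlob(d.sealingKey(), d.Storage["dek"]) }

// Manager is the management software: it generates the DEK and keeps the enrolled attestation public keys
// (cf. Acar's list of authorized TPM public keys) and the approved measurement.
type Manager struct {
	Authorized    map[string]ed25519.PublicKey
	Expected, dek []byte
}
// Attest releases the DEK only for a quote signed by an enrolled key over the approved measurement.
// The transport is assumed to be a mutually authenticated TLS session and is not modelled here.
func (m *Manager) Attest(q Quote) ([]byte, error) {
	pub, ok := m.Authorized[q.DeviceID]
	if !ok { return nil, errors.New("device not enrolled") }
	if !ed25519.Verify(pub, q.Measurement, q.Signature) { return nil, errors.New("attestation signature invalid") }
	if !bytes.Equal(q.Measurement, m.Expected) { return nil, errors.New("measurement not approved") }
	return m.dek, nil
}

var approvedImage, cpuInfo = []byte("approved-image-v1"), []byte("cpu-model-A") // constructed sample values
// RunScenario: devices A and B attest, receive the DEK and seal it; A writes an encrypted object to shared storage
// and B reads it back with its own sealed copy. Device C runs a modified image; the bool reports its refusal.
func RunScenario() (string, bool, error) {
	mgr := &Manager{map[string]ed25519.PublicKey{}, measure(approvedImage, cpuInfo), randBytes(32)}
	a, b := NewDevice("dev-a", approvedImage, cpuInfo), NewDevice("dev-b", approvedImage, cpuInfo)
	c := NewDevice("dev-c", []byte("modified-image"), cpuInfo)
	for _, d := range []*Device{a, b, c} { mgr.Authorized[d.ID] = d.AttestPub() }
	for _, d := range []*Device{a, b} {
		dek, err := mgr.Attest(d.Quote())
		if err != nil { return "", false, err }
		d.StoreDEK(dek)
	}
	_, errC := mgr.Attest(c.Quote()) // expected to fail: measurement not approved
	dekA, err := a.UnsealDEK()       // data-sharing request on A
	if err != nil { return "", false, err }
	shared := map[string][]byte{"report": sealBlob(dekA, []byte("shared secret report"))} // shared storage apparatus
	dekB, err := b.UnsealDEK() // B decrypts with its own sealed copy of the DEK
	if err != nil { return "", false, err }
	pt, err := openBlob(dekB, shared["report"])
	return string(pt), errC != nil, err
}

func main() { fmt.Println(RunScenario()) }
```

Running the program prints the plaintext recovered on device B, true for the refused attestation of the tampered device C, and a nil error. Because the sealing key is bound to the measurement as well as to the fuse value, the sealed DEK blob of one device cannot be opened on another device or on the same device after its software image changes, which is the property that makes keeping the sealed DEK in ordinary device storage acceptable.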

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Johnson (US 2012/0159184) [Technique for Supporting Multiple Secure Enclaves].
Lee (US 2016/0246736) [System and Method for Processor-Based Security].
JP 2007096817 [CONTENT DATA MANAGEMENT SYSTEM AND APPARATUS].
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHAHRIAR ZARRINEH whose telephone number is (571)272-1207. The examiner can normally be reached Monday-Friday, 8:30am-5:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge Ortiz-Criado can be reached on 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/SHAHRIAR ZARRINEH/Examiner, Art Unit 2496