DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 103 (or as subject to pre-AIA  35 U.S.C. 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


    PNG
    media_image1.png
    308
    93
    media_image1.png
    Greyscale
Claims 1-2, 4-7, 9-15, and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Bernat (US 10484174 B1), further in view of Upadhyay (US 20210240570 A1), further in view of Leighton (US 20200351310 A1), and in further view of Wilson (US 10255460 B2).
Claim 14: (Currently Amended) An electronic device, comprising: 
at least one processing unit; and 
at least one memory, the at least one memory being coupled to the at least one processing unit and storing instructions, which when executed by the at least one processing unit, cause the at least one processing unit to perform an action, the action comprising: 
acquiring a lock attribute record in a lock attribute record blockchain from a data protection network for backing up data, the data protection network including a plurality of data protection servers that reach a consensus on the lock attribute record blockchain, the lock attribute record comprising a first attribute value of an attribute of a lock operation, the lock operation being used for preventing a backup of the data stored in a storage server from being tampered with, the lock attribute record being a block in the lock attribute record blockchain; 
acquiring, based on the lock attribute record, a second attribute value of the attribute of the lock operation from the storage server; and 
generating, based on determining that the first attribute value does not match the second attribute value, an alarm indicating that the backup is tampered with, 
wherein acquiring the lock attribute record comprises: 
acquiring a plurality of candidate lock attribute records for the backup in the lock attribute record blockchain from the data protection network, and 
determining a candidate lock attribute record with the time indicated by the timestamp exceeding a time threshold among the plurality of candidate lock attribute records as the lock attribute record.


Referring to claims 1, 6, 14, and 19 and taking claim 14 as exemplary, Bernat teaches an electronic device, comprising: 
at least one processing unit; and at least one memory, the at least one memory being coupled to the at least one processing unit and storing instructions, which when executed by the at least one processing unit, cause the at least one processing unit to perform an action, the action comprising: ([Bernat Claim 8] An apparatus for protecting an encryption key for data stored in a storage system that includes a plurality of storage devices, the apparatus comprising: a computer processor; and a computer memory operatively coupled to the computer processor; wherein the computer memory having disposed within it computer program instructions that, when executed by the computer processor, cause the apparatus to carry out the steps of)
acquiring a lock attribute record in a lock attribute record blockchain ([Bernat Col 33 lines 31-45] discloses blockchain) from a data protection network ([Bernat 1:15-18, 2:11-18] network) for backing up data, ([Bernat 29:17-48] data protection and backup)
the lock attribute record being a block in the lock attribute record blockchain; ([Bernat 28:1-18] each block acts as an individual hard drive/storage device. [Bernat 37:39-38:20] encryption keys are stored in a storage system, which can be implemented as [Bernat 25:61-26:15] a cloud storage block-based device. As blocks [Bernat 33:31-45] in a blockchain contain a multitude of data types and attributes, this would include a lock attribute record.)
acquiring, based on the lock attribute record, a second attribute value of the attribute of the lock operation from the storage server; and ([Bernat 47:23-24] reading, from a main portion of a majority of one of the storage devices, a remote resource access key) (remote access key is taken as the second attribute value)
wherein acquiring the lock attribute record comprises: 
acquiring a plurality of candidate lock attribute records for the backup ([Bernat 29:17-48] backup) in the lock attribute record blockchain from the data protection network, and ([Bernat 40:52-41:10] the apartment key, and/or duplicate copies of the apartment key, may be stored on several devices, including to allow for device failure, i.e., for backup)
determining a candidate lock attribute record with the time indicated by the timestamp ([Bernat 16:21-37] timestamp) exceeding a time threshold among the plurality of candidate lock attribute records as the lock attribute record. ([Bernat 40:31-51] an apartment key is identified after a predetermined period of time expires and is updated)
that reach a consensus on the lock attribute record blockchain, ([Bernat Claim 8] the encryption key can only be reconstructed with correct apartment keys. i.e., servers provide the correct keys, thus reaching consensus) 
the lock attribute record comprising a first attribute value of an attribute of a lock operation, ([Bernat 22:57-23:52, 42:14-48] The network lock manager locks records using permissions and object identification and may be implemented with an audit log that records event information.
[Bernat 29:17-48] discloses data backup, but does not teach the lock operation being used for preventing a backup of the data.
However, Upadhyay teaches the lock operation being used for preventing a backup of the data stored in a storage server from being tampered with, ([Upadhyay 0069, 0073, 0082] Images are taken as data. The data backup is retention locked to prevent modification.)
Bernat modified and Upadhyay are analogous art because they are from the same field of endeavor in data storage within memory systems or architectures. Before the effective date of invention, it would have been obvious to a person of ordinary skill in the art, having the teaching of Bernat and Upadhyay to combine the data protection network of Bernat with the backup locking of Upadhyay. The reason for doing so would be to ensure the ([Upadhyay 0073] backup data file images that are retention locked may not be deleted or modified in any way.)
Bernat modified teaches blockchain data protection and storage server environment, but Bernat modified does not explicitly teach a plurality of data protection servers.
However, Leighton teaches the data protection network including a plurality of data protection servers ([Leighton 0028] data protection server and network)
Bernat modified and Leighton are analogous art because they are from the same field of endeavor in accessing, addressing or allocating within memory systems or architectures. Before the effective date of invention, it would have been obvious to a person of ordinary skill in the art, having the teaching of Bernat and Leighton to combine the data protection network of Bernat with the data protection server of Leighton. The reason for doing so would be to avoid ([Leighton Background] data leakage from a single system element or endpoint security breach.)
Bernat modified teaches data security, but does not explicitly teach generating an alarm in response to data tampering. 
However, Wilson teaches generating, based on determining that the first attribute value does not match the second attribute value, an alarm indicating that the backup is tampered with; ([Wilson, Col. 26 lines 39-51] In block 1011, the verification IVCs are generated, and are compared with the original IVCs in block 1013. It should be noted that the IVCs appearing on any page of a document would not include their own values in the calculation, unless a predictive-recursive hash algorithm could be found that produced a hash value of a document that already contained the calculated hash value within the document. In decision block 1015, if a match is detected and remaining sections require verification, method 1000 returns to block 1005 to increment N. Otherwise, a tamper report is generated in block 1017. In some embodiments, block 1017 comprises providing a warning to a user. In some embodiments, block 1017 comprises creating or annotating a log file.).
Bernat modified and Wilson are analogous art because they are from the same field of endeavor in accessing, addressing or allocating within memory systems or architectures. Before the effective date of invention, it would have been obvious to a person of ordinary skill in the art, having the teaching of Bernat modified and Wilson to combine the data protection scheme of Bernat modified with the alarm generation of Wilson. The reason for doing so would be to render files tamper evident and alert the system to ensure data integrity ([Wilson, Col. 2 lines 5-7] There has thus been a long-felt need for a system and method for rendering printed documents tamper evident, such that tampering and forgery may be easily detected.).
Claim 1 and claim 6 are method claims, and claim 19 is a device claim of the device of claim 14 and are rejected using the same rationale. 

Referring to claims 2, 7, 15, and 20 and taking claim 15 as exemplary, Bernat modified teaches the device according to claim 14, wherein the attribute comprises at least one of following items:
a data protection server identifier representing an identifier of a data protection server that initiates the backup among the plurality of data protection servers; 
a lock role representing a role that executes the lock operation; 
a backup identifier representing an identifier of the backup; 
a backup hash value representing a value obtained by hashing the backup; 
a storage identifier representing an identifier of the storage server; a lock mode representing a mode used by the lock operation; 
holding time representing a duration for which the lock operation is to last; 
a last lock attribute record representing an address of a lock attribute record of a last lock operation for the backup; 
a timestamp representing time at which the lock attribute record is created; and 
an illegality tag indicating whether the lock operation is illegal, the illegality comprising the holding time being shortened relative to the last lock operation ([Bernat 42:14-48, 22:57-23:52] When an access key is determined as invalid/illegal, the storage device is locked and the key is marked as invalid. An audit log records the timestamp of the locking event.)

Claim 2 and claim 7 are method claims, and claim 20 is a device claim of the device of claim 15 and are rejected using the same rationale. 

Claims 3, 8, and 16 (Cancelled)

Referring to claims 4 and 17 and taking claim 17 as exemplary, Bernat modified teaches the device according to claim 14, wherein the action further comprises: 
determining information associated with an attempted illegal lock operation from a candidate lock attribute record indicated by the illegality tag to be illegal among the plurality of candidate lock attribute records. ([Bernat, Col. 41 lines 56-67] The example method depicted in FIG. 6 also includes detecting (602) that the third-party resource access key is invalid. In the example method depicted in FIG. 6, detecting (602) that the third-party resource access key is invalid may be carried out, for example, by determining that the third-party resource access key has expired, by receiving a message indicating that the third-party resource access key has changed, by receiving a message from the third-party resource (460) indicating that the third-party resource access key provided by the storage system is invalid during an attempt to connect to the third-party resource (460), or in other ways.)
Claim 4 is a method claim of the device of claim 17 and is rejected using the same rationale.

Referring to claims 5 and 18 and taking claim 18 as exemplary, Bernat modified teaches the device according to claim 14, wherein acquiring the second attribute value comprises:
extracting the data protection server identifier and the backup identifier of the backup and the storage identifier of the storage server from the lock attribute record ([Bernat, Col. 38 lines 46-49] The example method depicted in FIG. 4 also includes reading (446), from the main portion (434) of one of the storage devices (428), a third-party resource access key (436).); and
acquiring the second attribute value of the attribute of the lock operation for the backup from the storage server based on the data protection server identifier, the backup identifier, and
the storage identifier ([Bernat, Col. 38 lines 49-69] The third-party resource access key (436) depicted in FIG. 4 can represent some form of credentials that are used to access a third-party resource (460) such as, for example, a remote server. A third-party resource access key may be embodied, for example, as a Key Management Interoperability Protocol (‘KMIP’) certificate that is used to access a KMIP server. In the example method depicted in FIG. 4, the third-party resource access key (436) may itself be encrypted. For example, the third-party resource access key (436) may be encrypted using the apartment key as an encryption key. In such an example, reading (446) the third-party resource access key (436) from the main portion (434) of one of the storage devices (428) may therefore require that the third-party resource access key (436) be decrypted prior to attempting to use the third-party resource access key (436) to access a third-party resource (460).).
Claim 5 is method claim of the device of claim 18 and is rejected using the same rationale.

Referring to claim 9, Bernat modified teaches the method according to claim 6, further comprising: 
determining, based on determining that the last lock attribute record exists, whether an illegality tag of the last lock attribute record indicates that the last lock operation is illegal; and ([Bernat, Col. 41 lines 56-67] The example method depicted in FIG. 6 also includes detecting (602) that the third-party resource access key is invalid. In the example method depicted in FIG. 6, detecting (602) that the third-party resource access key is invalid may be carried out, for example, by determining that the third-party resource access key has expired, by receiving a message indicating that the third-party resource access key has changed, by receiving a message from the third-party resource (460) indicating that the third-party resource access key provided by the storage system is invalid during an attempt to connect to the third-party resource (460), or in other ways.)
creating, based on determining that the last lock operation is illegal, the lock attribute record based on the first lock request and the last lock attribute record, so that an attribute related to the last lock attribute record of the lock attribute record indicates an address of the last lock attribute record. ([Bernat 42:14-48, 22:57-23:52] once an invalid key is detected, the third-party resource access key is updated/created based on receiving a new third-party resource access key. As it is stored on the storage device, it knows the address of the location, because it is directed to either mark the old key as invalid or delete it. Further, audit logs may be implemented that record destination and source addresses.)

Referring to claim 10, Bernat modified teaches the method according to claim 9, further comprising:
determining, based on determining that the last lock operation is non-illegal, whether retention time of the last lock attribute record is longer than the retention time included in the first lock request; and creating, based on determining that the retention time of the last lock attribute record is shorter than the retention time included in the first lock request, the lock attribute record based on the first lock request and the last lock attribute record, so that the attribute related to the last lock attribute record of the lock attribute record indicates the address of the last lock attribute record ([Bernat, Col. 40 lines 32-35] The example method depicted in FIG. 5 also includes updating (500), upon the expiration of a predetermined period of time, each portion of the apartment key (408, 420, 432) stored on each of the storage devices (404, 416, 428).).

Referring to claim 11, Bernat modified teaches the method according to claim 10, further comprising:
creating, based on determining that the retention time of the last lock attribute record is longer than the retention time included in the first lock request, the lock attribute record based on the first lock request and the last lock attribute record, so that the attribute related to the last lock attribute record of the lock attribute record indicates the address of the last lock attribute record, and an attribute of the lock attribute record related to the illegality tag indicates illegality record ([Bernat, Col. 40 lines 36-51] Updating (500) each portion of the apartment key (408, 420, 432) stored on each of the storage devices (404, 416, 428) upon the expiration of a predetermined period of time may be carried out, for example, by creating a new apartment key and distributing the new apartment key across a plurality of storage devices via a secret sharing algorithm. In such an example, by constantly rotating the apartment key, a malicious user cannot accumulate all portions of the apartment key over an extended period of time, as a portion of a first apartment key will not be compatible with a portion of a second apartment key. As such, the predetermined period of time that defines the interval at which the apartment key is update may be defined in a way that a system administrator or other administrative entity believes is sufficient to keep a malicious actor from acquiring enough portions of the apartment key to reconstruct the apartment key.).

Referring to claim 12, Bernat modified teaches the method according to claim 6, further comprising:
sending a second lock request for a second backup of a second piece of data stored in the storage server to a third data protection server among the plurality of data protection servers;
determining, based on determining that a response for the second lock request is received from the third data protection server, whether the second lock request is successful and non-illegal; and
causing, based on determining that the second lock request is successful and non-illegal, the storage server to execute a second lock operation on the second backup ([Bernat Col. 40 lines 32-41] The example method depicted in FIG. 5 also includes updating (500), upon the expiration of a predetermined period of time, each portion of the apartment key (408, 420, 432) stored on each of the storage devices (404, 416, 428). Updating (500) each portion of the apartment key (408, 420, 432) stored on each of the storage devices (404, 416, 428) upon the expiration of a predetermined period of time may be carried out, for example, by creating a new apartment key and distributing the new apartment key across a plurality of storage devices via a secret sharing algorithm.).

Referring to claim 13, Bernat modified teaches the method according to claim 6, further comprising:
adding the lock attribute record into the lock attribute record chain ([Bernat, Col. 40 lines 32-41] The example method depicted in FIG. 5 also includes updating (500), upon the expiration of a predetermined period of time, each portion of the apartment key (408, 420, 432) stored on each of the storage devices (404, 416, 428). Updating (500) each portion of the apartment key (408, 420, 432) stored on each of the storage devices (404, 416, 428) upon the expiration of a predetermined period of time may be carried out, for example, by creating a new apartment key and distributing the new apartment key across a plurality of storage devices via a secret sharing algorithm.).

Response to Arguments
Applicant's arguments filed 09/26/2022 have been fully considered but they are not persuasive. 
The Applicant argues:
“It is noted that the Bernat method of protecting an encryption key for data stored in a storage system does not incorporate blockchain technology even though Bernat discusses that blockchains are potentially suitable for the recording of events, medical records, and other records management activities.”
However, [Bernat 33:31-45] discloses “the storage systems described above may be configured to support the storage of (among of types of data) blockchains.” Therefore, there is an instance where the entirety of the Bernat reference is implemented as a blockchain. Thus, Bernat teaches data storage, protection, and encryption using blockchain.

“Bernat method reads different portions of an apartment key only from different storage devices, using those portions to reconstruct the apartment key, then unlocking main portions of storage devices utilizing the reconstructed apartment key. In contrast, in the claimed invention of claim 1, the lock attribute record (which comprises a first attribute value of an attribute of a lock operation) is acquired from a “data protection network including a plurality of data protection servers that reach a consensus on the lock attribute record blockchain,” and a second attribute value of the attribute of the lock operation is acquired, based on the lock attribute record, “from the storage server”.
However, [Bernat 29:17-48] discloses backup, and [Bernat 40:52-41:10] discloses the apartment key, and/or duplicate copies of the apartment key, may be stored on several devices, including to allow for device failure, i.e., for backup. [Bernat Claim 8] discloses that the encryption key can only be reconstructed with correct apartment keys. i.e., servers provide the correct keys, thus reaching consensus.

“Claim 1 therefore incorporates the features of claim 3, now cancelled. With respect to prior claim 3, the Office Action points to col. 33 lines 36-38 of Bernat as disclosing “determining a candidate lock attribute record with the time indicated by the timestamp exceeding a time threshold among the plurality of candidate lock attribute records as the lock attribute record”. 
However, [Bernat 42:14-48, 22:57-23:52] discloses when an access key is determined as invalid/illegal, the storage device is locked and the key is marked as invalid. An audit log records the timestamp of the locking event.

“As recognized by the Office Action, col. 33 lines 36-38 of Bernat merely discloses “Each block in a blockchain may contain a hash pointer as a link to a previous block, a timestamp, transaction data, and so on.” There is simply no disclosure in col. 33 of Bernat of any determination of a candidate lock attribute record with the time indicated by the Bernat timestamp (as pointed to by the Bernat hash pointer) that exceeds a time threshold as the lock attribute record.”
However, [Bernat 16:21-37] discloses a timestamp, and [Bernat 40:31-51] discloses identifying an apartment key after a predetermined period of time expires (threshold) and is updated.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALEXANDER VINNITSKY whose telephone number is (571)272-3280. The examiner can normally be reached 9:00-15:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Charles Rones can be reached on (571) 272-4085. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ALEXANDER VINNITSKY/Examiner, Art Unit 2136                                                                                                                                                                                                        
/CHARLES RONES/Supervisory Patent Examiner, Art Unit 2136