Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claims 1-20 have been examined.

Drawings
2.	The drawings filed on 11/22/2022 are acceptable for examination proceedings.

Specification
3.	The specification filed on 11/22/2022 is acceptable for examination proceedings.

Information Disclosure Statement
4.	The information disclosure statements (IDS) submitted on 02/02/2022, 06/09/2022, and 08/30/2022 have been received. Accordingly, the information disclosure statements are being considered by the examiner.

Internet Communications
5.	Applicant is encouraged to submit a written authorization for Internet communications (PTO/SB/439,
http://www.uspto.gov/sites/default/files/documents/sb0439.pdf) in the instant patent application to authorize the examiner to communicate with the applicant via email. The authorization will allow the examiner to better practice compact prosecution. The written authorization can be submitted via one of the following methods only: (1) Central Fax, the number for which can be found in the Conclusion section of this Office action; (2) regular postal mail; (3) EFS-Web; or (4) the service window on the Alexandria campus. EFS-Web is the recommended way to submit the form, since this allows the form to be entered into the file wrapper within the same day (system dependent). Written authorization submitted via other methods, such as direct fax to the examiner or email, will not be accepted. See MPEP § 502.03.

Double Patenting
6.	A rejection based on double patenting of the "same invention" type finds its support in the language of 35 U.S.C. 101 which states that "whoever invents or discovers any new and useful process ... may obtain a patent therefor ..."  (Emphasis added).  Thus, the term "same invention," in this context, means an invention drawn to identical subject matter.  See Miller v. Eagle Mfg. Co., 151 U.S. 186 (1894); In re Ockert, 245 F.2d 467, 114 USPQ 330 (CCPA 1957); and In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970).

A statutory type (35 U.S.C. 101) double patenting rejection can be overcome by canceling or amending the conflicting claims so they are no longer coextensive in scope.  The filing of a terminal disclaimer cannot overcome a double patenting rejection based upon 35 U.S.C. 101.


7.	Claims 1-20 are provisionally rejected under 35 U.S.C. 101 as claiming the same invention as that of claims 1-13 of US Patent No. 11,218,317.  This is a provisional double patenting rejection since the conflicting claims have not in fact been patented. 

8.	Below is a table of comparison between the independent and dependent claims of the instant application and those of US Patent No. 11,218,317.

9.	Claims 1-20 are rejected under the judicially created doctrine of obviousness-type double patenting as being unpatentable over claims 1-13 of U.S. Patent No. 11,218,317 B2 (hereinafter referred to as the '317 Patent). Although the conflicting claims are not identical, they are not patentably distinct from each other.
The following refers to the independent claims.


•	As per independent claims 1, 10 and 19:
Independent claims 1, 10 and 19 of the instant application and independent claims 1, 7 and 13 of the '317 Patent recite similar limitations. Instant claims 1, 10 and 19 would have been obvious over claims 1, 7 and 13 of the '317 Patent, respectively, because each and every element of instant claims 1, 10 and 19 is anticipated by the corresponding independent claim of the '317 Patent. The '317 Patent claims are narrower: they additionally require that the secure enclave reside on the computing device hosting the proxy server (or on a device in the same network) and that the proxy server receive the request and enclave data over an end-to-end secure connection established between the enclave and the cryptographic device, limitations that the instant application recites only in dependent claims 2, 3, 11, 12 and 20.
The following refers to the dependent claims.

•	Referring to dependent claims 2-9, 11-18 and 20:
Claims 2-9, 11-18 and 20 of the instant application are also anticipated by claims 2-6 and 8-12 of the '317 Patent, since the corresponding claims recite the same or similar limitations directed to the same subject matter.
Claim comparison. Each row below gives a claim of US Patent 11,218,317 (the '317 Patent), followed by the corresponding claim(s) of instant application No. 17/532,883.

'317 Patent, claim 1. A computer-implemented method for enforcing authentication/authorization checking in a secure enclave, the method comprising: receiving, by a proxy server, a cryptographic request for a cryptographic operation that is initiated by a client device, wherein the cryptographic request includes a key name of a cryptographic key and an authentication code; in response to receiving the request, sending, by the proxy server, the authentication code and the request to a secure enclave that is associated with a cryptographic device that stores a plurality of cryptographic keys that includes the cryptographic key; wherein the secure enclave is on a computing device that hosts the proxy server or on a first computing device that is in the same computer network as a second computing device that hosts the proxy server; wherein the secure enclave validates the authentication code based on a local key that is stored in the secure enclave; wherein the secure enclave sends, to the cryptographic device that performs the cryptographic operation, (1) data associated with the secure enclave and (2) the cryptographic request; after the secure enclave validates the code, receiving, by the proxy server, from the secure enclave, the cryptographic request and the data associated with the secure enclave; wherein receiving the cryptographic request and the data associated with the secure enclave is through an end-to-end secure connection that is established between the secure enclave and the cryptographic device; receiving, by the proxy server, from the cryptographic device, result data that was generated by the cryptographic device as a result of performing the cryptographic operation; sending, by the proxy server, to the client device, the result data; wherein the method is performed by one or more computing devices.

Instant application, claim 1. A computer-implemented method for enforcing authentication/authorization checking in a secure enclave, the method comprising: receiving, by a proxy server, a request for a cryptographic operation that is initiated by a client device, wherein the request includes a key name of a cryptographic key and a code; in response to receiving the request, sending, by the proxy server, the code and the request to a secure enclave that is associated with a cryptographic device that stores a plurality of cryptographic keys that includes the cryptographic key; wherein the secure enclave validates the code based on a local key that is stored in the secure enclave; wherein the secure enclave sends, to the cryptographic device that performs the cryptographic operation, (1) data associated with the secure enclave and (2) the cryptographic request; receiving, by the proxy server, from the cryptographic device, result data that was generated by the cryptographic device as a result of performing the cryptographic operation; sending, by the proxy server, to the client device, the result data; wherein the method is performed by one or more computing devices.

Instant application, claim 2. The method of Claim 1, wherein the secure enclave is on a computing device that hosts the proxy server or on a first computing device that is in the same computer network as a second computing device that hosts the proxy server.

Instant application, claim 3. The method of Claim 2, further comprising: after the secure enclave validates the code, receiving, by the proxy server, from the secure enclave, the cryptographic request and the data associated with the secure enclave; wherein receiving the cryptographic request and the data associated with the secure enclave is through an end-to-end secure connection that is established between the secure enclave and the cryptographic device.

'317 Patent, claim 3. The method of claim 1, wherein the authentication code is generated by a computing device that is operated by a third-party and that is separate from the client device and the proxy server.

Instant application, claim 4. The method of Claim 1, wherein the secure enclave and the cryptographic device reside in the same computer network that is separate from a computer network in which the proxy server resides.

'317 Patent, claim 2. The method of claim 1, wherein the client device generated the authentication code and the request is from the client device.

Instant application, claim 5. The method of Claim 1, wherein the client device generated the code and the request is from the client device.

'317 Patent, claim 3. The method of claim 1, wherein the authentication code is generated by a computing device that is operated by a third-party and that is separate from the client device and the proxy server.

Instant application, claim 6. The method of Claim 1, wherein the code is generated by a computing device that is operated by a third-party and that is separate from the client device and the proxy server.

'317 Patent, claim 4. The method of claim 1, wherein: the authentication code is a first authentication code; sending the authentication code to the secure enclave comprises sending, to the secure enclave, a plurality of authentication codes that includes the first authentication code and a second authentication code; the secure enclave validates the authentication code based on a second local key that is stored in the secure enclave; the secure enclave sends the request to the cryptographic device if the secure enclave validates each authentication code in the plurality of authentication codes.

Instant application, claim 7. The method of Claim 1, wherein: the code is a first code; sending the code to the secure enclave comprises sending, to the secure enclave, a plurality of codes that includes the first code and a second code; the secure enclave validates the code based on a second local key that is stored in the secure enclave; the secure enclave sends the request to the cryptographic device if the secure enclave validates each code in the plurality of codes.

'317 Patent, claim 5. The method of claim 4, wherein: one of the client device, the proxy server, or a third-party entity generated the first authentication code; and another one of the client device, the proxy server, or the third-party entity generated the second authentication code.

Instant application, claim 8. The method of Claim 7, wherein: one of the client device, the proxy server, or a third-party entity generated the first code; and another one of the client device, the proxy server, or the third-party entity generated the second code.

'317 Patent, claim 6. The method of claim 1, wherein: the request also includes secret key information; sending the authentication code and the request to the secure enclave also includes sending the secret key information to the secure enclave; the secure enclave also sends the secret key information to the cryptographic device.

Instant application, claim 9. The method of Claim 1, wherein: the request also includes secret key information; sending the code and the request to the secure enclave also includes sending the secret key information to the secure enclave; the secure enclave also sends the secret key information to the cryptographic device.

'317 Patent, claim 7. One or more storage media storing instructions for enforcing authentication/authorization checking in a secure enclave, wherein the instructions, when executed by one or more processors, cause: receiving, by a proxy server, a cryptographic request for a cryptographic operation that is initiated by a client device, wherein the request includes a key name of a cryptographic key and an authentication code; in response to receiving the cryptographic request, sending, by the proxy server, the authentication code and the request to a secure enclave that is associated with a cryptographic device that stores a plurality of cryptographic keys that includes the cryptographic key; wherein the secure enclave is on a computing device that hosts the proxy server or on a first computing device that is in the same computer network as a second computing device that hosts the proxy server; wherein the secure enclave validates the authentication code based on a local key that is stored in the secure enclave; wherein the secure enclave sends, to the cryptographic device that performs the cryptographic operation, (1) data associated with the secure enclave and (2) the cryptographic request; after the secure enclave validates the code, receiving, by the proxy server, from the secure enclave, the cryptographic request and the data associated with the secure enclave; wherein receiving the cryptographic request and the data associated with the secure enclave is through an end-to-end secure connection that is established between the secure enclave and the cryptographic device; receiving, by the proxy server, from the cryptographic device, result data that was generated by the cryptographic device as a result of performing the cryptographic operation; sending, by the proxy server, to the client device, the result data.

Instant application, claim 10. One or more storage media storing instructions for enforcing authentication/authorization checking in a secure enclave, wherein the instructions, when executed by one or more processors, cause: receiving, by a proxy server, a request for a cryptographic operation that is initiated by a client device, wherein the request includes a key name of a cryptographic key and an code; in response to receiving the request, sending, by the proxy server, the code and the request to a secure enclave that is associated with a cryptographic device that stores a plurality of cryptographic keys that includes the cryptographic key; wherein the secure enclave validates the code based on a local key that is stored in the secure enclave; wherein the secure enclave sends, to the cryptographic device that performs the cryptographic operation, (1) data associated with the secure enclave and (2) the cryptographic request; receiving, by the proxy server, from the cryptographic device, result data that was generated by the cryptographic device as a result of performing the cryptographic operation; sending, by the proxy server, to the client device, the result data.

Instant application, claim 11. The one or more storage media of Claim 10, wherein the secure enclave is on a computing device that hosts the proxy server or on a first computing device that is in the same computer network as a second computing device that hosts the proxy server.

Instant application, claim 12. The one or more storage media of Claim 11, wherein the instructions, when executed by the one or more processors, further cause: after the secure enclave validates the code, receiving, by the proxy server, from the secure enclave, the cryptographic request and the data associated with the secure enclave; wherein receiving the cryptographic request and the data associated with the secure enclave is through an end-to-end secure connection that is established between the secure enclave and the cryptographic device.

'317 Patent, claim 9. The one or more storage media of claim 7, wherein the authentication code is generated by a computing device that is operated by a third-party and that is separate from the client device and the proxy server.

Instant application, claim 13. The one or more storage media of Claim 10, wherein the secure enclave and the cryptographic device reside in the same computer network that is separate from a computer network in which the proxy server resides.

'317 Patent, claim 8. The one or more storage media of claim 7, wherein the client device generated the authentication code and the request is from the client device.

Instant application, claim 14. The one or more storage media of Claim 10, wherein the client device generated the code and the request is from the client device.

'317 Patent, claim 9. The one or more storage media of claim 7, wherein the authentication code is generated by a computing device that is operated by a third-party and that is separate from the client device and the proxy server.

Instant application, claim 15. The one or more storage media of Claim 10, wherein the code is generated by a computing device that is operated by a third-party and that is separate from the client device and the proxy server.

'317 Patent, claim 4. The method of claim 1, wherein: the authentication code is a first authentication code; sending the authentication code to the secure enclave comprises sending, to the secure enclave, a plurality of authentication codes that includes the first authentication code and a second authentication code; the secure enclave validates the authentication code based on a second local key that is stored in the secure enclave; the secure enclave sends the request to the cryptographic device if the secure enclave validates each authentication code in the plurality of authentication codes.

Instant application, claim 16. The one or more storage media of Claim 10, wherein: the code is a first code; sending the code to the secure enclave comprises sending, to the secure enclave, a plurality of codes that includes the first code and a second code; the secure enclave validates the code based on a second local key that is stored in the secure enclave; the secure enclave sends the request to the cryptographic device if the secure enclave validates each code in the plurality of codes.

'317 Patent, claim 5. The method of claim 4, wherein: one of the client device, the proxy server, or a third-party entity generated the first authentication code; and another one of the client device, the proxy server, or the third-party entity generated the second authentication code.

Instant application, claim 17. The one or more storage media of Claim 16, wherein: one of the client device, the proxy server, or a third-party entity generated the first code; and another one of the client device, the proxy server, or the third-party entity generated the second code.

'317 Patent, claim 6. The method of claim 1, wherein: the request also includes secret key information; sending the authentication code and the request to the secure enclave also includes sending the secret key information to the secure enclave; the secure enclave also sends the secret key information to the cryptographic device.

Instant application, claim 18. The one or more storage media of Claim 10, wherein: the request also includes secret key information; sending the code and the request to the secure enclave also includes sending the secret key information to the secure enclave; the secure enclave also sends the secret key information to the cryptographic device.

'317 Patent, claim 13. A system for enforcing authentication/authorization checking in a secure enclave, the system comprising: one or more processors; one or more storage media storing instructions which, when executed by the one or more processors, cause: receiving, by a proxy server, a request for a cryptographic operation that is initiated by a client device, wherein the request includes a key name of a cryptographic key and an authentication code; in response to receiving the request, sending, by the proxy server, the authentication code and the request to a secure enclave that is associated with a cryptographic device that stores a plurality of cryptographic keys that includes the cryptographic key; wherein the secure enclave is on a computing device that hosts the proxy server or on a first computing device that is in the same computer network as a second computing device that hosts the proxy server; wherein the secure enclave validates the authentication code based on a local key that is stored in the secure enclave; wherein the secure enclave sends, to the cryptographic device that performs the cryptographic operation, (1) data associated with the secure enclave and (2) the cryptographic request; after the secure enclave validates the code, receiving, by the proxy server, from the secure enclave, the cryptographic request and the data associated with the secure enclave; wherein receiving the cryptographic request and the data associated with the secure enclave is through an end-to-end secure connection that is established between the secure enclave and the cryptographic device; receiving, by the proxy server, from the cryptographic device, result data that was generated by the cryptographic device as a result of performing the cryptographic operation; sending, by the proxy server, to the client device, the result data.

Instant application, claim 19. A system for enforcing authentication/authorization checking in a secure enclave, the system comprising: one or more processors; one or more storage media storing instructions which, when executed by the one or more processors, cause: receiving, by a proxy server, a request for a cryptographic operation that is initiated by a client device, wherein the request includes a key name of a cryptographic key and an code; in response to receiving the request, sending, by the proxy server, the code and the request to a secure enclave that is associated with a cryptographic device that stores a plurality of cryptographic keys that includes the cryptographic key; wherein the secure enclave validates the code based on a local key that is stored in the secure enclave; wherein the secure enclave sends, to the cryptographic device that performs the cryptographic operation, (1) data associated with the secure enclave and (2) the cryptographic request; receiving, by the proxy server, from the cryptographic device, result data that was generated by the cryptographic device as a result of performing the cryptographic operation; sending, by the proxy server, to the client device, the result data.

Instant application, claim 20. The system of Claim 19, wherein the secure enclave is on a computing device that hosts the proxy server or on a first computing device that is in the same computer network as a second computing device that hosts the proxy server.
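The flow recited in the independent claims (client request with key name and code, proxy forwards to an enclave that validates the code against a local key, enclave forwards request plus enclave data to a cryptographic device that holds the keys, result returned to the client via the proxy), together with the multi-code variant of claims 4/7 and 5/8, as an added Python simulation. This is illustrative code written for this page; it is not code from the application, the '317 Patent, or any party. It assumes HMAC-SHA256 as the construction of the "code", an enclave measurement value as the "data associated with the secure enclave", and an HMAC computed under a device-held key as the cryptographic operation; all keys and requests are constructed for the example.

```python
"""Simulation of the claimed proxy / secure enclave / cryptographic device flow.
Keys, names and requests are constructed for this example only."""
import hmac
import hashlib
from dataclasses import dataclass


def _mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (assumed code construction)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


@dataclass
class Request:
    key_name: str            # name of the key held by the cryptographic device
    operation: str
    payload: bytes
    codes: dict              # issuer -> code (one or several, claims 4/7)
    secret_key_info: bytes = b""   # optional extra material (claims 6/9)

    def signed_fields(self) -> tuple:
        """Fields every code must cover so the enclave detects tampering."""
        return (self.key_name.encode(), self.operation.encode(),
                self.payload, self.secret_key_info)


class CryptographicDevice:
    """Holds the named keys and performs the operation (HSM stand-in)."""

    def __init__(self, keys: dict, trusted_measurement: bytes):
        self._keys = keys
        self._trusted = trusted_measurement

    def perform(self, enclave_data: dict, req: Request) -> bytes:
        # Only requests accompanied by the trusted enclave's data are served,
        # so a caller that bypasses the enclave gets nothing.
        if not hmac.compare_digest(enclave_data["measurement"], self._trusted):
            raise PermissionError("request did not come from the trusted enclave")
        if req.operation != "mac":
            raise ValueError("unsupported operation")
        return _mac(self._keys[req.key_name], req.payload)  # KeyError if unknown name


class SecureEnclave:
    """Validates every presented code against its issuer's local key."""

    def __init__(self, local_keys: dict, measurement: bytes, device: CryptographicDevice):
        self._local_keys = local_keys     # issuer -> local key kept inside the enclave
        self._measurement = measurement
        self._device = device

    def check_and_forward(self, req: Request) -> bytes:
        for issuer, code in req.codes.items():
            expected = _mac(self._local_keys[issuer], *req.signed_fields())
            if not hmac.compare_digest(expected, code):
                raise PermissionError(f"invalid code from {issuer}")
        # Enclave data + request go to the device; the result travels back
        # to the proxy along the return path in this in-process simulation.
        return self._device.perform({"measurement": self._measurement}, req)


class ProxyServer:
    """Never sees a key and never checks a code; it only relays."""

    def __init__(self, enclave: SecureEnclave):
        self._enclave = enclave

    def handle(self, req: Request) -> bytes:
        return self._enclave.check_and_forward(req)


def make_request(key_name: str, payload: bytes, issuer_keys: dict) -> Request:
    """Each issuer (client, third party, ...) computes its own code."""
    req = Request(key_name, "mac", payload, {})
    for issuer, k in issuer_keys.items():
        req.codes[issuer] = _mac(k, *req.signed_fields())
    return req


def _denied(fn) -> bool:
    try:
        fn()
    except PermissionError:
        return True
    return False


def run_scenarios() -> dict:
    """Constructed deployment: client and third-party local keys, one device key."""
    client_key, third_party_key = b"client-local-key", b"third-party-local-key"
    device_keys = {"payments-signing": b"\x01" * 32}
    measurement = hashlib.sha256(b"enclave-code").digest()
    device = CryptographicDevice(device_keys, measurement)
    proxy = ProxyServer(SecureEnclave(
        {"client": client_key, "third-party": third_party_key}, measurement, device))

    good = make_request("payments-signing", b"tx:42",
                        {"client": client_key, "third-party": third_party_key})
    forged = make_request("payments-signing", b"tx:42",
                          {"client": client_key, "third-party": b"wrong-key"})
    tampered = make_request("payments-signing", b"tx:42", {"client": client_key})
    tampered.payload = b"tx:43"   # modified after the code was computed
    return {
        "ok": proxy.handle(good) == _mac(device_keys["payments-signing"], b"tx:42"),
        "forged_second_code": _denied(lambda: proxy.handle(forged)),
        "tampered_payload": _denied(lambda: proxy.handle(tampered)),
        "bypass_enclave": _denied(lambda: device.perform({"measurement": b"\x00" * 32}, good)),
    }


if __name__ == "__main__":
    print(run_scenarios())
```

The point the simulation makes is where trust lives: the proxy holds neither the local keys nor the device keys, a request with any invalid code in the set is refused before it reaches the device, and the device refuses work that does not carry the trusted enclave's data.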


Pertinent Art
10.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:

Miller (US Patent 11,218,317 B1) relates to cryptographic keys and, more specifically, to enhancing the security of a system that makes use of a remote server that proxies cryptographic keys.

Belenko (US 2018/0167203 A1) discloses a method, performed by a computing system, for establishing, by a second device, a Transport Layer Security session with a client on behalf of the owner of the private key of a public/private key pair. The method receives from the client a request to establish a session, the request including a client random. The method sends to the client a public key certificate of the public/private key pair and a server random. The method receives from the client an encrypted secret that is encrypted using the public key. The method requests a secure enclave of the computing system to decrypt the encrypted secret using the private key of a first device. The secure enclave may have obtained the private key from the first device based on a quote provided to the first device attesting that the code of the secure enclave is trusted code. In some embodiments, the method receives from the secure enclave the decrypted secret and generates a session key for the session based on the client random, the server random, and the secret. In some embodiments, the request to the secure enclave further asks the secure enclave to generate a session key based on the client random, the server random, and the secret and to store the session key.

Gifford et al. (US 9,887,975 B1) disclose a key enclave device 2900A that stores one or more public keys (Fig. 29, step 2901). In some embodiments, the key enclave 2900A communicates with a delegate computer 2900B over a secure channel; both the key enclave 2900A and the delegate computer 2900B use cryptography to enforce secrecy and authentication of messages over the channel, and the secure channel utilizes at least one communication link using wireless data transport.

Ortiz et al. (US 2021/0173916 A1) disclose a one-way transformation (e.g., based on a cryptographic hash) used in combination with one or more cryptographic keys to generate a digitally signed token, where the digitally signed token can be stored in a data storage 108 resident on the mobile computing device (e.g., a secure enclave, or storage accessible only through a set of secure processing components and/or pathways).

Martel et al. (US 10,872,152 B1) disclose a system, method, and apparatus to provision domains in a secure enclave processor to support multiple users. One embodiment provides an apparatus comprising a first processor to receive a set of credentials associated with one of multiple user accounts on the apparatus, and a second processor including a secure circuit to provide a secure enclave, the secure enclave to receive a request from the first processor to authenticate the set of credentials, the request including supplied credentials and an authentication type, where the secure enclave is to block the request from the first processor in response to a determination that the user account has exceeded a threshold number of successive failed authentication attempts for the authentication type.

Leiserson (US 2021/0111886 A1) discloses receiving an encrypted file system key associated with a first secure enclave, and receiving a request from a second secure enclave to access a file system associated with the encrypted file system key. In response to receiving the request, the encrypted file system key is decrypted with a cryptographic key associated with an enclave manager to obtain a file system key. The file system key is then encrypted under another cryptographic key associated with the second secure enclave to generate a re-encrypted file system key, and the re-encrypted file system key is provided to the second secure enclave.

Conclusion
11.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABIY GETACHEW whose telephone number is (571) 272-6932. The examiner can normally be reached Mon.-Fri. 9:00 AM - 5:30 PM.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571) 272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
A.G.
November 30, 2022
/ABIY GETACHEW/Primary Examiner, Art Unit 2434