DETAILED ACTION

Response to Amendment

1. This action is in response to the amendment dated 10/28/2022.
2. Claims 1, 15-16, and 21 are amended.
3. Claims 4 and 18 are cancelled.
4. Claims 1-3, 5-17 and 19-27 are submitted for examination.
5. Claims 1-3, 5-13, 15-17 and 19-27 have been examined and rejected.
6. The Examiner would like to point out that this action is made final (see MPEP 706.07(a)).


7. Response to Arguments

Applicant’s Argument:
On pages 10-13 of the Remarks/Arguments, Applicant argues: none of the references alone or in combination teach a secure stream number to associate the secure TLP with a particular secure stream.


Response to Argument: Examiner respectfully disagrees with Applicant’s arguments because Ben substantially teaches that a packet number field contains a packet number, which is a monotonically increasing number used to prevent replay attacks; the packet number may also be used to help detect missing packets [0050-0051].



8. Claim Rejections - 35 USC § 102

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.



Claims 1-12, 15 and 26-27 are rejected under 35 U.S.C. 102(a)(2) as being unpatentable over Benjamini et al., US 2020/0089645 (Benjamini et al. claims priority to provisional applications No. 62/731,286 filed on Sep 14, 2018, 62/745,542 filed on Oct 15, 2018, 62/788,264 filed on Jan 4, 2019, and 62/840,643 filed on Apr 30, 2019) (hereinafter Ben).

Regarding claim 1 Ben teaches an apparatus comprising: 
transaction layer logic comprising hardware circuitry to: access a transaction layer packet (TLP); generate a secure TLP comprising integrity protection information for the TLP and an encrypted data payload of the TLP, and a secure stream number to associate the secure TLP with a particular secure stream; and transmit the secure TLP across the secure stream to a link partner (Ben teaches that at a transaction layer a TLP header is generated along with a TLP prefix, wherein the payload may be encrypted, and the ICV is calculated and appended, wherein the combined packet is then sent over a PCIE link to a receiver, wherein the receiver decrypts the payload and validates the ICV [0062], wherein the ICV is an integrity check value appended to the TLP packet, wherein the TLP is generated based on the TLP packet and any TLP prefixes including a security prefix. At a receiver, if the ICV does not match, then the receiver has evidence that the TLP packet may have been subjected to tampering [0026], [0047], fig. 5, 7 and 8. A packet number field contains a packet number, which is a monotonically increasing number used to prevent replay attacks; the packet number may also be used to help detect missing packets [0050-0051]).

Regarding claim 2 Ben teaches the apparatus of claim 1, further comprising transaction layer logic circuitry to: 
read an extended capability register indicating a capability to support IDE; and 
determine that the apparatus and the link partner support integrity protection and data encryption for TLP encoding (Ben teaches the capabilities and configurations of the various endpoints may be stored in the data register 320 so that the root complex may use the security features of the present disclosure with those endpoints which are so enabled [0030], [0035]). 
 
Regarding claim 3 Ben teaches the apparatus of claim 2, further comprising transaction layer logic circuitry to:
set in a control register indicating that the apparatus and the link partner support a secure stream using integrity protection or data encryption [0030] and [0035].

Regarding claim 5 Ben teaches the apparatus of claim 1, further comprising an encryption engine comprising hardware circuitry to encrypt the data payload of the TLP (Ben teaches the host device includes a host encryption/decryption engine [0014], and [0029]).  

Regarding claim 6 Ben teaches the apparatus of claim 5, wherein the encryption engine uses an encryption standard based on an American Encryption Standard Galois counter mode (AES-GCM) encryption protocol [0047].  

Regarding claim 7 Ben teaches the apparatus of claim 1, further comprising a data integrity protection engine comprising hardware circuitry to generate the integrity protection information for the secure TLP [0047], and fig. 7-8.  

Regarding claim 8 Ben teaches the apparatus of claim 7, wherein the data integrity protection engine uses an integrity protocol based on an American Encryption Standard Galois Counter Mode (AES-GCM) protocol [0047].

Regarding claim 9 Ben teaches the apparatus of claim 1, further comprising transaction layer logic circuitry to: augment the TLP with information indicating that the TLP comprises integrity protection and data encryption (fig. 7).  

Regarding claim 10 Ben teaches the apparatus of claim 9, wherein the information is contained in one of a TLP prefix or a TLP header (fig. 7).  

Regarding claim 11 Ben teaches the apparatus of claim 9, wherein the information comprises an L bit that when set indicates that the TLP is a last secure TLP on the secure stream and that subsequent TLPs received on the secure stream are to have a new encryption key set (Ben teaches a transport layer protocol (TLP) packet has a TLP prefix prepended indicating the security features of the TLP packet. Such security features may include a counter or counter equivalent to prevent replay attacks, encryption of a payload of the TLP packet to prevent snooping and/or an authentication value calculated from one or more portions of the TLP packet to detect tampering. The TLP prefix may indicate which, if any, of the security features are present in the associated TLP packet. The counter may be a monotonically-increasing number included in each packet [0026]. After termination, a new encryption link may be established with new keys [0037], and [0049]).

Regarding claim 12 Ben teaches the apparatus of claim 1, wherein the secure stream comprises one or more substreams, the one or more secure substreams comprising a secure substream for posted requests, non-posted requests, or completions (Ben teaches each type of PCIE TLP such as posted, non-posted, and completion may have a separate counter [0053]).  

Regarding claim 15 Ben teaches the apparatus of claim 1, further comprising transaction layer logic circuitry to: determine that the TLP is to transmit to a link partner on a selective secure stream or a link secure stream; and selectively encode one or more TLPs in the secure stream or selectively encrypt data payload of one or more TLPs ([0026], [0062] and fig. 7-8).  

Regarding claim 26 Ben teaches the apparatus of claim 1, wherein the integrity protection information is based on a header of the TLP and the encrypted data payload of the TLP [0047].  

Regarding claim 27 Ben teaches the apparatus of claim 9, wherein the integrity protection information is based on the information indicating that the TLP comprises integrity protection and data encryption (fig. 7).  

9. Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.



Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Ben as mentioned above, and further in view of Engel et al., US 2009/0019206 (hereinafter Engel).
Regarding claim 13 Ben teaches the apparatus of claim 12, further comprising transaction layer logic circuitry to: construct an initialization vector (IV) that is related to data to be transmitted (Ben teaches a packet number may also be used to formulate an initialization vector (IV) as an input into a block cypher algorithm such as AES-GCM-128 [0051], wherein the encrypted data may be transmitted to another entity [0062]).  Ben does not teach constructing a vector that includes a fixed field unique to a device and an invocation field unique to data. Engel substantially teaches an adapter builds a vector of fields, wherein a field vector may include fields that were extracted from the packet header (e.g., source/destination addresses Ethernet/IP etc.), fields extracted from the packet application data, data resulting from a certain operation (e.g. tupliz-hash calculation on the packet data/header-fields) [0115].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Ben such that the invention further includes constructing a vector that includes a fixed field unique to a device and an invocation field unique to data. One would have been motivated to do so to use the IV as a unique identifier to perform cryptographic operations on specific data and for a specific device.
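As an added example, not part of this Office action or of any cited reference, the following Go sketch puts together the mechanism the rejections of claims 1 and 13 attribute to Ben and Engel: AES-GCM over a TLP with the clear-text header authenticated but not encrypted, the ICV (GCM tag) appended, a deterministic IV built from a device-unique fixed field and a packet-number invocation field, and a receiver that rejects both ICV mismatches and non-increasing packet numbers. The packet layout, the 4-byte device ID, the header bytes and the key are constructed stand-ins, not the references' formats.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// Stream is one direction of a secure stream: shared AES-GCM key, the sender's fixed IV field, and counters.
type Stream struct {
	aead     cipher.AEAD
	fixed    [4]byte // fixed field unique to the sending device (hypothetical value)
	nextSend uint64  // next packet number to emit; numbering starts at 1
	lastRecv uint64  // highest packet number accepted so far (0 = none yet)
}

// NewStream keys a stream for one sender; the receiver uses the same key and sender device ID to rebuild each IV.
func NewStream(key [16]byte, senderDeviceID uint32) *Stream {
	block, _ := aes.NewCipher(key[:]) // 16-byte key, so NewCipher cannot fail
	aead, _ := cipher.NewGCM(block)   // 96-bit nonce, 128-bit tag; cannot fail for AES
	s := &Stream{aead: aead, nextSend: 1}
	binary.BigEndian.PutUint32(s.fixed[:], senderDeviceID)
	return s
}

// iv builds the deterministic 96-bit IV: 32-bit fixed field || 64-bit invocation
// field (the packet number), so no (key, IV) pair repeats while the counter climbs.
func (s *Stream) iv(pn uint64) []byte {
	iv := make([]byte, 12)
	copy(iv, s.fixed[:])
	binary.BigEndian.PutUint64(iv[4:], pn)
	return iv
}

// aad is what the ICV covers without encrypting: the clear header plus the prefix (here the IV bytes).
func aad(header, prefix []byte) []byte {
	return append(append([]byte{}, header...), prefix...)
}

// Seal encrypts the payload, appends the 16-byte ICV, and consumes one packet
// number; it returns the packet number for the prefix and the ciphertext||ICV.
func (s *Stream) Seal(header, payload []byte) (uint64, []byte) {
	pn := s.nextSend
	s.nextSend++
	iv := s.iv(pn)
	return pn, s.aead.Seal(nil, iv, payload, aad(header, iv))
}

// Open verifies the ICV first (tampering), then requires a strictly increasing
// packet number, so a replayed TLP is rejected even though its ICV still verifies.
func (s *Stream) Open(header []byte, pn uint64, ct []byte) ([]byte, error) {
	iv := s.iv(pn)
	pt, err := s.aead.Open(nil, iv, ct, aad(header, iv))
	if err != nil {
		return nil, errors.New("ICV mismatch: possible tampering")
	}
	if pn <= s.lastRecv {
		return nil, errors.New("replay: packet number not increasing")
	}
	s.lastRecv = pn
	return pt, nil
}
```

A gap between `pn` and `lastRecv+1` is where a receiver would count missing packets, which the rejection notes the packet number also allows.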

10. Claims 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Ben as mentioned above, and further in view of Natu et al., US 2012/0047309 (hereinafter Natu).
Regarding claim 16 Ben teaches a method comprising: determining, by logic circuitry at a transaction layer of a protocol stack of a device, that a packet is to traverse to a link partner on a secure stream; configuring a transaction layer packet (TLP) prefix to identify the TLP as a secure TLP; associating the secure TLP with the secure stream, comprising encoding a secure stream number into the TLP prefix, the secure stream number to associate the secure TLP with a particular secure stream; encrypting a portion of the secure TLP; encoding the secure TLP with integrity protection information; and transmitting the secure TLP across the secure stream to the link partner (Ben teaches that at a transaction layer a TLP header is generated along with a TLP prefix, wherein the payload may be encrypted, and the ICV is calculated and appended, wherein the combined packet is then sent over a PCIE link to a receiver, wherein the receiver decrypts the payload and validates the ICV [0062], wherein the ICV is an integrity check value appended to the TLP packet, wherein the TLP is generated based on the TLP packet and any TLP prefixes including a security prefix. At a receiver, if the ICV does not match, then the receiver has evidence that the TLP packet may have been subjected to tampering [0026], [0047], fig. 5, 7 and 8. A packet number field contains a packet number, which is a monotonically increasing number used to prevent replay attacks; the packet number may also be used to help detect missing packets [0050-0051]). Ben does not teach authenticating a receiving port of the link partner. Natu substantially teaches that PCI Express Root ports and Switch Ports will compare the BDF fields in MCTP packets against this Address Validation List (AVL) for every request [0032].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Ben such that the invention further includes authenticating a receiving port of the link partner. One would have been motivated to do so to avoid spoofing attacks [0032].

Regarding claim 17 Ben teaches the method of claim 16, further comprising: associating the secure stream with an authentication key; and associating the authentication key with a key identifier (Key ID), the Key ID unique to each of data encryption and integrity protection (Ben teaches that an encrypted TLP comprises a TLP prefix, wherein the TLP prefix comprises an authentication key such as an ICV, which is associated with a plurality of other identification information [0045], [0062], and fig. 5 and 7).
 
In response to Claim 19: Rejected for the same reason as claim 6
In response to Claim 20: Rejected for the same reason as claim 8

11. Claims 21-22 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Ben as mentioned above, and further in view of Guddeti et al., US 2016/0179738 (hereinafter Guddeti).

Regarding claim 21 Ben teaches a system comprising: a hardware circuitry to: encode a transaction layer packet (TLP) with a secure TLP prefix, the secure TLP prefix indicating that the TLP is to transit the interconnect on a secure stream; associate the TLP with the secure stream, comprising encoding the TLP with a secure stream identifier corresponding to the secure stream; perform data encryption on data payload of the TLP; encode the TLP with integrity protection information for the TLP; and transmit the TLP to the endpoint device (Ben teaches that at a transaction layer a TLP header is generated along with a TLP prefix, wherein the payload may be encrypted, and the ICV is calculated and appended, wherein the combined packet is then sent over a PCIE link to a receiver, wherein the receiver decrypts the payload and validates the ICV [0062], wherein the ICV is an integrity check value appended to the TLP packet, wherein the TLP is generated based on the TLP packet and any TLP prefixes including a security prefix. At a receiver, if the ICV does not match, then the receiver has evidence that the TLP packet may have been subjected to tampering [0026], [0047], fig. 5, 7 and 8. A packet number field contains a packet number, which is a monotonically increasing number used to prevent replay attacks; the packet number may also be used to help detect missing packets [0050-0051]). Ben does not teach a root complex comprising a root port; an endpoint device comprising an upstream port; an interconnect coupling the root port with the upstream port; the root port comprising a protocol stack comprising a transaction layer. Guddeti substantially teaches that a root complex may include multiple root ports, each having a full protocol stack [0018], wherein each root port communicates with a bridge logic (upstream side) via an interconnect [0024], and fig. 1, wherein each root port includes a transaction layer [0027].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Lal such that the invention further includes a root complex comprising a root port; an endpoint device comprising an upstream port; an interconnect coupling the root port with the upstream port; the root port comprising a protocol stack comprising a transaction layer. One would have been motivated to do so to enhance the ability of IP reuse across a wide variety of chips [0040].

Regarding claim 22 Ben teaches the system of claim 21, wherein the root port is directly linked to the upstream port and wherein the secure TLP prefix comprises a local TLP prefix (Ben teaches that the host device includes a root complex, a host encryption/decryption engine, and a host interface. The PCIE system also includes a PCIE link coupled to the host interface. The PCIE system also includes an endpoint device. The endpoint device includes an endpoint interface coupled to the PCIE link and an endpoint encryption/decryption engine [0014], and a TLP prefix includes a secure TLP prefix [0026]).

Regarding claim 24 Ben teaches the system of claim 21, further comprising a switch complex comprising a downstream switch port coupled to the upstream port and an upstream switch port coupled to the root port, the transaction layer comprising hardware circuitry to secure the TLP for transmission through the switch complex to the endpoint based on a requester identifier (RID) and address association register setting (Ben teaches that the PCIE RC 310 further includes a plurality of registers including a configuration address register 318 (CONFIG_ADDR) and a data register 320 (CONFIG_DATA). The capabilities and configurations of the various endpoints may be stored in the data register 320 so that the root complex may use the security features of the present disclosure with those endpoints which are so enabled [0030]).

12. Claim 23 is rejected under 35 U.S.C. 103 as being unpatentable over Ben and Guddeti as mentioned above, and further in view of Price et al., US 2008/0037658 (hereinafter Price).

Regarding claim 23 Ben teaches the system of claim 22. Ben and Guddeti do not teach setting a stream identifier to zero in a packet header. Price substantially teaches an identifier in a packet header of a stream is set to zero [0079].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Ben and Guddeti such that the invention further includes setting a stream identifier to zero in a packet header. One would have been motivated to do so to indicate the type of data in the packet [0079].

13. Claim 25 is rejected under 35 U.S.C. 103 as being unpatentable over Ben and Guddeti as mentioned above, and further in view of Junk et al., US 2020/0259635 (hereinafter Junk).

Regarding claim 25 Ben teaches the system of claim 21, wherein the secure TLP prefix comprises: a first bit indicating a last TLP in the secure stream (Ben teaches that a transport layer protocol (TLP) packet has a TLP prefix prepended indicating the security features of the TLP packet. Such security features may include a counter or counter equivalent to prevent replay attacks, encryption of a payload of the TLP packet to prevent snooping and/or an authentication value calculated from one or more portions of the TLP packet to detect tampering. The TLP prefix may indicate which, if any, of the security features are present in the associated TLP packet. The counter may be a monotonically-increasing number included in each packet [0026]); a second bit indicating whether the TLP originated from a trusted environment (Ben teaches that the TLP prefix may include a plurality of indications that the TLP originated from a trusted environment [0060], and fig. 7); a third bit indicating that the TLP includes authentication information (Ben teaches that an LI bit may indicate the presence or absence of an authentication value such as the ICV [0048]); and a counter value indicating TLP count for non-posted requests and completions (Ben teaches that a configuration register may also be used to set the counter. As a further option, each type of PCIE TLP (posted, non-posted, completion) may have a separate counter [0053]). Ben and Guddeti do not teach a packet associated with authentication information such as a message authentication code (MAC). Junk substantially teaches using an encryption key and an algorithm to generate a MAC, which will be used to authenticate a payload and a header data of a data packet [0036].

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Ben and Guddeti such that the invention further includes a packet associated with authentication information such as a message authentication code (MAC). One would have been motivated to do so to verify the integrity of the packet and to authenticate a packet’s sender who has a shared secret key; however, other methods such as a hash value can be utilized to verify the packet’s integrity only.

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Ayoub Alata whose telephone number is (313) 446-6541. The examiner can normally be reached on M-F: 8:00am-4:30pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jay Kim can be reached at (571) 272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
/AYOUB ALATA/Primary Examiner, Art Unit 2494