DETAILED ACTION
This action is in response to the amendment filed on November 21, 2022. Claims 15-27 are
pending. Claims 15, 17, 21 -25, and 27 are amended. Of such, claims 15-21 represent a device, claims 22-26 represent a method, and claim 27 represents a non-transitory computer program product directed to network function messaging.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant’s arguments, see remarks page 7, filed on November 11, 2022, with respect to the instant application predating the prior art reference have been fully considered and are persuasive.  However, upon further consideration, a new ground(s) of rejection is made in view of an earlier version of the same prior art ETSI (NPL ETSI TS 133 501 V15.1.0 – Change Request 33.501).
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claim(s) 15-27 are rejected under 35 U.S.C. 102 (a)(1) as being anticipated over ETSI (NPL ETSI TS 133 501 V15.1.0 – Change Request 33.501), hereinafter referred to as ETSI.
	Regarding Claim 15, ETSI discloses:
A first security edge proxy serving a first network function, comprising; a communication circuitry; a data storage; and a processing circuitry configured to cause, using the communication circuitry and non-transitory memory (on page 7, section 13.2.x, ETSI discloses “secure communication between service-consuming and a service-producing NFs in different PLMNs. Security is enabled by the Security Edge Protection Proxies of both networks, henceforth called cSEPP and pSEPP respectively. The SEPPs enforce protection policies regarding application layer security thereby ensuring integrity and confidentiality protection for those elements to be protected.” See figure 13.2.x-1): forming a transport layer security protected first control plane connection between the first security edge proxy and a second security edge proxy so that the first security edge proxy is a transport layer security client and the second security edge proxy is a transport layer security server for the first control plane connection (on page 8, see ETSI figure 13.2.x-1, on page 8, section 13.2.y.1, ETSI further discloses “When the SEPPs have mutually authenticated each other and when the negotiated the security mechanism to use over N32 is Application Layer Security, the SEPPs use the established TLS connection (N32-c connection) to negotiate the N32 specific associated security configuration parameters.”); and forming a transport layer security protected second control plane connection between the first security edge proxy and the second security edge proxy so that the first security edge proxy is a transport layer security server and the second security edge proxy is a transport layer security client for the second control plane connection (on page 8, see ETSI figure 13.2.x-1, on page 8, section 13.2.y.1, ETSI further discloses “When the SEPPs have mutually authenticated each other and when the negotiated the security mechanism to use over N32 is Application Layer Security, the SEPPs use the established TLS connection (N32-c connection) to negotiate the N32 specific associated security configuration parameters.”); wherein the forming of the transport layer security protected first control plane connection comprises forming a first shared secret (on page 8, section 13.2.y.1, ETSI discloses “Key agreement: The SEPPs independently export keying material associated with the established N32-c connection between them and use it as the pre-shared key for generating the shared session key required. This is based on RFC 5705 [xx] for TLS 1.2. For TLS 1.3, the exporter described in section 7.5 of [yy] is used.”); and the forming of the transport layer security protected second control plane connection comprises forming a second shared secret (on page 8, section 13.2.y.1, ETSI discloses “Key agreement: The SEPPs independently export keying material associated with the established N32-c connection between them and use it as the pre-shared key for generating the shared session key required. This is based on RFC 5705 [xx] for TLS 1.2. For TLS 1.3, the exporter described in section 7.5 of [yy] is used.”); and the processing circuitry is further configured to: obtain a first master key from the first shared secret (on page 16, section 13.2.y.2, ETSI discloses “The exported key shall be used as the master key to derive session keys and IVs for the N32-f context as specified in clause 13.2.a.4.1.”); obtain a second master key from the second shared secret (on page 16, section 13.2.y.2, ETSI discloses “The exported key shall be used as the master key to derive session keys and IVs for the N32-f context as specified in clause 13.2.a.4.1.”); exchange pre-context identifications between the first security edge proxy and the second security edge proxy for combining to form a first unique identifier representing a logical connection context information for message protection on a first logical connection that is associated with the first control plane connection (On page 15, ETSI discloses “Unique identifier (64 bit integer) representing a HTTP Request/Response transaction between two SEPPs.”) form a second unique identifier representing a logical connection context information for message protection on a second logical connection that is associated with the second control plane (On page 15, ETSI discloses “Unique identifier (64 bit integer) representing a HTTP Request/Response transaction between two SEPPs.”) form, based on the first master key and the first unique identifier, a first session key for first logical connection encryption (on page 16, section 13.2.a.4.1, ETSI discloses “The N32-f key hierarchy is based on the N32-f master key generated during the N32-c initial handshake by TLS key export. Each run of the N32-f key derivation creates two pairs of session keys and IV salts. The two pairs are used in two different HTTP/2 sessions. In one Session the N32-c initiatior acts as the HTTP client and in the second the N32-c responder acts as the client.”); and form, based on the second master key and the second unique identifier, a second session key for second logical connection encryption  (on page 16, section 13.2.a.4.1, ETSI discloses “The N32-f key hierarchy is based on the N32-f master key generated during the N32-c initial handshake by TLS key export. Each run of the N32-f key derivation creates two pairs of session keys and IV salts. The two pairs are used in two different HTTP/2 sessions. In one Session the N32-c initiatior acts as the HTTP client and in the second the N32-c responder acts as the client.”);
	Regarding Claim 16, ETSI discloses:
The first security edge proxy of claim 15, wherein the processing circuitry is further configured to form a first initialization vector randomizer for the encryption of the first logical connection request to the second security edge proxy  (in section 13.2.a.7, ETSI discloses “The receiving SEPP shall decrypt the JWE ciphertext using the shared session key and the following parameters obtained from the JWE object – Initialization Vector, Additional Authenticated Data value (clearTextEncapsulatedMessage in “aad”) and JWE Authentication Tag (“tag”).”).
	Regarding Claim 17, ETSI discloses:
	The first security edge proxy of claim 15, wherein the processing circuitry is further configured to form a second initialization vector randomizer for the decryption of the second logical connection request from the second security edge proxy (in section 13.2.a.7, ETSI discloses “The receiving SEPP shall decrypt the JWE ciphertext using the shared session key and the following parameters obtained from the JWE object – Initialization Vector, Additional Authenticated Data value (clearTextEncapsulatedMessage in “aad”) and JWE Authentication Tag (“tag”).”).
	Regarding Claim 18, ETSI discloses:
	The first security edge proxy of claim 15, wherein: the first logical connection is protected by application layer security; the second logical connection is protected by application layer security (in section 13.2.x, ETSI discloses “The SEPPs enforce protection policies regarding application layer security thereby ensuring integrity and confidentiality protection for those elements to be protected.”) and the application layer security employs different cipher suites for the first and second logical connections (in section 13.2.y.2, ETSI discloses “The SEPP which initiated the TLS connection sends a Parameter Exchange Request message to the responding SEPP including the initiating SEPP’s supported cipher suites. The cipher suites are ordered in initiating SEPP’s priority order. The SEPP provides a N32-f precontext ID for the responding SEPP. The precontext IDs are 32-bit random integers, represented as 0-left padded strings of hexadecimal digits”).
	Regarding Claim 19, ETSI discloses:
	The first security edge proxy of claim 15, wherein the processing circuitry is further configured to cause encrypting, using the first shared secret, first control data for transmission over the first control plane connection (In section 13.2.a.1, ETSI discloses “Encryption of IEs take place end to end between cSEPP and pSEPP.”) and the processing circuitry is further configured to cause decrypting, using the second shared secret, second control data received over the second control plane connection (in section 13.2.a.7, ETSI discloses “The receiving SEPP shall decrypt the JWE ciphertext using the shared session key and the following parameters obtained from the JWE object – Initialization Vector, Additional Authenticated Data value (clearTextEncapsulatedMessage in “aad”) and JWE Authentication Tag (“tag”).”).
	Regarding Claim 20, ETSI discloses:
	The first security edge proxy of claim 19, wherein the application layer security employs JSON Web Encryption, JWE (In section 13.2.a.4, ETSI discloses “Protection of reformatted HTTP messages between SEPPs shall use JSON Web Encryption (JWE) as specified in IETF RFC 7516 [xx].”).
	Regarding Claim 21, ETSI discloses:
The first security edge proxy of claim 15, wherein the first master key may be formed using a transport layer security exporter function associated with the first control connection (In section 13.2.y.2, ETSI discloses “The exported key shall be used as the master key to derive session keys and IVs for the N32-f context as specified in clause 13.2.a.4.1.”); and the second master key may be formed using a TLS exporter function associated with the second control connection (In section 13.2.y.2, ETSI discloses “The exported key shall be used as the master key to derive session keys and IVs for the N32-f context as specified in clause 13.2.a.4.1.”);
	Regarding Claim 22, ETSI discloses:
	A method, wherein the method is performed in a security edge proxy, the method comprising: forming a transport layer security protected first control plane connection between a first security edge proxy and a second security edge proxy so that the first security edge proxy is a transport layer security client and the second security edge proxy is a transport layer security server for the first control plane connection (on page 8, see ETSI figure 13.2.x-1, on page 8, section 13.2.y.1, ETSI further discloses “When the SEPPs have mutually authenticated each other and when the negotiated the security mechanism to use over N32 is Application Layer Security, the SEPPs use the established TLS connection (N32-c connection) to negotiate the N32 specific associated security configuration parameters.”); and forming a transport layer security protected second control plane connection between the first security edge proxy and the second security edge proxy so that the first security edge proxy is a transport layer security server and the second security edge proxy is a transport layer security client server for the second control plane connection (on page 8, see ETSI figure 13.2.x-1, on page 8, section 13.2.y.1, ETSI further discloses “When the SEPPs have mutually authenticated each other and when the negotiated the security mechanism to use over N32 is Application Layer Security, the SEPPs use the established TLS connection (N32-c connection) to negotiate the N32 specific associated security configuration parameters.”); wherein the forming of the transport layer security protected first control plane connection comprises forming a first shared 4Docket No. NC307444-US-PCTCustomer No. 73658 secret (on page 8, section 13.2.y.1, ETSI discloses “Key agreement: The SEPPs independently export keying material associated with the established N32-c connection between them and use it as the pre-shared key for generating the shared session key required. This is based on RFC 5705 [xx] for TLS 1.2. For TLS 1.3, the exporter described in section 7.5 of [yy] is used.”); and the forming of the transport layer security protected second control plane connection comprises forming a second shared secret (on page 8, section 13.2.y.1, ETSI discloses “Key agreement: The SEPPs independently export keying material associated with the established N32-c connection between them and use it as the pre-shared key for generating the shared session key required. This is based on RFC 5705 [xx] for TLS 1.2. For TLS 1.3, the exporter described in section 7.5 of [yy] is used.”); the method further comprising: obtaining a first master key from the first shared (on page 16, section 13.2.y.2, ETSI discloses “The exported key shall be used as the master key to derive session keys and IVs for the N32-f context as specified in clause 13.2.a.4.1.”);; obtaining a second master key from the second shared secret (on page 16, section 13.2.y.2, ETSI discloses “The exported key shall be used as the master key to derive session keys and IVs for the N32-f context as specified in clause 13.2.a.4.1.”); exchanging pre-context identifications between the first security edge proxy and the second security edge proxy for combining to form a first unique identifier representing a logical connection context information for message protection on a first logical connection that is associated with the first control plane connection (On page 15, ETSI discloses “Unique identifier (64 bit integer) representing a HTTP Request/Response transaction between two SEPPs.”)  forming a second unique identifier representing a logical connection context information for message protection on a second logical connection that is associated with the second control plane connection (On page 15, ETSI discloses “Unique identifier (64 bit integer) representing a HTTP Request/Response transaction between two SEPPs.”) forming, based on the first master key and the first unique identifier, a first session key for first logical connection encryption (on page 16, section 13.2.a.4.1, ETSI discloses “The N32-f key hierarchy is based on the N32-f master key generated during the N32-c initial handshake by TLS key export. Each run of the N32-f key derivation creates two pairs of session keys and IV salts. The two pairs are used in two different HTTP/2 sessions. In one Session the N32-c initiatior acts as the HTTP client and in the second the N32-c responder acts as the client.”) and forming, based on the second master key and the second unique identifier, a second session key for second logical connection encryption   (on page 16, section 13.2.a.4.1, ETSI discloses “The N32-f key hierarchy is based on the N32-f master key generated during the N32-c initial handshake by TLS key export. Each run of the N32-f key derivation creates two pairs of session keys and IV salts. The two pairs are used in two different HTTP/2 sessions. In one Session the N32-c initiatior acts as the HTTP client and in the second the N32-c responder acts as the client.”);
	Regarding Claim 23, ETSI discloses:
	The method of claim 22, further comprising forming a first initialization vector randomizer for the encryption of the first logical connection request to the second security edge proxy (in section 13.2.a.7, ETSI discloses “The receiving SEPP shall decrypt the JWE ciphertext using the shared session key and the following parameters obtained from the JWE object – Initialization Vector, Additional Authenticated Data value (clearTextEncapsulatedMessage in “aad”) and JWE Authentication Tag (“tag”).”).
	Regarding Claim 24, ETSI discloses:
	The method of claim 22, further comprising forming a second initialization vector randomizer for the decryption of the second logical connection request from the second security edge proxy (in section 13.2.a.7, ETSI discloses “The receiving SEPP shall decrypt the JWE ciphertext using the shared session key and the following parameters obtained from the JWE object – Initialization Vector, Additional Authenticated Data value (clearTextEncapsulatedMessage in “aad”) and JWE Authentication Tag (“tag”).”).
	Regarding Claim 25, ETSI discloses:
	The method of claim 22, further comprising: protecting the first logical connection by application layer security; protecting the second logical connection by application layer (in section 13.2.x, ETSI discloses “The SEPPs enforce protection policies regarding application layer security thereby ensuring integrity and confidentiality protection for those elements to be protected.”)  and employing different application layer security cipher suites for the first and second logical connections (in section 13.2.y.2, ETSI discloses “The SEPP which initiated the TLS connection sends a Parameter Exchange Request message to the responding SEPP including the initiating SEPP’s supported cipher suites. The cipher suites are ordered in initiating SEPP’s priority order. The SEPP provides a N32-f precontext ID for the responding SEPP. The precontext IDs are 32-bit random integers, represented as 0-left padded strings of hexadecimal digits”).
	Regarding Claim 26, ETSI discloses:
	The method of claim 23, further comprising: encrypting, using the first shared secret, first control data for transmission over the first control plane connection (In section 13.2.a.1, ETSI discloses “Encryption of IEs take place end to end between cSEPP and pSEPP.”); and decrypting, using the second shared secret, second control data received over the second control plane connection (in section 13.2.a.7, ETSI discloses “The receiving SEPP shall decrypt the JWE ciphertext using the shared session key and the following parameters obtained from the JWE object – Initialization Vector, Additional Authenticated Data value (clearTextEncapsulatedMessage in “aad”) and JWE Authentication Tag (“tag”).”).
	Regarding Claim 27, ETSI discloses:
A non-transitory computer program product comprising computer executable program code  embodied on a non-transitory memory configured to perform: forming a transport layer security protected first control plane connection between the first security edge proxy and the second security edge proxy so that the first security edge proxy is a transport layer security client and the second security edge proxy is a transport layer security server for the first control plane connection (on page 8, see ETSI figure 13.2.x-1, on page 8, section 13.2.y.1, ETSI further discloses “When the SEPPs have mutually authenticated each other and when the negotiated the security mechanism to use over N32 is Application Layer Security, the SEPPs use the established TLS connection (N32-c connection) to negotiate the N32 specific associated security configuration parameters.”); and forming a transport layer security protected second control plane connection between the first security edge proxy and the second security edge proxy so that the first security edge proxy is a transport layer security server and the second security edge proxy is a transport layer security client server for the second control plane connection (on page 8, see ETSI figure 13.2.x-1, on page 8, section 13.2.y.1, ETSI further discloses “When the SEPPs have mutually authenticated each other and when the negotiated the security mechanism to use over N32 is Application Layer Security, the SEPPs use the established TLS connection (N32-c connection) to negotiate the N32 specific associated security configuration parameters.”); wherein the forming of the transport layer security protected first control plane connection comprises forming a first shared secret (on page 8, section 13.2.y.1, ETSI discloses “Key agreement: The SEPPs independently export keying material associated with the established N32-c connection between them and use it as the pre-shared key for generating the shared session key required. This is based on RFC 5705 [xx] for TLS 1.2. For TLS 1.3, the exporter described in section 7.5 of [yy] is used.”); and the forming of the transport layer security protected second control plane connection comprises forming a second shared secret (on page 8, section 13.2.y.1, ETSI discloses “Key agreement: The SEPPs independently export keying material associated with the established N32-c connection between them and use it as the pre-shared key for generating the shared session key required. This is based on RFC 5705 [xx] for TLS 1.2. For TLS 1.3, the exporter described in section 7.5 of [yy] is used.”); the method further comprising: obtaining a first master key from the first shared secret (on page 16, section 13.2.y.2, ETSI discloses “The exported key shall be used as the master key to derive session keys and IVs for the N32-f context as specified in clause 13.2.a.4.1.”); obtaining a second master key from the second shared secret (on page 16, section 13.2.y.2, ETSI discloses “The exported key shall be used as the master key to derive session keys and IVs for the N32-f context as specified in clause 13.2.a.4.1.”); exchanging pre-context identifications between the first security edge proxy and the second security edge proxy for combining to form a first unique identifier representing a logical connection context information for message protection on a first logical connection that is associated with the first control plane connection connection (On page 15, ETSI discloses “Unique identifier (64 bit integer) representing a HTTP Request/Response transaction between two SEPPs.”); forming a second unique identifier representing a logical connection context information for message protection on a second logical connection that is associated with the second control plane connection connection (On page 15, ETSI discloses “Unique identifier (64 bit integer) representing a HTTP Request/Response transaction between two SEPPs.”); forming, based on the first master key and the first unique identifier, a first session key for first logical connection encryption  (on page 16, section 13.2.a.4.1, ETSI discloses “The N32-f key hierarchy is based on the N32-f master key generated during the N32-c initial handshake by TLS key export. Each run of the N32-f key derivation creates two pairs of session keys and IV salts. The two pairs are used in two different HTTP/2 sessions. In one Session the N32-c initiatior acts as the HTTP client and in the second the N32-c responder acts as the client.”);  and forming, based on the second master key and the second unique identifier, a second session key for second logical connection encryption (on page 16, section 13.2.a.4.1, ETSI discloses “The N32-f key hierarchy is based on the N32-f master key generated during the N32-c initial handshake by TLS key export. Each run of the N32-f key derivation creates two pairs of session keys and IV salts. The two pairs are used in two different HTTP/2 sessions. In one Session the N32-c initiatior acts as the HTTP client and in the second the N32-c responder acts as the client.”);
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Xu et al. (US Publication Number 2021/0044569) discloses a method for sending signal messages through an IPS proxy from a first network element to another network element. 
He et al. (US Publication Number 2020/0344604) discloses a method for performing verification using a shared key to send a message between network elements. 
Saarinen et al. (US Publication Number 2021/0014680) discloses a method of wireless communication to transmit protected messages.
Lehtovirta et al. (US Publication Number 2021/0014284) discloses a security negotiation mechanism between security gateways.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHADI H KOBROSLI whose telephone number is (571)272-1952. The examiner can normally be reached M-F 9am-5pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on 571-272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/SHADI H KOBROSLI/Examiner, Art Unit 2492                                                                                                                                                                                                        

/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492