DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Election/Restrictions
NO restrictions warranted at applicant’s initial time of filing for patent. 
Priority
This application is a CON and claims domestic priority under 35 USC 120 to non-provisional application # 17/096052, filed on 11/12/2020, now US PAT # 11399027, which is itself a CON of non-provisional application # 16/062192, filed on 06/14/2018, now US PAT # 10887310, which further claims domestic priority as a BY-PASS application and claims priority under 35 USC 371 to PCT/EP2016/080161, filed on 12/08/2016. 
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 06/27/2022 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Oath/Declaration
Applicant’s oath was filed on 06/27/2022. 
Drawings
The drawings are objected to under 37 CFR 1.83(a) because they fail to show the labels of components 110, 111, 112, 113, 120, 130, 131, 132, 140, 150, etc., of Figure # 1, and of components 1110, 1120, 1122, 1124, 1126, 1130 of Figure # 9b, as described in the specification. Any structural detail that is essential for a proper understanding of the disclosed invention should be shown in the drawing. MPEP § 608.02(d). Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.
	Appropriate action required. 

INFORMATION ON HOW TO EFFECT DRAWING CHANGES


Replacement Drawing Sheets

Drawing changes must be made by presenting replacement sheets which incorporate the desired changes and which comply with 37 CFR 1.84.  An explanation of the changes made must be presented either in the drawing amendments section, or remarks, section of the amendment paper.  Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d).  A replacement sheet must include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended.  The figure or figure number of the amended drawing(s) must not be labeled as “amended.”  If the changes to the drawing figure(s) are not accepted by the examiner, applicant will be notified of any required corrective action in the next Office action.  No further drawing submission will be required, unless applicant is notified.

Identifying indicia, if provided, should include the title of the invention, inventor’s name, and application number, or docket number (if any) if an application number has not been assigned to the application. If this information is provided, it must be placed on the front of each sheet and within the top margin. 

Annotated Drawing Sheets

A marked-up copy of any amended drawing figure, including annotations indicating the changes made, may be submitted or required by the examiner.  The annotated drawing sheet(s) must be clearly labeled as “Annotated Sheet” and must be presented in the amendment or remarks section that explains the change(s) to the drawings.

Timing of Corrections

Applicant is required to submit acceptable corrected drawings within the time period set in the Office action. See 37 CFR 1.85(a). Failure to take corrective action within the set period will result in ABANDONMENT of the application. 

If corrected drawings are required in a Notice of Allowability (PTOL-37), the new drawings MUST be filed within the THREE MONTH shortened statutory period set for reply in the “Notice of Allowability.” Extensions of time may NOT be obtained under the provisions of 37 CFR 1.136 for filing the corrected drawings after the mailing of a Notice of Allowability. 

Specification
The abstract of the disclosure is objected to because the abstract is replete with parenthesized reference numerals, which make the abstract distracting to read.  
Correction is required.  See MPEP § 608.01(b).
Claim Objections
NO claim objections warranted at applicant’s initial time of filing for patent. 
Claim Interpretation
It is the examiner’s opinion that claims 1 – 18 do not invoke means-plus-function or step-plus-function claim language under the meaning of the statute. 
Claim Rejections - 35 USC § 112
NO rejections warranted at applicant’s initial time of filing for patent. 
Double Patenting
The non-statutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A non-statutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on non-statutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based e-Terminal Disclaimer may be filled out completely online using web-screens. An e-Terminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about e-Terminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1 – 4, 6 – 13, 15 – 18 are rejected on the ground of non-statutory double patenting as being unpatentable over claims 1 – 4, 6, 8, 9 – 14, 16, 18 – 20 of U.S. Patent No. 11399027. Although the claims at issue are not identical, they are not patentably distinct from each other because the subject matter of the pending application and the patented subject matter are the same or similar in scope:
“An enrollee in a communication network can use the network by exchanging communication parameters with a configurator to access the network. The enrollee acquires a data pattern and derives a first shared key based on the network public key and the first enrollee private key, and encodes the second enrollee’s public key using the first shared key, where a network access request. The configurator derives the first shared key, and verifies whether the encoded second enrollee public key was encoded by the first shared key, and generates security data and cryptographically protects data using a second shared key, and generates a network access message. The enrollee processor further receives the second shared key and verifies whether the data was cryptographically protected, which allows for engaging in secure communication based on the second enrollee private key and the security data.”

	Also, see the table below for a claim-by-claim comparison.
Pending US Application # 17/849773
US PAT # 11399027
1. An enrollee device comprising:

an enrollee wireless communication unit,
an enrollee sensor that acquires a data pattern, the data pattern representing
a network public key; and

an enrollee processor comprising a memory that includes a first enrollee public key and a corresponding first enrollee private key and includes a second enrollee public key and a corresponding second enrollee private key,

wherein the enrollee processor:

derives a first shared key based on the network public key and the first enrollee private key, 

encodes the second enrollee public key using the first shared key,

generates a network access request, the network access request including the encoded second enrollee public key and the first enrollee public key, 

transfers the network access request to a configurator device;

receives a network access message from the configurator device, 

wherein the network access message includes protected data that is encrypted at the configurator device using a second shared key,

derives the second shared key based on the first enrollee private key,

the second enrollee private key, and 

the network public key, verifies that the protected data was cryptographically protected by the second shared key, and

engages the secure communication based on the second enrollee private key and the protected data.

1. An enrollee device for use in a network system arranges provides wireless communication between network devices for secure communication according to a security protocol, the network system comprising:

a network device that acts as the enrollee device according to the
security protocol, and

a network device that acts as a configurator device according to the
security protocol;

wherein the configurator device comprises a configurator communication unit
that receives, from the enrollee device, a network access request according
to the security protocol, the network access request including an encoded second
enrollee public key and a first enrollee public key, and

a configurator processor comprising a memory that includes, for the configurator device, a configurator public key and a corresponding configurator private key and includes, for the network system, a network public key and a corresponding network private key, 

wherein the configurator processor:

derives a first shared key based on the network private key and the first
enrollee public key,
decodes the encoded second enrollee public key using the first shared
key,

verifies that the encoded second enrollee public key was encoded
by the first shared key,

generates security data using the second enrollee public key and the
configurator private key,
derives a second shared key based on the first enrollee public key, the
second enrollee public key and the network private key,

protects cryptographically, using the second shared key, at least one of
the security data and configurator public key, and

generates a network access message according to the security protocol,
the network access message including at least one of the protected security data and
protected configurator public key;

wherein the enrollee device comprises:

an enrollee wireless communication unit,

an enrollee sensor that acquires a data pattern, the data pattern being provided in the area and representing the network public key; and

an enrollee processor comprising a memory that includes the first enrollee public key and a corresponding first enrollee private key and
includes the second enrollee public key and a corresponding second enrollee
private key,

wherein the enrollee processor:

derives the first shared key based on the network public key and the first
enrollee private key,

encodes the second enrollee public key using the first shared key,

generates the network access request according to the security protocol,
the network access request including the encoded second enrollee public key and the
first enrollee public key,

transfers the network access request to the configurator device;

receives the network access message in the form of action frames from
the configurator,

derives the second shared key based on the first enrollee private key, the
second enrollee private key and the network public key,

verifies that at least one of the protected security data and the protected configurator public key was cryptographically protected by the second shared key, and

engages the secure communication based on the second enrollee private
key and the security data.


2. The enrollee device as claimed in claim 1, wherein the enrollee processor generates at least one of: 

a first set of keys comprising the first enrollee public key and the first enrollee private key; 

a second set of keys comprising the second enrollee public key and the second enrollee private key.
2. The enrollee device as claimed in claim 1, wherein the enrollee processor generates at least one of:

a first set of keys comprising a temporary enrollee public key and a corresponding temporary enrollee private key, which first set keys constitute the first enrollee public key and the corresponding first enrollee private key;

a second set of keys comprising a further temporary enrollee public key and a corresponding further temporary enrollee
private key, which second set of keys constitute the second enrollee public key and the corresponding second enrollee private key.

3. The enrollee device as claimed in claim 1, wherein the protected data comprises a configurator session key, and 

wherein the enrollee processor engages the secure communication based on the configurator session key.
3. The enrollee device as claimed in claim 1, wherein the configurator processor:

generates the security data by providing a configurator session key and
transfers the configurator session key to the enrollee device;

wherein the enrollee processor:

receives the configurator session key, and
engages the secure communication based on the configurator session key.

4. The enrollee device as claimed in claim 1, wherein the enrollee processor: 

derives a third shared key based on the second enrollee private key and a configurator session public key provided by the configurator device, and engages secure communication based on the third shared key.
4. The enrollee device as claimed in claim 1, wherein the configurator processor:

generates a configurator session public key and a corresponding configurator
session private key,

derives a third shared key based on the configurator session private key and the
second enrollee public key, and

transfers the configurator session public key to the enrollee device;

wherein the enrollee processor:

receives the configurator session public key,

derives the third shared key based on the second enrollee private key and
the configurator session public key, and
engages secure communication based on the third shared key.

6. The enrollee device as claimed in claim 1, wherein the protected data includes a digital signature of the second enrollee public key using a configurator private key of the configurator device, wherein the enrollee processor: 

verifies, based on the digital signature and a configurator public key of the configurator device, whether the second enrollee public key was correctly signed and, if the second enrollee public key was correctly signed,

engages the secure communication based on the second enrollee private key. 
6. The enrollee device as claimed in claim 1, wherein the configurator processor:

generates the security data comprising a digital signature by digitally signing
the second enrollee public key with the configurator private key,

transfers the digital signature to a third device and/or to the enrollee device
for enabling secure communication between the enrollee device and the third device;

wherein the enrollee processor:

receives the digital signature,

verifies, based on the digital signature and the configurator public key,
whether the second enrollee public key was correctly signed and,

if the second enrollee public key was correctly signed, 

engages the secure
communication based on the second enrollee private key.

7. The enrollee device as claimed in claim 1, wherein the enrollee processor: 
receives a further public key and a further digital signature of the further public key using a configurator private key of the configurator device, verifies, based on the further digital signature and the configurator public key, whether the further public key was correctly signed and,
if the further public key was correctly signed, securely communicates with a further network device using the second enrollee private key and the further public key.

8. The enrollee device as claimed in claim 1, wherein the configurator processor:

generates further security data comprising a further digital signature by digitally
signing, with the configurator private key, a further public key of a further network
device;

wherein the enrollee processor:

receives the further public key and the further digital signature,

verifies, based on the further digital signature and the configurator public
key, whether the further public key was correctly signed and,

if the further public key was correctly signed, securely communicates with the further network device using the second enrollee private key and the further public key.

8. The enrollee device as claimed in claim 1, wherein the enrollee processor: 
generates enrollee test data, encodes the enrollee test data using the second shared key, and transfers the encoded enrollee test data to the configurator device for verification by the configurator device.

9. The enrollee device as claimed in claim 1, wherein the configurator processor:


decodes encoded enrollee test data using the second shared key, and 

verifies whether the enrollee test data was encoded by the second shared
key at the enrollee device,

wherein the enrollee processor:

generates the enrollee test data,
encodes the enrollee test data using the second shared key, and
transfers the encoded enrollee test data to the configurator.

9. The enrollee device as claimed in claim 1, wherein the enrollee processor:
receives encoded configurator test data from the configurator device; 
decodes the encoded configurator test data using the second shared key, and verifies whether the configurator test data was encoded by the second shared key at the configurator.

10. The enrollee device as claimed in claim 1, wherein the configurator processor:


generates configurator test data,
encodes the configurator test data using the second shared key, and

transfers the encoded configurator test data to the enrollee device;

wherein the enrollee processor:

decodes the encoded configurator test data using the second shared key,
verifies whether the configurator test data was encoded by the
second shared key at the configurator.

10. An enrollee method comprising: 
acquiring a data pattern, the data pattern representing a network public key; 
accessing a memory that includes the first enrollee public key and a corresponding first enrollee private key, and includes the second enrollee public key and a corresponding second enrollee private key,
deriving a first shared key based on the network public key and the first enrollee private key,
encoding the second enrollee public key using the first shared key,
generating a network access request, the network access request including the encoded second enrollee public key and the first enrollee public key,
transferring the network access request to a configurator device;
receiving a network access message from the configurator, the network access message comprising protected data;
deriving a second shared key based on the first enrollee private key, the second enrollee private key, and the network public key,
verifying that the protected data was cryptographically protected by the second shared key, and
engaging the secure communication based on the second enrollee private key and the protected data.

11. An enrollee method for use in a network system that provides wireless communication between network devices in an area
and secure communication according to a security protocol, the network system
comprising:

a network device executing the enrollee method to act as an enrollee device
according to the security protocol, and

a network device that acts as a configurator device according to the
security protocol for enabling access to the network by the enrollee device;

wherein the configurator device comprises:

a configurator communication unit that receives a network access request according to the security protocol, the network access request including an encoded second enrollee public key and a first enrollee public key, and

a configurator processor comprising a memory that has, for the configurator device, a configurator public key and a corresponding configurator private key and has, for the network system, a network public key and a
corresponding network private key,

wherein the configurator processor:

derives a first shared key based on the network private key and the first

enrollee public key,
decodes the encoded second enrollee public key using the first shared
key,

verifies that the encoded second enrollee public key was encoded
by the first shared key,

generates security data using the second enrollee public key and the
configurator private key,

derives a second shared key based on the first enrollee public key, the
second enrollee public key and the network private key,

protects cryptographically, using the second shared key, at least one of
the security data and configurator public key, and

generates a network access message according to the security protocol,
the network access message including at least one of the protected security data and
protected configurator public key;

wherein the enrollee method comprises:

acquiring a data pattern, the data pattern being provided in the area and representing the network public key;

accessing a memory that includes the first enrollee public key and a corresponding first enrollee private key,
and includes the second enrollee public key and a corresponding second
enrollee private key,

deriving the first shared key based on the network public key and
the first enrollee private key,

encoding second enrollee public key using the first shared key,

generating the network access request according to the security
protocol, the network access request including the encoded second enrollee public key
and the first enrollee public key,

transferring the network access request to the configurator device;

receiving the network access message in the form of action frames from
the configurator,

deriving the second shared key based on the first enrollee private key, the
second enrollee private key and the network public key,

verifying that at least one of the protected security data and the protected configurator public key was cryptographically protected by the second shared key, and

engaging the secure communication based on the second enrollee private
key and the security data.

11. The enrollee method as claimed in claim 10, comprising generating at least one of:
a first set of keys comprising the first enrollee public key and the corresponding first enrollee private key; and
a second set of keys comprising the second enrollee public key and the corresponding second enrollee private key.

12. The enrollee method as claimed in claim 11, comprising generating at least one of:

a first set of keys comprising a temporary enrollee public key and a
corresponding temporary enrollee private key, which first set of keys constitute the first
enrollee public key and the corresponding first enrollee private key; 

a second set of keys comprising a further temporary enrollee public key and a corresponding further temporary enrollee private key, which second set of keys constitute the second enrollee public key and the corresponding second enrollee private key.

12. The enrollee method as claimed in claim 10, wherein 

the protected data includes a configurator session key; 
wherein the enrollee method comprises engaging the secure communication based on the configurator session key.

13. The enrollee method as claimed in claim 11, wherein the configurator processor:

generates the security data by providing a configurator session key and

transfers the configurator session key to the enrollee device;

wherein the enrollee method comprises:

 receiving the configurator session key, and

engaging the secure communication based on the configurator
session key.

13. The enrollee method as claimed in claim 10, wherein the enrollee method comprises: 
receiving a configurator session public key from the configurator device, deriving a third shared key based on the second enrollee private key and the configurator session public key and engaging secure communication based on the third shared key.

14. The enrollee method as claimed in claim 11, wherein the configurator processor:

generates a configurator session public key and a corresponding configurator
session private key,

derives a third shared key based on the configurator session private key and the
second enrollee public key, and

transfers the configurator session public key to the enrollee device;

wherein the enrollee method comprises:

receiving the configurator session public key,

deriving the third shared key based on the second enrollee private
key and the configurator session public key and

engaging in secure communication based on the third shared key.

15. The enrollee method as claimed in claim 10, wherein the protected data includes a digital signature of the second enrollee public key using a configurator private key of the configurator device; 

wherein the enrollee method comprises: 
verifying, based on the digital signature and a configurator public key of the configurator device, whether the second enrollee public key was correctly signed and, if the second enrollee public key was correctly signed,
engaging the secure communication with a further device based on the second enrollee private key.
16. The enrollee method as claimed in claim 11, wherein the configurator processor:


generates the security data comprising a digital signature by digitally signing
the second enrollee public key with the configurator private key, and

transfers the digital signature to at least one of a third device and the enrollee device for enabling secure communication between the enrollee device and the third device;

wherein the enrollee method comprises:

receiving the digital signature,

verifying, based on the digital signature and the configurator public key, whether the second enrollee public key was correctly signed and,

if the second enrollee public key was correctly signed, engaging the secure communication based on the second enrollee private key.

16. The enrollee method as claimed in claim 10, wherein the enrollee method comprises: 
receiving a further public key and a further digital signature of the further public key of a further network device using the configurator private key of the configurator device,
verifying, based on the further digital signature and the configurator public key, whether the further public key was correctly signed and,
if the further public key was correctly signed, securely communicating with the further network device using the second enrollee private key and the further public key.

18. The enrollee method as claimed in claim 11, wherein the configurator processor:

generates further security data comprising a further digital signature by digitally
signing, with the configurator private key, a further public key of a further network
device;

wherein the enrollee method comprises:

receiving the further public key and the further digital signature,

verifying, based on the further digital signature and the configurator public
key, whether the further public key was correctly signed and,

if the further public key was correctly signed, securely communicating with
the further network device using the second enrollee private key and the further public
key.

17. The enrollee method as claimed in claim 10, wherein the enrollee method comprises:
generating enrollee test data,
encoding the enrollee test data using the second shared key, and
transferring the encoded enrollee test data to the configurator device.

19. The enrollee method as claimed in claim 11, wherein the configurator processor:

decodes encoded enrollee test data using the second shared key, 

verifies whether the enrollee test data was encoded by the second shared
key at the enrollee device;

wherein the enrollee method comprises:

generating the enrollee test data, encoding the enrollee test data using the second shared key, and

transferring the encoded enrollee test data to the configurator.

18. The enrollee method as claimed in claim 10, wherein the enrollee method comprises:
decoding encoded configurator test data using the second shared key, and
verifying whether the configurator test data was encoded by the second shared key at the configurator device.

20. The enrollee method as claimed in claim 11, wherein the configurator processor:

generates configurator test data,
encodes the configurator test data using the second shared key, and

transfers the encoded configurator test data to the enrollee device;

wherein the enrollee method comprises:

decoding the encoded configurator test data using the second
shared key, and

verifying whether the configurator test data was encoded by the second
shared key at the configurator.
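The key schedule recited in claim 1 of both columns above (a first shared key from the network public key and the first enrollee private key that hides the second enrollee public key, then a second shared key from both enrollee private keys and the network public key that protects the configurator's security data), played out end to end as an added illustration. This is not the applicant's or the patents' code; the DH group, the KDF and the HMAC-based encrypt-then-MAC "encoding" are constructed toy stand-ins for the protocol's real primitives, and the `Configurator`/`Enrollee` classes are hypothetical.

```python
"""Toy walk-through of the claim 1 exchange: the enrollee acquires the network
public key from a data pattern, hides its second public key under a first
shared key, and the configurator answers with security data protected by a
second shared key.  Added illustration; the DH group, KDF and HMAC-based
encrypt-then-MAC are constructed stand-ins, not a production cipher suite."""
import hashlib
import hmac
import secrets

# Constructed toy Diffie-Hellman group (2**127 - 1 is a Mersenne prime; the
# generator is chosen for illustration only).  Real systems use EC groups.
P = 2**127 - 1
G = 5
KEY_LEN = 16  # bytes needed to serialise one group element


def keygen():
    priv = secrets.randbelow(P - 2) + 1
    return pow(G, priv, P), priv


def dh(priv, pub):
    return pow(pub, priv, P).to_bytes(KEY_LEN, "big")


def kdf(label, *parts):
    # Label-separated derivation so k1, k2, enc and mac keys never collide.
    return hmac.new(label, b"".join(parts), hashlib.sha256).digest()


def protect(key, data):
    """'Encode' data under key: XOR with an HMAC keystream, then tag it."""
    stream = b"".join(hmac.new(kdf(b"enc", key), bytes([i]), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(data, stream))
    return ct + hmac.new(kdf(b"mac", key), ct, hashlib.sha256).digest()


def unprotect(key, blob):
    """The 'was encoded by this key' check: verify the tag before decrypting."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(kdf(b"mac", key), ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("data was not protected by the expected shared key")
    return protect(key, ct)[:-32]  # the XOR keystream is its own inverse


class Configurator:
    def __init__(self):
        self.net_pub, self.net_priv = keygen()  # network key pair
        self.cfg_pub, self.cfg_priv = keygen()  # configurator key pair
        self.session_key = None

    def data_pattern(self):
        # What the enrollee sensor acquires (e.g. a QR code): the network public key.
        return self.net_pub.to_bytes(KEY_LEN, "big")

    def handle_request(self, request):
        e1_pub = int.from_bytes(request[0], "big")
        k1 = kdf(b"k1", dh(self.net_priv, e1_pub))
        e2_pub = int.from_bytes(unprotect(k1, request[1]), "big")  # rejects a bad tag
        self.session_key = secrets.token_bytes(32)  # the security data (claim 3 style)
        k2 = kdf(b"k2", dh(self.net_priv, e1_pub), dh(self.net_priv, e2_pub))
        return protect(k2, self.session_key + self.cfg_pub.to_bytes(KEY_LEN, "big"))


class Enrollee:
    def __init__(self):
        self.e1_pub, self.e1_priv = keygen()
        self.e2_pub, self.e2_priv = keygen()
        self.net_pub = None

    def build_request(self, pattern):
        self.net_pub = int.from_bytes(pattern, "big")
        k1 = kdf(b"k1", dh(self.e1_priv, self.net_pub))
        return (self.e1_pub.to_bytes(KEY_LEN, "big"),
                protect(k1, self.e2_pub.to_bytes(KEY_LEN, "big")))

    def handle_message(self, msg):
        # The same k2 the configurator derived, reached from the enrollee's private keys.
        k2 = kdf(b"k2", dh(self.e1_priv, self.net_pub), dh(self.e2_priv, self.net_pub))
        plain = unprotect(k2, msg)
        return plain[:32], int.from_bytes(plain[32:], "big")


def run_enrollment(tamper=False):
    """True when both sides hold the same session key and the enrollee
    recovers the genuine configurator public key."""
    cfg, enr = Configurator(), Enrollee()
    e1_pub, enc_e2 = enr.build_request(cfg.data_pattern())
    if tamper:
        enc_e2 = bytes([enc_e2[0] ^ 1]) + enc_e2[1:]  # substituted second key
    msg = cfg.handle_request((e1_pub, enc_e2))
    session_key, cfg_pub = enr.handle_message(msg)
    return session_key == cfg.session_key and cfg_pub == cfg.cfg_pub


def tampered_request_rejected():
    """The configurator's first-shared-key check stops a modified request."""
    try:
        run_enrollment(tamper=True)
    except ValueError:
        return True
    return False
```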



Claims 1 – 4, 6 – 10, 15, 18 are rejected on the ground of non-statutory double patenting as being unpatentable over claims 1 – 4, 6, 7, 9 – 11, 17, 18 of U.S. Patent No. 10887310. Although the claims at issue are not identical, they are not patentably distinct from each other because the subject matter of the pending application and the patented subject matter are the same or similar in scope:
“An enrollee in a communication network can use the network by exchanging communication parameters with a configurator to access the network. The enrollee acquires a data pattern and derives a first shared key based on the network public key and the first enrollee private key, and encodes the second enrollee’s public key using the first shared key, where a network access request. The configurator derives the first shared key, and verifies whether the encoded second enrollee public key was encoded by the first shared key, and generates security data and cryptographically protects data using a second shared key, and generates a network access message. The enrollee processor further receives the second shared key and verifies whether the data was cryptographically protected, which allows for engaging in secure communication based on the second enrollee private key and the security data.”

	Also, see the table below for a claim-by-claim comparison. Each claim of pending US Application # 17/849773 is listed with the corresponding claim of US PAT # 10887310 immediately after it.
Pending US Application # 17/849773, claim 1:
1. An enrollee device comprising:

an enrollee wireless communication unit,

an enrollee sensor that acquires a data pattern, the data pattern representing
a network public key; and

an enrollee processor comprising a memory that includes a first enrollee public key and a corresponding first enrollee private key and includes a second enrollee public key and a corresponding second enrollee private key,

wherein the enrollee processor:

derives a first shared key based on the network public key and the first enrollee private key, 

encodes the second enrollee public key using the first shared key,

generates a network access request, the network access request including the encoded second enrollee public key and the first enrollee public key, 

transfers the network access request to a configurator device;

receives a network access message from the configurator device, 

wherein the network access message includes protected data that is encrypted at the configurator device using a second shared key,

derives the second shared key based on the first enrollee private key,

the second enrollee private key, and 

the network public key, verifies that the protected data was cryptographically protected by the second shared key, and

engages the secure communication based on the second enrollee private key and the protected data.

US PAT # 10887310, claim 1:
1. An enrollee device for use in a network system arranged for wireless communication between network devices in an area and for secure communication according to a security protocol, the network system comprising:

a first network device arranged to act as the enrollee device according to the security protocol for getting
access to the network, and

a second network device arranged to act as a configurator device according to the security protocol for enabling access to the network by the enrollee device; 

wherein the configurator device comprises a configurator communication unit arranged to receive, from the enrollee device, a network access request according to the security protocol, the network access request including an encoded second enrollee public key and a first enrollee public key, and a configurator processor comprising a memory arranged to have, for the configurator device, a configurator public key and a corresponding configurator private key and to have, for the network system, a network public key and a corresponding network private key, the configurator processor arranged to:

derive a first shared key based on the network private key and the first enrollee public key,

decode the encoded second enrollee public key using the first shared key,

verify whether the encoded second enrollee public key was encoded by the first shared key and,

generate security data using the second enrollee public key and the configurator private key,

derive a second shared key based on the first enrollee public key, the second enrollee public key and 

the network private key, protect cryptographically, using the second shared key, at least one of the security data and configurator public key, and

generate a network access message according to the security protocol, the network access message including
at least one of the protected security data and protected configurator public key;

the enrollee device comprising:

an enrollee wireless communication unit arranged for wireless communication;

an enrollee sensor arranged to:

acquire a data pattern via an out-of-band channel, the data pattern being provided in the area and representing the network public key; and

an enrollee processor comprising a memory arranged to have the first enrollee public key and a corresponding first enrollee private key and to have the second enrollee public key and a corresponding second enrollee private key, 

the enrollee processor arranged to:

derive the first shared key based on the network public key and the first enrollee private key, encode the second enrollee public key using the first shared key,
generate the network access request according to the security protocol, the network access request including the encoded second enrollee public key and the first enrollee public key, and

transfer the network access request to the configurator device via the enrollee wireless communication unit;

the enrollee processor further arranged to:

receive the network access message from the configurator via the enrollee wireless
communication unit, derive the second shared key based on the first enrollee private key, the second enrollee private key and the network public key,

verify whether at least one of the protected security data and the protected configurator public key was cryptographically protected by the second shared key, and;

engage the secure communication based on the second enrollee private key and the security data.


Pending US Application # 17/849773, claim 2:
2. The enrollee device as claimed in claim 1, wherein the enrollee processor generates at least one of: 

a first set of keys comprising the first enrollee public key and the first enrollee private key; 
a second set of keys comprising the second enrollee public key and the second enrollee private key.
US PAT # 10887310, claim 2:
2. The enrollee device as claimed in claim 1, wherein the enrollee processor is arranged to 


generate a temporary enrollee public key and a corresponding temporary
enrollee private key, which keys constitute the first enrollee public key and the corresponding first enrollee private key;
and

the enrollee processor is arranged to generate a further temporary enrollee public key and a corresponding
further temporary enrollee private key, which keys constitute the second enrollee public key and the corresponding
second enrollee private key.

Pending US Application # 17/849773, claim 3:
3. The enrollee device as claimed in claim 1, wherein the protected data comprises a configurator session key, and 

wherein the enrollee processor engages the secure communication based on the configurator session key.
US PAT # 10887310, claim 3:
3. The enrollee device as claimed in claim 1, the configurator processor being further arranged to 


generate the security data by
providing a configurator session key and transferring the configurator session key to the enrollee; 
wherein the enrollee processor is further arranged to receive the configurator session key and

engage the secure communication based on the configurator session key.

Pending US Application # 17/849773, claim 4:
4. The enrollee device as claimed in claim 1, wherein the enrollee processor: 

derives a third shared key based on the second enrollee private key and a configurator session public key provided by the configurator device, and 


engages secure communication based on the third shared key.
US PAT # 10887310, claim 4:
4. The enrollee device as claimed in claim 1, the configurator processor being further arranged to 

generate a configurator session public key and a corresponding configurator session private key, derive a third shared key based on the configurator session private key and the second enrollee public key, and

transfer the configurator session public key to the enrollee;

wherein the enrollee processor is further arranged to receive the configurator session public key,

derive the third shared key based on the second enrollee private key and the configurator session public key and


engage secure communication based on the third shared key.

Pending US Application # 17/849773, claim 6:
6. The enrollee device as claimed in claim 1, wherein the protected data includes a digital signature of the second enrollee public key using a configurator private key of the configurator device, wherein the enrollee processor: 

verifies, based on the digital signature and a configurator public key of the configurator device, whether the second enrollee public key was correctly signed and, if the second enrollee public key was correctly signed,
 
engages the secure communication based on the second enrollee private key.
US PAT # 10887310, claim 6:
6. The enrollee device as claimed in claim 1, the configurator processor being further arranged to 


generate the security data comprising a digital signature by digitally signing the second enrollee public key with the configurator private key, 

to transfer the digital signature to a third device or to the enrollee for enabling secure communication between the enrollee and the third device;

wherein the enrollee processor is further arranged to receive the digital signature,
verify, based on the digital signature and the configurator public key, whether the second enrollee public key was
correctly signed and,

engage the secure communication based on the second enrollee private key.


Pending US Application # 17/849773, claim 7:
7. The enrollee device as claimed in claim 1, wherein the enrollee processor: 
receives a further public key and a further digital signature of the further public key using a configurator private key of the configurator device, verifies, based on the further digital signature and the configurator public key, whether the further public key was correctly signed and,
if the further public key was correctly signed, securely communicates with a further network device using the second enrollee private key and the further public key.

US PAT # 10887310, claim 7:
7. The enrollee device as claimed in claim 6, wherein the network system comprises a further network device arranged to
obtain the configurator public key,
receive the digital signature and the second enrollee public key,

verify, based on the digital signature and the configurator public key, whether the second enrollee public key was
correctly signed and,

engage the secure communication with the enrollee device based on the second enrollee public key.

Pending US Application # 17/849773, claim 8:
8. The enrollee device as claimed in claim 1, wherein the enrollee processor: 
generates enrollee test data, encodes the enrollee test data using the second shared key, and 
transfers the encoded enrollee test data to the configurator device for verification by the configurator device.

US PAT # 10887310, claim 9:
9. The enrollee device as claimed in claim 1, the configurator processor being further arranged to decode encoded enrollee test data using the second shared key,

verify whether the enrollee test data was encoded by the second shared key at the enrollee; wherein the enrollee processor is further arranged to generate the enrollee test data,

encode the enrollee test data using the second shared key,

transfer the encoded enrollee test data to the configurator.

Pending US Application # 17/849773, claim 9:
9. The enrollee device as claimed in claim 1, wherein the enrollee processor:
receives encoded configurator test data from the configurator device; 
decodes the encoded configurator test data using the second shared key, and 

verifies whether the configurator test data was encoded by the second shared key at the configurator.

US PAT # 10887310, claim 10:
10. The enrollee device as claimed in claim 4, the configurator processor being further arranged to generate configurator test data,

encode the configurator test data using the second shared key,

transfer the encoded configurator test data to the enrollee;

wherein the enrollee processor is further arranged to decode the encoded configurator test data using the second shared key,

verify whether the configurator test data was encoded by the second shared key at the configurator.

Pending US Application # 17/849773, claim 10:
10. An enrollee method comprising: 
acquiring a data pattern, the data pattern representing a network public key; 
accessing a memory that includes the first enrollee public key and a corresponding first enrollee private key, and includes the second enrollee public key and a corresponding second enrollee private key,
deriving a first shared key based on the network public key and the first enrollee private key,
encoding the second enrollee public key using the first shared key,
generating a network access request, the network access request including the encoded second enrollee public key and the first enrollee public key,
transferring the network access request to a configurator device;
receiving a network access message from the configurator, the network access message comprising protected data;
deriving a second shared key based on the first enrollee private key, the second enrollee private key, and the network public key,
verifying that the protected data was cryptographically protected by the second shared key, and
engaging the secure communication based on the second enrollee private key and the protected data.

US PAT # 10887310, claim 11:
11. Enrollee method for use in a network system arranged for wireless communication between network devices in an area and for secure communication according to a security protocol, the network system comprising:

a first network device executing the enrollee method to act as an enrollee device according to the security protocol
for getting access to the network, and
a second network device arranged to act as a configurator device according to the security protocol for enabling
access to the network by the enrollee device;

wherein the configurator device comprises:

a configurator communication unit arranged to receive, from the enrollee device, a network access request according to the security protocol, the network access request including an encoded second enrollee public key and a first enrollee public key, and

a configurator processor comprising a memory arranged to have, for the configurator device, a configurator public
key and a corresponding configurator private key and to have, for the network system, a network public key and a
corresponding network private key,

the configurator processor arranged to:

derive a first shared key based on the network private key and the first enrollee public key,

decode the encoded second enrollee public key using the first shared key,
verify whether the encoded second enrollee public key was encoded by the first shared key and,

generate security data using the second enrollee public key and the configurator private key,

derive a second shared key based on the first enrollee public key, the second enrollee public key and the network
private key,

protect cryptographically, using the second shared key, at least one of the security data and configurator public key,
and

generate a network access message according to the security protocol, the network access message including at least one of the protected security data and protected configurator public key;

the enrollee method comprising:

storing the first enrollee public key and a corresponding first enrollee private key and the second enrollee public key
and a corresponding second enrollee private key,

acquiring a data pattern via an out-of-band channel, the data pattern being provided in the area and representing the
network public key,

deriving the first shared key based on the network public key and the first enrollee private key,

encoding the second enrollee public key using the first shared key,

generating the network access request according to the security protocol, the network access request including the
encoded second enrollee public key and the first enrollee public key, and

transferring the network access request to the configurator device via the enrollee wireless communication unit;

the enrollee method further comprising

receiving the network access message from the configurator,

deriving the second shared key based on the first enrollee private key, the second enrollee private key and the
network public key,

verifying whether at least one of the protected security data and the protected configurator public key was
cryptographically protected by the second shared key, and;

engaging the secure communication based on the second enrollee private key and the security data.

Pending US Application # 17/849773, claim 15:
15. The enrollee method as claimed in claim 10, wherein the protected data includes a digital signature of the second enrollee public key using a configurator private key of the configurator device, and; 
wherein the enrollee method comprises: 
verifying, based on the digital signature and a configurator public key of the configurator device, whether the second enrollee public key was correctly signed and, if the second enrollee public key was correctly signed, 

engaging the secure communication with a further device based on the second enrollee private key.
US PAT # 10887310, claim 17:
17. The configurator device as claimed in claim 13, the enrollee processor being further arranged for using further security data by receiving a further public key and a further digital signature,



verifying, based on the further digital signature and the configurator public key, whether the further public key was correctly signed and,

securely communicating with a further network device using the second enrollee private key and the further public
key;

wherein the configurator processor is further arranged to generate the further security data comprising the further
digital signature by digitally signing, with the configurator private key, the further public key of the further network
device.


Pending US Application # 17/849773, claim 18:
18. The enrollee method as claimed in claim 10, wherein the enrollee method comprises:
decoding encoded configurator test data using the second shared key, and
verifying whether the configurator test data was encoded by the second shared key at the configurator device.

US PAT # 10887310, claim 18:
18. The configurator device as claimed in claim 13, the enrollee processor being further arranged to

generate enrollee test data, encode the enrollee test data using the second shared key,

transfer the encoded enrollee test data to the configurator;

wherein the configurator processor is further arranged to

decode the encoded enrollee test data using the second shared key,

verify whether the enrollee test data was encoded by the second shared key at the enrollee.
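The exchange compared above (pending claim 1 against patented claim 1, with the enrollee test-data step of pending claim 8 and the session-key security data of claim 3), as an added worked example. This code is not part of the Office action, the patent or the applicant's specification; it instantiates the claim language with concrete primitives that the claims themselves do not specify and that are assumptions here: X25519 (RFC 7748, written out in pure Python so the block runs with the standard library alone) for the shared-key derivations, HMAC-SHA256 for key derivation, and an HMAC-based encrypt-then-MAC construction standing in for "encode" and "verify whether ... was encoded by". The message labels and layouts are invented for the example, and the digital-signature variants of claims 6, 7, 15 and 17 are not shown.

```python
import hashlib
import hmac
import os

# X25519 key agreement, RFC 7748 section 5, written out in pure Python.
P = 2**255 - 19
A24 = 121665                                   # (486662 - 2) / 4
BASEPOINT = (9).to_bytes(32, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder: u-coordinate of scalar * u on Curve25519."""
    kb = bytearray(scalar)
    kb[0] &= 248; kb[31] &= 127; kb[31] |= 64   # clamp the private scalar
    k = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair():
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


# Assumed symmetric constructions (HMAC-SHA256, stdlib only), not from the claims.
def kdf(label: bytes, *shared_secrets: bytes) -> bytes:
    """32-byte key from one or more X25519 outputs, separated by a label."""
    return hmac.new(b"".join(shared_secrets), label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]


def encode(key: bytes, label: bytes, msg: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || (msg XOR keystream) || HMAC(label||nonce||ct)."""
    nonce = os.urandom(16)
    ct = bytes(m ^ s for m, s in zip(msg, _keystream(key, nonce, len(msg))))
    tag = hmac.new(key, label + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decode(key: bytes, label: bytes, blob: bytes):
    """The claims' 'verify': msg if blob was encoded under key, else None."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, label + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


def run_exchange(tamper: bool = False):
    """Enrollee/configurator flow of claim 1; None when a verification fails."""
    n_priv, n_pub = keypair()        # configurator: network key pair
    _c_priv, c_pub = keypair()       # configurator: configurator key pair
    e1_priv, e1_pub = keypair()      # enrollee: first key pair
    e2_priv, e2_pub = keypair()      # enrollee: second key pair
    scanned_n_pub = n_pub            # enrollee sensor reads the data pattern (e.g. QR)
    # Enrollee: first shared key, encode e2_pub, send the network access request.
    k1_e = kdf(b"first", x25519(e1_priv, scanned_n_pub))
    enc_e2_pub = encode(k1_e, b"request", e2_pub)
    if tamper:                       # an attacker alters the request in flight
        enc_e2_pub = enc_e2_pub[:20] + bytes([enc_e2_pub[20] ^ 1]) + enc_e2_pub[21:]
    # Configurator: first shared key from n_priv and e1_pub; decode and verify.
    k1_c = kdf(b"first", x25519(n_priv, e1_pub))
    e2_pub_c = decode(k1_c, b"request", enc_e2_pub)
    if e2_pub_c is None:
        return None                  # not encoded under k1: no access message
    # Configurator: second shared key; security data is a session key (claim 3),
    # protected together with c_pub in the network access message.
    k2_c = kdf(b"second", x25519(n_priv, e1_pub), x25519(n_priv, e2_pub_c))
    session_key = os.urandom(32)
    access_message = encode(k2_c, b"access", session_key + c_pub)
    # Enrollee: second shared key from e1_priv, e2_priv and n_pub; verify; engage.
    k2_e = kdf(b"second", x25519(e1_priv, scanned_n_pub), x25519(e2_priv, scanned_n_pub))
    plain = decode(k2_e, b"access", access_message)
    if plain is None:
        return None
    session_key_e, c_pub_e = plain[:32], plain[32:]
    test = encode(k2_e, b"test", b"enrollee test data")   # pending claim 8
    return {
        "first_key_agrees": k1_e == k1_c,
        "second_key_agrees": k2_e == k2_c,
        "session_key_received": session_key_e == session_key,
        "configurator_pub_received": c_pub_e == c_pub,
        "enrollee_test_verified": decode(k2_c, b"test", test) == b"enrollee test data",
    }
```

`run_exchange()` returns a dictionary of checks that are all True when both sides agree on the first and second shared keys; `run_exchange(tamper=True)` shows the configurator refusing a request whose encoded second enrollee public key no longer verifies under the first shared key. Note what each key proves: the first shared key only demonstrates that the sender read the network public key out of band and holds the first private key, while the second shared key additionally binds the second key pair, so only a party holding both enrollee private keys can read the session key in the network access message.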



Claim Rejections – 35 USC § 101
NO rejections warranted at applicant’s initial time of filing for patent. 
Claim Rejections - 35 USC § 102
NO rejections warranted at applicant’s initial time of filing for patent. 
Claim Rejections - 35 USC § 103
NO rejections warranted at applicant’s initial time of filing for patent. 
Allowable Subject Matter
Claim[s] 1 – 18 contain allowable subject matter. As allowable subject matter has been indicated, applicant's reply must either comply with all formal requirements or specifically traverse each requirement not complied with.  See 37 CFR 1.111(b) and MPEP § 707.07(a).
***Reasons for allowance are forthcoming in the next Office action once all formal requirements have been met. 
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DANT SHAIFER - HARRIMAN whose telephone number is (571)272-7910. The examiner can normally be reached M - F: 9am to 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand, can be reached on 571-272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/DANT B SHAIFER HARRIMAN/          Primary Examiner, Art Unit 2434