DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Applicant's amendments filed on 12/02/2022 have been received and entered. Currently, claims 2-21 are pending.

Information Disclosure Statement
The information disclosure statement (IDS) submitted by applicant dated 12/02/2022 has been considered by the examiner.

Response to Arguments
Applicant argues on pages 9-10 of applicant’s remarks that Ali, whether taken alone or in combination with Adams and Ohmori, fails to teach or suggest “deriving a recovery element derived encryption key based at least in part on the at least one recovery element” as recited in the claims.
The examiner respectfully disagrees.  Ali teaches encryption server recovery master key (e.g. a recovery element) can also be used to generate secret keys (e.g. a recovery element derived encryption key) to be used for encryption. The encryption server recovery master key is thus indirectly used for the encryption of the unique encryption key Ku ([0047]).  Therefore, Ali teaches limitations of the claims.

Applicant argues on pages 10-11 of applicant’s remarks that Ali, whether taken alone or in combination with Adams and Ohmori, also fails to teach or suggest "encrypting the master encryption key stored in the temporary memory using the recovery element derived encryption key..." as recited in the claims.
The examiner respectfully disagrees.  Ali teaches encryption server recovery master key (e.g. a recovery element) can also be used to generate secret keys (e.g. a recovery element derived encryption key) to be used for encryption. The encryption server recovery master key is thus indirectly used for the encryption of the unique encryption key Ku (e.g. a master encryption key) ([0047]).  Ali teaches the encrypted unique encryption key Ku is stored in memory ([0014]).  Ali further teaches the unique encryption key Ku is used to encrypt files ([0045]-[0046]).  Ali does not explicitly disclose the unique encryption key Ku stored in temporary memory.  In an analogous art, Adams teaches encrypting a master key stored in temporary memory and then discarding the plaintext master key ([0089], [0124]).  It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Ali with the teachings of Adams to include discarding the master key after encrypting the master key in order to protect the master key from malicious entities by not persistently storing the master key.  Therefore, Ali in view of Adams teaches limitations of the claims.

Applicant argues on page 11 of applicant’s remarks that Ali, whether taken alone or in combination with Adams and Ohmori, also fails to teach or suggest “receiving…at least one recovery element, wherein the at least one recovery element represents communication channel information for a user of the computing device” as recited in the claims.
The examiner respectfully disagrees.  Ohmori teaches receiving telephone number (e.g. a recovery element), wherein a master password is encrypted using the telephone number ([0063], [0066]).  It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Ali in view of Adams with the teachings of Ohmori to include receiving a recovery element and encrypting a master key using the received recovery element such as a phone number in order to encrypt the master key using a user defined recovery element.  Therefore, Ali in view of Adams and Ohmori teaches limitations of the claims.

Applicant argues on page 11 of applicant’s remarks that no motivation exists to combine Ali with Adams in the manner suggested by the Examiner. Ali is directed to a method for managing modifications of encryption credentials, whereas Adams is directed to maintaining encryption keys. Therefore, a person of ordinary skill in the art attempting to manage modifications of encryption credentials, as discussed in Ali, would have had no motivation to combine Ali with Adams, which is directed to maintaining encryption keys.
In response to applicant’s argument that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art.  See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007).
Ali is directed to key recovery by encrypting a master key with a recovery element.  In an analogous art, Adams is also directed to key recovery by encrypting a master key with a recovery element.  It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Ali with the teachings of Adams to include discarding the master key after encrypting the master key in order to protect the master key from malicious entities by not persistently storing the master key.  

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2-4, 6-7, 9-11, 13-14, 16-18 and 20-21 are rejected under 35 U.S.C. 103 as being unpatentable over Ali et al. US2015/0372814 hereinafter referred to as Ali, in view of Adams et al. US2019/0222419 hereinafter referred to as Adams, and Ohmori et al. US2004/0133812 hereinafter referred to as Ohmori.
As per claim 2, Ali teaches a computer-implemented method comprising: receiving, from a computing device, a password (Ali paragraph [0014], [0041]-[0042], [0043], receive encryption credential password); 
deriving a password derived encryption key based at least in part on the password (Ali paragraph [0018], [0024], derive key based on password); 
deriving a recovery element derived encryption key based at least in part on the at least one recovery element (Ali paragraph [0047]-[0049], derive recovery key based on recovery element); 
encrypting a master encryption key stored in memory using the password derived encryption key to generate a password encryption key cipher for storage in non-transitory memory (Ali paragraph [0014], [0024], [0044], encrypt user master key with password derived key); 
encrypting the master encryption key stored in the memory using the recovery element derived encryption key to generate a recovery element encryption key cipher for storage in the non-transitory memory, wherein the master encryption key is utilized for encrypting underlying data (Ali paragraph [0014], [0045]-[0046], [0047]-[0049], encrypt user master key with recovery derived key. The user master key is used to encrypt user files).
Ali does not explicitly disclose upon encrypting master encryption key using password derived encryption key and recovery element derived encryption key, clearing the master encryption key from temporary memory.
Adams teaches upon encrypting master encryption key using password derived encryption key and recovery element derived encryption key, clearing the master encryption key from temporary memory (Adams paragraph [0078]-[0079], [0088]-[0089], [0105], [0124], claim 4, data and operations are performed using volatile memory.  Encrypt master key with password derived key, encrypt master key with recovery derived key, discarding the master key after the encryptions.).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Ali with the teachings of Adams to include discarding the master key after encrypting the master key in order to protect the master key from malicious entities by not persistently storing the master key.
Ali in view of Adams does not explicitly disclose receiving, at least one recovery element, wherein the at least one recovery element represents communication channel information for a user of computing device.
Ohmori teaches receiving, at least one recovery element, wherein the at least one recovery element represents communication channel information for a user of computing device (Ohmori paragraph [0063], [0066], receive phone number, encrypt master password using phone number).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Ali in view of Adams with the teachings of Ohmori to include receiving a recovery element and encrypting a master key using the received recovery element such as a phone number in order to encrypt the master key using a user defined recovery element.

As per claim 3, Ali in view of Adams and Ohmori teaches the computer-implemented method of claim 2, further comprising storing the password encryption key cipher and the recovery element encryption key cipher in association with a unique ID associated with the user (Ali paragraph [0012], [0041], [0044], [0047]-[0049], [0051], [0053], store the encrypted master keys in association with the user account indicated by the username) (It is obvious to one of ordinary skill in the art that usernames are unique).

As per claim 4, Ali in view of Adams and Ohmori teaches the computer-implemented method of claim 2, wherein the at least one recovery element comprises at least one of: an email address, a mobile phone number, a landline phone number, a social media account identifier or a messaging application account identifier (Ohmori paragraph [0063], [0066], phone number).  

As per claim 6, Ali in view of Adams and Ohmori teaches the computer-implemented method of claim 2, further comprising: determining the recovery element derived encryption key based on the at least one recovery element; and decrypting the recovery element encryption key cipher to produce the master encryption key using the recovery element derived encryption key (Ali paragraph [0047]-[0049], [0057], determine recovery key and decrypt encrypted user master key; Adams paragraph [0080], [0114]-[0115], determine recovery key and decrypt encrypted master key; Ohmori paragraph [0083]-[0085]).

As per claim 7, Ali in view of Adams and Ohmori teaches the computer-implemented method of claim 2, further comprising: determining the password derived encryption key based on the password; and decrypting the password encryption key cipher to produce the master encryption key using the password derived encryption key (Ali paragraph [0018], [0024], [0051], determine password key and decrypt encrypted user master key; Adams paragraph [0075], [0093]-[0094], determine password key and decrypt encrypted master key).  

As per claims 9-11, 13-14, 16-18 and 20-21, the claims claim an apparatus and a non-transitory computer readable storage medium essentially corresponding to the method claims 2-4 and 6-7 above, and they are rejected, at least for the same reasons.

Claims 5, 12 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Ali in view of Adams and Ohmori, and further in view of Ramalingam et al. US2017/0070510 hereinafter referred to as Ramalingam.
As per claim 5, Ali in view of Adams and Ohmori teaches the computer-implemented method of claim 2, authenticated user to the master encryption key and determining the recovery element derived encryption key based at least in part on the recovery element (Ali paragraph [0047], [0054], [0055]-[0057], user is authenticated to access the user master key, determine the recovery key; Adams paragraph [0105], [0114]-[0115], determine recovery key; Ohmori paragraph [0063], [0066], encrypt master password using phone number).
Ali in view of Adams and Ohmori does not explicitly disclose further comprising: receiving, from computing device, data indicative of at least one recovery element; 
utilizing a verification instrument associated with the at least one recovery element to establish user of the computing device as an authenticated user; and 
upon verifying the user as the authenticated user, granting access.  
Ramalingam teaches further comprising: receiving, from computing device, data indicative of at least one recovery element (Ramalingam paragraph [0045], [0049]-[0050], sending verification code to user via SMS) (It is obvious to one of ordinary skill in the art that the recovery system receives a phone number from the user in order to send the verification code to the user via SMS); 
utilizing a verification instrument associated with the at least one recovery element to establish user of the computing device as an authenticated user (Ramalingam paragraph [0050], [0055], verifying the verification code and grants access); and 
upon verifying the user as the authenticated user, granting access (Ramalingam paragraph [0050], [0055], verifying the verification code and grants access).  
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Ali in view of Adams and Ohmori with the teachings of Ramalingam to include authenticating users such as using a challenge/response authentication method before granting access in order to allow only authenticated users access to their master user key.

As per claims 12 and 19, the claims claim an apparatus and a non-transitory computer readable storage medium essentially corresponding to the method claim 5 above, and they are rejected, at least for the same reasons.

Claims 8 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Ali in view of Adams and Ohmori, and further in view of Nabi et al. US2019/0295185 hereinafter referred to as Nabi.
As per claim 8, Ali in view of Adams and Ohmori teaches the computer-implemented method of claim 2, further comprising: retrieving a corresponding recovery element encryption key cipher (Ali paragraph [0056]-[0057], retrieve encrypted user master key; Adams paragraph [0080], [0114]-[0115], retrieve encrypted master key; Ohmori paragraph [0083]-[0085]);
processing the at least one recovery element to derive the recovery element derived encryption key (Ali paragraph [0047]-[0049], [0056]-[0057], derive recovery key; Adams paragraph [0080], [0114]-[0115], determine recovery key; Ohmori paragraph [0083]-[0085]);
decrypting the corresponding recovery element encryption key cipher to produce the master encryption key using the recovery element derived encryption key (Ali paragraph [0047]-[0049], [0057], determine recovery key and decrypt encrypted user master key; Adams paragraph [0080], [0114]-[0115], determine recovery key and decrypt encrypted master key; Ohmori paragraph [0083]-[0085]); 
encrypting the master encryption key using a new password received from the computing device (Ali paragraph [0017], [0055], [0057], enter new password and encrypt user master key with the new password; Adams paragraph [0061], [0066], encrypt master key with new password).  
Ali in view of Adams and Ohmori does not explicitly disclose receiving, from computing device, data indicative of at least one recovery element and a user identifier; 
retrieving data based at least in part on the user identifier.
Nabi teaches receiving, from computing device, data indicative of at least one recovery element and a user identifier (Nabi paragraph [0030], receive username and email address); 
retrieving data based at least in part on the user identifier (Nabi paragraph [0030], retrieve data to send to the user) (It is obvious to one of ordinary skill in the art that the username is used to look up the user account in order to retrieve the user data).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Ali in view of Adams and Ohmori with the teachings of Nabi to include receiving a recovery element and a user id and retrieving data based on the user id because the results would have been predictable and resulted in the user entering a recovery element and a user id and retrieving data such as an encrypted master password based on the user id.

As per claim 15, the claim claims an apparatus essentially corresponding to the method claim 8 above, and it is rejected, at least for the same reasons.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HENRY TSANG whose telephone number is (571)270-7959. The examiner can normally be reached M-F 8am - 5pm EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on (571) 272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/HENRY TSANG/             Primary Examiner, Art Unit 2495