DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


1. The following is a non-Final Office Action in response to applicant’s arguments/filing filed on June 7, 2021.
Claims 1-20 are pending.


Information Disclosure Statement
The information disclosure statement (IDS) submitted on 10/1/2021 was filed prior to the mailing date of the first office action.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

The information disclosure statement (IDS) submitted on 6/7/2021 was filed prior to the mailing date of the first office action.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
The information disclosure statement (IDS) submitted on 7/30/2021 was filed prior to the mailing date of the first office action.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.


Drawings
Acknowledgment is made of applicant’s drawings submitted on 6/7/2021.

Oath/Declaration
Acknowledgment is made of applicant’s oath submitted on 6/7/2021.

Application Data Sheet
Acknowledgment is made of applicant’s application data sheet submitted on 6/7/2021.



Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/forms/. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1, 9, and 16 are rejected on the ground of nonstatutory double patenting over claims 1, 7, and 11 of U.S. Patent No. 11063914 and claims 1, 9, and 14 of U.S. Patent No. 9374344 since the claims, if allowed, would improperly extend the "right to exclude" already granted in the patent.
The subject matter claimed in the instant application is fully disclosed in the patent and is covered by the patent since the patent and the application are claiming common subject matter, as follows: 

Instant Application claims 1, 9, and 16, followed by claims 1, 7, and 11 of U.S. Patent No. 11063914:
1. A system, comprising: a key cache; at least one processor; and memory storing instructions configured to instruct the at least one processor to: load a first set of keys into the key cache; provide the first set of keys to an external site; receive first data; encrypt the first data with the first set of keys; authenticate the external site; after authenticating the external site, send the encrypted first data to the external site; request, from the external site, the encrypted first data; in reply to the request, receive, from the external site, the encrypted first data; and decrypt the received encrypted first data with the first set of keys.

9. A method, comprising: providing, by at least one processor, a first set of keys to an external site; authenticating the external site; receiving first data from a data storage; encrypting, by the at least one processor, the first data with the first set of keys; after authenticating the external site, sending the encrypted first data to the external site; requesting, by the at least one processor, the encrypted first data from the external site; receiving the encrypted first data; and decrypting the received encrypted first data with the first set of keys.

16. A method, comprising: loading a first set of keys into a first computing device; providing a second set of keys to an external site; decrypting, by the first computing device using the first set of keys, first data obtained from a data storage; encrypting, by a second computing device, the first data using the second set of keys; authenticating the external site using an authentication code; after authenticating the external site, sending the encrypted first data over a network to the external site; requesting the first data from the external site; receiving, over the network, encrypted first data from the external site; and decrypting the received encrypted first data from the external site with the second set of keys using the second computing device.

Claims of U.S. Patent No. 11063914:
1. A method, comprising: loading, by a key manager, a first set of keys into a security device, the security device comprising at least one processor and memory; providing the first set of keys to an external site, wherein the external site is a data center or storage site; authenticating the external site using an authentication code prior to sending data to the external site; receiving first data from a data storage; encrypting the first data with the first set of keys; sending, over a network, the encrypted first data to the external site, wherein the external site is configured to decrypt the first data using the first set of keys, and wherein the external site is further configured to store data received from each of a plurality of data sources including the data storage; requesting the encrypted first data from the external site; receiving, over the network, the encrypted first data; and decrypting the received encrypted first data with the first set of keys using the security device.
7. A method, comprising: loading, by a first key manager, a first set of keys into a first security device, wherein the first security device comprises at least one processor and memory; providing a second set of keys to an external site; authenticating the external site using an authentication code prior to sending data to the external site; decrypting, by the first security device using the first set of keys, first data obtained from a data storage; encrypting, by a second security device, the first data using the second set of keys, wherein the second security device comprises at least one processor and memory; sending the encrypted first data over a network to the external site, wherein the external site is configured to decrypt the first data using the second set of keys, and wherein the external site is further configured to store data received from each of a plurality of data sources including the data storage; requesting the first data from the external site, wherein the external site is further configured to encrypt the first data using the second set of keys; receiving, over the network, encrypted first data from the external site; and decrypting the received encrypted first data from the external site with the second set of keys using the second security device.
11. A system, comprising: at least one processor; and memory storing instructions configured to instruct the at least one processor to: load a first set of keys into a key cache; provide the first set of keys to an external site; authenticate the external site using an authentication code prior to sending data to the external site; receive first data from an internal network; encrypt the first data with the first set of keys; provide the encrypted first data for sending by transport network equipment over a network to the external site, wherein the external site is configured to store data received from each of a plurality of data sources including the internal network; request the encrypted first data from the external site; receive the encrypted first data from the external site; and decrypt the received encrypted first data with the first set of keys.



Instant Application claims 1, 9, and 16, followed by claims 1, 9, and 14 of U.S. Patent No. 9374344:
1. A system, comprising: a key cache; at least one processor; and memory storing instructions configured to instruct the at least one processor to: load a first set of keys into the key cache; provide the first set of keys to an external site; receive first data; encrypt the first data with the first set of keys; authenticate the external site; after authenticating the external site, send the encrypted first data to the external site; request, from the external site, the encrypted first data; in reply to the request, receive, from the external site, the encrypted first data; and decrypt the received encrypted first data with the first set of keys.

9. A method, comprising: providing, by at least one processor, a first set of keys to an external site; authenticating the external site; receiving first data from a data storage; encrypting, by the at least one processor, the first data with the first set of keys; after authenticating the external site, sending the encrypted first data to the external site; requesting, by the at least one processor, the encrypted first data from the external site; receiving the encrypted first data; and decrypting the received encrypted first data with the first set of keys.

16. A method, comprising: loading a first set of keys into a first computing device; providing a second set of keys to an external site; decrypting, by the first computing device using the first set of keys, first data obtained from a data storage; encrypting, by a second computing device, the first data using the second set of keys; authenticating the external site using an authentication code; after authenticating the external site, sending the encrypted first data over a network to the external site; requesting the first data from the external site; receiving, over the network, encrypted first data from the external site; and decrypting the received encrypted first data from the external site with the second set of keys using the second computing device.

Claims of U.S. Patent No. 9374344:
1. A method, comprising: receiving first data from an internal network of a first data source; loading, by a key manager, a first set of keys into a first security device associated with the first data source; encrypting the first data with the first set of keys using the first security device; receiving, by transport network equipment from the first security device, the encrypted first data; sending, by the transport network equipment, over an external network, the encrypted first data to an external site that stores data received from each of a plurality of data sources; after the sending to the external site, requesting the encrypted first data from the external site; in response to the requesting, receiving, by the transport network equipment, over the external network, the encrypted first data; decrypting, by the first security device using the first set of keys, the received encrypted first data; and providing, from the first security device, the decrypted first data to the internal network.

9. A method, comprising: loading, by a first key manager, a first set of keys into a first security device; decrypting, by the first security device using the first set of keys, first data obtained from a data storage; encrypting, by a second security device, the first data using a second set of keys; receiving, by transport network equipment from the second security device, the encrypted first data; and sending, by the transport network equipment, over an external network, the encrypted first data to an external site that stores data received from each of a plurality of data sources.

14. A system, comprising: transport network equipment configured to communicate with an external site that stores encrypted data provided from each of a plurality of data sites, including a first data site; a security device, coupled to receive first data from an internal network of the first data site, the security device configured to: encrypt the first data with a first set of keys, provide the encrypted first data for sending by the transport network equipment over an external network for storage the external site, receive, via the transport network equipment, over the external network, the encrypted first data from the external site, decrypt, using the first set of keys, the received encrypted first data, and provide the decrypted first data to the internal network; and a first key manager configured to load the first set of keys into the security device.




Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.


1.) Claims 9, 11, 14, and 15 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by IDS supplied reference, US 20100254537, Buer 
In regards to claim 9, Buer teaches a method, comprising:
providing, by at least one processor, a first set of keys to an external site (see US 20100254537, Buer, fig. 2A and para. 0031, 0033: [0031] - In embodiment, key server 310 serves the encrypted keys, the authentication tag, and/or the index to the host…In this embodiment, key server 310 includes a plurality of key encryption keys which are transmitted to key cache 206 of general purpose of cryptography engine 200 via a secure channel. {note: where a key server [310] [i.e. key manager] sends keys to host [1st external site] and the GPE [i.e. 2nd external site] for storage} [0033] - General purpose cryptography engine 200 also includes a Direct Memory Access (DMA) engine 208, Peripheral Component Interconnect (PCI) interface 210, general purpose interface 214, Universal Serial Bus (USB) interface 250 and buses 212a-c that enable general purpose cryptography engine 200 to communicate with external devices such as host 100 and key server 310 (FIGS. 3 and 4). Interface 214 includes but is not limited to a Universal Asynchronous Receiver Transmitter (UART) interface, an (Inter-IC) I2C interface, a Serial Port Interface (SPI) and a general purpose input/output (GPIO) interface. Buses 212a-c include but are not limited to one or more of PCI, USB, I2C, SPI, UART, GPIO buses);
authenticating the external site (US 20100254537, Buer, para. 0025: In an embodiment, key manager 204 authenticates host 100 for every block of data that is to be cryptographically processed using an authentication tag. The authentication tag used to authenticate a process on host 100 may be a static password or a dynamic one time password (OTP) or a shared secret that is static or rolling and is a predefined length (e.g., 64-bits).);
receiving first data from a data storage (see US 20100254537, Buer, para. 0040 and 0045: [0040] - In step 506, a request is received from the host to encrypt or decrypt a block of data. The request includes an encrypted key and a key handle. For example, general purpose cryptography engine 200 receives a request to encrypt or decrypt data 104 from host 100 along with encrypted key 302a and key handle 300. As shown in FIG. 3B, host 100 is configured to communicate key handle 300, encrypted key 302 and data to be processed 104, to security processing unit 202 via bus 106. Key handle 300 includes an authentication tag and an index to reference a key encryption key 304a that can decrypt encrypted key 302a. [0045] - In step 516, the data received in step 506 is cryptographically processed using the plaintext key. For example, data 104 is cryptographically processed using key 102 to generate processed data 112. As shown in FIG. 3D, key manager 204 is configured to send plaintext key 102 to security processing unit 202. Security processing unit 202 is configured to process data 104 using plaintext key 102 to generate processed data 112.);
encrypting, by the at least one processor, the first data with the first set of keys (see US 20100254537, Buer, fig. 1A and para. 0031 and 0056: [0031] - Security processing unit 202 is configured to use the plaintext key to cryptographically process data 104 and generate processed data 112. [note: where the keys are used to cryptographically process data [112]] [0056] - In step 614, data received in step 606 is cryptographically processed using the key retrieved in step 612. As shown in FIG. 4D, key manager 204 is configured to send retrieved plaintext key 102a to security processing unit 202. Security processing unit 202 is configured to use plaintext key 102a to cryptographically process data 104 and generate processed data 112. Security processing unit 202 encrypts or decrypts data 104 based on the request received from host 100.);
after authenticating the external site, sending the encrypted first data to the external site (see US 20100254537, Buer, fig. 5, steps 508, 516 and 518, where after the host is authenticated, data may be encrypted and transmitted to the host);
requesting, by the at least one processor, the encrypted first data from the external site (see US 20100254537, Buer, fig. 5, steps 506, 516 and para. 0040 and 0045: In step 506, a request is received from the host to encrypt or decrypt a block of data. The request includes an encrypted key and a key handle. For example, general purpose cryptography engine 200 receives a request to encrypt or decrypt data 104 from host 100 along with encrypted key 302a and key handle 300…the data received in step 506 is cryptographically processed using the plaintext key.);
receiving the encrypted first data (see US 20100254537, Buer, para. 0040 and 0045: [0040] - In step 506, a request is received from the host to encrypt or decrypt a block of data. The request includes an encrypted key and a key handle. For example, general purpose cryptography engine 200 receives a request to encrypt or decrypt data 104 from host 100 along with encrypted key 302a and key handle 300. As shown in FIG. 3B, host 100 is configured to communicate key handle 300, encrypted key 302 and data to be processed 104, to security processing unit 202 via bus 106. Key handle 300 includes an authentication tag and an index to reference a key encryption key 304a that can decrypt encrypted key 302a. [0045] - In step 516, the data received in step 506 is cryptographically processed using the plaintext key. For example, data 104 is cryptographically processed using key 102 to generate processed data 112. As shown in FIG. 3D, key manager 204 is configured to send plaintext key 102 to security processing unit 202. Security processing unit 202 is configured to process data 104 using plaintext key 102 to generate processed data 112.);
and decrypting the received encrypted first data with the first set of keys (see US 20100254537, Buer, fig. 1B, where data is received by the crypto engine, wherein the data is subsequently decrypted [112]).
 	In regards to claim 11, Buer teaches the method of claim 9, wherein the external site is a site of a user that controls the first set of keys (see US 20100254537, Buer, fig. 1A, where keys are controlled by a host device).
 	In regards to claim 14, the combination of Buer and Alao teach the method of claim 9, further comprising:
receiving, over a network at the external site, the encrypted first data (see US 20100254537, Buer, fig. 1A and para. 0022, where the crypto engine may receive encrypted data from a host that may be decrypted);
storing the encrypted first data in a data storage at the external site (see US 20100254537, Buer, para. [0038] and fig. 4A, item 104 - In step 502, a plurality of key encryption keys are received at GPE 200 via a secure channel from key server 310. General purpose cryptography engine 200 is coupled to key server 310 via bus 318. Key encryption keys 304 may be received from key server 310 via bus 318 (see FIG. 3A). The key encryption keys may be received via a secure channel, for example, a transport layer security (TLS) protocol or a Secure Sockets Layer (SSL) protocol. The key encryption keys 304 may be received from key server 310 before data to be processed 104 is received from host 100.);
and after the storing of the encrypted first data in the data storage at the external site, accessing the encrypted first data by decrypting the first data at the external site (see US 20100254537, Buer, fig. 5, step 516, where the encrypted data is decrypted).
 	In regards to claim 15, the combination of Buer and Alao teach the method of claim 14, further comprising loading, by a key manager, the first set of keys into a computing device at the external site (see US 20100254537, Buer, fig. 2A and para. 0030: In an embodiment, key cache 206 is configured to store plaintext keys received from key server 310 (FIG. 3A-D). The plaintext keys may be received under a secure key management protocol. In another embodiment, key cache 206 provides a scalable key management by storing [i.e. loading] key encryption keys received from key server 310 (FIGS. 4A-D).).


2.) Claims 1, 3, and 4 are rejected under 35 U.S.C. 103 as being unpatentable over IDS supplied reference, US 20100254537, Buer in view of US 20060140410, Aihara

 	In regards to claim 1, Buer teaches a system, comprising: a key cache (see US 20100254537, Buer, fig. 2A, item 206, key cache); at least one processor (see US 20100254537, Buer, fig. 2B, item 236 [processor]); and memory storing instructions configured to instruct the at least one processor (see US 20100254537, Buer, fig. 2B, item 206 [memory]) to:
load a first set of keys into the key cache (see US 20100254537, Buer, fig. 2A and para. 0030: key cache 206 provides a scalable key management by storing key encryption keys received from key server 310 [note: where a key server [310] [i.e. key manager] sends keys to key cache for storage]);
provide the first set of keys to an external site (see US 20100254537, Buer, fig. 2A and para. 0031 and 0033: In embodiment, key server 310 serves the encrypted keys, the authentication tag, and/or the index to the host…In this embodiment, key server 310 includes a plurality of key encryption keys which are transmitted to key cache 206 of general purpose of cryptography engine 200 via a secure channel. [0033] - General purpose cryptography engine 200 also includes a Direct Memory Access (DMA) engine 208, Peripheral Component Interconnect (PCI) interface 210, general purpose interface 214, Universal Serial Bus (USB) interface 250 and buses 212a-c that enable general purpose cryptography engine 200 to communicate with external devices such as host 100 and key server 310 (FIGS. 3 and 4). Interface 214 includes but is not limited to a Universal Asynchronous Receiver Transmitter (UART) interface, an (Inter-IC) I2C interface, a Serial Port Interface (SPI) and a general purpose input/output (GPIO) interface. Buses 212a-c include but are not limited to one or more of PCI, USB, I2C, SPI, UART, GPIO buses);
receive first data (see US 20100254537, Buer, para. 0022: Cryptography engine 110 is configured to cryptographically process data 104 using plaintext key 102a and generate processed data 112 that is communicated back to host 100 via bus 106.);
encrypt the first data with the first set of keys (see US 20100254537, Buer, fig. 1A, para. 0031 and 0056: Security processing unit 202 is configured to use the plaintext key to cryptographically process data 104 and generate processed data 112. [note: where the keys are used to cryptographically process data [112]]; [0056] - In step 614, data received in step 606 is cryptographically processed using the key retrieved in step 612. As shown in FIG. 4D, key manager 204 is configured to send retrieved plaintext key 102a to security processing unit 202. Security processing unit 202 is configured to use plaintext key 102a to cryptographically process data 104 and generate processed data 112. Security processing unit 202 encrypts or decrypts data 104 based on the request received from host 100.);
authenticate the external site (US 20100254537, Buer, para. 0025: In an embodiment, key manager 204 authenticates host 100 for every block of data that is to be cryptographically processed using an authentication tag. The authentication tag used to authenticate a process on host 100 may be a static password or a dynamic one time password (OTP) or a shared secret that is static or rolling and is a predefined length (e.g., 64-bits).);
after authenticating the external site, send the encrypted first data to the external site in reply to the request, receive, from the external site, the encrypted first data (see US 20100254537, Buer, fig. 5, steps 508, and para. 0040, 0045: [Fig. 5, steps 508] - Perform Host authentication. [0040] - In step 506, a request is received from the host to encrypt or decrypt a block of data. The request includes an encrypted key and a key handle. For example, general purpose cryptography engine 200 receives a request to encrypt or decrypt data 104 from host 100 along with encrypted key 302a and key handle 300. As shown in FIG. 3B, host 100 is configured to communicate key handle 300, encrypted key 302 and data to be processed 104, to security processing unit 202 via bus 106. Key handle 300 includes an authentication tag and an index to reference a key encryption key 304a that can decrypt encrypted key 302a. [0045] - In step 516, the data received in step 506 is cryptographically processed using the plaintext key. For example, data 104 is cryptographically processed using key 102 to generate processed data 112. As shown in FIG. 3D, key manager 204 is configured to send plaintext key 102 to security processing unit 202. Security processing unit 202 is configured to process data 104 using plaintext key 102 to generate processed data 112.);
request, from the external site, the encrypted first data (see US 20100254537, Buer, fig. 5, steps 506, and para. 0040 and 0045: In step 506, a request is received from the host to encrypt or decrypt a block of data. The request includes an encrypted key and a key handle. For example, general purpose cryptography engine 200 receives a request to encrypt or decrypt data 104 from host 100 along with encrypted key 302a and key handle 300…the data received in step 506 is cryptographically processed using the plaintext key.);
and decrypt the received encrypted first data with the first set of keys (see US 20100254537, Buer, fig. 5, steps 502, 516, where the received data may be decrypted using plaintext key decrypted from the plurality of received encrypted keys).
 	Buer does not teach in reply to the request, receive, from the external site, the encrypted first data.
 	However, Aihara teaches in reply to the request, receive, from the external site, the encrypted first data (US 20060140410, Aihara, fig. 3, steps 306, 307 and para. 0011: [fig. 3, steps 306 and 307] – a request for data is received and data is transmitted. [0011] - The invention may provide a wireless communication device for wirelessly transmitting data from a plurality of data sources to a different device, the wireless communication device including: an authentication unit that authenticates the different device; an encryption unit that encrypts the data from the data source using a cipher key; a communication unit that transmits the data encrypted by the encryption unit to the different device authenticated by the authentication unit; a switch unit that switches the data source for supplying the data transmitted to the different device; and a cipher key update unit that updates the cipher key used by the encryption unit when the switch unit switches the data source.)
 	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Buer with the teaching of Aihara because a user would have been motivated to enhance the operational capacity of the system taught by Buer by permitting a plurality of devices to efficiently and securely authenticate and exchange information with other devices in order to provide a user with the convenience of viewing video data from different channels (see Aihara, para. 0024).
 	In regards to claim 3, the combination of Buer and Aihara teach the system of claim 1, wherein the external site is configured to store data received from each of a plurality of data sources (see US 20100254537, Buer, para. 0037 and fig. 5, step 518:
[0037] - FIGS. 3A-C illustrate an exemplary system for secure key management and cryptographic processing of data according to an embodiment of the invention. Host 100 is coupled to general purpose cryptography engine 200 via bus 106 and interface 108. Bus 106 may be one of buses 212a-c and interface 108 may be one of PCI interface 210, USB 250 and GPIO 214. As shown in FIG. 3A, host 100 initially includes key handle 300, encrypted keys 302 and data to be processed 104 and key server 310 include key encryption keys 304. In embodiments, the key handles and encrypted keys are securely served to host 100 by key server 310.
[fig. 5, step 518] – where encrypted/decrypted data may be received by the host [i.e. implicitly stored by the host]).

 	In regards to claim 4, the combination of Buer and Aihara teach the system of claim 1, wherein the first set of keys is selected from a plurality of key sets (see US 20100254537, Buer, fig. 3A, where encrypted keys [302] stored in memory are provided to a cryptographic engine).

3.) Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over IDS supplied reference, US 20100254537, Buer in view of US 20060140410, Aihara and further in view of US 20040034772, Alao  
 	In regards to claim 5, the combination of Buer and Aihara teach the system of claim 1. The combination of Buer and Aihara do not teach wherein the external site includes a computing device configured to receive, over a network, the encrypted first data, and to decrypt the received first data with the first set of keys.
 	However, Alao teaches wherein the external site includes a computing device configured to receive, over a network, the encrypted first data (US 20040034772, Alao, fig. 6B, step 168, where encrypted computed encryption initialization data is received), and to decrypt the received first data with the first set of keys (US 20040034772, Alao, para. 0097: In FIG. 6B at Step 170, the encrypted computed Blowfish block cipher initialization data is decrypted on the second device 102-110 using the selected private session key. At Step 172, the Blowfish block cipher encryption method is initialized on the second device 102-110 with the decrypted computed Blowfish block cipher initialization data. The initialization data reduces a number of calculations needed on the second device 102-110 to initialize the Blowfish block cipher encryption method.)
 	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of the combination of Buer and Aihara with the teaching of Alao because a user would have been motivated to improve the efficiency of transmitting encrypted information in the system taught by the combination of Buer and Aihara by using encryption acceleration data, taught by Alao, in order to reduce the number of calculations for performing an encryption (Alao, para. 0022).

4.) Claims 12, 13, 16, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over IDS supplied reference, US 20100254537, Buer in view of US 20040034772, Alao
 
In regards to claim 12, Buer teaches the method of claim 9. Buer does not teach further comprising: receiving, over a network by the external site, the encrypted first data; wherein the received first data is decrypted with the first set of keys.

However, Alao teaches further comprising: receiving, over a network by the external site, the encrypted first data (US 20040034772, Alao, fig. 6B, step 168, where encrypted computed encryption initialization data is received); wherein the received first data is decrypted with the first set of keys (US 20040034772, Alao, para. 0097, In FIG. 6B at Step 170, the encrypted computed Blowfish block cipher initialization data is decrypted on the second device 102-110 using the selected private session key. At Step 172, the Blowfish block cipher encryption method is initialized on the second device 102-110 with the decrypted computed Blowfish block cipher initialization data. The initialization data reduces a number of calculations needed on the second device 102-110 to initialize the Blowfish block cipher encryption method.).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Buer with the teaching of Alao because a user would have been motivated to improve the efficiency of transmitting encrypted information in the system taught by Buer by using encryption acceleration data, taught by Alao, in order to reduce the number of calculations for performing an encryption (Alao, para. 0022).

In regards to claim 13, the combination of Buer and Alao teach the method of claim 12, further comprising loading by the at least one processor, the first set of keys into memory (see US 20100254537, Buer, para. 0022: As shown in FIG. 1A, host 100 stores [i.e. loads] multiple cryptographic keys 102 in plaintext format (unencrypted keys are referred to as "plaintext keys" throughout) along with data 104 that is to be cryptographically processed (e.g. encrypted or decrypted)), decrypting the received encrypted first data with the first set of keys using the security device (see US 20100254537, Buer, para. 0033 and 0056, [0033]- Cryptography engine 110 is configured to cryptographically process data 104 using plaintext key 102a and generate processed data 112 that is communicated back to host 100 via bus 106.
[0056]- In step 614, data received in step 606 is cryptographically processed using the key retrieved in step 612. As shown in FIG. 4D, key manager 204 is configured to send retrieved plaintext key 102a to security processing unit 202. Security processing unit 202 is configured to use plaintext key 102a to cryptographically process data 104 and generate processed data 112. Security processing unit 202 encrypts or decrypts data 104 based on the request received from host 100.). 

In regards to claim 16, Buer teaches a method, comprising:

loading a first set of keys into a first computing device (see US 20100254537, Buer, fig. 2A and para. 0030, In an embodiment, key cache 206 is configured to store plaintext keys received from key server 310 (FIG. 3A-D). The plaintext keys may be received under a secure key management protocol. In another embodiment, key cache 206 provides a scalable key management by storing [i.e. loading] key encryption keys received from key server 310 (FIGS. 4A-D).);

providing a second set of keys to an external site (see US 20100254537, Buer, fig. 2A and para. 0031, [0031] - In embodiment, key server 310 serves the encrypted keys, the authentication tag, and/or the index to the host…In this embodiment, key server 310 includes a plurality of key encryption keys which are transmitted to key cache 206 of general purpose of cryptography engine 200 via a secure channel. {note: where a key server[310][i.e. key manager] sends keys to host[1st external site] and the GPE[i.e. 2nd external site] for storage} [0033] - General purpose cryptography engine 200 also includes a Direct Memory Access (DMA) engine 208, Peripheral Component Interconnect (PCI) interface 210, general purpose interface 214, Universal Serial Bus (USB) interface 250 and buses 212a-c that enable general purpose cryptography engine 200 to communicate with external devices such as host 100 and key server 310 (FIGS. 3 and 4). Interface 214 includes but is not limited to a Universal Asynchronous Receiver Transmitter (UART) interface, an (Inter-IC) I2C interface, a Serial Port Interface (SPI) and a general purpose input/output (GPIO) interface. Buses 212a-c include but are not limited to one or more of PCI, USB, I2C, SPI, UART, GPIO buses);

decrypting, by the first computing device using the first set of keys, first data obtained from a data storage (see US 20100254537, Buer, fig. 1A and para. 0031, Security processing unit 202 is configured to use the plaintext key to cryptographically process data 104 and generate processed data 112. [note: where the keys are used to cryptographically process data[112]]);

encrypting, by a second computing device, the first data using the second set of keys (see US 20100254537, Buer, [0056]- In step 614, data received in step 606 is cryptographically processed using the key retrieved in step 612. As shown in FIG. 4D, key manager 204 is configured to send retrieved plaintext key 102a to security processing unit 202. Security processing unit 202 is configured to use plaintext key 102a to cryptographically process data 104 and generate processed data 112. Security processing unit 202 encrypts or decrypts data 104 based on the request received from host 100.);

authenticating the external site using an authentication code (US 20100254537, Buer, para. 0025, In an embodiment, key manager 204 authenticates host 100 for every block of data that is to be cryptographically processed using an authentication tag. The authentication tag used to authenticate a process on host 100 may be a static password or a dynamic one time password (OTP) or a shared secret that is static or rolling and is a predefined length (e.g., 64-bits).);

after authenticating the external site, sending the encrypted first data over a network to the external site (see US 20100254537, Buer, fig. 5, steps 508, 516 and 518, where after the host is authenticated, data may be encrypted and transmitted to the host);

requesting the first data from the external site (see US 20100254537, Buer, para. 0040, In step 506, a request is received from the host to encrypt or decrypt a block of data. The request includes an encrypted key and a key handle. For example, general purpose cryptography engine 200 receives a request to encrypt or decrypt data 104 from host 100 along with encrypted key 302a and key handle 300. As shown in FIG. 3B, host 100 is configured to communicate key handle 300, encrypted key 302 and data to be processed 104, to security processing unit 202 via bus 106. Key handle 300 includes an authentication tag and an index to reference a key encryption key 304a that can decrypt encrypted key 302a.);

receiving, over the network, encrypted first data from the external site (see US 20100254537, Buer, para. 0040 and 0045, [0040]- In step 506, a request is received from the host to encrypt or decrypt a block of data. The request includes an encrypted key and a key handle. For example, general purpose cryptography engine 200 receives a request to encrypt or decrypt data 104 from host 100 along with encrypted key 302a and key handle 300. As shown in FIG. 3B, host 100 is configured to communicate key handle 300, encrypted key 302 and data to be processed 104, to security processing unit 202 via bus 106. Key handle 300 includes an authentication tag and an index to reference a key encryption key 304a that can decrypt encrypted key 302a. [0045]- In step 516, the data received in step 506 is cryptographically processed using the plaintext key. For example, data 104 is cryptographically processed using key 102 to generate processed data 112. As shown in FIG. 3D, key manager 204 is configured to send plaintext key 102 to security processing unit 202. Security processing unit 202 is configured to process data 104 using plaintext key 102 to generate processed data 112.); and

Buer does not teach decrypting the received encrypted first data from the external site with the second set of keys using the second computing device.

However, Alao teaches decrypting the received encrypted first data from the external site with the second set of keys using the second computing device (US 20040034772, Alao, para. 0097, In FIG. 6B at Step 170, the encrypted computed Blowfish block cipher initialization data is decrypted on the second device 102-110 using the selected private session key. At Step 172, the Blowfish block cipher encryption method is initialized on the second device 102-110 with the decrypted computed Blowfish block cipher initialization data. The initialization data reduces a number of calculations needed on the second device 102-110 to initialize the Blowfish block cipher encryption method.).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of the combination of Buer and Aihara with the teaching of Alao because a user would have been motivated to improve the efficiency of transmitting encrypted information in the system taught by the combination of Buer and Aihara by using encryption acceleration data, taught by Alao, in order to reduce the number of calculations for performing an encryption (Alao, para. 0022).

 	In regards to claim 20, the combination of Buer and Alao teach the method of claim 16, wherein the external site is configured to decrypt the first data using the second set of keys(see US 20100254537, Buer, fig. 1A and para. 0022 and 0056, [0022]- As shown in FIG. 1A, host 100 stores multiple cryptographic keys 102 in plaintext format (unencrypted keys are referred to as "plaintext keys" throughout) along with data 104 that is to be cryptographically processed (e.g. encrypted or decrypted).
[0056]- In step 614, data received in step 606 is cryptographically processed using the key retrieved in step 612. As shown in FIG. 4D, key manager 204 is configured to send retrieved plaintext key 102a to security processing unit 202. Security processing unit 202 is configured to use plaintext key 102a to cryptographically process data 104 and generate processed data 112. Security processing unit 202 encrypts or decrypts data 104 based on the request received from host 100.).

5.) Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over IDS supplied reference, US 20100254537, Buer in view of US 20040034772, Alao and further in view of US 20120159159, Messerges	 
	 	 
In regards to claim 19, the combination of Buer and Alao teach the method of claim 16. The combination of Buer and Alao do not teach further comprising loading the second set of keys into the second computing device.

However, Messerges teaches further comprising loading the second set of keys into the second computing device (US 20120159159, Messerges, para. 0026, Further in accordance with the present teachings, a method performed by a key-management server for secure communications in a communication system includes sending a first set of keys to a source device, and sending a second set of keys to an infrastructure device that forwards the packets sent by the source device to one or more destination device. The first set of keys enables both authentication and encryption of packets sent by the source device to the destination device. For example, the first set of keys contains an authentication key, an encryption key, and a salt key. Alternatively, the first set of keys contains a master key, from which an authentication key, an encryption key, and a salt key are derived. However, the second set of keys enables authentication, but not encryption, of the packets sent by the source device to the destination device. For example, the second set of keys contains a group authentication key and a plurality of source authentication keys.).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of the combination of Buer and Alao with the teaching of Messerges because a user would have been motivated to enhance the system security of the system taught by the combination of Buer and Alao by performing packet authentication in order to mitigate possible network attacks (Messerges, para. 0003).

6.) Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over IDS supplied reference, US 20100254537, Buer in view of US 20060140410, Aihara and further in view of US 6275588, Videcrantz

In regards to claim 2, the combination of Buer and Aihara teach the system of claim 1. The combination of Buer and Aihara do not teach wherein a key address is sent with the encrypted first data to the external site, and wherein the key address is used by the external site to select the first set of keys for decrypting the first data.

However, Videcrantz teaches wherein a key address is sent with the encrypted first data to the external site, and wherein the key address is used by the external site to select the first set of keys for decrypting the first data (US 6275588, Videcrantz, col. 19, lines 21-29, The receiving station may locate an encryption key in a local key centre and recall the encryption key associated with the transmitting station, similarly the transmitting station prior to encryption may locate an encryption key in a local key centre and recall the encryption key associated with the receiving station. According to the addresses of the receiving and transmitting stations contained in the clear text 12 the correct selection of an encryption key may be performed. [note: where a location of an encryption key may be located and selected by using received address information]).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of the combination of Buer and Aihara with the teaching of Videcrantz because a user would have been motivated to optimize the transmission rate for data transmitted to external devices, taught by Buer, by switching between data compression modes in order to maximize transmission rates (Videcrantz, col. 5, lines 51-56).

7.) Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over IDS supplied reference, US 20100254537, Buer in view of US 6275588, Videcrantz 	

In regards to claim 10, Buer teaches the method of claim 9. Buer does not teach wherein a key address is sent with the encrypted first data to the external site, and wherein the key address is used by the external site to select the first set of keys.

However, Videcrantz teaches wherein a key address is sent with the encrypted first data to the external site, and wherein the key address is used by the external site to select the first set of keys (US 6275588, Videcrantz, col. 19, lines 21-29, The receiving station may locate an encryption key in a local key centre and recall the encryption key associated with the transmitting station, similarly the transmitting station prior to encryption may locate an encryption key in a local key centre and recall the encryption key associated with the receiving station. According to the addresses of the receiving and transmitting stations contained in the clear text 12 the correct selection of an encryption key may be performed. [note: where a location of an encryption key may be located and selected by using received address information]).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Buer with the teaching of Videcrantz because a user would have been motivated to optimize the transmission rate for data transmitted to external devices, taught by Buer, by switching between data compression modes in order to maximize transmission rates (Videcrantz, col. 5, lines 51-56).

8.) Claims 17 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over IDS supplied reference, US 20100254537, Buer in view of US 20040034772, Alao and further in view of US 6275588, Videcrantz

In regards to claim 17, the combination of Buer and Alao teach the method of claim 16. The combination of Buer and Alao do not teach wherein a key address is sent with the first data over the network, and the key address is for use by the external site in selecting the second set of keys.

However, Videcrantz teaches wherein a key address is sent with the first data over the network, and the key address is for use by the external site in selecting the second set of keys (US 6275588, Videcrantz, col. 19, lines 21-29, The receiving station may locate an encryption key in a local key centre and recall the encryption key associated with the transmitting station, similarly the transmitting station prior to encryption may locate an encryption key in a local key centre and recall the encryption key associated with the receiving station. According to the addresses of the receiving and transmitting stations contained in the clear text 12 the correct selection of an encryption key may be performed. [note: where a location of an encryption key may be located and selected by using received address information]).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of the combination of Buer and Alao with the teaching of Videcrantz because a user would have been motivated to optimize the transmission rate for data transmitted to external devices, taught by Buer, by switching between data compression modes in order to maximize transmission rates (Videcrantz, col. 5, lines 51-56).

In regards to claim 18, the combination of Buer and Alao teach the method of claim 16. The combination of Buer and Alao do not teach further comprising using the authentication code to verify that a proper key address is used when selecting the second set of keys.

However, Videcrantz teaches further comprising using the authentication code to verify that a proper key address is used when selecting the second set of keys (US 6275588, Videcrantz, col. 41, lines 60-65, (311) 1: Append authentication value to the end of the source buffer (i.e. SrcBufEndPtr); (312) The SrcBufStartPtr of the next PU will be updated with the address of the octet immediately after the authentication value).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of the combination of Buer and Alao with the teaching of Videcrantz because a user would have been motivated to optimize the transmission rate for data transmitted to external devices, taught by Buer, by switching between data compression modes in order to maximize transmission rates (Videcrantz, col. 5, lines 51-56).


9.) Claims 6 and 7 are rejected under 35 U.S.C. 103 as being unpatentable over IDS supplied reference, US 20100254537, Buer in view of US 20060140410, Aihara and further in view of US 20090249084, Ogawa

In regards to claim 6, the combination of Buer and Aihara teach the system of claim 1. The combination of Buer and Aihara do not teach further comprising a computing device configured to decrypt the first data with a second set of keys after obtaining the first data, and prior to the encrypting of the first data.

However, Ogawa teaches further comprising a computing device configured to decrypt the first data with a second set of keys after obtaining the first data, and prior to the encrypting of the first data (US 20090249084, Ogawa, para. 0009: In yet another exemplary aspect of the current invention, a removable storage unit contains a computer readable program in internal memory for implementing a method which accesses a designated database server for obtaining encrypted data saved in the database server, decrypts the encrypted data using a predetermined shared encryption key, re-encrypts and saves decrypted data using an encryption key of the removable storage unit, and decrypts the encrypted data and outputs the decrypted data with the encryption key.).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of the combination of Buer and Aihara with the teaching of Ogawa because a user would have been motivated to mitigate malicious attacks on the cryptographic keys, taught by Buer, by applying an algorithm to establish a validity time or lifespan for the keys (Ogawa, para. 0045).

 	In regards to claim 7, the combination of Buer, Aihara and Ogawa teach the system of claim 6, wherein the second set of keys is stored in the computing device (see US 20100254537, Buer, fig. 2A and para. 0030 and 0031, where a key server[310][i.e. key manager] stores keys [i.e. 2nd set of keys] for sending to host[1st external site] and the GPE[i.e. 2nd external site] for storage).
 	
10.) Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over IDS supplied reference, US 20100254537, Buer in view of US 20060140410, Aihara and further in view of US 20090249084, Ogawa and further in view of US 20130332724, Walters 

In regards to claim 8, the combination of Buer, Aihara and Ogawa teach the system of claim 6, to provide the first data for encryption prior to sending the encrypted first data (US 20100254537, Buer, fig. 5, steps 516 and 518, where data is decrypted/encrypted using a key [step 516] prior to transmission [step 518]).

The combination of Buer, Aihara and Ogawa do not teach further comprising a server configured to receive the decrypted first data from the computing device.

However, Walters teaches further comprising a server configured to receive the decrypted first data from the computing device (US 20130332724, Walters, para. 0036, Next an application server connected to the second cryptographic application device receives the decrypted data 597. The application server may be a software program running to serve the computational or communication tasks of the non-secure application. The application server may also be a physical computer dedicated to running one or more applications to serve the needs of communications devices on the network. The application server may include an email-server, computer, server, switch, gateway, router, database server, file server, mail server, print server, web server, or other electronic device capable of directing electronic data to a communication device. The application server uses the destination information to determine which end device to transmit the decrypted data. For example, the application server may use the device name, IP address, or port number to determine the second communication device to transmit the data.).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of the combination of Buer, Aihara and Ogawa with the teaching of Walters because a user would have been motivated to enhance data security for the data transmitted by the combination of Buer, Aihara and Ogawa by applying transmission authentication to the data in order to minimize malicious activities(see Walters, para. 0003 and 0008).  




CONCLUSION
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GREGORY LANE whose telephone number is (571)270-7469.  The examiner can normally be reached on 571 270 7469 from 8:00 AM to 6:00 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Taghi Arani, can be reached on 571 272 3787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/GREGORY A LANE/Examiner, Art Unit 2438                                                                                                                                                                                                        


/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434