Nicira, Inc.
Patent Trials and Appeals Board
Jul 27, 2021
2020001137 (P.T.A.B. Jul. 27, 2021)

UNITED STATES PATENT AND TRADEMARK OFFICE

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS, P.O. Box 1450, Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO. | FILING DATE | FIRST NAMED INVENTOR | ATTORNEY DOCKET NO. | CONFIRMATION NO.
14/815,950 | 07/31/2015 | Kiran Kumar Thota | N162.07.C1 (B839.07.C1) | 7665

109858 7590 07/27/2021
ADELI LLP
P.O. Box 516
Pacific Palisades, CA 90272

EXAMINER: ALMAMUN, ABDULLAH
ART UNIT / PAPER NUMBER: 2431
NOTIFICATION DATE: 07/27/2021
DELIVERY MODE: ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication.

Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es):
ipadmin@vmware.com
mail@adelillp.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte KIRAN KUMAR THOTA, AZEEM FEROZ, and JAMES CHRISTOPHER WIESE

Appeal 2020-001137
Application 14/815,950 [1]
Technology Center 2400

Before MAHSHID D. SAADAT, ALLEN R. MacDONALD, and NABEEL U. KHAN, Administrative Patent Judges.

SAADAT, Administrative Patent Judge.

DECISION ON APPEAL

STATEMENT OF THE CASE

Pursuant to 35 U.S.C. § 134(a), Appellant [2] appeals from the Examiner’s decision to reject claims 1–20. We have jurisdiction under 35 U.S.C. § 6(b).

We affirm.

[1] Appeal No. 2019-005596 (Application No. 14/320,581) appears to be related to this appeal, as both appeals are directed to substantially similar inventions.

[2] We use the word Appellant to refer to “applicant” as defined in 37 C.F.R. § 1.42(a). Appellant identifies the real parties in interest as VMware, Inc., and Nicira, Inc. Appeal Br. 2.

CLAIMED SUBJECT MATTER

The claims are directed to an encryption method for encrypting data messages sent by guest virtual machines (“GVMs”). Spec. ¶ 5. Claim 1, reproduced below, is illustrative of the claimed subject matter:

1. A non-transitory machine readable medium for storing a program for updating a keyring with a plurality of keys, the keyring stored on a host computing device that executes a plurality of virtual machines (VMs) and used for encryption operations for data messages associated with at least one particular VM, the program for execution by at least one processing unit, the program comprising sets of instructions for:

    receiving a command from a controller to (1) fetch a new key for the keyring and (2) remove a particular key from the plurality of keys in the keyring;

    based on the received command, sending a request for the new key to a key generator;

    continuing to process data messages received for the particular VM by using any of a first plurality of keys in the keyring including the particular key, while processing data messages transmitted by the particular VM using any of a second plurality of keys in the keyring excluding the particular key; and

    removing the particular key from the keyring after receiving the new key so that the particular key is no longer used to process data messages for the particular VM.

REFERENCES

The prior art relied upon by the Examiner is:

Name | Reference | Date
Yared | US 2003/0149781 A1 | Aug. 7, 2003
Boubion | US 2008/0170689 A1 | July 17, 2008
Lin | US 8,340,300 B2 | Dec. 25, 2012
Allen | US 8,584,216 B1 | Nov. 12, 2013
Harjula | US 2015/0242594 A1 | Aug. 27, 2015

REJECTIONS

Claims 1–3, 7, 12–15, and 18 stand rejected under 35 U.S.C. § 103 as unpatentable over Allen, Lin, and Harjula.

Claims 4–6, 8, 16–17, and 19 stand rejected under 35 U.S.C. § 103 as unpatentable over Allen, Lin, Harjula, and Boubion.

Claims 9–11 and 20 stand rejected under 35 U.S.C. § 103 as unpatentable over Allen, Lin, Harjula, and Yared.

OPINION

We have reviewed the Examiner’s rejections under 35 U.S.C. § 103 in light of Appellant’s contentions and the evidence of record. We agree with the Examiner and highlight the following for emphasis.

Claims 1, 12, and 14

The Examiner found Allen discloses, inter alia, “receiving a command from a controller to (1) fetch a new key for the keyring and (2) remove a particular key from the plurality of keys in the keyring,” and “based on the received command, sending a request for the new key to a key generator,” as recited in independent claim 1 and similarly recited in independent claim 12. See Final Act. 9 (citing Allen 6:40–42, 10:40–53, 11:7–25, Fig. 3); see also Ans. 7–9 (citing Allen 5:7–20, 5:52–57, Figs. 1, 2). More specifically, as found by the Examiner, Allen discloses a request-processing module 104 that, as part of a server 206 illustrated in Figure 2, receives a request from client device 202(1) for its subscribed cryptographic key material including cryptographic keys. See Allen 6:40–48; Figs. 2, 3. Allen further discloses that a subscription-management module 106, as part of server 206, identifies that the cryptographic key material 212(1) currently possessed by client device 202(1) does not match the cryptographic key material to which client device 202(1) is subscribed. See id. at 7:52–57, 9:4–15, Figs. 2, 3. As also disclosed in Allen, an update module 108 deploys an update to client device 202(1) that causes client device 202(1) to update cryptographic key material 212(1) to match the set of cryptographic key material to which client device 202(1) is subscribed. See id. at 10:30–39, Figs. 2, 3. Allen further discloses a systems-management module 110 that creates a new set of cryptographic keys. See id. at 11:7–25, Fig. 2.

Appellant contends that none of the interactions described in Allen and cited by the Examiner teach the claimed “command from a controller to (1) fetch a new key for the keyring and (2) remove a particular key from the plurality of keys in the keyring” because none of the cited interactions teach a command from a controller to fetch a new key for a keyring and to remove a particular key from multiple keys in the keyring. See Appeal Br. 10–13; see also Reply Br. 3–4, 10–12. Appellant further contends the cited interactions are also incompatible with each other as each has a different pair of controller and actor receiving the command. See Appeal Br. 13–14.

We are not persuaded by Appellant’s argument. Instead, we agree with the Examiner’s findings that Allen’s request for a cryptographic key received from client device 202(1) is a command to request-processing module 104 to update the cryptographic key stored at client device 202(1), where the request specifically commands request-processing module 104 to fetch a new cryptographic key from server 206 and replace an old cryptographic key at client device 202(1) with the new cryptographic key. See Ans. 7. Appellant’s argument that Allen does not teach that the command is received from a controller is not persuasive because we agree with the Examiner that neither Appellant’s claims, nor Appellant’s Specification, defines “controller” in a way that distinguishes “controller” from Allen’s client device 202(1). See Ans. 8. Thus, the Examiner did not err in finding that Allen teaches or suggests the aforementioned element recited in claim 1 and similarly recited in claim 12.

Appellant additionally contends none of the cited interactions described in Allen teach “based on the received command, sending a request for the new key to a key generator,” as recited in claim 1 and similarly recited in claim 12. See Appeal Br. 14–16; see also Reply Br. 4–5.

We are not persuaded by this argument either. Rather, we agree with the Examiner that, based on the request received by request-processing module 104, subscription-management module 106 sends a request for a new cryptographic key to systems-management module 110 in order to update the cryptographic key stored at client device 202(1). See Ans. 9. Because the request by subscription-management module 106 to update the cryptographic key stored at client device 202(1) is based on the initial request sent by client device 202(1) and received by request-processing module 104, the Examiner also did not err in finding that Allen teaches or suggests the aforementioned element recited in claim 1 and similarly recited in claim 12.

Appellant further contends Allen fails to disclose any combination of the client device, key managing server, and administrator (or any other elements disclosed in Allen) that teaches “the three-part pattern of the controller that sends the command to fetch a new key, the actor that receives the command and send a request for the new key to a key generator, and the key generator that receives said request.” See Appeal Br. 16–18; see also Reply Br. 5–6.

This argument is not persuasive either. We agree with the Examiner’s finding that the client device 202(1) teaches the claimed “controller”; the request-processing module 104 teaches the claimed entity that “[receives] a command from a controller to (1) fetch a new key for the keyring and (2) remove a particular key from the plurality of keys in the keyring”; the subscription-management module 106 teaches the claimed entity that “[sends] a request for the new key to a key generator”; and the systems-management module 110 teaches the claimed “key generator.” See Ans. 7–9. Contrary to Appellant’s argument, the claims do not require that the same entity receives the command from the controller and sends the request for the new key to the key generator.

The Examiner further found the combination of Lin and Harjula discloses, “continuing to process data messages received for the particular VM by using any of a first plurality of keys in the keyring including the particular key, while processing data messages transmitted by the particular VM using any of a second plurality of keys in the keyring excluding the particular key,” as recited in claim 1 and similarly recited in claim 12. See Final Act. 10 (citing Lin 3:16–59, 4:59–7:11, Fig. 2; Harjula ¶¶ 54, 62); see also Ans. 11–12 (citing Harjula ¶¶ 54, 62). More specifically, as found by the Examiner, Lin discloses a method for implementing a new authentication key in a network device having an old authentication key. See Lin 4:47–52; Fig. 2. Lin discloses that during a specific time period, outgoing packets are sent using the new authentication key and incoming packets are authenticated using both the old authentication key and the new authentication key. See id. at 5:7–12, Fig. 2. As also found by the Examiner, Harjula discloses managing keys for virtual machines including generating a new key in order to rotate keys for the virtual machines. See Harjula ¶¶ 25, 54, 62, 216, 221.

The Examiner additionally found Lin discloses “wherein the first plurality of keys includes the particular key and the second plurality of keys excludes the particular key in order to rotate out the particular key and rotate in the new key when the new key is received, wherein after receiving the new key both the first and second pluralities of keys are the same,” as recited in claim 14. See Final Act. 15 (citing Lin 4:64–7:15; Fig. 2). More specifically, as previously described, Lin discloses rotating out an old authentication key while rotating in a new authentication key in a network device. See Lin 4:47–5:12; Fig. 2.

Appellant contends Lin’s old and new cryptographic key do not teach or suggest “a first plurality of keys in the keyring including the particular key,” and “a second plurality of keys in the keyring excluding the particular key,” as recited in claim 1 and similarly recited in claim 12, and “wherein the first plurality of keys includes the particular key and the second plurality of keys excludes the particular key,” as recited in claim 14, because a single key is not a plurality of keys. See Appeal Br. 18–20, 25–26; see also Reply Br. 6–7, 9–10.

We are not persuaded by Appellant’s argument. Rather, we agree with the Examiner’s finding that Lin teaches outgoing packets are authenticated using a new authentication key and incoming packets are authenticated using both an old authentication key and a new authentication key. See Lin 5:7–12. Appellant’s argument that Lin discloses using a single authentication key rather than a plurality of authentication keys is not persuasive because Allen and Harjula disclose using a plurality of authentication keys in place of a single authentication key. See Allen 6:46–47 (“[t]he term ‘cryptographic key material,’ as used herein, may include cryptographic keys”); see also Harjula ¶ 26 (“a key pair comprising a public key and a private key”).

Accordingly, we sustain the rejection of claims 1, 12, and 14 under 35 U.S.C. § 103.

Claims 4, 6, and 17

The Examiner found Boubion discloses “wherein the command is received when the particular key has been used to encrypt a particular number of data messages,” as recited in claim 4, and further discloses “wherein the controller generates the command based on statistics that the controller collects from the host computing device regarding data that the particular key was used to encrypt,” as recited in claim 6 and similarly recited in claim 17. See Final Act. 16–17 (citing Boubion ¶¶ 54, 78, 82); see also Ans. 12–14.
More specifically, as found by the Examiner, Boubion discloses rotating one or more keys generated by a user during a communication session, where rotation of the keys occurs at predetermined times or at predetermined events, such as after a predetermined amount of data is transmitted during a communication event. See Boubion ¶¶ 78, 82.

Appellant contends Boubion does not teach the aforementioned element of claim 4 because, although Boubion discloses rotating keys based on triggers and events, Boubion is silent regarding receiving a command from a controller when a key has been used to encrypt a particular number of data messages, as a number of data messages encrypted is distinct from an amount of data transmitted. See Appeal Br. 21–22; see also Reply Br. 7–8. Appellant further contends Boubion also does not teach the aforementioned elements of claims 6 and 17 because, although Boubion discloses rotating keys at an encryptor after a predetermined amount of data is transmitted, Boubion is silent regarding collecting statistics at a claimed controller from a virtual machine host and generating a command to fetch a new key for a keyring and remove a particular key from multiple keys in the keyring at the virtual machine host. See Appeal Br. 22–23; see also Reply Br. 8.

These arguments are not persuasive. As Boubion generally discloses rotating keys based on predetermined events, such as a particular number of data messages, one of ordinary skill in the art would understand that a predetermined event may be a particular number of data messages encrypted by the key. See Boubion ¶¶ 78, 82.

Accordingly, we sustain the rejection of claims 4, 6, and 17 under 35 U.S.C. § 103 as well.

Claims 8 and 19

The Examiner found the combination of Harjula and Boubion discloses “wherein the program further comprises a set of instructions for receiving the new key from the key generator in response to the sent request, wherein the controller monitors usage of keys on the host computing device,” as recited in claim 8 and similarly recited in claim 19. See Final Act. 17 (citing Harjula ¶¶ 26, 216, 221; Boubion ¶ 78). More specifically, as found by the Examiner, Harjula discloses the rotation of keys includes generating a new key and installing a new key where the old key resided. See Harjula ¶ 221. Boubion further discloses rotating one or more keys after a predetermined amount of data is transmitted during a communication event. See Boubion ¶ 82.

Appellant contends the combination of Harjula and Boubion fails to teach the aforementioned elements of claims 8 and 19 because, although Boubion discloses rotating keys based on data monitoring, Boubion fails to disclose that the monitoring is done by a controller from which the claimed command is received to fetch a new encryption key. See Appeal Br. 24; see also Reply Br. 9.

We are not persuaded by this argument. As previously described, Allen discloses the interactions with the claimed “controller” and the claimed “command” to fetch a new encryption key. Further, as Boubion discloses monitoring the amount of data transmitted during a communication session in order to determine when to rotate keys used during the communication session, Boubion also teaches monitoring the keys used to transmit the data during the communication session. See Boubion ¶¶ 78, 82.

Accordingly, we sustain the rejections of claims 8 and 19 under 35 U.S.C. § 103 also.

Claims 2, 3, 5, 7, 9–11, 13, 15, 16, 18, and 20

No separate arguments are presented for claims 2, 3, 5, 7, 9–11, 13, 15, 16, 18, and 20. See generally Appeal Br.
Accordingly, we sustain the rejection of claims 2, 3, 5, 7, 9–11, 13, 15, 16, 18, and 20 under 35 U.S.C. § 103.

CONCLUSION

We affirm the Examiner’s decision to reject claims 1–20 under 35 U.S.C. § 103.

DECISION SUMMARY

In summary:

Claims Rejected | 35 U.S.C. § | Reference(s)/Basis | Affirmed | Reversed
1–3, 7, 12–15, 18 | 103 | Allen, Lin, Harjula | 1–3, 7, 12–15, 18 |
4–6, 8, 16–17, 19 | 103 | Allen, Lin, Harjula, Boubion | 4–6, 8, 16–17, 19 |
9–11, 20 | 103 | Allen, Lin, Harjula, Yared | 9–11, 20 |
Overall Outcome | | | 1–20 |

TIME PERIOD FOR RESPONSE

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a). See 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED
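
The rotation behaviour recited in claim 1 (receive with a key set that still includes the retiring key, transmit with a set that excludes it, remove the key once the new one arrives) can be sketched as follows. This is an added example, not code from the application or the cited references; the class and method names are hypothetical, and HMAC tagging stands in for the claimed encryption operations.

```python
import hashlib
import hmac
import os


class Keyring:
    """Per-VM keyring on a host: key id -> key bytes (names are hypothetical)."""

    def __init__(self, keys):
        self.keys = dict(keys)
        self.retiring = set()  # ids named in a pending controller command

    def rx_ids(self):
        # Keys accepted for received messages: includes a retiring key.
        return list(self.keys)

    def tx_ids(self):
        # Keys used for transmitted messages: excludes a retiring key.
        return [k for k in self.keys if k not in self.retiring]

    def begin_rotation(self, old_id):
        """Controller command received: stop transmitting with old_id."""
        if old_id not in self.keys:
            raise KeyError(old_id)
        if self.tx_ids() == [old_id]:
            raise ValueError("no other key left to transmit with")
        self.retiring.add(old_id)

    def complete_rotation(self, old_id, new_id, new_key):
        """New key arrived from the key generator: install it, drop old_id."""
        if old_id not in self.retiring:
            raise ValueError("rotation was not started for " + old_id)
        self.keys[new_id] = new_key
        del self.keys[old_id]
        self.retiring.discard(old_id)

    def seal(self, payload):
        key_id = self.tx_ids()[0]
        tag = hmac.new(self.keys[key_id], payload, hashlib.sha256).digest()
        return key_id, payload, tag

    def open(self, key_id, payload, tag):
        key = self.keys.get(key_id)
        if key is None:
            return False  # key already removed from the keyring
        good = hmac.new(key, payload, hashlib.sha256).digest()
        return hmac.compare_digest(good, tag)


def demo():
    kr = Keyring({"k1": os.urandom(32), "k2": os.urandom(32)})  # constructed keys
    in_flight = kr.seal(b"sent before rotation")  # protected with k1
    kr.begin_rotation("k1")
    during = (kr.seal(b"sent during rotation")[0], kr.open(*in_flight))
    kr.complete_rotation("k1", "k3", os.urandom(32))
    after = (kr.open(*in_flight), kr.tx_ids() == kr.rx_ids())
    return during, after
```

Between the two rotation calls, a message protected with the retiring key is still accepted while new traffic uses another key; after completion the transmit and receive sets coincide, as claim 14 recites.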