Ex Parte Martini, Application No. 14/265,540 (P.T.A.B. Nov. 28, 2018)

UNITED STATES PATENT AND TRADEMARK OFFICE
UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS, P.O. Box 1450, Alexandria, Virginia 22313-1450, www.uspto.gov

APPLICATION NO.: 14/265,540
FILING DATE: 04/30/2014
FIRST NAMED INVENTOR: Paul Michael Martini
ATTORNEY DOCKET NO.: 38097-0016002
CONFIRMATION NO.: 4724
EXAMINER: KORSAK, OLEG
ART UNIT: 2492
NOTIFICATION DATE: 11/30/2018
DELIVERY MODE: ELECTRONIC

20985 7590 11/30/2018
FISH & RICHARDSON P.C. (SD)
P.O. BOX 1022
MINNEAPOLIS, MN 55440-1022
UNITED STATES OF AMERICA

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. Notice of the Office communication was sent electronically on the above-indicated "Notification Date" to the following e-mail address(es): PATDOCTC@fr.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE
BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte PAUL MICHAEL MARTINI

Appeal 2017-003485
Application 14/265,540¹
Technology Center 2400

Before JEREMY J. CURCURI, JUSTIN BUSCH, and PHILLIP A. BENNETT, Administrative Patent Judges.

BENNETT, Administrative Patent Judge.

DECISION ON APPEAL

STATEMENT OF THE CASE

Appellant appeals under 35 U.S.C. § 134(a) from the Examiner's final rejection of claims 1-6, 8-13, and 15-20. Claims 7 and 14 have been cancelled. Oral Argument was heard before this panel on November 14, 2018. A copy of the Hearing Transcript will be placed in the record in due course. We have jurisdiction under 35 U.S.C. § 6(b). We reverse.

¹ Appellant's Brief ("Br.") identifies iboss, Inc. as the real party in interest. Br. 1.

CLAIMED SUBJECT MATTER

The claims are directed to selectively performing man in the middle decryption.
More specifically, the claims are directed to inspecting outgoing DNS requests from a network to identify requests to certain specified websites, and redirecting those requests to a man in the middle gateway which spoofs the address of the requested website. The man in the middle establishes an encrypted connection with the requesting device, and it also establishes an encrypted connection with the requested website. When network traffic is transmitted over the connection, the man in the middle gateway decrypts the traffic in order to inspect it, and then re-encrypts the traffic so that it can be sent on to the destination website. The Specification explains that "[t]he MitM (man in the middle) gateways ... act as man in the middle proxies ... allowing cryptographically secure communication that can be inspected when entering or exiting the network." Spec. ¶ 19.

Claim 1, reproduced below, is illustrative of the claimed subject matter (the disputed limitation is the step of "decrypting, by the gateway, all of the encrypted communication traffic"):

1. A method performed by data processing apparatus, the method comprising:

    receiving, from a device within a network, a domain name service (DNS) request for an address of a first resource outside the network;

    determining that the first resource is associated with a security policy of the network that specifies decrypting encrypted traffic between the device within the network and the first resource;

    responsive to the determination that the first resource is associated with a security policy of the network that specifies decrypting encrypted traffic between the device within the network and the first resource, returning, to the device within the network in response the DNS request, a DNS response comprising an address of a gateway within the network, the gateway address having previously been associated with the first resource address;

    establishing a first encrypted connection between the device and the gateway, and a second encrypted connection between the gateway and the first resource, to facilitate encrypted communication traffic between the device and the first resource;

    decrypting, by the gateway, all of the encrypted communication traffic passing between the device and the first resource such that all of the encrypted communication traffic passing between the device and the first resource is available to the gateway for inspection; and

    inspecting at least some of the encrypted communication traffic passing between the device and the first resource;

    receiving, from a second device within the network, a second domain name service (DNS) request for an address of a second resource outside the network;

    determining that the second resource is not associated with a security policy of the network that specifies decrypting encrypted traffic between the second device with the network and the second resource;

    responsive to the determination that the second resource is not associated with a security policy of the network that specifies decrypting encrypted traffic between the second device and the second resource, sending, to the DNS, the second DNS request;

    receiving, from the DNS, a DNS response;

    returning, to the second device within the network and in response to receiving the second DNS request, the second DNS request; and

    establishing a third encrypted connection between the second device and the second resource, to facilitate encrypted communication traffic between the second device and the second resource.

Br. 11-12 (Claims Appendix).

REFERENCES

The prior art relied upon by the Examiner in rejecting the claims on appeal is:

Aldor     US 2010/0138910 A1     June 3, 2010
Altman    US 2012/0290829 A1     Nov. 15, 2012

REJECTIONS

Claims 1-6, 8-13, and 15-20 stand rejected under 35 U.S.C. § 103(a) as being unpatentable over Aldor and Altman.
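The mechanism claim 1 recites, as an added worked example (Python written for this page; it is not code from iboss, from the application, or from either reference): a policy-aware resolver decides at DNS time whether the requested name falls under the decryption policy, hands the device back an internal gateway address that it has bound to that resource, and the gateway later uses that binding to open its own connection to the real server. Names not under policy are forwarded upstream and answered unchanged, so the device connects directly. The gateway address pool, the suffix-match policy, the in-memory upstream table and every host and address are assumptions made for the example; the encrypted legs are represented by their endpoints rather than by real TLS sessions.

```python
"""Policy-driven DNS redirection to a man-in-the-middle inspection gateway.

Added illustration of the mechanism recited in claim 1; not code from iboss or
from the application. The address pool, the suffix-match policy and the
in-memory 'upstream DNS' table are assumptions made for this example.
"""
from dataclasses import dataclass, field

# Constructed stand-in for the external DNS server: name -> real address.
UPSTREAM_DNS = {
    "bank.example": "198.51.100.10",
    "login.bank.example": "198.51.100.11",
    "news.example": "203.0.113.5",
}


@dataclass
class PolicyResolver:
    """Answers DNS requests from devices inside the network.

    Names covered by the decryption policy get an internal gateway address;
    every other name is forwarded to the upstream DNS and answered as-is.
    """
    decrypt_suffixes: frozenset          # policy: domains whose traffic must be decrypted
    gateway_pool: list                   # assumed: internal addresses the gateway listens on
    upstream: dict
    gateway_map: dict = field(default_factory=dict)   # gateway addr -> (name, real addr)
    _by_name: dict = field(default_factory=dict)      # name -> gateway addr already bound

    @staticmethod
    def _norm(name):
        return name.lower().rstrip(".")

    def policy_matches(self, name):
        name = self._norm(name)
        return any(name == s or name.endswith("." + s) for s in self.decrypt_suffixes)

    def resolve(self, name):
        """Return (address handed to the device, True if the flow will be decrypted)."""
        name = self._norm(name)
        if not self.policy_matches(name):
            # Not subject to decryption: send the request on to DNS, relay the real answer.
            return self.upstream[name], False
        if name not in self._by_name:
            # First request for this resource: bind one gateway address to it so a
            # later connection to that address can be attributed to the resource
            # (the claim's "gateway address having previously been associated
            # with the first resource address").
            if not self.gateway_pool:
                raise RuntimeError("gateway address pool exhausted")
            gw = self.gateway_pool.pop(0)
            self.gateway_map[gw] = (name, self.upstream[name])
            self._by_name[name] = gw
        return self._by_name[name], True


@dataclass
class MitmGateway:
    """Terminates the device's connection and opens its own to the real resource."""
    resolver: PolicyResolver
    inspected: list = field(default_factory=list)   # every request that crossed the gateway

    def accept(self, dst_addr, client_addr, request):
        # The device connected to dst_addr believing it to be the resource; the
        # binding made at DNS time tells the gateway which server to reach.
        name, real_addr = self.resolver.gateway_map[dst_addr]
        # First leg (device <-> gateway) is decrypted here, the payload inspected,
        # then re-encrypted on the second leg (gateway <-> resource).
        self.inspected.append((client_addr, name, request))
        return {"path": "via_gateway",
                "first_connection": (client_addr, dst_addr),
                "second_connection": (dst_addr, real_addr),
                "forwarded": request}


def session(resolver, gateway, client_addr, name, request):
    """One device flow: DNS lookup, then either a redirected or a direct connection."""
    addr, decrypt = resolver.resolve(name)
    if decrypt:
        return gateway.accept(addr, client_addr, request)
    # The claim's third connection: device <-> resource directly; the gateway never
    # sees this traffic, so nothing is decrypted or inspected.
    return {"path": "direct",
            "first_connection": (client_addr, addr),
            "second_connection": None,
            "forwarded": None}


def build():
    resolver = PolicyResolver(decrypt_suffixes=frozenset({"bank.example"}),
                              gateway_pool=["10.0.0.2", "10.0.0.3"],
                              upstream=UPSTREAM_DNS)
    return resolver, MitmGateway(resolver)


if __name__ == "__main__":
    resolver, gateway = build()
    for client, host, req in [("10.0.1.5", "bank.example", "GET /balance"),
                              ("10.0.1.6", "news.example", "GET /"),
                              ("10.0.1.7", "login.bank.example", "POST /login")]:
        print(session(resolver, gateway, client, host, req))
    print("inspected:", gateway.inspected)
```

Two points the example makes concrete. First, the decision is taken before any connection exists: the device's very first packet, the TLS handshake included, is addressed to the gateway, which is the distinction the Board draws below against a system that cuts and re-splices a connection only after it has been identified. Second, because the device receives an address rather than a name, the gateway needs a pre-established binding from that address back to the intended resource, which is why the pool is consumed one address per resource; a gateway that instead relied on the TLS server name indication would be a different design from the one claimed. Separately, a device will only accept the gateway's certificate for the spoofed site if it chains to a certificate authority the device already trusts, which is why deployments of this kind distribute an enterprise CA to managed devices.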
ISSUE

Has the Examiner erred in finding Aldor and Altman teach or suggest "decrypting, by the gateway, all of the encrypted communication traffic passing between the device and the first resource such that all of the encrypted communication traffic passing between the device and the first resource is available to the gateway for inspection," as recited in the independent claims?

ANALYSIS

The Examiner rejects the independent claims as being unpatentable over Aldor and Altman. Final Act. 2-7. The Examiner finds Aldor teaches most limitations of the independent claims, but does not teach the disputed limitation. Final Act. 4 ("Aldor does not teach all of the encrypted communication traffic passing."). The Examiner turns to Altman, finding that it teaches the disputed limitation because it describes using a secure data inspection appliance ("SIA") to detect an encrypted connection that matches a rule table, and decrypts the connection to allow for inspection by a network monitor center ("NMC"). Final Act. 4 (citing Altman ¶ 14).

Appellant argues the claimed invention differs from the prior art because the claimed invention requires that "all encrypted traffic passes through the MitM gateway 104 so that the traffic may be inspected." Br. 2. Appellant argues this feature "is an advantageously different configuration than ... a single encrypted communication link directly from the browser device 106 to the server 118, [that] is then eavesdropped on by a MitM," the latter being a flawed prior art approach that allows encrypted traffic to pass from the client to the server while a mapping is established to allow for conventional man in the middle eavesdropping. Br. 2. Appellant argues that both Aldor and Altman implement the flawed prior art approach, and are insufficient to render obvious the invention recited in the claims. Br. 9.

We agree. The disputed limitation recites "decrypting ... all of the encrypted communication traffic passing between the device and the first resource such that all of the encrypted communication traffic passing between the device and the first resource is available to the gateway for inspection." We construe the disputed limitation as requiring that the device does not directly connect to the first resource; rather, the device unknowingly directly connects to the (MitM) gateway. See Spec. ¶¶ 24, 36, 42, 45; see also Fig. 3, element 310. Thus, in order to meet this limitation, all encrypted data passing between the client and the server must be decrypted and made available for inspection. Neither Aldor nor Altman supplies such a teaching.

Aldor describes a methodology for "encrypted-traffic URL filtering using address-mapping interception." Aldor ¶ 40. Aldor's system generally is configured to use a perimeter gateway server to intercept encrypted traffic and extract a network address from the traffic. In Aldor's system, a client makes a request to access an encrypted website. In response to the request, a DNS query is submitted to a DNS server 18. Aldor ¶ 39. The DNS server resolves the domain name and returns an address mapping (i.e., an IP address corresponding to the domain name). The perimeter gateway intercepts the DNS server response, and creates a mapping between the name and the IP address. Aldor explains that there is a delay that results from the mapping process such that "[e]stablishing such a mapping requires a period of time during which encrypted traffic ... is not rejected." Aldor ¶ 40. Thus, in Aldor's system, the delay in setting up the mapping causes it to be unable to "decrypt[] by the gateway, all of the encrypted communication traffic passing between the device and the first resource ... is available to the gateway for inspection" as recited in the independent claims.

Altman is similarly deficient.
Altman generally discloses a system for selective SSL inspection. Altman describes creating a list of addresses for which encrypted communications are inspected so that only a selected subset of the network connections are decrypted and inspected. Altman ¶ 13. Altman teaches the use of a secure data inspection appliance ("SIA") to identify secure connections made from the network that match one of the addresses in a rule table. Altman ¶ 22 ("SIA 136 applies the selection rules to encrypted data that it transfers."). When a connection matching an address in the rule table is identified, the connection is cut and substituted with a pair of separate TCP connections, one toward the client and one toward the server. Altman ¶ 31 ("SIA 136 carries out the termination at step 222 by cutting the matching connection and substituting it with a pair of separate TCP connections, one toward the related client 104 ... and the other toward the related server 124.").

We agree with Appellant that Altman does not teach that "all of the encrypted communication traffic passing between the device and the first resource ... is available to the gateway for inspection" because it only determines whether a matching address is present after a connection between the client and the server has already been made. Altman ¶ 31 ("SIA 136 applies the selection rules, which it accepts from the NMC, to encrypted connections 160/164 that pass through it."). While that determination is being made, Altman's initial direct connection between the client and server allows encrypted traffic to pass between the client and the server. Altman's system, therefore, does not teach or suggest the disputed limitation under our construction, because the encrypted traffic on Altman's initial direct connection between the server and client is neither decrypted by the gateway nor made available for inspection while the original TCP connection remains intact. It is only after the original TCP connection is severed and replaced by the two substitute connections that the encrypted traffic is made available for inspection by the gateway.

Accordingly, we are persuaded the Examiner has erred in finding Aldor and Altman teach or suggest the disputed limitation, and we do not sustain the rejection of independent claims 1, 8, and 15. For the same reasons, we also do not sustain the rejection of dependent claims 2-6, 9-13, and 16-20.

DECISION

We reverse the Examiner's rejection of claims 1-6, 8-13, and 15-20.

REVERSED