Trials@uspto. gov
`Tel: 571-272-7822
`
`Paper10
`Entered: September8, 2023
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`NETSKOPE,INC.,
`Petitioner,
`
`V.
`
`FORTINET,INC.,
`Patent Owner.
`
`IPR2023-00458
`Patent 9,280,678 B2
`
`Before JAMES P. CALVE, THOMAS L. GIANNETTI,and
`STEPHEN E. BELISLE, Administrative Patent Judges.
`
`CALVE,Administrative Patent Judge.
`
`DECISION
`Granting Institution ofInter Partes Review
`35 US.C. $314
`
`
`Tel: 571-272-7822
`
`Paper10
`Entered: September8, 2023
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`NETSKOPE,INC.,
`Petitioner,
`
`V.
`
`FORTINET,INC.,
`Patent Owner.
`
`IPR2023-00458
`Patent 9,280,678 B2
`
`Before JAMES P. CALVE, THOMAS L. GIANNETTI,and
`STEPHEN E. BELISLE, Administrative Patent Judges.
`
`CALVE,Administrative Patent Judge.
`
`DECISION
`Granting Institution ofInter Partes Review
`35 US.C. $314
`
`
`
`IPR2023-00458
`Patent 9,280,678 B2
`
`I.
`
`BACKGROUND
`
`Netskope,Inc. (‘Petitioner’) filed a petition requesting an inferpartes
`
`review of claims 1-3, 6, 8-17, and 21—27 (the “challenged claims”)! ofU.S.
`
`Patent No. 9,280,678 B2 (“the 678 patent”) (Ex. 1001). Paper 2, 5 (“Pet.”).
`
`Fortinet, Inc. (“Patent Owner”) filed a Preliminary Response. Paper 6
`
`(Prelim. Resp.”).
`
`Wehave authority to determine whetherto institute an interpartes
`
`review. See 35U.S.C. §314 (2018); 37C.F.R. § 42.4(a) (2022) (“The
`
`Boardinstitutes the trial on behalf ofthe Director.”). An interpartes review
`
`may notbe instituted “unless... the information presented in the petition
`
`... showsthatthere is a reasonable likelihood that the petitioner would
`
`prevail with respect to at least 1 of the claims challenged in the petition.”
`
`35 U.S.C. §314(a). Upon consideration ofthe evidence and arguments in
`
`the record, we determinethat the information presented shows a reasonable
`
`likelihood that Petitioner would prevail with respect toat least one ofthe
`
`challenged claims. We therefore grantinstitution ofan interpartes review.
`
`A. RelatedProceedings
`
`Theparties identify the following proceeding involving the ’678
`
`patent: Netskope, Inc. v. Fortinet, Inc., No. 3:22-cv-01852-TLT (N.D.Cal. ).
`
`Pet. 5; Paper 3, 2. Petitioner identifies the following interpartes reviewsin
`
`whichPetitioner challenges other patents ofPatent Owner: IPR2022-01587,
`
`IPR2023-00030, IPR2023-00175, IPR2023-00456, IPR2023-00457, and
`
`IPR2023-00459. Pet.5.
`
`' Petitioner asserts the challenged claims are claims 1—3, 6, 8-19, and 21—27
`(Pet. 7) but makes no substantive argumentsagainst claims 18 and 19 and
`seeks to cancel claims 1—3, 6, 8-17, and 21—27 in the Introduction(id. at 5).
`
`
`
`IPR2023-00458
`Patent 9,280,678 B2
`
`B. Real Parties in Interest
`
`Petitioner identifies Netskope,Inc. as the real party in interest. Pet. 5.
`
`Patent Owneridentifies Fortinet, Inc. as the real party in interest. Paper 3, 2.
`
`C.
`
`The ’678 Patent (Ex. 1001)
`
`The ’678 patent provides vendor independent secure cloud storage
`
`distribution and aggregation systems by interposing a cloud storage gateway
`
`device between third-party cloud storage platforms and enterprise users who
`
`access those platforms. Ex. 1001, 2:9-16. The gatewayincludes application
`
`programminginterfaces (APIs) thatfacilitate storage offiles, issue search
`
`requests forfiles, and retrieve contentof files on the cloud storage platforms.
`
`Id. at 2:11-17. The cloudstorage gateway devicealso assignsa file storage
`
`policy to each user.
`
`/d. at 2:17—18. “The assigned file storage policy
`
`defines access rights, storage diversity requirements and a type of encryption
`
`to be applied to files for the corresponding user.” /d. at 2:19—22.
`
`The gateway system “implement[s] a policy based frameworkfor
`
`encrypting, storing, accessing, querying and managing data across one or
`
`more cloud platforms.” Ex. 1001, 3:25—28. In one embodiment,
`
`a searchable encryption gateway frameworkprovides
`assignmentof a policy from a groupofpolicies stored in a
`policy database to one or more users such that the policy not
`only defines the mannerin whichthe users can access and
`process contentstored on the cloud, but can also configure the
`mode in which the datais encrypted, stored, searched, and
`accessed to ensure secure and vendorindependent cloud
`management.
`
`Id. at 3:28-35. “Cloud storage service providers” are companiesthat
`
`provide computer storage space and managementto other companies and
`
`include Dropbox, Google Drive, and Amazon WebServices. /d. at 6:9-14.
`
`
`
`IPR2023-00458
`Patent 9,280,678 B2
`
`Figure | of the 678 patent is reproduced belowtoillustrate an
`
`exemplary network architecture of sucha system. Ex. 1001, 6:51—52.
`
`
`tSoud Btorus
`
`fide
`
`t
`
`F
`
`§
`
`Claud Since
`
`CHowed Stare
`
`tf Ohi Stare
`
`i
`
`:
`{14h
`I
`HAs
`|
`i44e
`x,
`
`
`
`
`
`
` prrserenrenamaress93 |
`
`rage
`
`SELEY
`
`i
`
`
`
`IPR2023-00458
`Patent 9,280,678 B2
`
`Figure | of the ’678 patent depicts clients 102a—d operatively and
`
`communicatively coupled to oneothervia local area network (LAN) 104.
`
`Ex. 1001, 6:51—56. Clients 102 also couple to cloud stores 114a—d through
`
`gateway device 108 and Internet 112.
`
`/d. at 7:5—9. Gateway device 108 acts
`
`as an interface between clients 102 and cloudstores 114 to handle client
`
`file/data read/write requests and to identify the appropriate cloud stores 114
`
`to access to process the requests. /d. at 7:9-14. Figure 2 ofthe °678 patent
`
`is reproduced below toillustrate functional modules ofthe gateway device.
`[grrrnennnntna
`
`ateway
`eat
`
`Enterprise
`22
`
`
`
`Gloud Serving Provider
`258a
`
`21S
`
`Manageriant
`Maxhude
`
`
`
`Madiation
`Modules}
`
`Pioliny Datatwse
`
`|
`
`Fig. 2
`
`Figure 2 depicts a policy-based framework using gateway 204 and its
`
`functional modules to interface transactions and execute instructions for the
`
`read/write/search of content between enterprise users 202 and cloud service
`
`providers 206 based on users’ roles and responsibilities that require different
`
`access rights and privileges to access data and content. Ex. 1001, 8:27—65.
`
`
`
`IPR2023-00458
`Patent 9,280,678 B2
`
`Policy assignment module 208 assignspolicies from policy database
`
`218 toa useror groupofusers 202 based on their roles, responsibilities, and
`
`enterprise practices. It defines the way that data, metadata, and other content
`
`is accessed andprocessedby each useror group ofusers 202a—c. Ex. 1001,
`
`9:11—19. Each policy “defines the mannerin whichfiles can be uploaded,
`
`stored, downloaded, searched, and/or processed in the context of one or
`
`more cloudplatforms,” and also includes“any other configurable aspect of
`
`the mode in which the user 202 accesses data stored or to be stored in the
`
`namespaces, directories, folders, files or other storage containers of one or
`
`more cloudplatforms.” /d. at 9:19—26. A “[p]Jolicy assigned to a user 202
`
`can also be configured to manageaccessrights relating to encryption and
`
`decryption of content.” /d. at 9:34—-36(emphasis added).
`
`Encryption module 210 encryptsfiles to upload or store on a cloud
`
`platform(s) “based on the policies assigned by the policy assignment module
`
`208.” Ex. 1001, 9:53-56. “[G]ateway 204 can share encryption/decryption
`
`keys based on the policy assigned to the user,” but it does not share details
`
`of private or public keys with any user 202 who is not authorized by a policy
`
`to encrypt files to store in cloud containers. /d. at 9:61—67. Encryption
`
`module210 can encrypt eachfile orfile part using cryptographic key data so
`
`the encrypted content is searchable across and within cloud platformsso that
`
`encryption architecture is independentof a providerof the cloud platform.
`
`Id. at 10:1—6. Encryption module 210 also allowsusers 202, based on their
`
`assigned policy, to download searchable encryptedfiles onto a local device
`
`for offline applications. /d. at 10:6—10. Searchable encrypted files may
`
`encrypt the nameofa file as part ofthe folder name,or hashes of search
`
`terms may be used asfile namesin searchable indices. /d. at 10:29-38.
`
`
`
`IPR2023-00458
`Patent 9,280,678 B2
`
`D. Challenged Claims
`
`Claims 1 and 16 are independent. Claims 2, 3, 6 and 8—15 depend
`
`from claim 1. Claims 17 and 21—27 depend from claim 16. Ex. 1001,
`
`19:57-22:22.
`
`Claim 1 is reproduced below with Petitioner’s annotations added to
`
`identify each limitation (see Pet. 23-49 (providing Petitioner’s contentions
`
`for the unpatentability of claim 1 under Ground1)).
`
`1[pre] A method comprising:
`
`1/a]{i] assigning to one or moreusers, by a gateway device, a
`policy for managing access to and processinga file to be
`stored on one or more cloudplatforms, 1[a][11] wherein the
`policy defines access rights ofthe one or moreusers;
`
`//b/ encrypting, by the gateway device, using cryptographic
`key information defined by the policy, content ofthefile to
`produce a searchable encrypted file by:
`
`1/6/fi] dividing thefile intoa plurality of chunks;
`
`1[6/fii] creating namespacesfor one or moreofthe plurality
`of chunks; and
`
`1[b/fiii] configuring the namespaces ofthe one or more
`chunks such that content ofthe file is encryptedin a
`manner that makesit searchable;
`
`1/c] storing, by the gateway device, the searchable
`encrypted file on the one or more cloud platforms based
`on the policy; and
`
`1/d] managingaccess to the searchable encryptedfile by the
`one or more users based on the policy.
`
`Ex. 1001, 19:57—20:8.
`
`
`
`IPR2023-00458
`Patent 9,280,678 B2
`
`EI. Asserted Grounds ofUnpatentability
`
`Petitioner asserts unpatentability on the following grounds (Pet. 7):
`
`1-3, 8-14, 16, 17, 21-27
`
`
`
`Cidon » Shikta ,
`Herrmann
`Cidon, Shikfa,
`
`Cidon, Shikfa,
`
`Auradkar’, Chiueh??,
`
`Chambers, Inoue!”
`
`Petitioner also relies on a Declaration ofDr. Wenke Lee. Ex. 1002.
`
`Patent Ownerrelies on a Declaration ofDr. John Black Jr. Ex. 2001.
`
`* Petitionerlists claims 18 and 19 in Grounds 1 and 4, but no substantive
`arguments are provided for either claim. See Pet. 7, 15-69, 72-135.
`3 The Leahy-Smith America Invents Act (“AIA”) revised35 U.S.C. § 103
`effective on March 16, 2013. Because the °678 patent has an effectivefiling
`date after March 16, 2013, we use the AJAversion of 35 U.S.C. § 103.
`* US 2014/0013112 Al, published Jan. 9, 2014 (Ex. 1004, “Cidon’).
`> US 2014/0359282 A1, published Dec. 4, 2014 (Ex. 1006, “Shikfa”).
`° US 2003/0055994 A1, published Mar. 20, 2003 (Ex. 1005, “Herrmann’’).
`TUS 2005/0010593 A1, published Jan. 13, 2005 (Ex. 1007, “Fellenstein’’).
`® US 6,622,248 B1, issued Sept. 16, 2003 (Ex. 1008, “Hirai’”).
`” US 2011/0119481 A1, published May 19, 2011 (Ex. 1009, “Auradkar’”).
`10 US 2013/0159694 A1, published June 20, 2013 (Ex. 1011, “Chiueh’”).
`'T US 2014/0068030 A1, published Mar. 6, 2014 (Ex. 1010, “Chambers”).
`2 US 2003/0063321 A1, published Apr. 3, 2003 (Ex. 1012,“Inoue”).
`
`
`
`IPR2023-00458
`Patent 9,280,678 B2
`
`I. DISCUSSION
`
`A. Level ofOrdinary Skill in the Art
`
`The parties substantially agree on the level of ordinary skill in theart.
`
`Petitioner asserts that a skilled artisan “would have had aB.S. in computer
`
`science, computer engineering, or electrical engineering, with at least two
`
`years’ experience in computer networking/security.” Pet. 15. Patent Owner
`
`asserts that a skilled artisan “would have hada Bachelorof Science degree
`
`in electrical en gineering and/or computerscience, and two years ofwork or
`
`research experience in the fields ofnetwork and datasecurity, ora Master’s
`
`degree in electrical engineering and/or computer science and one yearof
`
`workor research experiencein related fields.” Prelim. Resp. 15—16. Patent
`
`Ownerasserts that the positionsset forth in the Preliminary Response would
`
`be the same undereither parties’ proposal. /d. at 16. We adoptPetitioner’s
`
`proposal as more consistent with the prior art and the 678 patent. Our
`
`decision would be the same undereither formulation.
`
`B. Claim Interpretation
`
`Weinterpret claims “using the same claim construction standard that
`
`would be used to construe the claims in a civil action [held] under 35 U.S.C.
`
`282(b).” 37C.F.R. § 42.100(b). Under this standard, we construe claims
`
`“in accordance with the ordinary and customary meaning of such claim as
`
`understood by oneof ordinary skill in the art and the prosecution history
`
`pertaining to the patent.” /d. Weconstruethe claims only to the extent
`
`necessary to determine whetherto institute interpartes review. See Nidec
`
`Motor Corp. v. Zhongshan Broad Ocean Motor Co. , 868 F.3d 1013, 1017
`
`(Fed. Cir. 2017) (“[W]e need only construe terms‘that are in controversy,
`
`and only to the extent necessary to resolve the controversy.’”’).
`
`
`
`IPR2023-00458
`Patent 9,280,678 B2
`
`The parties assert that the claims should be given their ordinary and
`
`customary meaningin light ofthe specification and no claim constructions
`
`are necessary at thistime. Pet. 15; Prelim. Resp. 16.
`
`Weagree that no express claim constructionsare required at this time
`
`to renderour decision.
`
`C. Principles ofLaw
`
`A patent claim is unpatentable under 35 U.S.C. § 103 if differences
`
`between the claimed subject matter andtheprior art are such that the subject
`
`matter, as a whole, would have been obviousat the time the invention was
`
`made to a person having ordinary skill in the art to which said subject matter
`
`pertains. 35 U.S.C. § 103; KSR Int'l Co. v. Teleflex Inc., 550 U.S. 398, 406
`
`(2007). “The combination of familiar elements according to known methods
`
`is likely to be obvious whenit does no morethan yield predictable results.”
`
`KSR,550 U.S. at 416. Similarly, “ifa technique has been used to improve
`
`one device, and a person ofordinary skill in the art would recognizethatit
`
`would improve similar devices in the same way, using thetechniqueis
`
`obvious unlessits actual application is beyondhis or herskill.” /d. at 417.
`
`The question of obviousnessis resolved based on underlying factual
`
`determinations including: (1) the scope and content ofthe prior art; (2) any
`
`differences between the claimed subject matter and the priorart; (3) the level
`
`of ordinary skill in the art; and (4) when in evidence, objective evidence of
`
`non-obviousness. Graham v. John Deere Co., 383 U.S. 1, 17-18 (1966).
`
`Neither party presents any objective evidence ofnon-obviousnessat this
`
`stage ofthe proceeding.
`
`10
`
`
`
`IPR2023-00458
`Patent 9,280,678 B2
`
`D. Ground 1: Alleged Obviousness Over Cidon, Shikfa, Herrmann
`
`Petitioner asserts unpatentability of claims 1—3, 8-14, 16, 17, and 21—
`
`27 under 35 U.S.C. § 103 over Cidon, Shikfa, and Herrmann. Pet. 7, 15-69.
`
`1.
`
`Cidon (Ex. 1004)
`
`Cidon discloses managementserver 100 that stores encryptedfiles in
`
`segments using policiesfor file placement, access, and sharing as shownin
`
`Figure 2, reproducedbelow. Ex. 1004 9] 10, 102, 108, 206-212, 221-223.
`
`'3 Petitionerlists claims 1-3, 8-14, and 16-27 as the challenged claims in
`Ground 1 (Pet. 15) but provides no substantive argumentfor claims 18—20
`(id. at 15-69). Cf, id. at 5 (seeking to cancel claims 1-3, 6, 8-14, 16-19,
`and 21-27), 7 (listing claims 1—3, 8-14, 16-19, and 21—27 for Ground1).
`
`11
`
`
`
`IPR2023-00458
`Patent 9,280,678 B2
`
`Figure 2 depicts managementserver 100 that encrypts cloud files and
`
`controls accessto the files by providing decryption keys. Ex. 1004 4 102.
`
`System metadata module 115 managesfile metadata.
`
`/d. J] 105, 106. IP
`
`Policy Enforcement Module 120 allows administrators to organize users into
`
`groupsandassign different access policies to each group. /d. 4108. Data
`
`Manager and Login Module 130 processes requests to access a securefile.
`
`Id. § 109. Encryption Key Manager140 generates, stores, and retrieves
`
`encryption keys. /d. 4110. Policies specify placementoffiles in specific
`
`directories, access and sharing permissions, copy control, and encryption.
`
`Ex. 1004 9] 206-212. Files may be segmented, and each segment may be
`
`encrypted and stored. /d. 9305, 309, 383, Fig. 13.
`
`2.
`
` Shikfa (Ex. 1006)
`
`Shikfa’s broker system encrypts and searches encrypted documents
`
`using encryption keys and indexes as shownin Figure 2, reproduced below.
`
`}
`
`Cloud
`Providers
`
`Searchabie
`Encryption
`Broker
`
`12
`
`
`
`IPR2023-00458
`Patent 9,280,678 B2
`
`Figure 2 of Shikfa depicts a broker system for searchable encryption.
`
`Client 16 encrypts documents 26, generates indexes 24 for documents 26,
`
`encrypts indexes 24, and stores encrypted documents and indexesin cloud
`
`storage providers 18. Ex. 1006 43, 10, 12,29. Broker server 12 receives
`
`encrypted documents 14, encrypted indexes 28, and encryption information
`
`and generates a translation table T1 to identify which encrypted document
`
`14 is stored on which cloud storage provider 18.
`
`/d. 931,32. Index 28
`
`includes keywords for encrypted documents 14 and pointers to documents
`
`containing the keywords. /d. 429. Broker server 12 maystore encrypted
`
`indexes 28 locally or send them to cloud storage providers 18.
`
`/d. 432.
`
`To search for encrypted document 14 that contains certain keywords,
`
`client 16 generates encrypted search query 30 for the keywords using the
`
`searchable encryption mechanism that encrypted indexes 28 and sendsthe
`
`encrypted query 30 to broker server 12. Ex. 1006 434. Broker server 12
`
`uses the searchable encryption mechanism that was used to encrypt query 30
`
`and to encrypt indexes 28 as inputto identify (via identifiers D1, D2, D3)
`
`encrypted documents 14 that satisfy the encrypted search query. /d. 4] 34—
`
`36. Broker server 12 thereby allowsclients 16 to store secure, encrypted
`
`documents 14 on cloud storage providers 18 and also provides searchable
`
`encryption so clients 16 can search andretrieve encrypted documents by
`
`using translation tables T1, T2 or encrypted indexes 28. Jd. 937.
`
`3. Herrmann (Ex. 1005)
`
`Herrmanndiscloses a gateway server 350 that controls accessof client
`
`machinesto protected data resources 390 by verifying accessis authorized
`
`as illustrated in Figure 3, which is reproduced below. Ex. 1005 460.
`
`13
`
`
`
`IPR2023-00458
`Patent 9,280,678 B2
`
`GLEENT COMPUTER SYSTEM 210
`
`AS
`GOLSENT BAER
`
`
`
`
`GATEWAY
`
`
`BATESY
`SERVER
`
`
`
`350
`
`ARTIAARUS
`POLICY
`CPTIONS
`3P8
`
`
`
`
`
`é
`
`
`ANTIVIRUS APPLICATION
`
`
`MIRUS PROTECTION
`MODULE}
`340
`
`
`
`
`
`
`[oo
`ANTEMIBUS ENGINE
`
`
`
`VERSION 1.2.34)
`
`
`¢
`o
` ANTLVE 7.
`
`:
`344
`
`
`fvarsinn 236
`
`
`
`Date
`3 Jan, 202
`
`34 por GP)
`
`
`
`
`
`
`}
`if
`fe
`
`FIG. 3
`
`Figure 3 depicts gateway client 330 of client computer 310 connected
`
`to gateway server 350 to access protected data390. Gateway server 350
`
`grants access whenintegrity server 370 indicates access is permissible under
`
`a policy specification applicable to client computer 310. Ex. 1005 9] 60, 67.
`
`14
`
`
`
`
`eewevevar
`;
`TruaVector
`SERVICE i INTEGRITY SERVER
`320
`{SUPERVISOR MODULE}
`a70
`
`
`
` ANTEVIRES
`
`INFORMAFIC
`
`BROMADER
` POLY
`
`PLUGIN
`
`
`
` POLY STORE
`
`oft
`
`y
`
`
`
`IPR2023-00458
`Patent 9,280,678 B2
`
`4.
`
`Independent Claim I
`
`a.
`
`IL[pre]: “A method comprising:”
`
`Petitioner asserts that Cidon discloses a method of “encryptingafile”
`
`by segmenting the file into multiple file segments, encrypting eachfile
`
`segmentto yield multiple encryptedfile segments, and sending the multiple
`
`encryptedfile segments to a storage service. Pet. 23 (citing Ex. 1004 44 10,
`
`309, Fig. 15). Petitioner cites Figure 15 of Cidon, whichis a flowchart for
`
`retrieving a file from storage service 1610, segmentingthefile, calculating
`
`signatures for each segment, encrypting eachfile segment, and sending
`
`encryptedfile segments to storage service 1650.
`
`/d. This contention, which
`
`Patent Ownerdoesnot contestat this stage, 1s supported by record evidence.
`
`b.
`
`Lfa]fi]: “assigning to one or more users, by a
`gateway device, apolicyfor managing access to and
`processing afile to be stored on one or more cloud
`platforms”
`
`Petitioner contends that Cidon discloses a managementserverthat
`
`providesaccesspolicy configurations for users, implementsaccesspolicies,
`
`and processesfiles to be stored on cloud platforms. Petitioner contendsthat
`
`Cidon’s managementserver configures a user access policy and enforces the
`
`access policy for secure file access, and the policy dictates whether certain
`
`files are encrypted. Petitioner contends that Cidon’s managementserver
`
`allows an administrator to organize users into groups and define different
`
`securefile access policies for each group. Pet. 24—25 (citing Ex. 1004 4499,
`
`100, 102, 108, 224, 227; Ex. 1002 4] 74-79). These contentions, which
`
`Patent Ownerdoesnot contestat this stage, are supported by record
`
`evidence. IT Policy Enforcement Module 120 allows administrators to
`
`define accesspolicies for different users and groups. Ex. 1004 4 108.
`
`15
`
`
`
`IPR2023-00458
`Patent 9,280,678 B2
`
`Petitioner asserts that Herrmanndiscloses a gateway server 350 that
`
`acts as a gatewayto protect data or resources 390 and accept access requests
`
`to the resources from client machines. Pet. 25 (citing Ex. 1005 4 60, Fig. 3).
`
`Petitioner contends that Herrmann’s gatewayserver 350 verifies that a client
`
`computer 310 is authorized to access protected data 390, assigns an access
`
`policy to the connection/session between the gateway server 350 and client
`
`computer 310 from policy store 371, and maintains an “appropriate policy
`
`specification 373 applicable to the client computer 310.” Pet. 26—27 (citing
`
`Ex. 1005 {[ 60, 67, 77, claim 16; Ex. 1002 4 79). Policies can be retrieved
`
`by a user, group, or computer. /d. These contentions, which Patent Owner
`
`does not contest at this stage, are supported by record evidence. Gateway
`
`server 350 prevents session access until integrity server 370 indicates access
`
`is permissible by retrieving policy specification 373 for client computer 310
`
`from policy store 371 to ensure that users comply with security policies,
`
`access rights, and anti-virus enforcement. Ex. 1005 4] 60, 66, 67.
`
`c. Motivation to combine Cidon and Herrmann
`
`Petitioner asserts that a skilled artisan would haveadded Herrmann’s
`
`gatewayserverand its functionsof assigning an access policy and accepting
`
`requests for access to resources from clients to Cidon’s managementserver
`
`so “the modified system would have allowed automatic policy assignment
`
`and implementation, improving system efficiencies” and “would have
`
`allowed better real-time protection”“instead ofwaiting for an administrator
`
`to assign a policy manually.” Pet. 26—29 (citing Ex. 1004, Figs. 2; Ex. 1005
`
`44 18, 60, 65, 77, claim 21; Ex. 1010 9§ 66, 82; Ex. 1002 §§| 80-82); id. at 22
`
`(combining Herrmann’s gateway with Cidon’s server would allow automatic
`
`policy assignment to improve system efficiency and reduce humanerrors).
`
`16
`
`
`
`IPR2023-00458
`Patent 9,280,678 B2
`
`d.
`
`Lfa]fii]: “wherein thepolicy defines access rights
`ofthe one or moreusers”
`
`Petitioner contends that Cidon’s managementserver provides and
`
`enforces secure access policy configurations for secure file access and can
`
`assign different policies “by user or by group.” Pet. 29 (citing Ex. 1004
`
`99 67, 102, 108, 112, 115; Ex. 1002 § 83).
`
`e. Does Cidon disclose a single policy
`
`Patent Ownerarguesthat elements 1[a][11], 1[b], 1[c], and 1[d] recite a
`
`single “policy”that defines (1) access rights ofusers, (2) thefile contents to
`
`be encrypted “using cryptographic key information defined by the policy,”
`
`(3) storing searchable encryptedfiles on cloud platforms, and (4) managing
`
`access to a searchable encrypted file. Prelim. Resp. 17. Patent Owneralso
`
`asserts that Petitioner treats disparate policies in Cidon “as if they were one
`
`andthe same.” /d. Patent Owner arguesthat Petitioner combines “access
`
`policies” that control access to securefiles with “placementpolicies”that
`
`store encryptedfiles, and these policies are different.
`
`/d. at 18.
`
`For reasons that follow, we find these arguments unavailing.
`
`“As a general rule, the words‘a’ or ‘an’ in a patent claim carry
`the meaning of ‘one or more.’” 7iVo, Inc. v. EchoStar
`Commce’ns Corp., 516 F.3d 1290, 1303 (Fed. Cir .2008). “The
`exceptionsto thisrule are extremely limited: a patentee must
`evince aclear intentto limit ‘a’ or ‘an’ to ‘one.’” Baldwin
`Graphic Sys., Inc. v. Siebert, Inc., 512 F.3d 1338, 1342 (Fed.
`Cir. 2008)... . “The subsequentuse of definite articles ‘the’ or
`‘said’ in a claim to refer back to the same claim term. . . simply
`reinvokes that non-singular meaning.” /d.
`
`01 Communique Lab., Inc. v. LogMeIn, Inc. , 687 F.3d 1292, 1297 (Fed. Cir.
`
`2012). At this stage, Patent Owner has not demonstrated a clear intent to
`
`limit “a policy” to a single policy as asserted. See Prelim. Resp. 3—6, 17-20.
`
`17
`
`
`
`IPR2023-00458
`Patent 9,280,678 B2
`
`Wefind insufficient record evidenceat this stage that the °678 patent
`
`limits “a policy”to a single policy or what sucha single policy comprises.
`
`Afile storagepolicy “defines accessrights, storage diversity requirements
`
`and a type of encryption to be appliedto files for the correspondinguser.”
`
`Ex. 1001, 2:18—22. It does not define cryptographic key information for
`
`element 1[b] or manage access for element 1[d]. Apolicy-basedframework
`
`for encrypting, storing, accessing, querying, and managing data across cloud
`
`platforms can assign a policy that “defines the mannerin which the users can
`
`access and process content stored on the cloud, [and] the mode in which the
`
`data is encrypted, stored, searched, and accessed.” /d. at 3:25—34. Policies
`
`of this framework do not define cryptographic key information in element
`
`1[b] or manageaccess to a searchable encryptedfile in element 1[d].
`
`A policy of a policy assignment module can be used to define howa
`
`file is uploaded, stored, searched, downloaded, and/or processed, and it can
`
`“be used to configure access rights” that dictate howusersprocess uploaded
`
`encrypted files. Ex. 1001, 3:45—52. Claim 1 recites that “the policy defines
`
`access rights ofthe one or more users” (emphasis added) in element1[a][11].
`
`The ’678 patent describes a policy of a policy assignment module is “used to
`
`configure access rightsof... users.” /d. (emphasis added). The policy does
`
`not define or configure accessrights. It is used to define or configurerights.
`
`An encryption module can encryptfiles to upload or store on cloud
`
`platforms based ona policy defined by the policy assignment module and a
`
`selectedpolicy can be used to define encryption keys. Ex. 1001, 4:1-7. The
`
`policy does not define cryptographic key information as in element1[b]; it is
`
`used by an encryption module to define encryption keys. On this record, we
`
`find insufficient evidence to depart from the general rule described above.
`
`18
`
`
`
`IPR2023-00458
`Patent 9,280,678 B2
`
`Cidon’s managementserverdefines, assigns, manages, and enforces
`
`secure accessrights to encrypted cloud files. Ex. 10049102. A policy can
`
`(1) provide accesstofile repositories, (2) store file repository information,
`
`(3) analyze and encryptfiles, (4) store andretrieve encryption keys,
`
`(5) provide access policy configuration for securefile access, (6) enforce a
`
`securefile access policy, and (7) report file access use and devices used for
`
`access.
`
`/d. Each access policy has a numberof components that control
`
`securefile access, encryption, storage, andmanagement. /d. J] 102, 108.
`
`Cidon’s managementserver 100 includes an IT Policy Enforcement
`
`Module 120 that allows enterprise administrators to define and enforce the
`
`policies for accessing securefiles by different users/groups. Ex. 1004 § 108.
`
`Different encryption parameters are used to encryptdifferentfiles associated
`
`with different users and groups. /d. 99324, 326; see Pet. 24-25, 30-34.
`
`Cidon also defines placementpolicies that control (1) file placement
`
`(storage) in specific directories, (2) file access and sharing permissions,
`
`(3) encrypting file content, and (4) managing user access. Ex. 1004 9] 206—
`
`217. A placementpolicy defines directoriesto store files, access and sharing
`
`permissions, copying, and file encryption. /d. §]206—212. A policy covers
`
`user “[a|ccess and sharing permissions”to files.
`
`/d. 99 210,212. A policy
`
`detects and handles accessviolationsby alerting users and administrators so
`
`they can changethepolicy. Id. J§ 213-217. Althoughfi/es are placed in
`
`directories (Prelim. Resp. 18; Ex. 2001 § 63), a policy controls and manages
`
`user access to encryptedfiles, encryption, and policy changesas claimed
`
`(Ex. 1004 §§] 206-217). Atthis stage, Petitioner has madeasufficient
`
`showing that Cidon teachesor suggests a policy of element1[a][11].
`
`19
`
`
`
`IPR2023-00458
`Patent 9,280,678 B2
`
`f.
`
`1/b]: “encrypting, by the gateway device, using
`cryptographic key information defined by thepolicy,
`content ofthefile to produce a searchable encrypted
`file by:”
`
`Petitioner asserts that a skilled artisan would have combined Cidon’s
`
`managementserver with Herrmann’s gatewayserver to perform Cidon’s
`
`operationsat a gateway. Petitioner contendsthat the gateway would encrypt
`
`cloudfiles as a searchable encryptedfile by segmenting and encryptingfile
`
`segments to form an encryptedfile ofthe multiple encrypted file segments.
`
`Petitioner asserts that encrypted file segments wouldbe searchable by a web
`
`service API fora documentsearch and using metadata text/tags. Petitioner
`
`contends that Cidon taught or suggested searchable encryptedfiles because
`
`users could accessa file or folder by browsing a webservice accountusing
`
`an API to perform a document search. Petitioner asserts that Cidon’s
`
`managementserver extracted metadata from files uploadedto it, and the
`
`metadata could be used to help in file search operations using text or tags for
`
`searching. Pet. 29-32 (citing Ex. 1004 9991, 102, 166, 171, 222, 303-305,
`
`309, 337, Figs. 13, 15; Ex. 1002 99 84-91).
`
`Petitioner contends that Cidon usesdifferent encryption parameters to
`
`encryptfiles for different users. Petitioner also asserts that a skilled artisan
`
`would have foundit obvious that these encryption parameters would include
`
`“cryptographic key information”defined by the policy, and the encryption
`
`parameters would vary for specific users and groups. Petitioner asserts that
`
`Cidon also describes using encryption parametersto encrypt files, and an
`
`encryption key was a well-known encryption parameter. Pet. 33-34 (citing
`
`Ex. 1004 ff 108, 207, 208, 212, 324, 326; Ex. 1002 49 89-91; Ex. 1001,
`
`4:4—7, 10:1-3).
`
`20
`
`
`
`IPR2023-00458
`Patent 9,280,678 B2
`
`Patent Ownerarguesthat the references do not disclose “encrypting
`
`... content ofthe file to produce a searchable encryptedfile.” Patent Owner
`
`asserts that Cidon “contains no such disclosure”of encryption processes that
`
`produceasearchable encryptedfile and searching the encrypted content of a
`
`file was highly unconventional. Prelim. Resp. 21. Patent Ownerasserts that
`
`Cidon’s ability to accessafile, search a document, andbrowsea file using
`
`metadata and text or tags does not teach or suggest the contents of encrypted
`
`documents are searchable. /d. at 22 (“As Dr. Black explains, a [skilled
`
`artisan] would have understood that the ability to search for andfindfiles in
`
`a system is distinctly different from the ability to search the contents ofthe
`
`files themselves.”).
`
`Element1[b] of claim 1 recites “a searchable encryptedfile.” It does
`
`not recite that the encrypted contents ofthe encryptedfile are searchable as
`
`Patent Ownerargues. See Prelim. Resp.22.
`
`This argumentalso ignoresPetitioner’s reliance on Shikfa to teach the
`
`use of indexes ofkeywords ofthe encrypted content of documentsto search
`
`the contents ofencrypted documents as discussed at element 1[b][111] below.
`
`Pet. 40-43. The ’678 patent system similarly uses indexes of encrypted
`
`keywordsto search encrypted file content. Ex. 1001, 11:29-12:57, Figs. 3A,
`
`3B. Obviousnessis not determined on an element-by-element basis but on
`
`the claim as a whole based on the combined teachings ofthe references. See
`
`Inre Merck, 800 F.2d 1091, (Fed. Cir. 1986) (“Non-obviousness cannot be
`
`established by attacking references individually where the rejection is based
`
`upon the teachings of a combination ofreferences.”’).
`
`At this stage, Petitioner has made a sufficient showing that Cidon
`
`discloses element1[b].
`
`21
`
`
`
`IPR2023-00458
`Patent 9,280,678 B2
`
`g.
`
`1[b]fi]: “dividing thefile into a plurality ofchunks”
`
`Petitioner contends that Cidon segmentsa file into multiple segments,
`
`and Figure 13 of Cidon illustrates a segmentation that dividesfile 1410 into
`
`three segments 1430. Pet. 34—36 (citing Ex. 1004 44 35, 305, 309, Figs. 13,
`
`15). This contention, which Patent Ownerdoesnot contestat this stage, is
`
`supported by record evidence.
`
`h.
`
`1[b]fii]: “creating namespacesfor one or more of
`the plurality ofchunks; and”
`
`Petitioner contends that Cidon describes calculating and creating a
`
`unique file segmentidentifier or signature for each file segment (chunk)
`
`based on the content ofthe file segmentusing aSHA2signature. Petitioner
`
`asserts that a skilled artisan would have understood that a signature would
`
`identify the segments, and the segmentidentifiers are “namespaces” because
`
`they are “theset ofnames available for naming”file segments. Pet. 36—40
`
`(citing Ex. 1004 F¥ 106, 305, 309, 383, Figs. 13, 15; Ex. 1002 J 96, 98).
`
`These contentions, which Patent Owner doesnot contest at this stage, are
`
`supported by record evidence. File metadatamay include the name, content
`
`type, and description of each file. Ex. 1004 9§ 104-107, 113-121.
`
`i.=L[b][iti]: “configuring the namespacesofthe one or
`more chunks such that contentofthefile
Accessing this document will incur an additional charge of $.
After purchase, you can access this document again without charge.
Accept $ Charge
Still Working On It
This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.
Give it another minute or two to complete, and then try the refresh button.
A few More Minutes ... Still Working
It can take up to 5 minutes for us to download a document if the court servers are running slowly.
Thank you for your continued patience.
This document could not be displayed.
We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.
Your account does not support viewing this document.
You need a Paid Account to view this document. Click here to change your account type.
Your account does not support viewing this document.
Set your membership
status to view this document.
With a Docket Alarm membership, you'll
get a whole lot more, including:
- Up-to-date information for this case.
- Email alerts whenever there is an update.
- Full text search for other cases.
- Get email alerts whenever a new case matches your search.
One Moment Please
The filing “” is large (MB) and is being downloaded.
Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.
Your document is on its way!
If you do not receive the document in five minutes, contact support at support@docketalarm.com.
Sealed Document
We are unable to display this document, it may be under a court ordered seal.
If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.
Access Government Site
