DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 03/06/2019, 05/09/2019, and 03/09/2020 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Response to Amendment
Preliminary amendments to the Abstract and the Claims have been fully considered and entered.

Specification
The disclosure is objected to because of the following informalities:
The phrase “an cryptographic processing unit” appears many times throughout the Abstract and Specification.  The phrase should be amended to “a cryptographic processing unit” to fix grammar issues. Appropriate correction is requested.

Claim Objections
Claims 1, 3, 5, 7, 8, and 9-12 are objected to because of the following informalities:  

Regarding claim 1, the term “encrypts” in line 10 should be “encrypt” and the term “configure” in lines 19 and 26 should be “configured” to correct grammar issues.
Regarding claim 3, the term “encrypts” mentioned twice in line 13 should be “encrypt”, the term “decrypts” in lines 22 and 24 should be “decrypt”, and the term “verifies” in line 29 should be “verify” to correct grammar issues.
Regarding claim 5, the term “configure” in lines 8, 11, and 20 should be “configured” and the term “encrypts” mentioned twice in line 13 should be “encrypt” to correct grammar issues.
Appropriate correction is required.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 22-25 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. Claim 23 recites a method comprising a data providing device calculating an expected value of applied data and transmitting the applied data and the expected value to a vehicle, and 
The limitations of calculating an expected value, and calculating a measured value, and verifying the measured value on the basis of the expected value received, under its broadest reasonable interpretation, cover performance of the limitations in the mind but for the recitation of generic computer components. That is, other than reciting “a data providing device” and “an in-vehicle computer”, nothing in the claim element precludes the step from practically being performed in the human mind. For example, but for the “data providing device” and the “in-vehicle computer”, the limitations encompasses a user manually calculating the expected value and another user calculating the measured value. Additionally, the mere nominal recitation of a generic data providing device and a generic in-vehicle computer do not take the claim limitation out of the mental processes grouping. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
This judicial exception is not integrated into a practical application. In particular, the claim recites the combination of additional elements of 1) using a data providing device to calculate the expected value, 2) using a vehicle interface to transmit the applied data and the expected data, 3) using an in-vehicle computer to calculate a measured value and verify the measured value, and 4) using an interface unit to receive data from a device outside the in-vehicle computer and transmit a verification result. 
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to the integration of the abstract idea into a practical application, the additional elements of a data providing device and an in-vehicle computer amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The claim is not patent eligible.
Independent claims 22, 24, and 25 include limitations similar to the limitation of independent claim 23 and are rejected under 35 U.S.C. 101 for being directed to an abstract idea for similar reasons as discussed above with respect to claim 23.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 

(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “key generation unit” (in claims 1, 3, 5, 7, 9, and 11), “cryptographic processing unit” (in claims 1, 3, 5, and 7-12), “expected value calculation unit” (in claims 1, 3, 5, 7, 9, 11, and 22), “verification unit” (in claims 1, 5, 7, and 11), “interface unit” (in claims 1, 3, 5, 8, 10, 12, and 22), “measured value calculation unit” (in claims 1 and 8), and “measurement unit” (in claims 3, 5, 10, 12, and 22).
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof. See the rejection under 35 U.S.C. 112(b) below.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) 

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1, 3, 5, 7-12, and 22 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claim limitations “key generation unit” (in claims 1, 3, 5, 7, 9, and 11), “cryptographic processing unit” (in claims 1, 3, 5, and 7-12), “expected value calculation unit” (in claims 1, 3, 5, 7, 9, 11, and 22), “verification unit” (in claims 1, 5, 7, and 11), “interface unit” (in claims 1, 3, 5, 8, 10, 12, and 22), “measured value calculation unit” (in claims 1 and 8), and “measurement unit” (in claims 3, 5, 10, 12, and 22) invoke 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. No association between the structure and the function can be found in the specification as filed. Examiner notes paragraphs [0046] and [0225] of the specification 
Applicant may:
(a)        Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph; 
(b)        Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(c)        Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 

(b)        Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.

Regarding claims 5, 11, and 20, the limitation “a verification value” appears in lines 15 and 39 of claim 5, lines 13 and 15-16 of claim 11, and lines 13 and 15 of claim 20. It is confusing to the examiner whether the limitations refer to the same verification value or different verification values. Examiner suggests to change the second mention of “a verification value” of each claim to “the verification value” if they all refer to the same verification value or distinguish different verification values using “first verification value” and “second verification value” if they are different verification values to obviate this rejection.

Priority
While receipt is acknowledged of certified copies of papers required by 37 CFR 1.55, the foreign priority is not perfected because there is no English translation of the certified copy of the foreign priority application filed. Therefore, the effective filing date of the instant application is the PCT filing date (i.e., 03/28/2017) for prior art purposes. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 7, 9, 10, 13, 14, 16, 18, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Dottax et al. (US 20170353315 A1; hereinafter “Dottax”), as disclosed in the IDS filed 03/09/2020, in view of Takemori (Takemori, K., “Automotive Security Using Secure Element”, KDDI, 2015, pgs. 11 and 14-15) and further in view of Jung et al. (US 20150180840 A1; hereinafter “Jung”) as disclosed in the IDS filed 03/09/2020. 
As per claims 1 and 13, Dottax discloses: a management system and a method of managing a management system, the management system comprising: 
a key generation device (Dottax, Fig. 1 and [0049], third party auditor TP); and 
an in-vehicle computer which is installed in a vehicle (Dottax, Fig. 1 and [0044], electronic apparatus A is an embedded electronic system in a motor vehicle), 
wherein the key generation device includes 
a key generation unit that generates a key which is stored in an in-vehicle computer installed in the vehicle (Dottax, [0129] and [0130], secret SECINT (i.e., key) is generated by the third party auditor TP (i.e., key generation device) and sent and stored at the electronic entity E, [0044], wherein electronic entity E is part of electronic INT is a cryptographic key), 
an expected value calculation unit configured to calculate an expected value of stored data which is stored in advance in the in-vehicle computer using the key (Dottax, [0151]-[0152], determines/calculates a MAC integrity value VALINT* (i.e., expected value) of the 8-bit-byte structure image data (i.e., stored data) using the secret SECINT (i.e., key), [0124], [0132]-[0134] and [0136], wherein the image data is stored in the electronic entity E in advance), 
a verification unit configured to verify a measured value received from the vehicle on the basis of the expected value (Dottax, [0146], third party auditor TP receives an integrity value VALINT (i.e., measure value) from the electronic entity E of the vehicle, [0151]-[0152], and verifies the integrity value VALINT (i.e., measure value) on the basis of the integrity value VALINT* (i.e., expected value)), and
wherein the in-vehicle computer includes 
an interface unit configured to transmit and receive data to and from a device outside of the in-vehicle computer (Dottax, [0043] and Fig. 1, electronic apparatus A (i.e., in-vehicle computer) comprises a communication module COM (i.e., interface unit) in order to exchange data with other electronic devices outside the vehicle (e.g., ISS)), and 
a measured value calculation unit configured to calculate a measured value of stored data which is stored in advance in the in-vehicle computer using a key (Dottax, [0143] and [0146], integrity value VALINT (i.e., measured value) is calculated based on 8-bit-byte structure image data (i.e., stored data) and cryptographic key SECINT by the 
wherein the measured value is transmitted to the key generation device through the interface unit (Dottax, [0146], integrity value VALINT (i.e., measured value) is transmitted to the third party auditor TP (i.e., key generation device)).
Dottax does not disclose, however, Takemori teaches or suggests: wherein the key generation device includes
generating a first key and a second key (Takemori, pg. 11 and pg. 15, generates both a key exchange key Kx2 (i.e., first key) and a new session key k8 (i.e., second key)), 
encrypting the first key with an initial key which is stored in advance in the in-vehicle computer to generate first encrypted data (Takemori, pg. 14, key exchange key Kx2 (i.e., first key) is encrypted with an initial key Ki5 which is stored in advance in the ECU, generating the first encrypted data Ki5(Kx2)), and encrypt the second key with the first key to generate second encrypted data (Takemori, pg. 15, new session key k8 (i.e., second key) is encrypted with the key exchange key Kx2 (i.e., first key), generating the second encrypted data Kx2(k8)), and
wherein the first encrypted data and the second encrypted data are transmitted to the vehicle (Takemori, pg. 14, encrypted key exchange key Ki5(Kx2) (i.e., first encrypted data) is sent to the ECU, pg. 15, encrypted new session key Kx2(k8) (i.e., second encrypted data) is sent to the ECU), and
wherein the in-vehicle includes

It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Dottax to include  generating a plurality of keys, encrypting a first key with an initial key, encrypting a second key with the first key, and sending both the encrypted first and encrypted second keys to the in-vehicle computer as taught by Takemori for the benefit of protecting keys being shared in the vehicle network from attacks by malicious parties (Takemori, pgs. 4-6). Furthermore, encrypting the session key (i.e., second key) increases the difficulty for a malicious party to generate the MAC integrity value, enhancing security in the vehicle network (Takemori, pg. 16).
The combination of Dottax and Takemori does not explicitly disclose, however, Jung teaches or suggests: a vehicle interface and sending data through the vehicle interface (Jung, Fig. 9 and [0123], communication unit 980 (i.e., vehicle interface) receives/transmits data from/to vehicle via diagnostic apparatus)
KSR).

As per claim 2, claim 1 is incorporated and while the modified Dottax discloses transmitting the first encrypted data and the second encrypted data from the key generation device to the in-vehicle computer (see rejection of claim 1), the modified Dottax does not disclose, however, Jung teaches or suggests: wherein a plurality of the in-vehicle computers are installed in the vehicle, and a first in-vehicle computer out of the plurality of in-vehicle computers relays data, transmitted from the key generation device, to a second in-vehicle computer out of the plurality of in-vehicle computers (Jung, Fig. 3, data sent from the server would reach the gateway (i.e., first in-vehicle computer) and the data would be relayed to the appropriate ECU (i.e., second in-vehicle computer)).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Dottax to include a gateway for relaying data to an appropriate in-vehicle computer of a plurality of in-vehicle computers as taught by Jung for the benefit of authenticating an external diagnostic apparatus, thereby enhancing the security of the vehicle network (Jung, [0061]).

As per claims 3 and 14, Dottax discloses: a management system and a method of managing a management system, the management system comprising: 
a key generation device (Dottax, Fig. 1 and [0049], third party auditor TP); and 
an in-vehicle computer which is installed in a vehicle (Dottax, Fig. 1 and [0044], electronic apparatus A is an embedded electronic system in a motor vehicle), 
wherein the key generation device includes 
a key generation unit that generates a key which is stored in an in-vehicle computer installed in the vehicle (Dottax, [0129] and [0130], secret SECINT (i.e., key) is generated by the third party auditor TP (i.e., key generation device) and sent and stored at the electronic entity E, [0044], wherein electronic entity E is part of electronic apparatus A which is an embedded electronic system in a motor vehicle (i.e., in-vehicle computer installed in the vehicle), [0143], wherein SECINT is a cryptographic key), and 
an expected value calculation unit configured to calculate an expected value of stored data which is stored in advance in the in-vehicle computer using the key (Dottax, [0151]-[0152], determines/calculates a MAC integrity value VALINT* (i.e., expected value) of the 8-bit-byte structure image data (i.e., stored data) using the secret SECINT (i.e., key), [0124], [0132]-[0134] and [0136], wherein the image data is stored in the electronic entity E in advance), and 
wherein the in-vehicle computer includes 
an interface unit configured to transmit and receive data to and from a device outside of the in-vehicle computer (Dottax, [0043] and Fig. 1, electronic apparatus A (i.e., in-vehicle computer) comprises a communication module COM (i.e., interface unit) 
a measurement unit configured to calculate a measured value of stored data which is stored in advance in the in-vehicle computer using a key (Dottax, [0143] and [0146], integrity value VALINT (i.e., measured value) is calculated based on 8-bit-byte structure image data (i.e., stored data) and cryptographic key SECINT by the secure electronic entity E, [0124], [0132]-[0134] and [0136], wherein the image data is stored in the electronic entity E in advance).
Dottax does not disclose, however, Takemori teaches or suggests: wherein the key generation device includes 
generating a first key and a second key (Takemori, pg. 11 and pg. 15, generates both a key exchange key Kx2 (i.e., first key) and a new session key k8 (i.e., second key)), and
an cryptographic processing unit configured to encrypt the first key with an initial key which is stored in advance in the in-vehicle computer to generate first encrypted data (Takemori, pg. 14, key exchange key Kx2 (i.e., first key) is encrypted with an initial key Ki5 which is stored in advance in the ECU, generating the first encrypted data Ki5(Kx2)), and encrypt the second key with the first key to generate second encrypted data (Takemori, pg. 15, new session key k8 (i.e., second key) is encrypted with the key exchange key Kx2 (i.e., first key), generating the second encrypted data Kx2(k8)); and
wherein the first encrypted data and the second encrypted data are transmitted to the vehicle (Takemori, pg. 14, encrypted key exchange key Ki5(Kx2) (i.e., first 
wherein the in-vehicle includes
an cryptographic processing unit configured to decrypt first encrypted data received from a key generation device through the interface unit with an initial key which is stored in advance in the in-vehicle computer to acquire a first key (Takemori, pg. 14, end ECU decrypts first encrypted data Ki5(Kx2) received from the central GW with an initial key Ki5 to obtain key exchange key Kx2 (i.e., first key)), and decrypt second encrypted data received from the key generation device through the interface unit with the acquired first key to acquire a second key (Takemori, pg. 15, decrypt second encrypted data Kx2(k8) received from the central GW with obtained key exchange key Kx2 (i.e., first key) to obtain session key k8 (i.e., second key) which is used to calculate a MAC (pg. 16)).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Dottax to include  generating a plurality of keys, encrypting a first key with an initial key, encrypting a second key with the first key, and sending both the encrypted first and encrypted second keys to the in-vehicle computer as taught by Takemori for the benefit of protecting keys being shared in the vehicle network from attacks by malicious parties (Takemori, pgs. 4-6). Furthermore, encrypting the session key (i.e., second key) increases the difficulty for a malicious party to generate the MAC integrity value, enhancing security in the vehicle network (Takemori, pg. 16).

a vehicle interface and sending data through the vehicle interface (Jung, Fig. 9 and [0123], communication unit 980 (i.e., vehicle interface) receives/transmits data from/to vehicle via diagnostic apparatus), 
encrypting the expected value with a key to generate fourth encrypted data (Jung, [0097]-[0098], hash value of firmware (i.e., expected value) is encrypted using the server private key (i.e., key) resulting in third data (i.e., fourth encrypted data); and 
transmitting the fourth encrypted data to the vehicle (Jung, [0097]-[0098], wherein the third data (i.e., fourth encrypted data) is subsequently transmitted to the vehicle via the diagnostic apparatus), and
wherein the in-vehicle includes
decrypting fourth encrypted data received from the key generation device through the interface unit with the acquired first key to acquire an expected value (Jung, [0091], ECU 340 may acquire a second hash value (i.e., expected value) generated by the server by decrypting the third data (i.e., fourth encrypted data) using the server public key (i.e., acquired first key)); and 
verifying the measured value on the basis of the acquired expected value (Jung, [0092], ECU confirms whether or not the first hash value (i.e., measured value) and the second hash value (i.e., expected value) are the same). 
wherein a verification result for the measured value is transmitted through the interface unit (Jung, [0093], if the first hash value (i.e., measured value) and the second hash value (i.e., expected value) are not the same, transmit a designated message (i.e., 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Dottax to include a vehicle interface as taught by Jung because combining the prior art element of a vehicle/communication interface (e.g., receiver/transmitter) according to known methods yields the predictable result of sending and receiving data which is well known in the art (KSR). Furthermore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Dottax to include encrypting and transmitting, by the key generation device, the expected value to the in-vehicle computer and decrypting, by the in-vehicle computer, the encrypted expected value, verifying the measured value on the basis of the acquired expected value, and transmitting a verification result for the measured value to the key generation device as taught by Jung for the benefit of guaranteeing confidentiality and integrity when upgrading firmware of a vehicle’s ECU (Jung, [0012]). 

As per claim 4, claim 3 is incorporated and while the modified Dottax discloses transmitting the first encrypted data,  the second encrypted data, and the fourth encrypted data from the key generation device to the in-vehicle computer (see rejection of claim 3), the modified Dottax does not disclose, however, Jung teaches or suggests: wherein a plurality of the in-vehicle computers are installed in the vehicle, and a first in-vehicle computer out of the plurality of in-vehicle computers relays data, transmitted 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Dottax to include a gateway for relaying data to an appropriate in-vehicle computer of a plurality of in-vehicle computers as taught by Jung for the benefit of authenticating an external diagnostic apparatus, thereby enhancing the security of the vehicle network (Jung, [0061]).

As per claims 7 and 16, Dottax discloses: a key generation device and a non-transitory computer-readable medium storing a computer program, the key generation device comprising: 
a key generation unit that generates a key which is stored in an in-vehicle computer installed in the vehicle (Dottax, [0129] and [0130], secret SECINT (i.e., key) is generated by the third party auditor TP (i.e., key generation device) and sent and stored at the electronic entity E, [0044], wherein electronic entity E is part of electronic apparatus A which is an embedded electronic system in a motor vehicle (i.e., in-vehicle computer installed in the vehicle), [0143], wherein SECINT is a cryptographic key); 
an expected value calculation unit configured to calculate an expected value of stored data which is stored in advance in the in-vehicle computer using the key (Dottax, [0151]-[0152], determines/calculates a MAC integrity value VALINT* (i.e., expected value) INT (i.e., key), [0124], [0132]-[0134] and [0136], wherein the image data is stored in the electronic entity E in advance); and 
a verification unit configured to verify a measured value received from the vehicle on the basis of the expected value (Dottax, [0146], third party auditor TP receives an integrity value VALINT (i.e., measure value) from the electronic entity E of the vehicle, [0151]-[0152], and verifies the integrity value VALINT (i.e., measure value) on the basis of the integrity value VALINT* (i.e., expected value)).
Dottax does not disclose, however, Takemori teaches or suggests: generating a first key and a second key (Takemori, pg. 11 and pg. 15, generates both a key exchange key Kx2 (i.e., first key) and a new session key k8 (i.e., second key)); and
an cryptographic processing unit configured to encrypt the first key with an initial key which is stored in advance in the in-vehicle computer to generate first encrypted data (Takemori, pg. 14, key exchange key Kx2 (i.e., first key) is encrypted with an initial key Ki5 which is stored in advance in the ECU, generating the first encrypted data Ki5(Kx2)), and encrypt the second key with the first key to generate second encrypted data (Takemori, pg. 15, new session key k8 (i.e., second key) is encrypted with the key exchange key Kx2 (i.e., first key), generating the second encrypted data Kx2(k8)); and
wherein the first encrypted data and the second encrypted data are transmitted to the vehicle (Takemori, pg. 14, encrypted key exchange key Ki5(Kx2) (i.e., first encrypted data) is sent to the ECU, pg. 15, encrypted new session key Kx2(k8) (i.e., second encrypted data) is sent to the ECU).

The combination of Dottax and Takemori does not explicitly disclose, however, Jung teaches or suggests: a vehicle interface and sending data through the vehicle interface (Jung, Fig. 9 and [0123], communication unit 980 (i.e., vehicle interface) receives/transmits data from/to vehicle via diagnostic apparatus)
The combination of Dottax and Takemori does not explicitly disclose, however, Jung teaches or suggests: a vehicle interface and sending data through the vehicle interface (Jung, Fig. 9 and [0123], communication unit 980 (i.e., vehicle interface) receives/transmits data from/to vehicle via diagnostic apparatus)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Dottax to include a vehicle interface as taught by Jung because combining the prior art element of a vehicle/communication interface (e.g., receiver/transmitter) according to known methods yields the predictable result of sending and receiving data which is well known in the art (KSR).

As per claims 9 and 18, Dottax discloses: a key generation device and a non-transitory computer-readable medium storing a computer program, the key generation device comprising: 
a key generation unit that generates a key which is stored in an in-vehicle computer installed in the vehicle (Dottax, [0129] and [0130], secret SECINT (i.e., key) is generated by the third party auditor TP (i.e., key generation device) and sent and stored at the electronic entity E, [0044], wherein electronic entity E is part of electronic apparatus A which is an embedded electronic system in a motor vehicle (i.e., in-vehicle computer installed in the vehicle), [0143], wherein SECINT is a cryptographic key); and 
an expected value calculation unit configured to calculate an expected value of stored data which is stored in advance in the in-vehicle computer using the key (Dottax, [0151]-[0152], determines/calculates a MAC integrity value VALINT* (i.e., expected value) of the 8-bit-byte structure image data (i.e., stored data) using the secret SECINT (i.e., key), [0124], [0132]-[0134] and [0136], wherein the image data is stored in the electronic entity E in advance).
Dottax does not disclose, however, Takemori teaches or suggests: generating a first key and a second key (Takemori, pg. 11 and pg. 15, generates both a key exchange key Kx2 (i.e., first key) and a new session key k8 (i.e., second key)); and
an cryptographic processing unit configured to encrypt the first key with an initial key which is stored in advance in the in-vehicle computer to generate first encrypted data (Takemori, pg. 14, key exchange key Kx2 (i.e., first key) is encrypted with an initial key Ki5 which is stored in advance in the ECU, generating the first encrypted data 
wherein the first encrypted data and the second encrypted data are transmitted to the vehicle (Takemori, pg. 14, encrypted key exchange key Ki5(Kx2) (i.e., first encrypted data) is sent to the ECU, pg. 15, encrypted new session key Kx2(k8) (i.e., second encrypted data) is sent to the ECU).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Dottax to include  generating a plurality of keys, encrypting a first key with an initial key, encrypting a second key with the first key, and sending both the encrypted first and encrypted second keys to the in-vehicle computer as taught by Takemori for the benefit of protecting keys being shared in the vehicle network from attacks by malicious parties (Takemori, pgs. 4-6). Furthermore, encrypting the session key (i.e., second key) increases the difficulty for a malicious party to generate the MAC integrity value, enhancing security in the vehicle network (Takemori, pg. 16).
The modified Dottax does not disclose, however, Jung teaches or suggests: a vehicle interface and sending data through the vehicle interface (Jung, Fig. 9 and [0123], communication unit 980 (i.e., vehicle interface) receives/transmits data from/to vehicle via diagnostic apparatus); 
encrypting the expected value with a key to generate fourth encrypted data (Jung, [0097]-[0098], hash value of firmware (i.e., expected value) is encrypted using the server private key (i.e., key) resulting in third data (i.e., fourth encrypted data); and 

It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Dottax to include a vehicle interface as taught by Jung because combining the prior art element of a vehicle/communication interface (e.g., receiver/transmitter) according to known methods yields the predictable result of sending and receiving data which is well known in the art (KSR). Furthermore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Dottax to include encrypting the expected value and transmitting the encrypted expected value as taught by Jung for the benefit of guaranteeing confidentiality and integrity when upgrading firmware of a vehicle’s ECU (Jung, [0012]). 

As per claims 10 and 19, Dottax discloses: an in-vehicle computer which is installed in a vehicle, and a non-transitory computer-readable medium storing a computer program, the in-vehicle computer comprising: 
an interface unit configured to transmit and receive data to and from a device outside of the in-vehicle computer (Dottax, [0043] and Fig. 1, electronic apparatus A (i.e., in-vehicle computer) comprises a communication module COM (i.e., interface unit) in order to exchange data with other electronic devices outside the vehicle (e.g., ISS)); and
a key (Dottax, [0143] and [0146], integrity value VALINT (i.e., measured value) is calculated based on 8-bit-byte structure image data (i.e., stored data) and cryptographic key SECINT by the secure electronic entity E, [0124], [0132]-[0134] and [0136], wherein the image data is stored in the electronic entity E in advance).
Dottax does not disclose, however, Takemori teaches or suggests: an cryptographic processing unit configured to decrypt first encrypted data received from a key generation device through the interface unit with an initial key which is stored in advance in the in-vehicle computer to acquire a first key (Takemori, pg. 14, end ECU decrypts first encrypted data Ki5(Kx2) received from the central GW with an initial key Ki5 to obtain key exchange key Kx2 (i.e., first key)), and decrypt second encrypted data received from the key generation device through the interface unit with the acquired first key to acquire a second key (Takemori, pg. 15, decrypt second encrypted data Kx2(k8) received from the central GW with obtained key exchange key Kx2 (i.e., first key) to obtain session key k8 (i.e., second key) which is used to calculate a MAC (pg. 16)).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Dottax to include  generating a plurality of keys, encrypting a first key with an initial key, encrypting a second key with the first key, and sending both the encrypted first and encrypted second keys to the in-vehicle computer as taught by Takemori for the benefit of protecting keys being shared in the vehicle network from attacks by malicious parties (Takemori, pgs. 4-6). Furthermore, encrypting the session key (i.e., second key) 
The combination of Dottax and Takemori does not disclose, however, Jung teaches or suggest: decrypting fourth encrypted data received from the key generation device through the interface unit with the acquired first key to acquire an expected value (Jung, [0091], ECU 340 may acquire a second hash value (i.e., expected value) generated by the server by decrypting the third data (i.e., fourth encrypted data) using the server public key (i.e., acquired first key)); and 
verifying the measured value on the basis of the acquired expected value (Jung, [0092], ECU confirms whether or not the first hash value (i.e., measured value) and the second hash value (i.e., expected value) are the same). 
wherein a verification result for the measured value is transmitted through the interface unit (Jung, [0093], if the first hash value (i.e., measured value) and the second hash value (i.e., expected value) are not the same, transmit a designated message (i.e., verification result) indicating that re-programming is impossible to the diagnostic apparatus 320).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Dottax to include decrypting the fourth encrypted value to acquire the expected value, verify the measured value on the basis of the acquired expected value, and transmitting a verification result for the measured value as taught by Jung for the benefit of guaranteeing confidentiality and integrity when upgrading firmware of a vehicle’s ECU (Jung, [0012]). 

Claims 8 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Dottax in view of Takemori. 
As per claims 8 and 17, Dottax discloses: an in-vehicle computer which is installed in a vehicle, and a non-transitory computer-readable medium storing a computer program, the in-vehicle computer comprising: 
an interface unit configured to transmit and receive data to and from a device outside of the in-vehicle computer (Dottax, [0043] and Fig. 1, electronic apparatus A (i.e., in-vehicle computer) comprises a communication module COM (i.e., interface unit) in order to exchange data with other electronic devices outside the vehicle (e.g., ISS)); and 
a measured value calculation unit configured to calculate a measured value of stored data which is stored in advance in the in-vehicle computer using a key (Dottax, [0143] and [0146], integrity value VALINT (i.e., measured value) is calculated based on 8-bit-byte structure image data (i.e., stored data) and cryptographic key SECINT by the secure electronic entity E, [0124], [0132]-[0134] and [0136], wherein the image data is stored in the electronic entity E in advance), 
wherein the measured value is transmitted to the key generation device through the interface unit (Dottax, [0146], integrity value VALINT (i.e., measured value) is transmitted to the third party auditor TP (i.e., key generation device)).
Dottax does not disclose, however, Takemori teaches or suggests: an cryptographic processing unit configured to decrypt first encrypted data received from a key generation device through the interface unit with an initial key which is stored in 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Dottax to include  generating a plurality of keys, encrypting a first key with an initial key, encrypting a second key with the first key, and sending both the encrypted first and encrypted second keys to the in-vehicle computer as taught by Takemori for the benefit of protecting keys being shared in the vehicle network from attacks by malicious parties (Takemori, pgs. 4-6). Furthermore, encrypting the session key (i.e., second key) increases the difficulty for a malicious party to generate the MAC integrity value, enhancing security in the vehicle network (Takemori, pg. 16).

Claims 11 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Dottax in view of Takemori, Jung, and further in view of Ishida et al. (US 20110083161 A1, hereinafter “Ishida”) as disclosed in the IDS filed 03/06/2019. 
As per claims 11 and 20, Dottax discloses: a key generation device and a non-transitory computer-readable medium storing a computer program, the key generation device comprising: 
a key which is stored in an in-vehicle computer installed in the vehicle (Dottax, [0129] and [0130], secret SECINT (i.e., key) is generated by the third party auditor TP (i.e., key generation device) and sent and stored at the electronic entity E, [0044], wherein electronic entity E is part of electronic apparatus A which is an embedded electronic system in a motor vehicle (i.e., in-vehicle computer installed in the vehicle), [0143], wherein SECINT is a cryptographic key); 
an expected value calculation unit configured to calculate an expected value of stored data which is stored in advance in the in-vehicle computer using the key (Dottax, [0151]-[0152], determines/calculates a MAC integrity value VALINT* (i.e., expected value) of the 8-bit-byte structure image data (i.e., stored data) using the secret SECINT (i.e., key), [0124], [0132]-[0134] and [0136], wherein the image data is stored in the electronic entity E in advance).
Dottax does not disclose, however, Takemori teaches or suggests: generating a first key and a second key (Takemori, pg. 11 and pg. 15, generates both a key exchange key Kx2 (i.e., first key) and a new session key k8 (i.e., second key)); and
an cryptographic processing unit configured to encrypt the first key with an initial key which is stored in advance in the in-vehicle computer to generate first encrypted data (Takemori, pg. 14, key exchange key Kx2 (i.e., first key) is encrypted with an initial key Ki5 which is stored in advance in the ECU, generating the first encrypted data Ki5(Kx2)), and encrypt the second key with the first key to generate second encrypted data (Takemori, pg. 15, new session key k8 (i.e., second key) is encrypted with the key exchange key Kx2 (i.e., first key), generating the second encrypted data Kx2(k8)); and

It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Dottax to include  generating a plurality of keys, encrypting a first key with an initial key, encrypting a second key with the first key, and sending both the encrypted first and encrypted second keys to the in-vehicle computer as taught by Takemori for the benefit of protecting keys being shared in the vehicle network from attacks by malicious parties (Takemori, pgs. 4-6). Furthermore, encrypting the session key (i.e., second key) increases the difficulty for a malicious party to generate the MAC integrity value, enhancing security in the vehicle network (Takemori, pg. 16).
The modified Dottax does not disclose, however, Jung teaches or suggests: a vehicle interface and sending data through the vehicle interface (Jung, Fig. 9 and [0123], communication unit 980 (i.e., vehicle interface) receives/transmits data from/to vehicle via diagnostic apparatus); 
encrypting the expected value with a key to generate fourth encrypted data (Jung, [0097]-[0098], hash value of firmware (i.e., expected value) is encrypted using the server private key (i.e., key) resulting in third data (i.e., fourth encrypted data); and 
transmitting the fourth encrypted data to the vehicle (Jung, [0097]-[0098], wherein the third data (i.e., fourth encrypted data) is subsequently transmitted to the vehicle via the diagnostic apparatus). 
KSR). Furthermore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Dottax to include encrypting the expected value and transmitting the encrypted expected value as taught by Jung for the benefit of guaranteeing confidentiality and integrity when upgrading firmware of a vehicle’s ECU (Jung, [0012]). 
The modified Dottax does not explicitly disclose, however, Ishida teaches or suggests: transmitting a verification value to the vehicle (Ishida, [0054]-[0055], at step S19, maintenance device generates a challenge code (i.e., verification value) and sends it to automobile); and
verifying a verification value received from the vehicle through the vehicle interface on the basis of the verification value supplied to the vehicle (Ishida, [0054]-[0055], at step S23, the automobile transmits the encrypted challenge code to the maintenance device and at step S24 the maintenance device decrypts the encrypted challenge code and verifies the challenge code on the basis of the challenge code sent the automobile during step S19).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the key generation device of the .

Claims 12 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Dottax in view of Takemori, Jung, and further in view of Fisher et al. (US 20150120560 A1, hereinafter “Fisher”). 
As per claims 12 and 21, Dottox discloses: an in-vehicle computer which is installed in a vehicle, and a non-transitory computer-readable medium storing a computer program, the in-vehicle computer comprising: 
an interface unit configured to transmit and receive data to and from a device outside of the in-vehicle computer (Dottax, [0043] and Fig. 1, electronic apparatus A (i.e., in-vehicle computer) comprises a communication module COM (i.e., interface unit) in order to exchange data with other electronic devices outside the vehicle (e.g., ISS)); and
a measurement unit configured to calculate a measured value of stored data which is stored in advance in the in-vehicle computer using a key (Dottax, [0143] and [0146], integrity value VALINT (i.e., measured value) is calculated based on 8-bit-byte structure image data (i.e., stored data) and cryptographic key SECINT by the secure 
Dottax does not disclose, however, Takemori teaches or suggests: an cryptographic processing unit configured to decrypt first encrypted data received from a key generation device through the interface unit with an initial key which is stored in advance in the in-vehicle computer to acquire a first key (Takemori, pg. 14, end ECU decrypts first encrypted data Ki5(Kx2) received from the central GW with an initial key Ki5 to obtain key exchange key Kx2 (i.e., first key)), and decrypt second encrypted data received from the key generation device through the interface unit with the acquired first key to acquire a second key (Takemori, pg. 15, decrypt second encrypted data Kx2(k8) received from the central GW with obtained key exchange key Kx2 (i.e., first key) to obtain session key k8 (i.e., second key) which is used to calculate a MAC (pg. 16)).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Dottax to include  generating a plurality of keys, encrypting a first key with an initial key, encrypting a second key with the first key, and sending both the encrypted first and encrypted second keys to the in-vehicle computer as taught by Takemori for the benefit of protecting keys being shared in the vehicle network from attacks by malicious parties (Takemori, pgs. 4-6). Furthermore, encrypting the session key (i.e., second key) increases the difficulty for a malicious party to generate the MAC integrity value, enhancing security in the vehicle network (Takemori, pg. 16).
The combination of Dottax and Takemori does not disclose, however, Jung teaches or suggest: decrypting fourth encrypted data received from the key generation 
verifying the measured value on the basis of the acquired expected value (Jung, [0092], ECU confirms whether or not the first hash value (i.e., measured value) and the second hash value (i.e., expected value) are the same). 
wherein a verification result for the measured value is transmitted through the interface unit (Jung, [0093], if the first hash value (i.e., measured value) and the second hash value (i.e., expected value) are not the same, transmit a designated message (i.e., verification result) indicating that re-programming is impossible to the diagnostic apparatus 320).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Dottax to include decrypting the fourth encrypted value to acquire the expected value, verify the measured value on the basis of the acquired expected value, and transmitting a verification result for the measured value as taught by Jung for the benefit of guaranteeing confidentiality and integrity when upgrading firmware of a vehicle’s ECU (Jung, [0012]). 
The modified Dottax does not disclose, however, Fisher teaches or suggests: the in-vehicle computer transmits the verification result which is inclusive of a verification value received from the key generation device through the interface unit in a case where the verification of the measured value has been passed, and transmits the 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Dottax to include a verification value in the verification result if verification of the measured value was successful, otherwise, not include the verification value in the verification result as taught by Fisher for the benefit of allowing the receiver of the verification result to verify that the verification was indeed successful by the verification value being included in the verification result. 

Claims 22-25 are rejected under 35 U.S.C. 103 as being unpatentable over Dottax in view of Jung. 
As per claims 22 and 23, Dottax discloses: a management system and a method, the management system comprising: 
a data providing device (Dottax, Fig. 1 and [0049], third party auditor TP); and 
an in-vehicle computer which is installed in a vehicle (Dottax, Fig. 1 and [0044], electronic apparatus A is an embedded electronic system in a motor vehicle), 
wherein the data providing device includes 
an expected value calculation unit configured to calculate an expected value of applied data which is applied to the in-vehicle computer (Dottax, [0151]-[0152], INT* (i.e., expected value) of the 8-bit-byte structure image data (i.e., stored data) using the secret SECINT (i.e., key), [0124], [0132]-[0134] and [0136], wherein the image data is stored in the electronic entity E in advance), and
wherein the in-vehicle computer includes 
an interface unit configured to transmit and receive data to and from a device outside of the in-vehicle computer (Dottax, [0043] and Fig. 1, electronic apparatus A (i.e., in-vehicle computer) comprises a communication module COM (i.e., interface unit) in order to exchange data with other electronic devices outside the vehicle (e.g., ISS)), and 
a measurement unit configured to calculate a measured value of the applied data received from the data providing device through the interface unit (Dottax, [0143] and [0146], integrity value VALINT (i.e., measured value) is calculated based on 8-bit-byte structure image data (i.e., applied data) and cryptographic key SECINT by the secure electronic entity E of the electronic apparatus A).
Dottax does not explicitly disclose, however, Jung teaches or suggests: 
wherein the data providing device includes: a vehicle interface configured to transmit and receive data to and from the vehicle (Jung, Fig. 9 and [0123], communication unit 980 (i.e., vehicle interface) receives/transmits data from/to vehicle via diagnostic apparatus), 
wherein the applied data and the expected value are transmitted to the vehicle through the vehicle interface (Jung, [0082], [0080], [0077], server 310 transmits first 
wherein the in-vehicle computer includes: verifying the measured value on the basis of the expected value received from the data providing device through the interface unit (Jung, [0090], ECU calculates a first hash value (i.e., measure value) by inputting the acquired original firmware to a designated hash function, [0092], ECU confirms whether or not the first hash value (i.e., measured value) and the second hash value (i.e., expected value) are the same)), and
wherein a verification result for the measured value is transmitted to the data providing device through the interface unit (Jung, [0093], if the first hash value (i.e., measured value) and the second hash value (i.e., expected value) are not the same, transmit a designated message (i.e., verification result) indicating that re-programming is impossible to the diagnostic apparatus 320).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Dottax to include a vehicle interface as taught by Jung because combining the prior art element of a vehicle/communication interface (e.g., receiver/transmitter) according to known methods yields the predictable result of sending and receiving data which is well known in the art (KSR). Furthermore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Dottax to include verifying the measured value on the basis of the expected value received from the data providing device and transmitting a verification result for the measured value to the data providing device as taught by Jung 

As per claim 24, Dottax discloses: a non-transitory computer-readable recording medium storing a computer program causing a computer of a data providing device (Dottax, [0049], computer device third party auditor TP) to execute the following processes of: 
calculating an expected value of applied data which is applied to an in-vehicle computer which is installed in the vehicle (Dottax, [0151]-[0152], determines/calculates a MAC integrity value VALINT* (i.e., expected value) of the 8-bit-byte structure image data (i.e., stored data) using the secret SECINT (i.e., key), [0124], [0132]-[0134] and [0136], wherein the image data is stored in the electronic entity E in advance).
Dottax does not explicitly disclose, however, Jung teaches or suggests: wherein the data providing device includes a vehicle interface configured to transmit and receive data to and from the vehicle (Jung, Fig. 9 and [0123], communication unit 980 (i.e., vehicle interface) receives/transmits data from/to vehicle via diagnostic apparatus), 
transmitting the applied data and the expected value to the vehicle through the vehicle interface (Jung, [0082], [0080], [0077], server 310 transmits first data which comprises encrypted firmware (i.e., applied data) and third data which comprises encrypted hash value of the firmware (i.e., expected value)); and 
receiving a verification result for a measured value of the applied data from the vehicle through the vehicle interface (Jung, [0093], if the first hash value (i.e., measured value) and the second hash value (i.e., expected value) are not the same, transmit a 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Dottax to include a vehicle interface as taught by Jung because combining the prior art element of a vehicle/communication interface (e.g., receiver/transmitter) according to known methods yields the predictable result of sending and receiving data which is well known in the art (KSR). Furthermore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Dottax to include transmitting the applied data and the expected value to the vehicle and receiving a verification result for the measured value from the vehicle as taught by Jung for the benefit of guaranteeing confidentiality and integrity when upgrading firmware of a vehicle’s ECU (Jung, [0012]). 

As per claim 25, Dottax discloses: a non-transitory computer-readable recording medium storing a computer program causing an in-vehicle computer which is installed in a vehicle (Dottax, Fig. 1 and [0044], electronic apparatus A is an embedded electronic system in a motor vehicle) to execute the following processes of: 
calculating a measured value of applied data received from a data providing device through an interface unit that transmits and receives data to and from a device outside of the in-vehicle computer (Dottax, [0143] and [0146], integrity value VALINT (i.e., measured value) is calculated based on 8-bit-byte structure image data (i.e., applied INT by the secure electronic entity E of the electronic apparatus A).
Dottax does not disclose, however, Jung teaches or suggests: verifying the measured value on the basis of an expected value received from the data providing device through the interface unit (Jung, [0090], ECU calculates a first hash value (i.e., measure value) by inputting the acquired original firmware to a designated hash function, [0092], ECU confirms whether or not the first hash value (i.e., measured value) and the second hash value (i.e., expected value) are the same)); and 
transmitting a verification result for the measured value to the data providing device through the interface unit (Jung, [0093], if the first hash value (i.e., measured value) and the second hash value (i.e., expected value) are not the same, transmit a designated message (i.e., verification result) indicating that re-programming is impossible to the diagnostic apparatus 320).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Dottax to include verifying the measured value on the basis of the expected value received from the data providing device and transmitting a verification result for the measured value to the data providing device as taught by Jung for the benefit of guaranteeing confidentiality and integrity when upgrading firmware of a vehicle’s ECU (Jung, [0012]).



Allowable Subject Matter
Claims 5, 6, and 15 would be allowable if the claim objections and 112(b) rejections are obviated.
The following is a statement of reasons for the indication of allowable subject matter:  
The closest art of record Dottax et al (US 20170353315 A1) teaches a secure element designed to receive data from an electronic device and further designed to determine a proof-of-integrity element in accordance with the data received and at least one portion of the stored multiplets, and to transmit the proof-of-integrity element to the electronic device (Dottax, Abstract).
Another art of record, Takemori (Takemori, K., “Automotive Security Using Secure Element”, KDDI, 2015, pgs. 11 and 14-15) teaches a key management system for in-vehicle keys where keys and generated, encrypted and distributed to a plurality of electronic control units (ECUs) in the vehicle to be used for authenticating and verifying communication received within the vehicle network (Takemori, pgs. 11, and 14-15). 
The prior arts mentioned above taken alone or in combination fails to reasonably teach or suggest the combination set forth in independent claim 5, specifically “wherein the in-vehicle computer includes… an cryptographic processing unit configured to decrypt the first encrypted data received from the key generation device through the interface unit with the initial key which is stored in advance in the in-vehicle computer to acquire the first key, decrypt the second encrypted data received from the key generation device through the interface unit with the acquired first key to acquire the second key, and decrypt the fourth encrypted data received from the key generation 
Similar reasoning is applied to independent claim 15. Claim 6 depends from claim 5 and is allowable by virtue of their dependencies.




Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Refer to PTO-892, Notice of References Cited for a listing of analogous art.
Oshida (US 10142311 B2) teaches the use of message authentication codes within a vehicle network for the purpose of preventing spoofing of a message being communicated and to improve the confidentiality and the integrity of communications (Oshida, col. 9 lines 21-24).
Ye (US 20170060559 A1) teaches a vehicle ECU generating a hash value based on a software install after an application of the software update to an inactive storage and sending the hash value to a server to verify the hash value of the software install at the server (Ye, [0044]-[0046]).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALEXANDER R LAPIAN whose telephone number is (571)272-7552.  The examiner can normally be reached on M-F 9:30-6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on 571-272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.



ALEXANDER R. LAPIAN
Examiner
Art Unit 2437



/ALEXANDER R LAPIAN/Examiner, Art Unit 2437     

/KRISTINE L KINCAID/Supervisory Patent Examiner, Art Unit 2437