DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
	Claims 1-20 are pending and herein considered.

Claim Rejections - 35 USC § 101
Claims 1-14 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter. The published specification US 2020/0213287 (e.g. par. 11, 35, 62, 82) describes the key distribution center (KDC) recited by claims 1-14 as software running (implemented) in an autonomous driving controller (ADC) or on a cloud server. Although the claims describe the key distribution center for a vehicle, the claims do not recite the key distribution center resides in the vehicle.  On the contrary, claim 14 recites the key distribution center can reside on a cloud server.  The broadest reasonable interpretation of a server encompasses software per se.  Software per se is not one of the four categories of patent eligible subject matter.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole 

Claims 1-4, 7, 11-13, 15 and 19-20 are rejected under 35 U.S.C. 103) as being unpatentable over Takemori et al. US 2020/0177398 A1 (hereinafter Takemori) in view of Nakagawa US 2018/0183773 A1 (hereinafter Nakagawa).
Regarding claim 1, Takemori substantially discloses:
A security platform for a vehicle, the security platform comprising: a key distribution center for the vehicle, the key distribution center configured to (A platform for a vehicle comprising a public key certificate and/or a key generation/distribution center located external to the vehicle (Takemori: server device 1300; Fig. 12-13; Fig. 9), or internal to the vehicle (Takemori: First ECU 1010; Fig. 14-15; Fig. 9), wherein the first ECU 1010 is also a gateway to the vehicle internal network, which is connected to external network(s) via a (telecommunication unit; Takemori: par. 95) TCU 1050):
verify that a digital certificate associated with a first electronic control unit (ECU) on the vehicle is a valid certificate,  (The hiererchical structure of Fig. 1 (Takemori: par: 44-45), is used to generate a valid public key (identification) certificate for the first ECU 1010 of a vehicle (Takemori: par. 86-92; Fig. 3). The first ECU (Takemory: par. 179-182; Fig. 15) or an external server (Takemori: par. 173-176; Fig. 13) generate and distribute public key (identification) certificates to all remaining (second) ECUs in the vehicle. In addition, a plurality of individual and a single group (common) cryptographic keys are generated for the second ECUs (Takemori: par. 115, 142-143; Fig. 9). Further, the public key certificates are verified for validity at least when used to perform “mutual authentication… between automobiles manufactured by different automobile ;
generate,  (“The initial key generator 33 generates initial keys of the second ECUs 1020. The in-vehicle key generator 34 generates an in-vehicle [common/group] key which is a key used inside the automobile 1001”. Each initial key is an identity based key derived from a master key and a corresponding ECU identifier. The HSM 1012 [of the first ECU] stores the initial key Ki5 of the second ECU 1020 in the storage 1013 in association with the identifier ECU_ID of the second ECU 1020. As a result, the first ECU 1010 shares the initial key Ki5 of the second ECU 1020 with the second ECU 1020”. Hence, the initial keys enable encrypted communications between second ECUs and the first ECU, while the in-vehicle common key enable encrypted communication between any ECUs (Takemori: par. 115, 138, 141-143, 145; Fig. 9)); and
provision the one or more security keys to the first ECU and the set of ECUs (The initial keys are stored in the tamper resistent (hardware security module) HSM of first ECU and (secure hardware extension) SHE of a corresponding second ECU, while the in-vehicle common (group) key is stored in all ECUs (Takemori: par. 106-107, 139-140, 143)).
Takemori does not expressly disclose a (first) security level. However, Nakagawa (par. 26-27) teaches that the “cipher strength [security level] of encrypted communication” for an ECU (and thus for the vehicle network) can be classified as “low”, “medium”, or “high” based at least on “the number of bits in an encryption key or security level of the encrypted communications (and thus of the networked ECUs in a vehicle). One would have done so, at least to determine the size (length) of the generated cryptographic keys. In view of Nakagawa (par. 22-23; and well-known in the art), Takemory is further modified to use the publick keys (in the public key certicates) to encrypt communications at least when shared symmetric keys are not (yet) available. Accordingly, Takemori in view of Nakagawa discloses 
the digital certificate indicating a first security level of the first ECU (The certificate identifies the “in-vehicle CA 300” (first ECU) (Takemori: par. 67), and thus indicates the security level of the first ECU (per. Nakagawa above); and further discloses
generate, based on the first security level of the first ECU, one or more security keys (the size of the generated keys is determined based on the security level, as outlined above). 
The aforementioned covers all the limitations of claim 1.

Regarding claim 15, it corresponds to claim 1, and claim 15 does not disclose beyond the features of claim 1. Therefore, claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Takemori in view of Nakagawa, for the same reasons outlined for the rejection of claim 1.

claim 20, it corresponds in part to claim 1. In addition, Takemori in view of Nakagawa discloses “authenticating, when the vehicle is powered up, the first ECU using a first security key in the one or more security keys” (Takemori: par. 141, 147-149, 153-155; Fig. 9. At power up, performing mutual authentication using a challenge-response protocol and an initial key Ki5)).
Therefore, claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Takemori in view of Nakagawa, for the reasons outline above and for the rejection of claim 1.

Regarding claims 2-4, 7 and 11-13 and 19 the rejection of claims 1 and 15 under 35 U.S.C 103 is incorporated herein. In addition, Takemori in view of Nakagawa discloses:
(2) The key distribution center is configured to generate the one or more security keys based on the first security level of the first ECU by:
determining that the first security level includes a highest security level; and
generating, for each respective ECU in the set of ECUs and having the highest security level, a unique security key for secure communication between the first ECU and the respective ECU, wherein the unique security key is only used for secure communication between the first ECU and the respective ECU (corresponds to an initial key that is stored in the first ECU and the corresponding second ECU of claim 1, where the security level is “high”; and is disclosed as outlined for the rejection of claim 1).
(3) The key distribution center is configured to generate the one or more security keys based on the first security level of the first ECU by:
determining that the first security level includes a highest security level (as outlined for the rejection of claims 1 and 2); and
generating an asymmetric security key pair that includes a public key and a private key, wherein provisioning the one or more security keys to the first ECU includes saving the private key in a full hardware security module that includes a non-volatile memory device and an asymmetric cryptographic engine on the first ECU (The first ECU 1010 includes, inter alia, a (hardware security module) HSM 1012 with storage 1013, and a key generator 37. “The key generator 37 generates a pair of a first ECU public key and a first ECU private key and stores the first ECU private key in the storage 1013” (Takemori: par. 111-112, 115).
(4) The key distribution center is configured to generate the one or more security keys based on the first security level of the first ECU by:
determining that the first security level includes a highest security level (as outlined for the rejection of claims 1 and 2);
selecting, from the set of ECUs, a subset of ECUs that has the highest security level (In one scenario, all ECUs in the subset of ECUs have the highest security level); and determining a group key for secure communication between the first ECU and any ECU in the subset ofECUs and between any two ECUs in the subset ofECUs (The common (group) cryptographic key outlined for the rejection of claim 1).
(7 and 19) The security platform of claim 1, wherein the key distribution center is configured to generate the one or more security keys based on the first security level of the first ECU by:
determining that the first security level includes a lowest security level (as outlined for the rejection of claims 1 and 2, where the first security level is “low”); and determining a unique security key for secure communication between the first ECU and any ECU in the set of ECUs (The common (group) cryptographic key outlined for the rejection of claim 1).
(11) The key distribution center is further configured to communicate with a cloud server to authenticate the key distribution center (The first ECU (local CA and key distribution center) communicates with the original manufacturer CA (OMCA) to authenticate the private/public key pair of the key distribution center (Takemori: par.86-94; Fig. 3).
(12) The key distribution center is further configured to maintain a security key configuration file, the security key configuration file comprising:
a list of ECUs on the vehicle; and for each respective ECU in the list of ECUs, one or more security keys for secure communication between the respective ECU and other ECUs in the list ofECUs (The first ECU, which is also a gateway and a local key distribution center, stores all device specific “initial keys” and an “in-vehicle common [group] key” in secure storage (as outlined for the rejection of claim 1). The initial keys are stored in association with corresponding ECU identifiers (ECU_ID). Thus, the stored initial keys include a list of ECUs in the vehicle and a list of initial keys used for encrypting one to one communications).
(13) Wherein the security key configuration file further comprises: one or more groups of ECU s; and for each respective group of ECUs in the one or more groups of ECU s, a group key for secure communication between any two ECUs in the respective group (the common (group) key outlined for the rejection of claim 1).

Claims 5-6, 8 and 17-18 are rejected under 35 U.S.C. 103) as being unpatentable over Takemori in view of Nakagawa and further in view of Ichihara US 2016/0173505 A1 (hereinafter Ichihara).
Regarding claims 5-6, 8 and 17-18, the rejection of claims 1 and 15 under 35 U.S.C 103 is incorporated herein. In addition, Takemori in view of Nakagawa discloses:
(5 and 6) The key distribution center is configured to generate the one or more security keys based on the first security level of the first ECU by:
determining that the first security level includes a medium security level (as outlined for the rejection of claims 1 and 2, where the first security level is “medium”);
Takemori as modified by Nakagawa does not expressly disclose selecting a subset of ECUs that has the medium security level in the context of a second ECU in the set of ECUs that has a security level higher than the medium security level as recited by claim 6. However, Ichihara (par. 42, 44, 51, 70) teaches grouping ECUs that have the same security level and enforcing groups separation by using a different (common) group key for each group and using the group key at a transmitter “for assigning a message authentication code (MAC) to the data frame to be transmitted. The reception-side process is a process for verifying the message authentication code assigned to the received data frame”. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Takemori modified and Ichihara to at least implement grouping ECUs based on the security level 
selecting, from the set of ECUs, a subset of ECUs that has the medium security level (grouping ECUs by security level in view of Ichihara above); and determining a group key for secure communication between the first ECU and any ECU in the subset of ECUs and between any two ECUs in the subset ofECUs (The common (group) cryptographic key (outlined for the rejection of claim 1) for the medium security level group),
wherein the group key is further used for secure communication between the first ECU and a second ECU in the set of ECUs that has a security level higher than the medium security level (Ichihara: par. 42, 57-60; Fig. 5; where the ECU 14 is assigned to a group with a security level above the medium security level and can communicate with the medium security level group because it has the key (K2) for the medium security level group in addition to the key (K1) for the higher security level. Hence, K1 is not required or used to communicate with the medium security level group).
(8 and 17) Takemori as modified by Nakagawa does not expressly disclose the message authentication code as claimed. However, Ichihara discloses
generating, by the first ECU, a message authentication code based on a first security key for communication between the first ECU and a second ECU in the set of ECUs; sending, by the first ECU, the message authentication code and a command to the second ECU (Ichihara: On the transmitting side, “Each of the ECUs 11 to 15 uses a predetermined encryption key to generate a transmitter code from the communication information. Each of the ECUs 11 to 15 assigns the transmitter code to the communication information (message), and transmits, to the on-vehicle network 20, the data frame including the identifier, the communication information, and the transmitter code” (par. 45; Fig. 1, 2(a)). The “communication information [is] to be used by the ECU for controlling the corresponding on-vehicle device” (par. 41));
verifying, by the second ECU and using the first security key, the message authentication code; and executing, by the second ECU, the command after verifying the message authentication code (Ichihara: On the receiving side, “Each of the ECUs 11 to 15 uses a predetermined encryption key to generate a receiver code from the communication information extracted from the data area. Each of the ECUs 11 to 15 compares the transmitter code assigned to the received data frame, with the receiver code generated by the ECU itself. When the transmitter code and the receiver code match each other, each of the ECUs 11 to 15 determines that "the authentication has succeeded"” (par. 46, Fig. 1, 2(b)), and the received “controlling” data (par. 41) is processed). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Takemori modified and Ichihara to at least implement the message authentication by using message authentication codes. One would have done so at least because “In the on-vehicle communication system 10, message authentication is performed in order to improve security for the on-vehicle network 20” (Ichihara: par. 42). Accordingly, Takimori in view of Nakagawa and Ichihara discloses the features of claims 8 and 17.
(18) Claim 18 corresponds in part to claims 5-6, and all the features of claim 18, including the feature “wherein the group key… is not used for secure communication between the first ECU and a third ECU in the set of ECUs that has a security level lower than the first security level” are disclosed as outlined for the rejection of claims 5-6.

Claims 9-10 and 16 are rejected under 35 U.S.C. 103) as being unpatentable over Takemori in view of Nakagawa and further in view of Buffard et al. US 2019/0238555 A1 (hereinafter Buffard).
Regarding claims 9-10 and 16, the rejection of claims 1 and 15 under 35 U.S.C 103 is incorporated herein. In addition, Takemori in  view of Nakagawa discloses:
(9 and 16) The key distribution center is further configured to, at a time when the vehicle is powered up (At power up, “the server device 1300 performs mutual authentication with the first ECU 1010 using an initial key (="digest (Master_Secret, ECU_ID)") generated from the ECU_ID of the first ECU 1010 and the master key (Master_Secret)” (Takemori: par. 141, 175; Fig. 13). The mutual authentication details are disclosed with respect to Fig. 9. In fig.9, the first ECU 1010 and the second ECU1020 corespond to the server 1300 and the first ECU 1010 of Fig. 13, respectively):
send, to the first ECU, an authentication request message that is encrypted or authenticated with a first security key in the one or more security keys (Takemori: par. 153-154; Fig. 9 step S912);
determine that: an authentication response message is not sent by the first ECU to the key distribution center; or the authentication response message sent by the first ECU to the key distribution center is not encrypted or authenticated with the first security key (Takemori: par. 148-149, 151-152; Fig. 9. “if the verification of the response value Ki5(Rm) fails, the process of FIG. 9 ends. If the verification of the response value Ki5(Rm) fails, predetermined error processing may be performed”).
Takemori as modified by Nakagawa does not expressly disclose “report, to a cloud server…” However, Buffard (par. 38, 83-84) discloses that “When an ECU determines that another ECU has been compromised (e.g., because of lack of keys [which may be because the ECU has been replaced]), the ECU can report such information to the main ECU 116” and “the main ECU 116 may provide a report of the compromised ECU to the backend server 112”. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Takemori modified and  Buffard to at least report replaced or otherwise compromised ECUs to a “backend” server. One would have done so to increase the security and safety of a vehicle by providing to the server information to be used for remediation and/or countermeasures. Accordingly, Takemori in view of Nakagawa and Buffard discloses report, to a cloud server, that the first ECU has been changed.
(10) Claim 10 corresponds to claim 9, where the encryption is performed with the device specific private keys of the distribution center and the first ECU, which is an obvious alternative to using device specific symmetric keys. One would have used the private keys to increase the security of the authentication (e.g. private keys do not require sharing and are not shared, while symmetric keys must be shared). Accordingly, claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Takemori in view of Nakagawa and Buffard, for the reasons outline above and for the rejection of claim 9. 

Claim 14 is rejected under 35 U.S.C. 103) as being unpatentable over Takemori in view of Nakagawa and further in view of Kojo et al. US 2020/0249682 A1 (hereinafter Kojo).
Regarding claim 14, the rejection of claim 1 under 35 U.S.C 103 is incorporated herein. In addition, Takemori in  view of Nakagawa does not expressly disclose the features of claim 15. However, Kojo discloses an autonomous driving controller 30 in an autonomous vehicle implemented in an ECU 90 (corresponding to the local key distribution center of Takemori modified), where the autonomous driving controller is in communication and cooperates with a server to perform autonomous driving (Kojo: par. 16-17, 23-25, 74-75; Fig. 1, 7). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Takemori modified and  Kojo to implement the security measures taught by takemori modified to autonomous driving vehicles. One would have done so to improve the security of autonomous vehicles which cooperate with remote servers and are thus exposed to potential attacks. Accordingly, Takemori in view of Nakagawa and Kojo discloses:
The security platform of claim 1, wherein: the vehicle includes an autonomous vehicle; and the key distribution center is in an autonomous driving controller of the vehicle or is on a cloud server (As outlined above).
	
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
Walrant US 2018/0167393 A1

Forest US 2013/0111582 A1

Communications Inquiry
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ADRIAN STOICA whose telephone number is (571)270-1955.  The examiner can normally be reached on Monday-Friday 9:30-6:00 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on 571-272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access 






/ADRIAN STOICA/Examiner, Art Unit 2494                                                                                                                                                                                                        
/JUNG W KIM/Supervisory Patent Examiner, Art Unit 2494