DETAILED ACTION

Response to Arguments
Applicant's arguments (“REMARKS”) filed on July 28, 2021 have been fully considered but they are partly persuasive.
Claims 1-20 are currently pending. Claims 1, 9, 10, 14, and 20 were amended.

Re: Claim Rejections – 35 USC § 101
The rejection of claims 1-14 under 35 U.S.C. § 101 as being directed to non-statutory subject matter has been withdrawn in view of the amendments to claim 1.

Re: Claim Rejections – 35 USC § 103
The Applicant presents the following arguments in the REMARKS:
A. No teaching of generating keys based on ECU security level. The disclosed cipher strength in Nakagawa is described for external communications, not the security of ECU. See pp. 10-11 of the REMARKS.
B. No teaching of providing ECU security level in certificate. There is no motivation to combine Nakagawa with Takemori. See pg. 11 of the REMARKS.
C. Regarding claims 4-6, there is no suggestion that multiple ECUs have the same security level and no suggestion of using the same key for multiple ECUs of the same security level. Nakagawa is directed to using “unique” keys for the ECUs. See pp. 11 & 13.
D. Regarding claims 9-10, the authentication process of the ECUs occurs each time the vehicle is powered up. Takemori is directed to a process when the power is turned on for the first time; see [0141]. See pg. 14 of the REMARKS.
E. Regarding claim 14, the claim has been amended with subject matter disclosed in [0050] of the specifications. See pg. 14 of the REMARKS.

In response to argument A: The Examiner respectfully disagrees with the arguments presented in A. The scope and role of the “security level” is not clearly recited in claim 1. Claim 1 merely states that an ECU has a “security level” associated with it, and one or more security keys are generated “based on” the “security level”. Due to the lack of features that further define a meaningful role to the “security level”, any prior arts that teach generally labeling a device or a component with some form of security categorization would read upon the “security level” limitations of claim 1, regardless of how that label is used in the prior arts.
Nakagawa discloses assigning “security level[s]” to ECUs in the form of cipher strengths as low, medium, and high. See [0026] and Figs. 3A-3B of Nakagawa. It is also noted that the rejection to the features of claim 1 relied on both Takemori and Nakagawa. As each ECU is assigned a cipher strength in Nakagawa, then the public certificates in Takemori identify (“indicating”) the ECUs and their cipher strengths – each ECU stores a public key certificate; see [0115] & [0118] of Takemori. As understood by a person having ordinary skill in the art, the inherent property of public key certificates is providing verifiable identification of the assigned entity in each certificate.
based on” some undefined role and manner with the “first security level of the first ECU”. The extent of the involvement of an ECU’s security level in generating the key is not fully described in the claim. Under broadest reasonable interpretation, the scope of the “first security level” may simply just be generating a key for a specific ECU, which has a particular security level assigned to it. Takemori discloses generating keys for a specific ECU (a second ECU) using a master key and the corresponding ECU identifier (see [0141]-[0143] of Takemori). As stated in Nakagawa, e.g. Figs. 3A-3B, each ECU is associated with a cipher strength. Since each ECU has a cipher strength to it, identifying which ECU to generate the key for would read upon the claimed limitations. Furthermore, the cipher strength would have indicated how a key is generated (e.g. number of bits and algorithm – see [0026] of Nakagawa).
This response is also applicable to arguments for claim 15, which is a method claim of the security platform of claim 1.

In response to argument B: The Examiner respectfully disagrees with the arguments presented in B. In response to Applicant’s argument that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art. See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007). In this case, the motivation to combine Takemori and Nakagawa would be to enable variable key generation for encrypted communications based on security levels of the entities. This would have enabled the distribution of more or less processing powers based on how secure the entities were.

In response to argument C: The Examiner agrees with the arguments presented in C. Therefore, the prior art rejection has been withdrawn to claims 4-6. After further consideration of the current prior arts and an updated search, claims 4-6 are objected as being allowable.

In response to argument D: The Examiner agrees with the arguments presented in D. Therefore, the prior art rejection has been withdrawn to claims 9 and 10. After further consideration of the current prior arts and an updated search, claims 9 and 10 are objected as being allowable.

In response to argument E: The arguments to claim 14 are now moot in view of a new ground of rejection. See Claim Rejections - 35 USC § 103 below for details.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 7/28/2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Objections
Claim 14 is objected to because of the following informalities:
The full version of a term should be recited prior to using its abbreviated form. Claim 14 should be amended as: “…a primary boot loader stored in an on-chip read-only memory (ROM), where the ROM code…”
Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 14 and 20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
wherein” clause. It is under the assumption that the usage of the term “wherein” would indicate further defining features previously recited from parent claim 1. However, claim 1 is silent on a “performing a secure boot upon power up” step. Therefore, claim 14 is further defining a non-existent step from claim 1.
Independent claim 20 recites: “…using a first security key in the one or more security keys…” There is a lack of sufficient antecedent basis to “the one or more security keys”. Furthermore, claim 20 recites “a first security key” and “a security key”. These terms appear to be directed to a single key in the context of the specifications, but it is unclear if the Applicant intended them to be the same key or distinct keys in the claim.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 7, 11-13, 15 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Takemori et al. US 2020/0177398 A1 (hereinafter “Takemori”) in view of Nakagawa US 2018/0183773 A1 (hereinafter “Nakagawa”).
Regarding claim 1: Takemori substantially discloses:
A security platform for a vehicle, the security platform comprising: a key distribution center for the vehicle, the key distribution center being mounted in a processing device in the vehicle and configured to (A platform for a vehicle comprising a public key certificate and/or a key generation/distribution center located external to the vehicle (Takemori: server device 1300; Fig. 12-13; Fig. 9), or internal to the vehicle (Takemori: First ECU 1010; Fig. 14-15; Fig. 9), wherein the first ECU 1010 is also a gateway to the vehicle internal network, which is connected to external network(s) via a (telecommunication unit; Takemori: par. 95) TCU 1050):
verify that a digital certificate associated with a first electronic control unit (ECU) on the vehicle is a valid certificate, (The hierarchical structure of Fig. 1 (Takemori: par. 44-45) is used to generate a valid public key (identification) certificate for the first ECU 1010 of a vehicle (Takemori: par. 86-92; Fig. 3). The first ECU (Takemori: par. 179-182; Fig. 15) or an external server (Takemori: par. 173-176; Fig. 13) generates and distributes public key (identification) certificates to all remaining (second) ECUs in the vehicle. In addition, a plurality of individual and a single group (common) cryptographic keys are generated for the second ECUs (Takemori: par. 115, 142-143; Fig. 9). Further, the public key certificates are verified for validity at least when used to perform “mutual authentication… between automobiles manufactured by different automobile manufacturers, between ECUs and applications provided in each automobile, and between them and devices outside the automobiles” (Takemori: par. 49));
generate,  (“The initial key generator 33 generates initial keys of the second ECUs 1020. The in-vehicle key generator 34 generates an in-vehicle [common/group] key which is a key used inside the automobile 1001”. Each initial key is an identity based key derived from a master key and a corresponding ; and
provision the one or more security keys to the first ECU and the set of ECUs (The initial keys are stored in the tamper resistant (hardware security module) HSM of first ECU and (secure hardware extension) SHE of a corresponding second ECU, while the in-vehicle common (group) key is stored in all ECUs (Takemori: par. 106-107, 139-140, 143)).
Takemori does not expressly disclose a (first) “security level”. However, Nakagawa (par. 26-27) teaches that the “cipher strength (e.g. “security level”) of encrypted communication” for an ECU (and thus for the vehicle network) can be classified as “low”, “medium”, or “high” based at least on “the number of bits in an encryption key or an encryption algorithm”. 
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Takemori and Nakagawa to at least determine the security level of the encrypted communications (and thus of the networked ECUs in a vehicle). One would have done so, at least to determine the size (length) of the generated cryptographic keys. In view of Nakagawa (par. 22-23; and well-known in the art), Takemori is further modified to use the public keys (in the public key certificates) to encrypt communications at least when shared symmetric keys are not (yet) available. Accordingly, Takemori in view of Nakagawa discloses 
the digital certificate indicating a first security level of the first ECU (The certificate identifies the “in-vehicle CA 300” (first ECU) (Takemori: par. 67), and thus indicates the security level of the first ECU (per Nakagawa above)); and further discloses
generate, based on the first security level of the first ECU, one or more security keys (the size of the generated keys is determined based on the security level, as outlined above). 
The aforementioned covers all the limitations of claim 1.

Regarding claim 15: Claim 15 corresponds to claim 1, and claim 15 does not disclose beyond the features of claim 1. Therefore, claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Takemori in view of Nakagawa, for the same reasons outlined for the rejection of claim 1.

Regarding claims 2, 3, 7, 11-13 and 19, the rejection of claims 1 and 15 under 35 U.S.C. 103 is incorporated herein. In addition, Takemori in view of Nakagawa discloses:
Regarding claim 2: The key distribution center is configured to generate the one or more security keys based on the first security level of the first ECU by:
determining that the first security level includes a highest security level; and
generating, for each respective ECU in the set of ECUs and having the highest security level, a unique security key for secure communication between the first ECU and the respective ECU, wherein the unique security key is only used for secure communication between the first ECU and the respective ECU (corresponds to an initial key that is stored in the first ECU and the corresponding second ECU of claim 1, where the security level of both ECU .

Regarding claim 3: The key distribution center is configured to generate the one or more security keys based on the first security level of the first ECU by:
determining that the first security level includes a highest security level (as outlined for the rejection of claims 1 and 2); and
generating an asymmetric security key pair that includes a public key and a private key, wherein provisioning the one or more security keys to the first ECU includes saving the private key in a full hardware security module that includes a non-volatile memory device and an asymmetric cryptographic engine on the first ECU (The first ECU 1010 includes, inter alia, a (hardware security module) HSM 1012 with storage 1013, and a key generator 37. “The key generator 37 generates a pair of a first ECU public key and a first ECU private key and stores the first ECU private key in the storage 1013” (Takemori: par. 111-112, 115)).

Regarding claims 7 and 19: The security platform of claim 1, wherein the key distribution center is configured to generate the one or more security keys based on the first security level of the first ECU by:
determining that the first security level includes a lowest security level (as outlined for the rejection of claims 1 and 2, where the first security level (cipher strength) can be “low”); and determining a unique security key for secure communication between the first ECU and any ECU in the set of ECUs (The common (group) cryptographic key outlined for the rejection of claim 1).

Regarding claim 11: The key distribution center is further configured to communicate with a cloud server to authenticate the key distribution center (The first ECU (local CA and key distribution center) communicates with the original manufacturer CA (OMCA) to authenticate the private/public key pair of the key distribution center (Takemori: par. 86-94; Fig. 3)).

Regarding claim 12: The key distribution center is further configured to maintain a security key configuration file, the security key configuration file comprising:
a list of ECUs on the vehicle; and for each respective ECU in the list of ECUs, one or more security keys for secure communication between the respective ECU and other ECUs in the list of ECUs (The first ECU, which is also a gateway and a local key distribution center, stores all device specific “initial keys” and an “in-vehicle common [group] key” in secure storage (as outlined for the rejection of claim 1). The initial keys are stored in association with corresponding ECU identifiers (ECU_ID). Thus, the stored initial keys include a list of ECUs in the vehicle and a list of initial keys used for encrypting one to one communications).

Regarding claim 13: Wherein the security key configuration file further comprises: one or more groups of ECUs; and for each respective group of ECUs in the one or more groups of ECUs, a group key for secure communication between any two ECUs in the respective group (there may be one group and a group may be all the ECUs (no limiting features to what a group .

Claims 8 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Takemori in view of Nakagawa and further in view of Ichihara, US 2016/0173505 A1 (hereinafter “Ichihara”).
Regarding claims 8 and 17, the rejection of claims 1 and 15 under 35 U.S.C. 103 is incorporated herein. In addition, Takemori in view of Nakagawa discloses:
Regarding claims 8 and 17: Takemori as modified by Nakagawa does not expressly disclose the message authentication code as claimed. However, Ichihara discloses
generating, by the first ECU, a message authentication code based on a first security key for communication between the first ECU and a second ECU in the set of ECUs; sending, by the first ECU, the message authentication code and a command to the second ECU (Ichihara: On the transmitting side, “Each of the ECUs 11 to 15 uses a predetermined encryption key to generate a transmitter code from the communication information. Each of the ECUs 11 to 15 assigns the transmitter code to the communication information (message), and transmits, to the on-vehicle network 20, the data frame including the identifier, the communication information, and the transmitter code” (par. 45; Fig. 1, 2(a)). The “communication information [is] to be used by the ECU for controlling the corresponding on-vehicle device” (par. 41));
verifying, by the second ECU and using the first security key, the message authentication code; and executing, by the second ECU, the command after verifying the message authentication code (Ichihara: On the receiving side, “Each of the ECUs 11 to 15 uses  determines that "the authentication has succeeded"” (par. 46, Fig. 1, 2(b)), and the received “controlling” data (par. 41) is processed). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Takemori modified and Ichihara to at least implement the message authentication by using message authentication codes. One would have done so at least because “In the on-vehicle communication system 10, message authentication is performed in order to improve security for the on-vehicle network 20” (Ichihara: par. 42). Accordingly, Takemori in view of Nakagawa and Ichihara discloses the features of claims 8 and 17.

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Takemori in view of Nakagawa and further in view of Ho et al. US 2019/0042757 A1 (hereinafter “Ho”).
Regarding claim 14: The rejection of claim 1 under 35 U.S.C. 103 is incorporated herein. In addition, Takemori in view of Nakagawa does not expressly disclose the features of claim 15. However, Ho discloses entering a power on state and accessing boot code in a non-volatile memory device (Ho: par. 50). The memory device can be read-only memory (where code is not modifiable) and the boot code is authenticated (Ho: par. 42-43, 56). Any computer device may carry out the booting process in Ho, such as an autonomous driving vehicle (Ho: par. 27).

The security platform of claim 1, wherein: the vehicle includes an autonomous vehicle; and performing a secure boot upon power up, wherein the secure boot verifies all layers of codes and utilizes a primary boot loader stored in an on-chip ROM, where the ROM code may not be modifiable (As outlined above).
	
Allowable Subject Matter
Claims 4-6, 9, 10, 16, and 18 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Claim 20 would be allowable if rewritten or amended to overcome the rejection under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), 2nd paragraph, set forth in this Office action.
These claims present subject matter that is not taught in the prior art of record. See also the arguments in the REMARKS regarding these claims. See also additional prior art cited in the following section.

Conclusion

US 2019/0028281: Discloses issuing a digital certificate onto a hardware security module (HSM) to establish a first level of identity trust to said module. The certificate format contains device specific characteristics, including a field that identifies a level of assurance.
US 2019/0372944: Discloses secure booting of an ECU in a vehicle communication network.
Henniger O, Ruddle A, Seudié H, Weyl B, Wolf M, Wollinger T. Securing vehicular on-board IT systems: The EVITA project. In VDI/VW Automotive Security Conference, Oct 2009 (p. 41). (Discloses the EVITA project, which defines security requirements for automotive on-board IT systems. This includes defining three different classes of HSMs.)
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ROBERT B LEUNG whose telephone number is (571)270-1453.  The examiner can normally be reached on Mon - Thurs: 10am-7pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG KIM can be reached on 571-272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ROBERT B LEUNG/
Primary Examiner, Art Unit 2494
9-15-2021