This application claims priority to Chinese patent application No. 200810175958.9, filed with the Patent Office of the People's Republic of China on November 3, 2008 and entitled "Identity authentication method, trusted environment unit and home base station", the entire content of which is incorporated herein by reference.
Embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. The described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on these embodiments without creative effort fall within the scope of protection of the present invention.
To make the purpose, technical solutions and advantages of the embodiments clearer: the network in the following embodiments may be a Global System for Mobile Communications (GSM) network, a Code Division Multiple Access (CDMA) network, a Wideband CDMA (WCDMA) network, a Worldwide Interoperability for Microwave Access (WiMAX) network, a Time Division-Synchronous CDMA (TD-SCDMA) network, a Long Term Evolution (LTE) network, or the like. The radio access device may be a home base station, a pico cell base station (Pico), a Universal Mobile Telecommunications System access point (UMTS AP), a WiMAX femto base station, a WiMAX macro base station, or the like. The user equipment in the following embodiments may be a portable terminal such as a mobile phone, a notebook computer or a personal digital assistant (PDA).
The home base station (HNB) is on the one hand user equipment deployed in the user's home, and on the other hand operator equipment that, like a macro base station, provides access to users. This dual role makes the operator's security requirements for the HNB very high. Therefore, after the home base station powers up and establishes a physical connection with the operator, the operator needs to perform the relevant authentication on the HNB. In the prior art, non-identity authentication of the HNB is based on a non-trusted environment whose secure storage capability is low; the functions of the trusted environment (TrE) are not fully used, which to some extent reduces the application space of the TrE. Moreover, the TrE has its own independent identity information, and this identity information can be associated with the HNB and the HPM. Once the HNB has a TrE loaded, the network side's authentication of the HNB involves identity authentication of the TrE and authentication of the association between the TrE and the HNB. The embodiments of the present invention describe how the network side authenticates an HNB equipped with a TrE, and how HNB-related authentication is localized based on the TrE's higher secure storage capability.
First embodiment
Fig. 1 is a flowchart of a first embodiment of the authentication method based on the trusted environment of a home base station according to the present invention. As shown in Fig. 1, this embodiment describes the authentication procedure when the HNB starts up for the first time, and includes the following steps:
Step 11: Perform device identity authentication on the HNB.
The network side first needs to authenticate the identity of the HNB device itself. Identity authentication of the HNB is mainly based on an identity credential, which takes one of two forms: a certificate, or an Authentication and Key Agreement (AKA) credential. The authentication is mainly an exchange between the security gateway and the Authentication, Authorization and Accounting (AAA) server on the network side and the HNB.
Step 12: Perform identity authentication on the TrE installed on the HNB.
The TrE can likewise be authenticated using certificates. The authentication is mainly an exchange between the security gateway and the AAA server on the network side and the TrE on the HNB.
Step 13: Authenticate the identity binding relationship between the HNB and the TrE.
Authentication of the binding relationship is performed mainly by the AAA server: it looks up its previously stored binding relationship using the TrE identity, and compares the result with the HNB identity sent by the HNB, thereby verifying the binding relationship.
Step 14: Perform non-identity authentication on the HNB. The non-identity authentication performed on the HNB may include: identity authentication of the HPM on the HNB, location authentication of the HNB, and identity authentication of the user equipment (UE).
Step 15: Obtain the non-identity authentication data of the HNB and store it in the TrE. Corresponding to the above types of non-identity authentication, the non-identity authentication data may include: HPM authentication data, HNB location authentication data and UE authentication data.
After the non-identity authentication succeeds, part of the authentication data maintained by the network side (mainly the data relating to non-identity authentication) is downloaded into the HNB's local TrE. When the HNB restarts or re-authenticates, the non-identity authentication can then be performed in the HNB's local TrE. This makes full use of the TrE, and the restart or re-authentication no longer needs the core network to take part, which reduces the load on the network side.
Second embodiment
Fig. 2 is a signaling flowchart of a second embodiment of the authentication method based on the trusted environment of a home base station according to the present invention. As shown in Fig. 2, this embodiment describes in detail the authentication procedure when the HNB starts up for the first time, and includes the following steps:
Step 101: The HNB and the security gateway (Secure Gateway, SGW) establish an IKE_SA_INIT (IKE authentication initialization) connection.
Step 102: The HNB sends an IKE_AUTH_REQ (IKE authentication request) to the SGW, carrying the identities of the HNB and the TrE. Note that the identity credential of the HNB takes one of two forms: a certificate, or an AKA credential. This embodiment describes the AKA credential case. If the certificate-based authentication mechanism is used, a certificate verification procedure is needed between the HNB and the SGW.
Step 103: The SGW verifies the identity of the TrE. The TrE is authenticated using certificates.
Step 104: The SGW sends an Authentication Request/Identity request (authentication request) to the AAA server, carrying the identities of the HNB and the TrE.
Step 105: The AAA server performs identity authentication of the HNB. The procedure may be similar to the following: the AAA server initiates an AKA (Authentication and Key Agreement) authentication challenge request, obtains an authentication vector (AV), runs the AKA algorithm, and receives the HNB's authentication challenge response, thereby achieving mutual authentication between the HNB and the network side.
Step 106: The AAA server authenticates the binding relationship between the HNB and the TrE. The procedure may be similar to the following: the AAA server obtains the binding relationship between the HNB and the TrE from the relevant database network element (such as a Home Location Register, HLR); it looks up the previously stored binding relationship using the TrE identity sent by the HNB, and compares it with the received HNB identity, thereby verifying the binding relationship.
Step 107: The AAA server sends a TrE authentication success and binding relationship authentication success response (Authentication Response/success) to the SGW.
Step 108: The SGW notifies the HNB of the authentication success through an IKE_AUTH_RES (IKE authentication response) message.
Step 109: After receiving the authentication success message, the HNB triggers platform integrity authentication of the HNB.
Step 110: Platform integrity authentication of the HNB is carried out between the HNB and an integrity authentication server. Integrity authentication requires the network side to store reference measurements of HNB integrity. These may be stored on an existing network element by adding a storage function to it, for example the HLR, or on a newly added network element. Once integrity authentication is complete, the corresponding secure channel can be established between the HNB and the SGW.
Step 111: The HNB and the network side carry out the subsequent non-identity authentication, such as location authentication of the HNB, identity authentication of the HPM and identity authentication of the UE. The AAA server also needs to obtain from the authentication database the data used for non-identity authentication.
Step 112: After the non-identity authentication succeeds, part of the authentication data maintained by the AAA server (mainly the data used for non-identity authentication) is downloaded into the HNB's local TrE. In this way, when the HNB restarts or re-authenticates, the authentication is performed in the HNB's local TrE.
Note that in this and the following embodiments, the network-side authentication of the HNB is described using network elements such as the AAA server and the SGW, but the authentication of the HNB in the embodiments of the invention is not limited to those network elements; those skilled in the art will appreciate that other, similar network elements can carry out the corresponding authentication.
In this embodiment, after the HNB starts up for the first time, it interacts with the SGW and the AAA server on the network side to complete identity authentication of the HNB device, TrE authentication, authentication of the binding relationship between the two, and platform integrity authentication. The non-identity authentication is then performed and, once it succeeds, part of the authentication data maintained by the network side (mainly the data relating to non-identity authentication) is downloaded into the HNB's local TrE. When the HNB restarts or re-authenticates, the non-identity authentication can be performed in the HNB's local TrE. This makes full use of the TrE, and the restart or re-authentication no longer requires interaction with network-side servers such as the SGW and the AAA server, which reduces the load on the network side.
Third embodiment
Fig. 3 is a signaling flowchart of a third embodiment of the authentication method based on the trusted environment of a home base station according to the present invention. As shown in Fig. 3, this embodiment focuses on the network side's identity authentication of the HPM when the HNB starts up for the first time, and elaborates on steps 111 to 112 of the second embodiment.
HPM authentication refers to the Mobile Network Operator's authentication of the user of the HNB. There are usually two scenarios:
Scenario A: the HPM is bound to the HNB device
In this scenario, completing HNB device authentication also completes HPM authentication; no extra authentication step is needed. EAP-AKA (Extensible Authentication Protocol - Authentication and Key Agreement) and certificate authentication can serve as the HPM authentication. This scheme suits scenarios in which the HPM does not change.
Scenario B: the HPM and the HNB device are authenticated separately. There are currently two solutions for this scenario:
B1: certificate-based HNB device authentication and EAP-AKA-based HPM authentication
In this scheme, the HNB and the SGW first authenticate the device using their respective certificates, and EAP-AKA authentication of the HPM is performed afterwards.
B2: binding of the HPM ID and the HNB device ID
The HNB is a device in which the HPM is embedded. Each device has an EI (equipment identity number) that represents its identity. The HNB-EI is set in the HNB by the manufacturer at the factory. The HLR on the network side can store the HNB-EI record corresponding to each HPM-ID; this record represents the binding relationship between the HNB-EI and the HPM-ID. The AAA server can authenticate the binding relationship based on this record.
This embodiment is based on the scenario in which HPM authentication and HNB device authentication are separate, so the binding relationship between the HPM and the HNB device need not be authenticated. In this embodiment, identity authentication of the HPM includes the following steps:
Step 1110: The TrE obtains the identity of the HPM of the HNB. This can be done through the interface between the HNB and the TrE.
Step 1111: The HNB sends an IKE_AUTH_REQ (IKE authentication request) to the SGW, carrying the identities of the HPM and the TrE.
Step 1112: The SGW sends an Authentication Request/Identity request (authentication request) to the AAA server, carrying the identities of the HPM and the TrE.
Step 1113: The AAA server obtains multiple authentication vectors (AVs) from the HLR.
Step 1114: The AAA server sends an EAP Request/AKA (SIM) challenge request (EAP request/AKA challenge) to the SGW.
Step 1115: The SGW sends the EAP Request/AKA (SIM) challenge request to the HNB in an IKE_AUTH_RES (IKE authentication response) message.
Step 1116: The HNB returns an EAP Response/AKA (SIM) challenge (EAP response/AKA challenge) to the SGW in an IKE_AUTH_REQ (IKE authentication request) message.
Step 1117: The SGW returns the EAP Response/AKA (SIM) challenge to the AAA server.
In steps 1114 to 1117, the EAP-AKA authentication procedure is carried out between the AAA server and the HNB, thereby completing identity authentication of the HPM.
Step 1118: The AAA server verifies the binding relationship between the HPM and the TrE. Using the identity of the HPM, the AAA server looks up the previously stored binding relationship and verifies the identity of the TrE against it.
Step 1119: The AAA server sends Authentication Response/EAP-AKA (SIM) success (HPM authentication success and binding relationship authentication success response) to the SGW.
Step 1120: The SGW sends the HPM authentication success and binding relationship authentication success response to the HNB in an IKE_AUTH_RES message.
Step 1121: The HNB sends an HNB Boot request (initial start-up request) to the AHR (AP home registration server).
Step 1122: The AHR requests the authentication vectors of the HPM from the AAA server with a retrieving authentication data (obtain authentication data) message. Several authentication vectors may be requested, to ensure that each local authentication is fresh.
Step 1123: The AAA server responds to the request and returns to the AHR the unused AVs it stores (an authentication vector includes the parameters XRES (expected response), RAND (random number) and AUTN (authentication token)).
Step 1124: The AHR sends an initial start-up response (Boot response) to the HNB, carrying the authentication data of the HPM.
Step 1125: The TrE securely stores the authentication data of the HPM, thereby localizing the authentication data.
In this embodiment, after the HNB starts up for the first time, identity authentication of the HPM (part of the non-identity authentication) is completed through interaction with the SGW and the AAA server on the network side, and after authentication succeeds the HPM authentication data maintained by the network side is downloaded into the HNB's local TrE. When the HNB restarts or re-authenticates, identity authentication of the HPM can be performed in the HNB's local TrE without further interaction with network-side servers such as the SGW and the AAA server. This makes full use of the TrE and reduces the load on the network side.
Fourth embodiment
Fig. 4 is a signaling flowchart of a fourth embodiment of the authentication method based on the trusted environment of a home base station according to the present invention. As shown in Fig. 4, this embodiment focuses on the network side's location authentication of the HNB when the HNB starts up for the first time. It likewise elaborates on steps 111 to 112 of the second embodiment, and includes the following steps:
Step 2110: The HNB sends an initial start-up request (Boot request) to the AHR, carrying the current location information of the HNB.
Step 2111: The AHR performs location authentication.
Step 2112: The AHR sends an initial start-up response (Boot response) to the HNB, carrying the encrypted location information that has passed authentication.
Step 2113: After receiving this location information, the HNB sends it to the TrE.
Step 2114: The TrE verifies the source of the information. If verification passes, it uses this location information as the reference value for the location of the current user (corresponding to the current HPM) and stores it securely.
In this embodiment, after the HNB starts up for the first time, location authentication of the HNB (part of the non-identity authentication) is completed through interaction with the SGW and the AAA server on the network side, and after authentication succeeds the HNB location authentication data maintained by the network side is downloaded into the HNB's local TrE. When the HNB restarts or re-authenticates, location authentication of the HNB can be performed in the HNB's local TrE without further interaction with network-side servers such as the SGW, the AAA server and the AHR. This makes full use of the TrE and reduces the load on the network side.
Fifth embodiment
Fig. 5 is a signaling flowchart of a fifth embodiment of the authentication method based on the trusted environment of a home base station according to the present invention. As shown in Fig. 5, this embodiment focuses on the procedure when a UE initiates identity authentication for the first time after the HNB has started up for the first time. It likewise elaborates on steps 111 to 112 of the second embodiment, and includes the following steps:
Step 3110: The UE initiates an identity authentication request through the HNB. The request carries identity information and is sent to the AAA server.
Step 3111: The AAA server can run the AKA algorithm to authenticate the UE.
Step 3112: The AAA server sends the encrypted UE authentication data to the HNB in an authentication response (the data may be parameters such as RAND, AUTN and XRES from the AVs stored in the AAA server, and there may be several sets).
Step 3113: The HNB sends an authentication success response message to the UE.
Step 3114: The HNB sends the encrypted UE authentication data to the TrE.
Step 3115: The TrE decrypts the authentication data and securely stores the UE authentication data.
In this embodiment, after the HNB starts up for the first time, identity authentication of the UE (part of the non-identity authentication) is completed through the interaction of the UE and the HNB with the SGW and the AAA server on the network side, and after authentication succeeds the UE identity authentication data maintained by the network side is downloaded into the HNB's local TrE. When the HNB restarts or re-authenticates, or when the UE needs to be authenticated again, identity authentication of the UE can be performed in the HNB's local TrE, requiring only interaction between the UE and the HNB and no further interaction with network-side servers such as the SGW, the AAA server and the AHR. This makes full use of the TrE and reduces the load on the network side.
Sixth embodiment
Fig. 6 is a flowchart of a sixth embodiment of the authentication method based on the trusted environment of a home base station according to the present invention. As shown in Fig. 6, this embodiment focuses on the authentication procedure when the HNB restarts or re-authenticates. As the first to fifth embodiments show, after the HNB has started up for the first time and passed the network side's authentication, part of the authentication data maintained by the network side (mainly the data relating to non-identity authentication) is downloaded into the HNB's local TrE. When the HNB restarts or re-authenticates, the non-identity authentication can therefore be performed directly and locally, without the network side taking part. This embodiment includes the following steps:
Step 21: Perform identity authentication on the HNB;
Step 22: Perform identity authentication on the TrE;
Step 23: Authenticate the identity binding relationship between the HNB and the TrE;
Steps 21 to 23 can use the procedure of steps 101 to 110 of the second embodiment, which is not repeated here.
Step 24: Perform non-identity authentication on the HNB through the TrE. The non-identity authentication may include: identity authentication of the HPM, location authentication of the HNB, and identity authentication of the UE.
In this embodiment, the TrE stores the non-identity authentication data obtained during the authentication procedure at the HNB's first start-up. When the HNB restarts or re-authenticates, the non-identity authentication can be performed based on the non-identity authentication data stored in the local TrE, without further interaction with network-side servers such as the SGW, the AAA server and the AHR. This makes full use of the TrE and reduces the load on the network side.
Seventh embodiment
Fig. 7 is a signaling flowchart of a seventh embodiment of the authentication method based on the trusted environment of a home base station according to the present invention. As shown in Fig. 7, this embodiment focuses on the identity authentication procedure for the HPM when the HNB restarts or re-authenticates. The procedure described here is a concrete example of step 24 of the sixth embodiment; when the HNB starts again it also goes through steps 21 to 23 of the sixth embodiment. This embodiment includes the following steps:
Step 4110: The HPM initiates an identity authentication request to the TrE. This can be done through the interface between the HNB and the TrE.
Step 4111: The TrE looks up an authentication vector (AV) that it has not yet used.
Step 4112: The TrE sends an authentication challenge request to the HPM, carrying the AV (the AV includes the RAND and AUTN parameters).
Step 4113: The HPM computes RES (the response computed from the key, AUTN and RAND) from the received RAND and AUTN parameters and the key it stores.
Step 4114: The HPM returns an authentication challenge response carrying the RES.
Step 4115: The TrE authenticates the HPM. The TrE compares the received RES with the XRES it stores (a parameter downloaded into the TrE after the authentication procedure completed at the HNB's first start-up). If the values match, the TrE's authentication of the HPM succeeds and it generates a success result; otherwise it generates a failure result.
Step 4116: The TrE returns the authentication result to the HPM.
Step 4117: The TrE notifies the AAA server on the network side of the authentication result.
In this embodiment, the TrE stores the HPM identity authentication data obtained during the authentication procedure at the HNB's first start-up. When the HNB restarts or re-authenticates, identity authentication of the HPM can be performed based on the HPM identity authentication data stored in the local TrE, without further interaction with network-side servers such as the SGW, the AAA server and the AHR. This makes full use of the TrE and reduces the load on the network side.
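The local HPM check of steps 4110 to 4117, fed by the AV download of steps 1122 to 1125, as an added Python example that is not part of the patent text. All class and function names are hypothetical, and HMAC-SHA256 stands in for the AKA algorithm, which the text does not specify; the example shows that the TrE holds only AVs (never the key) and consumes one AV per attempt, so a captured RES cannot be replayed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def _prf(key: bytes, label: bytes, rand: bytes, n: int) -> bytes:
    # Assumption: HMAC-SHA256 as a stand-in for the operator's AKA functions.
    return hmac.new(key, label + rand, hashlib.sha256).digest()[:n]


@dataclass(frozen=True)
class AuthVector:
    rand: bytes  # RAND: random challenge
    autn: bytes  # AUTN: token that lets the HPM check where the challenge came from
    xres: bytes  # XRES: response the network expects


def generate_vectors(k: bytes, count: int) -> list:
    """Network side at first start-up: derive a batch of AVs from the shared key."""
    vectors = []
    for _ in range(count):
        rand = os.urandom(16)
        vectors.append(AuthVector(rand, _prf(k, b"AUTN", rand, 16),
                                  _prf(k, b"RES", rand, 8)))
    return vectors


class Hpm:
    """HPM side: holds the key and answers a challenge with RES (step 4113)."""

    def __init__(self, k: bytes):
        self._k = k

    def respond(self, rand: bytes, autn: bytes):
        if not hmac.compare_digest(autn, _prf(self._k, b"AUTN", rand, 16)):
            return None  # AUTN was not produced with this HPM's key
        return _prf(self._k, b"RES", rand, 8)


class TrE:
    """TrE side: stores downloaded AVs and authenticates the HPM locally."""

    def __init__(self):
        self._unused = []     # AVs not yet used for a challenge
        self._pending = None  # AV of the challenge currently outstanding

    def store_vectors(self, vectors):  # step 1125
        self._unused.extend(vectors)

    def unused_count(self) -> int:
        return len(self._unused)

    def challenge(self):  # steps 4111-4112
        if not self._unused:
            return None
        # The AV counts as used as soon as it is sent, whatever the outcome.
        self._pending = self._unused.pop()
        return self._pending.rand, self._pending.autn

    def verify(self, res) -> bool:  # step 4115
        av, self._pending = self._pending, None
        if av is None or res is None:
            return False
        return hmac.compare_digest(res, av.xres)  # constant-time RES == XRES


def local_hpm_auth(tre: TrE, hpm: Hpm) -> str:
    """Run one local authentication; the result is what the TrE would report
    to the HPM and the AAA server (steps 4116-4117)."""
    ch = tre.challenge()
    if ch is None:
        return "no-fresh-av"  # stored AVs exhausted: new ones are needed from the network
    return "success" if tre.verify(hpm.respond(*ch)) else "failure"


if __name__ == "__main__":
    key = bytes(range(16))  # constructed sample key
    tre = TrE()
    tre.store_vectors(generate_vectors(key, 2))
    for _ in range(3):
        print(local_hpm_auth(tre, Hpm(key)), "- AVs left:", tre.unused_count())
```

The third attempt in the demo reports `no-fresh-av`: the number of AVs downloaded at first start-up bounds how many restarts or re-authentications can complete without the network side.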
Eighth embodiment
Fig. 8 is a signaling flowchart of an eighth embodiment of the authentication method based on the trusted environment of a home base station according to the present invention. As shown in Fig. 8, this embodiment focuses on the location authentication procedure for the HNB when the HNB restarts or re-authenticates. The procedure described here is likewise a concrete example of step 24 of the sixth embodiment; when the HNB restarts or re-authenticates it also goes through steps 21 to 23 of the sixth embodiment. This embodiment includes the following steps:
Step 5110: The HNB sends a location authentication request to the TrE, carrying the current location information of the HNB.
Step 5111: The TrE performs location authentication. The TrE compares the current location information with the location information stored in the TrE; if they match, it generates a location authentication result of success, otherwise it generates a location authentication result of failure.
Step 5112: The TrE notifies the HNB of the location authentication result.
Step 5113: The TrE notifies the AHR on the network side of the location authentication result.
In this embodiment, the TrE stores the HNB location authentication data obtained during the authentication procedure at the HNB's first start-up. When the HNB restarts or re-authenticates, location authentication of the HNB can be performed based on the HNB location authentication data stored in the local TrE, without further interaction with network-side servers such as the SGW, the AAA server and the AHR. This makes full use of the TrE and reduces the load on the network side.
Ninth embodiment
Fig. 9 is a signaling flowchart of a ninth embodiment of the authentication method based on the trusted environment of a home base station according to the present invention. As shown in Fig. 9, this embodiment focuses on the authentication procedure when a UE is authenticated again after it has passed the network side's identity authentication for the first time. After the HNB's first start-up, if a UE has been authenticated by the network side, the UE authentication data relating to that UE is already stored in the local TrE, so when the HNB receives an identity authentication request from the same UE again, authentication can be completed directly by the TrE. The UE's repeated authentication may take place after the HNB's first start-up, or when the HNB restarts or re-authenticates. The authentication procedure of this embodiment is as follows:
Step 6110: The TrE receives the UE identity authentication request sent by the UE, which carries the identity of the UE.
Step 6111: The TrE compares the UE identity carried in the UE identity authentication request with the UE identity stored in the TrE; if they match, it generates a UE identity authentication result of success, otherwise it generates a UE identity authentication result of failure.
Step 6112: The TrE notifies the UE of the UE identity authentication result.
Step 6113: The TrE notifies the AAA server on the network side of the UE identity authentication result.
In this embodiment, the TrE stores the UE identity authentication data obtained during the authentication procedure at the HNB's first start-up. When the HNB restarts or re-authenticates, identity authentication of the UE can be performed based on the UE identity authentication data stored in the local TrE, without further interaction with network-side servers such as the SGW, the AAA server and the AHR. This makes full use of the TrE and reduces the load on the network side.
Tenth embodiment
This embodiment is an embodiment of a TrE unit. The TrE unit includes an authentication data storage module and an authentication module. The authentication data storage module stores the non-identity authentication data of the HNB; the authentication module performs non-identity authentication of the HNB according to the non-identity authentication data of the HNB stored in the authentication data storage module.
The authentication data storage module may include: an HPM authentication data storage module and/or a UE authentication data storage module and/or an HNB location authentication data storage module. The authentication module includes: an HPM identity authentication module and/or an HNB location authentication module and/or a UE identity authentication module. When the HPM identity authentication module performs identity authentication of the HPM, it needs to call the data stored in the HPM authentication data storage module; likewise, the HNB location authentication module corresponds to the HNB location authentication data storage module, and the UE identity authentication module corresponds to the UE authentication data storage module.
Eleventh embodiment
An embodiment of the present invention also provides a home base station that includes a TrE unit as described in the tenth embodiment, which is not described again here.
As the above embodiments show, the embodiments of the present invention make full use of the characteristics of the TrE: the non-identity authentication data from the HNB's first authentication is stored in the TrE, and when the HNB restarts, the relevant non-identity authentication can be performed by the TrE, which lightens the network side's load in authenticating the HNB. At the same time, the binding of device and user identity need not be implemented using the HPM-ID and HNB-ID, which spares the operator the burden of building an additional database.
Note that non-identity authentication in the embodiments of the present invention means: authentication relating to the HNB other than device identity authentication of the HNB and TrE authentication, such as HNB location authentication, HPM identity authentication, and identity authentication of UEs accessing the HNB.
The units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To illustrate clearly the interchangeability of hardware and software, the composition and steps of each example have been described above in general terms according to function. Whether these functions are carried out in hardware or in software depends on the particular application and the design constraints of the technical solution. Skilled practitioners may implement the described functions in different ways for each particular application, but such implementations should not be considered to go beyond the scope of the present invention.
The steps of the methods or algorithms described in connection with the embodiments disclosed herein can be implemented in hardware, in a software module executed by a processor, or in a combination of the two. The software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium.
Finally, it should be noted that the above embodiments only illustrate the technical solutions of the present invention and do not limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they may still modify the technical solutions described in the foregoing embodiments, or replace some of their technical features with equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.