FIG. 1 depicts a block diagram of telecommunications system 100 in the prior art. There are three types of data-processing systems that are present in telecommunications system 100: (i) those that use resources (i.e., user systems), (ii) the resources themselves, and (iii) the security systems that determine if the user systems may use the resources. System 100 comprises, interconnected as shown: (i) user 111, which is the user system; (ii) resources 114 and 124; and (iii) authentication servers 112 and 122, and ticket-granting servers 113 and 123, which are the security systems.
To determine if a user system may use a resource, such as one that is associated with a service, the user system has to be (i) authenticated and (ii) authorized to use the resource. Authentication is the process by which the security system verifies that a user system is what it is supposed to be. Authorization is the process by which the security system grants a privilege to the user system to go ahead and use the resource.
Authentication and authorization are well-understood processes in data communications, and many protocols exist in the prior art that provide a level of security through authentication or authorization, or both. Telecommunications system 100 uses one such protocol called Kerberos to determine whether to grant a privilege to user 111.
In a first example, user 111, a client machine, needs to use resource 114, a database server that is local to the client. Resource 114 contains sensitive information, so user 111 has to be first authenticated and authorized before it is allowed to use the resource. User 111 is authenticated by authentication server 112 through local area network 115 and is issued a “ticket” by ticket-granting server 113 to be used by the user for showing proof of identity to resource 114. User 111 presents the ticket to resource 114 and is then permitted to access the information stored on resource 114. The process is reasonably straightforward, partly because user 111 and resource 114 are local to each other and, as a result, are able to use the same authentication and authorization systems, namely authentication server 112 and ticket-granting server 113. In fact, user 111, servers 112 and 113, resource 114, and network 115 are said to be in their own Kerberos realm, which is depicted in FIG. 1 as realm 110, because of the common authentication server and ticket-granting server.
In a second example, user 111 now needs to use a different resource, resource 124, a database server that is distant from the client. Resource 124 also contains sensitive information, so user 111 has to be authenticated and authorized before it is allowed to use resource 124. However, resource 124 is in a different realm than that of user 111, in that access to resource 124 is controlled by a different security system than the one that is local to user 111. For this reason, resource 124 is considered to be in a different realm, depicted in FIG. 1 as realm 120, than that of user 111. To get a ticket for resource 124 in the different realm, user 111 has to request—from ticket-granting server 113—a ticket accepted by ticket-granting server 123. If distant ticket-granting server 123 has registered with local ticket-granting server 113, then server 113 gives user 111 a first ticket that is valid at server 123. User 111 presents the first ticket to server 123 via networks 115 and 125, and is then permitted to get a second ticket from server 123 to access the information stored on resource 124 (or to access other resources in realm 120).
The problem with the security protocol used by telecommunications system 100 is that it requires ticket-granting servers 113 and 123 to have a trust relationship, as indicated by association 130 in FIG. 1. That is, servers 113 and 123 must be aware of each other, must share information, and must trust each other with that information. However, the trust relationship can be difficult to manage and, in addition, is more than some telecommunications systems require.
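The two-realm ticket exchange of the second example, and the trust relationship it depends on, as an added Python model that is not part of the patent: ticket-granting servers 113 and 123 each hold a copy of an inter-realm key that stands in for association 130, and an HMAC-sealed JSON ticket stands in for Kerberos encryption. The realm and key names and the ticket layout are assumptions, and a missing or mismatched inter-realm key on either server makes the cross-realm request fail.

```python
import hashlib, hmac, json
def seal(key, payload):
    # Stand-in for Kerberos ticket encryption (MAC only): needs `key` to mint or verify.
    body = json.dumps(payload, sort_keys=True).encode()
    return body + b"." + hmac.new(key, body, hashlib.sha256).hexdigest().encode()
def unseal(key, ticket):
    body, _, tag = ticket.rpartition(b".")
    want = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, want):
        raise PermissionError("ticket was not issued under a key this server holds")
    return json.loads(body)
class TGS:
    """Ticket-granting server; inter_realm_keys models a trust relationship like 130."""
    def __init__(self, realm, key, inter_realm_keys, service_keys):
        self.realm, self.key = realm, key
        self.inter_realm_keys = inter_realm_keys  # peer realm -> shared inter-realm key
        self.service_keys = service_keys          # local service -> its key
    def _key_for(self, ticket):
        issuer = json.loads(ticket.rpartition(b".")[0])["issuer"]  # unverified; key pick only
        if issuer == self.realm:
            return self.key
        if issuer not in self.inter_realm_keys:
            raise PermissionError(f"{self.realm}: no trust relationship with {issuer}")
        return self.inter_realm_keys[issuer]
    def grant(self, ticket, target_realm, service=None):
        client = unseal(self._key_for(ticket), ticket)["client"]
        if target_realm == self.realm:  # "second ticket": for a service in this realm
            return seal(self.service_keys[service],
                        {"issuer": self.realm, "client": client, "service": service})
        if target_realm not in self.inter_realm_keys:  # peer TGS never registered
            raise PermissionError(f"{self.realm}: no trust relationship with {target_realm}")
        return seal(self.inter_realm_keys[target_realm],  # "first ticket": cross-realm TGT
                    {"issuer": self.realm, "client": client, "service": "krbtgt/" + target_realm})

K_TGS113, K_TGS123, K_RES124 = b"key-tgs113", b"key-tgs123", b"key-res124"
def access_resource_124(key_at_113, key_at_123):
    """FIG. 1, second example. Arguments are each server's copy of the inter-realm key
    (None = not registered). Returns the client name resource 124 sees, or None if refused."""
    tgs113 = TGS("REALM110", K_TGS113, {"REALM120": key_at_113} if key_at_113 else {}, {})
    tgs123 = TGS("REALM120", K_TGS123, {"REALM110": key_at_123} if key_at_123 else {},
                 {"res124": K_RES124})
    tgt = seal(K_TGS113, {"issuer": "REALM110", "client": "user111",
                          "service": "krbtgt/REALM110"})  # from authentication server 112
    try:
        first = tgs113.grant(tgt, "REALM120")               # first ticket, valid at server 123
        second = tgs123.grant(first, "REALM120", "res124")  # second ticket, for resource 124
        return unseal(K_RES124, second)["client"]           # resource 124 verifies it
    except PermissionError:
        return None
```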