Abstract: Providing consistent cryptographic operations across several applications using secure structured data objects includes a security middleware component, using an application programming interface, receiving a data input from an originating application operating in application space. Both the application and the middleware component execute in the data processing system. A security schema object is retrieved by the security middleware component from an object store, the security schema object describing a sequence of cryptographic operations and includes several components describing aspects of the cryptographic operations. The data input is transformed from a first format to a second format where one of the formats is a secure structured data object formed using the sequence of cryptographic operations. A property of the secure structured data object contains data about the security schema object. The data input is transmitted in the second format to a consumer application operating in application space.

Abstract: A method and apparatus for detecting data modification in a layered operating system is disclosed. Outbound content indicators at different layers are compared to detect potential outbound data modifications. Likewise, inbound content indicators at different layers are compared to detect potential inbound data modifications. Content indicators include checksum, cryptographic hash, signature, and fingerprint indicators. Embodiments of the present invention enable detection of data modifications across an operating system's kernel and user mode spaces, prevention of modified outbound data from reaching a network, prevention of modified input data from reaching a user application, and detection of malware and faults within an operating system.

Abstract: A virtual capacity acquisition unit acquires a size of virtual capacity of a save data area from an application. A storage capacity acquisition unit acquires a size of save data of the application. A writing control unit prohibits the application from writing the save data exceeding the virtual capacity in a recording device. A free space acquisition unit acquires a size of free space of the recoding device, and the writing control unit prohibits the writing of save data whose size is larger than that of the free space.

Abstract: Computer-executable instructions that are directed to the performance of consequential actions and automatically elevate to execute at a higher privilege level to do so can perform such consequential actions only after user notification. Doing so can enable monitoring processes to avoid presenting duplicative user notification upon detection of such auto-elevation. In addition, prior to presenting user notification, input from the execution environment can be ignored and access to DLLs for performing consequential actions can be avoided. A static analyzer can identify non-conforming computer-executable instructions. A wrapper can be utilized to provide compliance by otherwise unknown or non-conforming computer-executable instructions.

Abstract: A multi-context mobile unit includes a processor, a user interface coupled to the processor and configured to accept user input, a storage component coupled to the processor, and an input/output module coupled to the processor and configured to interact with at least one external network, wherein the processor is configured to selectively execute a plurality of virtual devices stored within the storage component in response to the user input, and wherein the plurality of virtual devices includes a first virtual device and a second virtual device having separate and isolated data access.

Abstract: A package identifier for a package from which an application is installed on a computing device is obtained. The package identifier is assigned to each of one or more processes created for running the application and, for each of the one or more processes, whether the process is permitted to access a resource of the computing device is determined based at least in part on the package identifier.

Abstract: Mechanisms are provided for performing centralized control of application sessions across a distributed computing environment comprising a plurality of application servers. A request to perform an application session control operation to control the application sessions associated with a specified user account identifier across the plurality of application servers in the distributed computing environment is received. A plurality of application instances upon which to perform the requested application session control operation are identified. An application session control request is transmitted to a plurality of session control clients associated with the application instances on the plurality of application servers of the distributed computing environment.

Abstract: Efficient mechanisms are provided for transferring key objects associated with disk logical unit numbers and tape cartridges from one data center to another data center. A request is received to transfer a source data center key object from a source data center to a destination data center. The source data center key object corresponds to a data block, such as a disk logical unit number (LUN) or a tape cartridge, maintained in a storage area network (SAN) and includes a unique identifier, an encrypted key, and a wrapper unique identifier. The encrypted key is decrypted using a source data center key hierarchy. Key information is transmitted from the source data center to the destination data center. A destination data center key object is generated using a destination data center key hierarchy.

Abstract: A method, device, and system for securely migrating and provisioning a virtual machine image to a host device of a cloud service provider environment (CSPE) is disclosed. A customer device encrypts a virtual machine image (VMI) and stores the VMI in the CSPE. The host device retrieves the encrypted VMI from the object store and sends host trust data (including a symmetric key extracted from the encrypted VMI, the symmetric key being encrypted with the customer public key) to a key management server for trust attestation. If the key management server successfully attests the host device, the key management server decrypts the encrypted symmetric key using the customer private key and re-encrypts the symmetric key using the host public key. The host device receives the re-encrypted symmetric key from the key management server, decrypts it using the host private key, and decrypts the encrypted VMI using the symmetric key.

Abstract: In an apparatus and method for protecting resources of a computing system from a malicious code by selective virtualization, at least a part of the resources is classified as compulsory resources for executing a program on the computing system. When a vulnerable program executed in a separate space attempts to access one of the compulsory resources, an operating system level virtualization is performed. Further, when the vulnerable program attempts to access one of the resources of the computing system which is other than the compulsory resources, the vulnerable program is permitted to access a modified resource which is generated by modifying content of the resource.

Abstract: Some embodiments disclose a method, an apparatus, and a system for implementing media data processing. A method includes dividing media data into several data blocks and selecting a part of the several data blocks using a preset rule shared with a requester. The method also includes encrypting the selected part of the several data blocks and sending the encrypted part of the several data blocks and another unencrypted part of the several data blocks to the requester. The requester can determine the encrypted part of the several data blocks according to the preset rule.

Abstract: A computer-implemented method for creating a rights management system (RMS) with superior layers and subordinate layers is described. A separate trust network for one or more layers of the RMS is established. The trust network includes one or more computing nodes within the one or more layers. A data object is created on a computing node that is a member of trust network in a superior layer. The data object is encrypted to a ciphertext data object. A publishing license is created for each of the one or more layers of the RMS. Access rights and attributes associated with the ciphertext data object are controlled within each layer based on the publishing license of each of the one or more layers of the RMS.

Abstract: A cloud computing system includes a native client; and a platform system providing distributed resources and dynamic resource allocation, for receiving raw data uploaded by the native client and returning computed results, including: a data extracting module for receiving the raw data; an encrypting and decrypting module, wherein only a single user is permitted to simultaneously invoke the data extracting module and the encrypting and decrypting module and process the raw data; the encrypting and decrypting module generates a key during encrypting and returns the key to the user for keeping and the computed results to the native client after receiving the key inputted by the user; and a data computing module, for computing raw data encrypted by the encrypting and decrypting module and returning results to the encrypting and decrypting module, wherein the data computing module is shared by all users and can be invoked simultaneously by several users.

Abstract: This invention provides a method and system for data encryption and decryption in data transmission through the web. The method includes: a browser sends a cryptographic information acquisition request to a cryptographic information providing equipment; the cryptographic information providing equipment sends cryptographic information back to the browser via an HTTPS channel; the cryptographic information includes a cryptographic algorithm and a cryptographic index; the browser uses the cryptographic algorithm to encrypt the data to be transmitted, and sends the encrypted data and the cryptographic index to the web server via an HTTP channel; the web server obtains the cryptographic algorithm corresponding to the cryptographic index from the cryptographic information providing equipment, then decrypts the encrypted data. Embodiments of the present invention can alleviate the load in the HTTPS channel, and improve the overall performance.

Abstract: A system, method and machine readable medium for automated policy building in a policy module of a network traffic management device is disclosed. Parsed network traffic data is received at a policy builder of a network traffic management device. The received network traffic data is analyzed in accordance with one or more threshold conditions specified by a user, via a user interface, for an existing policy. The existing policy is modified by the policy builder if the one or more threshold conditions for the network traffic have been met.

Abstract: Method, apparatus, and system for qualifying CPU transactions with security attributes. Immutable security attributes are generated for transactions initiator by a CPU or processor core that identifying the execution mode of the CPU/core being trusted or untrusted. The transactions may be targeted to an Input/Output (I/O) device or system memory via which a protected asset may be accessed. Policy enforcement logic blocks are implemented at various points in the apparatus or system that allow or deny transactions access to protected assets based on the immutable security attributes generated for the transactions. In one aspect, a multiple-level security scheme is implemented under which a mode register is updated via a first transaction to indicate the CPU/core is operating in a trusted execution mode, and security attributes are generated for a second transaction using execution mode indicia in the mode register to verify the transaction is from a trusted initiator.

Abstract: A method is provided for transferring data linked to an application installed on a security module associated with a mobile terminal, the data being stored in a first secure memory area of the security module, suitable for receiving a request to access the data, to read the data, and to transmit or store the data after encryption. A method is also provided for accessing these data suitable for transmitting a request to access, to receive and to decrypt the encrypted data. A security module, a management server, and a system implementing the transfer and access methods are also provided.

Abstract: A method and system for segmented architecture for managing access to electronic documents having private data and public data is disclosed herein. A request for an electronic document is sent to a segmentation server, and the request becomes two queries: one for the public or non-confidential data of the electronic document and one for the private or confidential data of the electronic document. The segmentation server determines if the request is made over a private network or a public network to determine whether private data should be sent in response to the request.

Abstract: A method is used in validating association of client devices with sessions. Information of a client device executing a user agent is gathered by a server for creating a device identifier for the client device upon receiving a request from the user agent for establishing a session between the user agent and the server. The device identifier includes information identifying the client device. The device identifier is associated with the session. The client device is validated by the server upon receiving subsequent requests from the client device during the session. Validating the client device includes gathering information of the client device sending each subsequent request for creating a device identifier for the client device and comparing the device identifier created from the information gathered during each subsequent request with the device identifier associated with the session.

Abstract: Systems and methods for encrypting a plaintext logical data object for storage in a storage device operable with at least one storage protocol, creating, reading, writing, optimization and restoring thereof. Encrypting the plaintext logical data object comprises creating in the storage device an encrypted logical data object comprising a header and one or more allocated encrypted sections with predefined size; encrypting one or more sequentially obtained chunks of plaintext data corresponding to the plaintext logical data object thus giving rise to the encrypted data chunks; and sequentially accommodating the processed data chunks into said encrypted sections in accordance with an order said chunks received, wherein said encrypted sections serve as atomic elements of encryption/decryption operations during input/output transactions on the logical data object.

Abstract: Adware and viruses are examples of objects that may be embedded in a web page or linked to a web page. When such an object is detected to be associated with a web page loading on a browser, an analysis may be performed to determine a trust level for the object. The object is suppressed based on the trust level. A prompt is displayed to advise a user that the object has been suppressed, and to provide an opportunity to interactively accept or decline activation of an action for the object.

Abstract: A host system integrity monitor for monitoring memory, operating systems, applications, domain manager, and other host system's structures of interest is isolated and independent of the CPU and operating system of commodity systems. The system requires no modifications to the protected (monitored) host's software, and operates correctly even when the host system is compromised. Either arranged as a stand-alone computer on the add-in card which communicates with the monitored host system through the PCI bus, or as the co-processor based monitor located on the motherboard of the host system, or residing on one of the virtual CPU while the monitored system resides on another virtual CPU, or residing within the domain manager of the host system, the monitor monitors the integrity of the examined structure by calculating hash values of the structure, comparing them with expected hash values, and sending error reports once the discrepancy between these values is detected.

Abstract: A location-trace comparison system can perform privacy-preserving computations on locations traces for two or more users, for example, to determine a location-visit overlap for these users. During operation, the system obtains location-event descriptions for locations that a local user has visited and/or is likely to visit, such that a respective location-event description indicates a location identifier and a time-interval identifier. The system encrypts the location-event descriptions to generate a corresponding set of encrypted local-user events, and receives encrypted remote-user events from a remote device, for at least one remote user. The system compares the encrypted location events to determine an overlap between the set of encrypted local-user events and the set of encrypted remote-user events.

Abstract: The present invention relates to an apparatus and a method for managing digital rights using virtualization technique, and more particularly to an apparatus and a method for enabling a user to access a desired text file in an independent area through a virtual machine corresponding to a licensed right for accessing the text file. The present invention comprises a virtual machine (VM) management unit for controlling a user access authorization function for accessing the text file in the area to which the virtualization technique is applied.

Abstract: A terminal to assign permission to an application includes a storage device to store an application list including information of applications authorized to receive manager permission, and an application processor to receive a request for the manager permission from the application and to determine to allow the manager permission to the application in response to a determination that the application is included in the application list. A method that uses a processor to assign permission to an application includes receiving a request for manager permission from the application, determining, using the processor, whether the application is included in an application list including information of applications authorized to receive manager permission, and determining whether to allow the manager permission to the application if the application is included in the application list.

Abstract: A method for authentication of a high-security client and a low-security client in a high-security mobile radio network includes: transmitting a request for authentication from a base station to the high-security client, wherein the request for authentication comprises a random number as a challenge; receiving a response from the high-security client at the base station, wherein the response from the high-security client comprises a generated number generated by performing a keyed cryptographic function on the challenge; providing a fixed number to the low-security client; and receiving a response from the low-security client at the base station, wherein the response from the low-security client comprises the fixed number. Limited access to the mobile radio network is granted for the low-security client relative to an access of the high-security client.

Abstract: Systems and methods for encrypting a plaintext logical data object for storage in a storage device operable with at least one storage protocol, creating, reading, writing, optimization and restoring thereof. Encrypting the plaintext logical data object includes creating in the storage device an encrypted logical data object including a header and one or more allocated encrypted sections with predefined size; encrypting one or more sequentially obtained chunks of plaintext data corresponding to the plaintext logical data object thus giving rise to the encrypted data chunks; and sequentially accommodating the processed data chunks into the encrypted sections in accordance with an order the chunks are received, wherein the encrypted sections serve as atomic elements of encryption/decryption operations during input/output transactions on the logical data object.

Abstract: A method, system, and medium are provided for operating a computing device and a mobile device to access computer software with a secure access and to access a packet network, and for operating a computer software on a mobile device with different computing devices. A mobile device is used to authenticate a user's access to computer software. The computer software may reside on the mobile device, the user's computing device, or another computing device. A unique identifier is stored in the mobile device associated with the computer software to enable the authentication.

Abstract: A method to identify a child process to a parent process in an operating system includes obtaining a token and login identifier from the operating system. The parent process creates a remote procedure call communications endpoint to communicate with the child process. Thereafter, a child process is spawned by the parent process. A child-initiated request to communicate with the parent process is then received by the parent process. In order to verify the identity of the child-initiated request, the parent process impersonates the child process and receives as identifier that identifies the requestor child process. The requestor process identifier and the spawned child identifier are compared. Based on the comparison, the parent process responds to the child-initiated request. In another embodiment, process identifiers are used by the parent process to verify the identity of a child process the requests communication with the parent process.

Abstract: A system and method for using a declarative approach to enforce instance based security in a distributed environment is presented. The invention described herein includes security logic in declarative specifications that, in turn, decouples the security logic from distributed object administration logic. An access manager identifies access requirements by combining object name property keys included in a distributed object with property key specifications included in a declarative specification. In turn, the access manager compares a caller's access attributes with the access requirements to determine whether to create a distributed object instance and allow the caller to invoke a method on the distributed object instance. The access requirements may also include role specifications and method parameter specifications.

Abstract: Preventing attacks on a computer at run-time. Content that is configured to access at least one function of a computer is received by the computer. Protections corresponding to the function are added to the content, wherein the protections override the function. The content and the protections are then transmitted to the computer. The function may expose a vulnerability of the computer, and arguments passed to the function may exploit that vulnerability. The protections are executed when the content is executed, and determine whether the arguments the content passed into the function represent a threat. In response to determining that the arguments represent a threat, execution of the content is terminated without executing the function.

Abstract: The present invention relates to a method for transferring content to a device, the method including the steps of: receiving a request for content from the device; delivering a uniquely identifiable, ephemeral player to the device; and transferring content to the device, for presentation on the device by the player. The invention has particular application to digital rights management in respect of the distribution of audiovisual content such as film and television programs, advertisements and live event broadcasts over communication networks such as the Internet.

Abstract: A security model restricts binary behaviors on a machine based on identified security zones. Binary behaviors can be attached to an element of a document, web-page, or email message. The binary behavior potentially threatens security on the local machine. A security manager intercepts download requests and/or execution requests, identifies a security zone for the requested binary behavior, and restricts access based on the security zone. The binary behavior can identify a security zone according to the related URL. In one example, all binary behaviors associated with a security zone are handled identically. In another example, a list of permissible binary behaviors is associated with a security zone such that only specified binary behaviors are granted access. In still another example, a list of impermissible binary behaviors is associated with a security zone such that binary behaviors that are found in the list cannot initiate access.

Abstract: A method, device, and system for securely migrating and provisioning a virtual machine image to a host device of a cloud service provider environment (CSPE) is disclosed. A customer device encrypts a virtual machine image (VMI) and stores the VMI in the CSPE. The host device retrieves the encrypted VMI from the object store and sends host trust data (including a symmetric key extracted from the encrypted VMI, the symmetric key being encrypted with the customer public key) to a key management server for trust attestation. If the key management server successfully attests the host device, the key management server decrypts the encrypted symmetric key using the customer private key and re-encrypts the symmetric key using the host public key. The host device receives the re-encrypted symmetric key from the key management server, decrypts it using the host private key, and decrypts the encrypted VMI using the symmetric key.

Abstract: The present disclosure is directed to a collaborative streaming system for protected media. A presentation device may interact with a group of trusted devices over a network to stream multimedia content. The presentation device may obtain a presentation content encryption key for presenting the content. Each trusted device in a group of trusted devices may obtain a download content encryption key allowing for download without presentation. A leader may be selected for managing the operation of the trusted devices. The leader may determine trusted device condition and assign one or more of the trusted devices to download portions of the content based on the condition. The leader may then consolidate the portions of the content and provide them to the presentation device. If the presentation device is the leader, the presentation device may perform similar operations and collect the portions of the content directly from the group of trusted devices.

Abstract: A computationally implemented method includes, but is not limited to: determining that a computing device that was presenting one or more portions of one or more items and that was in possession of a first user has been transferred from the first user to a second user; and marking, in response to said determining, the one or more portions of the one or more items to facilitate the computing device in returning to the one or more portions upon the computing device being at least transferred back to the first user. In addition to the foregoing, other method aspects are described in the claims, drawings, and text forming a part of the present disclosure.

Abstract: A location-trace comparison system can perform privacy-preserving computations on locations traces for two or more users, for example, to determine a location-visit overlap for these users. During operation, the system obtains location-event descriptions for locations that a local user has visited and/or is likely to visit, such that a respective location-event description indicates a location identifier and a time-interval identifier. The system encrypts the location-event descriptions to generate a corresponding set of encrypted local-user events, and receives encrypted remote-user events from a remote device, for at least one remote user. The system compares the encrypted location events to determine an overlap between the set of encrypted local-user events and the set of encrypted remote-user events.

Abstract: Methods and systems for managing access to stored data resources assign one or more wrapped (encrypted) encryption keys to each data resource. The resources are encrypted, and the keys may be stored in an access control list (ACL) in association with the encrypted data resources. The keys may be wrapped with metadata that indicates who or what is authorized to use the resource and what role the user or users may have with respect to the resource. The keys may be unwrapped upon receipt of access requests from authorized users, and may be used to decrypt the data resources.

Abstract: A security initialization system obtains load data that identifies a first database storing security data to be opened. The initialization system determines that a PKCS-based module for opening the first database is already initialized, where the PKCS-based module is already initialized from previously opening a second database. The initialization system causes the PKCS-based module to create a slot to open the first database, without shutting down the PKCS-based module, in response to determining that the PKCS-based module is already initialized.

Abstract: Techniques for encrypting documents in a search index may include: receiving a document for inclusion in a search index of a search system, where the document has an associated access control list (ACL), and the ACL includes data for use in restricting access to the document to users of the search system having credentials that match corresponding data in the ACL; encrypting the document using a first key to produce an encrypted document; generating a wrapped key for the document by encrypting both the first key and the ACL using a second key; and storing, along with the search index, the encrypted document in association with the wrapped key and an identifier for the document.

Abstract: A technique for secure computation obfuscates program execution such that observers cannot detect what instructions are being run at any given time. Rather, program execution and memory access patterns are made to appear uniform. A processor operates based on encrypted inputs and produces encrypted outputs. In various examples, obfuscation is achieved by exercising computational circuits in a similar way for a wide range of instructions, such that all such instructions, regardless of their operational differences, affect the processor's power dissipation and processing time substantially uniformly. Obfuscation is further achieved by limiting memory accesses to predetermined time intervals, with memory interface circuits exercised regardless of whether a running program requires a memory access or not. The resulting processor thus reduces leakage of any meaningful information relating to the program or its inputs, which could otherwise be detectable to observers.

Abstract: A data object is encoded in a redundant code. The redundant code defines a decoding scheme for reconstructing the data object from a sub-set of the encoded data parts. At least the sub-set of the encoded data parts is encrypted using a homomorphic encryption scheme, which allows equivalents of the arithmetic operations of a reconstruction process to be performed on encrypted encoded data parts. The data parts are stored distributed over a plurality of source terminals of a communication network, for use by a target terminal of the communication network. Upon a retrieval command from the target terminal, an upload management module determines which source terminals are available and the upload management module determines causes a selected set of terminals to transmit the encrypted encoded data parts each via its own connection to the network to a decoder server.

Abstract: A contact management method, apparatus and system for a third-party application are described. The contact management method includes: detecting an instruction to obtain a contact, wherein the instruction is input by a user operating the third-patty application; reading contact data in an address book in responsive to the instruction to obtain the contact; encrypting the contact data and obtaining an encrypted contact data; importing the encrypted contact data into a contact data table of the third-party application; and uploading the encrypted contact data in the contact data table to a cloud server, so that a mapping relationship between account information of the user and the encrypted contact data is established at the cloud server, wherein the account information of the user is used for logging in the third-party application. In the method, the apparatus and the system, safety and reliability of the contact data can be improved.

Abstract: A method and apparatus is disclosed herein for secure search and retrieval. In one embodiment, the method comprises receiving an encrypted, permuted search tree with nodes that have been permuted and encrypted, the encrypted permuted search tree having been encrypted with a first private encryption key; receiving, at a server, a query from a client, the query comprising a set of keywords, wherein each query term is encrypted with the first private encryption key; performing a search using the query, including performing an oblivious matching keyword test in which an evaluation occurs at each node of the tree to determine if one or more matches exist; and returning results based on a match of keywords for each document, the results including one or more encrypted leaf nodes of the tree, the encrypted leaf nodes encrypted with the first private encryption key.

Abstract: A method and apparatus for detecting scans are described. In one example, a plurality of flows is allocated into a plurality of bins associated with different source internet protocol (SIP) addresses. A set of bin characteristics for at least one bin of the plurality of bins is generated if the at least one bin reaches a predefined flow capacity. Afterwards, the set of bin characteristics is compared to a scan characteristics list to determine if a potential scan exists.

Abstract: An information processing device includes an external connection unit which connects to an external device; and a communication control unit which obtains data from a first virtual machine, transmits the data to a second virtual machine, and transmits, to the external connection unit, transmission completion information indicating that the data is already transmitted to the second virtual machine. The external connection unit (i) determines, based on the transmission completion information, whether or not a virtual machine is the second virtual machine to which the data is already transmitted, when the external connection unit receives, from the virtual machine, a request for a connection to the external device, and (ii) permits a connection between the virtual machine and the external device, when the external connection unit determines that the virtual machine is not the second virtual machine to which the data is already transmitted.

Abstract: A secure data parser is provided that may be integrated into any suitable system for securely storing and communicating data. The secure data parser parses data and then splits the data into multiple portions that are stored or communicated distinctly. Encryption of the original data, the portions of data, or both may be employed for additional security. The secure data parser may be used to protect data in motion by splitting original data into portions of data that may be communicated using multiple communications paths.

Abstract: Cross-site request forgeries (“XSRF”) can be prevented using a client-side plugin on a client computer. The client computer accesses a content provided by a third party host via a network and generates a request to a web application as directed by the content. The client-side plugin determines whether the request is associated with suspicious activities based on the content, a source of the request and a list of approved hosts associated with the target host. In response to a determination that the request is associated with suspicious activities, the plugin removes authentication credentials from the request and sends the request to the web application.

Abstract: Sensitive information is hashed using a hash key, salting key and additional logic. Upon receiving a credit card authorization request with a credit card number (or other sensitive information), the present technology may select a hash key. The credit card number may then be hashed using the hash key. A cryptographic salting key may be selected and salting modification logic may be accessed. The selected salting key may then be applied to the hashed credit card number. After the salting, the salting modification logic may be applied to the salted hash string. The resulting hash output may be used as an index to store encrypted credit card information with authorization information, settlement information, and other data within one or more tables.

Abstract: A method enables selected features of a software product residing on an end user electronic device with a license delivered from a licensing provider to a service provider of the end user electronic device. The method includes requesting at least one license to authorize a first service provider. An encrypted installation key uniquely associated with the first service provider is received as well as an authorization agent module for installation on one or more authorization agent devices associated with the first service provider. The encrypted installation key and the authorization agent module are installed on the authorization agent devices. A device-unique identifier (DUID) is generated for each authorization agent device based on hardware characteristics of the respective authorization agent devices. The DUID and the encrypted installation key are sent from the authorization agent device to a licensing provider to obtain the requested license.