K <- 4. Definitions -> M
L English
- $ L2F
- (N) See: Layer 2 Forwarding Protocol.
$ L2TP- (N) See: Layer 2 Tunneling Protocol.
$ label- See: time stamp, security label.
$ laboratory attack- (O) "Use of sophisticated signal recovery equipment in a laboratory environment to recover information from data storage media." [C4009]
$ LAN- (I) Abbreviation for "local area network" [R1983]. (See: [FP191].)
$ land attack- (I) A denial-of-service attack that sends an IP packet that (a) has the same address in both the Source Address and Destination Address fields and (b) contains a TCP SYN packet that has the same port number in both the Source Port and Destination Port fields.
Derivation: This single-packet attack was named for "land", the program originally published by the cracker who invented this exploit. Perhaps that name was chosen because the inventor thought of multi-packet (i.e., flooding) attacks as arriving by sea.
$ Language of Temporal Ordering Specification (LOTOS)- (N) A language (ISO 8807-1990) for formal specification of computer network protocols; describes the order in which events occur.
$ lattice- (I) A finite set together with a partial ordering on its elements such that for every pair of elements there is a least upper bound and a greatest lower bound.
Example: A lattice is formed by a finite set S of security levels -- i.e., a set S of all ordered pairs (x,c), where x is one of a finite set X of hierarchically ordered classification levels X(1), non-hierarchical categories C(1), ..., C(M) -- together with the "dominate" relation. Security level (x,c) is said to "dominate" (x',c') if and only if (a) x is greater (higher) than or equal to x' and (b) c includes at least all of the elements of c'. (See: dominate, lattice model.)
Tutorial: Lattices are used in some branches of cryptography, both as a basis for hard computational problems upon which cryptographic algorithms can be defined, and also as a basis for attacks on cryptographic algorithms.
$ lattice model- 1. (I) A description of the semantic structure formed by a finite set of security levels, such as those used in military organizations. (See: dominate, lattice, security model.)
2. (I) /formal model/ A model for flow control in a system, based on the lattice that is formed by the finite security levels in a system and their partial ordering. [Denn]
$ Law Enforcement Access Field (LEAF)- (N) A data item that is automatically embedded in data encrypted by devices (e.g., CLIPPER chip) that implement the Escrowed Encryption Standard.
$ Layer 1, 2, 3, 4, 5, 6, 7- (N) See: OSIRM.
$ Layer 2 Forwarding Protocol (L2F)- (N) An Internet protocol (originally developed by Cisco Corporation) that uses tunneling of PPP over IP to create a virtual extension of a dial-up link across a network, initiated by the dial-up server and transparent to the dial-up user. (See: L2TP.)
$ Layer 2 Tunneling Protocol (L2TP)- (N) An Internet client-server protocol that combines aspects of PPTP and L2F and supports tunneling of PPP over an IP network or over frame relay or other switched network. (See: VPN.)
Tutorial: PPP can in turn encapsulate any OSIRM Layer 3 protocol. Thus, L2TP does not specify security services; it depends on protocols layered above and below it to provide any needed security.
$ LDAP- (I) See: Lightweight Directory Access Protocol.
$ least common mechanism- (I) The principle that a security architecture should minimize reliance on mechanisms that are shared by many users.
Tutorial: Shared mechanisms may include cross-talk paths that permit a breach of data security, and it is difficult to make a single mechanism operate in a correct and trusted manner to the satisfaction of a wide range of users.
$ least privilege- (I) The principle that a security architecture should be designed so that each system entity is granted the minimum system resources and authorizations that the entity needs to do its work. (Compare: economy of mechanism, least trust.)
Tutorial: This principle tends to limit damage that can be caused by an accident, error, or unauthorized act. This principle also tends to reduce complexity and promote modularity, which can make certification easier and more effective. This principle is similar to the principle of protocol layering, wherein each layer provides specific, limited communication services, and the functions in one layer are independent of those in other layers.
$ least trust- (I) The principle that a security architecture should be designed in a way that minimizes (a) the number of components that require trust and (b) the extent to which each component is trusted. (Compare: least privilege, trust level.)
$ legacy system- (I) A system that is in operation but will not be improved or expanded while a new system is being developed to supersede it.
$ legal non-repudiation- (I) See: secondary definition under "non-repudiation".
$ leap of faith- 1. (I) /general security/ Operating a system as though it began operation in a secure state, even though it cannot be proven that such a state was established (i.e., even though a security compromise might have occurred at or before the time when operation began).
2. (I) /COMSEC/ The initial part, i.e., the first communication step, or steps, of a protocol that is vulnerable to attack (especially a man-in-the-middle attack) during that part but, if that part is completed without being attacked, is subsequently not vulnerable in later steps (i.e., results in a secure communication association for which no man-in-the-middle attack is possible).
Usage: This term is listed in English dictionaries, but their definitions are broad and can be interpreted in many ways in Internet contexts. Similarly, the definition stated here can be interpreted in several ways. Therefore, IDOCs that use this term (especially IDOCs that are protocol specifications) SHOULD state a more specific definition for it.
Tutorial: In a protocol, a leap of faith typically consists of accepting a claim of peer identity, data origin, or data integrity without authenticating that claim. When a protocol includes such a step, the protocol might also be designed so that if a man-in- the-middle attack succeeds during the vulnerable first part, then the attacker must remain in the middle for all subsequent exchanges or else one of the legitimate parties will be able to detect the attack.
$ level of concern- (N) /U.S. DoD/ A rating assigned to an information system that indicates the extent to which protective measures, techniques, and procedures must be applied. (See: critical, sensitive, level of robustness.)
$ level of robustness- (N) /U.S. DoD/ A characterization of (a) the strength of a security function, mechanism, service, or solution and (b) the assurance (or confidence) that it is implemented and functioning. [Cons, IATF] (See: level of concern.)
$ Liberty Alliance- (O) An international consortium of more than 150 commercial, nonprofit, and governmental organizations that was created in 2001 to address technical, business, and policy problems of identity and identity-based Web services and develop a standard for federated network identity that supports current and emerging network devices.
$ Lightweight Directory Access Protocol (LDAP)- (I) An Internet client-server protocol (RFC 3377) that supports basic use of the X.500 Directory (or other directory servers) without incurring the resource requirements of the full Directory Access Protocol (DAP).
Tutorial: Designed for simple management and browser applications that provide simple read/write interactive directory service. Supports both simple authentication and strong authentication of the client to the directory server.
$ link- 1a. (I) A communication facility or physical medium that can sustain data communications between multiple network nodes, in the protocol layer immediately below IP. (RFC 3753)
1b. (I) /subnetwork/ A communication channel connecting subnetwork relays (especially one between two packet switches) that is implemented at OSIRM Layer 2. (See: link encryption.)
Tutorial: The relay computers assume that links are logically passive. If a computer at one end of a link sends a sequence of bits, the sequence simply arrives at the other end after a finite time, although some bits may have been changed either accidentally (errors) or by active wiretapping.
2. (I) /World Wide Web/ See: hyperlink.
$ link encryption- (I) Stepwise (link-by-link) protection of data that flows between two points in a network, provided by encrypting data separately on each network link, i.e., by encrypting data when it leaves a host or subnetwork relay and decrypting when it arrives at the next host or relay. Each link may use a different key or even a different algorithm. [R1455] (Compare: end-to-end encryption.)
$ liveness- (I) A property of a communication association or a feature of a communication protocol that provides assurance to the recipient of data that the data is being freshly transmitted by its originator, i.e., that the data is not being replayed, by either the originator or a third party, from a previous transmission. (See: fresh, nonce, replay attack.)
$ logic bomb- (I) Malicious logic that activates when specified conditions are met. Usually intended to cause denial of service or otherwise damage system resources. (See: Trojan horse, virus, worm.)
$ login- 1a. (I) An act by which a system entity establishes a session in which the entity can use system resources. (See: principal, session.)
1b. (I) An act by which a system user has its identity authenticated by the system. (See: principal, session.)
Usage: Usually understood to be accomplished by providing an identifier and matching authentication information (e.g., a password) to a security mechanism that authenticates the user's identity; but sometimes refers to establishing a connection with a server when no authentication or specific authorization is involved.
Derivation: Refers to "log" file, a security audit trail that records (a) security events, such as the beginning of a session, and (b) the names of the system entities that initiate events.
$ long title- (O) /U.S. Government/ "Descriptive title of [an item of COMSEC material]." [C4009] (Compare: short title.)
$ low probability of detection- (I) Result of TRANSEC measures used to hide or disguise a communication.
$ low probability of intercept- (I) Result of TRANSEC measures used to prevent interception of a communication.
$ LOTOS- (N) See: Language of Temporal Ordering Specification.
K <- 4. Definitions -> M