Key update
A process used to replace a previously active key with a new key that is related to the old key.
Key validate
A process by which cryptographic parameters (e.g., domain parameters, private keys, public keys, certificates, and symmetric keys) are tested to confirm that they are appropriate for use by a particular cryptographic algorithm for a specific security service and application, and that they can be trusted.
Key value (key)
The secret code used to encrypt and decrypt a message.
Key wrapping
A method of encrypting keys (along with associated integrity information) that provides both confidentiality and integrity protection using a symmetric key algorithm.
Keyboard attack
A data scavenging method, using resources available to normal system users, which may include advanced software diagnostic tools.
Keyed-hash based message authentication code (HMAC)
A message authentication code that uses a cryptographic key in conjunction with a hash function. It creates a hash based on both a message and a secret key.
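An added example (not part of the glossary) showing the HMAC definition above in working code: the tag is computed over both the message and a secret key, and verification recomputes the tag and compares it in constant time. The first known-answer check uses the RFC 4231 test case 1 vector; the demo key and message are constructed for illustration.

```python
import hashlib
import hmac

# HMAC-SHA256 tag creation and verification (added example, not glossary text).


def make_tag(key: bytes, message: bytes) -> str:
    """Return the hex HMAC-SHA256 tag of message under key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, message: bytes, tag: str) -> bool:
    """Recompute the tag and compare it in constant time.

    hmac.compare_digest avoids leaking, through timing, how many leading
    characters of a forged tag happened to match the genuine one.
    """
    expected = make_tag(key, message)
    return hmac.compare_digest(expected, tag)


# Known-answer check: RFC 4231 test case 1 (key = twenty 0x0b bytes, data "Hi There").
RFC4231_KEY = b"\x0b" * 20
RFC4231_MSG = b"Hi There"
RFC4231_TAG = "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"


def demo() -> dict:
    """Tag a constructed message, then check a genuine, a tampered and a wrong-key case."""
    key = b"constructed-demo-key-0123456789"  # constructed; derive a random key in practice
    msg = b"transfer 100 to account 42"  # constructed sample message
    tag = make_tag(key, msg)
    return {
        "kat_ok": make_tag(RFC4231_KEY, RFC4231_MSG) == RFC4231_TAG,
        "genuine": verify_tag(key, msg, tag),
        "tampered": verify_tag(key, b"transfer 900 to account 42", tag),
        "wrong_key": verify_tag(b"other-key", msg, tag),
    }


if __name__ == "__main__":
    print(demo())
```

Because the key enters the computation, a party that only sees the message and tag cannot produce a valid tag for a modified message, which is what distinguishes a MAC from a plain hash.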
Keying material
The data (e.g., keys and initialization vectors) necessary to establish and maintain cryptographic keying relationships.
Keystroke logger
A form of malware that monitors a keyboard for action events, such as a key being pressed, and provides the observed keystrokes to an attacker.
Keystroke monitoring
The process used to view or record both the keystrokes entered by a computer user and the computer’s response during an interactive session. Keystroke monitoring is usually considered a special case of audit trails.
Killer packets
A method of disabling a system by sending Ethernet or Internet Protocol (IP) packets that exploit bugs in the networking code to crash the system. A similar effect is achieved by synchronize (SYN) floods, a method of disabling a system by sending more SYN packets than its networking code can handle.
Knapsack algorithm
An algorithm that uses an integer programming technique. In contrast to RSA, the encryption and decryption functions are not inverses of each other. It requires high bandwidth and is generally considered insecure because of documented breaks.
L
Label
(1) An explicit or implicit marking of a data structure or output media associated with an information system representing the FIPS 199 security category, or distribution limitations or handling caveats of the information contained therein. (2) A piece of information that represents the security level of an object and that describes the sensitivity of the information in the object. Similar to security label.
Labeling
Process of assigning a representation of the sensitivity of a subject or object.
Laboratory attack
A data scavenging method carried out with the aid of precise, elaborate, or powerful equipment.
Latency
Measures the delay from first bit in to first bit out. It is the time delay of data traffic through a network, switch, port, and link. Also, see data latency and packet latency.
Lattice
A partially ordered set for which every pair of elements has a greatest lower bound and a least upper bound.
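An added example (not part of the glossary) that applies the Lattice and Label entries to security labels: each label is a sensitivity level plus a set of compartments, the partial order is "dominates" (higher-or-equal level and a superset of compartments), and every pair of labels has a least upper bound and a greatest lower bound. The level names and compartments are constructed for the example.

```python
from dataclasses import dataclass

# Constructed hierarchy of sensitivity levels, lowest to highest.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]


@dataclass(frozen=True)
class Label:
    """A security label: a hierarchical level plus a set of need-to-know compartments."""

    level: str
    compartments: frozenset

    def rank(self) -> int:
        return LEVELS.index(self.level)


def dominates(a: Label, b: Label) -> bool:
    """a >= b in the lattice order: level at least as high AND compartments a superset."""
    return a.rank() >= b.rank() and a.compartments >= b.compartments


def lub(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that dominates both a and b."""
    return Label(LEVELS[max(a.rank(), b.rank())], a.compartments | b.compartments)


def glb(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label that both a and b dominate."""
    return Label(LEVELS[min(a.rank(), b.rank())], a.compartments & b.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Read access is allowed only when the subject's label dominates the object's label."""
    return dominates(subject, obj)


def demo() -> dict:
    """Two incomparable labels: neither dominates the other, yet lub and glb exist."""
    secret_crypto = Label("SECRET", frozenset({"CRYPTO"}))
    conf_nuclear = Label("CONFIDENTIAL", frozenset({"NUCLEAR"}))
    return {
        "comparable": dominates(secret_crypto, conf_nuclear) or dominates(conf_nuclear, secret_crypto),
        # A higher level alone is not enough: the NUCLEAR compartment is missing.
        "secret_reads_conf_nuclear": can_read(secret_crypto, conf_nuclear),
        "lub": lub(secret_crypto, conf_nuclear),
        "glb": glb(secret_crypto, conf_nuclear),
    }


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from this is that "higher" is not a total order once compartments are involved: a SECRET subject without the NUCLEAR compartment cannot read a CONFIDENTIAL/NUCLEAR object, and the lattice's lub is the label a system assigns to data combined from both sources.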
Layered solution
The judicious placement of security protection and attack countermeasures that can provide an effective set of safeguards (controls) that are tailored to the unique needs of a customer’s situation. It is a part of security-in-depth or defense-in-depth strategy.
Layering
It uses multiple, overlapping protection mechanisms so that failure or circumvention of any individual protection approach will not leave the system unprotected. It is a part of security-in-depth or defense-in-depth strategy.
Least functionality
The information system security function should configure the information system to provide only essential capabilities and should specifically prohibit or restrict the use of risky (by default) and unnecessary functions, ports, protocols, and/or services. This is based on the principle of least functionality or minimal functionality.
Least privilege
(1) Offering only the required functionality to each authorized user so that no one can use functions that are not necessary. (2) The security objective of granting users only those accesses they need to perform their official duties.
Least significant bit(s)
The right-most bit(s) of a bit string.
Legacy environment
It is a typical custom environment usually involving older systems or applications.
Letter bomb
A logic bomb, contained in electronic mail, triggered when the mail is read.
Library
A collection of related data files or programs.
License
An agreement by a contractor to permit the use of copyrighted software under certain terms and conditions.
Life cycle management
The process of administering an automated information system throughout its expected life, with emphasis on strengthening early decisions that affect system costs and utility throughout the system’s life.
Lightweight directory access protocol (LDAP)
LDAP is a software protocol for enabling anyone to locate organizations, individuals, and other resources (e.g., files and devices in a network) whether on the Internet or on a corporate intranet.
Line of defenses
A variety of security mechanisms deployed for limiting and controlling access to and use of computer system resources. They exercise a directing or restraining influence over the behavior of individuals and the content of computer systems. The lines-of-defense form a core part of a defense-in-depth strategy or security-in-depth strategy. They can be grouped into four categories—first, second, last, and multiple—depending on their action priorities and needs. A first line-of-defense is always preferred over the second or the last. If the first line-of-defense is not available for any reason, the second line-of-defense should be applied. If the second line-of-defense is not available or does not work, then the last line-of-defense must be applied. Note that multiple lines-of-defense are stronger than a single line-of-defense, whether the single defense is first, second, or last.
Linear cryptanalysis attacks
An attack that uses pairs of known plaintext and corresponding ciphertext to recover key bits.
Link control protocol (LCP)
One of the features of the point-to-point protocol (PPP) used for bringing lines up, testing them, and taking them down gracefully when they are not needed. It supports synchronous and asynchronous circuits and byte-oriented and bit-oriented encodings (Tanenbaum).
Link encryption
Link encryption (online encryption) encrypts all of the data along a communications path (e.g., a satellite link, telephone circuit, or T3 line). Because link encryption also encrypts routing data (i.e., headers, trailers, and addresses), all information passing over the link is encrypted in its entirety, and each communications node must decrypt the data before it can route it onward. It provides good protection against external threats such as traffic analysis, packet sniffers, and eavesdroppers. This is a technical and preventive control.
List-oriented protection system