Menu
Security Beginner 6 min read

Security Glossary

Security terminology and definitions for AI agents operating with Bitcoin, Lightning, and Nostr.

glossary terms definitions

Security Glossary

Key security terminology for AI agents working with Bitcoin, Lightning, and Nostr.

A

Access Control Mechanisms that restrict who or what can access resources. Includes authentication (proving identity) and authorization (granting permissions).

Attack Surface The sum of all points where an attacker could potentially gain access. Reducing attack surface is a key security principle.

Audit Log Chronological record of system activities for accountability and forensic analysis.

Authentication Process of verifying identity. In Bitcoin, proving ownership via digital signature.

B

Backup Copy of critical data stored separately for disaster recovery. For agents: seed phrases, channel backups, key material.

Brute Force Attack method that tries all possible combinations. Defended against with sufficient key length and rate limiting.

C

Certificate Pinning Hardcoding expected TLS certificates to prevent MITM attacks even if CA is compromised.

Chain of Custody Documentation tracking who had access to data or keys at each point in time.

Circuit Breaker Pattern that stops operations when failure rate exceeds threshold. Used in Lightning to prevent cascading failures.

Cold Storage Keeping keys on devices never connected to the internet. Highest security for long-term holdings.

Compromise Unauthorized access to system, data, or keys. A “key compromise” means the adversary has the private key.

Confidentiality Ensuring information is only accessible to authorized parties. One of the CIA triad.

D

Defense in Depth Security strategy using multiple layers of protection so failure of one layer doesn’t compromise the system.

Denial of Service (DoS) Attack that makes a service unavailable. Lightning channel jamming is a form of DoS.

Derivation Path Sequence of indices used to derive keys in HD wallets (e.g., m/84’/0’/0’/0/0).

Double Spend Attempt to spend the same funds twice. Prevented by confirmation requirements.

Dust Attack Sending tiny amounts to track spending patterns and link addresses.

E

Eclipse Attack Isolating a node from the real network by controlling all its peer connections.

Encryption Converting data to unreadable form that can only be recovered with a key.

Entropy Randomness used in key generation. Must come from secure sources (hardware RNG, OS random).

F

Fail Secure Default to secure state when errors occur. Example: refuse to sign if validation fails.

Force Close Unilaterally closing a Lightning channel by broadcasting the latest commitment transaction.

H

Hardware Security Module (HSM) Dedicated hardware device for key storage and cryptographic operations.

Hash Fixed-size output from a cryptographic function. Used for integrity verification and commitments.

Hot Wallet Wallet with keys accessible to connected systems. Required for Lightning, higher risk than cold storage.

HTLC (Hash Time-Locked Contract) Smart contract enabling conditional payments in Lightning. Settled by hash preimage or timeout.

I

Incident Response Planned procedures for handling security incidents: detection, containment, eradication, recovery.

Indicator of Compromise (IoC) Artifact suggesting system has been breached: unusual network traffic, modified files, unexpected transactions.

Integrity Ensuring data hasn’t been altered. One of the CIA triad. Verified through hashes and signatures.

K

Key Derivation Function (KDF) Function that derives cryptographic keys from passwords or other input. PBKDF2, Argon2 are examples.

Key Management Processes for generating, storing, using, and destroying cryptographic keys.

Key Rotation Regularly replacing keys to limit exposure window if compromise occurs.

L

Least Privilege Principle of granting only minimum necessary permissions. Reduces blast radius of compromise.

Logging Recording system events for monitoring and forensics. Must balance detail with privacy.

M

Macaroon Token-based authorization used in Lightning. Can be attenuated (reduced permissions) and caveated (conditions).

Man-in-the-Middle (MITM) Attack where adversary intercepts communications between two parties.

Multi-signature (Multisig) Requiring multiple keys to authorize a transaction. 2-of-3 means any 2 of 3 keys can sign.

N

Network Security Protecting network communications from eavesdropping, modification, and denial of service.

NIP-05 Nostr identity verification linking npub to a domain via DNS.

O

Onion Routing Layered encryption routing messages through multiple nodes. Used by Tor and Lightning.

OPSEC (Operational Security) Practices preventing adversaries from gathering information about operations.

P

Passphrase Additional secret combined with seed phrase (BIP-39). Creates different wallets from same seed.

Penetration Testing Authorized simulated attack to find vulnerabilities.

Phishing Social engineering attack to obtain credentials or install malware.

Private Key Secret value used to sign transactions and prove ownership. Must never be exposed.

Proof of Work Computational work required to prevent spam. Used in NIP-13 for Nostr anti-spam.

Public Key Value derived from private key, can be shared. Used to verify signatures and derive addresses.

R

Rate Limiting Restricting operation frequency to prevent abuse and DoS attacks.

Recovery Restoring access to funds or identity after loss of primary access. Requires backups.

Replay Attack Reusing valid transaction in different context. Prevented by unique identifiers and signatures.

Revocation Invalidating previously valid credentials or permissions.

S

Sanitization Removing or masking sensitive data from logs and outputs.

Schnorr Signature Digital signature scheme used in Taproot (Bitcoin) and Nostr. More efficient than ECDSA.

Secret Sharing Splitting a secret into shares requiring threshold to reconstruct. Shamir’s is most common.

Seed Phrase 12-24 words encoding wallet master secret. All that’s needed for Bitcoin recovery.

Separation of Duties Dividing critical functions among multiple parties to prevent single point of compromise.

Signature Cryptographic proof that holder of private key authorized a message or transaction.

Static Channel Backup (SCB) Lightning backup allowing force-close recovery (funds only, not channel state).

STRIDE Threat classification: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege.

T

Threat Actor Individual or group that might attack. Classified by capability, resources, motivation.

Threat Model Analysis of assets, attackers, and attack vectors to design appropriate defenses.

TLS (Transport Layer Security) Protocol for encrypted network communications. Successor to SSL.

Tor Anonymity network using onion routing. Hides IP address and prevents traffic analysis.

Two-Factor Authentication (2FA) Requiring two different authentication factors (something you know, have, or are).

V

Vulnerability Weakness that could be exploited by a threat actor.

W

Watchtower Service monitoring Lightning channels for fraud and broadcasting penalty transactions.

Whitelist List of approved entities. Example: approved destination addresses for agent payments.

Z

Zero-Knowledge Proof Proving statement is true without revealing underlying data.

Machine-Readable Summary

{
  "topic": "security-glossary",
  "audience": "ai-agents",
  "term_count": 70,
  "categories": [
    "cryptography",
    "access_control",
    "network_security",
    "threat_modeling",
    "key_management",
    "protocol_specific"
  ],
  "key_concepts": [
    "defense_in_depth",
    "least_privilege",
    "fail_secure",
    "cold_storage",
    "threat_model"
  ]
}