Why SerdeSecret? Guidance for app developers

Autonomi are using SerdeSecret<SecretKey> (in the form of a customised API a wrapper type MainSecretKey).

I’ve looked at the code for SerdeSecret and docs, and searched the web but failed to find an explanation of why you would use it or what exactly it does.

Here is the doc comment:

SerdeSecret is a wrapper struct for serializing and deserializing secret keys. Due to security concerns serialize shouldn’t be implemented for secret keys to avoid accidental leakage.

Whenever this struct is used the integrity of security boundaries should be checked carefully.

Can anyone answer those questions? I’m wondering if apps should do the same, and what the consequences are of just using BLS SecretKey etc.

6 Likes

It’s there in the quote:

The code for it was originally implemented in threshold_crypto crate, and is the best place to dive into the origins of how it does what it does (git history etc), specifically the file serde_impl.rs

More info in the comments of the library:

4 Likes

Thanks @mav but I don’t read the quote that way.

I already looked at the threshold_crypto source code and to me it appears just to be a wrapper. I guess I’m missing something so was hoping for an explanation.

Looking again I see the difference, that SecretKey is more secure, so stick with that until serialisation is needed.

Thanks for the prod.

3 Likes

Wrapping SecretKey up like that prevents it accidentally being used incorrectly. eg something relatively innocent like this

log("User has logged in: {}", user)

might be at risk of accidentally logging a secret if the user structure has a wallet with a secret in it etc. The user wouldn’t necessarily be aware their secret has been written into the log.

The only way to get this code to compile would be wrapping the wallet secret in SerdeSecret to explicitly allow the secret to be serialized and logged. There are very few cases where secrets should be serialized, and many cases where they could accidentally be incorrectly/accidentally serialized, so I feel this is a good guardrail for devs.

I’ve come up against the inconvenience of SerdeSecret many times in the past, but it’s a pretty reasonable protection and it makes it easy to find places in the codebase which might be at risk (ie anywhere with SerdeSecret).

4 Likes

I believe I understand now but find the documention lacking and the explanations confusing.

When I found SerdeSecret in Autonomi code it looked like it was being used to prevent leaks, but I think we’ve established it’s needed to enable serialisation. So I think its use may need reviewing.

@mav Would you search for it’s use and care to check? Or at least take a look at the new Registers code which is where I found it (search MainSecretKey). Maybe I’m reading the code wrong, so I’d appreciate you taking a look.

2 Likes