DEV Community

Ryo Suwito
Ryo Suwito

Posted on

Neuer Keyless™: The End of Passwords, Tokens, and Headaches

Say goodbye to the ancient ritual of username and password authentication—it's as outdated as dial-up internet. It's time for passwords, JWTs, and session keys to pack up and head to the retirement home. Because Neuer Keyless™ has entered the chat, and it’s changing all the rules.

Mr. Krabs couldn't have said it better:

“The secret formula? There is no secret you should store!”
Enter fullscreen mode Exit fullscreen mode

Let’s dive into the cryptographic genius of Neuer Keyless™ and why it's mathematically unbeatable.

JWTs vs. Neuer Keyless™

Feature JWTs Neuer Keyless™
Secrets Stored Yes (headers, payloads). None—everything is derived dynamically.
Replay Protection Vulnerable without extra claims. Built-in via device + salt.
Token Rotation Manual and error-prone. Salt evolution automates this.
Revocation Complexity Requires blacklists. Self-obsolescent by design.
Attack Surface Header hijacking, payload tampering. Stateless and untouchable.

Storing Secrets is for Amateurs

Here's the cold, hard truth: passwords and tokens are old news.

  • Passwords: Easy to guess, a nightmare to remember. If your password is “123456,” please, just log off.
  • JWTs & Sessions: They might sound fancy, but they’re just a buffet for hackers.
  • Token Rotations: They’re like that annoying relative who overstays their welcome—awkward, clunky, and nobody really likes dealing with them.

Neuer Keyless™: The Magic Trick of Security

  • Your private keys? Cooked up fresh on your device.
  • Your secrets? Whipped up on the spot and never stored.
  • Your server? Just chilling with a list of public keys, minding its own business.

Breaking into this system is like trying to rob a bank that only deals in Monopoly money. You might bust in, but you’re leaving with nothing worthwhile.


The Secret Sauce of Neuer Keyless™

This isn’t just another security trend. Neuer Keyless™ is a whole new philosophy—stateless, dynamic, and as tough as nails.

  1. Keyless Wonders: Forget storing keys; generate them when you need them using some neat tricks like device fingerprinting and dynamic salts. Think of it like magic—now you see it, now you don’t.

  2. Changing Flavors: The 'salt' in this recipe changes with time, user actions, and device details. It's like those fancy restaurants that change their menu every day—you can never order the same thing twice.

  3. A Unique Taste: Every login attempt is tied to a device fingerprint, making unauthorized access about as likely as finding a unicorn.

  4. Self-Cleaning Oven: Old keys auto-expire. It’s like having a fridge that throws out the expired stuff on its own—no fuss necessary.

  5. Fort Knox Communications: Every message is locked up tighter than your grandma’s secret cookie recipe.


Why Breaking Neuer Keyless™ is a Fantasy

Imagine trying to break a 2048-bit RSA key. You’d have a better chance of winning the lottery while getting struck by lightning. The math behind it? It’s a fortress guarded by a dragon—good luck getting past that.

Say Goodbye to Replay Attacks

Replay attacks? Not happening. Our dynamic salts are like constantly changing locks. If a hacker tries using an old key, it’s like trying to fit a square peg in a round hole. |

The Genius of Throwing Away the Key

Imagine a security system where you don’t need to store any secrets. That’s Neuer Keyless™. Each secret is used once and then disappears—like Snapchat for cybersecurity.


Registration and Login: A Breeze

Registration looks like this:

(async () => {
    const pin = "1234"; // Simple, but fortified by Neuer Keyless™.

    // Generate dynamic salt based on user ID and current date
    const userId = 10;
    const contextualKeyFactors = `${userId}${new Date().getFullYear()}${new Date().getMonth() + 1}`;
    const server_staticsalt = new TextEncoder("utf-8").encode(contextualKeyFactors);
    console.log('Salt:', server_staticsalt);

    // Generate Initialization Vectors
    const server_signingIV = crypto.getRandomValues(new Uint8Array(12));
    const server_encryptionIV = crypto.getRandomValues(new Uint8Array(12));

    // Derive wrapping key
    const server_wrappingKey = await deriveKey(pin, server_staticsalt);

    // Register the user
    const registrationData = await registerUser(
        pin,
        server_staticsalt,
        server_signingIV,
        server_encryptionIV
    );
    console.log("Registration Data:", registrationData);
})();

Enter fullscreen mode Exit fullscreen mode

What’s Happening Here:

  • Dynamic Salt: Tied to the user and the current date, making it impossible to replay stale keys.
  • Key Derivation: A 4-digit PIN is transformed into a cryptographic powerhouse through salting and stretching.

Authentication:

The private key is unwrapped just-in-time for signing requests:
Signature = Sign(Message, PrivateKey)
When the salt updates (e.g., new month, status change), the system seamlessly heals itself.

try {
    console.log("Trying to unlock keys...");
    const unlockedKeys = await unlockKeys(pin, registrationData);
    console.log("Unlocked Keys:", unlockedKeys);
} catch (error) {
    console.error("Keys invalid. Re-authenticating...");

    const updatedKeyFactors = `${userId}${new Date().getFullYear()}${new Date().getMonth() + 2}`;
    const updatedSalt = new TextEncoder("utf-8").encode(updatedKeyFactors);

    // Re-register keys
    const newRegistrationData = await registerUser(pin, updatedSalt, server_signingIV, server_encryptionIV);
    console.log("New Registration Data:", newRegistrationData);

    const unlockedKeys = await unlockKeys(pin, newRegistrationData);
    console.log("New Unlocked Keys:", unlockedKeys);
}
Enter fullscreen mode Exit fullscreen mode

What’s Happening Here:

  • Dynamic Salt Evolution: When the context changes (e.g., new month), the salt invalidates old keys.
  • Self-Healing: The system regenerates keys in real-time, ensuring seamless security.

Secure Chats: Like Talking Through a Vault Door

const adapter = new UltraSecureAdapter(
    unlockedKeys.privateSigningKey,
    server_stored_SigningKey.publicKey,
    unlockedKeys.privateEncryptionKey,
    server_stored_EncryptionKey.publicKey
);

// Secure request with encrypted payload
const response = await adapter.sendRequest("/secure-endpoint", {
    message: "Hello, secure world!",
    timestamp: Date.now(),
});

const decryptedResponse = await adapter.decryptPayload(response);
console.log("Decrypted Response:", decryptedResponse);
Enter fullscreen mode Exit fullscreen mode

What’s Happening Here:

  • End-to-End Encryption: Payloads are signed and encrypted, ensuring tamper-proof communication.
  • Stateless Security: No tokens, no sessions, no baggage.

Neuer Keyless™ for Crayon-Eating Developers: A Crash Course in Cryptographic Greatness

Alright, champ, you’ve seen the code. You’ve read the reasons. Now it’s time for the real engineering talk.We’re going to break down each part of this code, explain what’s happening, and clarify why this approach leaves hackers crying into their keyboards. Ready? Let’s do it.


Phase 1: User Registration & Key Generation

What’s Happening?

We’re generating public and private key pairs on the client side. No, not on the server where a hacker can waltz in and steal your keys, but right inside the user’s device. If a hacker wants these keys, they need your device, your PIN, and a whole lot of luck.

Code Snippet:

const signingKeyPair = await crypto.subtle.generateKey(
  {
    name: "RSA-PSS",
    modulusLength: 2048,
    publicExponent: new Uint8Array([1, 0, 1]),
    hash: "SHA-256",
  },
  true,
  ["sign", "verify"]
);
Enter fullscreen mode Exit fullscreen mode

What’s the Point?

  • RSA-PSS for Signing: PSS is a padding scheme that makes signatures harder to mess with. No cheap “guess the signature” attacks here.
  • Client-Side Key Generation: Keys never leave the client’s machine as plain text. Your server ends up with just the public keys—harmless if stolen.
  • Hackers’ Reaction: “Where’s my easy database breach loot?” Sorry, not this time.

Phase 2: Deriving the Wrapping Key

What’s Happening?

We take the user’s PIN (weak secret) and run it through a PBKDF2 function with a dynamic salt. This turns a measly “1234” into a beefy cryptographic key.

Code Snippet:

async function deriveKey(pin, salt) {
  const encoder = new TextEncoder();
  const pinBuffer = encoder.encode(pin);

  const baseKey = await crypto.subtle.importKey(
    "raw",
    pinBuffer,
    "PBKDF2",
    false,
    ["deriveKey"]
  );

  return crypto.subtle.deriveKey(
    {
      name: "PBKDF2",
      salt: salt,
      iterations: 100000,
      hash: "SHA-256",
    },
    baseKey,
    { name: "AES-GCM", length: 256 },
    true,
    ["wrapKey", "unwrapKey"]
  );
}
Enter fullscreen mode Exit fullscreen mode

Why Does This Matter?

  • PBKDF2 + High Iterations: This makes brute forcing your PIN about as pleasant as doing 100,000 push-ups. Hackers hate cardio.
  • Dynamic Salt: The salt changes with context (time, user, etc.). If a hacker tries to replay old keys, they get nothing but digital dust.
  • Hacker Cry-Fest: Trying each guess is slow, expensive, and just not worth it.

Phase 3: Wrapping and Unwrapping Keys

What’s Happening?

We never store private keys in plain form. We wrap (encrypt) the private keys using the derived key. To use them, you must “unwrap” (decrypt) them again. No PIN, no unwrap. Period.

Code Snippet:

const wrappedSigningKey = await crypto.subtle.wrapKey(
  "pkcs8",
  signingKeyPair.privateKey,
  server_wrappingKey,
  { name: "AES-GCM", iv: server_signingIV }
);
Enter fullscreen mode Exit fullscreen mode

The Genius Here:

  • Key Wrapping: Think of it like putting your valuables inside a locked box. The wrapping key (derived from your PIN and dynamic salt) is that lock.
  • Stateless Server: The server doesn’t hold any secret keys. It only stores the public keys and the wrapped keys that are useless without your PIN-derived wrapping key.
  • Hacker’s Mood: “I got the wrapped keys, but I can’t open them. This is worse than a Piñata without a stick.”

Phase 4: Dynamic Salt & Self-Obsolescence

What’s Happening?

We frequently change the salt. That means an old wrapping key is dead on arrival. If a hacker records your traffic and tries to replay it later, the environment’s changed. The old salt doesn’t work anymore, rendering old wrapped keys useless.

Code Snippet (Conceptual):

let keyFactors = `${imaginaryUser.id}${new Date().getFullYear()}${new Date().getMonth() + 1}`;
window.server_staticsalt = new TextEncoder("utf-8").encode(keyFactors);
window.server_wrappingKey = await deriveKey(pin, server_staticsalt);
Enter fullscreen mode Exit fullscreen mode

Why This is Devilishly Clever:

  • Time-Based Salt: Each month (or any chosen interval), keys derived from old salts vanish into irrelevance.
  • No Need for Token Rotation Rituals: Unlike JWTs, you don’t have to rotate secrets manually. The salt handles expiration automatically.
  • Hackers: They finally realize their replay attacks are about as effective as shouting passwords at a locked door.

Phase 5: End-to-End Encryption with UltraSecureAdapter

What’s Happening?

We wrap everything inside an UltraSecureAdapter that handles encryption, signing, and verification. When you send a request, it’s fully encrypted and signed. The server can be sure it’s from you, and you can be sure only you can read the server’s replies.

Code Snippet:

const adapter = new UltraSecureAdapter(
  unlockedKeys.privateSigningKey,
  server_stored_SigningKey.publicKey,
  unlockedKeys.privateEncryptionKey,
  server_stored_EncriptionKey.publicKey
);

const response = await adapter.sendRequest("/secure-endpoint", {
  message: "Hello, secure world!",
  timestamp: Date.now(),
});
Enter fullscreen mode Exit fullscreen mode

Why This Rocks:

  • Tamper-Proof Communications: Signed messages ensure no impostors can pretend to be you.
  • Privacy-On-Steroids: Encrypted responses mean no snoops, not even the NSA with a headache, can read your data.
  • Hacker’s Tears: They thought they could intercept or modify data mid-flight. Nope, guess again.

Why This Entire Setup Kicks Hacker Butt

  1. No Stored Secrets: Hackers love breaking into databases. Here, they’ll find no usable secrets. It’s like robbing a bank that keeps all its cash in a secret interdimensional vault.

  2. Dynamic and Stateless: Each login event, each month, each context change, the keys evolve. Hackers can’t keep up; it’s like chasing a ghost that keeps changing shape.

  3. Client-Side Focused: By generating and managing keys on the client side, you cut off the hacker’s usual route: the server’s database. There’s nothing to steal from the server that can be directly used to impersonate you.

  4. Asymmetric Crypto Strength: Trying to brute force RSA or ECC keys is like trying to solve a Rubik’s Cube blindfolded and underwater. It’s not happening any time before the heat death of the universe.

  5. Easy Revocation? Done. Just change the salt. Old keys? Poof. Problem solved. No messy token blacklists, no tracking sessions. It’s a cryptographic Thanos snap—keys vanish instantly when conditions change.


Final Lesson: Stop Eating Crayons, Start Building

Neuer Keyless™ isn’t just a system—it’s a lesson in cryptographic superiority. No tokens, no passwords, no secrets stored. Just dynamic, adaptive security that evolves faster than hackers can react.

Put the crayons down. Welcome to Neuer Keyless™.

Image of Wix Studio

2025: Your year to build apps that sell

Dive into hands-on resources and actionable strategies designed to help you build and sell apps on the Wix App Market.

Get started

Top comments (0)