2:I[3320,["464","static/chunks/app/whitepaper/page-5f358964864f8844.js"],"BeamCustomEventLink"] 3:I[9275,[],""] 4:I[1343,[],""] 5:I[231,["231","static/chunks/231-835e4e133e174214.js","931","static/chunks/app/page-5d776cda7f6de2ed.js"],""] 6:I[8173,["231","static/chunks/231-835e4e133e174214.js","336","static/chunks/336-7d95f706f99f5d97.js","185","static/chunks/app/layout-94ba229cb942bbac.js"],"Image"] 7:I[178,["231","static/chunks/231-835e4e133e174214.js","336","static/chunks/336-7d95f706f99f5d97.js","185","static/chunks/app/layout-94ba229cb942bbac.js"],"default"] 8:"$Sreact.suspense" 9:I[5730,["231","static/chunks/231-835e4e133e174214.js","336","static/chunks/336-7d95f706f99f5d97.js","185","static/chunks/app/layout-94ba229cb942bbac.js"],"default"] 0:["Xd04NOiY0_w4kHESI48g1",[[["",{"children":["whitepaper",{"children":["__PAGE__",{}]}]},"$undefined","$undefined",true],["",{"children":["whitepaper",{"children":["__PAGE__",{},[["$L1",["$","main",null,{"className":"container mx-auto py-12","children":[["$","div",null,{"children":[["$","h1",null,{"className":"text-4xl font-bold text-center mb-12","children":"Neulock Whitepaper"}],["$","div",null,{"children":"Author: Lucas Neves"}],["$","div",null,{"children":"Version: 1.0.0"}],["$","div",null,{"children":"First published: July 24, 2024"}],["$","div",null,{"children":"Last updated: October 10, 2024"}],["$","hr",null,{"className":"mt-4 mb-6"}],["$","p",null,{"children":["This document describes the Neulock Web3 Password Manager dapp, hosted at ",["$","a",null,{"target":"_blank","href":"https://neulock.app/","children":"neulock.app"}]," and ",["$","a",null,{"target":"_blank","href":"ipns://neulock.eth/","children":"neulock.eth on IPNS"}],"."]}],["$","p",null,{"children":["Neulock is fully functional as a progressive web app on the Arbitrum One, Base, and Optimism blockchains. 
",["$","a",null,{"target":"_blank","href":"https://web.neulock.app/","children":"Open the app here"}],"."]}],["$","p",null,{"children":["The author can be contacted at the ",["$","a",null,{"target":"_blank","href":"https://discord.com/invite/u2uShJ5pht","children":"Neulock community on Discord"}],"."]}],["$","h2",null,{"className":"text-3xl font-bold mt-12 mb-6","children":"A decentralized, permissionless, Web3 native, on-chain password manager"}],["$","p",null,{"children":"The Neulock project has the stated goal of protecting people's privacy online by allowing them to have full custody of their passwords."}],["$","p",null,{"children":"Operating under the premise that security should never depend on trust, users should never have to rely on someone else to secure their 'password vault'. Neulock is perhaps the first online password manager that never exports secrets from the user's devices, not even under encryption, which may have unknown vulnerabilities and implementation faults."}],["$","p",null,{"children":"With Neulock, the user has full custody of their passwords. Even though Neulock syncs passwords seamlessly across all user devices, the only computers that ever touch any user secrets (passwords, private keys), in plaintext or ciphertext, are the user's own devices. Passwords couldn't possibly leak from any other source. It's within the user's reach to ensure the security of their devices, which is sufficient to guarantee the safety of their password vault."}],["$","h3",null,{"className":"text-2xl font-bold mt-8 mb-4","id":"the-problem-with-cloud-based-password-managers","children":"The problem with cloud-based password managers"}],["$","p",null,{"children":["The original Neulock Legacy app is a cloud-based password manager. 
Neulock Legacy achieved an unprecedented degree of password confidentiality for an online password manager (its security model is described ",["$","a",null,{"target":"_blank","href":"https://legacy.neulock.app/security/","children":"here"}],"). However, confidentiality is only one of the three pillars of information security. Admittedly, Neulock Legacy is only on par with other cloud-based password managers in terms of:"]}],["$","ul",null,{"className":"list-disc list-inside mb-4","children":[["$","li",null,{"children":"Integrity: data stored on cloud providers could be tampered with."}],["$","li",null,{"children":"Availability: both the cloud provider and Studio V, the company that owns all Neulock password managers, could potentially take the service down. Moreover, the subscription-based business model has resulted in many users getting locked out of premium features due to payments being declined by a third-party processor."}]]}],["$","p",null,{"children":"These issues stem from Neulock Legacy's reliance on centralized infrastructure."}],["$","p",null,{"children":"The Neulock Project's mission is to grant users full custody of their secrets. 
Fulfilling this mission requires taking into account all three facets of information security, with the understanding that the owner of all data is the user alone."}],["$","h3",null,{"className":"text-2xl font-bold mt-8 mb-4","id":"decentralized-infrastructure-empowers-the-user","children":"Decentralized infrastructure empowers the user"}],["$","p",null,{"children":"Neulock Web3 Password Manager dapp is the result of adding the following requirements to the Neulock Project:"}],["$","ul",null,{"className":"list-disc list-inside mb-4","children":[["$","li",null,{"children":"All infrastructure must be decentralized and permissionless."}],["$","li",null,{"children":"All infrastructure must be publicly accessible from the internet out-of-the-box, but must also be self-hostable if the user so wishes."}],["$","li",null,{"children":"The integrity of data stored online must be guaranteed in an auditable fashion."}]]}],["$","p",null,{"children":"Public blockchains, especially the Ethereum ecosystem with its L2s and sidechains, are a perfect match for such requirements. Wallets enable users to easily interact with applications that have backend logic residing in smart contracts on the blockchain (dapps)."}],["$","p",null,{"children":"By using Ethereum-compatible wallets as the sole source of user authentication, we eliminate the need for users to create an account or remember a master key. The manually-entered master key, a staple of password managers, is a liability to confidentiality (it can be vulnerable to brute-force attacks or leaked if backed up) and to availability (it can be forgotten)."}],["$","p",null,{"children":"To minimize gas fees, bulk data must also be stored in decentralized infrastructure, but off-chain. 
The Interplanetary File System (IPFS) provides this capability with additional benefits:"}],["$","ul",null,{"className":"list-disc list-inside mb-4","children":[["$","li",null,{"children":"IPFS files can be easily replicated by the user, both by pinning on an external service, or by self-hosting an IPFS node."}],["$","li",null,{"children":"Content is referenced by its hash (the CID), ensuring data integrity."}]]}],["$","p",null,{"children":"In order to provide out-of-the-box availability guarantees, Neulock stores user data on an IPFS provider and then backs it up with at least 3 FileCoin unexpirable contracts. Should a contract stop being fulfilled (ie. that contract no longer pins the user data), the backend will procure a replacement contract. Even if users take no additional measures to back up their data, persistence is guaranteed for the foreseeable future."}],["$","p",null,{"children":"Neulock is the most secure online password manager because it addresses all aspects of information security:"}],["$","ul",null,{"className":"list-disc list-inside mb-4","children":[["$","li",null,{"children":[["$","strong",null,{"children":"Confidentiality"}],": building upon the principle of never exporting any user secrets, not even under encryption, user passwords in Neulock are as secure as the wallet itself."]}],["$","li",null,{"children":[["$","strong",null,{"children":"Integrity"}],": all blockchain transactions are signed by the user's wallet. Blockchain consensus mechanism ensures the integrity of on-chain data. Off-chain data integrity is verified by IPFS CID. All data is again end-to-end encrypted with tamper verification."]}],["$","li",null,{"children":[["$","strong",null,{"children":"Availability"}],": all infrastructure is decentralized, permissionless, publicly and immediately available on the internet, and can be replicated locally (self-hosted). Users are able to continue using Neulock even if Studio V, its parent company, goes out of business. 
Your passwords are available on any device where you can connect your wallet."]}]]}],["$","h4",null,{"className":"text-xl font-bold mt-4 mb-4","id":"neulock-vs-offline-password-managers","children":"Neulock vs. offline password managers"}],["$","p",null,{"children":"We would argue that, in most real-world applications, Neulock is also more secure than offline password managers. While, in theory, offline password managers could offer perfect confidentiality and integrity, they do so by offering poor availability guarantees. Attempts to increase their availability (eg. backups and replicas) can decrease confidentiality."}],["$","p",null,{"children":"Unless perfectly administered, offline password managers trade off availability for confidentiality and integrity. Your security depends on your logistical resources and abilities."}],["$","h2",null,{"className":"text-3xl font-bold mt-12 mb-6","children":"Specifications"}],["$","h3",null,{"className":"text-2xl font-bold mt-8 mb-4","id":"user-authentication","children":"User authentication"}],["$","p",null,{"children":"Authentication in Neulock involves choosing a blockchain where the Neulock smart contracts are deployed, connecting an Ethereum-compatible wallet and signing a fixed message to generate two application keys:"}],["$","ul",null,{"className":"list-disc list-inside mb-4","children":[["$","li",null,{"children":["The ",["$","strong",null,{"children":"password generation key"}],", used in the password derivation step; and"]}],["$","li",null,{"children":["The ",["$","strong",null,{"children":"encryption key"}],", used in the data saving and fetching steps."]}]]}],["$","p",null,{"children":"Since both keys are deterministically generated from the wallet signature of a fixed message (using HMAC-BLAKE2b), these keys never leave the user device, and can be replicated on other user devices by authenticating with the same wallet."}],["$","p",null,{"children":["$","img",null,{"className":"mx-auto my-6","alt":"A diagram 
showing how Neulock connects to the user's Ethereum wallet via the WalletConnect protocol, asks the user to sign a fixed message, and then derives both the Password Generation key and the Encryption key from the wallet signature.","title":"Neulock auth diagram","src":"/Neulock_Auth_Diagram.svg"}]}],["$","p",null,{"children":"Neulock's authentication flow provides the following advantages over most password managers:"}],["$","ul",null,{"className":"list-disc list-inside mb-4","children":[["$","li",null,{"children":"Users do not create an account. Connecting the Ethereum wallet is sufficient for authentication, as with most dapps."}],["$","li",null,{"children":"Users do not create a master key manually. All 256-bit keys are automatically derived from the wallet signature. There's no need to back up these keys, and they are brute-force-resistant."}]]}],["$","h3",null,{"className":"text-2xl font-bold mt-8 mb-4","id":"the-password-derivation-algorithm","children":"The password derivation algorithm"}],["$","p",null,{"children":"In Neulock, user data does not contain any secrets for Neulock-generated passwords."}],["$","p",null,{"children":"The two keys created in the \"User authentication\" step are the only secret information, and these keys never leave the user's devices, not even under encryption. This clear separation between secret keys (derived directly from the user's wallet) and non-secret user data (uploaded to decentralized storage under encryption) preserves the secrecy of your passwords, even in the unlikely event that encryption gets broken."}],["$","p",null,{"children":"Neulock derives passwords by processing the password generation key and a random, password-specific 256-bit sequence through an HMAC-based Extract-and-Expand Key Derivation Function (HKDF) to generate a long sequence of statistically random bits. This sequence is used to generate the actual password, conforming to desired password length and charset definitions. Neulock uses HMAC-BLAKE2b as its HKDF. 
The chart below illustrates this process."}],["$","p",null,{"children":["$","img",null,{"className":"mx-auto my-6","alt":"A diagram showing how the Neulock app deterministically calculates passwords using an internal private key that is derived from the user's Ethereum wallet signature.","title":"Neulock password derivation diagram","src":"/Neulock_Password_Derivation_Diagram.svg"}]}],["$","p",null,{"children":[["$","em",null,{"children":"Note:"}]," User data is guaranteed to not include any secrets as long as all your passwords have been generated with Neulock. Imported or manually-entered passwords will be present in user data, and will be uploaded to decentralized storage under end-to-end encryption. While this should be safe for short-term adoption purposes, we recommend changing all your passwords to Neulock-generated ones at your earliest convenience."]}],["$","h3",null,{"className":"text-2xl font-bold mt-8 mb-4","id":"data-synchronization","children":"Data synchronization"}],["$","p",null,{"children":"Neulock seamlessly synchronizes user passwords across all devices using only decentralized infrastructure."}],["$","h4",null,{"className":"text-xl font-bold mt-4 mb-4","id":"data-saving","children":"Data saving"}],["$","p",null,{"children":"When the user decides to save local data online, the following steps are executed:"}],["$","ol",null,{"className":"list-decimal list-inside mb-4","start":1,"children":[["$","li",null,{"children":"The Neulock app encrypts all user data (this data is illustrated in the Password Derivation chart and does not include generated passwords or keys)."}],["$","li",null,{"children":"The Neulock app uploads the encrypted user data to IPFS and receives the corresponding content ID (CID)."}],["$","li",null,{"children":"If using the default IPFS provider, the backend will automatically procure at least 3 FileCoin contracts to guarantee the persistency of the uploaded user data."}],["$","li",null,{"children":"The Neulock app encrypts the 
CID."}],["$","li",null,{"children":"The Neulock app requests the user wallet to save the encrypted CID to the blockchain, calling the Neulock smart contract on-chain."}],["$","li",null,{"children":"The wallet app asks the user to authorize the write transaction to the Neulock smart contract (incurs gas fees)."}],["$","li",null,{"children":"The wallet app sends the transaction to the blockchain using its own RPC node."}],["$","li",null,{"children":"The wallet app sends the transaction hash back to the Neulock app."}],["$","li",null,{"children":"The Neulock app requests its blockchain RPC node to independently verify the success of the transaction."}]]}],["$","p",null,{"children":"The chart below illustrates the above steps."}],["$","p",null,{"children":["$","img",null,{"className":"mx-auto my-6","alt":"A diagram showing how the Neulock app uploads encrypted user data to decentralized storage (IPFS) and to the blockchain.","title":"Neulock data upload diagram","src":"/Neulock_Push_Diagram.svg"}]}],["$","h4",null,{"className":"text-xl font-bold mt-4 mb-4","id":"data-fetching","children":"Data fetching"}],["$","p",null,{"children":"The Neulock app retrieves data previously saved by the user (ie. 
by the same wallet address as currently connected) by following these steps:"}],["$","ol",null,{"className":"list-decimal list-inside mb-4","start":1,"children":[["$","li",null,{"children":"The Neulock app requests its blockchain RPC node to read the Neulock smart contract and retrieve the latest encrypted IPFS content ID (CID) for the saved user data."}],["$","li",null,{"children":"The Neulock app verifies and decrypts the response, obtaining the CID for the latest saved user data."}],["$","li",null,{"children":"The Neulock app requests the encrypted user data from the IPFS node by passing the CID."}],["$","li",null,{"children":"Upon receiving the encrypted user data, the Neulock app verifies and decrypts this data."}]]}],["$","p",null,{"children":"The chart below illustrates the above steps."}],["$","p",null,{"children":["$","img",null,{"className":"mx-auto my-6","alt":"A diagram showing how the Neulock app fetches the encrypted user data IPFS reference from the blockchain and then downloads encrypted user data from decentralized storage (IPFS).","title":"Neulock data download diagram","src":"/Neulock_Fetch_Diagram.svg"}]}],["$","h2",null,{"className":"text-3xl font-bold mt-12 mb-6","children":"Self-custody of data"}],["$","p",null,{"children":"Neulock grants the user out-of-box self-custody of data, similar to how an Ethereum wallet grants self-custody of currency, NFT, and other tokens. All data is stored on decentralized infrastructure, accessible only to the wallet owner."}],["$","h3",null,{"className":"text-2xl font-bold mt-8 mb-4","id":"user-data-self-hosting","children":"User data self-hosting"}],["$","p",null,{"children":"Neulock functions without additional customization. Users are free, however, to replace some or all of the underlying infrastructure with the ones provided by third parties or with their own. 
The following connections can be overridden:"}],["$","h4",null,{"className":"text-xl font-bold mt-4 mb-4","id":"blockchain-rpc-node","children":"Blockchain RPC node"}],["$","p",null,{"children":"Neulock currently uses RPC endpoints provided by Infura. The user can provide another HTTPS RPC URL that's reachable from the Neulock app. It's possible to use a self-hosted node running on the local network."}],["$","p",null,{"children":[["$","em",null,{"children":"Note:"}]," This setting does not affect the RPC node used by the wallet to send transactions! You must configure this separately in your wallet app."]}],["$","h4",null,{"className":"text-xl font-bold mt-4 mb-4","id":"ipfs-node","children":"IPFS node"}],["$","p",null,{"children":["Neulock currently uses the IPFS service provided by Fleek. You can change this by setting URLs that implement the /add and /get endpoints of the ",["$","a",null,{"target":"_blank","href":"https://docs.ipfs.tech/reference/kubo/rpc/","children":"Kubo RPC API v0"}],"."]}],["$","p",null,{"children":[["$","em",null,{"children":"Note:"}]," If you change the IPFS node, Neulock cannot procure FileCoin contracts to guarantee the availability of your data! You are responsible for making sure your data is available should you decide to use your own IPFS node."]}],["$","h4",null,{"className":"text-xl font-bold mt-4 mb-4","id":"ipfs-data-pinning","children":"IPFS data pinning"}],["$","p",null,{"children":"Even if you don't change the IPFS node settings, you can still pin (duplicate) your data in your own node or using third-party services. Neulock can show your current IPFS Content ID (CID). You can use the CID to retrieve your encrypted user data on any IPFS node and pin it. 
Neulock will be able to retrieve your pinned data through its own node, as long as your IPFS node is online."}]]}],["$","hr",null,{"className":"mt-8"}],["$","h2",null,{"id":"cta-section","className":"text-3xl font-bold mt-12 mb-6","children":"Get started now"}],["$","p",null,{"children":"Now that you know everything about Neulock Web3 Password Manager, it's time to take ownership of your security."}],["$","div",null,{"className":"flex flex-col sm:flex-row items-center justify-center","children":["$","$L2",null,{"eventName":"WebApp","href":"https://web.neulock.app/","children":["$","button",null,{"className":"btn btn-lg btn-accent mt-6 sm:mt-8","children":"Open Neulock in this browser"}]}]}]]}]],null],null]},["$","$L3",null,{"parallelRouterKey":"children","segmentPath":["children","whitepaper","children"],"error":"$undefined","errorStyles":"$undefined","errorScripts":"$undefined","template":["$","$L4",null,{}],"templateStyles":"$undefined","templateScripts":"$undefined","notFound":"$undefined","notFoundStyles":"$undefined","styles":null}],null]},[["$","html",null,{"lang":"en","data-theme":"synthwave","children":[["$","head",null,{"children":[["$","link",null,{"rel":"apple-touch-icon","sizes":"180x180","href":"/apple-touch-icon.png"}],["$","link",null,{"rel":"icon","type":"image/png","sizes":"32x32","href":"/favicon-32x32.png"}],["$","link",null,{"rel":"icon","type":"image/png","sizes":"16x16","href":"/favicon-16x16.png"}],["$","link",null,{"rel":"manifest","href":"/site.webmanifest"}],["$","link",null,{"rel":"mask-icon","href":"/safari-pinned-tab.svg","color":"#ea8445"}],["$","meta",null,{"name":"msapplication-TileColor","content":"#5e5f60"}],["$","meta",null,{"name":"theme-color","content":"#ebeff2"}]]}],["$","body",null,{"className":"flex flex-col min-h-screen __className_36bd41","children":[["$","header",null,{"className":"container mx-auto pt-2 pb-6 px-4","children":["$","div",null,{"className":"flex justify-between 
items-center","children":[["$","$L5",null,{"href":"/","className":"flex items-center","children":[["$","$L6",null,{"src":{"src":"/_next/static/media/neulock-logo.7a212946.svg","height":500,"width":500,"blurWidth":0,"blurHeight":0},"alt":"Neulock logo","priority":true,"className":"w-8 lg:w-14"}],["$","span",null,{"className":"font-medium ml-3 text-2xl sm:text-3xl","children":"Neulock"}]]}],["$","$L7",null,{}]]}]}],["$","$L3",null,{"parallelRouterKey":"children","segmentPath":["children"],"error":"$undefined","errorStyles":"$undefined","errorScripts":"$undefined","template":["$","$L4",null,{}],"templateStyles":"$undefined","templateScripts":"$undefined","notFound":[["$","title",null,{"children":"404: This page could not be found."}],["$","div",null,{"style":{"fontFamily":"system-ui,\"Segoe UI\",Roboto,Helvetica,Arial,sans-serif,\"Apple Color Emoji\",\"Segoe UI Emoji\"","height":"100vh","textAlign":"center","display":"flex","flexDirection":"column","alignItems":"center","justifyContent":"center"},"children":["$","div",null,{"children":[["$","style",null,{"dangerouslySetInnerHTML":{"__html":"body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}"}}],["$","h1",null,{"className":"next-error-h1","style":{"display":"inline-block","margin":"0 20px 0 0","padding":"0 23px 0 0","fontSize":24,"fontWeight":500,"verticalAlign":"top","lineHeight":"49px"},"children":"404"}],["$","div",null,{"style":{"display":"inline-block"},"children":["$","h2",null,{"style":{"fontSize":14,"fontWeight":400,"lineHeight":"49px","margin":0},"children":"This page could not be found."}]}]]}]}]],"notFoundStyles":[],"styles":null}],["$","footer",null,{"className":"mt-auto py-6","children":["$","div",null,{"className":"text-center","children":["$","p",null,{"children":"© 2024 Studio V | 
Neulock"}]}]}],["$","$8",null,{"fallback":null,"children":["$","$L9",null,{}]}]]}]]}],null],null],[[["$","link","0",{"rel":"stylesheet","href":"/_next/static/css/fc6a90ae93852873.css","precedence":"next","crossOrigin":"$undefined"}]],"$La"]]]] a:[["$","meta","0",{"name":"viewport","content":"width=device-width, initial-scale=1"}],["$","meta","1",{"charSet":"utf-8"}],["$","title","2",{"children":"Neulock Web3 Password Manager"}],["$","meta","3",{"name":"description","content":"Neulock Web3 Password Manager Dapp. Self-custody your passwords, backed by Ethereum & FileCoin."}],["$","meta","4",{"name":"next-size-adjust"}]] 1:null