I'm working on a crypto wallet app and I need help with these following questions;
when creating a new wallet, how do the Blockchain network check if a certain mnemonic seed phrase has been used before for creating another wallet?
is it ever possible for two independent wallets to have the same mnemonic seed phrase?. If Yes, what's the implication? If No, why?
tips on security measures to observe when providing mnemonic seed phrases for crypto wallets?
Thanks
when creating a new wallet, how do the Blockchain network check if a certain mnemonic seed phrase has been used before for creating another wallet?
The network doesn't check previous usage of the seed.
If you're importing a seed into a wallet and the wallet automatically imports used accounts generated from this seed - this check is performed on the wallet level.
It keeps iterating the index number in the derivation path - each iteration results in one account. The wallet checks if the account has > 0 sent / received transactions. If there are transactions on the account, the account is imported to the wallet. If there are no transactions on the account, the loop stops.
Sometimes the import also already contains the number of accounts - then the check of number of transactions is not required.
is it ever possible for two independent wallets to have the same mnemonic seed phrase?. If Yes, what's the implication? If No, why?
Theoretically possible.
Bug in implementation of generating randomness. If both wallets decide that "random number is 6", then the same "random" seed is generated on both.
Statistical probability that both generate truly random seed and the seed is the same, is very very very low. Practically impossible even if the machine was trying to generate seeds over and over for trillions of years until it finds the same seed. But statistically, the probability is non-zero.
tips on security measures to observe when providing mnemonic seed phrases for crypto wallets?
If possible, use input from the user to help generate the seed. For example some apps collect user mouse movements (presumably unique for each user / session) when generating the seed.
Encryption. Keep the raw data stored in an encrypted form, with access control - e.g. short-lived or one-time-access tokens.
Can we use the Ethereum network just like a database to store data. What might be the possible issues that can occur if it is used as a database.
Yes, it's possible. Just write a smart contract to store and retrieve your data.
Google the term "Solidity CRUD" for articles and tutorials for storing data in on Ethereum.
The downsides are:
Speed - Blockchains are slow to write and not fast to read. Ethereum will never be able to compete with even low performance databases like SQLite much less go against Postgres, Oracle or MongoDB.
Cost - Reading from Ethereum is free but writes cost Ether. The exact cost depends on the size of the data you want to store. For small amounts of data this does not matter much. For services you can even make this part of the API that your users will pay writes (such as buying a ticket form you) so it doesn't cost you anything. But if you have gigabytes of legacy data migrating it to the blockchain can be very expensive.
On top of that, doing large data transfer to the blockchain will see demand for transactions spike which will increase the cost per transaction. This is not just theoretical, it has happened before - when the cryptokitties smart contract was launched the game suddenly became so popular that transactions went from less than one cent per transaction to tens of dollars per transaction (USD).
In general you'd want to store only the core data that you need to be secure on Ethereum and link it to other data sources (for example store a URL link and hash of the object but store the object itself on Amazon S3 or Azure Storage)
I am offering a Restful API to clients that access it by webservice. Now I would like to be able to count the API call per month.
What would be the best way to count the calls? Incrmenting a DB field would mean on DB call more. Is there a workaround? We are talking about millions of API calls per month.
You can also log to text file and use log analytics tools such as Webalizer(http://www.webalizer.org/) to analyze the text files
HTH
You can use a separate in-memory database to track these values, and write them to disk occasionally. Or store calls in a collection and batch-write them to the database occasionally.
I'm working on a SaaS application. Each user will buy a plan on this application and he will be given a certain amount of storage corresponding to amount of information on the app. For example, the Free user will get 1GB free storage, the Basic user will get 5GB storage.
Currently, all information are stored in MySQL database and it is just plain text without any binary data on disk such as images or videos.
Let's imaging Gmail without attachment as an example of this application.
How can I implement this function on my application? Do we need a method that somehow calculates the amount of info contains in database for a specific user and does some validation on that?
Thank you in advance!
You should keep a running tally of how much space each user has consumed, which is then updated every time a write is made against their quota. Continually computing it is not going to be very efficient.
In my country the online payments are not an old thing, the first time i saw a web application taking payments directly to a local bank account was last year.
So, Im a newbie coding web payment system.
My question is, what are the best practices to store creditcard information into the database...
I have many ideas: encrypting the creditcard, database security restriction, etc.
What have you done?
DON'T DO IT
There is simply far too much risk involved, and you will typically need to be externally audited to ensure that you're complying with all the relevant local laws and security practises.
There are many third-party companies that do it for you that have already gone through all trouble of making sure their system is secure, that they comply with local laws and so on. An example in the US that I have used in the past is authorize.net. Some banks also have systems that you can hook into to store credit card data and process payments.
I realise the country you're in may not have as strict laws as the U.S., but in my opinion that's no excuse for rolling your own. When you're dealing with other people's money, the risk is just too much to warrant.
In 2020, use Stripe, and avoid storing payment information yourself.
HISTORICAL ANSWER:
For this, I recommend a comprehensive, layered approach.
First, storing credit card info should be an option.
Secondly, the data should be stored securely, using a strong form of encryption. I recommend AES with 256bit key size. Make sure when choosing your key, you use the entire keyspace (it's a rookie mistake to just use a randomly generated alphanumericsymbol string as a key).
Third, the AES key needs to be properly secured. Do not embed the value inside your code. If you are using windows, consider using DPAPI.
Fourth, you will want to setup database permissions so that applications and computers will have access on a need to know basis.
Fifth, secure the connection string to your database.
Sixth, ensure that any application that will have access to the credit card data, will properly secure it.
At miniumum follow the PA DSS (Payment Appliction Data Security Standard). More info can be found here:
https://www.pcisecuritystandards.org/security_standards/pa_dss.shtml
Also it would be wise to look at PCI DSS, which could be found here:
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
You should avoid storing any credit card information due to the risks to you and to customers of doing so.
Encrypt encrypt encrypt. Don't decrypt if you don't absolutely have to - don't decrypt to show the last 4 digits. Don't decrypt to tell the user what their card was.
In fact, if you can, don't even keep the encrypted card numbers in the same physical server as the rest of the user information.
Authorize.net has a Customer Information Manager API that allows you to store customer information in their system. It costs $20/mo. as an add-on to your account.
I suggest you encrypt card numbers with a strong algorithm( similar AES) and a long secret key.
Then,keep your secret key in a secure place similar an external hard or optical disk.
When you need to secret key,use external hard.
If you are using a shared host, you have to store your secret key in an external device.
Strict your database
Define strict users for your database
Remove root user of your database if it is not needed.