Encryption key generation

This guide walks you through creating a JWS key pair and signing a test message. Both are required for performing Qualified Electronic Sealing in the production environment.

Step 1: Generate an ECC Key Pair

You can complete each step with your preferred software or cryptographic library. For demonstration purposes, we use the OpenSSL command-line tool.

Generate a private key

Run the following command to generate a 256-bit ECC private key:

openssl ecparam -genkey -name prime256v1 -out private_key.pem

ℹ️ Keep this private key: you will need it to create your secret, which is required for Qualified sealing in the production environment.

Generate a public key from the private key

Execute the following command to extract the public key:

openssl ec -in private_key.pem -pubout -out public_key.pem

Step 2: Sign a Message

Create a message to sign

Create a text file containing the message to sign (e.g., message.txt):

echo "This is a test message" > message.txt

Sign the message

Use the private key to sign the message by running the following command:

openssl dgst -sha256 -sign private_key.pem -out signature.bin message.txt

This command creates a signature.bin file containing the message's signature.

Step 3: Verify the Signature

Verify the signature with the public key

Use the public key to verify the signature. Execute the following command:

openssl dgst -sha256 -verify public_key.pem -signature signature.bin message.txt

If the signature is valid, the command prints "Verified OK".
If the signature is invalid, it reports a verification failure and exits with a non-zero status.
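The three steps above as one script. This is an added example, not part of the original guide: it runs key generation, public-key extraction, signing and verification in a temporary directory, then shows that a message changed by a single character no longer verifies, and inspects the structure of the signature file. It assumes only that the openssl command-line tool is on PATH.

```shell
#!/bin/sh
# Added example, not part of the original guide: runs Steps 1-3 end to end in a
# temporary directory and also checks that a modified message fails to verify.
# Assumes only that the `openssl` command-line tool is on PATH.
set -eu

# Steps 1 and 2: prime256v1 private key, then the public key derived from it.
generate_keypair() {
    dir=$1
    openssl ecparam -genkey -name prime256v1 -out "$dir/private_key.pem" 2>/dev/null
    openssl ec -in "$dir/private_key.pem" -pubout -out "$dir/public_key.pem" 2>/dev/null
}

# Step 2: ECDSA over the SHA-256 digest of the file; writes a DER-encoded signature.
# Usage: sign_file <private_key.pem> <message file> <signature output>
sign_file() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Step 3: verify with the public key. Prints "valid" or "invalid" and returns
# 0 or 1 so the result is usable both by people and by scripts.
# Usage: verify_file <public_key.pem> <message file> <signature file>
verify_file() {
    if openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1; then
        echo valid
    else
        echo invalid
        return 1
    fi
}

# The file written by `openssl dgst -sign` is a DER SEQUENCE of two INTEGERs (r, s).
# Prints how many INTEGER elements asn1parse finds: 2 for a well-formed signature.
signature_integer_count() {
    openssl asn1parse -inform DER -in "$1" | grep -c 'INTEGER'
}

# Demonstration: the original message verifies, a one-character change does not.
demo() {
    work=$(mktemp -d)
    generate_keypair "$work"
    printf 'This is a test message\n' > "$work/message.txt"
    sign_file "$work/private_key.pem" "$work/message.txt" "$work/signature.bin"
    echo "original message: $(verify_file "$work/public_key.pem" "$work/message.txt" "$work/signature.bin")"
    printf 'This is a test message!\n' > "$work/tampered.txt"
    echo "tampered message: $(verify_file "$work/public_key.pem" "$work/tampered.txt" "$work/signature.bin" || true)"
    echo "integers in DER signature: $(signature_integer_count "$work/signature.bin")"
    rm -rf "$work"
}

demo
```

Two points worth knowing when moving from this test to a JWS: the exit status of `openssl dgst -verify` is what a script should check, not the printed text; and JWS ES256 carries the signature as the raw 64-byte concatenation of r and s, not as the DER SEQUENCE that `openssl dgst -sign` writes, so a signature produced this way has to be converted before it is placed in a JWS.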

Step 4: Private key protection in a Production Environment

To protect your private key, follow these best practices:

Private key storage

  • Do not expose the private key: never store the private key in a publicly accessible location or in your source code.
  • Use strict file permissions: ensure that only authorized users can read the private key file.
  • Key vault: consider using a secret key vault to store your keys securely in a production environment.
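The first two points above, applied with the same tool. This is an added example, not part of the original guide: it creates the private key so that it is never world-readable, wraps it with a passphrase for storage at rest, and then checks both properties. It assumes only that openssl is on PATH; the passphrase in the script is a constructed placeholder, and the functions, file names and the "example-passphrase" value are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original guide: creates the private key with mode
# 600 from the first instant, encrypts it under a passphrase for storage at rest,
# and checks both. Assumes only that `openssl` is on PATH. The passphrase used here
# is a constructed placeholder; in production it comes from a vault or a prompt.
set -eu

# umask 077 in a subshell makes the file mode 600 at creation, so there is no
# window in which the key is readable by other users on the host.
generate_private_key() {
    (umask 077 && openssl ecparam -genkey -name prime256v1 -noout -out "$1" 2>/dev/null)
}

# Re-encode the key encrypted with AES-256 under the given passphrase.
# Usage: encrypt_private_key <plain key> <encrypted output> <passphrase>
encrypt_private_key() {
    (umask 077 && openssl ec -in "$1" -aes256 -passout "pass:$3" -out "$2" 2>/dev/null)
}

# Permission string such as -rw------- (works with both GNU and BSD ls).
file_mode() {
    ls -l "$1" | cut -c1-10
}

# An encrypted PEM written by openssl carries an ENCRYPTED marker in its header.
is_encrypted_pem() {
    if grep -q 'ENCRYPTED' "$1"; then echo yes; else echo no; fi
}

# Whether the key can be loaded with the given passphrase.
can_unlock() {
    if openssl ec -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1; then echo yes; else echo no; fi
}

demo() {
    work=$(mktemp -d)
    generate_private_key "$work/private_key.pem"
    echo "mode of plaintext key: $(file_mode "$work/private_key.pem")"
    encrypt_private_key "$work/private_key.pem" "$work/private_key.enc.pem" 'example-passphrase'
    echo "encrypted on disk: $(is_encrypted_pem "$work/private_key.enc.pem")"
    echo "unlock with right passphrase: $(can_unlock "$work/private_key.enc.pem" 'example-passphrase')"
    echo "unlock with wrong passphrase: $(can_unlock "$work/private_key.enc.pem" 'wrong-passphrase')"
    rm -rf "$work"
}

demo
```

The `pass:` form of `-passout` and `-passin` is used only to keep the demonstration self-contained; it places the passphrase on the command line, where other users on the host can see it in the process list. Outside a demo, openssl's `file:`, `env:` or `fd:` sources, or an interactive prompt, keep the passphrase out of the process list, and the plaintext key should be removed once the encrypted copy (or the vault entry) has been verified to load.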

Audits and monitoring

Perform regular audits to verify that these practices are being followed, and monitor access to the system that holds the key.