Keys, Authentication, and Encryption
Before you start sending and receiving UMA payments, you'll need to generate keys which will be used to authenticate yourself to other VASPs and to receive encrypted blobs for sensitive information (like payment and Travel Rule data).
The keys used in UMA are secp256k1 keys. You can generate these keys any way you'd like, but keep them safe and private! They will need to be passed to some SDK functions later on in this guide to sign, verify, encrypt, and decrypt messages. As an example, to create secp256k1 keys using openssl, run:
# Generate a secp256k1 key:
$ openssl ecparam -genkey -name secp256k1 -out ec_key.pem
# Print out the key data:
$ openssl ec -in ec_key.pem -noout -text
# The above is enough for UMA 0.x, but for UMA 1.x+, you'll need to wrap the keys
# in an X.509 certificate. To get a self-signed certificate:
$ openssl req -new -x509 -key ec_key.pem -sha256 -nodes -out ec_crt.crt -days <expiration in days>
# Print cert in pem format
$ openssl x509 -in ec_crt.crt -outform PEM
You can then save the public and private key data somewhere secure so that it can be used with the UMA SDK as needed. Note: When saving these keys, be sure to remove the colons that openssl prints out between hex bytes. Most SDKs won't parse the string as valid hex if those are left in.
There are two secp256k1 key pairs used in the UMA standard, the signing key and encryption key. Like you'd expect, the signing key is used for signing messages sent to other VASPs and for verifying that other VASPs are who they claim to be. The encryption key is used to encrypt sensitive data sent to you, like payment and Travel Rule information. Note that these can actually be the same key if you'd like them to be.
You also have the option of setting an expiration time for your keys. See the "Fetching Public Keys and Verifying Signatures" section for more details on that.
Now that you have keys generated, let's walk through our first UMA payment!