Is this going to be as secure as I hope?

Lonnie Olson lists at kittypee.com
Fri Feb 14 14:42:14 MST 2014


On Fri, Feb 14, 2014 at 1:30 PM, S. Dale Morrey <sdalemorrey at gmail.com> wrote:
> To do this I've devised an algorithm to derive the private key on the
> client.

When working with crypto, it's usually a bad idea to devise your own
algorithms.  There are likely smarter people that have already solved,
tested, and verified the problem you are having.

That said, your search for entropy is a good one, but your usage of
SHA256 to derive a key from some set of entropy is inadequate.  There
is a whole section of cryptography dedicated to achieving this goal.
There are several key derivation functions
(http://en.wikipedia.org/wiki/Key_derivation_function) available which
are much stronger than simple SHA256.  Perhaps look at the most
popular PBKDF2 (http://en.wikipedia.org/wiki/PBKDF2), since you are
very likely to find an easy implementation already written for
whatever platform you are writing for.
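
The contrast drawn in the reply above, as an added example that is not part of the original message or thread: a single unsalted SHA-256 next to PBKDF2-HMAC-SHA256 from Python's standard library, plus a hand-written first PBKDF2 block showing where the per-guess cost comes from. The function names, sample passphrase, 16-byte salt and iteration count are assumptions made for illustration, and `naive_key` is only a stand-in for "simple SHA256", not the original poster's algorithm.

```python
import hashlib
import hmac
import os
import time


def naive_key(passphrase: bytes) -> bytes:
    """One unsalted SHA-256: a guess costs one hash, and equal inputs give equal keys."""
    return hashlib.sha256(passphrase).digest()


def derive_key(passphrase: bytes, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256: salted, with a tunable work factor per guess."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, dklen=length)


def pbkdf2_block(passphrase: bytes, salt: bytes, iterations: int) -> bytes:
    """First 32-byte PBKDF2 block written out by hand (RFC 8018 structure)."""
    # U_1 = HMAC(passphrase, salt || INT(1)); U_n = HMAC(passphrase, U_{n-1})
    u = hmac.new(passphrase, salt + (1).to_bytes(4, "big"), hashlib.sha256).digest()
    acc = int.from_bytes(u, "big")
    for _ in range(iterations - 1):
        u = hmac.new(passphrase, u, hashlib.sha256).digest()
        acc ^= int.from_bytes(u, "big")  # output block is U_1 xor U_2 xor ... xor U_c
    return acc.to_bytes(32, "big")


def seconds_per_guess(fn, *args) -> float:
    """Wall-clock cost of one derivation, i.e. of one guess for someone brute-forcing."""
    start = time.perf_counter()
    fn(*args)
    return time.perf_counter() - start


if __name__ == "__main__":
    passphrase = b"correct horse battery staple"  # constructed sample input
    salt = os.urandom(16)   # random per key; stored with the ciphertext, not secret
    iterations = 600_000    # assumed work factor; tune to the slowest client you support
    key = derive_key(passphrase, salt, iterations)
    print("salt:", salt.hex(), "key:", key.hex())
    print("sha256 guess: %.6fs" % seconds_per_guess(naive_key, passphrase))
    print("pbkdf2 guess: %.6fs" % seconds_per_guess(derive_key, passphrase, salt, iterations))
```

The salt and iteration count have to be kept alongside whatever the key protects, since the same passphrase only reproduces the same key when both are supplied again.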

