ietf-822

Re: Question on encapsulation

1991-09-24 09:13:42
        The algorithm I use is very simple -- I combine a variety of pieces
        of information (including parts of the current message, the local
        system name, the current date/time string, etc.) and feed the
        resulting very long string into a digital signature algorithm. Such
        an algorithm produces a 128-bit key as its output -- deducing an
        input string that would produce the same output is computationally
        infeasible. Digital signature algorithms are really very good, and
        there are a variety of ones to choose from (I think MD4 is good
        enough for this, but there is always MD5 if you are really
        paranoid). The resulting key is encoded into a printable form that's
        roughly 40 characters long.

Sorry, but hashing is NOT a digital signature.  MD4 and MD5 are hashing
algorithms.  They provide a 128-bit "fingerprint" of an input stream.  It is
true that deducing an input stream given only a "fingerprint" is
computationally infeasible, and while this is necessary in a digital
signature, it is not sufficient.  A digital signature is also unforgeable,
thus guaranteeing the origin of an input stream.

To cast this in a real example, if I give you an input stream and its hash,
you can construct the input stream of your choice and its hash, and
substitute it for the original.  This is because the hashing algorithm is
well known and computable by anyone.

However, if I give you an input stream and a digital signature you can
verify the digital signature, but you cannot substitute another input
stream with its digital signature.  The reason is that you cannot create
"my signature", only verify it.

Jim
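
The substitution scenario Jim describes, worked through in Python as an added
example (not part of the original thread). SHA-256 stands in for the MD4/MD5
of the original message, and the signature is textbook RSA over the hash with
two fixed Mersenne primes as a stand-in key; those primes are an assumption
made purely for illustration, since a public, fixed key can be recovered by
anyone and is not a real key. The point it shows is the one in the reply: the
recipient of (message, hash) cannot tell Mallory's substitute from Jim's,
while the recipient of (message, signature) rejects it because Mallory lacks
the private exponent.

```python
import hashlib

# Toy RSA key, assumed for illustration only: two Mersenne primes give a
# modulus of about 1128 bits, comfortably larger than a SHA-256 digest.
# Fixed, public primes make this key worthless in practice; a real key is
# generated from secret random primes by a vetted library.
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)


def fingerprint(data: bytes) -> bytes:
    """Hash alone: a fingerprint that anyone can compute from the data."""
    return hashlib.sha256(data).digest()


def sign(data: bytes, private_exponent: int = D) -> int:
    """Textbook RSA signature over the hash; producing it requires D."""
    h = int.from_bytes(fingerprint(data), "big")
    return pow(h, private_exponent, N)


def verify(data: bytes, signature: int) -> bool:
    """Verification needs only the public pair (N, E)."""
    h = int.from_bytes(fingerprint(data), "big")
    return pow(signature, E, N) == h


def recipient_accepts_hash(data: bytes, digest: bytes) -> bool:
    """A recipient holding (data, hash) can only recompute and compare."""
    return fingerprint(data) == digest


def substitution_attack(original: bytes, forged: bytes):
    """Mallory intercepts what Jim sent and swaps in her own message.

    Returns (hash_recipient_fooled, signature_recipient_fooled).
    """
    # Case 1: Jim sent (original, hash). Mallory drops it and sends
    # (forged, hash(forged)); the algorithm is public, so she can compute it.
    forged_digest = fingerprint(forged)
    hash_fooled = recipient_accepts_hash(forged, forged_digest)

    # Case 2: Jim sent (original, signature). Mallory can verify it, but
    # without D her options are to reuse Jim's signature on her message or
    # to guess one. The recipient rejects both.
    jims_signature = sign(original)
    reuse_fooled = verify(forged, jims_signature)
    guessed = int.from_bytes(hashlib.sha256(forged + b"guess").digest(), "big")
    guess_fooled = verify(forged, guessed)
    return hash_fooled, (reuse_fooled or guess_fooled)


if __name__ == "__main__":
    # Constructed sample messages.
    original = b"Pay Alice 10 dollars"
    forged = b"Pay Mallory 10000 dollars"
    print("genuine signature verifies:", verify(original, sign(original)))
    print("(hash fooled, signature fooled):", substitution_attack(original, forged))
```

Textbook RSA without padding is used here only because it keeps the
signing/verifying relationship visible in two `pow` calls; it is malleable and
not something to deploy. Real signatures use a padded scheme such as
RSASSA-PSS, or Ed25519, from a maintained library, and a modern hash rather
than MD4 or MD5, both of which have had practical collision attacks since the
original message was written.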
