Fixes #964: Validate key against allowed types for Algorithm family

[pachewise]

• [ ] add tests, make sure current test suite passes
• [ ] remove TODOs

Following discussion in #964, this PR adds checks to make sure the key loaded by any of the has_crypto = True Algorithm children is of the correct type for that Algorithm family. I still need to figure out how to check whether it's the right "flavor" of the algo family (for example, that the SHA256 algo is encoding/decoding using a key generated via SHA256).