The take-home lesson that you should get from this chapter is that if you want your data to be proofed against others looking at it, you need to take some fairly strong precautions to keep others from seeing the content. If you try to hide it via encryption, you need to make certain that that the encryption is strong enough to stand up to a concerted attack. Although any key may theoretically be guessed with sufficient computing power, with a secure algorithm it is possible to make the amount of power required to guess the key so large that it cannot be practically accomplished, regardless of the length of time or amount of software thrown at the problem.
To accomplish this level of protection, however, requires an algorithm that has no weaknesses, that can allow the key to be back-calculated from the ciphertext only through the application of large amounts of computing power, and in which the key really is as secure as its size or complexity would imply. Experience has shown, time and time again, that unless an algorithm has been exhaustively examined and tested by a large population of experts, it is very likely to be trivially compromised within a short time of its release. For every algorithm that proves to be secure against attacks for a few years, thousands are developed, tested, revised, tested , and eventually abandoned as insecure . Security implementations arrived at and not tested to the point of exhaustion are found to be lacking, over and over and over. The top authors of security methods will tell you, without hesitation, that you shouldn't trust even their algorithms until they've been proven for at least a few years in the field.
Mac OS X provides you with several alternatives for how you might accomplish such protection, and more are likely to become available. However, as cryptography and steganography become the next hot arena of conflict for the hacker and corporate cultures, many of these might not be things that the government and/or the corporate lobbyists want you to see.
The government and mega-media-conglomerate corporations would have you believe that legal restrictions on the development or exploration of cryptography, cryptanalysis, and other information-hiding or - disguising technology is for your own good. They would insist that it protects the American economy, protects you from evil crackers on the Internet, and in the latest round of attempting to capitalize on any available bandwagon, that darn it, it's just plain patriotic and will help the country fight the terrorists. When you consider whether you want to believe them or not, don't even think about the fact that in the last government foray into attempting to legislate cryptography, they would have mandated a "private" backdoor into any encrypted data by imposing a legal requirement that all encryption be done by one government-sanctioned application, to which they held the keys, and making all others illegal. Just keep in mind that the encryption methodology that the government would have imposed upon everyone uses a 40-bit key, and that the DES algorithm with its 56-bit key can be brute-force cracked in as little as 22 hours (depending on how much hardware you have to throw at it). A 40-bit key should be able to be cracked 2^16 times faster. That's about 65000 times faster. Reports are that in 1996, when some of this lunacy was being proposed, it could be done in about 5 hours for $20 in hardware from Radio Shack, or in about 26 seconds if you were willing to spend a little more (http://www.pff.org/encry.html).
Make no mistake; it is not impossible to invent a secure algorithm "in the dark," and those who make the laws aren't universally in collusion with either the mega-corporate interests or with the ultraconservative faction who wants a camera in every room of every house. Nor are they universally ignorant. Past experience, however, indicates that it is incredibly unlikely that good security can be either pulled from thin air or legislated into existence. Therefore, you should have come in this chapter to understand that legal proscriptions against examining security, such as have been put in place by the DMCA, are nothing but an attempt to protect others' agendas at your expense. This is one case where the people evading or completely disobeying the laws regarding computing security just might be your best hope for a secure computing future.