ietf-openpgp

Re: Low-level question about OpenPGP - why CFB mode?

2003-04-30 16:41:17

Jon Callas writes:
The downside is that there are attacks on CFB mode that don't exist on CBC
mode. The Jallad/Katz/Schneier attack of last summer is really an attack on
CFB mode. It's possible there are interesting CBC attacks (one was published
at last year's Crypto), but no one's made anything practical with it yet.
(But heck, the JKS attack is almost impractical.)

I think that attack will work on CBC mode as well.  Basically that paper
is an implementation of Katz and Schneier, 
http://www.counterpane.com/chotext.html.
That earlier paper described attacks on both CFB and CBC mail systems.

Let's consider a simple full-shift-width CFB message, not including any of
PGP's peculiarities like resynching or using a 0 IV:


Encryption:

IV  P1  P2
->  C1  C2

CFB:
C1 = E(IV) ^ P1
C2 = E(C1) ^ P2

CBC:
C1 = E(IV ^ P1)
C2 = E(C1 ^ P2)


Decryption:

IV  C1  C2
->  P1  P2

CFB:
P1 = E(IV) ^ C1
P2 = E(C1) ^ C2

CBC:
P1 = D(C1) ^ IV
P2 = D(C2) ^ C1


For CFB, to recover P2 using a chosen ciphertext attack, supply IV C1 R,
and you will get P2' = E(C1) ^ R.  You want P2 = E(C1) ^ C2, which is
P2' ^ R ^ C2.

For CBC, to recover P2 using a chosen ciphertext attack, supply IV R C2,
and you will get P2' = D(C2) ^ R.  You want P2 = D(C2) ^ C1, which is
P2' ^ R ^ C1.

Notice how similar the descriptions are.  It's exactly the same attack,
with the roles of C1 and C2 interchanged.

Of course in practice the PGP attack had to deal with the complexities of
PGP, but they were still able to make it work.  I don't think it would
have been much different if PGP used CBC, although I have not thought
that through in detail.

Hal Finney
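The two-block CFB and CBC cases worked through in the message above, as an added example (it is not Hal Finney's code and not PGP's). A toy 16-byte Feistel cipher built on HMAC-SHA256 stands in for the real block cipher; the XOR relations hold for any invertible E with inverse D, so nothing depends on the toy. `decrypt_oracle` models the recipient that decrypts whatever it is handed and returns the plaintext, which is the condition the JKS attack needs; the function and variable names are mine, and the sample IV, P1, P2 and R are constructed from a seeded RNG.

```python
# Added example: the two-block CFB and CBC chosen-ciphertext identities from the
# message, worked on a toy block cipher (not Hal Finney's code, not PGP's code).
import functools
import hashlib
import hmac
import random

BLOCK = 16      # block width in bytes; full-shift-width CFB feeds one whole block per step
HALF = BLOCK // 2

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: keyed hash of one half-block, cut to HALF bytes.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]

def E(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte block cipher: a 4-round balanced Feistel network over HMAC-SHA256.
    It stands in for the real cipher; the identities below hold for any invertible E."""
    l, r = block[:HALF], block[HALF:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r

def D(key: bytes, block: bytes) -> bytes:
    """Inverse of E: run the rounds backwards."""
    l, r = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r

def cfb_encrypt(key, iv, plain):
    # C_i = E(C_{i-1}) ^ P_i, with C_0 = IV  (the message's CFB encryption lines)
    out, prev = [], iv
    for p in plain:
        prev = xor(E(key, prev), p)
        out.append(prev)
    return out

def cfb_decrypt(key, iv, cipher):
    # P_i = E(C_{i-1}) ^ C_i: CFB decryption uses E, never D
    out, prev = [], iv
    for c in cipher:
        out.append(xor(E(key, prev), c))
        prev = c
    return out

def cbc_encrypt(key, iv, plain):
    # C_i = E(C_{i-1} ^ P_i)
    out, prev = [], iv
    for p in plain:
        prev = E(key, xor(prev, p))
        out.append(prev)
    return out

def cbc_decrypt(key, iv, cipher):
    # P_i = D(C_i) ^ C_{i-1}
    out, prev = [], iv
    for c in cipher:
        out.append(xor(D(key, c), prev))
        prev = c
    return out

def cfb_p2_from_oracle(decrypt_oracle, iv, c1, c2, r):
    # CFB case: submit "IV C1 R", learn P2' = E(C1) ^ R, so P2 = P2' ^ R ^ C2.
    p2_prime = decrypt_oracle(iv, [c1, r])[1]
    return xor(xor(p2_prime, r), c2)

def cbc_p2_from_oracle(decrypt_oracle, iv, c1, c2, r):
    # CBC case: submit "IV R C2", learn P2' = D(C2) ^ R, so P2 = P2' ^ R ^ C1.
    p2_prime = decrypt_oracle(iv, [r, c2])[1]
    return xor(xor(p2_prime, r), c1)

def demo(key: bytes = b"k" * 32, seed: int = 1) -> dict:
    """Return {"CFB": bool, "CBC": bool}: whether P2 was recovered from a recipient
    that decrypts whatever it is handed and returns the plaintext (the oracle the
    JKS attack relies on). IV, P1, P2 and R are constructed from a seeded RNG."""
    rng = random.Random(seed)
    iv, p1, p2, r = (bytes(rng.randrange(256) for _ in range(BLOCK)) for _ in range(4))
    results = {}
    for name, enc, dec, recover in (("CFB", cfb_encrypt, cfb_decrypt, cfb_p2_from_oracle),
                                    ("CBC", cbc_encrypt, cbc_decrypt, cbc_p2_from_oracle)):
        c1, c2 = enc(key, iv, [p1, p2])
        assert dec(key, iv, [c1, c2]) == [p1, p2]   # the mode round-trips
        oracle = functools.partial(dec, key)        # the key stays on the recipient's side
        results[name] = recover(oracle, iv, c1, c2, r) == p2
    return results

if __name__ == "__main__":
    print(demo())   # {'CFB': True, 'CBC': True}: same XOR relation, C1 and C2 swapped
```

Running `demo()` shows both modes giving up P2 through the same two XORs, which is the message's point: the recovery formula differs only in whether C1 or C2 is carried over. The relation is harmless unless the recipient returns unverified decrypted output, so the practical countermeasure is integrity protection over the ciphertext rather than a change of mode.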