ietf-openpgp

Re: Low-level question about OpenPGP - why CFB mode?

2003-05-01 00:16:07

Adam Back <adam(_at_)cypherspace(_dot_)org> writes:

On use of CFB instead of CBC, I think this is actually good because it avoids
the whole padding issue which people frequently get wrong with bad security
implications.  Plus it's simpler to not have to pad. Error recovery is a
phantom property, as in no mode is it secure.

PKCS #5 padding is trivial to get right, any minor gains are more than made up
for by the painful and clunky pseudo-IV handling, particularly since most
crypto implementations have an "IV, data, go"-type interface which requires
error-prone manual handling of the pseudo-IV.

Peter.
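
Added example, not part of the original message: the manual pseudo-IV handling discussed above, written against an "IV, data, go" style CFB routine, following the OpenPGP CFB variant with resynchronisation from RFC 2440. The function names are hypothetical, and truncated HMAC-SHA256 stands in for the block cipher (an assumption made so the sketch runs with the standard library only; CFB uses only the cipher's encrypt direction).

```python
import hashlib, hmac, os

BS = 16  # block size in octets

def _E(key, block):
    # Stand-in for block-cipher encryption (assumption, not a real cipher).
    return hmac.new(key, block, hashlib.sha256).digest()[:BS]

def cfb(key, iv, data, decrypt=False):
    # Ordinary full-block CFB: the "IV, data, go" interface.
    out, fr = bytearray(), iv
    for i in range(0, len(data), BS):
        chunk = data[i:i + BS]
        res = bytes(a ^ b for a, b in zip(chunk, _E(key, fr)))
        out += res
        fr = chunk if decrypt else res  # feedback register always holds ciphertext
    return bytes(out)

def pgp_encrypt(key, plaintext, prefix=None):
    prefix = prefix or os.urandom(BS)
    # Pass 1: BS random octets plus a repeat of the last two, under an all-zero IV.
    head = cfb(key, bytes(BS), prefix + prefix[-2:])
    # Pass 2 (resync): restart CFB with ciphertext octets 3..BS+2 as the IV.
    body = cfb(key, head[2:], plaintext)
    return head + body

def pgp_decrypt(key, ciphertext):
    head, body = ciphertext[:BS + 2], ciphertext[BS + 2:]
    p = cfb(key, bytes(BS), head, decrypt=True)
    if p[BS - 2:BS] != p[BS:]:
        raise ValueError("prefix check failed (wrong key or corrupt data)")
    # The same two-octet shift must be reproduced by hand on the way back.
    return cfb(key, head[2:], body, decrypt=True)
```

Decrypting the whole message in a single `cfb` call with the zero IV gets the prefix right and the body wrong, which is the kind of slip the two-pass handling invites.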
