ietf-openpgp

Re: Low-level question about OpenPGP - why CFB mode?

2003-05-01 08:56:14

Peter Gutmann wrote:

"Hal Finney" <hal(_at_)finney(_dot_)org> writes:

I think this may have been the reason that Phil chose CFB.  As for the non-
standard "sync" operation, I don't remember why he did that. Probably it just
seemed to be a natural way of handling CFB given his understanding of its
rationale in terms of the way it interfaced with the underlying cipher.

I believe it was an implementation bug/quirk, not a deliberate design
decision.

I had heard that it was an attempt to make it
"more secure", like the salting of the Unix
password (DES) :-)

Either way, there appears
to be no justification for continuing its use,
and a good reason for deprecating it: it is
rather complex to document and program up, this
conversation about the munged CFB mode has been
had many times in the past (here and elsewhere)
and will be had many times in the future.

In the spirit of improving the codability of
OpenPGP, I'd suggest it be replaced with a
standard textbook or FIPS mode.

(Not in the current version of course, but at
the next convenient moment.)

-- 
iang