Subject: Re: Kerberos: telnet to Solaris -> Bad encryption type
To: Travis H. <solinym@gmail.com>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-security
Date: 10/18/2005 16:43:46
In message <d4f1333a0510172118t48fcab2bi81134605fb9ee5d1@mail.gmail.com>, "Travis H." writes:
>> >It's not clear that 3des-cfb >> des-cfb (assuming it's still using
>> >cfb).
>>
>> Why do you say this? As far as I know, there are no generic attacks
>> against CFB, and the weakness of DES is (and always has been) against
>> brute-force key search, which 3DES defends against.
>
>I have been trying to remember the quote about CFB and I finally found it;
>Ross Anderson says of CFB:
>
>"Cipher feedback is not used much any more. It is a specialized mode of
>operation for applications such as military HF radio links, which are
>vulnerable to fading, in the days when digital electronics were relatively
>expensive. Now that silicon is cheap, people use dedicated link-layer
>protocols for synchronization and error correction rather than trying to
>combine them with the cryptography."
>
Right, which is different than saying that it's less secure. What Ross
is saying is that one of its strengths is resynchronization, which
isn't nearly as important. But it's sometimes used because it can
avoid length extension; see, for example, RFC 3826.
But Ross isn't completely right, either. For things like some forms of
digitized voice, you can't afford retransmission or jitter, so it can
still be used. There's an awful lot of legacy gear out there to which
one has to refit crypto! Certainly, it's not how you'd design a
digitized voice protocol today, but that's different than saying it
isn't used.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
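The two CFB properties the thread touches on, as an added example that is not part of the original exchange: full-block 64-bit CFB (the DES/3DES block width) built over a keyed stand-in function, since CFB only ever uses the cipher's forward direction (an HMAC-based PRF stands in; DES and 3DES themselves are not implemented here). It shows that the ciphertext is exactly as long as the plaintext, and that a flipped ciphertext bit corrupts only the block it lands in and the one after, after which decryption resynchronizes. Key, IV and message are constructed values.

```python
import hashlib
import hmac

BLOCK = 8  # 64-bit block, the width DES and 3DES use


def block_fn(key: bytes, block: bytes) -> bytes:
    """Keyed 64-bit PRF standing in for the block cipher.  CFB only runs the
    cipher in its forward (encrypt) direction, so a one-way keyed function
    suffices.  Stand-in only: this is not DES or 3DES."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def _cfb(key: bytes, iv: bytes, data: bytes, decrypt: bool) -> bytes:
    """Full-block CFB: C_i = P_i XOR E_K(C_{i-1}), with C_0 = IV.
    A short final block uses only as many keystream bytes as it has, so the
    output is exactly as long as the input: no padding, no expansion."""
    assert len(iv) == BLOCK
    out = bytearray()
    prev = iv  # shift register: the previous ciphertext block
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        keystream = block_fn(key, prev)
        result = bytes(a ^ b for a, b in zip(chunk, keystream))
        out += result
        prev = chunk if decrypt else result  # ciphertext is what feeds back
    return bytes(out)


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    return _cfb(key, iv, plaintext, decrypt=False)


def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    return _cfb(key, iv, ciphertext, decrypt=True)


def damaged_blocks(key: bytes, iv: bytes, plaintext: bytes, byte_index: int) -> list:
    """Flip one bit of the ciphertext at byte_index and return the indices of
    plaintext blocks that then decrypt wrongly.  In CFB that is the hit block
    and the one after it; later blocks resynchronize, because each keystream
    block depends only on the (intact) ciphertext block right before it."""
    ct = bytearray(cfb_encrypt(key, iv, plaintext))
    ct[byte_index] ^= 0x01
    recovered = cfb_decrypt(key, iv, bytes(ct))
    bad = {i // BLOCK for i in range(len(plaintext)) if recovered[i] != plaintext[i]}
    return sorted(bad)


# Constructed sample values; never reuse an IV under the same key in practice.
KEY = b"constructed demo key, not a secret"
IV = bytes(range(1, 9))
MESSAGE = b"three full blocks plus tail"  # 27 bytes: 3 full blocks + 3-byte tail
```

Run `damaged_blocks(KEY, IV, MESSAGE, 10)` to see the hit block and its successor reported as `[1, 2]`, while a flip in the final partial block damages only that block.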