> > I'd start this trial with CFB. > > Is it possible to know the reason of such preference?
CFB mixes in the previous ciphertext - thus propagating the error a little, and thus being "more able" to detect mucking with the ciphertext. > Are there reason to think CTR is not as secure ? No. But CTR is pure XOR of the keystream with the plaintext - thus genreating MDC (Modification Detection Code) is a-must. With CFB you also need MDC, but to some very limited extent CFB itself will reveal modification. Finally, that is my personal preference. :-)
