OFB and CTS cipher modes in AES, DES, TripleDES

[xairaven]

Why the OFB and CTS cipher modes are not implemented in AES, DES and TripleDES (.NET 7)? Tried googling, but didn't find anything clear. Also, why does the CTS mode in enum CipherMode (Link) not have the [EditorBrowsable(EditorBrowsableState.Never)] attribute, if OFB has one, but both modes don't work?

@vcsjones @bartonjs Can you please shed some light into this? Thank you very much in advance!

[vcsjones]

Why the OFB and CTS cipher modes are not implemented in AES, DES and TripleDES (.NET 7)?

.NET's stance on cryptography is that cryptographic primitives like AES, 3DES, etc; and modes of symmetric algorithms like CBC, GCM, or CFB need to be provided by the platform. We don't implement the actual cryptography ourselves.

Currently, only OpenSSL and Android supports CTS and OFB, which means only we can only implement those modes on those platforms. Windows nor macOS/iOS support these modes. Ideally, implementing a new primitive or mode would be supported by all platforms. However, we sometimes implement new primitives when at least two of OpenSSL, macOS, and Windows support it. Of those three, only OpenSSL supports it.

If we implemented it today, then Windows, macOS, iOS would all throw PlatformNotSupportedException for those modes, which we try not to do. Sometimes this is expected where there are "new" primitives like AES-GCM and we need to wait for the platform to catch up. In the case of OFB and CTS though, those symmetric modes have existed for a long time, and those platforms have not implemented them, so it's not likely to expect them to implement it any time soon.

why does the CTS mode in enum CipherMode attribute, if OFB has one, but both modes don't work?

I couldn't say. Maybe @bartonjs or @steveharter remember why we didn't add it to CTS.

[bartonjs]

Looks mainly like because CTS was in the original commit (OFB and CFB got left out): dotnet/corefx#1746, and way back then it wasn't marked EB-Never. When OFB and CFB got added during .NET Core 2.0 they were EB-Never because they weren't wired up. When CFB got wired up we removed EB-Never.

I'm vaguely guessing we left CTS just to remind ourselves that we'd already used the value 5 and anything newer needed to be a higher number.