[Breaking Change] TripleDES.Create().FeedbackSize now defaults to 8 #21103

@bartonjs

TripleDES.Create().FeedbackSize now defaults to 8

The default value for the FeedbackSize property on the instance returned from TripleDES.Create() has changed from 64 to 8 to make for an easier migration from .NET Framework. This property, unless used directly in caller code, is used only when the Mode property is CipherMode.CFB.

Support for the CFB mode was first added to .NET for the 5.0 RC1 release, so only .NET 5.0 RC1 and .NET 5.0 RC2 applications should be impacted.

Version introduced

.NET 5.0 (RTM)

Old behavior

TripleDES.Create().FeedbackSize had a default value of 64.

New behavior

TripleDES.Create().FeedbackSize has a default value of 8.

Reason for change

In .NET Framework the TripleDES base class defaults the FeedbackSize value to 64, but the TripleDESCryptoServiceProvider class overwrites the default to 8. When the FeedbackSize property was introduced to .NET Core 2.0 this same behavior was preserved. However, in .NET Framework TripleDES.Create() returns an instance of TripleDESCryptoServiceProvider, therefore the default value from the algorithm factory is 8 in .NET Framework. For .NET the algorithm factory returns a non-public implementation, which had a default value of 64.

Changing the TripleDES implementation class' FeedbackSize value to 8 allows for applications written for .NET Framework which specified the cipher mode as CFB but did not explicitly assign the FeedbackSize property to continue to function on .NET 5.

Recommended action

Applications that encrypted (or decrypted) data in .NET 5.0 RC1 or .NET 5.0 RC2 with an instance from TripleDES.Create() with a default FeedbackSize property value and explicitly changed the Mode property to CipherMode.CFB did so with CFB64. In order to maintain this behavior you will need to explicitly assign the FeedbackSize property to 64.

Because not all TripleDES implementations use the same default for FeedbackSize, we recommend that anyone using the CFB cipher mode on TripleDES instances always explicitly assign the FeedbackSize property.

TripleDES cipher = TripleDES.Create();
cipher.Mode = CipherMode.CFB;
// Explicitly set the FeedbackSize for CFB to control between CFB8 and CFB64.
cipher.FeedbackSize = 8;

Category

  • ASP.NET Core
  • C#
  • Code analysis
  • Core .NET libraries
  • Cryptography
  • Data
  • Debugger
  • Deployment
  • Globalization
  • Interop
  • JIT
  • LINQ
  • Managed Extensibility Framework (MEF)
  • MSBuild
  • Networking
  • Printing
  • Security
  • Serialization
  • Visual Basic
  • Windows Forms
  • Windows Presentation Foundation (WPF)
  • XML, XSLT

Affected APIs


Issue metadata

  • Issue type: breaking-change
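
The mismatch described under "Recommended action", as an added example that is not part of the original issue or of the .NET code base: data encrypted as CFB64 (what an RC1/RC2 application got by leaving FeedbackSize alone) is decrypted once with FeedbackSize 64 and once with 8. The class name, the `Run` helper and the sample plaintext are hypothetical, and padding is disabled so the mismatch shows up as wrong bytes rather than depending on padding validation.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class CfbFeedbackSizeDemo   // hypothetical name, for illustration only
{
    // One CFB pass with the feedback size (in bits) stated explicitly.
    static byte[] Run(byte[] key, byte[] iv, int feedbackBits, bool encrypt, byte[] data)
    {
        using TripleDES cipher = TripleDES.Create();
        cipher.Key = key;
        cipher.IV = iv;
        cipher.Mode = CipherMode.CFB;
        cipher.FeedbackSize = feedbackBits;   // never rely on the default
        cipher.Padding = PaddingMode.None;    // sample data is a multiple of 8 bytes
        using ICryptoTransform t = encrypt ? cipher.CreateEncryptor() : cipher.CreateDecryptor();
        return t.TransformFinalBlock(data, 0, data.Length);
    }

    static void Main()
    {
        // Random key and IV taken from a throwaway instance.
        byte[] key, iv;
        using (TripleDES seed = TripleDES.Create()) { key = seed.Key; iv = seed.IV; }

        // Constructed sample input, exactly 16 bytes.
        byte[] plaintext = Encoding.ASCII.GetBytes("constructed data");

        // Ciphertext as produced with the old default: CFB64.
        byte[] legacy = Run(key, iv, 64, true, plaintext);

        byte[] as64 = Run(key, iv, 64, false, legacy);  // matching feedback size
        byte[] as8 = Run(key, iv, 8, false, legacy);    // new default feedback size

        Console.WriteLine($"CFB64 round trip ok: {as64.SequenceEqual(plaintext)}");
        Console.WriteLine($"CFB8 decrypt of CFB64 data ok: {as8.SequenceEqual(plaintext)}");

        // Both modes XOR the first plaintext byte with the first byte of E(IV),
        // so byte 0 survives the mismatch; a one-byte check would miss the bug.
        Console.WriteLine($"first byte still matches: {as8[0] == plaintext[0]}");
    }
}
```

A migration test for stored CFB ciphertext should therefore compare the full decrypted buffer, not a prefix.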


Labels

  • 🏁 Release: .NET 5 (Work items for the .NET 5 release)
  • breaking-change (Indicates a .NET Core breaking change)
