Generally the sole existence of a chaining mode already reduces the theoretically security as chaining widens the attack surface and also make certain kind of attacks more feasible. On the other hand, without chaining, you can at most encrypt 16 bytes (128 bits) securely, as that's the block size of AES (also of AES-192 and AES-256) and if your input data exceeds that block size, what else would you do than using chaining? Just encrypting the data block by block? That would be ECB and ECB has the worst security to begin with. Anything is more secure than ECB.

Most security analyses recommend that you always use either CBC or CTR, unless you can name any reason why you cannot use one of these two modes. And out of these two modes, they recommend CBC if security is your main concern and CTR if speed is your main concern. That's because CTR is slightly less secure than CBC because it has a higher likeliness of IV (initialization vector) collision, since the presence of the CTR counter reduces the IV value space, and attackers can change some ciphertext bits to damage exactly the same bits in plaintext (which can be an issue if the attacker knows exact bit positions in the data). On the other hand, CTR can be fully parallelized (encryption and decryption) and requires no data padding to a multiple of the block size.

也就是说，他们仍然声称CFB和OFB是安全的，但稍微不太安全，他们一开始就没有真正的优势。CFB与CBC有相同的弱点，最重要的是不能防止重放攻击。OFB与CTR具有相同的弱点，但完全不能并行。所以CFB就像没有填充的CBC，但更不安全，OFB就像CTR，但没有速度优势和更宽的攻击面。

There is only one special case where you may want to use OFB and that's if you need to decrypt data in realtime (e.g. a stream of incoming data) on hardware that is actually too weak for doing so, yet you will know the decryption key way ahead of time. As in that case, you can pre-calculate all the XOR blocks in advance and store them somewhere and when the real data arrives, the entire decryption is just XOR'ing the incoming data with the stored XOR blocks and that requires very little computational power. That's the one thing you can do with OFB that you cannot do with any other chaining.

有关性能分析，请参阅本文。 有关详细的评估(包括安全性)，请参阅本文。

ECB should not be used if encrypting more than one block of data with the same key. CBC, OFB and CFB are similar, however OFB/CFB is better because you only need encryption and not decryption, which can save code space. CTR is used if you want good parallelization (ie. speed), instead of CBC/OFB/CFB. XTS mode is the most common if you are encoding a random accessible data (like a hard disk or RAM). OCB is by far the best mode, as it allows encryption and authentication in a single pass. However there are patents on it in USA.

你真正需要知道的唯一一件事是，除非你只加密1个区块，否则不要使用ECB。如果要加密随机访问的数据而不是流，则应该使用XTS。

每次加密时都应该使用唯一的IV，而且它们应该是随机的。如果你不能保证它们是随机的，使用OCB，因为它只需要一次，而不是静脉注射，两者有明显的区别。如果人们可以猜出下一个nonce，则nonce不会降低安全性，IV会导致这个问题。

Generally the sole existence of a chaining mode already reduces the theoretically security as chaining widens the attack surface and also make certain kind of attacks more feasible. On the other hand, without chaining, you can at most encrypt 16 bytes (128 bits) securely, as that's the block size of AES (also of AES-192 and AES-256) and if your input data exceeds that block size, what else would you do than using chaining? Just encrypting the data block by block? That would be ECB and ECB has the worst security to begin with. Anything is more secure than ECB.

Most security analyses recommend that you always use either CBC or CTR, unless you can name any reason why you cannot use one of these two modes. And out of these two modes, they recommend CBC if security is your main concern and CTR if speed is your main concern. That's because CTR is slightly less secure than CBC because it has a higher likeliness of IV (initialization vector) collision, since the presence of the CTR counter reduces the IV value space, and attackers can change some ciphertext bits to damage exactly the same bits in plaintext (which can be an issue if the attacker knows exact bit positions in the data). On the other hand, CTR can be fully parallelized (encryption and decryption) and requires no data padding to a multiple of the block size.

也就是说，他们仍然声称CFB和OFB是安全的，但稍微不太安全，他们一开始就没有真正的优势。CFB与CBC有相同的弱点，最重要的是不能防止重放攻击。OFB与CTR具有相同的弱点，但完全不能并行。所以CFB就像没有填充的CBC，但更不安全，OFB就像CTR，但没有速度优势和更宽的攻击面。

There is only one special case where you may want to use OFB and that's if you need to decrypt data in realtime (e.g. a stream of incoming data) on hardware that is actually too weak for doing so, yet you will know the decryption key way ahead of time. As in that case, you can pre-calculate all the XOR blocks in advance and store them somewhere and when the real data arrives, the entire decryption is just XOR'ing the incoming data with the stored XOR blocks and that requires very little computational power. That's the one thing you can do with OFB that you cannot do with any other chaining.

有关性能分析，请参阅本文。 有关详细的评估(包括安全性)，请参阅本文。

你可能想要根据广泛可用的来选择。我也有同样的问题，以下是我有限研究的结果。

硬件的限制

STM32L (low energy ARM cores) from ST Micro support ECB, CBC,CTR GCM
CC2541 (Bluetooth Low Energy) from TI supports ECB, CBC, CFB, OFB, CTR, and CBC-MAC

开源限制

Original rijndael-api source  - ECB, CBC, CFB1
OpenSSL - command line CBC, CFB, CFB1, CFB8, ECB, OFB
OpenSSL - C/C++ API    CBC, CFB, CFB1, CFB8, ECB, OFB and CTR
EFAES lib [1] - ECB, CBC, PCBC, OFB, CFB, CRT ([sic] CTR mispelled)  
OpenAES [2] - ECB, CBC 

[1] http://www.codeproject.com/Articles/57478/A-Fast-and-Easy-to-Use-AES-Library

[2] https://openaes.googlecode.com/files/OpenAES-0.8.0.zip

你有没有开始阅读维基百科上关于分组密码操作模式的信息?然后按照维基百科上的参考链接到NIST:分组密码操作模式的建议。

在CBC操作模式中存在新的定时漏洞。

https://learn.microsoft.com/en-us/dotnet/standard/security/vulnerabilities-cbc-mode