telehash / telehash.github.io

Contents of the site
http://telehash.org/

CS1b AES-128-CBC padding? #109

Closed fd closed 9 years ago

fd commented 9 years ago

AES-128-CBC uses padding to fit the last partial block in. How should this be detected when decrypting messages?

See: https://github.com/telehash/telehash.org/blob/master/v3/e3x/cs/1b.md

quartzjer commented 9 years ago

I created 1b based on a quick survey of what hardware-accelerated options are available and haven't had a chance to do more research there yet, see issue #42 for more background.

In retrospect, I'm not sure why I put CBC on the list since it is not useful for a lossy message stream, and all the hardware AES engines support ECB which can be used to do CTR in software efficiently if required. So, any concerns with just making 1b use the same AES-128-CTR as 1a, but with P256 and HMAC-SHA256?

fd commented 9 years ago

I've done some quick reading on CBC vs CTR (this answer is particularly helpful). CTR seems to be the safer choice as long as an HMAC is added. As HMAC-256 is used on the ciphertext, CTR should be good.

I'm not a cryptographer so don't take my word on this ;)