There were a bunch of ways you could approach the crypto portion of this project. I went with CMAC for authentication and AES OFB mode for encryption.

The big knock against OFB (so far as my research has led me to believe) is that it's possible to wind up with cycles, or weaknesses if you pick crappy IVs, but our CMAC PRNG ought to be good enough, and the messages we're using are going to be far too short for any risk of cycles. The upside is that I had a CMAC implementation already and OFB is both easy to implement, requires only ECB encryption mode, and is the same for both encryption and decryption.

Counter mode is a decent alternative to OFB, but it requires an extra encryption operation (to turn the IV into the base counter value), and - again - we're really splitting hairs considering the impracticality of the theoretical attacks on these relatively short messages.

GCM or CCM were also options to combine the authentication and encryption into one step, but in fact, the actual number of ECB operations required (which is the slow part) is comparable.

Keep in mind that none of this is the most viable attack on DRM-114. More applicable would be to attack the key protection mechanism. But, of course, that's illegal. So there.