The AE modes --- CCM, EAX, and GCM being the most popular --- are your safest bet when picking a block cipher mode. But ask yourself: if you're being asked to think about what a block cipher mode is, are you working at the right level of abstraction? For instance: we've beat CCM constructions that couldn't properly generate a nonce at cold start (you combine a flaw like that with a crasher bug and you have a weaponizable attack), and we've seen CCM schemes whether the counter didn't have enough granularity and could be forced to wrap, which can make your scheme vulnerable to pencil-and-paper attacks.
Do you know what I'm talking about here? If not, that's kind of my point.
I really appreciate anybody who takes the time to point out that encryption is not the same as authentication, and that you have to do both to make a system secure. And I really appreciate anybody who evangelizes for a high-level interface, as opposed to one where you have to know that you're encrypting byte-by-byte (EAX) instead of block-by-block (CBC).
I still think the soundest advice you can get is, "rely on TLS if you're moving data, and rely on PGP/GPG if you're storing it; if you have a problem that doesn't fit these perfectly, refactor your problem".
Here's some sample code in python:
Back on the topic of this thread: Keyczar authenticates all symmetric ciphertexts by default. However, it HMACs the output, rather than using one of the authenticated cipher modes.
