How to using AES-ECB on Cloudflare Workers

Dear all,

I saw that Cloudflare’s Web Crypto does not support AES-ECB [1]. However, this algorithm is already implemented on our system (We have greater than 260TB data file implemented on AES-ECB).

We using AES-ECB to decrypt file. And we are needing this algorithm to create a workers. Does Cloudflare intend to have AES-ECB implemented? Or someone can suggest for me about solution to implement AES-ECB algorithm on Cloudflare Workers?

Thank you in advance.

Regards,

Hai

[1] https://developers.cloudflare.com/workers/runtime-apis/web-crypto#supported-algorithms

Thanks for the feedback.
I’m tagging @KentonVarda here for visibility.

2 Likes

Thanks for the suggestion! I’m on the Workers team and will pass this to the right people. Would love if you could share more how you’d like to use Workers with this crypto algo? Would it be using Workers to decrypt a file? Also could you explain more on needing it to “create a workers”?

1 Like

Dear @azhao. I’m using Workers to fetch encrypt the file from the Storage server (same as S3, Backblaze) and respond to the Client. And I want to decrypt file responses for the Client during Cloudflare Workers processing.

I have considered using Cloudflare Workers this solution many times and it’s fit in this case.

Thank you for your help.

Hi, I’m also from the Workers team & wanted to get a better understanding of the request.

Is my understanding correct that you have a single 260TB AES-ECB encrypted file that you want to decrypt via a Worker or do you have 260TB of data total split up across smaller files & a much smaller subset of this is returned for each individual request?

I’m also curious if you’ve seen/tried out pure JavaScript implementation of AES-ECB? For example, aes-ecb - npm but there are many others.

Finally, you may already be aware, as a best-practices note, cryptographers will generally recommend against AES-ECB because it’s largely considered insecure (that’s why it’s omitted from WebCrypto). Is it at all possible to migrate your source data to a more secure cipher (e.g. AES-CTR is probably better for your use-cases & is well-supported in the WebCrypto standard)?

3 Likes

To add to what @vlovich said, AES-ECB is not part of the WebCrypto standard. This makes it much harder for us to implement as there is no spec to follow and no test vectors to verify we got it right. As such we probably will not be able to implement this, sorry.

I would strongly recommend switching to AES-CTR or AES-GCM instead, as they are supported and much more secure.

1 Like

There’s no denying that AES is not secure. After considering the suggestions of @vlovich and @KentonVarda. I will workaround to implement AES-ECB on my worker. But, it’s is not easy to manually develop. I will try to do this.

I do not permission to switching algorithms and that’s why I try to implement it.

Regards

Another request :)) @KentonVarda. Can you help me to change the username to Hai Le Phu :slight_smile:

This feature not available on Cloudflare for end-user.

Thank you so much.