views:

21

answers:

1

I hope this is clear enough:

I have an Authentication service which queries my aspnet role provider database. Authentication service passes the role details back to the client inside the User object. Using the role, I query my web.config to determine values that a user can see.

Security team has done a review, and they can see the Roles property of the User object. They intercept this response, spoof it with "administrator" role, and query my web config with this.

I am looking at AES to encrypt at service, decrypt back at client, but I'm running into read-only problems decrypting role within the User object.

Does anyone have any better ideas, suggestions?

Thanks, Mike

A: 

If you want to avoid spoofing, you could sign the response you send and have what receives the message with the role verify the signature. This would typically be done using public key cryptography (often with X.509 certificates).

On a more general note, have you considered using an existing infrastructure for this, such as Kerberos/ActiveDirectory?

Bruno
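An added example of the sign-then-verify approach Bruno describes, written here in C# for the ASP.NET setting of the question; it is not code from either post. The in-memory RSA pair and the client importing only the public half stand in for X.509 certificate distribution, and UserInfo/SignedUser are assumed shapes, not Mike's actual User object.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// Added illustration, not code from the question or answer; assumes .NET 5 or later.
public sealed record UserInfo(string Name, string[] Roles);

// What goes over the wire: the JSON exactly as signed, plus the Base64 RSA-SHA256 signature.
public sealed record SignedUser(string Payload, string Signature);

public static class RoleSigning
{
    // Service side: serialize once and sign the exact bytes that are sent.
    public static SignedUser Sign(UserInfo user, RSA servicePrivateKey)
    {
        string payload = JsonSerializer.Serialize(user);
        byte[] sig = servicePrivateKey.SignData(Encoding.UTF8.GetBytes(payload),
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return new SignedUser(payload, Convert.ToBase64String(sig));
    }

    // Receiving side: verify first; only a payload whose signature checks out is read.
    public static UserInfo? VerifyAndRead(SignedUser msg, RSA servicePublicKey)
    {
        bool valid = servicePublicKey.VerifyData(Encoding.UTF8.GetBytes(msg.Payload),
            Convert.FromBase64String(msg.Signature), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return valid ? JsonSerializer.Deserialize<UserInfo>(msg.Payload) : null;
    }
}

public static class Demo
{
    public static void Main()
    {
        using RSA serviceKey = RSA.Create(2048);    // in production: the key behind the service's X.509 cert
        using RSA clientKey = RSA.Create();
        clientKey.ImportParameters(serviceKey.ExportParameters(false));  // client holds only the public part

        SignedUser signed = RoleSigning.Sign(new UserInfo("mike", new[] { "reader" }), serviceKey);
        Console.WriteLine(RoleSigning.VerifyAndRead(signed, clientKey)?.Roles[0]);   // reader

        // The intercept-and-edit case from the question: role swapped, signature left untouched.
        SignedUser tampered = signed with { Payload = signed.Payload.Replace("\"reader\"", "\"administrator\"") };
        Console.WriteLine(RoleSigning.VerifyAndRead(tampered, clientKey) is null);   // True
    }
}
```

Verification only helps where it runs on something the attacker does not control: if the client application itself is in the user's hands it can be patched to skip the check, so the role-to-value mapping from web.config is safest enforced on the service side as well.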