Newbie
Join Date: Jul 2005
Posts: 1
Rep Power: 0
MS CryptoAPI frustration - Cryptography
Hello. Here's a quick breakdown of my problem. Any help would be greatly appreciated.
I have an application written in MFC that communicates via HTTP with a server running PHP 5. No problems there. However, the communication needs to be encrypted for reasons that are unimportant.

On the server, a PHP script generates a unique identifier (using libmcrypt) that is used as a session key for the encryption / decryption. The session key is then encrypted using Triple DES, base64 encoded, the initialization vector attached to the front, then base64 encoded again. The client's username and password are used as the key to encrypt the session key. Great, so that all works.

On the client side is where the problem occurs. I am using Microsoft's CryptoAPI to do the decryption. After base64 decoding and parsing out the initialization vector and generating the decryption key, the decryption process fails. CryptoAPI's CryptDecrypt function shoots back NTE_BAD_DATA.

The CryptDecrypt function has a flag used in block encryption/decryption that says whether the plain text to decrypt is the final block or not. Being that I'm not using block encryption, I set that flag to TRUE. The documentation for NTE_BAD_DATA says that when that flag is TRUE, then the padding is wrong. So I set the flag to FALSE and it decrypts without fail. However, the result is not correct. What's going on? I'm not a crypto expert, so I'm hoping someone around here is.

Pseudo of what I'm doing to decrypt:

CryptAcquireContext(&hProv,...)
CryptCreateHash(&hHash,...)
CryptHashData("username+password")
CryptDeriveKey(hHash, &hKey)
CryptDecrypt(hKey, &decryptData)

So it's basically by the book. One thing to note is that the doc for CryptDecrypt says "Decrypts data previously encrypted with CryptEncrypt." That seems pretty weak to me if CryptDecrypt can ONLY decrypt data encrypted with CryptEncrypt. Shouldn't it be based on the algorithm, not the implementation? I would think so, but then I realize that it's Microsoft and I start to doubt that reasoning.

Any help would be greatly, greatly appreciated.
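Added example, not part of the original post and not CryptoAPI code: a stand-alone C sketch of the padding check that a final-block decrypt performs, which is the check the post reports failing when the Final flag is TRUE. It assumes the decrypting side expects PKCS#5 padding and the PHP side zero-filled the last 8-byte block (as PHP's mcrypt functions do); the function names and sample buffers are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define BLOCK 8 /* Triple DES block size in bytes */

/* Constructed samples: an 11-byte value padded to 16 bytes two different ways. */
const unsigned char ZERO_PADDED[16] =
    {'S','E','S','S','I','O','N','K','E','Y','1', 0, 0, 0, 0, 0};
const unsigned char PKCS5_PADDED[16] =
    {'S','E','S','S','I','O','N','K','E','Y','1', 5, 5, 5, 5, 5};

/* Length of the plaintext once PKCS#5 padding is removed, or -1 when the
 * padding is malformed (what a final-block decrypt reports as bad data). */
long pkcs5_unpad_len(const unsigned char *buf, size_t len)
{
    if (len == 0 || len % BLOCK != 0)
        return -1;
    unsigned char pad = buf[len - 1];      /* last byte states the pad length */
    if (pad < 1 || pad > BLOCK)
        return -1;
    for (size_t i = len - pad; i < len; i++)
        if (buf[i] != pad)                 /* every pad byte must equal it */
            return -1;
    return (long)(len - pad);
}

/* Length once trailing zero bytes are removed (zero-fill padding).
 * Ambiguous when the real plaintext itself ends in 0x00. */
long zero_unpad_len(const unsigned char *buf, size_t len)
{
    if (len % BLOCK != 0)
        return -1;
    while (len > 0 && buf[len - 1] == 0)
        len--;
    return (long)len;
}

int main(void)
{
    printf("zero-filled block, PKCS#5 check: %ld\n",
           pkcs5_unpad_len(ZERO_PADDED, sizeof ZERO_PADDED));
    printf("PKCS#5 block,      PKCS#5 check: %ld\n",
           pkcs5_unpad_len(PKCS5_PADDED, sizeof PKCS5_PADDED));
    printf("zero-filled block, zero strip:   %ld\n",
           zero_unpad_len(ZERO_PADDED, sizeof ZERO_PADDED));
    return 0;
}
```

A correctly decrypted but zero-filled block fails the PKCS#5 check just as a block decrypted with the wrong key or IV does, so a padding error by itself does not tell the two cases apart.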