diff --git a/Identity.cpp b/Identity.cpp
index eb107ca3..387eef50 100644
--- a/Identity.cpp
+++ b/Identity.cpp
@@ -53,6 +53,14 @@ namespace data
 		return keys;
 	}	
 
+	void CreateRandomDHKeysPair (DHKeysPair * keys)
+	{
+		if (!keys) return;
+		CryptoPP::AutoSeededRandomPool rnd;
+		CryptoPP::DH dh (i2p::crypto::elgp, i2p::crypto::elgg);
+		dh.GenerateKeyPair(rnd, keys->privateKey, keys->publicKey);
+	}
+
 	RoutingKey CreateRoutingKey (const IdentHash& ident)
 	{
 		uint8_t buf[41]; // ident + yyyymmdd
diff --git a/Identity.h b/Identity.h
index 2aca019b..1dafdef4 100644
--- a/Identity.h
+++ b/Identity.h
@@ -11,6 +11,12 @@ namespace data
 {
 #pragma pack(1)
 
+	struct DHKeysPair // transient keys for transport sessions
+	{
+		uint8_t publicKey[256];
+		uint8_t privateKey[256];
+	};	
+
 	struct Keys
 	{
 		uint8_t privateKey[256];
@@ -71,6 +77,7 @@ namespace data
 
 	IdentHash CalculateIdentHash (const Identity& identity);
 	Keys CreateRandomKeys ();
+	void CreateRandomDHKeysPair (DHKeysPair * keys); // for transport sessions
 
 	// kademlia
 	struct RoutingKey
diff --git a/NTCPSession.cpp b/NTCPSession.cpp
index 1a72fdbc..7eb1614a 100644
--- a/NTCPSession.cpp
+++ b/NTCPSession.cpp
@@ -24,13 +24,19 @@ namespace ntcp
 		m_Socket (service), m_TerminationTimer (service), m_IsEstablished (false), 
 		m_RemoteRouterInfo (in_RemoteRouterInfo), m_ReceiveBufferOffset (0), m_NextMessage (nullptr)
 	{		
+		m_DHKeysPair = i2p::transports.GetNextDHKeysPair ();
 	}
 	
+	NTCPSession::~NTCPSession ()
+	{
+		delete m_DHKeysPair;
+	}
+
 	void NTCPSession::CreateAESKey (uint8_t * pubKey, uint8_t * aesKey)
 	{
 		CryptoPP::DH dh (elgp, elgg);
 		CryptoPP::SecByteBlock secretKey(dh.AgreedValueLength());
-		if (!dh.Agree (secretKey, i2p::context.GetPrivateKey (), pubKey))
+		if (!dh.Agree (secretKey, m_DHKeysPair->privateKey, pubKey))
 		{    
 		    LogPrint ("Couldn't create shared key");
 			Terminate ();
@@ -78,7 +84,7 @@ namespace ntcp
 	void NTCPSession::ClientLogin ()
 	{
 		// send Phase1
-		const uint8_t * x = i2p::context.GetRouterIdentity ().publicKey;
+		const uint8_t * x = m_DHKeysPair->publicKey;
 		memcpy (m_Phase1.pubKey, x, 256);
 		CryptoPP::SHA256().CalculateDigest(m_Phase1.HXxorHI, x, 256);
 		const uint8_t * ident = m_RemoteRouterInfo.GetIdentHash ();
@@ -143,7 +149,7 @@ namespace ntcp
 
 	void NTCPSession::SendPhase2 ()
 	{
-		const uint8_t * y = i2p::context.GetRouterIdentity ().publicKey;
+		const uint8_t * y = m_DHKeysPair->publicKey;
 		memcpy (m_Phase2.pubKey, y, 256);
 		uint8_t xy[512];
 		memcpy (xy, m_Phase1.pubKey, 256);
@@ -200,7 +206,7 @@ namespace ntcp
 			m_Decryption.ProcessData((uint8_t *)&m_Phase2.encrypted, (uint8_t *)&m_Phase2.encrypted, sizeof(m_Phase2.encrypted));
 			// verify
 			uint8_t xy[512], hxy[32];
-			memcpy (xy, i2p::context.GetRouterIdentity ().publicKey, 256);
+			memcpy (xy, m_DHKeysPair->publicKey, 256);
 			memcpy (xy + 256, m_Phase2.pubKey, 256);
 			CryptoPP::SHA256().CalculateDigest(hxy, xy, 512); 
 			if (memcmp (hxy, m_Phase2.encrypted.hxy, 32))
diff --git a/NTCPSession.h b/NTCPSession.h
index eb31951d..4202c5c9 100644
--- a/NTCPSession.h
+++ b/NTCPSession.h
@@ -7,6 +7,7 @@
 #include <cryptopp/modes.h>
 #include <cryptopp/aes.h>
 #include <cryptopp/adler32.h>
+#include "Identity.h"
 #include "RouterInfo.h"
 #include "I2NPProtocol.h"
 
@@ -66,7 +67,7 @@ namespace ntcp
 		public:
 
 			NTCPSession (boost::asio::io_service& service, i2p::data::RouterInfo& in_RemoteRouterInfo);
-			virtual ~NTCPSession () {};
+			virtual ~NTCPSession ();
 
 			boost::asio::ip::tcp::socket& GetSocket () { return m_Socket; };
 			bool IsEstablished () const { return m_IsEstablished; };
@@ -120,6 +121,7 @@ namespace ntcp
 			boost::asio::ip::tcp::socket m_Socket;
 			boost::asio::deadline_timer m_TerminationTimer;
 			bool m_IsEstablished;
+			i2p::data::DHKeysPair * m_DHKeysPair; // X - for client and Y - for server
 			
 			CryptoPP::CBC_Mode<CryptoPP::AES>::Decryption m_Decryption;
 			CryptoPP::CBC_Mode<CryptoPP::AES>::Encryption m_Encryption;
diff --git a/Transports.cpp b/Transports.cpp
index 60de2710..48462ae3 100644
--- a/Transports.cpp
+++ b/Transports.cpp
@@ -221,4 +221,11 @@ namespace i2p
 		}	
 	}	
 		
+	i2p::data::DHKeysPair * Transports::GetNextDHKeysPair ()
+	{
+		// TODO: use supplier with separate thread
+		i2p::data::DHKeysPair * pair = new i2p::data::DHKeysPair ();
+		i2p::data::CreateRandomDHKeysPair (pair);
+		return pair;
+	}
 }
diff --git a/Transports.h b/Transports.h
index aedd51b2..ed75cd60 100644
--- a/Transports.h
+++ b/Transports.h
@@ -10,6 +10,7 @@
 #include "SSU.h"
 #include "RouterInfo.h"
 #include "I2NPProtocol.h"
+#include "Identity.h"
 
 namespace i2p
 {
@@ -24,6 +25,7 @@ namespace i2p
 			void Stop ();
 			
 			boost::asio::io_service& GetService () { return m_Service; };
+			i2p::data::DHKeysPair * GetNextDHKeysPair ();	
 
 			void AddNTCPSession (i2p::ntcp::NTCPSession * session);
 			void RemoveNTCPSession (i2p::ntcp::NTCPSession * session);