One-time key encryption of communication


Kontekst uses a form of one-time key encryption for communication between users, agents and Apps. A new encryption key is used for each message and once the message has been received the key is destroyed. If someone were to monitor or intercept messages sent and received they would have to gain access to the key in almost real-time to be able to decrypt the message. Even if they gained access to one key, it would only unlock a single message.

There are two variations on the one-time key encryption concept. (Authentication, that is, assuring the identities of A and B, is left out.)

Agent A wants to send a message to agent B (push)

  1. Agent A sends a request for a one-time key to agent B.
  2. Agent B generates a one-time key consisting of a private key, a public key and a GUID. Then sends the public key and GUID to agent A and stores the private key and GUID.
  3. Agent A encrypts the message using the public key and sends it to agent B along with the GUID.
  4. Agent B receives and decrypts the message with the private key belonging to the GUID.
  5. Agent B destroys the private key.

Agent A requests information from agent B (pull)

  1. Agent A generates a one-time key consisting of a private key, a public key and a GUID. Then sends a request for information to agent B, including the public key and GUID.
  2. Agent B encrypts the reply message using the public key and sends it to agent A along with the GUID.
  3. Agent A receives and decrypts the message with the private key belonging to the GUID.
  4. Agent A destroys the private key.

In both cases the private key that can decrypt a message never leaves the receiver and only exists for the duration of the message exchange. A time-to-live value can be set on a key to further reduce the risk of interception. In practice, gaining access to the private key would mean having access to the device the agent runs on, which would most likely mean being able to read the decrypted messages directly.
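The push and pull exchanges above, together with the time-to-live from this paragraph, as an added Go example; this is not Kontekst's own code. The post names no algorithm, so the example assumes RSA-OAEP from the Go standard library (which caps a message at 190 bytes with a 2048-bit key; a real system would seal a symmetric key this way and encrypt the message body with it) and assumes the GUID is 16 random bytes in hex. Both flows are the same exchange seen from the other side, so one `Exchange` function covers them, with the agent that generates the key passed as the receiver.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// KeyOffer is what the key-generating agent sends its peer: the public half and the GUID.
type KeyOffer struct {
	GUID   string
	Public *rsa.PublicKey
}

// Envelope is the ciphertext plus the GUID naming the key that can open it.
type Envelope struct {
	GUID       string
	Ciphertext []byte
}

// Agent keeps the private keys it generated, indexed by GUID, each with a time-to-live.
type Agent struct {
	ttl  time.Duration
	mu   sync.Mutex
	keys map[string]pendingKey
}
type pendingKey struct{ priv *rsa.PrivateKey; expires time.Time }

func NewAgent(ttl time.Duration) *Agent {
	return &Agent{ttl: ttl, keys: make(map[string]pendingKey)}
}

// GenerateOneTimeKey (push step 2 / pull step 1): the private key and GUID stay here,
// the public key and GUID go to the peer.
func (a *Agent) GenerateOneTimeKey() (KeyOffer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return KeyOffer{}, err
	}
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return KeyOffer{}, err
	}
	guid := hex.EncodeToString(b) // 128 random bits; the GUID format is assumed, not Kontekst's
	a.mu.Lock()
	a.keys[guid] = pendingKey{priv: priv, expires: time.Now().Add(a.ttl)}
	a.mu.Unlock()
	return KeyOffer{GUID: guid, Public: &priv.PublicKey}, nil
}

// Encrypt (push step 3 / pull step 2): the sender seals the message to the offered public
// key (RSA-OAEP, assumed here) and labels it with the GUID.
func Encrypt(offer KeyOffer, msg []byte) (Envelope, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, offer.Public, msg, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{GUID: offer.GUID, Ciphertext: ct}, nil
}

// Decrypt (push steps 4-5 / pull steps 3-4): use the private key named by the GUID once, then
// destroy it. The key is deleted even if decryption fails; a key past its TTL is refused.
func (a *Agent) Decrypt(env Envelope) ([]byte, error) {
	a.mu.Lock()
	pk, ok := a.keys[env.GUID]
	delete(a.keys, env.GUID)
	a.mu.Unlock()
	if !ok {
		return nil, errors.New("unknown or already-used one-time key")
	}
	if time.Now().After(pk.expires) {
		return nil, errors.New("one-time key expired")
	}
	return rsa.DecryptOAEP(sha256.New(), nil, pk.priv, env.Ciphertext, nil)
}

// Exchange runs one round: push (A to B) is Exchange(b, msg); pull is Exchange(a, reply).
func Exchange(receiver *Agent, msg []byte) ([]byte, error) {
	offer, err := receiver.GenerateOneTimeKey()
	if err != nil {
		return nil, err
	}
	env, err := Encrypt(offer, msg)
	if err != nil {
		return nil, err
	}
	return receiver.Decrypt(env)
}

func main() {
	pt, err := Exchange(NewAgent(time.Minute), []byte("hello from A"))
	fmt.Printf("%q %v\n", pt, err)
}
```

The point worth noticing is in `Decrypt`: the private key is removed from the map before the result of decryption is known, so a replayed envelope, a tampered ciphertext or a stale GUID all fail and none of them keeps a key alive, and the TTL check turns a late delivery into a refusal rather than a decryption. Each private key therefore exists only between `GenerateOneTimeKey` and the first `Decrypt` that names it, which is the property the post describes.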
