diff --git a/markbase-core/src/ssh_server/kex_exchange.rs b/markbase-core/src/ssh_server/kex_exchange.rs
index 81d8131..725f871 100644
--- a/markbase-core/src/ssh_server/kex_exchange.rs
+++ b/markbase-core/src/ssh_server/kex_exchange.rs
@@ -15,6 +15,9 @@ pub struct KexExchangeHandler {
     kex_algorithm: String,
     server_kex: Option<Curve25519Kex>,
     host_key: Ed25519HostKey,
+    shared_secret: Option<Vec<u8>>,
+    client_public_key: Option<Vec<u8>>,
+    server_public_key: Option<Vec<u8>>,
 }
 
 impl KexExchangeHandler {
@@ -27,6 +30,9 @@ impl KexExchangeHandler {
             kex_algorithm: kex_result.kex_algorithm,
             server_kex: None,
             host_key,
+            shared_secret: None,
+            client_public_key: None,
+            server_public_key: None,
         })
     }
     
@@ -200,20 +206,26 @@ impl KexExchangeHandler {
     }
     
     /// 计算会话密钥（参考OpenSSH kex.c: derive_keys()）
-    pub fn compute_session_keys(&self, shared_secret: &[u8]) -> Result<SessionKeys> {
-        if self.server_kex.is_none() {
-            return Err(anyhow!("No KEX exchange performed"));
+    pub fn compute_session_keys(&self) -> Result<SessionKeys> {
+        if self.shared_secret.is_none() {
+            return Err(anyhow!("No shared secret available"));
         }
         
-        // 参考OpenSSH kex.c: kex_derive_keys()
-        // 简化实现：实际需要更多参数
+        if self.server_public_key.is_none() || self.client_public_key.is_none() {
+            return Err(anyhow!("Missing public keys"));
+        }
+        
+        let shared_secret = self.shared_secret.as_ref().unwrap();
+        let server_public_key = self.server_public_key.as_ref().unwrap();
+        let client_public_key = self.client_public_key.as_ref().unwrap();
+        let host_key_blob = self.build_ssh_host_key()?;
         
         SessionKeys::derive(
             shared_secret,
-            "SHA256",  // curve25519-sha256
-            self.server_kex.as_ref().unwrap().public_key(),
-            &[],  // client public key（实际应传入）
-            &self.build_ssh_host_key()?,
+            "SHA256",
+            server_public_key,
+            client_public_key,
+            &host_key_blob,
         )
     }
 }
diff --git a/markbase-core/src/ssh_server/server.rs b/markbase-core/src/ssh_server/server.rs
index c96b1b5..bf54eeb 100644
--- a/markbase-core/src/ssh_server/server.rs
+++ b/markbase-core/src/ssh_server/server.rs
@@ -172,7 +172,10 @@ fn perform_complete_kex_exchange(
         return Err(anyhow::anyhow!("Encryption channel not ready"));
     }
     
-    Ok(EncryptionContext::default())
+    let session_keys = kex_state.exchange_handler.compute_session_keys()?;
+    let encryption_ctx = EncryptionContext::from_session_keys(&session_keys);
+    
+    Ok(encryption_ctx)
 }
 
 /// SSH认证流程（Phase 5）