A final agent of the message provides a first encryption key to a first agent, interposed between a message sender and the final agent. The first agent but not the final agent knows an identity of the sender. The final agent provides a second encryption key to a second agent, interposed between the sender and the final agent. The second agent knows an identity of the sender. The first agent generates a third encryption key and provides the first encryption key and the third encryption key to the sender. The second agent generates a fourth encryption key and provides the second encryption key and the fourth encryption key to the sender. The first agent receives from the sender a message encrypted with the first, second, third and fourth keys, and in response, decrypts the message based on the third key. Afterwards, the first agent provides the message decrypted based on the third key to the second agent. In response, the second agent decrypts, based on the fourth key, the message provided by the first agent. The message decrypted based on the third and fourth keys is provided to the final agent. In response, the final agent decrypts, based on the first and second keys, the message decrypted based on the third and fourth keys.