diff --git a/router/java/src/net/i2p/router/tunnel/pool/BuildRequestor.java b/router/java/src/net/i2p/router/tunnel/pool/BuildRequestor.java
index 2ac64b92876602cb3b8ce2b52b020469bff3781d..bba144f18c95bc0c8e22d4e5dec5ab1f31b7aee4 100644
--- a/router/java/src/net/i2p/router/tunnel/pool/BuildRequestor.java
+++ b/router/java/src/net/i2p/router/tunnel/pool/BuildRequestor.java
@@ -110,9 +110,8 @@ abstract class BuildRequestor {
             
             if (i > 0)
                 cfg.getConfig(i-1).setSendTunnelId(hop.getReceiveTunnelId());
-            byte iv[] = new byte[TunnelCreatorConfig.REPLY_IV_LENGTH];
-            ctx.random().nextBytes(iv);
-            cfg.setAESReplyKeys(i, ctx.keyGenerator().generateSessionKey(), iv);
+            // AES reply keys now set in createTunnelBuildMessage(),
+            // as we don't need them for short TBM
         }
         // This is in BuildExecutor.buildTunnel() now
         // And it was overwritten by the one in createTunnelBuildMessage() anyway!
@@ -357,6 +356,20 @@ abstract class BuildRequestor {
             order = new ArrayList<Integer>(ORDER);
         }
 
+        if (!useShortTBM) {
+            int len = cfg.getLength();
+            for (int i = 0; i < len; i++) {
+                HopConfig hop = cfg.getConfig(i);
+                // set IV/Layer keys (formerly in TunnelPool.configureNewTunnel())
+                hop.setIVKey(ctx.keyGenerator().generateSessionKey());
+                hop.setLayerKey(ctx.keyGenerator().generateSessionKey());
+                // set the AES reply keys (formerly in prepare())
+                byte iv[] = new byte[TunnelCreatorConfig.REPLY_IV_LENGTH];
+                ctx.random().nextBytes(iv);
+                cfg.setAESReplyKeys(i, ctx.keyGenerator().generateSessionKey(), iv);
+            }
+        }  // else keys are derived
+
         // This is in BuildExecutor.buildTunnel() now
         //long replyMessageId = ctx.random().nextLong(I2NPMessage.MAX_ID_VALUE);
         //cfg.setReplyMessageId(replyMessageId);
diff --git a/router/java/src/net/i2p/router/tunnel/pool/TunnelPool.java b/router/java/src/net/i2p/router/tunnel/pool/TunnelPool.java
index d3edfe311cfd5eb40a081ca1219578b01b196f06..b8fbe2b0d3a4a222dabd118c739d4c1880309c2e 100644
--- a/router/java/src/net/i2p/router/tunnel/pool/TunnelPool.java
+++ b/router/java/src/net/i2p/router/tunnel/pool/TunnelPool.java
@@ -1110,6 +1110,9 @@ public class TunnelPool {
     }
     
     /**
+     *  This only sets the peers and creation/expiration times in the configuration.
+     *  For the crypto, see BuildRequestor and BuildMessageGenerator.
+     *
      *  @return null on failure
      */
     PooledTunnelCreatorConfig configureNewTunnel() { return configureNewTunnel(false); }
@@ -1178,8 +1181,7 @@ public class TunnelPool {
             HopConfig hop = cfg.getConfig(j);
             hop.setCreation(now);
             hop.setExpiration(expiration);
-            hop.setIVKey(_context.keyGenerator().generateSessionKey());
-            hop.setLayerKey(_context.keyGenerator().generateSessionKey());
+            // IV and Layer key now set in BuildRequestor.createTunnelBuildMessage()
             // tunnelIds will be updated during building, and as the creator, we
             // don't need to worry about prev/next hop
         }