I am building a system comprising 3 parts: system A, system B, system C.
System A cannot directly talk to system C and needs to go through system B. System B may contain many System Cs. One more concern here is that it's possible for system B to create a copy/clone of itself and have it be included under itself (as a system C).
I would like to broadcast messages to all system Cs from system A. System B contains a list of all system Cs that it encapsulates. I would like to add logic in System C wherein only messages originating from system A are considered as valid (and hence marked as safe for further processing).
As a first cut I was thinking of having a private key negotiated via the Diffie-Hellman algorithm, but realized that system B can create a copy of itself, have it be included as an instance of system C and obtain the private key. Is there a better/standard way to do this such that the veracity of the source can be verified on system C's side?
Sounds to me like a simple private/public key for every system A is all you need.
DH is not involved in this at all.
System A creates the keypair. System A uses its secret key to sign the hash of the message and sends it out through as many system Bs as needed. System B cannot change the message nor derive the private key, so all they could do is not pass on the message or replay it (you'll need precautions for those if that's a problem). System C needs to verify the signature of A on the message: it knows the public key of system A somehow, and verifies the signature.
To have more than one system A, it quickly becomes impractical to have (all) system Cs know all system A public keys. To solve that, you create trust in a certificate authority (CA) that signs certificates for system As, and system C then trusts certificates signed by that CA. (It doesn't need to be online, nor does it need to be able to talk to the CA to do that; the trust can easily be offline.)
If you do go for an offline thing, take care that the keys (and/or certificates) might need to get updated, so foresee a mechanism for that.
As you see, B is merely a transport in it all.
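
The sign-and-verify flow from the answer above, together with one possible replay precaution, as an added example that is not part of the original question or answer. It assumes Ed25519 (which hashes the message internally instead of signing a separate hash), a signed sequence number as the replay guard starting at 1, and that A's public key reaches each system C out of band; `NewKeyPair`, `Sign`, `Receiver` and `Accept` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// NewKeyPair runs once on system A; only the public key is handed to system Cs.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand.Reader
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign (system A) returns signature || seq || payload; the signature covers seq.
func Sign(priv ed25519.PrivateKey, seq uint64, payload []byte) []byte {
	body := append(binary.BigEndian.AppendUint64(nil, seq), payload...)
	return append(ed25519.Sign(priv, body), body...)
}

// Receiver is system C's state: A's public key and the last sequence number accepted.
type Receiver struct {
	PubA    ed25519.PublicKey
	LastSeq uint64
}

// Accept returns the payload only if A signed it and its sequence number is new.
func (r *Receiver) Accept(wire []byte) ([]byte, error) {
	const n = ed25519.SignatureSize
	if len(wire) < n+8 || !ed25519.Verify(r.PubA, wire[n:], wire[:n]) {
		return nil, fmt.Errorf("truncated message or bad signature")
	}
	seq := binary.BigEndian.Uint64(wire[n:])
	if seq <= r.LastSeq {
		return nil, fmt.Errorf("replayed or stale message")
	}
	r.LastSeq = seq
	return wire[n+8:], nil
}

func main() {
	pub, priv := NewKeyPair()
	c, wire := &Receiver{PubA: pub}, Sign(priv, 1, []byte("constructed sample broadcast"))
	_, first := c.Accept(wire)
	_, replay := c.Accept(wire) // system B forwards the same bytes again
	fmt.Println(first, replay)
}
```

A clone of system B sitting in a system C slot sees only the public key and signed messages, so it can verify broadcasts but cannot produce one that other system Cs accept.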