Using the Diffie-Hellman key agreement protocol
In this case, Alice and Bob want to agree on a shared secret key using the Diffie-Hellman key agreement protocol.

1. Alice generates a random private value a and Bob generates a random private value b. Both a and b are drawn from the set of integers {1, ¼, p-2}.
2. They derive their public values using parameters p and g and their private values. Alice's public value is g^a mod p and Bob's public value is g^b mod p.
3. They exchange their public values.
4. Alice computes g^ab = (g^b)^a mod p, and Bob computes g^ba = (g^a)^b mod p.
5. Since g^ab = g^ba = k, Alice and Bob now have a shared secret key k.

The protocol depends on the discrete logarithm problem for its security. It assumes that it is computationally infeasible to calculate the shared secret key k = g^ab mod p given the two public values g^a mod p and g^b mod p when the prime p is sufficiently large. Maurer has shown that breaking the Diffie-Hellman protocol is equivalent to computing discrete logarithms under certain assumptions.

The Diffie-Hellman key exchange is vulnerable to a man-in-the-middle attack.

1. In this attack, an opponent Carol intercepts Alice's public value and sends her own public value to Bob.
2. When Bob transmits his public value, Carol substitutes it with her own and sends it to Alice.
3. Carol and Alice thus agree on one shared key and Carol and Bob agree on another shared key.
4. After this exchange, Carol simply decrypts any messages sent out by Alice or Bob, and then reads and possibly modifies them before re-encrypting with the appropriate key and transmitting them to the other party.

This vulnerability is present because Diffie-Hellman key exchange does not authenticate the participants. Possible solutions include the use of digital signatures and other protocol variants.

The authenticated Diffie-Hellman key agreement protocol, or Station-to-Station (STS) protocol, was developed by Diffie, van Oorschot, and Wiener in 1992 to defeat the man-in-the-middle attack on the Diffie-Hellman key agreement protocol. The immunity is achieved by allowing the two parties to authenticate themselves to each other by the use of digital signatures and public-key certificates which are digital documents attesting to the binding of a public key to an individual or other entity.

Prior to execution of the protocol, the two parties Alice and Bob each obtain a public/private key pair and a certificate for the public key. During the protocol, Alice computes a signature on certain messages, covering the public value g^a mod p. Bob proceeds in a similar way. Even though Carol is still able to intercept messages between Alice and Bob, she cannot forge signatures without Alice's private key and Bob's private key. Hence, the enhanced protocol defeats the man-in-the-middle attack.