VPN
sbh, 2015-04-22 08:22:47

What is L2TP IPSec PSK used for?

Theory question.
How is traffic encrypted in the tunnel?
As far as I understand, during the establishment of the tunnel, encryption is created by generating a random key.
Why then do you need a PSK key?

1 answer(s)
Andrew, 2015-04-22
@sbh

If the parties do not have common trusted information about each other, then any algorithm for setting up a session key, be it Diffie-Hellman or something more complex, is still vulnerable to a "man-in-the-middle" attack: an attacker presents himself to one subscriber as the second, and to the second as the first. In doing so, he creates two session keys: the first half of the traffic path is encrypted with the first key, then the traffic is decrypted at the attacker's point, possibly modified by him, and then encrypted for the second half of the path with the second session key. The subscribers cannot detect the fraud.
To protect against this, you need a "piece" of trusted information between subscribers:
- either PKI infrastructure
- or PSK (pre-shared key)
I.e., in fact the answer is: to authenticate the remote side.
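
The point of the answer above, as an added example that is not part of the original answer: a simplified model (not the actual IKE message format) in which each side sends an HMAC, keyed with the PSK, over the Diffie-Hellman public values it saw. The toy group and all function names are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

# Toy group, constructed for this demo; real IKE uses standardized MODP/ECP groups.
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    # The random per-session key the question refers to.
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def auth_tag(psk, role, own_pub, peer_pub):
    # MAC over both public values as this side saw them, keyed with the PSK.
    msg = role + own_pub.to_bytes(16, "big") + peer_pub.to_bytes(16, "big")
    return hmac.new(psk, msg, hashlib.sha256).digest()

def verify(psk, peer_role, own_pub, received_pub, tag):
    expected = auth_tag(psk, peer_role, received_pub, own_pub)
    return hmac.compare_digest(expected, tag)

def run_exchange(psk_a, psk_b, intercepted):
    """Return (session_keys_match, a_accepts_b, b_accepts_a)."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if intercepted:
        # A party in the middle substitutes its own public value both ways.
        _, m_pub = keypair()
        seen_by_a, seen_by_b = m_pub, m_pub
    else:
        seen_by_a, seen_by_b = b_pub, a_pub
    key_a = session_key(a_priv, seen_by_a)
    key_b = session_key(b_priv, seen_by_b)
    tag_a = auth_tag(psk_a, b"I", a_pub, seen_by_a)
    tag_b = auth_tag(psk_b, b"R", b_pub, seen_by_b)
    # Without the PSK the tags can only be relayed, not recomputed.
    a_ok = verify(psk_a, b"R", a_pub, seen_by_a, tag_b)
    b_ok = verify(psk_b, b"I", b_pub, seen_by_b, tag_a)
    return key_a == key_b, a_ok, b_ok

if __name__ == "__main__":
    psk = b"constructed-demo-psk"
    print("clean path:      ", run_exchange(psk, psk, False))
    print("substituted keys:", run_exchange(psk, psk, True))
    print("wrong PSK:       ", run_exchange(psk, b"other-psk", False))
```

In the substituted case both sides still derive a session key, but the keys differ and both PSK checks fail, so the tunnel is refused before any traffic is sent.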
