Abstract: A common vulnerability during a Diffie-Hellman key exchange is a man-in-the-middle attack, where Eve is able to pretend she is Bob to Alice and also pretend that she is Alice to Bob. In an embodiment, after a key exchange is completed, visual image authentication between Alice and Bob can notify Alice and Bob that Eve has launched a man-in-the-middle attack. When Alice's sequence of visual images derived from her shared secret do not match Bob's sequence of visual images, Alice and Bob know that their key exchange has been compromised by Eve. In this case, Alice and Bob should perform their key exchange again. Our invention provides a malware resistant alternative to not using a root certificate during a key exchange. It is well-known that a root certificate can be compromised by an dishonest or corrupt insider. Since the institution has access to the root certificate, there is no guarantee that a rogue network administrator will not use it to personally profit, or breach the security of the system.