Hi
It comes from the Diffie-Hellman exchange. DH allows two peers communicating over an insecure medium to generate a secret key that only they know.
However, DH is vulnerable to a man-in-the-middle attack; that's why either a pre-shared key or certificates are needed to make sure you connect to the right peer...
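
The point made in the reply above, as an added example that is not part of the original post: an unauthenticated DH exchange completes normally even when an intermediary substitutes its own public value, while a pre-shared key used to MAC the exchanged public values makes both peers reject it. The toy prime, the function names, and the HMAC-over-public-values construction are assumptions chosen for illustration, not any specific protocol's format.

```python
import hashlib
import hmac
import secrets

# Assumption: toy group for the demo. 2**127 - 1 is prime but far too small
# for real use; real deployments use large standardized groups.
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_key(priv, peer_pub):
    # Both honest sides derive the same value: G^(a*b) mod P
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def tag(psk, sender, init_pub, resp_pub):
    # PSK proof: MAC over both public values as this side saw them
    msg = sender + init_pub.to_bytes(16, "big") + resp_pub.to_bytes(16, "big")
    return hmac.new(psk, msg, hashlib.sha256).digest()

def exchange(psk=None, mitm=False):
    """Return (alice_key, bob_key, interceptor_keys, accepted)."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    seen_by_alice, seen_by_bob, m_keys = b_pub, a_pub, None
    if mitm:
        # Interceptor swaps in its own public value in both directions
        m_priv, m_pub = keypair()
        seen_by_alice = seen_by_bob = m_pub
        m_keys = (shared_key(m_priv, a_pub), shared_key(m_priv, b_pub))
    a_key = shared_key(a_priv, seen_by_alice)
    b_key = shared_key(b_priv, seen_by_bob)
    accepted = True
    if psk is not None:
        a_tag = tag(psk, b"A", a_pub, seen_by_alice)   # sent by Alice
        b_tag = tag(psk, b"B", seen_by_bob, b_pub)     # sent by Bob
        # Each side recomputes the peer's tag from its own view
        ok_bob = hmac.compare_digest(a_tag, tag(psk, b"A", seen_by_bob, b_pub))
        ok_alice = hmac.compare_digest(b_tag, tag(psk, b"B", a_pub, seen_by_alice))
        accepted = ok_alice and ok_bob
    return a_key, b_key, m_keys, accepted

if __name__ == "__main__":
    for psk in (None, b"constructed-demo-psk"):
        a, b, m, ok = exchange(psk=psk, mitm=True)
        print("psk" if psk else "no auth", "| intercepted:", m == (a, b), "| accepted:", ok)
```

Without the PSK, each peer ends up sharing a key with the intermediary rather than with each other and has no way to notice; with it, the mismatch between the public values each side saw breaks the MAC check.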