The chart below shows an authentication protocol, followed by data exchange, followedby disconnection. Only an initial part of the authentication protocol is shown; here,

pw is A$\text{'}$s password, J is a key derived from pw$,$ and L is a high$-$quality key. Assume

an attacker that can $(1)$ eavesdrop messages and $(2)$ intercept and spoof messages sent

by A $($but not those sent by B$).$ Complete the authentication protocol $($i$.$e$.,$ Supply

the part indicated by the $"**....**")$ so that in spite of this attacker

B authenticates A$,$

this authentication is not vulnerable to off$-$line password guessing, and

A and B establish a session key S $($for encrypting data$)$ such that after A and

B disconnect and forget $S,$ even if the attacker learns pw$,$ the attacker cannot

decrypt the data exchanged.