The chart below shows an authentication protocol, followed by data exchange, followed by disconnection. Only an initial part of the authentication protocol is shown; here, pw is A$?$s password, J is a key derived from pw$,$ ?and L is a high$-$quality key. Assume an attacker that can $(1)$ ?eavesdrop messages and $(2)$ ?intercept and spoof messages sent by A $($but not those sent by B$).$ ?Complete the authentication protocol $($i$.$e$.,$ ?Supply the part indicated by the $?**....**?)$ ?so that in spite of this attacker

$?$ ?B authenticates A$,$

$?$ ?this authentication is not vulnerable to off$-$line password guessing, and

$?$ ?A and B establish a session key S $($for encrypting data$)$ ?such that after A and B disconnect and forget S$,$ ?even if the attacker learns pw$,$ ?the attacker cannot decrypt the data exchanged.$\backslash$table$[[,$A $($has pw$),$B $($has J$,$ ?L$)],[,$send $[$ ?conn $]$ ?to B$,\backslash$table$[[$X encrypt$($L$)$ ?with$],[$key J$],[$send $[$ ?X $]]]],[,\backslash$table$[[$compute J from pw$],[$J$\text{'}$ ?larr decrypt$($X$)$ ?with key$]],],[**,,],[**,,],[**,,],[**,,],[**,,],[**,,],[**,,],[**,\backslash$table$[[$A and B exchange$],[$data $?$

******* * A (has pw) send [ conn] to B compute J from pw L' decrypt(X) with key J -A and B exchange data A and B disconnect B (has J, L) X encrypt(L) with key J send [X]