Password Authenticated Key Exchange Protocol

This problem appeared in a past exam paper.

In PAKE (password authenticated key exchange) protocols, $A$ and $B$ authenticate each other by knowledge of a shared password that is too weak to allow an attacker to try out repeated guesses to try to find it by knowing how a single message of the protocol was constructed. There is no cryptographic signature or alternative shared secret or trusted third party they can use. Such a protocol typically works as follows:

• Phase 1: $A$ and $B$ exchange data that they have created for this session and values they have computed from this and their own assumed value for the password $p_{AB}$. Note that if they are A and B, they will both know the same $p_{AB}$ but if one or both of them are spoofing the values they assume will probably be different. From these computations they both obtain a key $k_A$ or $k_B$, which will be the same if their password values were the same.

• Phase 2: They compare $k_A$ and $k_B$ by an exchange of messages which allow them to see if they agree, but do not reveal $k_A$ or $k_B$ to the world, and do not allow either party to think they agree when they do not.

Why should $A$ not send, as part of this protocol, $hash(p_{AB}, N)$, where $N$ is a nonce known to $B$ until she is sure that $B$ is not an impostor and actually knows $p_{AB}$? Extend this to general guidance about what messages of the form hash($X$) should not be sent from $A$ to $B$ where $X$ involves $p_{AB}$ in its construction.

Now think about implementing Phase 2 only. How could you use hashing to achieve the objective of Phase 2, in such a way that if $A$ or $B$ has actually been talking to an impostor with a different password in Phase 1, the impostor cannot manipulate the messages to make her or him think the protocol has completed successfully.

My attempt:

a) $A$ should not send, $hash(p_{AB}, N)$ as an Impostor $I_B$ can reuse the same nonce and send the $hash(p_{AB}, N)$ back to A, pretending to know the password $p_{AB}$

b) $X$ should not be $p_{AB}$ (on it's own). It should also contains some sort of identification for each user, unique to what the other user sends ie. if Alice sends $hash(X_1)$ and Bob sends $hash(X_2)$, $X_1 \neq X_2$. Is this enough? I can't think of anything else.

c) For implementing phase 2, make Alice send $hash(E_{k_A}(Alice|k_A))$ and Bob send $hash(E_{k_B}(Bob|k_B))$. Where $E_k$ is an encryption function, encrypted using key $k$. Is this correct?