Add publickey/privatekey auth mechanism instead of using static Pre-SharedKey

Server-owner:
Create Private key (sPRIV-server)
Create Public key from Private (sPUB-server)

User:
Create Private key (pPRIV-user)
Create Public key from Private (pPUB-user)

The User gives {pPUB-user} to the Server-owner,
the Server-owner gives {sPUB-server} to the User.

Then, the User encrypts the payload with {sPUB-server}
The Server decrypts the payload with {sPRIV-server}
The Server encrypts the response with {pPUB-user}
The User decrypts the response with {pPRIV-user}
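The four steps above as an added, runnable example (not code from this issue or from the project), built on Go's standard-library RSA-OAEP; it also signs each ciphertext with the sender's private key, since encrypting to the server's public key by itself does not tell the server who sent the payload, which is what "auth" needs. The key names follow the issue; `Seal`, `Open` and `Exchange` are names chosen here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Seal encrypts msg to the receiver's public key (RSA-OAEP) and signs the ciphertext
// with the sender's private key: encrypting to a public key alone never proves who sent it.
func Seal(sender *rsa.PrivateKey, to *rsa.PublicKey, msg []byte) (ct, sig []byte, err error) {
	if ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, to, msg, nil); err != nil {
		return nil, nil, err
	}
	h := sha256.Sum256(ct)
	sig, err = rsa.SignPSS(rand.Reader, sender, crypto.SHA256, h[:], nil)
	return ct, sig, err
}
// Open verifies the signature against the expected sender's public key and only
// then decrypts with the receiver's own private key (never its public key).
func Open(receiver *rsa.PrivateKey, from *rsa.PublicKey, ct, sig []byte) ([]byte, error) {
	h := sha256.Sum256(ct)
	if err := rsa.VerifyPSS(from, crypto.SHA256, h[:], sig, nil); err != nil {
		return nil, fmt.Errorf("sender not authenticated: %w", err)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, receiver, ct, nil)
}
// Exchange runs the issue's flow with the server key pair (sPRIV/sPUB) and the user key pair (pPRIV/pPUB).
func Exchange(sPriv, pPriv *rsa.PrivateKey, req, resp []byte) (gotReq, gotResp []byte, err error) {
	ct, sig, err := Seal(pPriv, &sPriv.PublicKey, req) // user: encrypt with sPUB, sign with pPRIV
	if err == nil {
		gotReq, err = Open(sPriv, &pPriv.PublicKey, ct, sig) // server: verify pPUB, decrypt with sPRIV
	}
	if err == nil {
		ct, sig, err = Seal(sPriv, &pPriv.PublicKey, resp) // server: encrypt with pPUB, sign with sPRIV
	}
	if err == nil {
		gotResp, err = Open(pPriv, &sPriv.PublicKey, ct, sig) // user: verify sPUB, decrypt with pPRIV
	}
	return gotReq, gotResp, err
}
func main() {
	sPriv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed keys for the demo
	pPriv, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, resp, err := Exchange(sPriv, pPriv, []byte("ping"), []byte("pong"))
	fmt.Println(string(resp), err)
}
```

A payload sealed by a third key pair whose public key was never exchanged fails `Open` at the signature check, so the server rejects it before ever decrypting; that is the property the shared password cannot give.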

The point is that the current password mechanism is weak. Both sides share an identical value, so
if one side leaks the key, the other side is f*cked.

Please consider adding proper public/private key authentication.