| blob | 8d1d722222d984c1d54b8cffa11987289b6c4b18 |
7 Network Working Group N. Haller
8 Request for Comments: 2289 Bellcore
9 Obsoletes: 1938 C. Metz
10 Category: Standards Track Kaman Sciences Corporation
11 P. Nesser
12 Nesser & Nesser Consulting
13 M. Straw
14 Bellcore
15 February 1998
18 A One-Time Password System
20 Status of this Memo
22 This document specifies an Internet standards track protocol for the
23 Internet community, and requests discussion and suggestions for
24 improvements. Please refer to the current edition of the "Internet
25 Official Protocol Standards" (STD 1) for the standardization state
26 and status of this protocol. Distribution of this memo is unlimited.
28 Copyright Notice
30 Copyright (C) The Internet Society (1998). All Rights Reserved.
32 1.0 ABSTRACT
34 This document describes a one-time password authentication system
35 (OTP). The system provides authentication for system access (login)
36 and other applications requiring authentication that is secure
37 against passive attacks based on replaying captured reusable
38 passwords. OTP evolved from the S/KEY (S/KEY is a trademark of
39 Bellcore) One-Time Password System that was released by Bellcore and
40 is described in references [3] and [5].
42 2.0 OVERVIEW
44 One form of attack on networked computing systems is eavesdropping on
45 network connections to obtain authentication information such as the
46 login IDs and passwords of legitimate users. Once this information is
47 captured, it can be used at a later time to gain access to the
48 system. One-time password systems are designed to counter this type
49 of attack, called a "replay attack" [4].
51 The authentication system described in this document uses a secret
52 pass-phrase to generate a sequence of one-time (single use)
53 passwords. With this system, the user's secret pass-phrase never
54 needs to cross the network at any time such as during authentication
58 Haller Standards Track [Page 1]
59 \f
60 RFC 2289 A One-Time Password System February 1998
63 or during pass-phrase changes. Thus, it is not vulnerable to replay
64 attacks. Added security is provided by the property that no secret
65 information need be stored on any system, including the server being
66 protected.
68 The OTP system protects against external passive attacks against the
69 authentication subsystem. It does not prevent a network eavesdropper
70 from gaining access to private information and does not provide
71 protection against either "social engineering" or active attacks [9].
73 3.0 INTRODUCTION
75 There are two entities in the operation of the OTP one-time password
76 system. The generator must produce the appropriate one-time password
77 from the user's secret pass-phrase and from information provided in
78 the challenge from the server. The server must send a challenge that
79 includes the appropriate generation parameters to the generator, must
80 verify the one-time password received, must store the last valid
81 one-time password it received, and must store the corresponding one-
82 time password sequence number. The server must also facilitate the
83 changing of the user's secret pass-phrase in a secure manner.
85 The OTP system generator passes the user's secret pass-phrase, along
86 with a seed received from the server as part of the challenge,
87 through multiple iterations of a secure hash function to produce a
88 one-time password. After each successful authentication, the number
89 of secure hash function iterations is reduced by one. Thus, a unique
90 sequence of passwords is generated. The server verifies the one-time
91 password received from the generator by computing the secure hash
92 function once and comparing the result with the previously accepted
93 one-time password. This technique was first suggested by Leslie
94 Lamport [1].
96 4.0 REQUIREMENTS TERMINOLOGY
98 In this document, the words that are used to define the significance
99 of each particular requirement are usually capitalized. These words
100 are:
102 - MUST
104 This word or the adjective "REQUIRED" means that the item is an
105 absolute requirement of the specification.
114 Haller Standards Track [Page 2]
115 \f
116 RFC 2289 A One-Time Password System February 1998
119 - SHOULD
121 This word or the adjective "RECOMMENDED" means that there might
122 exist valid reasons in particular circumstances to ignore this
123 item, but the full implications should be understood and the case
124 carefully weighed before taking a different course.
126 - MAY
128 This word or the adjective "OPTIONAL" means that this item is
129 truly optional. One vendor might choose to include the item
130 because a particular marketplace requires it or because it
131 enhances the product, for example; another vendor may omit the
132 same item.
134 5.0 SECURE HASH FUNCTION
136 The security of the OTP system is based on the non-invertability of a
137 secure hash function. Such a function must be tractable to compute in
138 the forward direction, but computationally infeasible to invert.
140 The interfaces are currently defined for three such hash algorithms,
141 MD4 [2] and MD5 [6] by Ronald Rivest, and SHA [7] by NIST. All
142 conforming implementations of both server and generators MUST support
143 MD5. They SHOULD support SHA and MAY also support MD4. Clearly, the
144 generator and server must use the same algorithm in order to
145 interoperate. Other hash algorithms may be specified for use with
146 this system by publishing the appropriate interfaces.
148 The secure hash algorithms listed above have the property that they
149 accept an input that is arbitrarily long and produce a fixed size
150 output. The OTP system folds this output to 64 bits using the
151 algorithms in the Appendix A. 64 bits is also the length of the one-
152 time passwords. This is believed to be long enough to be secure and
153 short enough to be entered manually (see below, Form of Output) when
154 necessary.
156 6.0 GENERATION OF ONE-TIME PASSWORDS
158 This section describes the generation of the one-time passwords.
159 This process consists of an initial step in which all inputs are
160 combined, a computation step where the secure hash function is
161 applied a specified number of times, and an output function where the
162 64 bit one-time password is converted to a human readable form.
164 Appendix C contains examples of the outputs given a collection of
165 inputs. It provides implementors with a means of verification the
166 use of these algorithms.
170 Haller Standards Track [Page 3]
171 \f
172 RFC 2289 A One-Time Password System February 1998
175 Initial Step
177 In principle, the user's secret pass-phrase may be of any length. To
178 reduce the risk from techniques such as exhaustive search or
179 dictionary attacks, character string pass-phrases MUST contain at
180 least 10 characters (see Form of Inputs below). All implementations
181 MUST support a pass-phrases of at least 63 characters. The secret
182 pass-phrase is frequently, but is not required to be, textual
183 information provided by a user.
185 In this step, the pass phrase is concatenated with a seed that is
186 transmitted from the server in clear text. This non-secret seed
187 allows clients to use the same secret pass-phrase on multiple
188 machines (using different seeds) and to safely recycle their secret
189 pass-phrases by changing the seed.
191 The result of the concatenation is passed through the secure hash
192 function and then is reduced to 64 bits using one of the function
193 dependent algorithms shown in Appendix A.
195 Computation Step
197 A sequence of one-time passwords is produced by applying the secure
198 hash function multiple times to the output of the initial step
199 (called S). That is, the first one-time password to be used is
200 produced by passing S through the secure hash function a number of
201 times (N) specified by the user. The next one-time password to be
202 used is generated by passing S though the secure hash function N-1
203 times. An eavesdropper who has monitored the transmission of a one-
204 time password would not be able to generate the next required
205 password because doing so would mean inverting the hash function.
207 Form of Inputs
209 The secret pass-phrase is seen only by the OTP generator. To allow
210 interchangeability of generators, all generators MUST support a
211 secret pass-phrase of 10 to 63 characters. Implementations MAY
212 support a longer pass-phrase, but such implementations risk the loss
213 of interchangeability with implementations supporting only the
214 minimum.
216 The seed MUST consist of purely alphanumeric characters and MUST be
217 of one to 16 characters in length. The seed is a string of characters
218 that MUST not contain any blanks and SHOULD consist of strictly
219 alphanumeric characters from the ISO-646 Invariant Code Set. The
220 seed MUST be case insensitive and MUST be internally converted to
221 lower case before it is processed.
226 Haller Standards Track [Page 4]
227 \f
228 RFC 2289 A One-Time Password System February 1998
231 The sequence number and seed together constitute a larger unit of
232 data called the challenge. The challenge gives the generator the
233 parameters it needs to calculate the correct one-time password from
234 the secret pass-phrase. The challenge MUST be in a standard syntax so
235 that automated generators can recognize the challenge in context and
236 extract these parameters. The syntax of the challenge is:
238 otp-<algorithm identifier> <sequence integer> <seed>
240 The three tokens MUST be separated by a white space (defined as any
241 number of spaces and/or tabs) and the entire challenge string MUST be
242 terminated with either a space or a new line. The string "otp-" MUST
243 be in lower case. The algorithm identifier is case sensitive (the
244 existing identifiers are all lower case), and the seed is case
245 insensitive and converted before use to lower case. If additional
246 algorithms are defined, appropriate identifiers (short, but not
247 limited to three or four characters) must be defined. The currently
248 defined algorithm identifiers are:
250 md4 MD4 Message Digest
251 md5 MD5 Message Digest
252 sha1 NIST Secure Hash Algorithm Revision 1
254 An example of an OTP challenge is: otp-md5 487 dog2
256 Form of Output
258 The one-time password generated by the above procedure is 64 bits in
259 length. Entering a 64 bit number is a difficult and error prone
260 process. Some generators insert this password into the input stream
261 and some others make it available for system "cut and paste." Still
262 other arrangements require the one-time password to be entered
263 manually. The OTP system is designed to facilitate this manual entry
264 without impeding automatic methods. The one-time password therefore
265 MAY be converted to, and all servers MUST be capable of accepting it
266 as, a sequence of six short (1 to 4 letter) easily typed words that
267 only use characters from ISO-646 IVCS. Each word is chosen from a
268 dictionary of 2048 words; at 11 bits per word, all one-time passwords
269 may be encoded.
271 The two extra bits in this encoding are used to store a checksum.
272 The 64 bits of key are broken down into pairs of bits, then these
273 pairs are summed together. The two least significant bits of this sum
274 are encoded in the last two bits of the six word sequence with the
275 least significant bit of the sum as the last bit encoded. All OTP
276 generators MUST calculate this checksum and all OTP servers MUST
277 verify this checksum explicitly as part of the operation of decoding
278 this representation of the one-time password.
282 Haller Standards Track [Page 5]
283 \f
284 RFC 2289 A One-Time Password System February 1998
287 Generators that produce the six-word format MUST present the words in
288 upper case with single spaces used as separators. All servers MUST
289 accept six-word format without regard to case and white space used as
290 a separator. The two lines below represent the same one-time
291 password. The first is valid as output from a generator and as input
292 a server, the second is valid only as human input to a server.
294 OUST COAT FOAL MUG BEAK TOTE
295 oust coat foal mug beak tote
297 Interoperability requires that all OTP servers and generators use
298 the same dictionary. The standard dictionary was originally
299 specified in the "S/KEY One Time Password System" that is described
300 in RFC 1760 [5]. This dictionary is included in this document as
301 Appendix D.
303 To facilitate the implementation of smaller generators, hexadecimal
304 output is an acceptable alternative for the presentation of the
305 one-time password. All implementations of the server software MUST
306 accept case-insensitive hexadecimal as well as six-word format. The
307 hexadecimal digits may be separated by white space so servers are
308 REQUIRED to ignore all white space. If the representation is
309 partitioned by white space, leading zeros must be retained.
310 Examples of hexadecimal format are:
312 Representation Value
314 3503785b369cda8b 0x3503785b369cda8b
315 e5cc a1b8 7c13 096b 0xe5cca1b87c13096b
316 C7 48 90 F4 27 7B A1 CF 0xc74890f4277ba1cf
317 47 9 A68 28 4C 9D 0 1BC 0x479a68284c9d01bc
319 In addition to accepting six-word and hexadecimal encodings of the
320 64 bit one-time password, servers SHOULD accept the alternate
321 dictionary encoding described in Appendix B. The six words in this
322 encoding MUST not overlap the set of words in the standard
323 dictionary. To avoid ambiguity with the hexadecimal representation,
324 words in the alternate dictionary MUST not be comprised solely of
325 the letters A-F. Decoding words thus encoded does not require any
326 knowledge of the alternative dictionary used so the acceptance of
327 any alternate dictionary implies the acceptance of all alternate
328 dictionaries. Words in the alternative dictionaries are case
329 sensitive. Generators and servers MUST preserve the case in the
330 processing of these words.
332 In summary, all conforming servers MUST accept six-word input that
333 uses the Standard Dictionary (RFC 1760 and Appendix D), MUST accept
334 hexadecimal encoding, and SHOULD accept six-word input that uses the
338 Haller Standards Track [Page 6]
339 \f
340 RFC 2289 A One-Time Password System February 1998
343 Alternative Dictionary technique (Appendix B). As there is a remote
344 possibility that a hexadecimal encoding of a one-time password will
345 look like a valid six-word standard dictionary encoding, all
346 implementations MUST use the following scheme. If a six-word
347 encoded one-time password is valid, it is accepted. Otherwise, if
348 the one-time password can be interpreted as hexadecimal, and with
349 that decoding it is valid, then it is accepted.
351 7.0 VERIFICATION OF ONE-TIME PASSWORDS
353 An application on the server system that requires OTP authentication
354 is expected to issue an OTP challenge as described above. Given the
355 parameters from this challenge and the secret pass-phrase, the
356 generator can compute (or lookup) the one-time password that is
357 passed to the server to be verified.
359 The server system has a database containing, for each user, the
360 one-time password from the last successful authentication or the
361 first OTP of a newly initialized sequence. To authenticate the user,
362 the server decodes the one-time password received from the generator
363 into a 64-bit key and then runs this key through the secure hash
364 function once. If the result of this operation matches the stored
365 previous OTP, the authentication is successful and the accepted
366 one-time password is stored for future use.
368 8.0 PASS-PHRASE CHANGES
370 Because the number of hash function applications executed by the
371 generator decreases by one each time, at some point the user must
372 reinitialize the system or be unable to authenticate.
374 Although some installations may not permit users to initialize
375 remotely, implementations MUST provide a means to do so that does
376 not reveal the user's secret pass-phrase. One way is to provide a
377 means to reinitialize the sequence through explicit specification
378 of the first one-time password.
380 When the sequence of one-time passwords is reinitialized,
381 implementations MUST verify that the seed or the pass-phrase is
382 changed. Installations SHOULD discourage any operation that sends
383 the secret pass-phrase over a network in clear-text as such practice
384 defeats the concept of a one-time password.
386 Implementations MAY use the following technique for
387 [re]initialization:
394 Haller Standards Track [Page 7]
395 \f
396 RFC 2289 A One-Time Password System February 1998
399 o The user picks a new seed and hash count (default values may
400 be offered). The user provides these, along with the
401 corresponding generated one-time password, to the host system.
403 o The user MAY also provide the corresponding generated one
404 time password for count-1 as an error check.
406 o The user SHOULD provide the generated one-time password for
407 the old seed and old hash count to protect an idle terminal
408 or workstation (this implies that when the count is 1, the
409 user can login but cannot then change the seed or count).
411 In the future a specific protocol may be defined for
412 reinitialization that will permit smooth and possibly automated
413 interoperation of all hosts and generators.
415 9.0 PROTECTION AGAINST RACE ATTACK
417 All conforming server implementations MUST protect against the race
418 condition described in this section. A defense against this attack
419 is outlined; implementations MAY use this approach or MAY select an
420 alternative defense.
422 It is possible for an attacker to listen to most of a one-time
423 password, guess the remainder, and then race the legitimate user to
424 complete the authentication. Multiple guesses against the last word
425 of the six-word format are likely to succeed.
427 One possible defense is to prevent a user from starting multiple
428 simultaneous authentication sessions. This means that once the
429 legitimate user has initiated authentication, an attacker would be
430 blocked until the first authentication process has completed. In
431 this approach, a timeout is necessary to thwart a denial of service
432 attack.
434 10.0 SECURITY CONSIDERATIONS
436 This entire document discusses an authentication system that
437 improves security by limiting the danger of eavesdropping/replay
438 attacks that have been used against simple password systems [4].
440 The use of the OTP system only provides protections against passive
441 eavesdropping/replay attacks. It does not provide for the privacy
442 of transmitted data, and it does not provide protection against
443 active attacks such as session hijacking that are known to be
444 present in the current Internet [9]. The use of IP Security
445 (IPsec), see [10], [11], and [12] is recommended to protect against
446 TCP session hijacking.
450 Haller Standards Track [Page 8]
451 \f
452 RFC 2289 A One-Time Password System February 1998
455 The success of the OTP system to protect host systems is dependent
456 on the non-invertability of the secure hash functions used. To our
457 knowledge, none of the hash algorithms have been broken, but it is
458 generally believed [6] that MD4 is not as strong as MD5. If a
459 server supports multiple hash algorithms, it is only as secure as
460 the weakest algorithm.
462 11.0 ACKNOWLEDGMENTS
464 The idea behind OTP authentication was first proposed by Leslie
465 Lamport [1]. Bellcore's S/KEY system, from which OTP is derived, was
466 proposed by Phil Karn, who also wrote most of the Bellcore reference
467 implementation.
469 12.0 REFERENCES
471 [1] Leslie Lamport, "Password Authentication with Insecure
472 Communication", Communications of the ACM 24.11 (November
473 1981), 770-772
475 [2] Rivest, R., "The MD4 Message-Digest Algorithm", RFC 1320,
476 April 1992.
478 [3] Neil Haller, "The S/KEY One-Time Password System", Proceedings
479 of the ISOC Symposium on Network and Distributed System
480 Security, February 1994, San Diego, CA
482 [4] Haller, N., and R. Atkinson, "On Internet Authentication",
483 RFC 1704, October 1994.
485 [5] Haller, N., "The S/KEY One-Time Password System",
486 RFC 1760, February 1995.
488 [6] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
489 April 1992.
491 [7] National Institute of Standards and Technology (NIST),
492 "Announcing the Secure Hash Standard", FIPS 180-1, U.S.
493 Department of Commerce, April 1995.
495 [8] International Standard - Information Processing -- ISO 7-bit
496 coded character set for information interchange (Invariant Code
497 Set), ISO-646, International Standards Organization, Geneva,
498 Switzerland, 1983
506 Haller Standards Track [Page 9]
507 \f
508 RFC 2289 A One-Time Password System February 1998
511 [9] Computer Emergency Response Team (CERT), "IP Spoofing and
512 Hijacked Terminal Connections", CA-95:01, January 1995.
513 Available via anonymous ftp from info.cert.org in
514 /pub/cert_advisories.
516 [10] Atkinson, R., "Security Architecture for the Internet Protocol",
517 RFC 1825, August 1995.
519 [11] Atkinson, R., "IP Authentication Header", RFC 1826, August
520 1995.
522 [12] Atkinson, R., "IP Encapsulating Security Payload (ESP)", RFC
523 1827, August 1995.
562 Haller Standards Track [Page 10]
563 \f
564 RFC 2289 A One-Time Password System February 1998
567 13.0 AUTHORS' ADDRESSES
569 Neil Haller
570 Bellcore
571 MCC 1C-265B
572 445 South Street
573 Morristown, NJ, 07960-6438, USA
575 Phone: +1 201 829-4478
576 Fax: +1 201 829-2504
577 EMail: nmh@bellcore.com
580 Craig Metz
581 Kaman Sciences Corporation
582 For NRL Code 5544
583 4555 Overlook Avenue, S.W.
584 Washington, DC, 20375-5337, USA
586 Phone: +1 202 404-7122
587 Fax: +1 202 404-7942
588 EMail: cmetz@cs.nrl.navy.mil
591 Philip J. Nesser II
592 Nesser & Nesser Consulting
593 13501 100th Ave NE
594 Suite 5202
595 Kirkland, WA 98034, USA
597 Phone: +1 206 481 4303
598 EMail: pjnesser@martigny.ai.mit.edu
601 Mike Straw
602 Bellcore
603 RRC 1A-225
604 445 Hoes Lane
605 Piscataway, NJ 08854-4182
607 Phone: +1 908 699-5212
608 EMail: mess@bellcore.com
618 Haller Standards Track [Page 11]
619 \f
620 RFC 2289 A One-Time Password System February 1998
623 Appendix A - Interfaces to Secure Hash Algorithms
625 Original interoperability tests provided valuable insights into the
626 subtle problems which occur when converting protocol specifications
627 into running code. In particular, the manipulation of bit ordered
628 data is dependent on the architecture of the hardware, specifically
629 the way in which a computer stores multi-byte data. The method is
630 typically called big or little "endian." A big endian machine stores
631 data with the most significant byte first, while a little endian
632 machine stores the least significant byte first. Thus, on a big
633 endian machine data is stored left to right, while little endian
634 machines store data right to left.
636 For example, the four byte value 0x11AABBCC is stored in a big endian
637 machine as the following series of four bytes, "0x11", "0xAA",
638 "0xBB", and "0xCC", while on a little endian machine the value would
639 be stored as "0xCC", "0xBB", "0xAA", and "0x11".
641 For historical reasons, and to promote interoperability with existing
642 implementations, it was decided that ALL hashes incorporated into the
643 OTP protocol MUST store the output of their hash function in LITTLE
644 ENDIAN format BEFORE the bit folding to 64 bits occurs. This is done
645 in the implementations of MD4 and MD5 (see references [2] and [6]),
646 while it must be explicitly done for the implementation of SHA1 (see
647 reference [7]).
649 Any future hash functions implemented into the OTP protocol SHOULD
650 provide a similar reference fragment of code to allow independent
651 implementations to operate successfully.
654 MD4 Message Digest (see reference [2])
656 MD4_CTX md;
657 unsigned char result[16];
659 strcpy(buf, seed); /* seed must be in lower case */
660 strcat(buf, passwd);
661 MD4Init(&md);
662 MD4Update(&md, (unsigned char *)buf, strlen(buf));
663 MD4Final(result, &md);
665 /* Fold the 128 bit result to 64 bits */
666 for (i = 0; i < 8; i++)
667 result[i] ^= result[i+8];
674 Haller Standards Track [Page 12]
675 \f
676 RFC 2289 A One-Time Password System February 1998
679 MD5 Message Digest (see reference [6])
681 MD5_CTX md;
682 unsigned char result[16];
683 strcpy(buf, seed); /* seed must be in lower case */
684 strcat(buf, passwd);
685 MD5Init(&md);
686 MD5Update(&md, (unsigned char *)buf, strlen(buf));
687 MD5Final(result, &md);
689 /* Fold the 128 bit result to 64 bits */
690 for (i = 0; i < 8; i++)
691 result[i] ^= result[i+8];
694 SHA Secure Hash Algorithm (see reference [7])
696 SHA_INFO sha;
697 unsigned char result[16];
698 strcpy(buf, seed); /* seed must be in lower case */
699 strcat(buf, passwd);
700 sha_init(&sha);
701 sha_update(&sha, (unsigned char *)buf, strlen(buf));
702 sha_final(&sha); /* NOTE: no result buffer */
704 /* Fold the 160 bit result to 64 bits */
705 sha.digest[0] ^= sha.digest[2];
706 sha.digest[1] ^= sha.digest[3];
707 sha.digest[0] ^= sha.digest[4];
709 /*
710 * copy the resulting 64 bits to the result buffer in little endian
711 * fashion (analogous to the way MD4Final() and MD5Final() do).
712 */
713 for (i = 0, j = 0; j < 8; i++, j += 4)
714 {
715 result[j] = (unsigned char)(sha.digest[i] & 0xff);
716 result[j+1] = (unsigned char)((sha.digest[i] >> 8) & 0xff);
717 result[j+2] = (unsigned char)((sha.digest[i] >> 16) & 0xff);
718 result[j+3] = (unsigned char)((sha.digest[i] >> 24) & 0xff);
719 }
730 Haller Standards Track [Page 13]
731 \f
732 RFC 2289 A One-Time Password System February 1998
735 Appendix B - Alternative Dictionary Algorithm
737 The purpose of alternative dictionary encoding of the OTP one-time
738 password is to allow the use of language specific or friendly words.
739 As case translation is not always well defined, the alternative
740 dictionary encoding is case sensitive. Servers SHOULD accept this
741 encoding in addition to the standard 6-word and hexadecimal
742 encodings.
745 GENERATOR ENCODING USING AN ALTERNATE DICTIONARY
747 The standard 6-word encoding uses the placement of a word in the
748 dictionary to represent an 11-bit number. The 64-bit one-time
749 password can then be represented by six words.
751 An alternative dictionary of 2048 words may be created such that
752 each word W and position of the word in the dictionary N obey the
753 relationship:
755 alg( W ) % 2048 == N
756 where
757 alg is the hash algorithm used (e.g. MD4, MD5, SHA1).
759 In addition, no words in the standard dictionary may be chosen.
761 The generator expands the 64-bit one-time password to 66 bits by
762 computing parity as with the standard 6-word encoding. The six 11-
763 bit numbers are then converted to words using the dictionary that
764 was created such that the above relationship holds.
766 SERVER DECODING OF ALTERNATE DICTIONARY ONE-TIME PASSWORDS
768 The server accepting alternative dictionary encoding converts each
769 word to an 11-bit number using the above encoding. These numbers
770 are then used in the same way as the decoded standard dictionary
771 words to form the 66-bit one-time password.
773 The server does not need to have access to the alternate dictionary
774 that was used to create the one-time password it is authenticating.
775 This is because the decoding from word to 11-bit number does not
776 make any use of the dictionary. As a result of the independence of
777 the dictionary, a server accepting one alternate dictionary accept
778 all alternate dictionaries.
786 Haller Standards Track [Page 14]
787 \f
788 RFC 2289 A One-Time Password System February 1998
791 Appendix C - OTP Verification Examples
793 This appendix provides a series of inputs and correct outputs for all
794 three of the defined OTP cryptographic hashes, specifically MD4, MD5,
795 and SHA1. This document is intended to be used by developers for
796 interoperability checks when creating generators or servers. Output
797 is provided in both hexadecimal notation and the six word encoding
798 documented in Appendix D.
800 GENERAL CHECKS
802 Note that the output given for these checks is not intended to be
803 taken literally, but describes the type of action that should be
804 taken.
806 Pass Phrase Length
808 Input:
809 Pass Phrase: Too_short
810 Seed: iamvalid
811 Count: 99
812 Hash: ANY
813 Output:
814 ERROR: Pass Phrase too short
816 Input:
817 Pass Phrase:
818 1234567890123456789012345678901234567890123456789012345678901234
819 Seed: iamvalid
820 Count: 99
821 Hash: ANY
822 Output:
823 WARNING: Pass Phrase longer than the recommended maximum length of
824 63
826 Seed Values
828 Input:
829 Pass Phrase: A_Valid_Pass_Phrase
830 Seed: Length_Okay
831 Count: 99
832 Hash: ANY
833 Output:
834 ERROR: Seed must be purely alphanumeric
836 Input:
837 Pass Phrase: A_Valid_Pass_Phrase
838 Seed: LengthOfSeventeen
842 Haller Standards Track [Page 15]
843 \f
844 RFC 2289 A One-Time Password System February 1998
847 Count: 99
848 Hash: ANY
850 Output:
851 ERROR: Seed must be between 1 and 16 characters in length
853 Input:
854 Pass Phrase: A_Valid_Pass_Phrase
855 Seed: A Seed
856 Count: 99
857 Hash: ANY
858 Output:
859 ERROR: Seed must not contain any spaces
861 Parity Calculations
863 Input:
864 Pass Phrase: A_Valid_Pass_Phrase
865 Seed: AValidSeed
866 Count: 99
867 Hash: MD5
868 Output:
869 Hex: 85c43ee03857765b
870 Six Word(CORRECT): FOWL KID MASH DEAD DUAL OAF
871 Six Word(INCORRECT PARITY): FOWL KID MASH DEAD DUAL NUT
872 Six Word(INCORRECT PARITY): FOWL KID MASH DEAD DUAL O
873 Six Word(INCORRECT PARITY): FOWL KID MASH DEAD DUAL OAK
898 Haller Standards Track [Page 16]
899 \f
900 RFC 2289 A One-Time Password System February 1998
903 MD4 ENCODINGS
905 Pass Phrase Seed Cnt Hex Six Word Format
906 ========================================================================
907 This is a test. TeSt 0 D185 4218 EBBB 0B51
908 ROME MUG FRED SCAN LIVE LACE
909 This is a test. TeSt 1 6347 3EF0 1CD0 B444
910 CARD SAD MINI RYE COL KIN
911 This is a test. TeSt 99 C5E6 1277 6E6C 237A
912 NOTE OUT IBIS SINK NAVE MODE
913 AbCdEfGhIjK alpha1 0 5007 6F47 EB1A DE4E
914 AWAY SEN ROOK SALT LICE MAP
915 AbCdEfGhIjK alpha1 1 65D2 0D19 49B5 F7AB
916 CHEW GRIM WU HANG BUCK SAID
917 AbCdEfGhIjK alpha1 99 D150 C82C CE6F 62D1
918 ROIL FREE COG HUNK WAIT COCA
919 OTP's are good correct 0 849C 79D4 F6F5 5388
920 FOOL STEM DONE TOOL BECK NILE
921 OTP's are good correct 1 8C09 92FB 2508 47B1
922 GIST AMOS MOOT AIDS FOOD SEEM
923 OTP's are good correct 99 3F3B F4B4 145F D74B
924 TAG SLOW NOV MIN WOOL KENO
954 Haller Standards Track [Page 17]
955 \f
956 RFC 2289 A One-Time Password System February 1998
959 MD5 ENCODINGS
961 Pass Phrase Seed Cnt Hex Six Word Format
962 ========================================================================
963 This is a test. TeSt 0 9E87 6134 D904 99DD
964 INCH SEA ANNE LONG AHEM TOUR
965 This is a test. TeSt 1 7965 E054 36F5 029F
966 EASE OIL FUM CURE AWRY AVIS
967 This is a test. TeSt 99 50FE 1962 C496 5880
968 BAIL TUFT BITS GANG CHEF THY
969 AbCdEfGhIjK alpha1 0 8706 6DD9 644B F206
970 FULL PEW DOWN ONCE MORT ARC
971 AbCdEfGhIjK alpha1 1 7CD3 4C10 40AD D14B
972 FACT HOOF AT FIST SITE KENT
973 AbCdEfGhIjK alpha1 99 5AA3 7A81 F212 146C
974 BODE HOP JAKE STOW JUT RAP
975 OTP's are good correct 0 F205 7539 43DE 4CF9
976 ULAN NEW ARMY FUSE SUIT EYED
977 OTP's are good correct 1 DDCD AC95 6F23 4937
978 SKIM CULT LOB SLAM POE HOWL
979 OTP's are good correct 99 B203 E28F A525 BE47
980 LONG IVY JULY AJAR BOND LEE
983 SHA1 ENCODINGS
985 Pass Phrase Seed Cnt Hex Six Word Format
986 ========================================================================
987 This is a test. TeSt 0 BB9E 6AE1 979D 8FF4
988 MILT VARY MAST OK SEES WENT
989 This is a test. TeSt 1 63D9 3663 9734 385B
990 CART OTTO HIVE ODE VAT NUT
991 This is a test. TeSt 99 87FE C776 8B73 CCF9
992 GAFF WAIT SKID GIG SKY EYED
993 AbCdEfGhIjK alpha1 0 AD85 F658 EBE3 83C9
994 LEST OR HEEL SCOT ROB SUIT
995 AbCdEfGhIjK alpha1 1 D07C E229 B5CF 119B
996 RITE TAKE GELD COST TUNE RECK
997 AbCdEfGhIjK alpha1 99 27BC 7103 5AAF 3DC6
998 MAY STAR TIN LYON VEDA STAN
999 OTP's are good correct 0 D51F 3E99 BF8E 6F0B
1000 RUST WELT KICK FELL TAIL FRAU
1001 OTP's are good correct 1 82AE B52D 9437 74E4
1002 FLIT DOSE ALSO MEW DRUM DEFY
1003 OTP's are good correct 99 4F29 6A74 FE15 67EC
1004 AURA ALOE HURL WING BERG WAIT
1010 Haller Standards Track [Page 18]
1011 \f
1012 RFC 2289 A One-Time Password System February 1998
1015 Appendix D - Dictionary for Converting Between 6-Word and Binary Formats
1017 This dictionary is from the module put.c in the original Bellcore
1018 reference distribution.
1020 { "A", "ABE", "ACE", "ACT", "AD", "ADA", "ADD",
1021 "AGO", "AID", "AIM", "AIR", "ALL", "ALP", "AM", "AMY",
1022 "AN", "ANA", "AND", "ANN", "ANT", "ANY", "APE", "APS",
1023 "APT", "ARC", "ARE", "ARK", "ARM", "ART", "AS", "ASH",
1024 "ASK", "AT", "ATE", "AUG", "AUK", "AVE", "AWE", "AWK",
1025 "AWL", "AWN", "AX", "AYE", "BAD", "BAG", "BAH", "BAM",
1026 "BAN", "BAR", "BAT", "BAY", "BE", "BED", "BEE", "BEG",
1027 "BEN", "BET", "BEY", "BIB", "BID", "BIG", "BIN", "BIT",
1028 "BOB", "BOG", "BON", "BOO", "BOP", "BOW", "BOY", "BUB",
1029 "BUD", "BUG", "BUM", "BUN", "BUS", "BUT", "BUY", "BY",
1030 "BYE", "CAB", "CAL", "CAM", "CAN", "CAP", "CAR", "CAT",
1031 "CAW", "COD", "COG", "COL", "CON", "COO", "COP", "COT",
1032 "COW", "COY", "CRY", "CUB", "CUE", "CUP", "CUR", "CUT",
1033 "DAB", "DAD", "DAM", "DAN", "DAR", "DAY", "DEE", "DEL",
1034 "DEN", "DES", "DEW", "DID", "DIE", "DIG", "DIN", "DIP",
1035 "DO", "DOE", "DOG", "DON", "DOT", "DOW", "DRY", "DUB",
1036 "DUD", "DUE", "DUG", "DUN", "EAR", "EAT", "ED", "EEL",
1037 "EGG", "EGO", "ELI", "ELK", "ELM", "ELY", "EM", "END",
1038 "EST", "ETC", "EVA", "EVE", "EWE", "EYE", "FAD", "FAN",
1039 "FAR", "FAT", "FAY", "FED", "FEE", "FEW", "FIB", "FIG",
1040 "FIN", "FIR", "FIT", "FLO", "FLY", "FOE", "FOG", "FOR",
1041 "FRY", "FUM", "FUN", "FUR", "GAB", "GAD", "GAG", "GAL",
1042 "GAM", "GAP", "GAS", "GAY", "GEE", "GEL", "GEM", "GET",
1043 "GIG", "GIL", "GIN", "GO", "GOT", "GUM", "GUN", "GUS",
1044 "GUT", "GUY", "GYM", "GYP", "HA", "HAD", "HAL", "HAM",
1045 "HAN", "HAP", "HAS", "HAT", "HAW", "HAY", "HE", "HEM",
1046 "HEN", "HER", "HEW", "HEY", "HI", "HID", "HIM", "HIP",
1047 "HIS", "HIT", "HO", "HOB", "HOC", "HOE", "HOG", "HOP",
1048 "HOT", "HOW", "HUB", "HUE", "HUG", "HUH", "HUM", "HUT",
1049 "I", "ICY", "IDA", "IF", "IKE", "ILL", "INK", "INN",
1050 "IO", "ION", "IQ", "IRA", "IRE", "IRK", "IS", "IT",
1051 "ITS", "IVY", "JAB", "JAG", "JAM", "JAN", "JAR", "JAW",
1052 "JAY", "JET", "JIG", "JIM", "JO", "JOB", "JOE", "JOG",
1053 "JOT", "JOY", "JUG", "JUT", "KAY", "KEG", "KEN", "KEY",
1054 "KID", "KIM", "KIN", "KIT", "LA", "LAB", "LAC", "LAD",
1055 "LAG", "LAM", "LAP", "LAW", "LAY", "LEA", "LED", "LEE",
1056 "LEG", "LEN", "LEO", "LET", "LEW", "LID", "LIE", "LIN",
1057 "LIP", "LIT", "LO", "LOB", "LOG", "LOP", "LOS", "LOT",
1058 "LOU", "LOW", "LOY", "LUG", "LYE", "MA", "MAC", "MAD",
1059 "MAE", "MAN", "MAO", "MAP", "MAT", "MAW", "MAY", "ME",
1060 "MEG", "MEL", "MEN", "MET", "MEW", "MID", "MIN", "MIT",
1061 "MOB", "MOD", "MOE", "MOO", "MOP", "MOS", "MOT", "MOW",
1062 "MUD", "MUG", "MUM", "MY", "NAB", "NAG", "NAN", "NAP",
1066 Haller Standards Track [Page 19]
1067 \f
1068 RFC 2289 A One-Time Password System February 1998
1071 "NAT", "NAY", "NE", "NED", "NEE", "NET", "NEW", "NIB",
1072 "NIL", "NIP", "NIT", "NO", "NOB", "NOD", "NON", "NOR",
1073 "NOT", "NOV", "NOW", "NU", "NUN", "NUT", "O", "OAF",
1074 "OAK", "OAR", "OAT", "ODD", "ODE", "OF", "OFF", "OFT",
1075 "OH", "OIL", "OK", "OLD", "ON", "ONE", "OR", "ORB",
1076 "ORE", "ORR", "OS", "OTT", "OUR", "OUT", "OVA", "OW",
1077 "OWE", "OWL", "OWN", "OX", "PA", "PAD", "PAL", "PAM",
1078 "PAN", "PAP", "PAR", "PAT", "PAW", "PAY", "PEA", "PEG",
1079 "PEN", "PEP", "PER", "PET", "PEW", "PHI", "PI", "PIE",
1080 "PIN", "PIT", "PLY", "PO", "POD", "POE", "POP", "POT",
1081 "POW", "PRO", "PRY", "PUB", "PUG", "PUN", "PUP", "PUT",
1082 "QUO", "RAG", "RAM", "RAN", "RAP", "RAT", "RAW", "RAY",
1083 "REB", "RED", "REP", "RET", "RIB", "RID", "RIG", "RIM",
1084 "RIO", "RIP", "ROB", "ROD", "ROE", "RON", "ROT", "ROW",
1085 "ROY", "RUB", "RUE", "RUG", "RUM", "RUN", "RYE", "SAC",
1086 "SAD", "SAG", "SAL", "SAM", "SAN", "SAP", "SAT", "SAW",
1087 "SAY", "SEA", "SEC", "SEE", "SEN", "SET", "SEW", "SHE",
1088 "SHY", "SIN", "SIP", "SIR", "SIS", "SIT", "SKI", "SKY",
1089 "SLY", "SO", "SOB", "SOD", "SON", "SOP", "SOW", "SOY",
1090 "SPA", "SPY", "SUB", "SUD", "SUE", "SUM", "SUN", "SUP",
1091 "TAB", "TAD", "TAG", "TAN", "TAP", "TAR", "TEA", "TED",
1092 "TEE", "TEN", "THE", "THY", "TIC", "TIE", "TIM", "TIN",
1093 "TIP", "TO", "TOE", "TOG", "TOM", "TON", "TOO", "TOP",
1094 "TOW", "TOY", "TRY", "TUB", "TUG", "TUM", "TUN", "TWO",
1095 "UN", "UP", "US", "USE", "VAN", "VAT", "VET", "VIE",
1096 "WAD", "WAG", "WAR", "WAS", "WAY", "WE", "WEB", "WED",
1097 "WEE", "WET", "WHO", "WHY", "WIN", "WIT", "WOK", "WON",
1098 "WOO", "WOW", "WRY", "WU", "YAM", "YAP", "YAW", "YE",
1099 "YEA", "YES", "YET", "YOU", "ABED", "ABEL", "ABET", "ABLE",
1100 "ABUT", "ACHE", "ACID", "ACME", "ACRE", "ACTA", "ACTS", "ADAM",
1101 "ADDS", "ADEN", "AFAR", "AFRO", "AGEE", "AHEM", "AHOY", "AIDA",
1102 "AIDE", "AIDS", "AIRY", "AJAR", "AKIN", "ALAN", "ALEC", "ALGA",
1103 "ALIA", "ALLY", "ALMA", "ALOE", "ALSO", "ALTO", "ALUM", "ALVA",
1104 "AMEN", "AMES", "AMID", "AMMO", "AMOK", "AMOS", "AMRA", "ANDY",
1105 "ANEW", "ANNA", "ANNE", "ANTE", "ANTI", "AQUA", "ARAB", "ARCH",
1106 "AREA", "ARGO", "ARID", "ARMY", "ARTS", "ARTY", "ASIA", "ASKS",
1107 "ATOM", "AUNT", "AURA", "AUTO", "AVER", "AVID", "AVIS", "AVON",
1108 "AVOW", "AWAY", "AWRY", "BABE", "BABY", "BACH", "BACK", "BADE",
1109 "BAIL", "BAIT", "BAKE", "BALD", "BALE", "BALI", "BALK", "BALL",
1110 "BALM", "BAND", "BANE", "BANG", "BANK", "BARB", "BARD", "BARE",
1111 "BARK", "BARN", "BARR", "BASE", "BASH", "BASK", "BASS", "BATE",
1112 "BATH", "BAWD", "BAWL", "BEAD", "BEAK", "BEAM", "BEAN", "BEAR",
1113 "BEAT", "BEAU", "BECK", "BEEF", "BEEN", "BEER", "BEET", "BELA",
1114 "BELL", "BELT", "BEND", "BENT", "BERG", "BERN", "BERT", "BESS",
1115 "BEST", "BETA", "BETH", "BHOY", "BIAS", "BIDE", "BIEN", "BILE",
1116 "BILK", "BILL", "BIND", "BING", "BIRD", "BITE", "BITS", "BLAB",
1117 "BLAT", "BLED", "BLEW", "BLOB", "BLOC", "BLOT", "BLOW", "BLUE",
1118 "BLUM", "BLUR", "BOAR", "BOAT", "BOCA", "BOCK", "BODE", "BODY",
1122 Haller Standards Track [Page 20]
1123 \f
1124 RFC 2289 A One-Time Password System February 1998
1127 "BOGY", "BOHR", "BOIL", "BOLD", "BOLO", "BOLT", "BOMB", "BONA",
1128 "BOND", "BONE", "BONG", "BONN", "BONY", "BOOK", "BOOM", "BOON",
1129 "BOOT", "BORE", "BORG", "BORN", "BOSE", "BOSS", "BOTH", "BOUT",
1130 "BOWL", "BOYD", "BRAD", "BRAE", "BRAG", "BRAN", "BRAY", "BRED",
1131 "BREW", "BRIG", "BRIM", "BROW", "BUCK", "BUDD", "BUFF", "BULB",
1132 "BULK", "BULL", "BUNK", "BUNT", "BUOY", "BURG", "BURL", "BURN",
1133 "BURR", "BURT", "BURY", "BUSH", "BUSS", "BUST", "BUSY", "BYTE",
1134 "CADY", "CAFE", "CAGE", "CAIN", "CAKE", "CALF", "CALL", "CALM",
1135 "CAME", "CANE", "CANT", "CARD", "CARE", "CARL", "CARR", "CART",
1136 "CASE", "CASH", "CASK", "CAST", "CAVE", "CEIL", "CELL", "CENT",
1137 "CERN", "CHAD", "CHAR", "CHAT", "CHAW", "CHEF", "CHEN", "CHEW",
1138 "CHIC", "CHIN", "CHOU", "CHOW", "CHUB", "CHUG", "CHUM", "CITE",
1139 "CITY", "CLAD", "CLAM", "CLAN", "CLAW", "CLAY", "CLOD", "CLOG",
1140 "CLOT", "CLUB", "CLUE", "COAL", "COAT", "COCA", "COCK", "COCO",
1141 "CODA", "CODE", "CODY", "COED", "COIL", "COIN", "COKE", "COLA",
1142 "COLD", "COLT", "COMA", "COMB", "COME", "COOK", "COOL", "COON",
1143 "COOT", "CORD", "CORE", "CORK", "CORN", "COST", "COVE", "COWL",
1144 "CRAB", "CRAG", "CRAM", "CRAY", "CREW", "CRIB", "CROW", "CRUD",
1145 "CUBA", "CUBE", "CUFF", "CULL", "CULT", "CUNY", "CURB", "CURD",
1146 "CURE", "CURL", "CURT", "CUTS", "DADE", "DALE", "DAME", "DANA",
1147 "DANE", "DANG", "DANK", "DARE", "DARK", "DARN", "DART", "DASH",
1148 "DATA", "DATE", "DAVE", "DAVY", "DAWN", "DAYS", "DEAD", "DEAF",
1149 "DEAL", "DEAN", "DEAR", "DEBT", "DECK", "DEED", "DEEM", "DEER",
1150 "DEFT", "DEFY", "DELL", "DENT", "DENY", "DESK", "DIAL", "DICE",
1151 "DIED", "DIET", "DIME", "DINE", "DING", "DINT", "DIRE", "DIRT",
1152 "DISC", "DISH", "DISK", "DIVE", "DOCK", "DOES", "DOLE", "DOLL",
1153 "DOLT", "DOME", "DONE", "DOOM", "DOOR", "DORA", "DOSE", "DOTE",
1154 "DOUG", "DOUR", "DOVE", "DOWN", "DRAB", "DRAG", "DRAM", "DRAW",
1155 "DREW", "DRUB", "DRUG", "DRUM", "DUAL", "DUCK", "DUCT", "DUEL",
1156 "DUET", "DUKE", "DULL", "DUMB", "DUNE", "DUNK", "DUSK", "DUST",
1157 "DUTY", "EACH", "EARL", "EARN", "EASE", "EAST", "EASY", "EBEN",
1158 "ECHO", "EDDY", "EDEN", "EDGE", "EDGY", "EDIT", "EDNA", "EGAN",
1159 "ELAN", "ELBA", "ELLA", "ELSE", "EMIL", "EMIT", "EMMA", "ENDS",
1160 "ERIC", "EROS", "EVEN", "EVER", "EVIL", "EYED", "FACE", "FACT",
1161 "FADE", "FAIL", "FAIN", "FAIR", "FAKE", "FALL", "FAME", "FANG",
1162 "FARM", "FAST", "FATE", "FAWN", "FEAR", "FEAT", "FEED", "FEEL",
1163 "FEET", "FELL", "FELT", "FEND", "FERN", "FEST", "FEUD", "FIEF",
1164 "FIGS", "FILE", "FILL", "FILM", "FIND", "FINE", "FINK", "FIRE",
1165 "FIRM", "FISH", "FISK", "FIST", "FITS", "FIVE", "FLAG", "FLAK",
1166 "FLAM", "FLAT", "FLAW", "FLEA", "FLED", "FLEW", "FLIT", "FLOC",
1167 "FLOG", "FLOW", "FLUB", "FLUE", "FOAL", "FOAM", "FOGY", "FOIL",
1168 "FOLD", "FOLK", "FOND", "FONT", "FOOD", "FOOL", "FOOT", "FORD",
1169 "FORE", "FORK", "FORM", "FORT", "FOSS", "FOUL", "FOUR", "FOWL",
1170 "FRAU", "FRAY", "FRED", "FREE", "FRET", "FREY", "FROG", "FROM",
1171 "FUEL", "FULL", "FUME", "FUND", "FUNK", "FURY", "FUSE", "FUSS",
1172 "GAFF", "GAGE", "GAIL", "GAIN", "GAIT", "GALA", "GALE", "GALL",
1173 "GALT", "GAME", "GANG", "GARB", "GARY", "GASH", "GATE", "GAUL",
1174 "GAUR", "GAVE", "GAWK", "GEAR", "GELD", "GENE", "GENT", "GERM",
1178 Haller Standards Track [Page 21]
1179 \f
1180 RFC 2289 A One-Time Password System February 1998
1183 "GETS", "GIBE", "GIFT", "GILD", "GILL", "GILT", "GINA", "GIRD",
1184 "GIRL", "GIST", "GIVE", "GLAD", "GLEE", "GLEN", "GLIB", "GLOB",
1185 "GLOM", "GLOW", "GLUE", "GLUM", "GLUT", "GOAD", "GOAL", "GOAT",
1186 "GOER", "GOES", "GOLD", "GOLF", "GONE", "GONG", "GOOD", "GOOF",
1187 "GORE", "GORY", "GOSH", "GOUT", "GOWN", "GRAB", "GRAD", "GRAY",
1188 "GREG", "GREW", "GREY", "GRID", "GRIM", "GRIN", "GRIT", "GROW",
1189 "GRUB", "GULF", "GULL", "GUNK", "GURU", "GUSH", "GUST", "GWEN",
1190 "GWYN", "HAAG", "HAAS", "HACK", "HAIL", "HAIR", "HALE", "HALF",
1191 "HALL", "HALO", "HALT", "HAND", "HANG", "HANK", "HANS", "HARD",
1192 "HARK", "HARM", "HART", "HASH", "HAST", "HATE", "HATH", "HAUL",
1193 "HAVE", "HAWK", "HAYS", "HEAD", "HEAL", "HEAR", "HEAT", "HEBE",
1194 "HECK", "HEED", "HEEL", "HEFT", "HELD", "HELL", "HELM", "HERB",
1195 "HERD", "HERE", "HERO", "HERS", "HESS", "HEWN", "HICK", "HIDE",
1196 "HIGH", "HIKE", "HILL", "HILT", "HIND", "HINT", "HIRE", "HISS",
1197 "HIVE", "HOBO", "HOCK", "HOFF", "HOLD", "HOLE", "HOLM", "HOLT",
1198 "HOME", "HONE", "HONK", "HOOD", "HOOF", "HOOK", "HOOT", "HORN",
1199 "HOSE", "HOST", "HOUR", "HOVE", "HOWE", "HOWL", "HOYT", "HUCK",
1200 "HUED", "HUFF", "HUGE", "HUGH", "HUGO", "HULK", "HULL", "HUNK",
1201 "HUNT", "HURD", "HURL", "HURT", "HUSH", "HYDE", "HYMN", "IBIS",
1202 "ICON", "IDEA", "IDLE", "IFFY", "INCA", "INCH", "INTO", "IONS",
1203 "IOTA", "IOWA", "IRIS", "IRMA", "IRON", "ISLE", "ITCH", "ITEM",
1204 "IVAN", "JACK", "JADE", "JAIL", "JAKE", "JANE", "JAVA", "JEAN",
1205 "JEFF", "JERK", "JESS", "JEST", "JIBE", "JILL", "JILT", "JIVE",
1206 "JOAN", "JOBS", "JOCK", "JOEL", "JOEY", "JOHN", "JOIN", "JOKE",
1207 "JOLT", "JOVE", "JUDD", "JUDE", "JUDO", "JUDY", "JUJU", "JUKE",
1208 "JULY", "JUNE", "JUNK", "JUNO", "JURY", "JUST", "JUTE", "KAHN",
1209 "KALE", "KANE", "KANT", "KARL", "KATE", "KEEL", "KEEN", "KENO",
1210 "KENT", "KERN", "KERR", "KEYS", "KICK", "KILL", "KIND", "KING",
1211 "KIRK", "KISS", "KITE", "KLAN", "KNEE", "KNEW", "KNIT", "KNOB",
1212 "KNOT", "KNOW", "KOCH", "KONG", "KUDO", "KURD", "KURT", "KYLE",
1213 "LACE", "LACK", "LACY", "LADY", "LAID", "LAIN", "LAIR", "LAKE",
1214 "LAMB", "LAME", "LAND", "LANE", "LANG", "LARD", "LARK", "LASS",
1215 "LAST", "LATE", "LAUD", "LAVA", "LAWN", "LAWS", "LAYS", "LEAD",
1216 "LEAF", "LEAK", "LEAN", "LEAR", "LEEK", "LEER", "LEFT", "LEND",
1217 "LENS", "LENT", "LEON", "LESK", "LESS", "LEST", "LETS", "LIAR",
1218 "LICE", "LICK", "LIED", "LIEN", "LIES", "LIEU", "LIFE", "LIFT",
1219 "LIKE", "LILA", "LILT", "LILY", "LIMA", "LIMB", "LIME", "LIND",
1220 "LINE", "LINK", "LINT", "LION", "LISA", "LIST", "LIVE", "LOAD",
1221 "LOAF", "LOAM", "LOAN", "LOCK", "LOFT", "LOGE", "LOIS", "LOLA",
1222 "LONE", "LONG", "LOOK", "LOON", "LOOT", "LORD", "LORE", "LOSE",
1223 "LOSS", "LOST", "LOUD", "LOVE", "LOWE", "LUCK", "LUCY", "LUGE",
1224 "LUKE", "LULU", "LUND", "LUNG", "LURA", "LURE", "LURK", "LUSH",
1225 "LUST", "LYLE", "LYNN", "LYON", "LYRA", "MACE", "MADE", "MAGI",
1226 "MAID", "MAIL", "MAIN", "MAKE", "MALE", "MALI", "MALL", "MALT",
1227 "MANA", "MANN", "MANY", "MARC", "MARE", "MARK", "MARS", "MART",
1228 "MARY", "MASH", "MASK", "MASS", "MAST", "MATE", "MATH", "MAUL",
1229 "MAYO", "MEAD", "MEAL", "MEAN", "MEAT", "MEEK", "MEET", "MELD",
1230 "MELT", "MEMO", "MEND", "MENU", "MERT", "MESH", "MESS", "MICE",
1234 Haller Standards Track [Page 22]
1235 \f
1236 RFC 2289 A One-Time Password System February 1998
1239 "MIKE", "MILD", "MILE", "MILK", "MILL", "MILT", "MIMI", "MIND",
1240 "MINE", "MINI", "MINK", "MINT", "MIRE", "MISS", "MIST", "MITE",
1241 "MITT", "MOAN", "MOAT", "MOCK", "MODE", "MOLD", "MOLE", "MOLL",
1242 "MOLT", "MONA", "MONK", "MONT", "MOOD", "MOON", "MOOR", "MOOT",
1243 "MORE", "MORN", "MORT", "MOSS", "MOST", "MOTH", "MOVE", "MUCH",
1244 "MUCK", "MUDD", "MUFF", "MULE", "MULL", "MURK", "MUSH", "MUST",
1245 "MUTE", "MUTT", "MYRA", "MYTH", "NAGY", "NAIL", "NAIR", "NAME",
1246 "NARY", "NASH", "NAVE", "NAVY", "NEAL", "NEAR", "NEAT", "NECK",
1247 "NEED", "NEIL", "NELL", "NEON", "NERO", "NESS", "NEST", "NEWS",
1248 "NEWT", "NIBS", "NICE", "NICK", "NILE", "NINA", "NINE", "NOAH",
1249 "NODE", "NOEL", "NOLL", "NONE", "NOOK", "NOON", "NORM", "NOSE",
1250 "NOTE", "NOUN", "NOVA", "NUDE", "NULL", "NUMB", "OATH", "OBEY",
1251 "OBOE", "ODIN", "OHIO", "OILY", "OINT", "OKAY", "OLAF", "OLDY",
1252 "OLGA", "OLIN", "OMAN", "OMEN", "OMIT", "ONCE", "ONES", "ONLY",
1253 "ONTO", "ONUS", "ORAL", "ORGY", "OSLO", "OTIS", "OTTO", "OUCH",
1254 "OUST", "OUTS", "OVAL", "OVEN", "OVER", "OWLY", "OWNS", "QUAD",
1255 "QUIT", "QUOD", "RACE", "RACK", "RACY", "RAFT", "RAGE", "RAID",
1256 "RAIL", "RAIN", "RAKE", "RANK", "RANT", "RARE", "RASH", "RATE",
1257 "RAVE", "RAYS", "READ", "REAL", "REAM", "REAR", "RECK", "REED",
1258 "REEF", "REEK", "REEL", "REID", "REIN", "RENA", "REND", "RENT",
1259 "REST", "RICE", "RICH", "RICK", "RIDE", "RIFT", "RILL", "RIME",
1260 "RING", "RINK", "RISE", "RISK", "RITE", "ROAD", "ROAM", "ROAR",
1261 "ROBE", "ROCK", "RODE", "ROIL", "ROLL", "ROME", "ROOD", "ROOF",
1262 "ROOK", "ROOM", "ROOT", "ROSA", "ROSE", "ROSS", "ROSY", "ROTH",
1263 "ROUT", "ROVE", "ROWE", "ROWS", "RUBE", "RUBY", "RUDE", "RUDY",
1264 "RUIN", "RULE", "RUNG", "RUNS", "RUNT", "RUSE", "RUSH", "RUSK",
1265 "RUSS", "RUST", "RUTH", "SACK", "SAFE", "SAGE", "SAID", "SAIL",
1266 "SALE", "SALK", "SALT", "SAME", "SAND", "SANE", "SANG", "SANK",
1267 "SARA", "SAUL", "SAVE", "SAYS", "SCAN", "SCAR", "SCAT", "SCOT",
1268 "SEAL", "SEAM", "SEAR", "SEAT", "SEED", "SEEK", "SEEM", "SEEN",
1269 "SEES", "SELF", "SELL", "SEND", "SENT", "SETS", "SEWN", "SHAG",
1270 "SHAM", "SHAW", "SHAY", "SHED", "SHIM", "SHIN", "SHOD", "SHOE",
1271 "SHOT", "SHOW", "SHUN", "SHUT", "SICK", "SIDE", "SIFT", "SIGH",
1272 "SIGN", "SILK", "SILL", "SILO", "SILT", "SINE", "SING", "SINK",
1273 "SIRE", "SITE", "SITS", "SITU", "SKAT", "SKEW", "SKID", "SKIM",
1274 "SKIN", "SKIT", "SLAB", "SLAM", "SLAT", "SLAY", "SLED", "SLEW",
1275 "SLID", "SLIM", "SLIT", "SLOB", "SLOG", "SLOT", "SLOW", "SLUG",
1276 "SLUM", "SLUR", "SMOG", "SMUG", "SNAG", "SNOB", "SNOW", "SNUB",
1277 "SNUG", "SOAK", "SOAR", "SOCK", "SODA", "SOFA", "SOFT", "SOIL",
1278 "SOLD", "SOME", "SONG", "SOON", "SOOT", "SORE", "SORT", "SOUL",
1279 "SOUR", "SOWN", "STAB", "STAG", "STAN", "STAR", "STAY", "STEM",
1280 "STEW", "STIR", "STOW", "STUB", "STUN", "SUCH", "SUDS", "SUIT",
1281 "SULK", "SUMS", "SUNG", "SUNK", "SURE", "SURF", "SWAB", "SWAG",
1282 "SWAM", "SWAN", "SWAT", "SWAY", "SWIM", "SWUM", "TACK", "TACT",
1283 "TAIL", "TAKE", "TALE", "TALK", "TALL", "TANK", "TASK", "TATE",
1284 "TAUT", "TEAL", "TEAM", "TEAR", "TECH", "TEEM", "TEEN", "TEET",
1285 "TELL", "TEND", "TENT", "TERM", "TERN", "TESS", "TEST", "THAN",
1286 "THAT", "THEE", "THEM", "THEN", "THEY", "THIN", "THIS", "THUD",
1290 Haller Standards Track [Page 23]
1291 \f
1292 RFC 2289 A One-Time Password System February 1998
1295 "THUG", "TICK", "TIDE", "TIDY", "TIED", "TIER", "TILE", "TILL",
1296 "TILT", "TIME", "TINA", "TINE", "TINT", "TINY", "TIRE", "TOAD",
1297 "TOGO", "TOIL", "TOLD", "TOLL", "TONE", "TONG", "TONY", "TOOK",
1298 "TOOL", "TOOT", "TORE", "TORN", "TOTE", "TOUR", "TOUT", "TOWN",
1299 "TRAG", "TRAM", "TRAY", "TREE", "TREK", "TRIG", "TRIM", "TRIO",
1300 "TROD", "TROT", "TROY", "TRUE", "TUBA", "TUBE", "TUCK", "TUFT",
1301 "TUNA", "TUNE", "TUNG", "TURF", "TURN", "TUSK", "TWIG", "TWIN",
1302 "TWIT", "ULAN", "UNIT", "URGE", "USED", "USER", "USES", "UTAH",
1303 "VAIL", "VAIN", "VALE", "VARY", "VASE", "VAST", "VEAL", "VEDA",
1304 "VEIL", "VEIN", "VEND", "VENT", "VERB", "VERY", "VETO", "VICE",
1305 "VIEW", "VINE", "VISE", "VOID", "VOLT", "VOTE", "WACK", "WADE",
1306 "WAGE", "WAIL", "WAIT", "WAKE", "WALE", "WALK", "WALL", "WALT",
1307 "WAND", "WANE", "WANG", "WANT", "WARD", "WARM", "WARN", "WART",
1308 "WASH", "WAST", "WATS", "WATT", "WAVE", "WAVY", "WAYS", "WEAK",
1309 "WEAL", "WEAN", "WEAR", "WEED", "WEEK", "WEIR", "WELD", "WELL",
1310 "WELT", "WENT", "WERE", "WERT", "WEST", "WHAM", "WHAT", "WHEE",
1311 "WHEN", "WHET", "WHOA", "WHOM", "WICK", "WIFE", "WILD", "WILL",
1312 "WIND", "WINE", "WING", "WINK", "WINO", "WIRE", "WISE", "WISH",
1313 "WITH", "WOLF", "WONT", "WOOD", "WOOL", "WORD", "WORE", "WORK",
1314 "WORM", "WORN", "WOVE", "WRIT", "WYNN", "YALE", "YANG", "YANK",
1315 "YARD", "YARN", "YAWL", "YAWN", "YEAH", "YEAR", "YELL", "YOGA",
1316 "YOKE" };
1346 Haller Standards Track [Page 24]
1347 \f
1348 RFC 2289 A One-Time Password System February 1998
1351 Full Copyright Statement
1353 Copyright (C) The Internet Society (1998). All Rights Reserved.
1355 This document and translations of it may be copied and furnished to
1356 others, and derivative works that comment on or otherwise explain it
1357 or assist in its implementation may be prepared, copied, published
1358 and distributed, in whole or in part, without restriction of any
1359 kind, provided that the above copyright notice and this paragraph are
1360 included on all such copies and derivative works. However, this
1361 document itself may not be modified in any way, such as by removing
1362 the copyright notice or references to the Internet Society or other
1363 Internet organizations, except as needed for the purpose of
1364 developing Internet standards in which case the procedures for
1365 copyrights defined in the Internet Standards process must be
1366 followed, or as required to translate it into languages other than
1367 English.
1369 The limited permissions granted above are perpetual and will not be
1370 revoked by the Internet Society or its successors or assigns.
1372 This document and the information contained herein is provided on an
1373 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
1374 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
1375 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
1376 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
1377 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
1402 Haller Standards Track [Page 25]
1403 \f