idnits 2.17.1

draft-haller-otp-04.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Cannot find the required boilerplate sections (Copyright, IPR, etc.) in
     this document. Expected boilerplate is as follows today (2024-04-26)
     according to https://trustee.ietf.org/license-info :

     IETF Trust Legal Provisions of 28-dec-2009, Section 6.a:
        This Internet-Draft is submitted in full conformance with the
        provisions of BCP 78 and BCP 79.

     IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 2:
        Copyright (c) 2024 IETF Trust and the persons identified as the
        document authors. All rights reserved.

     IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 3:
        This document is subject to BCP 78 and the IETF Trust's Legal
        Provisions Relating to IETF Documents
        (https://trustee.ietf.org/license-info) in effect on the date of
        publication of this document. Please review these documents
        carefully, as they describe your rights and restrictions with
        respect to this document. Code Components extracted from this
        document must include Simplified BSD License text as described in
        Section 4.e of the Trust Legal Provisions and are provided without
        warranty as described in the Simplified BSD License.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** Missing expiration date. The document expiration date should appear on
     the first and last page.

  ** The document seems to lack a 1id_guidelines paragraph about
     Internet-Drafts being working documents.

  ** The document seems to lack a 1id_guidelines paragraph about 6 months
     document validity.

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     current Internet-Drafts.

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     Shadow Directories.
  ** The document is more than 15 pages and seems to lack a Table of
     Contents.

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section.  (See
     Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle
     the case when there are no actions for IANA.)

  ** The document seems to lack separate sections for Informative/Normative
     References.  All references will be assumed normative when checking for
     downward references.

  ** There is 1 instance of too long lines in the document, the longest one
     being 4 characters in excess of 72.

  ** The abstract seems to contain references ([3], [5]), which it
     shouldn't.  Please replace those with straight textual mentions of the
     documents in question.

  ** The document seems to lack both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords.

     RFC 2119 keyword, line 95: '... - MUST...'
     RFC 2119 keyword, line 100: '... - SHOULD...'
     RFC 2119 keyword, line 107: '... - MAY...'
     RFC 2119 keyword, line 123: '...ons of both server and generators MUST...'
     RFC 2119 keyword, line 124: '...pport MD5. They SHOULD support SHA an...'
     (38 more instances...)

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == Line 258 has weird spacing: '...at foal mug ...'

  == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD',
     or 'RECOMMENDED' is not an accepted usage according to RFC 2119.  Please
     use uppercase 'NOT' together with RFC 2119 keywords (if that is what you
     mean).

     Found 'MUST not' in this paragraph:

     The seed MUST consist of purely alphanumeric characters and MUST be of
     one to 16 characters in length.
     The seed is a string of characters that MUST not contain any blanks and
     SHOULD consist of strictly alphanumeric characters from the ISO-646
     Invariant Code set. The seed MUST be case insensitive and MUST be
     internally converted to lower case before it is processed.

  == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD',
     or 'RECOMMENDED' is not an accepted usage according to RFC 2119.  Please
     use uppercase 'NOT' together with RFC 2119 keywords (if that is what you
     mean).

     Found 'MUST not' in this paragraph:

     In addition to accepting six-word and hexadecimal encodings of the 64
     bit one-time password, servers SHOULD accept the alternate dictionary
     encoding described in Appendix B. The six words in this encoding MUST
     not overlap the set of words in the standard dictionary. To avoid
     ambiguity with the hexadecimal representation, words in the alternate
     dictionary MUST not be comprised solely of the letters A-F. Decoding
     words thus encoded does not require any knowledge of the alternative
     dictionary used so the acceptance of any alternate dictionary implies
     the acceptance of all alternate dictionaries.

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- Couldn't find a document date in the document -- date freshness check
     skipped.

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '<CODE BEGINS>' and
     '<CODE ENDS>' lines.
  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: '0' is mentioned on line 492, but not defined

  == Unused Reference: '8' is defined on line 426, but no explicit reference
     was found in the text

  -- Possible downref: Non-RFC (?) normative reference: ref. '1'

  ** Obsolete normative reference: RFC 1320 (ref. '2') (Obsoleted by RFC
     6150)

  -- Possible downref: Non-RFC (?) normative reference: ref. '3'

  ** Downref: Normative reference to an Informational RFC: RFC 1704 (ref.
     '4')

  ** Downref: Normative reference to an Informational RFC: RFC 1760 (ref.
     '5')

  ** Downref: Normative reference to an Informational RFC: RFC 1321 (ref.
     '6')

  -- Possible downref: Non-RFC (?) normative reference: ref. '7'

  -- Possible downref: Non-RFC (?) normative reference: ref. '8'

  -- Possible downref: Non-RFC (?) normative reference: ref. '9'

     Summary: 16 errors (**), 0 flaws (~~), 6 warnings (==), 8 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

INTERNET DRAFT                                              Neil Haller
draft-haller-otp-04.txt                                        Bellcore
October 23, 1995                                             Craig Metz
                                             Kaman Sciences Corporation

                       A One-Time Password System

STATUS OF THIS MEMO

   This document is an Internet Draft. Internet Drafts are working
   documents of the Internet Engineering Task Force (IETF), its Areas
   and Working Groups. Note that other groups may also distribute
   working documents as Internet Drafts.

   Internet Drafts are draft documents valid for a maximum of six
   months. Drafts may be updated, replaced, or obsoleted by other
   documents at any time. It is not appropriate to use Internet Drafts
   as reference material or to cite them other than as a "working
   draft" or "work in progress."
   To learn the current status of any Internet Draft, please check the
   1id-abstracts.txt listing contained in the Internet-Drafts Shadow
   Directories on ftp.is.co.za (Africa), ds.internic.net (US East
   Coast), nic.nordu.net (Europe), ftp.isi.com (US West Coast), or
   munnari.oz.au (Pacific Rim).

   The distribution of this Internet Draft is unlimited. It is filed as
   <draft-haller-otp-04.txt> and it expires on April 23, 1996.

1.0 ABSTRACT

   This document describes a one-time password authentication system
   (OTP). The OTP system provides authentication for system access
   (login) and other applications requiring authentication that is
   secure against passive attacks based on replaying captured reusable
   passwords. OTP evolved from the S/KEY* One-Time Password System that
   was released by Bellcore and is described in references [3] and [5].

2.0 OVERVIEW

   One form of attack on networked computing systems is eavesdropping
   on network connections to obtain authentication information such as
   the login IDs and passwords of legitimate users. Once this
   information is captured, it can be used at a later time to gain
   access to the computing system. One-time password systems are
   designed to counter this type of attack, called a "replay attack"
   [4].

   ---------
   * S/KEY is a trademark of Bellcore

   The authentication system described in this document uses a secret
   pass-phrase to generate a sequence of single use (one-time)
   passwords. With this system, the user's secret pass-phrase never
   crosses the network at any time, such as during authentication or
   during pass-phrase changes. Thus, it is not vulnerable to replay
   attacks. Added security is provided by the property that no secret
   information need be stored on any system, including the server being
   protected.

   The OTP system protects against external passive attacks against the
   authentication subsystem.
   It does not prevent a network eavesdropper from gaining access to
   private information and does not provide protection against either
   "social engineering" or against active attacks where the potential
   intruder is able to intercept and modify the packet stream [9].

3.0 INTRODUCTION

   There are two entities in the operation of the OTP one-time password
   system. The client must generate the appropriate one-time password
   from the user's secret pass-phrase and from information provided in
   the challenge from the server. The server must send a challenge that
   includes the appropriate generation parameters to the client, must
   verify the one-time password received, must store the last valid
   one-time password it received, and must store the corresponding
   one-time password sequence number. The server must also facilitate
   the changing of the user's secret pass-phrase in a secure manner.

   The OTP system generator passes the user's secret pass-phrase, along
   with a "seed" received from the server as part of the challenge,
   through multiple iterations of a secure hash function to produce a
   one-time password. On each use, the number of secure hash function
   iterations is reduced by one. Thus, a unique sequence of passwords
   is generated. The server verifies the one-time password received
   from the client by computing the secure hash function once and
   comparing the result with the previously accepted one-time password.
   This technique was first suggested by Leslie Lamport [1].

4.0 REQUIREMENTS TERMINOLOGY

   In this document, the words that are used to define the significance
   of each particular requirement are usually capitalized. These words
   are:

   - MUST

     This word or the adjective "REQUIRED" means that the item is an
     absolute requirement of the specification.
   - SHOULD

     This word or the adjective "RECOMMENDED" means that there might
     exist valid reasons in particular circumstances to ignore this
     item, but the full implications should be understood and the
     case carefully weighed before taking a different course.

   - MAY

     This word or the adjective "OPTIONAL" means that this item is
     truly optional. One vendor might choose to include the item
     because a particular marketplace requires it or because it
     enhances the product, for example; another vendor may omit the
     same item.

5.0 SECURE HASH FUNCTION

   The security of the OTP system is based on the non-invertibility of
   a secure hash function. Such a function must be tractable to compute
   in the forward direction, but computationally infeasible to invert.

   The interfaces are currently defined for three such hash algorithms,
   MD4 [2] and MD5 [6] by Ronald Rivest, and SHA [7] by NIST. All
   conforming implementations of both server and generators MUST
   support MD5. They SHOULD support SHA and MAY also support MD4.
   Clearly, the generator and server must use the same algorithm in
   order to interoperate. Other hash algorithms may be specified for
   use with this system by publishing the appropriate interfaces.

   The secure hash algorithms listed above have the property that they
   accept an input that is arbitrarily long and produce a fixed size
   output. The OTP system folds this output to 64 bits using the
   algorithms in Appendix A. 64 bits is also the length of the
   one-time passwords. This is believed to be long enough to be secure
   and short enough to be entered manually (see below, Form of Output)
   when necessary.

6.0 GENERATION OF ONE-TIME PASSWORDS

   This section describes the generation of the one-time passwords.
   This consists of an initial step in which all inputs are combined, a
   computation step where the secure hash function is applied a
   specified number of times, and an output function where the 64 bit
   one-time password is converted to a human readable form.

   Initial Step

   In principle, the user's secret pass-phrase may be of any length. To
   reduce the risk from techniques such as exhaustive search or
   dictionary attacks, character string pass-phrases MUST contain at
   least 10 characters (see Form of Inputs below). All implementations
   MUST support pass-phrases of at least 63 characters in length. The
   secret pass-phrase is frequently, but is not required to be, textual
   information provided by a user.

   In this step, the pass-phrase is concatenated with a seed that is
   transmitted from the server in clear text. This non-secret seed
   allows a client to use the same secret pass-phrase on multiple
   machines (using different seeds) and to safely recycle secret
   passwords by changing the seed.

   The result of the concatenation is passed through the secure hash
   function, and then is reduced to 64 bits using one of the function
   dependent algorithms shown in Appendix A.

   Computation Step

   A sequence of one-time passwords is produced by applying the secure
   hash function multiple times to the output of the initial step
   (called S). That is, the first one-time password to be used is
   produced by passing S through the secure hash function a number of
   times (N) specified by the user. The next one-time password to be
   used is generated by passing S through the secure hash function N-1
   times. An eavesdropper who has monitored the transmission of a
   one-time password would not be able to generate the next required
   password because doing so would mean inverting the hash function.

   Form of Inputs

   The secret pass-phrase is seen only by the OTP generator.
   To allow interchangeability of generators, all generators MUST
   support a secret pass-phrase of 10 to 63 characters. Implementations
   MAY support a longer pass-phrase, but such implementations risk the
   loss of interchangeability with implementations supporting only the
   minimum.

   To achieve a uniform minimum pass-phrase complexity, all generators
   MUST enforce the following rules for character-string pass-phrases:
   Pass-phrases MUST be at least 10 characters in length, MUST contain
   at least one upper case alphabetic, MUST contain at least one lower
   case alphabetic, and MUST contain at least one non-blank
   non-alphabetic.

   The seed MUST consist of purely alphanumeric characters and MUST be
   of one to 16 characters in length. The seed is a string of
   characters that MUST not contain any blanks and SHOULD consist of
   strictly alphanumeric characters from the ISO-646 Invariant Code
   set. The seed MUST be case insensitive and MUST be internally
   converted to lower case before it is processed.

   The sequence number and seed together constitute a larger unit of
   data called the challenge. The challenge gives the generator the
   parameters it needs to calculate the correct one-time password from
   the secret pass-phrase. The challenge MUST be in a standard syntax
   so that automated generators can recognize the challenge in context
   and extract these parameters. The syntax of the challenge is:

      otp-<algorithm identifier> <sequence integer> <seed>

   The three tokens MUST be separated by white space (defined as any
   number of blanks and/or tabs) and the entire challenge string MUST
   be terminated with either a space or a new line. The string "otp-"
   MUST be in lower case. The algorithm identifier is case sensitive
   (the existing identifiers are all lower case), and the seed is case
   insensitive and converted before use to lower case.
   If additional algorithms are defined, appropriate identifiers (short,
   but not limited to three or four characters) must be defined. The
   currently defined algorithm identifiers are:

      md4    MD4 Message Digest
      md5    MD5 Message Digest
      sha1   NIST Secure Hash Algorithm

   An example of an OTP challenge is:  otp-md5 487 dog2

   Form of Output

   The one-time password generated by the above procedure is 64 bits
   in length. Entering a 64 bit number is a difficult and error prone
   process. Some generators insert this password into the input
   stream and some others make it available for system "cut and
   paste." Still other arrangements require the one-time password to
   be entered manually. The OTP system is designed to facilitate this
   manual entry without impeding automatic methods. The one-time
   password therefore MAY be converted to, and all servers MUST
   accept it as, a sequence of six short (1 to 4 letter) easily typed
   words that only use characters from ISO-646 IVCS. Each word is
   chosen from a dictionary of 2048 words; at 11 bits per word, all
   one-time passwords may be encoded.

   The two extra bits in this encoding are used to store a checksum.
   The 64 bits of key are broken down into pairs of bits, then these
   pairs are summed together. The two least significant bits of this
   sum are encoded in the last two bits of the six word sequence with
   the least significant bit of the sum as the last bit encoded. All
   OTP generators MUST calculate this checksum and all OTP servers
   MUST verify this checksum explicitly as part of the operation of
   decoding this representation of the one-time password.

   Generators that produce the six-word format MUST present the words
   in upper case with single spaces used as separators. All servers
   MUST accept six-word format without regard to case and white space
   used as a separator. The two lines below represent the same
   one-time password.
   The first is valid as output from a generator and as input to a
   server; the second is valid only as human input to a server.

      OUST COAT FOAL MUG BEAK TOTE
      oust coat foal mug beak tote

   Interoperability requires that all OTP servers and generators use
   the same dictionary. The standard dictionary was originally
   specified in the "S/KEY One Time Password System" that is
   described in RFC 1760 [5]. This dictionary is included in this
   document as Appendix C.

   To facilitate the implementation of smaller generators,
   hexadecimal output is an acceptable alternative for the
   presentation of the one-time password. All implementations of the
   server software MUST accept case-insensitive hexadecimal as well
   as six-word format. The hexadecimal digits may be separated by
   white space, so servers are REQUIRED to ignore all white space.
   Examples of hexadecimal format are:

      3503785b369cda8b
      e5cc a1b8 7c13 096b
      C7 48 90 F4 27 7B A1 CF

   In addition to accepting six-word and hexadecimal encodings of the
   64 bit one-time password, servers SHOULD accept the alternate
   dictionary encoding described in Appendix B. The six words in this
   encoding MUST not overlap the set of words in the standard
   dictionary. To avoid ambiguity with the hexadecimal representation,
   words in the alternate dictionary MUST not be comprised solely of
   the letters A-F. Decoding words thus encoded does not require any
   knowledge of the alternative dictionary used, so the acceptance of
   any alternate dictionary implies the acceptance of all alternate
   dictionaries.

   In summary, all conforming servers MUST accept six-word input that
   uses the Standard Dictionary (RFC 1760), MUST accept hexadecimal
   encoding, and SHOULD accept six-word input that uses the Alternative
   Dictionary technique (Appendix B).
   As there is a remote possibility that a hexadecimal encoding of a
   one-time password will look like a valid six-word standard
   dictionary encoding, all implementations MUST use the following
   scheme. If a six-word encoded one-time password is valid, it is
   accepted. Otherwise, if the one-time password can be interpreted as
   hexadecimal, and with that decoding it is valid, then it is
   accepted.

7.0 VERIFICATION OF ONE-TIME PASSWORDS

   An application on the server system that requires OTP authentication
   is expected to issue an OTP challenge as described above. Given the
   parameters from this challenge and the secret pass-phrase, the
   generator can compute (or look up) the one-time password that is
   passed to the server to be verified.

   The server system has a database containing, for each user, the
   one-time password from the last successful authentication or the
   first OTP of a newly initialized sequence. To authenticate the user,
   the server decodes the one-time password received from the client
   into a 64-bit key and then runs this key through the secure hash
   function once. If the result of this operation matches the stored
   previous OTP, the authentication is successful and the accepted
   one-time password is stored for future use.

8.0 PASS-PHRASE CHANGES

   Because the number of hash function applications executed by the
   client decreases by one each time, at some point the user must
   reinitialize the system or be unable to authenticate.

   Implementations MUST provide clients with a means of reinitializing
   a sequence through explicit specification of the first one-time
   password of a sequence. This allows a client to initialize without
   making it necessary to send a secret pass-phrase over the network, as
   only the one-time password is sent. When the sequence of one-time
   passwords is reinitialized, implementations MUST verify that the
   seed is changed.
   Installations SHOULD discourage any operation that sends the secret
   pass-phrase over a network, as such practice defeats the concept of
   a one-time password.

   Implementations MAY use the following technique for
   [re]initialization:

   o  The user picks a new seed and hash count (default values may
      be offered). The user provides these, along with the
      corresponding generated one-time password, to the host system.

   o  The user MAY also provide the corresponding generated one-time
      password for count-1 as an error check.

   o  The user SHOULD provide the generated one-time password for
      the old seed and old hash count to protect an idle terminal
      or workstation (this implies that when the count is 1, the
      user can login but cannot then change the seed or count).

   In the future a specific protocol may be defined for
   reinitialization that will permit smooth and possibly automated
   interoperation of all hosts and generators.

9.0 PROTECTION AGAINST RACE ATTACK

   All conforming server implementations MUST protect against the race
   condition described in this section. A defense against this attack
   is outlined; implementations MAY use this approach or MAY select an
   alternative defense.

   It is possible for an attacker to listen to most of a one-time
   password, guess the remainder, and then race the legitimate user to
   complete the authentication. Multiple guesses against the last word
   of the six-word format are likely to succeed.

   One possible defense is to prevent a user from starting multiple
   simultaneous authentication sessions. This means that once the
   legitimate user has initiated authentication, an attacker would be
   blocked until the first authentication process has completed. In
   this approach, a timeout is necessary to thwart a denial of service
   attack.
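The generator and server sides of sections 6.0 through 9.0 above, as an added Python example that is not code from the draft or from Bellcore's S/KEY implementation: challenge parsing, the pass-phrase and seed rules, the initial and computation steps with the MD5 fold of Appendix A, hexadecimal input, verification by one further hash, seed-change enforcement on reinitialization, and the single-session-with-timeout race defense. All function and class names are assumed, and only the mandatory MD5 interface is implemented.

```python
import hashlib
import hmac
import re
import time

# Added example, not code from the draft; all names are assumed. Only the
# mandatory MD5 interface of Appendix A is implemented.

def fold_md5(data: bytes) -> bytes:
    """MD5 the input and fold the 128-bit digest to 64 bits (Appendix A):
    result[i] = digest[i] ^ digest[i + 8]."""
    d = hashlib.md5(data).digest()
    return bytes(d[i] ^ d[i + 8] for i in range(8))

def check_pass_phrase(pp: str) -> None:
    """Form of Inputs: 10 to 63 characters with at least one upper case,
    one lower case and one non-blank non-alphabetic character."""
    if not 10 <= len(pp) <= 63:
        raise ValueError("pass-phrase must be 10 to 63 characters")
    if not (any(c.isupper() for c in pp) and any(c.islower() for c in pp)
            and any(not c.isalpha() and not c.isspace() for c in pp)):
        raise ValueError("pass-phrase lacks a required character class")

def normalize_seed(seed: str) -> str:
    """Seed: 1 to 16 alphanumerics, no blanks, lower-cased before use."""
    if not re.fullmatch(r"[A-Za-z0-9]{1,16}", seed):
        raise ValueError("bad seed")
    return seed.lower()

CHALLENGE = re.compile(
    r"otp-([a-z0-9]+)[ \t]+([0-9]+)[ \t]+([A-Za-z0-9]{1,16})[ \n]")

def parse_challenge(text: str):
    """Recognise 'otp-<alg> <count> <seed>' in context; the challenge must
    be terminated by a blank or a newline."""
    m = CHALLENGE.search(text)
    if not m:
        raise ValueError("no OTP challenge found")
    return m.group(1), int(m.group(2)), normalize_seed(m.group(3))

def compute_otp(pass_phrase: str, seed: str, count: int) -> bytes:
    """Generator: the initial step folds seed||pass-phrase to S; the
    computation step then passes S through the hash 'count' times."""
    check_pass_phrase(pass_phrase)
    s = fold_md5((normalize_seed(seed) + pass_phrase).encode("ascii"))
    for _ in range(count):
        s = fold_md5(s)
    return s

def decode_hex(text: str) -> bytes:
    """Servers accept case-insensitive hexadecimal with any white space."""
    digits = "".join(text.split())
    if not re.fullmatch(r"[0-9A-Fa-f]{16}", digits):
        raise ValueError("not a 64-bit hexadecimal one-time password")
    return bytes.fromhex(digits)

class OtpServer:
    """Section 7.0 verification, section 8.0 reinitialisation and the
    section 9.0 defence of one authentication in flight per user."""

    def __init__(self, timeout=60.0):
        self.state = {}      # user -> [seed, count, last accepted OTP]
        self.in_flight = {}  # user -> deadline of the open session
        self.timeout = timeout

    def initialize(self, user, seed, count, first_otp: bytes):
        """(Re)initialise a sequence; the seed MUST change on reinit."""
        old = self.state.get(user)
        if old and old[0] == normalize_seed(seed):
            raise ValueError("reinitialisation must change the seed")
        self.state[user] = [normalize_seed(seed), count, first_otp]

    def challenge(self, user) -> str:
        seed, count, _ = self.state[user]
        return "otp-md5 %d %s" % (count - 1, seed)

    def begin(self, user, now=None) -> bool:
        """Refuse a second concurrent session until the first finishes or
        times out; the timeout keeps this from becoming a denial of service."""
        now = time.monotonic() if now is None else now
        if self.in_flight.get(user, 0.0) > now:
            return False
        self.in_flight[user] = now + self.timeout
        return True

    def finish(self, user, response: str) -> bool:
        """Hash the received key once; a match with the stored OTP accepts
        it and it becomes the new stored value."""
        try:
            candidate = decode_hex(response)
            ok = hmac.compare_digest(fold_md5(candidate), self.state[user][2])
        except (ValueError, KeyError):
            ok = False
        if ok:
            self.state[user][1] -= 1
            self.state[user][2] = candidate
        self.in_flight.pop(user, None)
        return ok
```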
10.0 SECURITY CONSIDERATIONS

   This entire document discusses an authentication system that
   improves security by limiting the danger of eavesdropping/replay
   attacks that have been used against simple password systems [4].

   The use of the OTP system only provides protection against passive
   eavesdropping/replay attacks. It does not provide for the privacy
   of transmitted data, and it does not provide protection against
   active attacks. Active attacks against TCP connections are known to
   be present in the current Internet [9].

   The success of the OTP system in protecting host systems is
   dependent on the non-invertibility of the secure hash functions
   used. To our knowledge, none of the hash algorithms have been
   broken, but it is generally believed [6] that MD4 is not as strong
   as MD5. If a server supports multiple hash algorithms, it is only
   as secure as the weakest algorithm.

11.0 ACKNOWLEDGMENTS

   The idea behind OTP authentication was first proposed by Leslie
   Lamport [1]. Bellcore's S/KEY system, from which OTP is derived, was
   proposed by Phil Karn, who also wrote most of the Bellcore reference
   implementation.

12.0 REFERENCES

   [1] Leslie Lamport, "Password Authentication with Insecure
       Communication", Communications of the ACM 24.11 (November
       1981), 770-772

   [2] R. L. Rivest, The MD4 Message-Digest Algorithm, "Request For
       Comments (RFC) 1320", MIT and RSA Data Security, Inc., April
       1992

   [3] Neil Haller, "The S/KEY One-Time Password System", Proceedings
       of the ISOC Symposium on Network and Distributed System
       Security, February 1994, San Diego, CA

   [4] Neil Haller & Ran Atkinson, On Internet Authentication,
       "Request for Comments (RFC) 1704", Bellcore and Naval Research
       Laboratory, October 1994

   [5] Neil Haller, The S/KEY One-Time Password System, "Request for
       Comments (RFC) 1760", Bellcore, February 1995

   [6] R. L. Rivest, The MD5 Message-Digest Algorithm, "Request For
       Comments (RFC) 1321", MIT and RSA Data Security, Inc., April
       1992

   [7] National Institute of Standards and Technology (NIST),
       "Announcing the Secure Hash Standard", FIPS 180-1, U.S.
       Department of Commerce, April 1995.

   [8] International Standard - Information Processing -- ISO 7-bit
       coded character set for information interchange (Invariant Code
       Set), ISO-646, International Standards Organization, Geneva,
       Switzerland, 1983

   [9] Computer Emergency Response Team (CERT), "IP Spoofing and
       Hijacked Terminal Connections", CA-95:01, January 1995.
       Available via anonymous ftp from info.cert.org in
       /pub/cert_advisories.

13.0 AUTHORS' ADDRESSES

   Neil Haller
   Bellcore
   MRE 2Q-280
   445 South Street
   Morristown, NJ, 07960-6438, USA

   Phone: +1 201 829-4478
   Fax:   +1 201 829-2504
   Email: nmh@bellcore.com

   Craig Metz
   Kaman Sciences Corporation
   For NRL Code 5544
   4555 Overlook Avenue, S.W.
   Washington, DC, 20375-5337, USA

   Phone: +1 202 404-7122
   Fax:   +1 202 404-7942
   Email: cmetz@cs.nrl.navy.mil

Appendix A - Interfaces to Secure Hash Algorithms

   MD4 Message Digest (see reference [2])

      strcpy(buf,seed);
      strcat(buf,passwd);
      MDbegin(&md);
      MDupdate(&md,(unsigned char *)buf,8*buflen);

      /* Fold result to 64 bits */
      md.buffer[0] ^= md.buffer[2];
      md.buffer[1] ^= md.buffer[3];

   MD5 Message Digest (see reference [6])

      MD5_CTX mdCxt;

      strcpy(buf,seed);
      strcat(buf,passwd);

      /* Crunch the key through MD5 */
      MD5Init(&mdCxt);
      MD5Update(&mdCxt,(unsigned char *)buf,buflen);
      MD5Final(&mdCxt);

      /* Fold result to 64 bits */
      for( i = 0; i < 8; i++ )
          result[i] = mdCxt.digest[i] ^ mdCxt.digest[i+8];

   SHA Secure Hash Algorithm (see reference [7])

      /* Fold 160 bit result to 64 bits */
      md.buffer[0] ^= md.buffer[2];
      md.buffer[1] ^= md.buffer[3];
      md.buffer[0] ^= md.buffer[4];

Appendix B - Alternative Dictionary Algorithm

   The purpose of alternative dictionary encoding of the OTP one-time
   password is to allow the use of language specific or friendly words.
   Servers SHOULD accept this encoding in addition to the standard 6-word
   and hexadecimal encodings.

   GENERATOR ENCODING USING AN ALTERNATE DICTIONARY

   The standard 6-word encoding uses the placement of a word in the
   dictionary to represent an 11-bit number. The 64-bit one-time
   password can then be represented by six words.

   An alternative dictionary of 2048 words may be created such that
   each word W and position of the word in the dictionary N obey the
   relationship:

      alg( uppercase( W ) ) % 2048 == N

   where alg is the hash algorithm used (e.g. MD4, MD5, SHA).

   In addition, no words in the standard dictionary may be chosen.
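An added Python example, not code from the draft, covering both the six-word checksum expansion of section 6.0 (Form of Output) and the alternate-dictionary relationship of this appendix together with the dictionary-free server decoding it goes on to describe. Names are assumed; since the draft does not say how alg() is read as a number, the folded 64-bit MD5 result of Appendix A taken as a big-endian integer is assumed, and the candidate words are constructed by search rather than taken from any real dictionary.

```python
import hashlib
import itertools
import string

# Added example, not code from the draft; names are assumed. The draft does
# not say how alg() is read as a number: assumed here to be the folded
# 64-bit MD5 result of Appendix A taken as a big-endian integer.

def fold_md5(data: bytes) -> bytes:
    d = hashlib.md5(data).digest()
    return bytes(d[i] ^ d[i + 8] for i in range(8))

def word_index(word: str) -> int:
    """Appendix B relationship: alg(uppercase(W)) % 2048 == N."""
    return int.from_bytes(fold_md5(word.upper().encode("ascii")), "big") % 2048

def checksum2(otp: bytes) -> int:
    """Form of Output: add the 32 two-bit groups of the 64-bit key and keep
    the two least significant bits of the sum."""
    v = int.from_bytes(otp, "big")
    return sum((v >> shift) & 3 for shift in range(0, 64, 2)) & 3

def to_indices(otp: bytes) -> list:
    """Expand 64 to 66 bits (key, then the checksum as the last two bits)
    and split into six 11-bit numbers, most significant first."""
    v = (int.from_bytes(otp, "big") << 2) | checksum2(otp)
    return [(v >> (55 - 11 * i)) & 0x7FF for i in range(6)]

def from_indices(indices) -> bytes:
    """Server side: reassemble the 66 bits and verify the checksum
    explicitly, as the draft requires."""
    if len(indices) != 6 or not all(0 <= n < 2048 for n in indices):
        raise ValueError("need six 11-bit numbers")
    v = 0
    for n in indices:
        v = (v << 11) | n
    key = (v >> 2).to_bytes(8, "big")
    if checksum2(key) != (v & 3):
        raise ValueError("checksum mismatch")
    return key

def alternate_word(n: int) -> str:
    """Construct a word for dictionary slot n: the first 1- to 4-letter
    string whose index is n and which is not made solely of A-F (which
    could be mistaken for hexadecimal). A real dictionary would also
    reject any word that appears in the standard dictionary."""
    for length in range(1, 5):
        for letters in itertools.product(string.ascii_lowercase, repeat=length):
            w = "".join(letters)
            if set(w) <= set("abcdef"):
                continue
            if word_index(w) == n:
                return w
    raise RuntimeError("no candidate found for slot %d" % n)

def encode_alternate(otp: bytes) -> list:
    """Generator: six words from a dictionary obeying the relationship."""
    return [alternate_word(n).upper() for n in to_indices(otp)]

def decode_alternate(words) -> bytes:
    """Server: no copy of the dictionary is needed, only the hash."""
    return from_indices([word_index(w) for w in words])
```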
   The generator expands the 64-bit one-time password to 66 bits by
   computing parity as with the standard 6-word encoding. The six
   11-bit numbers are then converted to words using the dictionary that
   was created such that the above relationship holds.

   SERVER DECODING OF ALTERNATE DICTIONARY ONE-TIME PASSWORDS

   The server accepting alternative dictionary encoding converts each
   word to an 11-bit number using the above encoding. These numbers are
   then used in the same way as the decoded standard dictionary words
   to form the 66-bit one-time password.

   The server does not need to have access to the alternate dictionary
   that was used to create the one-time password it is authenticating.
   This is because the decoding from word to 11-bit number does not
   make any use of the dictionary. As a result of the independence of
   the dictionary, a server accepting one alternate dictionary accepts
   all alternate dictionaries.

Appendix C - Dictionary for Converting Between 6-Word and Binary Formats

   This dictionary is from the module put.c.
   { "A",   "ABE", "ACE", "ACT", "AD",  "ADA", "ADD",
     "AGO", "AID", "AIM", "AIR", "ALL", "ALP", "AM",  "AMY",
     "AN",  "ANA", "AND", "ANN", "ANT", "ANY", "APE", "APS",
     "APT", "ARC", "ARE", "ARK", "ARM", "ART", "AS",  "ASH",
     "ASK", "AT",  "ATE", "AUG", "AUK", "AVE", "AWE", "AWK",
     "AWL", "AWN", "AX",  "AYE", "BAD", "BAG", "BAH", "BAM",
     "BAN", "BAR", "BAT", "BAY", "BE",  "BED", "BEE", "BEG",
     "BEN", "BET", "BEY", "BIB", "BID", "BIG", "BIN", "BIT",
     "BOB", "BOG", "BON", "BOO", "BOP", "BOW", "BOY", "BUB",
     "BUD", "BUG", "BUM", "BUN", "BUS", "BUT", "BUY", "BY",
     "BYE", "CAB", "CAL", "CAM", "CAN", "CAP", "CAR", "CAT",
     "CAW", "COD", "COG", "COL", "CON", "COO", "COP", "COT",
     "COW", "COY", "CRY", "CUB", "CUE", "CUP", "CUR", "CUT",
     "DAB", "DAD", "DAM", "DAN", "DAR", "DAY", "DEE", "DEL",
     "DEN", "DES", "DEW", "DID", "DIE", "DIG", "DIN", "DIP",
     "DO",  "DOE", "DOG", "DON", "DOT", "DOW", "DRY", "DUB",
     "DUD", "DUE", "DUG", "DUN", "EAR", "EAT", "ED",  "EEL",
     "EGG", "EGO", "ELI", "ELK", "ELM", "ELY", "EM",  "END",
     "EST", "ETC", "EVA", "EVE", "EWE", "EYE", "FAD", "FAN",
     "FAR", "FAT", "FAY", "FED", "FEE", "FEW", "FIB", "FIG",
     "FIN", "FIR", "FIT", "FLO", "FLY", "FOE", "FOG", "FOR",
     "FRY", "FUM", "FUN", "FUR", "GAB", "GAD", "GAG", "GAL",
     "GAM", "GAP", "GAS", "GAY", "GEE", "GEL", "GEM", "GET",
     "GIG", "GIL", "GIN", "GO",  "GOT", "GUM", "GUN", "GUS",
     "GUT", "GUY", "GYM", "GYP", "HA",  "HAD", "HAL", "HAM",
     "HAN", "HAP", "HAS", "HAT", "HAW", "HAY", "HE",  "HEM",
     "HEN", "HER", "HEW", "HEY", "HI",  "HID", "HIM", "HIP",
     "HIS", "HIT", "HO",  "HOB", "HOC", "HOE", "HOG", "HOP",
     "HOT", "HOW", "HUB", "HUE", "HUG", "HUH", "HUM", "HUT",
     "I",   "ICY", "IDA", "IF",  "IKE", "ILL", "INK", "INN",
     "IO",  "ION", "IQ",  "IRA", "IRE", "IRK", "IS",  "IT",
     "ITS", "IVY", "JAB", "JAG", "JAM", "JAN", "JAR", "JAW",
     "JAY", "JET", "JIG", "JIM", "JO",  "JOB", "JOE", "JOG",
     "JOT", "JOY", "JUG", "JUT", "KAY", "KEG", "KEN", "KEY",
     "KID", "KIM", "KIN", "KIT", "LA",  "LAB", "LAC", "LAD",
     "LAG", "LAM", "LAP", "LAW", "LAY", "LEA", "LED", "LEE",
     "LEG", "LEN", "LEO", "LET", "LEW", "LID", "LIE", "LIN",
     "LIP", "LIT", "LO",  "LOB", "LOG", "LOP", "LOS", "LOT",
     "LOU", "LOW", "LOY", "LUG", "LYE", "MA",  "MAC", "MAD",
     "MAE", "MAN", "MAO", "MAP", "MAT", "MAW", "MAY", "ME",
     "MEG", "MEL", "MEN", "MET", "MEW", "MID", "MIN", "MIT",
     "MOB", "MOD", "MOE", "MOO", "MOP", "MOS", "MOT", "MOW",
     "MUD", "MUG", "MUM", "MY",  "NAB", "NAG", "NAN", "NAP",
     "NAT", "NAY", "NE",  "NED", "NEE", "NET", "NEW", "NIB",
     "NIL", "NIP", "NIT", "NO",  "NOB", "NOD", "NON", "NOR",
     "NOT", "NOV", "NOW", "NU",  "NUN", "NUT", "O",   "OAF",
     "OAK", "OAR", "OAT", "ODD", "ODE", "OF",  "OFF", "OFT",
     "OH",  "OIL", "OK",  "OLD", "ON",  "ONE", "OR",  "ORB",
     "ORE", "ORR", "OS",  "OTT", "OUR", "OUT", "OVA", "OW",
     "OWE", "OWL", "OWN", "OX",  "PA",  "PAD", "PAL", "PAM",
     "PAN", "PAP", "PAR", "PAT", "PAW", "PAY", "PEA", "PEG",
     "PEN", "PEP", "PER", "PET", "PEW", "PHI", "PI",  "PIE",
     "PIN", "PIT", "PLY", "PO",  "POD", "POE", "POP", "POT",
     "POW", "PRO", "PRY", "PUB", "PUG", "PUN", "PUP", "PUT",
     "QUO", "RAG", "RAM", "RAN", "RAP", "RAT", "RAW", "RAY",
     "REB", "RED", "REP", "RET", "RIB", "RID", "RIG", "RIM",
     "RIO", "RIP", "ROB", "ROD", "ROE", "RON", "ROT", "ROW",
     "ROY", "RUB", "RUE", "RUG", "RUM", "RUN", "RYE", "SAC",
     "SAD", "SAG", "SAL", "SAM", "SAN", "SAP", "SAT", "SAW",
     "SAY", "SEA", "SEC", "SEE", "SEN", "SET", "SEW", "SHE",
     "SHY", "SIN", "SIP", "SIR", "SIS", "SIT", "SKI", "SKY",
     "SLY", "SO",  "SOB", "SOD", "SON", "SOP", "SOW", "SOY",
     "SPA", "SPY", "SUB", "SUD", "SUE", "SUM", "SUN", "SUP",
     "TAB", "TAD", "TAG", "TAN", "TAP", "TAR", "TEA", "TED",
     "TEE", "TEN", "THE", "THY", "TIC", "TIE", "TIM", "TIN",
     "TIP", "TO",  "TOE", "TOG", "TOM", "TON", "TOO", "TOP",
     "TOW", "TOY", "TRY", "TUB", "TUG", "TUM", "TUN", "TWO",
     "UN",  "UP",  "US",  "USE",
"VAN", "VAT", "VET", "VIE", 607 "WAD", "WAG", "WAR", "WAS", "WAY", "WE", "WEB", "WED", 608 "WEE", "WET", "WHO", "WHY", "WIN", "WIT", "WOK", "WON", 609 "WOO", "WOW", "WRY", "WU", "YAM", "YAP", "YAW", "YE", 610 "YEA", "YES", "YET", "YOU", "ABED", "ABEL", "ABET", "ABLE", 611 "ABUT", "ACHE", "ACID", "ACME", "ACRE", "ACTA", "ACTS", "ADAM", 612 "ADDS", "ADEN", "AFAR", "AFRO", "AGEE", "AHEM", "AHOY", "AIDA", 613 "AIDE", "AIDS", "AIRY", "AJAR", "AKIN", "ALAN", "ALEC", "ALGA", 614 "ALIA", "ALLY", "ALMA", "ALOE", "ALSO", "ALTO", "ALUM", "ALVA", 615 "AMEN", "AMES", "AMID", "AMMO", "AMOK", "AMOS", "AMRA", "ANDY", 616 "ANEW", "ANNA", "ANNE", "ANTE", "ANTI", "AQUA", "ARAB", "ARCH", 617 "AREA", "ARGO", "ARID", "ARMY", "ARTS", "ARTY", "ASIA", "ASKS", 618 "ATOM", "AUNT", "AURA", "AUTO", "AVER", "AVID", "AVIS", "AVON", 619 "AVOW", "AWAY", "AWRY", "BABE", "BABY", "BACH", "BACK", "BADE", 620 "BAIL", "BAIT", "BAKE", "BALD", "BALE", "BALI", "BALK", "BALL", 621 "BALM", "BAND", "BANE", "BANG", "BANK", "BARB", "BARD", "BARE", 622 "BARK", "BARN", "BARR", "BASE", "BASH", "BASK", "BASS", "BATE", 623 "BATH", "BAWD", "BAWL", "BEAD", "BEAK", "BEAM", "BEAN", "BEAR", 624 "BEAT", "BEAU", "BECK", "BEEF", "BEEN", "BEER", "BEET", "BELA", 625 "BELL", "BELT", "BEND", "BENT", "BERG", "BERN", "BERT", "BESS", 626 "BEST", "BETA", "BETH", "BHOY", "BIAS", "BIDE", "BIEN", "BILE", 627 "BILK", "BILL", "BIND", "BING", "BIRD", "BITE", "BITS", "BLAB", 628 "BLAT", "BLED", "BLEW", "BLOB", "BLOC", "BLOT", "BLOW", "BLUE", 629 "BLUM", "BLUR", "BOAR", "BOAT", "BOCA", "BOCK", "BODE", "BODY", 630 "BOGY", "BOHR", "BOIL", "BOLD", "BOLO", "BOLT", "BOMB", "BONA", 631 "BOND", "BONE", "BONG", "BONN", "BONY", "BOOK", "BOOM", "BOON", 632 "BOOT", "BORE", "BORG", "BORN", "BOSE", "BOSS", "BOTH", "BOUT", 633 "BOWL", "BOYD", "BRAD", "BRAE", "BRAG", "BRAN", "BRAY", "BRED", 634 "BREW", "BRIG", "BRIM", "BROW", "BUCK", "BUDD", "BUFF", "BULB", 635 "BULK", "BULL", "BUNK", "BUNT", "BUOY", "BURG", "BURL", "BURN", 636 "BURR", "BURT", "BURY", 
"BUSH", "BUSS", "BUST", "BUSY", "BYTE", 637 "CADY", "CAFE", "CAGE", "CAIN", "CAKE", "CALF", "CALL", "CALM", 638 "CAME", "CANE", "CANT", "CARD", "CARE", "CARL", "CARR", "CART", 639 "CASE", "CASH", "CASK", "CAST", "CAVE", "CEIL", "CELL", "CENT", 640 "CERN", "CHAD", "CHAR", "CHAT", "CHAW", "CHEF", "CHEN", "CHEW", 641 "CHIC", "CHIN", "CHOU", "CHOW", "CHUB", "CHUG", "CHUM", "CITE", 642 "CITY", "CLAD", "CLAM", "CLAN", "CLAW", "CLAY", "CLOD", "CLOG", 643 "CLOT", "CLUB", "CLUE", "COAL", "COAT", "COCA", "COCK", "COCO", 644 "CODA", "CODE", "CODY", "COED", "COIL", "COIN", "COKE", "COLA", 645 "COLD", "COLT", "COMA", "COMB", "COME", "COOK", "COOL", "COON", 646 "COOT", "CORD", "CORE", "CORK", "CORN", "COST", "COVE", "COWL", 647 "CRAB", "CRAG", "CRAM", "CRAY", "CREW", "CRIB", "CROW", "CRUD", 648 "CUBA", "CUBE", "CUFF", "CULL", "CULT", "CUNY", "CURB", "CURD", 649 "CURE", "CURL", "CURT", "CUTS", "DADE", "DALE", "DAME", "DANA", 650 "DANE", "DANG", "DANK", "DARE", "DARK", "DARN", "DART", "DASH", 651 "DATA", "DATE", "DAVE", "DAVY", "DAWN", "DAYS", "DEAD", "DEAF", 652 "DEAL", "DEAN", "DEAR", "DEBT", "DECK", "DEED", "DEEM", "DEER", 653 "DEFT", "DEFY", "DELL", "DENT", "DENY", "DESK", "DIAL", "DICE", 654 "DIED", "DIET", "DIME", "DINE", "DING", "DINT", "DIRE", "DIRT", 655 "DISC", "DISH", "DISK", "DIVE", "DOCK", "DOES", "DOLE", "DOLL", 656 "DOLT", "DOME", "DONE", "DOOM", "DOOR", "DORA", "DOSE", "DOTE", 657 "DOUG", "DOUR", "DOVE", "DOWN", "DRAB", "DRAG", "DRAM", "DRAW", 658 "DREW", "DRUB", "DRUG", "DRUM", "DUAL", "DUCK", "DUCT", "DUEL", 659 "DUET", "DUKE", "DULL", "DUMB", "DUNE", "DUNK", "DUSK", "DUST", 660 "DUTY", "EACH", "EARL", "EARN", "EASE", "EAST", "EASY", "EBEN", 661 "ECHO", "EDDY", "EDEN", "EDGE", "EDGY", "EDIT", "EDNA", "EGAN", 662 "ELAN", "ELBA", "ELLA", "ELSE", "EMIL", "EMIT", "EMMA", "ENDS", 663 "ERIC", "EROS", "EVEN", "EVER", "EVIL", "EYED", "FACE", "FACT", 664 "FADE", "FAIL", "FAIN", "FAIR", "FAKE", "FALL", "FAME", "FANG", 665 "FARM", "FAST", "FATE", "FAWN", "FEAR", "FEAT", 
"FEED", "FEEL", 666 "FEET", "FELL", "FELT", "FEND", "FERN", "FEST", "FEUD", "FIEF", 667 "FIGS", "FILE", "FILL", "FILM", "FIND", "FINE", "FINK", "FIRE", 668 "FIRM", "FISH", "FISK", "FIST", "FITS", "FIVE", "FLAG", "FLAK", 669 "FLAM", "FLAT", "FLAW", "FLEA", "FLED", "FLEW", "FLIT", "FLOC", 670 "FLOG", "FLOW", "FLUB", "FLUE", "FOAL", "FOAM", "FOGY", "FOIL", 671 "FOLD", "FOLK", "FOND", "FONT", "FOOD", "FOOL", "FOOT", "FORD", 672 "FORE", "FORK", "FORM", "FORT", "FOSS", "FOUL", "FOUR", "FOWL", 673 "FRAU", "FRAY", "FRED", "FREE", "FRET", "FREY", "FROG", "FROM", 674 "FUEL", "FULL", "FUME", "FUND", "FUNK", "FURY", "FUSE", "FUSS", 675 "GAFF", "GAGE", "GAIL", "GAIN", "GAIT", "GALA", "GALE", "GALL", 676 "GALT", "GAME", "GANG", "GARB", "GARY", "GASH", "GATE", "GAUL", 677 "GAUR", "GAVE", "GAWK", "GEAR", "GELD", "GENE", "GENT", "GERM", 678 "GETS", "GIBE", "GIFT", "GILD", "GILL", "GILT", "GINA", "GIRD", 679 "GIRL", "GIST", "GIVE", "GLAD", "GLEE", "GLEN", "GLIB", "GLOB", 680 "GLOM", "GLOW", "GLUE", "GLUM", "GLUT", "GOAD", "GOAL", "GOAT", 681 "GOER", "GOES", "GOLD", "GOLF", "GONE", "GONG", "GOOD", "GOOF", 682 "GORE", "GORY", "GOSH", "GOUT", "GOWN", "GRAB", "GRAD", "GRAY", 683 "GREG", "GREW", "GREY", "GRID", "GRIM", "GRIN", "GRIT", "GROW", 684 "GRUB", "GULF", "GULL", "GUNK", "GURU", "GUSH", "GUST", "GWEN", 685 "GWYN", "HAAG", "HAAS", "HACK", "HAIL", "HAIR", "HALE", "HALF", 686 "HALL", "HALO", "HALT", "HAND", "HANG", "HANK", "HANS", "HARD", 687 "HARK", "HARM", "HART", "HASH", "HAST", "HATE", "HATH", "HAUL", 688 "HAVE", "HAWK", "HAYS", "HEAD", "HEAL", "HEAR", "HEAT", "HEBE", 689 "HECK", "HEED", "HEEL", "HEFT", "HELD", "HELL", "HELM", "HERB", 690 "HERD", "HERE", "HERO", "HERS", "HESS", "HEWN", "HICK", "HIDE", 691 "HIGH", "HIKE", "HILL", "HILT", "HIND", "HINT", "HIRE", "HISS", 692 "HIVE", "HOBO", "HOCK", "HOFF", "HOLD", "HOLE", "HOLM", "HOLT", 693 "HOME", "HONE", "HONK", "HOOD", "HOOF", "HOOK", "HOOT", "HORN", 694 "HOSE", "HOST", "HOUR", "HOVE", "HOWE", "HOWL", "HOYT", "HUCK", 695 "HUED", 
"HUFF", "HUGE", "HUGH", "HUGO", "HULK", "HULL", "HUNK", 696 "HUNT", "HURD", "HURL", "HURT", "HUSH", "HYDE", "HYMN", "IBIS", 697 "ICON", "IDEA", "IDLE", "IFFY", "INCA", "INCH", "INTO", "IONS", 698 "IOTA", "IOWA", "IRIS", "IRMA", "IRON", "ISLE", "ITCH", "ITEM", 699 "IVAN", "JACK", "JADE", "JAIL", "JAKE", "JANE", "JAVA", "JEAN", 700 "JEFF", "JERK", "JESS", "JEST", "JIBE", "JILL", "JILT", "JIVE", 701 "JOAN", "JOBS", "JOCK", "JOEL", "JOEY", "JOHN", "JOIN", "JOKE", 702 "JOLT", "JOVE", "JUDD", "JUDE", "JUDO", "JUDY", "JUJU", "JUKE", 703 "JULY", "JUNE", "JUNK", "JUNO", "JURY", "JUST", "JUTE", "KAHN", 704 "KALE", "KANE", "KANT", "KARL", "KATE", "KEEL", "KEEN", "KENO", 705 "KENT", "KERN", "KERR", "KEYS", "KICK", "KILL", "KIND", "KING", 706 "KIRK", "KISS", "KITE", "KLAN", "KNEE", "KNEW", "KNIT", "KNOB", 707 "KNOT", "KNOW", "KOCH", "KONG", "KUDO", "KURD", "KURT", "KYLE", 708 "LACE", "LACK", "LACY", "LADY", "LAID", "LAIN", "LAIR", "LAKE", 709 "LAMB", "LAME", "LAND", "LANE", "LANG", "LARD", "LARK", "LASS", 710 "LAST", "LATE", "LAUD", "LAVA", "LAWN", "LAWS", "LAYS", "LEAD", 711 "LEAF", "LEAK", "LEAN", "LEAR", "LEEK", "LEER", "LEFT", "LEND", 712 "LENS", "LENT", "LEON", "LESK", "LESS", "LEST", "LETS", "LIAR", 713 "LICE", "LICK", "LIED", "LIEN", "LIES", "LIEU", "LIFE", "LIFT", 714 "LIKE", "LILA", "LILT", "LILY", "LIMA", "LIMB", "LIME", "LIND", 715 "LINE", "LINK", "LINT", "LION", "LISA", "LIST", "LIVE", "LOAD", 716 "LOAF", "LOAM", "LOAN", "LOCK", "LOFT", "LOGE", "LOIS", "LOLA", 717 "LONE", "LONG", "LOOK", "LOON", "LOOT", "LORD", "LORE", "LOSE", 718 "LOSS", "LOST", "LOUD", "LOVE", "LOWE", "LUCK", "LUCY", "LUGE", 719 "LUKE", "LULU", "LUND", "LUNG", "LURA", "LURE", "LURK", "LUSH", 720 "LUST", "LYLE", "LYNN", "LYON", "LYRA", "MACE", "MADE", "MAGI", 721 "MAID", "MAIL", "MAIN", "MAKE", "MALE", "MALI", "MALL", "MALT", 722 "MANA", "MANN", "MANY", "MARC", "MARE", "MARK", "MARS", "MART", 723 "MARY", "MASH", "MASK", "MASS", "MAST", "MATE", "MATH", "MAUL", 724 "MAYO", "MEAD", "MEAL", "MEAN", 
"MEAT", "MEEK", "MEET", "MELD", 725 "MELT", "MEMO", "MEND", "MENU", "MERT", "MESH", "MESS", "MICE", 726 "MIKE", "MILD", "MILE", "MILK", "MILL", "MILT", "MIMI", "MIND", 727 "MINE", "MINI", "MINK", "MINT", "MIRE", "MISS", "MIST", "MITE", 728 "MITT", "MOAN", "MOAT", "MOCK", "MODE", "MOLD", "MOLE", "MOLL", 729 "MOLT", "MONA", "MONK", "MONT", "MOOD", "MOON", "MOOR", "MOOT", 730 "MORE", "MORN", "MORT", "MOSS", "MOST", "MOTH", "MOVE", "MUCH", 731 "MUCK", "MUDD", "MUFF", "MULE", "MULL", "MURK", "MUSH", "MUST", 732 "MUTE", "MUTT", "MYRA", "MYTH", "NAGY", "NAIL", "NAIR", "NAME", 733 "NARY", "NASH", "NAVE", "NAVY", "NEAL", "NEAR", "NEAT", "NECK", 734 "NEED", "NEIL", "NELL", "NEON", "NERO", "NESS", "NEST", "NEWS", 735 "NEWT", "NIBS", "NICE", "NICK", "NILE", "NINA", "NINE", "NOAH", 736 "NODE", "NOEL", "NOLL", "NONE", "NOOK", "NOON", "NORM", "NOSE", 737 "NOTE", "NOUN", "NOVA", "NUDE", "NULL", "NUMB", "OATH", "OBEY", 738 "OBOE", "ODIN", "OHIO", "OILY", "OINT", "OKAY", "OLAF", "OLDY", 739 "OLGA", "OLIN", "OMAN", "OMEN", "OMIT", "ONCE", "ONES", "ONLY", 740 "ONTO", "ONUS", "ORAL", "ORGY", "OSLO", "OTIS", "OTTO", "OUCH", 741 "OUST", "OUTS", "OVAL", "OVEN", "OVER", "OWLY", "OWNS", "QUAD", 742 "QUIT", "QUOD", "RACE", "RACK", "RACY", "RAFT", "RAGE", "RAID", 743 "RAIL", "RAIN", "RAKE", "RANK", "RANT", "RARE", "RASH", "RATE", 744 "RAVE", "RAYS", "READ", "REAL", "REAM", "REAR", "RECK", "REED", 745 "REEF", "REEK", "REEL", "REID", "REIN", "RENA", "REND", "RENT", 746 "REST", "RICE", "RICH", "RICK", "RIDE", "RIFT", "RILL", "RIME", 747 "RING", "RINK", "RISE", "RISK", "RITE", "ROAD", "ROAM", "ROAR", 748 "ROBE", "ROCK", "RODE", "ROIL", "ROLL", "ROME", "ROOD", "ROOF", 749 "ROOK", "ROOM", "ROOT", "ROSA", "ROSE", "ROSS", "ROSY", "ROTH", 750 "ROUT", "ROVE", "ROWE", "ROWS", "RUBE", "RUBY", "RUDE", "RUDY", 751 "RUIN", "RULE", "RUNG", "RUNS", "RUNT", "RUSE", "RUSH", "RUSK", 752 "RUSS", "RUST", "RUTH", "SACK", "SAFE", "SAGE", "SAID", "SAIL", 753 "SALE", "SALK", "SALT", "SAME", "SAND", "SANE", "SANG", 
"SANK", 754 "SARA", "SAUL", "SAVE", "SAYS", "SCAN", "SCAR", "SCAT", "SCOT", 755 "SEAL", "SEAM", "SEAR", "SEAT", "SEED", "SEEK", "SEEM", "SEEN", 756 "SEES", "SELF", "SELL", "SEND", "SENT", "SETS", "SEWN", "SHAG", 757 "SHAM", "SHAW", "SHAY", "SHED", "SHIM", "SHIN", "SHOD", "SHOE", 758 "SHOT", "SHOW", "SHUN", "SHUT", "SICK", "SIDE", "SIFT", "SIGH", 759 "SIGN", "SILK", "SILL", "SILO", "SILT", "SINE", "SING", "SINK", 760 "SIRE", "SITE", "SITS", "SITU", "SKAT", "SKEW", "SKID", "SKIM", 761 "SKIN", "SKIT", "SLAB", "SLAM", "SLAT", "SLAY", "SLED", "SLEW", 762 "SLID", "SLIM", "SLIT", "SLOB", "SLOG", "SLOT", "SLOW", "SLUG", 763 "SLUM", "SLUR", "SMOG", "SMUG", "SNAG", "SNOB", "SNOW", "SNUB", 764 "SNUG", "SOAK", "SOAR", "SOCK", "SODA", "SOFA", "SOFT", "SOIL", 765 "SOLD", "SOME", "SONG", "SOON", "SOOT", "SORE", "SORT", "SOUL", 766 "SOUR", "SOWN", "STAB", "STAG", "STAN", "STAR", "STAY", "STEM", 767 "STEW", "STIR", "STOW", "STUB", "STUN", "SUCH", "SUDS", "SUIT", 768 "SULK", "SUMS", "SUNG", "SUNK", "SURE", "SURF", "SWAB", "SWAG", 769 "SWAM", "SWAN", "SWAT", "SWAY", "SWIM", "SWUM", "TACK", "TACT", 770 "TAIL", "TAKE", "TALE", "TALK", "TALL", "TANK", "TASK", "TATE", 771 "TAUT", "TEAL", "TEAM", "TEAR", "TECH", "TEEM", "TEEN", "TEET", 772 "TELL", "TEND", "TENT", "TERM", "TERN", "TESS", "TEST", "THAN", 773 "THAT", "THEE", "THEM", "THEN", "THEY", "THIN", "THIS", "THUD", 774 "THUG", "TICK", "TIDE", "TIDY", "TIED", "TIER", "TILE", "TILL", 775 "TILT", "TIME", "TINA", "TINE", "TINT", "TINY", "TIRE", "TOAD", 776 "TOGO", "TOIL", "TOLD", "TOLL", "TONE", "TONG", "TONY", "TOOK", 777 "TOOL", "TOOT", "TORE", "TORN", "TOTE", "TOUR", "TOUT", "TOWN", 778 "TRAG", "TRAM", "TRAY", "TREE", "TREK", "TRIG", "TRIM", "TRIO", 779 "TROD", "TROT", "TROY", "TRUE", "TUBA", "TUBE", "TUCK", "TUFT", 780 "TUNA", "TUNE", "TUNG", "TURF", "TURN", "TUSK", "TWIG", "TWIN", 781 "TWIT", "ULAN", "UNIT", "URGE", "USED", "USER", "USES", "UTAH", 782 "VAIL", "VAIN", "VALE", "VARY", "VASE", "VAST", "VEAL", "VEDA", 783 "VEIL", "VEIN", 
"VEND", "VENT", "VERB", "VERY", "VETO", "VICE", 784 "VIEW", "VINE", "VISE", "VOID", "VOLT", "VOTE", "WACK", "WADE", 785 "WAGE", "WAIL", "WAIT", "WAKE", "WALE", "WALK", "WALL", "WALT", 786 "WAND", "WANE", "WANG", "WANT", "WARD", "WARM", "WARN", "WART", 787 "WASH", "WAST", "WATS", "WATT", "WAVE", "WAVY", "WAYS", "WEAK", 788 "WEAL", "WEAN", "WEAR", "WEED", "WEEK", "WEIR", "WELD", "WELL", 789 "WELT", "WENT", "WERE", "WERT", "WEST", "WHAM", "WHAT", "WHEE", 790 "WHEN", "WHET", "WHOA", "WHOM", "WICK", "WIFE", "WILD", "WILL", 791 "WIND", "WINE", "WING", "WINK", "WINO", "WIRE", "WISE", "WISH", 792 "WITH", "WOLF", "WONT", "WOOD", "WOOL", "WORD", "WORE", "WORK", 793 "WORM", "WORN", "WOVE", "WRIT", "WYNN", "YALE", "YANG", "YANK", 794 "YARD", "YARN", "YAWL", "YAWN", "YEAH", "YEAR", "YELL", "YOGA", 795 "YOKE" };
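The six-word encoding (parity, 66-bit expansion, 11-bit chunking) and the server-side reassembly with its parity check, as an added example that is not the draft's text nor the put.c module. The dictionary is a parameter, since the real one is the Appendix C list; DEMO_DICT, the function names and the error texts are constructed for this example, and the word_to_index callable stands in for whatever word-to-number mapping a server applies, which for alternate dictionaries does not involve the generator's dictionary at all.

```python
# Added example, not code from the draft or from put.c: the standard
# six-word encoding and the server-side decoding described above.
# The 2048-word dictionary is a parameter (the real one is Appendix C);
# DEMO_DICT is a constructed stand-in so the block runs on its own.
from typing import Callable, List, Optional

WORD_COUNT = 6               # six words per one-time password
WORD_BITS = 11               # 6 * 11 = 66 = 64 password bits + 2 parity bits
DICT_SIZE = 1 << WORD_BITS   # 2048 entries
DEMO_DICT = ["w%04d" % i for i in range(DICT_SIZE)]   # constructed stand-in

def parity(otp: int) -> int:
    """Sum the 32 two-bit groups of the 64-bit password; keep the low 2 bits."""
    return sum((otp >> shift) & 3 for shift in range(0, 64, 2)) & 3

def encode_six_word(otp: int, dictionary: List[str]) -> List[str]:
    """Generator side: 64-bit OTP -> 66 bits (parity appended) -> six words."""
    if len(dictionary) != DICT_SIZE:
        raise ValueError("dictionary must have exactly 2048 words")
    if not 0 <= otp < (1 << 64):
        raise ValueError("one-time password must be a 64-bit value")
    bits66 = (otp << 2) | parity(otp)   # parity is the last two bits
    # The first word carries the most significant 11 bits.
    return [dictionary[(bits66 >> ((WORD_COUNT - 1 - i) * WORD_BITS)) & (DICT_SIZE - 1)]
            for i in range(WORD_COUNT)]

def decode_six_word(words: List[str],
                    word_to_index: Callable[[str], Optional[int]]) -> int:
    """Server side: six words -> 66 bits, parity checked -> 64-bit OTP.
    word_to_index is whatever mapping the server applies; for an alternate
    dictionary it is computed from the word itself, so the reassembly below
    never needs the generator's dictionary."""
    if len(words) != WORD_COUNT:
        raise ValueError("expected exactly six words")
    bits66 = 0
    for word in words:
        idx = word_to_index(word)
        if idx is None or not 0 <= idx < DICT_SIZE:
            raise ValueError("word not recognised: %r" % word)
        bits66 = (bits66 << WORD_BITS) | idx
    otp = bits66 >> 2
    if (bits66 & 3) != parity(otp):
        raise ValueError("parity mismatch: a word was mistyped or misordered")
    return otp

def standard_lookup(dictionary: List[str]) -> Callable[[str], Optional[int]]:
    """Word -> index for a standard (positional) dictionary; None if absent."""
    return {w: i for i, w in enumerate(dictionary)}.get

def decode_or_none(words: List[str], word_to_index) -> Optional[int]:
    """decode_six_word, but None instead of an exception for a rejected input."""
    try:
        return decode_six_word(words, word_to_index)
    except ValueError:
        return None
```

With the Appendix C list loaded in order, encode_six_word(0xD1854218EBBB0B51, dictionary) yields ROME MUG FRED SCAN LIVE LACE, the MD4 test vector published in RFC 2289.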