ACE Working Group                                              R. Corbel
Internet-Draft                                              Orange Group
Updates: 2289 (if approved)                             22 February 2025
Independent submission
Category: Informational
Expires: 26 August 2025


    Improvements to the One-Time Password System defined by RFC2289
              draft-corbel-ietf-ace-one-time-passwords-00

Abstract

   This document proposes a few improvements to RFC2289, which
   describes a One-Time Password System: interfaces to Secure Hash
   Algorithms, folding hashes to 64 bits, alternate dictionaries and
   automatic renewal of authentication parameters are studied in
   detail.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 26 August 2025.

Copyright Notice

   Copyright (c) 2025 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.

Corbel                   Expires 26 August 2025                 [Page 1]

Internet-Draft     Improvements to One Time Passwords         March 2025

   Please review these documents carefully, as they describe your
   rights and restrictions with respect to this document.  Code
   Components extracted from this document must include Revised BSD
   License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Revised BSD License.

Table of Contents

   1. Introduction
   2. Interfaces to Secure Hash Algorithms
   3. Folding hashes to 64 bits
   4. Holes in Alternate Dictionaries
   5. Automatic renewal of authentication parameters
   6. Security Considerations
   7. IANA Considerations
   8. References
   Appendix A - OTP Verification Examples
   Appendix B - French Alternate Dictionary
   Appendix C - Statistical analysis of EN and FR dictionaries
   Author's Address

1. Introduction

   When RFC2289 [0] was published in 1998, and became a Standards Track
   specification in 2000, it described a powerful One-Time Password
   system.

   Many things have changed since that time, notably the way hashes are
   computed: each hash algorithm used to have its own distinct
   interface, whereas a single interface serves all of them today.  We
   describe that single interface here.

   As a consequence, folding hashes to 64 bits (the length of a
   One-Time Password or OTP) requires a different technique, which is
   also described.

   Finally, we propose a technique for automatically renewing
   authentication parameters between a user and an OTP authentication
   server.

   Understanding RFC2289 is a requirement.

2. Interfaces to Secure Hash Algorithms

   In 1998, only three secure hash algorithms were commonly used: MD4
   [1], MD5 [2] and SHA1 [3].  As the security of those algorithms
   became insufficient, three new secure hash algorithms appeared:
   SHA256, SHA384 and SHA512 [4].  MD4 is not used anymore.

   A common interface has been defined by OpenSSL for those five hash
   algorithms:

      #include <string.h>
      #include <openssl/evp.h>

      /* algo is a string naming the desired hash. Case insensitive.
         Name is one of "md5", "sha1", "sha256", "sha384" and "sha512".
         data points to datalen bytes of input.
         Returns the digest length in bytes, or 0 on error. */
      unsigned int computeHash(const char * algo,
                               const unsigned char * data,
                               size_t datalen,
                               unsigned char digest[EVP_MAX_MD_SIZE+1])
      {
         EVP_MD_CTX * mdctx;
         unsigned int dlen = 0;
         const EVP_MD * md;

         md = EVP_get_digestbyname(algo);
         if (md == NULL) return 0;      /* unknown algorithm name */
         mdctx = EVP_MD_CTX_new();
         if (mdctx == NULL) return 0;

         /* Compute the hash. The length is passed explicitly:
            sizeof(data) would only give the size of a pointer. */
         memset(digest, 0, EVP_MAX_MD_SIZE+1);
         if (EVP_DigestInit_ex(mdctx, md, NULL) != 1 ||
             EVP_DigestUpdate(mdctx, data, datalen) != 1 ||
             EVP_DigestFinal_ex(mdctx, digest, &dlen) != 1)
            dlen = 0;

         /* Free the memory used by the context */
         EVP_MD_CTX_free(mdctx);
         return dlen;
      }

3. Folding hashes to 64 bits

   The lengths of the hashes produced by MD5, SHA1, SHA256, SHA384 and
   SHA512 are, respectively, 128, 160, 256, 384 and 512 bits.  Since
   the length of an OTP is 64 bits, it is necessary to fold the hashes.

   The technique for folding MD5 hashes to 64 bits is taken as is from
   RFC2289 (Appendix A, pp.12-13):

      /* The MD5 hash */
      unsigned char result[16];

      /* Fold the 128 bit result to 64 bits */
      for (i = 0; i < 8; i++)
         result[i] ^= result[i+8];

   The technique for folding SHA hashes to 64 bits is a generalization
   of the one presented in RFC2289 for SHA1.  It is designed to be
   compiled and to run on a 64-bit, Little Endian platform:

      #include <stdint.h>
      #include <string.h>

      /* dlen is the number of BYTES contained in the array pointed to
         by d1 (at most 64, the size of a SHA512 hash). d2 is the array
         that receives the result of the folding. */
      void foldShaTo64(unsigned int dlen, unsigned char * d1,
                       unsigned char d2[8])
      {
         /* Size of the array pointed to by d1 in number of 32-bit
            words */
         unsigned int dlen32 = dlen / 4;
         uint32_t ld[16];
         int i, j;

         /* Reject digests shorter than 64 bits or longer than 512 */
         if (dlen32 < 2 || dlen32 > 16) return;

         /* Copy digest d1 into an array of 32-bit words in native
            (Little Endian) byte order. memcpy avoids the alignment and
            aliasing problems of a pointer typecast. */
         memcpy(ld, d1, dlen32 * sizeof ld[0]);

         /* Actual folding to 64 bits. */
         for (unsigned int k = 2; k < dlen32; k++) {
            ld[k % 2] ^= ld[k];
         }

         /* Store the result as a Big Endian value in the output
            array. */
         for (i = 0, j = 0; j < 8; i++, j += 4) {
            d2[j+0] = (unsigned char)((ld[i] >> 24) & 0xFF);
            d2[j+1] = (unsigned char)((ld[i] >> 16) & 0xFF);
            d2[j+2] = (unsigned char)((ld[i] >>  8) & 0xFF);
            d2[j+3] = (unsigned char)((ld[i]      ) & 0xFF);
         }
      }

   We now have the tools for producing 64-bit OTPs from hashes computed
   by any of the five algorithms.  Appendix A gives a series of inputs
   and correct outputs to check the behavior of an implementation of an
   OTP generator (RFC2289 gives such information for MD5 and SHA1,
   while Appendix A here gives the information for the same inputs
   hashed by the SHA256, SHA384 and SHA512 hash algorithms).

   The conversion of a 64-bit OTP to a set of six words taken from the
   RFC2289 Standard Dictionary is based upon the same process: compute
   a 2-bit checksum from the 64-bit OTP and append those two bits to
   the end of the OTP, thus producing a 66-bit value; this value is
   then divided into six slices of 11 bits, which address six different
   words in a 2048-word dictionary.

4. Holes in Alternate Dictionaries

   RFC2289 specifies a 2048 English word dictionary (Appendix D p. 19)
   that can be used by OTP generators for converting a raw OTP
   expressed in hexadecimal into a set of six different words taken
   from that dictionary.  This feature is designed to ease
   authentication by human users.

   RFC2289 also specifies a way to use Alternate Dictionaries, that is,
   dictionaries made of 2048 words taken from a language other than
   English, no word appearing in more than one dictionary.  As stated
   in RFC2289 Appendix B p.14:

      "An alternative dictionary of 2048 words may be created such that
      each word W and position of the word in the dictionary N obey the
      relationship:

            alg( W ) % 2048 == N

      where alg is the hash algorithm used (e.g. MD4, MD5, SHA1). In
      addition, no words in the standard dictionary may be chosen."

   Let's consider the RFC2289 Standard Dictionary and the Alternate
   Dictionary defined in this document (Appendix B), made of 2048
   French words, and let's apply the above algorithm to both lists of
   words, using the five hash algorithms.

   The results can be found in this document (Appendix C).  For both
   lists, the collision rate varies from 35% to 37%.  This means that
   out of 10 words taken from one of the lists, almost 4 of them share
   at least two equal (alg(W) % 2048) values.

   Concretely, all the words W of an n-tuple that share the same
   (alg(W) % 2048) value are written to the same slot of the 2048-word
   alternate dictionary, the last word of the n-tuple overwriting the
   earlier ones.  As a result, this technique leaves (n-1) empty slots
   or "holes" in the final alternate dictionary.

   This MAY lead to a security weakness if an attacker gets to know the
   alternate dictionary computed, as shown above, from an initial list
   of 2048 words (every one being different from the words in the
   Standard Dictionary).  The alternate dictionary is reduced by 35%,
   possibly easing the task of guessing one or more words that will
   appear in the next OTP.

5. Automatic renewal of authentication parameters

   By design, OTPs cannot be used forever by the same user: when the
   sequence number, decreased at each successful authentication,
   reaches zero, the user can't authenticate anymore.

   A reset of the user's parameters must be done by providing the
   server with, at least, a new sequence number and the matching OTP,
   but this is dangerous because it can lead to the generation of the
   same sequence of OTPs.  This would expose the user to race attacks.

   It is then highly recommended that the user provide the server
   with:

   -  a different hash algorithm name (at most 10 characters plus the
      ending zero);

   -  a new seed (at most 16 characters plus the ending zero);

   -  a new sequence number (a 4-byte Little Endian unsigned integer);

   -  and the (first) matching OTP (64 bits i.e. 8 bytes).

   1. So, when the user, just authenticated, sees that his sequence
      number has reached zero, he can simply generate the above values
      (with the help of a good random number generator when it comes to
      the new seed and the new sequence number), store them in a 1+40
      bytes block, where the first byte codes for the request to renew
      the authentication parameters, and send the block to the server.
      The block MAY be encoded in Base 64.

   2. Upon receiving the renewal request, the server reads the new
      values (possibly encoded in Base 64) stored in the block and
      sends the block back to the user with its first byte indicating
      that the renewal request has been received.

   3. Upon receiving the acknowledgement block from the server, the
      user checks that it contains the same values as those stored in
      the original block.  If they are different, the user tries again
      to send the original block, until three failures occur, or the
      transmission has succeeded.  If the values are the same, the user
      finally sends the server the original block with its first byte
      indicating the transaction is ok.

   4. The server finally updates the user's authentication parameters.
      The user can authenticate again.

   This three-way handshake ensures that the server has updated the
   user's record with correct data, and that no field receives
   impossible values (like a corrupted hash algorithm name).

   The algorithm above does not describe the first-time initialization
   of a new user.

6. Security Considerations

   Note that the technique described in Section 5 above allows the user
   to update his authentication parameters at any time, whatever the
   value of the sequence number.  It is then possible to design the
   user client program so that it requests a renewal of its
   authentication parameters on a regular basis (every hour, every
   twelve hours,...).  The client program can also choose a random
   number between 1 and the current sequence number, and require a
   renewal when the sequence number reaches the random number.

   These techniques would constitute a good protection against race
   attacks, because they prevent an attacker from accumulating data on
   the sequences of OTPs he may see.

7. IANA Considerations

   This document has no actions for IANA.

8. References

   [0]  Haller, N., "A One-Time Password System", RFC 2289, February
        1998.

   [1]  Rivest, R., "The MD4 Message-Digest Algorithm", RFC 1320, April
        1992.

   [2]  Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April
        1992.

   [3]  National Institute of Standards and Technology, NIST,
        "Announcing the Secure Hash Standard", FIPS 180-4, April 1995.

   [4]  Eastlake, D., Hansen, T., "US Secure Hash Algorithms", RFC
        6234, May 2011.

Appendix A - OTP Verification Examples

   This appendix provides a series of inputs and correct outputs for
   all three of the new OTP cryptographic hashes, specifically SHA256,
   SHA384 and SHA512.

   This document is intended to be used by developers for
   interoperability checks when creating generators or servers.
   Output is provided in both hexadecimal notation and the six-word
   encoding with the RFC2289 Standard Dictionary.

   SHA256 ENCODINGS

   Passphrase       Seed     Cnt  Hex                  Six Word Format
   ========================================================================
   This is a test.  TeSt       0  6FF2 6FCA 1D41 2482  DATA HANG USER SAP EVE TOM
   This is a test.  TeSt       1  61A3 30FB 5460 EFE8  BUSY HAY SUP KYLE DO VEND
   This is a test.  TeSt      99  A759 47C5 CB99 C0FE  KLAN OVAL TURN HERO HUFF FERN
   AbCdEfGhIjK      alpha1     0  33B7 C6B4 7704 4BC2  PI MONK LENT TOOT WEB SODA
   AbCdEfGhIjK      alpha1     1  9D7B 7E17 5E8D 0112  HUSH SIGN FOWL MOAN RINK GARY
   AbCdEfGhIjK      alpha1    99  3CCC F2F5 054F 0E7C  SKY CLAY MOCK CAP TUNA SUB
   OTP's are good   correct    0  3ACF A072 7DE5 CAFA  SAW FAIL HUH WILL BOOM FAIR
   OTP's are good   correct    1  4013 9EB6 13CA 6C66  TEN HUNT LEST MAW KING PEP
   OTP's are good   correct   99  A194 AD13 0170 DF76  JILL KATE WED APT DEN MILL

   SHA384 ENCODINGS

   Passphrase       Seed     Cnt  Hex                  Six Word Format
   ========================================================================
   This is a test.  TeSt       0  A25E 045C 7326 E83A  JOEL TROY GIL SWAY DALE IDA
   This is a test.  TeSt       1  0F19 0252 ACE0 9271  DOE OLIN HATH BLUE BUM ROW
   This is a test.  TeSt      99  BE65 531C A0CC E0D5  MOOD NAG OHIO TON REEK COOL
   AbCdEfGhIjK      alpha1     0  C542 1287 DBD0 6FFA  NONE EAT JOAN MARS BEN WONT
   AbCdEfGhIjK      alpha1     1  4A3D 9E8A C1CA DF58  AIRY TOGO JOIN FOAM LICE LEEK
   AbCdEfGhIjK      alpha1    99  8012 50DA 1475 F556  FILE HAIR RAT MOB BROW LATE
   OTP's are good   correct    0  3111 133B 8359 9CFA  OWL GALA REST BEE HOLT FAIL
   OTP's are good   correct    1  1D33 F015 80C0 F50D  IDA ISLE BAD ALP DON FROG
   OTP's are good   correct   99  F4D5 13BA 5694 3100  VICE KURD TOUR LEON UP FIND

   SHA512 ENCODINGS

   Passphrase       Seed     Cnt  Hex                  Six Word Format
   ========================================================================
   This is a test.  TeSt       0  9A33 631B AA8E 1097  HONK HOST OBOE BEAU SOAK ALTO
   This is a test.  TeSt       1  72B2 58A6 8686 BC04  DIAL HALF MOT DAD COWL ANT
   This is a test.  TeSt      99  41B5 690A 77B8 C1CC  TOO LAVA TUM TREK GIST SWAN
   AbCdEfGhIjK      alpha1     0  40EA E6E7 F6DA 6A1F  TIP BETH MELT TONY KIND DUB
   AbCdEfGhIjK      alpha1     1  D53A DF93 1E55 FB53  RUTH SARA SUIT SKI BUFF LAMB
   AbCdEfGhIjK      alpha1    99  91DC 3DF2 5AE1 A17F  GWEN SOLD EYED MAGI HER MOVE
   OTP's are good   correct    0  0F78 A93E 448A AC9A  DOT NONE AVID GAME LASS ANNE
   OTP's are good   correct    1  208A CD3F 2C54 BB0E  JOB BERG AVON BITS ALUM FUNK
   OTP's are good   correct   99  16AF FE29 10EC AB94  GEM FIGS GEAR KEY OWNS OUTS

Appendix B - French Alternate Dictionary

   This dictionary is made up of 2048 French words.  None of these
   words appears in the RFC2289 Standard Dictionary, and none of these
   words is composed solely of the letters A to F (thus avoiding
   confusion with hexadecimal numbers).

   This French dictionary MAY be used as an alternate dictionary by a
   user, although 35% of its words share at least two equal
   (alg(W)%2048) values (see Appendix C below).

   But, once again, this list can be used as is as an alternate
   dictionary because, when it receives a set of six words from this
   list computed by the user wishing to authenticate, the server just
   computes (alg(W)%2048) for each of the six words.  It doesn't care
   about the number of words in the alternate dictionary that generate
   the same (alg(W)%2048) value, nor does it need to know the alternate
   dictionary at all (as stated in RFC2289).
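
The slot construction of Section 4 and the server-side computation described above, as an added Python example (not code from this draft, which uses C and OpenSSL). It assumes alg(W) is the digest read as a big-endian integer and uses a constructed 2048-word list; `expected_holes()` gives the count that uniform hashing predicts, about 753 of 2048 (36.8%), in line with the Appendix C figures.

```python
import hashlib
from collections import defaultdict

SLOTS = 2048
ALGOS = ("md5", "sha1", "sha256", "sha384", "sha512")


def slot(word, algo):
    """alg(W) % 2048, with the digest read as a big-endian integer (assumption)."""
    digest = hashlib.new(algo, word.encode("ascii")).digest()
    return int.from_bytes(digest, "big") % SLOTS


def build_alternate_dictionary(words, algo):
    """Write each word to slot alg(W) % 2048; a later word overwrites an earlier one.

    Returns (table, overwritten): table[N] is the surviving word, or None for a
    hole; overwritten maps a slot number to the words that were displaced.
    """
    table = [None] * SLOTS
    overwritten = defaultdict(list)
    for word in words:
        n = slot(word, algo)
        if table[n] is not None:
            overwritten[n].append(table[n])
        table[n] = word
    return table, dict(overwritten)


def hole_report(words, algo):
    """Count the holes left in the computed dictionary for one hash algorithm."""
    table, overwritten = build_alternate_dictionary(words, algo)
    holes = sum(1 for entry in table if entry is None)
    return {
        "holes": holes,
        "occupied": SLOTS - holes,
        "overwritten": sum(len(lost) for lost in overwritten.values()),
        "ratio": holes / SLOTS,
    }


def expected_holes(n_words=SLOTS, slots=SLOTS):
    """Expected number of empty slots when n_words land uniformly at random."""
    return slots * (1 - 1 / slots) ** n_words


# Constructed word list standing in for a real 2048-word source list.
SAMPLE_WORDS = [f"MOT{i:04d}" for i in range(SLOTS)]

if __name__ == "__main__":
    print(f"uniform hashing predicts {expected_holes():.0f} holes "
          f"({expected_holes() / SLOTS:.1%})")
    for algo in ALGOS:
        report = hole_report(SAMPLE_WORDS, algo)
        print(f"{algo:>6}: {report['holes']} holes ({report['ratio']:.1%}), "
              f"{report['overwritten']} words overwritten")
```

With 2048 distinct words and 2048 slots, the number of holes always equals the number of overwritten words, which is the (n-1) count per n-tuple described in Section 4.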
{ "AAS", "ADO", "AGA", "AGE", "AGI", "AIE", "AIL", "AIS", "AIT", "ALE", "ALU", "AME", "AMI", "ANE", "ANS", "API", "ARA", "ARS", "ASA", "ASE", "AUX", "AXA", "AXE", "AYS", "BAI", "BAL", "BAS", "BAU", "BEL", "BER", "BIC", "BIO", "BIP", "BIS", "BLE", "BOA", "BOF", "BOL", "BOT", "BOX", "BRU", "BUE", "CAS", "CEP", "CES", "CET", "CHU", "CIF", "CIL", "CIS", "CLE", "COB", "COI", "COQ", "COR", "COU", "CRE", "CRI", "CRU", "CUL", "DAL", "DAO", "DAW", "DER", "DEY", "DIA", "DIS", "DIT", "DIX", "DOC", "DOL", "DOM", "DOP", "DOS", "DRU", "DUC", "DUO", "DUR", "DUS", "DUT", "EAU", "ECO", "ECU", "ELU", "EMU", "EON", "EPI", "ERE", "ERG", "ERS", "ETA", "ETE", "EUE", "EUH", "EUS", "EUT", "EUX", "EXO", "FAQ", "FAX", "FER", "FEU", "FEZ", "FIA", "FIC", "FIE", "FIL", "FIS", "FLA", "FOB", "FOC", "FOI", "FOL", "FOU", "FOX", "FUI", "FUS", "FUT", "GAI", "GAN", "GAZ", "GEO", "GEX", "GIS", "GIT", "GLU", "GOI", "GON", "GOS", "GOY", "GRE", "GUE", "GUI", "GUR", "HAI", "HEP", "HEU", "HIA", "HIC", "HIE", "HOU", "HUA", "HUI", "HUN", "IBN", "IBO", "ICI", "IDE", "IFS", "ILE", "ILS", "IPE", "ISO", "IVE", "IXA", "IXE", "JAS", "JEU", "JUS", "KAN", "KAS", "KEA", "KHI", "KIF", "KIL", "KIP", "KIR", "KOB", "KOP", "KOT", "KRU", "KSI", "KWA", "KYU", "LAI", "LAO", "LAS", "LEI", "LEK", "LEM", "LES", "LEU", "LEV", "LEZ", "LIA", "LIS", "LOF", "LOI", "LUE", "LUI", "LUS", "LUT", "LUX", "LYS", "MAI", "MAL", "MAS", "MAX", "MEC", "MEO", "MER", "MES", "MIE", "MIL", "MIR", "MIS", "MIX", "MMM", "MOA", "MOI", "MOL", "MON", "MOR", "MOU", "MOX", "MUA", "MUE", "MUR", "MUS", "MUT", "MYE", "NEF", "NEM", "NEO", "NES", "NEY", "NEZ", "NIA", "NID", "NIE", "NIF", "NOM", "NOS", "NUA", "NUE", "NUI", "NUL", "NUS", "OBA", "OBI", "OHE", "OHM", "OIE", "OKA", "OLA", "OLE", "ONC", "ONT", "OPE", "ORS", "OSA", "OSE", "OST", "OTA", "OTE", "OUD", "OUF", "OUH", "OUI", "OVE", "OXO", "OYE", "PAF", "PAS", "PEC", "PEU", "PFF", "PHO", "PIC", "PIF", "PIS",
"PIU", "PLI", "PLU", "POU", "PRE", "PSI", "PST", "PSY", "PUA", "PUE", "PUR", "PUS", "PUY", "QAT", "QIN", "QUE", "QUI", "RAB", "RAC", "RAD", "RAI", "RAS", "RAZ", "REA", "REE", "REG", "REM", "REZ", "RHE", "RHO", "RIA", "RIE", "RIF", "RIS", "RIT", "RIZ", "ROC", "ROI", "ROM", "ROS", "RUA", "RUS", "RUT", "RUZ", "SAI", "SAR", "SAS", "SAX", "SEL", "SEP", "SES", "SIC", "SIL", "SIX", "SKA", "SOC", "SOI", "SOL", "SOM", "SOT", "SOU", "SPI", "SUA", "SUC", "SUR", "SUS", "SUT", "TAC", "TAF", "TAO", "TAS", "TAT", "TAU", "TEC", "TEK", "TEL", "TEP", "TER", "TES", "TET", "TEX", "TIF", "TIR", "TOC", "TOI", "TOT", "TRI", "TUA", "TUE", "TUF", "TUS", "TUT", "UNE", "UNI", "UNS", "URE", "USA", "UTE", "VAL", "VAR", "VAS", "VAU", "VER", "VES", "VIA", "VIF", "VIL", "VIN", "VIS", "VIT", "VOL", "VOS", "VUE", "VUS", "WAP", "WAX", "WUS", "XENON", "YAK", "YEN", "YIN", "YOD", "YUE", "ZEC", "ZEE", "ZEF", "ZEK", "ZEN", "ZIG", "ZIP", "ZOB", "ZOE", "ZOO", "ZOU", "ZUP", "ZUT", "ABAT", "ABER", "ABOI", "ABOT", "ABRI", "ABUS", "ACCU", "ACES", "ACNE", "ACON", "ACRA", "ACTE", "ACTU", "ACUL", "ADAS", "ADAV", "ADNE", "ADON", "ADOS", "AERA", "AERE", "AFAT", "AFIN", "AGAS", "AGES", "AGHA", "AGIE", "AGIO", "AGIR", "AGIS", "AGIT", "AGUI", "AHAN", "AIES", "AIGU", "AILE", "AILS", "AIMA", "AIME", "AINE", "AIRA", "AIRE", "AIRS", "AISE", "AISY", "AJUT", "AKAN", "ALEA", "ALEM", "ALES", "ALFA", "ALLA", "ALLE", "ALLO", "ALOI", "ALPE", "ALUN", "ALUS", "ALYA", "AMAN", "AMAS", "AMER", "AMIE", "AMIS", "AMMI", "AMUI", "ANAL", "ANAR", "ANAS", "ANEE", "ANEL", "ANES", "ANGE", "ANIL", "ANIS", "ANON", "ANSE", "ANUS", "AOUT", "APAX", "APEX", "APIS", "APRE", "APTE", "ARAC", "ARAK", "ARAS", "ARCS", "ARDU", "AREC", "AREG", "ARES", "AREU", "ARIA", "ARMA", "ARME", "AROL", "ARUM", "ASES", "ASIN", "ASPE", "ASPI", "ASSE", "ASTI", "ATRE", "AUBE", "AUGE", "AULA", "AULX", "AUNA", "AUNE", "AVAL", "AVEC", "AVEN", "AVEU", "AVEZ", "AXAI", "AXAS", "AXAT", "AXEE", "AXEL", "AXER", "AXES", "AXEZ", "AXIS", "AYEZ", "AZUR", "BACS", "BAES", "BAHT", 
"BAIE", "BAIN", "BAIS", "BALS", "BANC", "BANI", "BANS", "BARS", "BASA", "BASI", "BATA", "BATI", "BATS", "BAUD", "BAUX", "BAVA", "BAVE", "BAYA", "BAYE", "BEAI", "BEAS", "BECS", "BEES", "BEEZ", "BEGU", "BEKE", "BELE", "BELS", "BENE", "BENI", "BENS", "BERK", "BERS", "BETE", "BEUR", "BEYS", "BIBI", "BICS", "BIEF", "BIGE", "BILA", "BINA", "BINE", "BINZ", "BIOS", "BIPA", "BIPE", "BIPS", "BIRR", "BISA", "BISE", "BITA", "BITU", "BIWA", "BLES", "BLET", "BLEU", "BLOG", "BOAS", "BOBO", "BOBS", "BOER", "BOGE", "BOGS", "BOIS", "BOIT", "BOLS", "BOME", "BONI", "BONS", "BOPS", "BORA", "BORD", "BORT", "BOTE", "BOTS", "BOUC", "BOUE", "BOUH", "BOUM", "BOUR", "BOUS", "BOXA", "BOXE", "BOYS", "BRAI", Corbel Expires 26 August 2025 [Page 11] Internet-Draft Improvements to One Time Passwords March 2025 "BRAS", "BREF", "BREN", "BRIE", "BRIK", "BRIN", "BRIO", "BRIS", "BROC", "BROL", "BROU", "BRRR", "BRUI", "BRUN", "BRUS", "BRUT", "BUEE", "BUES", "BUGS", "BUIS", "BUNA", "BUNS", "BURE", "BUSA", "BUSC", "BUSE", "BUTA", "BUTE", "BUTO", "BUTS", "CABS", "CADI", "CAGE", "CAID", "CALA", "CALE", "CALO", "CALS", "CAMA", "CAMP", "CANA", "CAPA", "CAPE", "CAPO", "CAPS", "CARI", "CARS", "CARY", "CASA", "CATA", "CATI", "CAVA", "CAYE", "CECI", "CEDI", "CELA", "CELE", "CENE", "CENS", "CEPE", "CEPS", "CERF", "CERS", "CEUX", "CHAH", "CHAI", "CHAN", "CHAS", "CHEB", "CHER", "CHEZ", "CHIA", "CHIE", "CHIP", "CHOC", "CHOP", "CHTI", "CHUE", "CHUS", "CHUT", "CHVA", "CIAO", "CIEL", "CILS", "CIME", "CINE", "CINQ", "CIRA", "CIRE", "CITA", "CIVE", "CLAC", "CLAP", "CLEF", "CLES", "CLIC", "CLIM", "CLIN", "CLIP", "CLOS", "CLOU", "COBS", "COCU", "COEF", "COIR", "COIS", "COIT", "COLO", "COLS", "CONE", "CONS", "COPS", "COQS", "CORS", "COSY", "COTA", "COTE", "COTI", "COUD", "COUP", "COUR", "COUS", "COUT", "CRAC", "CRAN", "CRAU", "CREA", "CREE", "CRET", "CRIA", "CRIC", "CRIE", "CRIN", "CRIS", "CROC", "CRUE", "CRUS", "CRUT", "CUBI", "CUCU", "CUIR", "CUIS", "CUIT", "CULA", "CULE", "CULS", "CURA", "CUTI", "CUVA", "CUVE", "CYAN", 
"CYME", "CYON", "CZAR", "DABS", "DAHU", "DAIL", "DAIM", "DAIS", "DAMA", "DAME", "DAMS", "DANS", "DAOS", "DARD", "DARI", "DAUW", "DAWS", "DEBS", "DECI", "DECO", "DECU", "DEFI", "DEJA", "DELA", "DEME", "DEMI", "DEMO", "DENI", "DENT", "DERS", "DEUG", "DEUX", "DEYS", "DIAM", "DIAS", "DIBI", "DICO", "DIEU", "DINA", "DIOL", "DIOT", "DIRA", "DISE", "DITE", "DITO", "DITS", "DIVA", "DOCS", "DODO", "DODU", "DOGE", "DOIS", "DOIT", "DOJO", "DOLA", "DOLO", "DOLS", "DOMS", "DONA", "DONC", "DONF", "DONG", "DONS", "DONT", "DOPA", "DOPE", "DOPS", "DORE", "DORS", "DORT", "DOSA", "DOTA", "DOTS", "DOUA", "DOUE", "DOUM", "DOUX", "DRAP", "DROP", "DRUE", "DRUS", "DRYS", "DUBS", "DUCE", "DUCS", "DUES", "DUIT", "DUOS", "DUPA", "DUPE", "DURA", "DURE", "DURS", "DYKE", "DYNE", "EAUX", "EBAT", "ECHA", "ECHE", "ECHU", "ECOS", "ECOT", "ECRU", "ECUS", "EDAM", "EGAL", "EJET", "ELFE", "ELIA", "ELIE", "ELIS", "ELIT", "ELLE", "ELUA", "ELUE", "ELUS", "ELUT", "EMBU", "EMET", "EMEU", "EMIA", "EMIE", "EMIR", "EMIS", "EMOI", "EMOU", "EMUE", "EMUS", "EMUT", "ENOL", "ENTA", "ENTE", "ENVI", "EONS", "EPAR", "EPEE", "EPIA", "EPIE", "EPIS", "EPOI", "ERES", "ERGS", "ERRA", "ERRE", "ERSE", "ESSE", "ESTE", "ETAI", "ETAL", "ETAT", "ETAU", "ETES", "ETOC", "ETRE", "ETUI", "EUES", "EURO", "EVOE", "EWES", "EXAM", "EXIL", "EXIT", "EXON", "EXOS", "EXPO", "EYRA", "FACS", "FADO", "FAFS", "FAIM", "FAIS", "FAIT", "FAIX", "FANA", "FANE", "FANS", "FAON", "FAQS", "FARD", "FARE", "FARO", "FARS", "FART", "FATS", "FAUT", "FAUX", "FAXA", "FAXE", "FEAL", "FEES", "FELA", "FELE", "FERA", "FERS", "FERU", "FETA", "FETE", "FETU", "FEUE", "FEUJ", "FEUS", "FEUX", "FEVE", "FIAI", "FIAS", "FIAT", "FICS", "FIEE", "FIEL", "FIER", "FIES", "FIEU", "FIEZ", "FIFI", "FIGE", "FILA", "FILO", "FILS", "FINI", "FINN", "FINS", "FION", "FIQH", "FISC", "FIXA", Corbel Expires 26 August 2025 [Page 12] Internet-Draft Improvements to One Time Passwords March 2025 "FIXE", "FIZZ", "FLAC", "FLAN", "FLET", "FLIC", "FLIP", "FLOE", "FLOP", "FLOT", "FLOU", "FLUA", 
"FLUO", "FLUX", "FOCS", "FOGS", "FOHN", "FOIE", "FOIN", "FOIS", "FORA", "FORS", "FOUI", "FOUS", "FOUT", "FOXE", "FRAC", "FRAI", "FRIC", "FRIS", "FRIT", "FROC", "FUGU", "FUIE", "FUIR", "FUIS", "FUIT", "FUMA", "FUNE", "FUNS", "FUSA", "FUTE", "FUTS", "GABA", "GADE", "GAGA", "GAGS", "GAIE", "GAIS", "GALS", "GANS", "GANT", "GAPS", "GARA", "GARE", "GARI", "GARS", "GATA", "GAVA", "GAYS", "GAZA", "GAZE", "GEAI", "GELA", "GELE", "GELS", "GEMI", "GENA", "GENS", "GEOS", "GERA", "GERE", "GIGA", "GINS", "GITA", "GITE", "GLAS", "GLEY", "GLIE", "GLUA", "GLUI", "GLUS", "GNON", "GNOU", "GOBA", "GOBE", "GODA", "GODE", "GOGE", "GOGO", "GOIM", "GOIS", "GOND", "GONS", "GORD", "GOTH", "GOUM", "GOUR", "GOYM", "GOYS", "GRAM", "GRAS", "GRAU", "GREA", "GREC", "GREE", "GRES", "GRIL", "GRIP", "GRIS", "GROG", "GROS", "GRRR", "GRUE", "GUAI", "GUEA", "GUEE", "GUES", "GUET", "GUIB", "GUIS", "GUNZ", "GURS", "GUSS", "GYMS", "HADJ", "HAIE", "HAIK", "HAIS", "HAIT", "HAJE", "HAKA", "HALA", "HARO", "HASE", "HATA", "HAUT", "HAVA", "HAVI", "HEIN", "HELA", "HELE", "HEME", "HEUR", "HIAI", "HIAS", "HIAT", "HIEE", "HIER", "HIES", "HIEZ", "HIFI", "HILE", "HITS", "HOAX", "HOCA", "HOIR", "HOLA", "HOMO", "HOPI", "HORA", "HORS", "HOTE", "HOTS", "HOTU", "HOUA", "HOUE", "HOUP", "HOUX", "HUAI", "HUAS", "HUAT", "HUBS", "HUEE", "HUER", "HUES", "HUEZ", "HUIS", "HUIT", "HUMA", "HUME", "HUNE", "HUNS", "HURE", "HUTU", "IBNS", "IBOS", "IDEE", "IDEM", "IDES", "IGNE", "IGUE", "IKAT", "ILES", "ILET", "ILOT", "IMAM", "IMAN", "IMBU", "INDE", "INDU", "INFO", "INNE", "INNU", "INOX", "INSU", "INTI", "INUK", "IODA", "IODE", "IPES", "IRAI", "IRAS", "IRES", "IREZ", "ISBA", "ISSA", "ISSU", "ITOU", "IULE", "IVES", "IVRE", "IWAN", "IXAI", "IXAS", "IXAT", "IXEE", "IXER", "IXES", "IXEZ", "IXIA", "JABS", "JACO", "JAIN", "JAIS", "JALE", "JAMS", "JANS", "JARD", "JARS", "JASA", "JASE", "JASS", "JAZZ", "JEEP", "JETA", "JETE", "JETS", "JEUN", "JEUX", "JEZE", "JOIE", "JOJO", "JOLI", "JONC", "JOTA", "JOUA", "JOUE", "JOUG", "JOUI", "JOUR", "JUBE", 
"JUGE", "JUIF", "JUIN", "JUMP", "JUPE", "JURA", "JURE", "JUTA", "KADI", "KAKI", "KALI", "KAMI", "KANA", "KANS", "KAON", "KAPO", "KART", "KATA", "KAVA", "KAWA", "KAWI", "KEAS", "KEPI", "KEUF", "KEUM", "KHAN", "KHAT", "KHOL", "KIDS", "KIEF", "KIFA", "KIFE", "KIFS", "KIKI", "KILO", "KILS", "KILT", "KINA", "KINE", "KIPS", "KIRS", "KITS", "KIWI", "KOAN", "KOBS", "KOKA", "KOLA", "KOPS", "KORA", "KORE", "KOTA", "KOTE", "KOTO", "KOTS", "KRAK", "KRUS", "KSAR", "KUNA", "KURU", "KVAS", "KWAS", "KYAT", "KYUS", "LABO", "LACA", "LACS", "LADS", "LAIC", "LAIE", "LAIS", "LAIT", "LAKH", "LALA", "LAMA", "LAOS", "LAPA", "LAPE", "LAPS", "LARE", "LARI", "LATS", "LAVE", "LAYA", "LAYE", "LEGE", "LEGO", "LEGS", "LEHM", "LEKS", "LEMS", "LESA", "LESE", "LEUR", "LEUS", "LEVA", "LEVE", "LEVS", "LIAI", "LIAS", "LIAT", "MAAR", "MACH", "MACS", "MAFE", "MAGE", "MAIA", "MAIE", "MAIS", "MAJE", "MAKI", "MALM", "MALS", "MAMY", "MANS", Corbel Expires 26 August 2025 [Page 13] Internet-Draft Improvements to One Time Passwords March 2025 "MANX", "MAOS", "MARA", "MARI", "MASO", "MATA", "MATI", "MATS", "MATU", "MAUX", "MAXI", "MAYA", "MAYE", "MAZA", "MAZE", "MECS", "MEDE", "MEGA", "MEGI", "MELA", "MELE", "MELO", "MELS", "MEME", "MENA", "MENE", "MENS", "MENT", "MEOS", "MERE", "MERL", "MERS", "MESA", "META", "METS", "MEUF", "MEUH", "MEUS", "MEUT", "MEZE", "MIAM", "MICA", "MIDI", "MIEL", "MIEN", "MIES", "MILS", "MIMA", "MIME", "MINA", "MING", "MINS", "MIPS", "MIRA", "MIRO", "MIRS", "MISA", "MISE", "MISO", "MITA", "MIXA", "MIXE", "MOAI", "MOAS", "MOBS", "MOCO", "MOHO", "MOIE", "MOIS", "MOKA", "MOKO", "MOLY", "MOME", "MONO", "MONS", "MORD", "MORS", "MOTO", "MOTS", "MOUD", "MOUE", "MOUS", "MOUT", "MOXA", "MOYA", "MOYE", "MUAI", "MUAS", "MUAT", "MUEE", "MUER", "MUES", "MUET", "MUEZ", "MUGE", "MUGI", "MUGS", "MUID", "MUNI", "MUON", "MURA", "MURE", "MURI", "MURS", "MUSA", "MUSC", "MUSE", "MUTA", "MYES", "NABI", "NAFE", "NAGA", "NAGE", "NAGI", "NAIF", "NAIN", "NAIS", "NAIT", "NAJA", "NANA", "NAOS", "NARD", "NASE", 
"NAYS", "NAZE", "NAZI", "NEEM", "NEES", "NEFS", "NEMI", "NEMS", "NENE", "NEOS", "NEPE", "NERE", "NERF", "NETS", "NEUF", "NEVE", "NEYS", "NIAI", "NIAS", "NIAT", "NIDA", "NIDS", "NIEE", "NIER", "NIES", "NIET", "NIEZ", "NIFE", "NIFS", "NITS", "NIVE", "NIXE", "NOCA", "NOCE", "NOIE", "NOIR", "NOIX", "NOME", "NOMS", "NORD", "NORI", "NOTA", "NOUA", "NOUC", "NOUE", "NOUS", "NOVE", "NOVI", "NOYA", "NOYE", "NUAI", "NUAS", "NUAT", "NUEE", "NUER", "NUES", "NUEZ", "NUIS", "NUIT", "NULS", "OBAS", "OBEI", "OBEL", "OBIS", "OBIT", "OBUS", "OCRA", "OCRE", "ODES", "OEIL", "OEUF", "OGAM", "OGRE", "OHMS", "OIES", "OING", "OINS", "OKAS", "OKRA", "OLAS", "OLIM", "OLLE", "OMET", "OMIS", "ONDE", "ONYX", "ONZE", "OPEN", "OPES", "OPTA", "OPTE", "OPUS", "ORBE", "ORDI", "ORDO", "OREE", "ORES", "ORGE", "ORIN", "ORLE", "ORME", "ORNA", "ORNE", "ORYX", "OSAI", "OSAS", "OSAT", "OSEE", "OSER", "OSES", "OSEZ", "OSSU", "OSTO", "OSTS", "OTAI", "OTAS", "OTAT", "OTEE", "OTER", "OTES", "OTEZ", "OUAH", "OUDS", "OUED", "OUFS", "OUIE", "OUIN", "OUIR", "OUIS", "OUPS", "OURS", "OUZO", "OVEE", "OVES", "OVIN", "OVNI", "OXER", "OYAT", "OYES", "OYEZ", "PACA", "PACK", "PACS", "PAFS", "PAGE", "PAGI", "PAIE", "PAIN", "PAIR", "PAIS", "PAIT", "PAIX", "PALA", "PALE", "PALI", "PALS", "PALU", "PAMA", "PAME", "PANA", "PANE", "PANS", "PAON", "PAPA", "PAPE", "PAPI", "PAPY", "PARA", "PARC", "PARE", "PARI", "PARS", "PART", "PARU", "PATE", "PATI", "PATS", "PAVA", "PAVE", "PAYA", "PAYE", "PAYS", "PEAN", "PEAU", "PECS", "PEDE", "PELA", "PELE", "PEND", "PENE", "PEON", "PEPE", "PEPS", "PERD", "PERE", "PERF", "PERI", "PERM", "PERS", "PESA", "PESE", "PESO", "PETA", "PETE", "PETS", "PEUH", "PEUL", "PEUR", "PEUT", "PEUX", "PEZE", "PFFT", "PFUT", "PHOS", "PHOT", "PIAF", "PIAN", "PICA", "PICS", "PIED", "PIER", "PIES", "PIEU", "PIFA", "PIFE", "PIFS", "PIGE", "PILA", "PILE", "PILS", "PINE", "PINS", "PION", "PIPA", "PIPE", "PIPI", "PIPO", "PIRE", "PISE", "PITA", "PITE", "PIVE", "PLAF", "PLAN", "PLAT", "PLIA", "PLIE", "PLIS", "PLOC", "PLOT", 
"PLUS", "PLUT", "PNEU", Corbel Expires 26 August 2025 [Page 14] Internet-Draft Improvements to One Time Passwords March 2025 "POCO", "POGO", "POIL", "POIS", "POIX", "POLE", "POLI", "POLO", "POLY", "POND", "PONT", "POOL", "POPE", "POPS", "PORC", "PORE", "PORT", "POSA", "POSE", "POTE", "POTS", "POTU", "POUF", "POUH", "POUM", "POUR", "POUX", "POYA", "PRAO", "PRES", "PRET", "PRIA", "PRIE", "PRIS", "PRIT", "PRIX", "PROF", "PROS", "PROU", "PSYS", "PUAI", "PUAS", "PUAT", "PUBS", "PUCE", "PUCK", "PUEE", "PUER", "PUES", "PUEZ", "PUIS", "PUJA", "PULA", "PULL", "PUMA", "PUNA", "PUNI", "PUNK", "PUNT", "PUPE", "PURE", "PURO", "PURS", "PUTE", "PUTS", "PUTT", "PUYS", "QATS", "QING", "QINS", "QUAI", "QUEL", "QUIA", "QUIZ", "QUOI", "RAAG", "RABE", "RABS", "RACA", "RADA", "RADE", "RADS", "RAGA", "RAIA", "RAIE", "RAIS", "RAIT", "RAJA", "RAKI", "RALA", "RALE", "RAMA", "RAME", "RAMI", "RAND", "RANG", "RANI", "RANZ", "RAPA", "RAPE", "RAPS", "RAPT", "RASA", "RASE", "RATA", "RATS", "RAVI", "RAYA", "RAYE", "REAC", "REAI", "REAS", "REAT", "REBU", "RECU", "REDU", "REER", "REES", "REEZ", "REGI", "REGS", "REIS", "RELU", "REMS", "RENE", "REPS", "REPU", "RETS", "REVA", "REVE", "REVU", "RHES", "RHUM", "RIAD", "RIAL", "RIAS", "RIDA", "RIEL", "RIEN", "RIES", "RIEZ", "RIFF", "RIFS", "RIMA", "RIOS", "RIPA", "RIPE", "RIRA", "RIRE", "RISS", "RITS", "RIVA", "RIVE", "RIXE", "ROBA", "ROBS", "ROCS", "RODA", "ROIS", "ROLE", "ROMS", "ROND", "ROSI", "ROTA", "ROTE", "ROTI", "ROTS", "ROUA", "ROUE", "ROUF", "ROUI", "ROUX", "RUAI", "RUAS", "RUAT", "RUEE", "RUER", "RUES", "RUEZ", "RUGI", "RUMB", "RUNE", "RUPA", "RUPE", "RUSA", "RUTS", "RYAD", "RYAL", "RYES", "SACS", "SADO", "SAGA", "SAIE", "SAIN", "SAIS", "SAIT", "SAKE", "SAKI", "SALA", "SALI", "SALS", "SAMU", "SANA", "SANS", "SAPA", "SAPE", "SARI", "SARS", "SART", "SATE", "SATI", "SAUF", "SAUR", "SAUT", "SAXE", "SAXO", "SCIA", "SCIE", "SEAU", "SECS", "SECU", "SEGA", "SEIN", "SELS", "SEMA", "SEME", "SENE", "SENS", "SEPS", "SEPT", "SERA", "SERE", "SERF", "SERS", 
"SERT", "SEUL", "SEVE", "SEVI", "SEXE", "SEXY", "SHAH", "SHIT", "SIAL", "SIDA", "SIDI", "TAAL", "TACO", "TACS", "TAEL", "TAFS", "TAGS", "TAIE", "TAIN", "TAIS", "TAIT", "TAKA", "TALA", "TALC", "TANS", "TANT", "TAON", "TAOS", "TAPA", "TAPE", "TAPI", "TARA", "TARD", "TARE", "TARI", "TARO", "TARS", "TAUX", "TAXA", "TAXE", "TAXI", "TEST", "TOUS", "TRES", "TROP", "TRIO", "TRUC", "TUBE", "UNIR", "VERS", "VERT", "VELO", "VITE", "VLAN", "VOIR", "VOIX", "VOUS", "VRAI", "WOLF", "XENON", "YACK", "YEUX", "YOGA", "ZINC" }; Corbel Expires 26 August 2025 [Page 15] Internet-Draft Improvements to One Time Passwords March 2025 Appendix C - Statistical analysis of EN and FR dictionaries For a given dictionary (EN or FR) and a given hash algorithm (md5, sha1, sha256, sha384 or sha512), this table shows the number (and ratio on 2048 words) of collisions - that is, the number of words that share at least two equal (alg(word) % 2048) values. The EN dictionary is the RFC2289 standard, while the FR dictionary is made of 2048 French different words shown in Appendix B above. None of these words appears in the English RFC2289 standard dictionary. _______________________________________________________ |\ | | | | | | | \ | | | | | | | \ alg | MD5 | SHA1 | SHA256 | SHA384 | SHA512 | | \ | | | | | | | \ | | | | | | | \ | | | | | | |lang \ | | | | | | | \| | | | | | |________|________|________|________|________|________| | | | | | | | | FR | 759 | 766 | 757 | 763 | 764 | | | 37,0% | 37,4% | 37,0% | 37,3% | 37,3% | |________|________|________|________|________|________| | | | | | | | | EN | 727 | 722 | 730 | 762 | 755 | | | 35,5% | 35,3% | 35,6% | 37,2% | 36,9% | |________|________|________|________|________|________| These figures show that collision rate varies from 35,3% to 37,4%, which can be considered very high, whatever the dictionary, word distribution and hash algorithm. 
   They mean that, among 10 words randomly chosen in a source
   dictionary, almost 4 of them share 1 slot in the final (computed)
   alternate dictionary.

Author's Address

   Regis Corbel
   Orange Group
   2 avenue Pierre Marzin
   22300 Lannion
   FRANCE

   regis.corbel@orange.com
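
The renewal exchange of Section 5, with the new OTP computed by the RFC2289 chain and the Section 3 folding, as an added Python example that is not part of this draft. The first-byte codes, the field order inside the 1+40 byte block, the seed alphabet check (taken from RFC2289) and the sequence-number range used for the demonstration are assumptions.

```python
import base64
import hashlib
import secrets
import struct

# First-byte codes are hypothetical: the draft assigns no values to them.
REQ_RENEW, ACK_RENEW, CONFIRM_OK = 0x01, 0x02, 0x03
ALGOS = ("md5", "sha1", "sha256", "sha384", "sha512")
# Assumed layout, in the order the draft lists the fields: code byte,
# algorithm name (10 chars + NUL), seed (16 chars + NUL),
# sequence number (4-byte little-endian unsigned), OTP (8 bytes).
BLOCK = struct.Struct("<B11s17sI8s")  # 1 + 40 bytes


def fold64(digest, algo):
    """Fold a digest to 64 bits as in Section 3, independent of host byte order."""
    out = bytearray(8)
    for i, byte in enumerate(digest):
        out[i % 8] ^= byte
    if algo == "md5":
        return bytes(out)
    # SHA family: each 32-bit half is stored byte-reversed, which is what
    # foldShaTo64 produces on a little-endian machine.
    return bytes(out[3::-1] + out[7:3:-1])


def otp(algo, passphrase, seed, count):
    """RFC2289 chain: hash lowercase seed + passphrase, then count more rounds."""
    data = (seed.lower() + passphrase).encode()
    value = fold64(hashlib.new(algo, data).digest(), algo)
    for _ in range(count):
        value = fold64(hashlib.new(algo, value).digest(), algo)
    return value


def validate(algo, seed, seq, otp8):
    """Reject impossible field values before they reach the user's record."""
    if algo.lower() not in ALGOS:
        raise ValueError("unknown hash algorithm name")
    if not (1 <= len(seed) <= 16 and seed.isascii() and seed.isalnum()):
        raise ValueError("seed must be 1 to 16 alphanumeric characters")
    if not 1 <= seq <= 0xFFFFFFFF:
        raise ValueError("sequence number out of range")
    if len(otp8) != 8:
        raise ValueError("OTP must be 8 bytes")


def pack_block(code, algo, seed, seq, otp8):
    validate(algo, seed, seq, otp8)  # struct would silently truncate long fields
    return BLOCK.pack(code, algo.lower().encode(), seed.encode(), seq, otp8)


def _cstring(field):
    text, zero, _ = field.partition(b"\0")
    if not zero:
        raise ValueError("missing ending zero")
    return text.decode("ascii")  # UnicodeDecodeError is a ValueError


def parse_block(raw):
    if len(raw) != BLOCK.size:
        raise ValueError("block must be 1 + 40 bytes")
    code, algo, seed, seq, otp8 = BLOCK.unpack(raw)
    algo, seed = _cstring(algo).lower(), _cstring(seed)
    validate(algo, seed, seq, otp8)
    return code, algo, seed, seq, otp8


def new_request(passphrase, current_algo):
    """Step 1 (user): new algorithm, seed and sequence number, plus matching OTP."""
    algo = secrets.choice([a for a in ALGOS if a != current_algo])
    seed = secrets.token_hex(8)          # 16 alphanumeric characters
    seq = 100 + secrets.randbelow(900)   # range chosen for this example
    return pack_block(REQ_RENEW, algo, seed, seq, otp(algo, passphrase, seed, seq))


def server_ack(request):
    """Step 2 (server): validate the request and echo it with the ACK code."""
    if parse_block(request)[0] != REQ_RENEW:
        raise ValueError("not a renewal request")
    return bytes([ACK_RENEW]) + request[1:]


def client_confirm(request, ack):
    """Step 3 (user): confirm only if the 40 echoed bytes equal those sent."""
    if len(ack) == BLOCK.size and ack[0] == ACK_RENEW and ack[1:] == request[1:]:
        return bytes([CONFIRM_OK]) + request[1:]
    return None  # caller resends the request, giving up after three failures


def server_commit(ack, confirm, record):
    """Step 4 (server): update the record only with what was acknowledged."""
    if len(confirm) != BLOCK.size or confirm[0] != CONFIRM_OK or confirm[1:] != ack[1:]:
        return False
    _, record["algo"], record["seed"], record["seq"], record["otp"] = parse_block(confirm)
    return True


if __name__ == "__main__":
    record = {"algo": "sha1", "seed": "oldseed", "seq": 0}  # constructed record
    request = new_request("A constructed pass phrase", record["algo"])
    print("request (Base 64):", base64.b64encode(request).decode())
    ack = server_ack(request)
    confirm = client_confirm(request, ack)
    print("committed:", server_commit(ack, confirm, record), record["algo"], record["seq"])
```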