
Kember Identity

Ever wonder if there is an MD5 hash the same as the original input? Nope, me neither. But Mr. Kember does and he's asking the world to help him find out if such a thing exists. There's no fame if you find it for him (he's humbly named it the "Kember Identity" already)—but you might make a little cash. Check out his web page for the details. Go ahead and enter his contest if you're feeling gullible lucky!

The MD5 algorithm returns a fixed-length 128-bit hash, so there are 2^128 possible values. The hash is typically expressed as a series of 32 hexadecimal digits. Since the input string and its hash must be the same to reflect the Kember Identity, you wouldn't need to test random strings like "ruby on rails rots your brain"; you only need to test strings that are 32 characters long and contain the numbers 0 through 9 and letters a through f, like 8d112b3c68248c12f178188c1b921ec1.

Kember suggests testing values at random because the range of candidates is so large (2^128 is 34,028,236,692,093,846,346,337,460,743,177). Unfortunately, there are a few problems with this approach: It actually takes less time to test all values sequentially than through random selection.

Additionally, one has to consider the possibility that such a value doesn't exist. The odds of finding the Kember Identity are actually quite small: 1/((2^128!)/(2^128!)(1-2^128)!). So how would you know when all possible values have been tested, proving the Kember Identity doesn't exist, if the values are tested randomly? You don't.

The only reliable way to programmatically identify whether the Kember Identity exists and what hashes exhibit it is to test each hash sequentially and record the results.
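A sketch of that sequential, recorded search, added here as an example and not taken from Kember's contest page. The function names are hypothetical, and the reduced problem (a short hex string that matches only the start of its own digest) is an assumption introduced so that a full sweep finishes and can be compared with the same number of random draws.

```python
import hashlib
import random

HEX = "0123456789abcdef"

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("ascii")).hexdigest()

def is_kember_identity(candidate: str) -> bool:
    """True when a 32-character lowercase hex string is its own MD5 digest."""
    if len(candidate) != 32 or any(c not in HEX for c in candidate):
        raise ValueError("candidate must be 32 lowercase hex characters")
    return md5_hex(candidate) == candidate

def sweep(start: int, count: int):
    """Test `count` consecutive 128-bit values; return (hits, next_start).

    Persisting next_start is the record that makes the search resumable and
    lets you state exactly which part of the space has been ruled out.
    """
    end = min(start + count, 1 << 128)
    hits = [s for s in (format(n, "032x") for n in range(start, end))
            if is_kember_identity(s)]
    return hits, end

def truncated_sweep(digits: int):
    """Reduced problem (assumption for illustration): strings of `digits` hex
    characters whose MD5 digest starts with the string itself. The space is
    small enough to exhaust, so the result is a proof either way."""
    total = 16 ** digits
    hits = [s for s in (format(n, f"0{digits}x") for n in range(total))
            if md5_hex(s)[:digits] == s]
    return hits, total

def random_coverage(digits: int, draws: int, seed: int = 1) -> float:
    """Fraction of the reduced space touched by `draws` random picks."""
    rng = random.Random(seed)
    total = 16 ** digits
    seen = {rng.randrange(total) for _ in range(draws)}
    return len(seen) / total

if __name__ == "__main__":
    print(sweep(0, 100_000))            # first 100,000 full-size candidates
    hits, total = truncated_sweep(4)    # all 65,536 four-digit candidates
    print(hits, total)
    print(random_coverage(4, total))    # same number of random draws
```

Drawing as many random candidates as the reduced space holds leaves roughly a third of it untested, while the sequential sweep of the same size settles the question for every candidate.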

The whole thing might not bother me if money weren't involved. Just send Mr. Kember your $5 entry fee and you're eligible to win the prize pot if your script is first to find the magical hash! But I have a few questions:
  • How do I contact Mr. Kember to receive my prize when I find a hash that exhibits the Kember Identity?

  • What happens to my $5 and the rest of the prize money if it is proven the Identity doesn't exist?

  • At 60-million hashes an hour, it would take over 646,987,670,262,051,588,140,743 millennia to verify them all. How long does Mr. Kember plan on holding on to the prize money?

While it might not be a scam (it says explicitly that it's not a scam somewhere on the irrationally highlighted contest page), it isn't well thought out.

Comments

  1. What the hell does any of this mean??? LOL.. DUDE! Good lord.. I think I hurt my brain bad... oyyyy.. now I think I just need a drink!!! LOLOLOLOL
