
Is an ASHWID guaranteed to uniquely identify a device?

We want to use a unique device identifier in a Windows 8 Metro app and the recommendation is an ASHWID, documented here:

http://msdn.microsoft.com/en-us/library/windows/apps/jj553431.aspx

I'm struggling to see how this can possibly be guaranteed unique. The format includes two bytes per hardware component, of which the most uniquely identifiable are MAC address and hard disk serial number. But just two bytes for those values really doesn't seem like enough.

If anything other than the least significant digits (the rightmost, as a human reads them) is taken, then two identical laptops adjacent on the production line would probably have the same ASHWIDs. The MACs and drive serials would likely be adjacent.

So, I guess the crux of my question really is how many devices have to be produced with the same CPU type and memory configuration before you're likely to hit a duplicate. Seems like the same sort of problem as the Birthday Paradox, so I found a calculator for that and plugged in the numbers :)

With one MAC address and one hard disk with a two-byte identifier each, you have about 4 billion permutations. Once you've allocated just 6,000 of them, it's roughly 50/50 that you've got two the same.

(go to http://jeff.aaron.ca/cgi-bin/birthday and plug in "6563" and "4294967296" for the actual calculation).

So this really doesn't seem very unique at all. Am I right in being ultra-sceptical of this identifier, or am I missing something really significant?

Chris Newman asked Sep 21 '12 16:09


2 Answers

No, the ASHWID is not guaranteed to uniquely identify a device. At work, I've seen dozens of daily collisions where one monthly is our tolerance.

Further, the ASHWID might frequently change for the same device -- since Windows 8 will often run on laptops that might add a docking station, USB thumb-drive, or a plug-in Bluetooth adapter. The best use of the ASHWID is for verifying that a user has only installed your app to a limited number of devices, and you do that by parsing the ASHWID and selectively comparing it to previously-seen ASHWIDs from that user.

As for a unique hardware identifier, I suggest an MD5 digest of a string containing multiple components, of which some components of the ASHWID can play a part.

You might randomly generate a large number (64+ bits) and store that (e.g. in the registry). And of course the user's login name/ID should be unique to that user, if you want something else to include in a hash. You also need to consider what you want to do if the user clones an OS install, or replaces the HD after a drive failure.

Back in the Windows Desktop world, I used the MachineGuid registry key and the serial number of the boot device, but I'm fighting to get access to that info in a Windows Store app. If you have access, MachineGuid is in HKLM\SOFTWARE\Microsoft\Cryptography, which MS guarantees to be unique. The serial number of the boot device, ::GetVolumeInformationW(::SHGetFolderPathW(~),~), will be fairly unique but only 32 bits.

AndrewS answered Oct 23 '22 22:10


From the article:

The ASHWID provides a strong binding between the app/package and the device by representing several individual hardware characteristics. In order to protect user privacy, the ASHWID varies from app to app. Unless the underlying hardware has changed, two calls from the same app will result in identical ASHWIDs. However, the ASHWID changes if the hardware profile of the device changes, such as when the user unplugs a USB Bluetooth adapter. The back-end cloud service can verify the ASHWID and compare it with previously reported values. Though the ASHWID varies, it can be parsed to detect if the variance was simply due to a minor change such as an addition of memory to the system. The level of tolerance for variance is up to the implementation of the back-end cloud service.

The ASHWID is made up of 9 components:

  1. CPU ID of the processor
  2. Size of the memory
  3. Serial number of the disk device
  4. Network adapter (NIC MAC address - first instance)
  5. Audio adapter
  6. Docking station
  7. Bluetooth address
  8. Mobile broadband device ID
  9. BIOS

CPU ID is only unique to processor model, but NIC MAC Address should be very unique. Having said that, MAC addresses can be cloned and USB NICs can be moved from device to device. So, while I guess it's possible for two devices to have the same ASHWID, it's very unlikely. What's most challenging in using this ID is the fact that hardware can change. It's up to the service to decide which parts of the ASHWID they allow to change and which parts they do not (acceptable variance). The article itself provides guidance on that.

Jared Bienz - MSFT answered Oct 24 '22 00:10
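
Both answers describe parsing the ASHWID on the back end and tolerating change in some components. The following is an added example of such a check, not code from either answer or from the MSDN article. It assumes each component is a 4-byte group (little-endian 2-byte type, then 2-byte value), that type codes follow the order of the 9-item list above, and a hypothetical policy that 3 of 4 "stable" components must match.

```python
import struct

# Type codes ASSUMED to follow the order of the 9-item list in the answer above.
COMPONENT_TYPES = {1: "cpu", 2: "memory", 3: "disk", 4: "nic", 5: "audio",
                   6: "dock", 7: "bluetooth", 8: "mobile_broadband", 9: "bios"}
# Hypothetical policy: components expected to survive docking or USB changes.
STABLE = ("cpu", "disk", "nic", "bios")


def parse_ashwid(blob: bytes) -> dict:
    """Split an ASHWID into {component name: set of 16-bit values}."""
    if not blob or len(blob) % 4:
        raise ValueError("ASHWID must be a non-empty multiple of 4 bytes")
    parsed = {}
    # Assumed layout: 2-byte little-endian type, then 2-byte value, per group.
    for ctype, value in struct.iter_unpack("<HH", blob):
        name = COMPONENT_TYPES.get(ctype, f"unknown_{ctype}")
        parsed.setdefault(name, set()).add(value)  # a type can repeat (two NICs)
    return parsed


def stable_matches(old: bytes, new: bytes) -> list:
    """Names of stable components that share at least one value in both IDs."""
    a, b = parse_ashwid(old), parse_ashwid(new)
    return [n for n in STABLE if a.get(n, set()) & b.get(n, set())]


def probably_same_device(old: bytes, new: bytes, required: int = 3) -> bool:
    # A match means "consistent with the same device", not proof: each value
    # is only 16 bits, so unrelated devices can share individual components.
    return len(stable_matches(old, new)) >= required


def build(pairs):  # helper for the constructed samples below
    return b"".join(struct.pack("<HH", t, v) for t, v in pairs)


# Constructed sample IDs (not taken from real devices).
LAPTOP = build([(1, 0x1111), (2, 0x0800), (3, 0xAAAA), (4, 0xBBBB),
                (5, 0x0101), (9, 0x9999)])
DOCKED = build([(1, 0x1111), (2, 0x0800), (3, 0xAAAA), (4, 0xBBBB), (4, 0xCCCC),
                (5, 0x0101), (6, 0x2222), (7, 0x3333), (9, 0x9999)])
SIBLING = build([(1, 0x1111), (2, 0x0800), (3, 0xDDDD), (4, 0xEEEE),
                 (5, 0x0101), (9, 0x9999)])

if __name__ == "__main__":
    print(probably_same_device(LAPTOP, DOCKED), stable_matches(LAPTOP, DOCKED))
    print(probably_same_device(LAPTOP, SIBLING), stable_matches(LAPTOP, SIBLING))
```

SIBLING models a second unit of the same laptop model: it shares CPU, memory, audio and BIOS values with LAPTOP, so a policy that ignored disk and NIC would treat the two as one device.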