HSM Client/Server Audit Correlation: DINAMO CIDs

August 12, 2018

One of the most important services provided by hardware security modules (HSMs) is logging of auditable events. Customers rely heavily on this functionality to track key/CSP usage, especially when legal constraints are involved.

DINAMOs are network attached HSMs, with services exposed over several TCP/IP client/server APIs. On a daily basis, millions of cryptographic transactions are handled by this architecture.

Besides facing all the optimization challenges related to high-performance (concurrent) logging, DINAMO deployments need to monitor what’s happening across multiple systems (e.g., different HSM pool nodes or app servers).

Microservices work under similar requirements, so DINAMO adopted their standard domain-level log grouping solution: sharing “unique” correlation ids (CIDs) between different software layers.

DINAMO sessions have corresponding 32-bit CIDs [0], allowing caller apps to correlate business logs and different HSM events/operations. An unsigned 4-byte number was chosen to balance low collision rates and backward compatibility.

[0] - derived from a strong hash function;
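The following is an added illustration, not DINAMO's code: it derives an unsigned 32-bit CID by truncating a SHA-256 digest (the post only says "a strong hash function", so the exact derivation is an assumption), groups constructed app-server and HSM audit lines from several hosts by CID, flags HSM operations that no application log accounts for, and estimates the birthday-bound collision probability for a 32-bit space. Log formats, host names and key labels are invented for the example.

```python
import hashlib
import math
import re
from collections import defaultdict

CID_BITS = 32
CID_SPACE = 1 << CID_BITS


def derive_cid(session_material: bytes) -> int:
    """Derive an unsigned 32-bit CID by truncating a SHA-256 digest.

    Assumption: the post states only that CIDs are 32-bit unsigned and
    derived from a strong hash; DINAMO's actual derivation is not shown.
    """
    digest = hashlib.sha256(session_material).digest()
    return int.from_bytes(digest[:4], "big")


def format_cid(cid: int) -> str:
    """Fixed-width lowercase hex so the field is grep-able and sortable."""
    if not 0 <= cid < CID_SPACE:
        raise ValueError("CID must fit in 32 unsigned bits")
    return f"{cid:08x}"


def collision_probability(n_sessions: int) -> float:
    """Birthday-bound estimate of P(at least one CID collision) among n sessions."""
    return 1.0 - math.exp(-n_sessions * (n_sessions - 1) / (2.0 * CID_SPACE))


# Constructed sample logs (formats invented for this example).
APP_LOGS = [
    "2018-08-12T10:00:01Z app-01 order-svc cid=0a1b2c3d event=sign_request order=4711",
    "2018-08-12T10:00:02Z app-01 order-svc cid=0a1b2c3d event=sign_ok order=4711",
    "2018-08-12T10:00:05Z app-02 order-svc cid=ffee0011 event=sign_request order=4712",
]
HSM_LOGS = [
    "2018-08-12T10:00:01Z hsm-node-1 cid=0a1b2c3d op=SIGN key=ord-sign-2018 status=OK",
    "2018-08-12T10:00:05Z hsm-node-2 cid=ffee0011 op=SIGN key=ord-sign-2018 status=OK",
    "2018-08-12T10:00:09Z hsm-node-2 cid=deadbeef op=EXPORT key=ord-sign-2018 status=OK",
]

# timestamp, host, then a 'cid=' field of exactly eight hex digits anywhere after.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s.*?\bcid=(?P<cid>[0-9a-fA-F]{8})\b")


def parse_cid(line: str):
    """Return the CID from a log line, or None when the line carries none."""
    m = LINE_RE.match(line)
    return m.group("cid").lower() if m else None


def correlate(app_lines, hsm_lines):
    """Group application and HSM audit lines by CID across all hosts."""
    groups = defaultdict(lambda: {"app": [], "hsm": []})
    for line in app_lines:
        cid = parse_cid(line)
        if cid:
            groups[cid]["app"].append(line)
    for line in hsm_lines:
        cid = parse_cid(line)
        if cid:
            groups[cid]["hsm"].append(line)
    return dict(groups)


def hsm_events_without_app_context(groups):
    """HSM audit events whose CID never appears in any application log.

    From an audit standpoint these are reviewed first: a key operation
    the business layer cannot account for.
    """
    return [line for g in groups.values() if not g["app"] for line in g["hsm"]]


if __name__ == "__main__":
    groups = correlate(APP_LOGS, HSM_LOGS)
    for cid, g in sorted(groups.items()):
        print(cid, len(g["app"]), "app line(s),", len(g["hsm"]), "hsm line(s)")
    for line in hsm_events_without_app_context(groups):
        print("UNMATCHED:", line)
    print(f"P(collision) at 65536 sessions: {collision_probability(65536):.3f}")
```

The birthday estimate is the practical caveat behind the author's quoted "unique": a 32-bit space reaches a roughly 39% collision chance at 65536 concurrent sessions, so correlation should be scoped by a time window (and, where available, by host) rather than treating a CID as a global key.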