All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Veeam Cryptographic Module based on the OpenSSL FIPS Provider

Certificate#5156StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorVeeam Software Corporation
Medium review priority  ·  no TCB surface named  ·  OpenSSL upstream has published 38 CVEs since this module's initial validation  ·  last validated 5 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date3/10/2030
CaveatWhen operated in approved mode. No assurance of the minimum strength of generated SSPs (e.g., keys).
VendorVeeam Software Corporation

Approved Algorithms (73)

AlgorithmACVP Cert
AES-CBCA3548
AES-CBC-CS1A3548
AES-CBC-CS2A3548
AES-CBC-CS3A3548
AES-CCMA3548
AES-CFB1A3548
AES-CFB128A3548
AES-CFB8A3548
AES-CMACA3548
AES-CTRA3548
AES-ECBA3548
AES-GCMA3548
AES-GMACA3548
AES-KWA3548
AES-KWPA3548
AES-OFBA3548
AES-XTS Testing Revision 2.0A3548
Counter DRBGA3548
DSA KeyGen (FIPS186-4)A3548
DSA PQGGen (FIPS186-4)A3548
DSA PQGVer (FIPS186-4)A3548
DSA SigGen (FIPS186-4)A3548
DSA SigVer (FIPS186-4)A3548
ECDSA KeyGen (FIPS186-4)A3548
ECDSA KeyVer (FIPS186-4)A3548
ECDSA SigGen (FIPS186-4)A3548
ECDSA SigVer (FIPS186-4)A3548
Hash DRBGA3548
HMAC DRBGA3548
HMAC-SHA-1A3548
HMAC-SHA2-224A3548
HMAC-SHA2-256A3548
HMAC-SHA2-384A3548
HMAC-SHA2-512A3548
HMAC-SHA2- 512/224A3548
HMAC-SHA2- 512/256A3548
HMAC-SHA3-224A3548
HMAC-SHA3-256A3548
HMAC-SHA3-384A3548
HMAC-SHA3-512A3548
KAS-ECC CDH- Component SP800-56Ar3 (CVL)A3548
KAS-ECC-SSC Sp800-56Ar3A3548
KAS-FFC-SSC Sp800-56Ar3A3548
KAS-IFC-SSCA3548
KDA HKDF SP800-56Cr2A3548
KDA OneStep SP800-56Cr2A3548
KDA TwoStep SP800-56Cr2A3548
KDF ANS 9.42 (CVL)A3548
KDF ANS 9.63 (CVL)A3548
KDF KMAC Sp800-108r1A3548
KDF SP800-108A3548
KDF SSH (CVL)A3548
KTS-IFCA3548
PBKDFA3548
RSA KeyGen (FIPS186-4)A3548
RSA SigGen (FIPS186-4)A3548
RSA Signature Primitive (CVL)A3548
RSA SigVer (FIPS186-4)A3548
SHA-1A3548
SHA2-224A3548
SHA2-256A3548
SHA2-384A3548
SHA2-512A3548
SHA2-512/224A3548
SHA2-512/256A3548
SHA3-224A3548
SHA3-256A3548
SHA3-384A3548
SHA3-512A3548
SHAKE-128A3548
SHAKE-256A3548
TLS v1.2 KDF RFC7627 (CVL)A3548
TLS v1.3 KDF (CVL)A3548

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification2
Cryptographic Module Interfaces3
Roles, Services, and Authentication4
Software/Firmware Security5
Operational Environment6
Self-Tests1
Life-Cycle Assurance1
Mitigation of Other Attacks1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Veeam Cryptographic Module based on the OpenSSL FIPS Provider
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Symmetric Encryption and Decryption<br/>Perform self- tests (All)<br/>Core (all except Teardown) (Show Status, Show…</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IPSEC</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C3,C5,C6 clue;
  class I3,I5,I6 infer;
  class R3,R5,R6 risk;
  class E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Veeam Cryptographic Module based on the OpenSSL FIPS Provider
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Symmetric Encryption and Decryption<br/>Perform self- tests (All)<br/>Core (all except Teardown) (Show Status, Show…</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IPSEC</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C3 clueHigh;
  class C5,C6 clueLow;

Security Policy, page by page

Page 1

Veeam Software Corporation Veeam Cryptographic Module based on the OpenSSL FIPS Provider Document Version 1.0 July 2025 Prepared by: www.lightshipsec.com

Page 2

Veeam Cryptographic Module based on the OpenSSL FIPS Provider Table of Contents Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 3

Veeam Cryptographic Module based on the OpenSSL FIPS Provider Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 4

Veeam Cryptographic Module based on the OpenSSL FIPS Provider List of Tables List of Figures Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 5
Security level
NameISO SectionRequirementLevel
11General1
22Cryptographic module specification1
33Cryptographic module interfaces1
44Roles, services, and authentication1
55Software/Firmware security1
66Operational environment1
77Physical securityN/A
88Non-invasive securityN/A
99Sensitive security parameter management1
1010Self-tests1
1111Life-cycle assurance3
1212Mitigation of other attacks1
Overall LevelOverall Level1

Veeam Cryptographic Module based on the OpenSSL FIPS Provider

1.1 Overview

Introduction Federal Information Processing Standards Publication 140-3

1.2 Security Levels

The Module meets FIPS 140-3 overall Level 1 requirements, with security levels as follows: Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 6

Veeam Cryptographic Module based on the OpenSSL FIPS Provider N/A N/A Table 1: Security Levels

1.3 Additional Information

In accordance with AS02.05, [ISO19790] §7.7 Physical Security is optional and does not apply to the Module. In accordance with current CMVP policy, [ISO19790] §7.8 Non-Invasive Security is not applicable. Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 7

Veeam Cryptographic Module based on the OpenSSL FIPS Provider

2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The Module is a cryptographic software library providing a C-language application program interface (API) for use by applications that require cryptographic functionality and is designated as a software module with a multi-chip standalone embodiment based on the descriptions of [ISO19790] AS02.03. The Module is intended for use by US and Canadian Federal agencies and other markets that require FIPS 140-3 validated cryptographic functionality. The Module’s formal name and version are “Veeam Cryptographic Module based on the OpenSSL FIPS Provider” and “3.1.2”, respectively. The Module design corresponds to the Module security rules. Security rules enforced by the Module are described in the appropriate context of this document. Module Type: Software Module Embodiment: MultiChipStand Cryptographic Boundary: Figure 1 depicts the Module operational environment, with the cryptographic boundary highlighted in red inclusive of all Module entry points (API calls). The Module is defined as a Software module per [ISO19790] AS02.03. The cryptographic boundary of the Module is the FIPS Provider, a dynamically loadable library. The Module performs no communication other than with the calling application via APIs that invoke the Module. The pre-operational approved integrity test is performed over all components within the cryptographic boundary. Tested Operational Environment’s Physical Perimeter (TOEPP): The Tested Operational Environment’s Physical Perimeter (TOEPP) is the General Purpose Computer. Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 8
Module configuration
NameFirmware VersionFeaturesPackageIntegrity Test
fips.so3.1.2fips.so for Unix/Linux platformsfips.soHMAC-SHA2-256
fips.dll3.1.2fips.dll for Windows platformsfips.dllHMAC-SHA2-256
fips.dylib3.1.2fips.dylib for Mac platformsfips.dylibHMAC-SHA2-256

Veeam Cryptographic Module based on the OpenSSL FIPS Provider Figure 1: Veeam Cryptographic Module based on the OpenSSL FIPS Provider Block Diagram

2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 9
Module configuration
NameOperating SystemHardware PlatformSoftware VersionProcessorPaa PaiHypervisor
Ubuntu Linux 22.04.1 ServerUbuntu Linux 22.04.1 ServerDell Inspiron 75733.1.2Intel i7- 8550UNoN/A
Ubuntu Linux 22.04.1 ServerUbuntu Linux 22.04.1 ServerDell Inspiron 75733.1.2Intel i7- 8550UYesN/A
Debian 11.5Debian 11.5Dell Inspiron 75733.1.2Intel i7- 8550UNoN/A
Debian 11.5Debian 11.5Dell Inspiron 75733.1.2Intel i7- 8550UYesN/A
FreeBSD 13.1FreeBSD 13.1Dell Inspiron 7591 2 in 13.1.2Intel i7- 10510UNoN/A
FreeBSD 13.1FreeBSD 13.1Dell Inspiron 7591 2 in 13.1.2Intel i7- 10510UYesN/A
Windows 10 ProWindows 10 ProDell Inspiron 7591 2 in 13.1.2Intel i7- 10510UNoN/A
Windows 10 ProWindows 10 ProDell Inspiron 7591 2 in 13.1.2Intel i7- 10510UYesN/A
macOS 11.5.2macOS 11.5.2Apple M1 Mac Mini3.1.2M1NoN/A
macOS 11.5.2macOS 11.5.2Apple M1 Mac Mini3.1.2M1YesN/A
macOS 11.5.2macOS 11.5.2Apple i7 Mac Mini3.1.2Intel i7NoN/A
macOS 11.5.2macOS 11.5.2Apple i7 Mac Mini3.1.2Intel i7YesN/A

Veeam Cryptographic Module based on the OpenSSL FIPS Provider Intel i78550U Intel i78550U Intel i78550U Intel i78550U Intel i710510U Intel i710510U Intel i710510U Intel i710510U N/A 3.1.2 N/A 3.1.2 N/A 3.1.2 N/A 3.1.2 N/A 3.1.2 N/A 3.1.2 N/A 3.1.2 N/A 3.1.2 N/A 3.1.2 N/A 3.1.2 N/A 3.1.2 N/A 3.1.2 Table 3: Tested Operational Environments - Software, Firmware, Hybrid Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: No operational environments are vendor affirmed.

2.3 Excluded Components

No components are excluded from [FIPS140-3] requirements.

2.4 Modes of Operation

Modes List and Description: Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 10
Service
NameDescriptionIndicatorType
Non- Approved modeThe module is in the Approved mode of operation by default. Use of the non-Approved Algorithms Not Allowed in the Approved Mode will place the module in the non-approved mode of operation.fips=noNon- Approved

Veeam Cryptographic Module based on the OpenSSL FIPS Provider NonApproved NonApproved Table 4: Modes List and Description

  1. Manual key entry is not supported.
  2. Data output is inhibited during self-tests, zeroisation, SSP generation and error states.
  3. The Module does not perform any cryptographic function if any self-test has failed.
  4. Installation of the Module as described in Section 11 results in the settings described below, which are a. security-checks = 1 Enforce minimum key strengths and approved curve names. b. conditional-errors = 1 Enforce the Module entering the error state on conditional test errors such as PCT failure. c. drbg-no-trunc-md=1 Disallow use of truncated digests with HASH and HMAC DRBGs (IG D.R) d. tls1-prf-ems-check=1 Enforce Extended Master Secret (EMS) use with TLS 1.2 (IG D.Q)
  5. The Module is a cryptographic library used by a calling application. The calling application is responsible for: a. Use of the primitives in the correct sequence. b. Use of keys in accordance with [SP800-140Dr2] (as the keys used by the Module for cryptographic purposes are provided over the call stack by the calling application). c. Use of a [SP800-90B] compliant entropy source. Entropy is supplied to the Module via callback functions. The callback functions return an error if the minimum entropy strength cannot be met. Mode Change Instructions and Status: Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Page 11
Approved algorithm
NameCAVP CertPropertiesReference
AES-CBCA3548Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CBC-CS1A3548Direction - decrypt, encrypt Key Length - 128, 192, 256SP 800-38A
AES-CBC-CS2A3548Direction - decrypt, encrypt Key Length - 128, 192, 256SP 800-38A
AES-CBC-CS3A3548Direction - decrypt, encrypt Key Length - 128, 192, 256SP 800-38A
AES-CCMA3548Key Length - 128, 192, 256SP 800-38C
AES-CFB1A3548Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CFB128A3548Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CFB8A3548Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CMACA3548Direction - Generation, Verification Key Length - 128, 192, 256SP 800-38B
AES-CTRA3548Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA3548Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-GCMA3548Direction - Decrypt, Encrypt IV Generation - External, Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256SP 800-38D
AES-GMACA3548Direction - Decrypt, Encrypt IV Generation - External, Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256SP 800-38D
AES-KWA3548Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38F
AES-KWPA3548Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38F
AES-OFBA3548Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-XTS Testing Revision 2.0A3548Direction - Decrypt, Encrypt Key Length - 128, 256SP 800-38E
Counter DRBGA3548Prediction Resistance - Yes Mode - AES-128, AES-192, AES-256 Derivation Function Enabled - No, YesSP 800-90A Rev. 1
DSA KeyGen (FIPS186-4)A3548L - 2048, 3072 N - 224, 256FIPS 186-4
DSA PQGGen (FIPS186-4)A3548L - 2048, 3072 N - 224, 256FIPS 186-4
DSA PQGVer (FIPS186-4)A3548L - 1024, 2048, 3072 N - 160, 224, 256 Hash Algorithm - SHA-1, SHA2-224, SHA2- 256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256FIPS 186-4
DSA SigGen (FIPS186-4)A3548L - 2048, 3072 N - 224, 256 Hash Algorithm - SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2-512/256FIPS 186-4
DSA SigVer (FIPS186-4)A3548L - 1024, 2048, 3072 N - 160, 224, 256 Hash Algorithm - SHA-1, SHA2-224, SHA2- 256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256FIPS 186-4
ECDSA KeyGen (FIPS186-4)A3548Curve - B-233, B-283, B-409, B-571, K-233, K- 283, K-409, K-571, P-224, P-256, P-384, P-521 Secret Generation Mode - Testing CandidatesFIPS 186-4
ECDSA KeyVer (FIPS186-4)A3548Curve - B-163, B-233, B-283, B-409, B-571, K- 163, K-233, K-283, K-409, K-571, P-192, P- 224, P-256, P-384, P-521FIPS 186-4
ECDSA SigGen (FIPS186-4)A3548Component - No, Yes Curve - B-233, B-283, B-409, B-571, K-233, K- 283, K-409, K-571, P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2- 512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512FIPS 186-4
ECDSA SigVer (FIPS186-4)A3548Component - No, Yes Curve - B-163, B-233, B-283, B-409, B-571, K- 163, K-233, K-283, K-409, K-571, P-192, P- 224, P-256, P-384, P-521 Hash Algorithm - SHA-1, SHA2-224, SHA2- 256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3- 384, SHA3-512FIPS 186-4
Hash DRBGA3548Prediction Resistance - Yes Mode - SHA-1, SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2- 512/256, SHA3-256, SHA3-512SP 800-90A Rev. 1
HMAC DRBGA3548Prediction Resistance - Yes Mode - SHA-1, SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2- 512/256, SHA3-256, SHA3-512SP 800-90A Rev. 1
HMAC-SHA-1A3548Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA2-224A3548Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA2-256A3548Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA2-384A3548Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA2-512A3548Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512/224A3548Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512/256A3548Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA3-224A3548Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA3-256A3548Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA3-384A3548Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA3-512A3548Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
KAS-ECC CDH- Component SP800-56Ar3 (CVL)A3548Curve - B-233, B-283, B-409, B-571, K-233, K- 283, K-409, K-571, P-224, P-256, P-384, P-521SP 800-56A Rev. 3
KAS-ECC-SSC Sp800-56Ar3A3548Domain Parameter Generation Methods - B- 233, B-283, B-409, B-571, K-233, K-283, K- 409, K-571, P-224, P-256, P-384, P-521 Scheme - ephemeralUnified - KAS Role - initiator, responderSP 800-56A Rev. 3
KAS-FFC-SSC Sp800-56Ar3A3548Domain Parameter Generation Methods - FB, FC, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP- 3072, MODP-4096, MODP-6144, MODP-8192 Scheme - dhEphem - KAS Role - initiator, responderSP 800-56A Rev. 3
KAS-IFC-SSCA3548Modulo - 2048, 3072, 4096, 6144, 8192 Key Generation Methods - rsakpg1-basic, rsakpg1-crt, rsakpg1-prime-factor, rsakpg2- basic, rsakpg2-crt, rsakpg2-prime-factor Scheme - KAS1 - KAS Role - initiator, responder KAS2 - KAS Role - initiator, responderSP 800-56A Rev. 3
KDA HKDF SP800-56Cr2A3548Derived Key Length - 2048 Shared Secret Length - Shared Secret Length:SP 800-56C Rev. 2
KDA OneStep SP800-56Cr2A3548Derived Key Length - 2048 Shared Secret Length - Shared Secret Length: 224-8192 Increment 8SP 800-56C Rev. 2
KDA TwoStep SP800-56Cr2A3548MAC Salting Methods - default, random KDF Mode - feedback Derived Key Length - 2048 Shared Secret Length - Shared Secret Length: 224-8192 Increment 8SP 800-56C Rev. 2
KDF ANS 9.42 (CVL)A3548KDF Type - DER Hash Algorithm - SHA-1, SHA2-224, SHA2- 256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3- 384, SHA3-512 Key Data Length - Key Data Length: 8-4096 Increment 8SP 800-135 Rev. 1
KDF ANS 9.63 (CVL)A3548Hash Algorithm - SHA2-224, SHA2-256, SHA2- 384, SHA2-512 Key Data Length - Key Data Length: 128, 4096SP 800-135 Rev. 1
KDF KMAC Sp800-108r1A3548Derived Key Length - Derived Key Length: 112- 4096 Increment 8SP 800-108 Rev. 1
KDF SP800-108A3548KDF Mode - Counter, Feedback Supported Lengths - Supported Lengths: 8, 72, 128, 776, 3456, 4096SP 800-108 Rev. 1
KDF SSH (CVL)A3548Cipher - AES-128, AES-192, AES-256 Hash Algorithm - SHA-1, SHA2-224, SHA2- 256, SHA2-384, SHA2-512SP 800-135 Rev. 1
KMAC-128A3548Message Length - Message Length: 0-65536 Increment 8 Key Data Length - Key Data Length: 128-1024 Increment 8SP 800-185
KMAC-256A3548Message Length - Message Length: 0-65536 Increment 8 Key Data Length - Key Data Length: 128-1024 Increment 8SP 800-185
KTS-IFCA3548Modulo - 2048, 3072, 4096, 6144 Key Generation Methods - rsakpg1-basic, rsakpg1-crt, rsakpg1-prime-factor, rsakpg2- basic, rsakpg2-crt, rsakpg2-prime-factor Scheme - KTS-OAEP-basic - KAS Role - initiator, responder Key Transport Method - Key Length - 1024SP 800-56B Rev. 2
PBKDFA3548Iteration Count - Iteration Count: 1-10000 Increment 1 Password Length - Password Length: 8-128 Increment 8SP 800-132
RSA KeyGen (FIPS186-4)A3548Key Generation Mode - B.3.3, B.3.6 Modulo - 2048, 3072, 4096 Primality Tests - Table C.2, Table C.3 Private Key Format - StandardFIPS 186-4
RSA SigGen (FIPS186-4)A3548Signature Type - ANSI X9.31, PKCS 1.5, PKCSPSS Modulo - 2048, 3072, 4096FIPS 186-4
RSA Signature Primitive (CVL)A3548Private Key Format - CRTFIPS 186-4
RSA SigVer (FIPS186-4)A3548Signature Type - ANSI X9.31, PKCS 1.5, PKCSPSS Modulo - 1024, 2048, 3072, 4096FIPS 186-4
Safe Primes Key GenerationA3548Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192SP 800-56A Rev. 3
Safe Primes Key VerificationA3548Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192SP 800-56A Rev. 3
SHA-1A3548Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-224A3548Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-256A3548Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-384A3548Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512A3548Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512/224A3548Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512/256A3548Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA3-224A3548Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHA3-256A3548Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHA3-384A3548Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHA3-512A3548Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHAKE-128A3548Output Length - Output Length: 16-65536 Increment 8FIPS 202
SHAKE-256A3548Output Length - Output Length: 16-65536 Increment 8FIPS 202
TLS v1.2 KDF RFC7627 (CVL)A3548Hash Algorithm - SHA2-256, SHA2-384, SHA2- 512SP 800-135 Rev. 1
TLS v1.3 KDF (CVL)A3548HMAC Algorithm - SHA2-256, SHA2-384 KDF Running Modes - DHE, PSK, PSK-DHESP 800-135 Rev. 1

Veeam Cryptographic Module based on the OpenSSL FIPS Provider

2.5 Algorithms

Approved Algorithms: Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 12

Veeam Cryptographic Module based on the OpenSSL FIPS Provider Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 13

Veeam Cryptographic Module based on the OpenSSL FIPS Provider Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 14

Veeam Cryptographic Module based on the OpenSSL FIPS Provider Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 15

Veeam Cryptographic Module based on the OpenSSL FIPS Provider Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 16
Service
NameProperties
DSA PQGGen [FIPS 186- 4]Key Size, Key Strength:L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128) Mode/Method:PQGGen using SHA3OpenSSL Project OpenSSL 3.x FIPS ProviderVendor affirmed per IG C.C and IG C.B Resolution (bullet point #3)
DSA PQGVer [FIPS 186- 4]Key Size, Key Strength:L = 1024/N = 160 (s < 112) L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128) Mode/Method:PQGVer using SHA3OpenSSL Project OpenSSL 3.x FIPS ProviderVendor affirmed per IG C.C and IG C.B Resolution (bullet point #3)
DSA SigGen [FIPS 186- 4]Key Size, Key Strength:L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128) Mode/Method:SigGen using SHA3OpenSSL Project OpenSSL 3.x FIPS ProviderVendor affirmed per IG C.C and IG C.B Resolution (bullet point #3)
DSA SigVer [FIPS186- 4]Key Size, Key Strength:L = 1024/N = 160 (s < 112) L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128)OpenSSL Project OpenSSL 3.x FIPS ProviderVendor affirmed per IG C.C and IG C.B Resolution (bullet point #3)
CKG - Section 4 and 5.1Key Type :AsymmetricN/ANIST SP800-133r2 Section 4: Using the Output of a Random Bit Generator; Section 5.1: Key Pairs for Digital Signature Schemes
CKG - Section 4 and 5.2Key Type:AsymmetricN/ANIST SP800-133r2 Section 4: Using the Output of a Random Bit Generator; Section 5.2: Key Pairs for Key Establishment
CKG - Section 4 and Section 6.1Key Type:SymmetricN/ANIST SP800-133r2 Section 4: Using the Output of a Random Bit Generator; Section 6.1: Direct Generation of Symmetric Keys
CKG - Section 6.2Key Type:SymmetricN/ANIST SP 800-133r2 Section 6.2: Derivation of Symmetric keys
CKG - Section 6.3Key Type:SymmetricN/ANIST SP 800-133rev2, Section 6.3: Symmetric Keys Produced by Combining Multiple Keys and Other Data
CKG - Section 4Key Type:SymmetricN/ANIST SP800-133r2 Section 4: Using the Output of a Random Bit Random bits returned to the calling application
AESAES (Any non-authenticated mode), (Cert.#A3548):Symmetric key unwrappingOpenSSL Project OpenSSL 3.x FIPS ProviderPer IG D.G Additional Comment 5

Veeam Cryptographic Module based on the OpenSSL FIPS Provider Table 5: Approved Algorithms The Module implements the Approved cryptographic functions listed in Table 5. 4] 4] 4] 4] #3) #3) #3) #3) Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 17

Veeam Cryptographic Module based on the OpenSSL FIPS Provider N/A N/A 6.1 N/A N/A N/A N/A Table 6: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: Table 7: Non-Approved, Allowed Algorithms Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 18
Service
NameDescriptionApproved FunctionsTypeProperties
Triple-DESProvides 3-Key ECB and CBC mode, but indicated as fips=no, Encryption, Decryption
Ed448SHAKE256, Ed448 provides 224 bits of security, Digital Signature Generation
Ed25519SHA2-512, Ed25519 provides 128 bits of security, Digital Signature Generation
X448Provides 224 bits of security, Key Agreement
X25519Provides 128 bits of security, Key Agreement
ECDSA SigVer ComponentProvides between 80 and 256 bits for security, Curves: B-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K-409, K-571, P-192, P- 224, P-256, P-384, P-521, Digital Signature Verification
FIPS 186-2 RSA SigGen/SigVerProvides >= 80 bits of security, RSA signature generation/verification per FIPS 186-2
FIPS 186-2 RSA KeyGenProvides >= 112 bits of security, RSA key generation per FIPS 186-2
X942KDF- CONCATUsage of X942KDF-CONCAT with PRF SHA-1, SHA2-512/224, SHA2- 512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256, KECCAK-KMAC128 and KECCAK-KMAC256
X963KDFUsage of X963KDF with PRF SHA-1, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256, KECCAK-KMAC128 and KECCAK-KMAC256
HKDFProvides < 112 bits of security, Usage of HKDF with key length less than 112 bits
OneStep KDFUsage of OneStep KDF with PRF SHAKE128, SHAKE256
HMACProvides < 112 bits of security, Usage of HMAC with key length less than 112 bits for MAC generation
Hash and HMAC DRBGUsage of Hash and HMAC DRBGs with PRFs SHA2-224, SHA2-384, SHA2-512/224 and SHA2-512/256
Symmetric Encryption and DecryptionSymmetric Encryption and DecryptionAES-CBC: (A3548) AES-CBC- CS1: (A3548) AES-CBC- CS2: (A3548) AES-CBC- CS3: (A3548) AES-CCM: (A3548) AES-CFB1: (A3548)BC-Auth BC-UnAuthKey Length:128, 192 and 256 bits Key Length (XTS):128 and 256 bits
Service
NameDescriptionApproved FunctionsTypeProperties
Triple-DESProvides 3-Key ECB and CBC mode, but indicated as fips=no, Encryption, Decryption
Ed448SHAKE256, Ed448 provides 224 bits of security, Digital Signature Generation
Ed25519SHA2-512, Ed25519 provides 128 bits of security, Digital Signature Generation
X448Provides 224 bits of security, Key Agreement
X25519Provides 128 bits of security, Key Agreement
ECDSA SigVer ComponentProvides between 80 and 256 bits for security, Curves: B-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K-409, K-571, P-192, P- 224, P-256, P-384, P-521, Digital Signature Verification
FIPS 186-2 RSA SigGen/SigVerProvides >= 80 bits of security, RSA signature generation/verification per FIPS 186-2
FIPS 186-2 RSA KeyGenProvides >= 112 bits of security, RSA key generation per FIPS 186-2
X942KDF- CONCATUsage of X942KDF-CONCAT with PRF SHA-1, SHA2-512/224, SHA2- 512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256, KECCAK-KMAC128 and KECCAK-KMAC256
X963KDFUsage of X963KDF with PRF SHA-1, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256, KECCAK-KMAC128 and KECCAK-KMAC256
HKDFProvides < 112 bits of security, Usage of HKDF with key length less than 112 bits
OneStep KDFUsage of OneStep KDF with PRF SHAKE128, SHAKE256
HMACProvides < 112 bits of security, Usage of HMAC with key length less than 112 bits for MAC generation
Hash and HMAC DRBGUsage of Hash and HMAC DRBGs with PRFs SHA2-224, SHA2-384, SHA2-512/224 and SHA2-512/256
Symmetric Encryption and DecryptionSymmetric Encryption and DecryptionAES-CBC: (A3548) AES-CBC- CS1: (A3548) AES-CBC- CS2: (A3548) AES-CBC- CS3: (A3548) AES-CCM: (A3548) AES-CFB1: (A3548)BC-Auth BC-UnAuthKey Length:128, 192 and 256 bits Key Length (XTS):128 and 256 bits
Message DigestMessage DigestSHA-1: (A3548) SHA2-224: (A3548) SHA2-256: (A3548) SHA2-384: (A3548) SHA2-512: (A3548) SHA2- 512/224: (A3548) SHA3-224: (A3548) SHA3-256: (A3548) SHA3-384: (A3548) SHA3-512: (A3548) SHAKE-128: (A3548) SHAKE-256: (A3548) SHA2- 512/256: (A3548)SHASHA-1 :(s = 160) Large Message Sizes: 1, 2, 4, 8gigabytes SHA2:SHA2-224 (s = 224), SHA2-256 (s = 256), SHA2-384 (s = 384), SHA2-512 (s = 512), SHA2-512/224 (s = 224), SHA2- 512/256 (s = 256). Large Message Sizes: 1, 2, 4, 8gigabytes SHA3:SHA3-224 (s = 224), SHA3-256 (s = 256), SHA3-384 (s = 384), SHA3-512 (s = 512). See Note 1. Large Message Sizes: 1, 2, 4, 8gigabytes SHAKE:SHAKE-128 (s = 128), SHAKE- 256 (s = 256). See Note 1.
Keyed HashKeyed HashHMAC-SHA-1: (A3548)BC-Auth MACHMAC-SHA-1 [FIPS198-1]:SHA-1 (s
= 160) HMAC-SHA2 [FIPS198-1]:SHA2- 224 (s = 224), SHA2- 256 (s = 256), SHA2- 384 (s = 384), SHA2- 512 (s = 512), SHA2- 512/224 (s = 224), SHA2-512/256 (s = 256) HMAC-SHA3 [FIPS198-1]:SHA3- 224 (s = 224), SHA3- 256 (s = 256), SHA3- 384 (s = 384), SHA3- 512 (s = 512) KMAC:KMAC-128 (112 s 128), KMAC- 256 (112 s 256). See Note 8.HMAC-SHA2- 224: (A3548) HMAC-SHA2- 256: (A3548) HMAC-SHA2- 384: (A3548) HMAC-SHA2- 512: (A3548) HMAC-SHA2- 512/224: (A3548) HMAC-SHA2- 512/256: (A3548) HMAC-SHA3- 224: (A3548) HMAC-SHA3- 256: (A3548) HMAC-SHA3- 384: (A3548) HMAC-SHA3- 512: (A3548) AES-CMAC: (A3548) KMAC-128: (A3548) KMAC-256: (A3548) AES-GMAC: (A3548)= 160) HMAC-SHA2 [FIPS198-1]:SHA2- 224 (s = 224), SHA2- 256 (s = 256), SHA2- 384 (s = 384), SHA2- 512 (s = 512), SHA2- 512/224 (s = 224), SHA2-512/256 (s = 256) HMAC-SHA3 [FIPS198-1]:SHA3- 224 (s = 224), SHA3- 256 (s = 256), SHA3- 384 (s = 384), SHA3- 512 (s = 512) KMAC:KMAC-128 (112 s 128), KMAC- 256 (112 s 256). See Note 8.
RSA Digital Signature Generation and VerificationRSA Digital Signature Generation and VerificationRSA SigGen (FIPS186-4): (A3548) RSA SigVer (FIPS186-4): (A3548)DigSig- SigGen DigSig-SigVerSignature type: ANSI X9.31 tested with the listed moduli and the following hash algorithms: SHA2- 256, SHA2-384, SHA2-512:k=2048 (s ~= 112), k=3072 (s ~= 128), k=4096 (s ~= 152) Signature type: PKCS 1.5 tested with the listed moduli and the following hash algorithms: SHA2-224, SHA2- 256, SHA2-384, SHA2-512, SHA2- 512/224, SHA2- 512/256:k=2048 (s

Veeam Cryptographic Module based on the OpenSSL FIPS Provider The module does not support any Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed. Non-Approved, Not Allowed Algorithms: Table 8: Non-Approved, Not Allowed Algorithms Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 19

Veeam Cryptographic Module based on the OpenSSL FIPS Provider SHA2Large Message SHA2512/256: Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 20

Veeam Cryptographic Module based on the OpenSSL FIPS Provider [FIPS198-1]:SHA2224 (s = 224), SHA2256 (s = 256), SHA2384 (s = 384), SHA2512 (s = 512), SHA2512/224 (s = 224), [FIPS198-1]:SHA3224 (s = 224), SHA3256 (s = 256), SHA3384 (s = 384), SHA3512 (s = 512) DigSigSigGen Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 21

Veeam Cryptographic Module based on the OpenSSL FIPS Provider Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 22
Service
NameDescriptionApproved FunctionsTypeProperties
ECDSA Signature Generation and Signature VerificationECDSA Signature Generation and Signature VerificationECDSA SigGen (FIPS186-4): (A3548) ECDSA SigVer (FIPS186-4): (A3548)DigSig- SigGen DigSig-SigVerSigGen (includes SigGen Component) (tested with SHA2- 224, SHA2-256, SHA2-384, SHA2- 512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3- 256, SHA3-384, SHA3-512):B-233, K- 233, P-224 (s ~= 112); B-283, K-283, P-256 (s ~= 128); B- 409, K-409, P-384 (s ~= 192); B-571, K- 571, P-521 (s ~= 256) SigVer (tested with SHA-1*, SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3- 256, SHA3-384, SHA3-512):B-163, K- 163, P-192 (s < 112); B-233, K-233, P-224 (s ~= 112); B-283, K- 283, P-256 (s ~= 128); B-409, K-409, P-384 (s ~= 192); B- 571, K-571, P-521 (s ~= 256)
DSA Digital Signature Generation and VerificationDSA Digital Signature Generation and VerificationDSA SigGen (FIPS186-4): (A3548) DSA SigVer (FIPS186-4): (A3548) DSA SigGen [FIPS 186-4]: ()DigSig- SigGen DigSig-SigVerSigGen (tested with SHA2-224, SHA2- 256, SHA2-384, SHA2-512, SHA2- 512/224, SHA2- 512/256); SigGen using SHA3; no ACVP testing is available:L = 2048/N

Veeam Cryptographic Module based on the OpenSSL FIPS Provider DigSigSigGen DigSigSigGen () Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 23
Service
NameDescriptionCsps AccessedTypeProperties
RSA Signature PrimitiveSignature primitiveRSA Signature Primitive: (A3548)DigSig- SigGenPrivate Key format:CRT Public Exponent Mode:Fixed : k = 2048
Asymmetric Key Pair GenerationGeneration of asymmetric key pairsRSA KeyGen (FIPS186-4): (A3548) DSA KeyGen (FIPS186-4): (A3548) ECDSA KeyGen (FIPS186-4): (A3548) Safe Primes Key Generation: (A3548) ECDSA KeyVer (FIPS186-4): (A3548) Safe PrimesAsymKeyPair- KeyGen AsymKeyPair- KeyVerRSA KeyGen:k=2048 (s ~= 112), k=3072 (s ~= 128), k=4096 (s ~= 152) DSA KeyGen:L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128) ECDSA KeyGen: Secret Generation Mode: Testing Candidates:B-233, K- 233, P-224 (s ~= 112); B-283, K-283, P-256 (s ~= 128); B- 409, K-409, P-384 (s ~= 192); B-571, K-
571, P-521 (s ~= 256) Safe Primes Key Generation, Safe Primes Key Verification:ffdhe2048 (s = 112), ffdhe3072 (112 s 128), ffdhe4096 (112 s 152), ffdhe6144 (112 s 176), ffdhe8192 (112 s 200), MODP- 2048 (s = 112), MODP-3072 (112 s 128), MODP-4096 (112 s 152), MODP- 6144 (112 s 176), MODP-8192 (112 s 200) ECDSA KeyVer:B- 163, K-163, P-192 (s < 112); B-233, K-233, P-224 (s ~= 112); B- 283, K-283, P-256 (s ~= 128); B-409, K- 409, P-384 (s ~= 192); B-571, K-571, P-521 (s ~= 256) DSA PQGGen (FIPS186-4), DSA PQGGen [FIPS 186- 4] (VA):L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128) DSA PQGVer (FIPS186-4), DSA PQGVer [FIPS 186-4] (VA):L = 1024/N = 160 (s < 112) L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128)Key Verification: (A3548) CKG - Section 4 and 5.1: () Key Type : Asymmetric CKG - Section 4 and 5.2: () Key Type: Asymmetric DSA PQGGen (FIPS186-4): (A3548) DSA PQGVer (FIPS186-4): (A3548) DSA PQGGen [FIPS 186-4]: () Key Size, Key Strength: L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128) Mode/Method: PQGGen using SHA3 DSA PQGVer [FIPS 186-4]: () Key Size, Key Strength: L = 1024/N = 160 (s < 112) L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128) Mode/Method: PQGVer using SHA3571, P-521 (s ~= 256) Safe Primes Key Generation, Safe Primes Key Verification:ffdhe2048 (s = 112), ffdhe3072 (112 s 128), ffdhe4096 (112 s 152), ffdhe6144 (112 s 176), ffdhe8192 (112 s 200), MODP- 2048 (s = 112), MODP-3072 (112 s 128), MODP-4096 (112 s 152), MODP- 6144 (112 s 176), MODP-8192 (112 s 200) ECDSA KeyVer:B- 163, K-163, P-192 (s < 112); B-233, K-233, P-224 (s ~= 112); B- 283, K-283, P-256 (s ~= 128); B-409, K- 409, P-384 (s ~= 192); B-571, K-571, P-521 (s ~= 256) DSA PQGGen (FIPS186-4), DSA PQGGen [FIPS 186- 4] (VA):L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128) DSA PQGVer (FIPS186-4), DSA PQGVer [FIPS 186-4] (VA):L = 1024/N = 160 (s < 112) L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128)
Random Number GenerationRandom Number Generation - Hash_DRBG,Counter DRBG: (A3548)DRBGCounter DRBG [SP800-90Ar1]:AES- 128 (s = 128), AES-
CTR_DRBG and HMAC_DRBGCTR_DRBG and HMAC_DRBGHash DRBG: (A3548) HMAC DRBG: (A3548) CKG - Section 4: () Key Type: Symmetric192 (s = 192), AES- 256 (s = 256) Hash DRBG [SP800- 90Ar1]:SHA-1 (s = 160), SHA2-256 (s = 256), SHA2-512 (s = 512) SHA3-256 (s = 256), SHA3-512 (s = 512) HMAC DRBG [SP800-90Ar1]:SHA- 1 (s = 160), SHA2- 256 (s = 256), SHA2- 512 (s = 512) SHA3- 256 (s = 256), SHA3- 512 (s = 512)
Key DerivationDerive Keying MaterialKDA HKDF SP800-56Cr2: (A3548) KDA OneStep SP800-56Cr2: (A3548) KDA TwoStep SP800-56Cr2: (A3548) KDF ANS 9.42: (A3548) KDF ANS 9.63: (A3548) KDF KMAC Sp800-108r1: (A3548) KDF SP800- 108: (A3548) KDF SSH: (A3548) PBKDF: (A3548) TLS v1.2 KDF RFC7627: (A3548) TLS v1.3 KDF: (A3548) CKG - Section 6.2: () Key Type: SymmetricKBKDF PBKDFKDA HKDF:SHA-1 (s = 160), SHA2-224 (s = 224), SHA2-256 (s = 256), SHA2-384 (s = 384), SHA2-512 (s = 512), SHA2- 512/224 (s = 224), SHA2-512/256 (s = 256), SHA3-224 (s = 224), SHA3-256 (s = 256), SHA3-384 (s = 384), SHA3-512 (s = 512) KDA OneStep:SHA-1 (s = 160), SHA2-224 (s = 224), SHA2-256 (s = 256), SHA2-384 (s = 384), SHA2-512 (s = 512), SHA2- 512/224 (s = 224), SHA2-512/256 (s = 256), SHA3-224 (s = 224), SHA3-256 (s = 256), SHA3-384 (s = 384), SHA3-512 (s = 512); HMAC-SHA-1 (s = 160), HMAC- SHA2-224 (s = 224), HMAC-SHA2-256 (s = 256), HMAC-SHA2- 384 (s = 384), HMAC-SHA2-512 (s = 512), HMAC-SHA2- 512/224 (s = 224),

Veeam Cryptographic Module based on the OpenSSL FIPS Provider DigSigSigGen AsymKeyPairKeyGen AsymKeyPairKeyVer Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 24

Veeam Cryptographic Module based on the OpenSSL FIPS Provider () () Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 25

Veeam Cryptographic Module based on the OpenSSL FIPS Provider [SP800-90Ar1]:SHA1 (s = 160), SHA2256 (s = 256), SHA2512 (s = 512) SHA3256 (s = 256), SHA3512 (s = 512) 4: () 6.2: () Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 26

Veeam Cryptographic Module based on the OpenSSL FIPS Provider Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 27

Veeam Cryptographic Module based on the OpenSSL FIPS Provider KDF [SP800108r1]:CMACAES128 (s = 128), Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 28
Service
NameDescriptionApproved FunctionsTypeProperties
KAS-1Scheme: EphemeralUnified, KAS Role: Initiator, ResponderSP800-56Ar3 KAS- ECC-SSC per IG D.F Scenario 2 path (1):B-233, K-233, P- 224, B-283, K-283, P- 256, B-409, K-409, P- 384, B-571, K-571, and P-521 curves providing 112, 128, 192, or 256 bits of encryption strengthKAS-SSCKAS-ECC- SSC Sp800- 56Ar3: (A3548)
KAS-2Scheme: dhEphem. KAS Role: Initiator, ResponderSP800-56Ar3 KAS- FFC-SSC IG D.F Scenario 2 path (1):2048, 3072, 4096, 6144, and 8192-bit key providing 112, 128, 152, 176, or 200 bits of encryption strengthKAS-SSCKAS-FFC- SSC Sp800- 56Ar3: (A3548)
KAS-3Scheme: KAS1, KAS2. KAS Role: Initiator, ResponderSP800-56Br2 KAS- IFC-SSC IG D.F Scenario 1 path (1):2048, 3072, 4096, 6144, and 8192-bit key providing 112, 128, 152, 176, or 200 bits of encryption strengthKAS-SSCKAS-IFC- SSC: (A3548)
KTS-1Key Transport in compliance with [SP800- 38F]SP 800-38F KTS (key wrapping) per IG D.G :128, 192, andKTS-WrapAES-KW: (A3548)

Veeam Cryptographic Module based on the OpenSSL FIPS Provider (1):B-233, K-233, PResponder KAS-ECCSSC Sp80056Ar3: KAS-FFCSSC Sp80056Ar3: Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 29
Service
NameDescriptionCsps AccessedApproved FunctionsType
KTS-2Key Transport in compliance with [SP800- 38F] when approved AES (any mode) and approved HMAC, KMAC, GMAC or CMAC are used in combinationSP 800-38F KTS (key wrapping) per IG D.G : 128, 192, and 256-bit keys providing 128, 192, or 256 bits of encryption strengthAES-CBC: (A3548) AES-CFB1: (A3548) AES-CFB128: (A3548) AES-CFB8: (A3548) AES-CTR: (A3548) AES-ECB: (A3548) AES-OFB: (A3548) AES-XTS Testing Revision 2.0: (A3548) AES-CBC- CS2: (A3548) AES-CBC- CS3: (A3548) AES-CCM: (A3548) AES-CMAC: (A3548) AES-GCM: (A3548) AES-GMAC: (A3548) AES-KW: (A3548) AES-KWP: (A3548) HMAC-SHA-1: (A3548) HMAC-SHA2- 224: (A3548) HMAC-SHA2- 256: (A3548) HMAC-SHA2- 384: (A3548) HMAC-SHA2- 512: (A3548) HMAC-SHA2- 512/224:KTS-Wrap
KTS-3Key Transport in compliance with [SP800- 38F] when approved using an Authenticated AES mode (AES CCM; AES GCM; AES GMAC; AES CMAC)SP 800-38F KTS (key wrapping) per IG D.G : 128, 192, and 256-bit keys providing 128, 192, or 256 bits of encryption strengthAES-CCM: (A3548) AES-CMAC: (A3548) AES-GCM: (A3548) AES-GMAC: (A3548)KTS-Wrap
KTS-4Key Transport; Scheme: KTS- OAEP-basic (no key confirmation): RSA-OAEP, Key Encapsulation, Key Unencapsulation Key Generation Methods: rsakpg1-basic, rsakpg1-crt, rsakpg1-prime- factor, rsakpg2- basic, rsakpg2-crt, rsakpg2- prime- factorSP 800-56Brev2 KTS-IFC (key encapsulation and un-encapsulation) per IG D.G:2048, 3072, 4096, and 6144-bit key providing 112, 128, 152, or 176 bits of encryption strengthKTS-IFC: (A3548)KTS-Encap
KAS ECC CDH ComponentKAS-ECC-SSC primitiveCurves:B-233, K-233, P-224 (s ~= 112); B- 283, K-283, P-256 (s ~= 128); B-409, K-KAS-ECC CDH- ComponentKAS-SSC
409, P-384 (s ~= 192); B-571, K-571, P-521 (s ~= 256).409, P-384 (s ~= 192); B-571, K-571, P-521 (s ~= 256).SP800-56Ar3: (A3548)
Perform self- tests (All)All self-tests executed by the module at bootAES-ECB: (A3548) AES-GCM: (A3548) Hash DRBG: (A3548) Counter DRBG: (A3548) HMAC DRBG: (A3548) DSA SigGen (FIPS186-4): (A3548) DSA SigVer (FIPS186-4): (A3548) ECDSA SigGen (FIPS186-4): (A3548) ECDSA SigVer (FIPS186-4): (A3548) RSA SigGen (FIPS186-4): (A3548) RSA SigVer (FIPS186-4): (A3548) HMAC-SHA2- 256: (A3548) SHA-1: (A3548) SHA3-256: (A3548) SHA2-512: (A3548) KDF ANS 9.42: (A3548) KDF ANS 9.63: (A3548) KAS-ECC- SSC Sp800- 56Ar3: (A3548)BC-Auth BC-UnAuth DigSig- SigGen DigSig-SigVer DRBG KAS-SSC KBKDF MAC PBKDF SHA XOF
Cryptographic Key Generation (CKG)Direct generation of symmetric keys per NIST SP 800- 133r2CKG - Section 4 and Section 6.1: ()CKG
Software Integrity TestHMAC-SHA2-256 used to perform the software integrity testKey size: 256 bitsHMAC-SHA2- 256: (A3548)MAC
Cryptographic Key Generation (CKG) - AES XTSAES XTS Key generated to comply with the approved key generation guidelines of NIST SP 800-133rev2, Section 6.3, Symmetric Keys Produced by Combining Multiple Keys and Other DataKey size:128, 256 bitsCKG - Section 6.3: ()CKG
KTS-5Key Unwrapping using any non- authenticated AES modeKTS (key unwrapping) per IG D.G:128, 192, and 256-bit keys providing 128, 192, orAES-CBC: (A3548) AES-CFB1: (A3548) AES-CFB128:KTS-Unwrap

Veeam Cryptographic Module based on the OpenSSL FIPS Provider Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 30

Veeam Cryptographic Module based on the OpenSSL FIPS Provider rsakpg2- primefactor CDHComponent Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 31

Veeam Cryptographic Module based on the OpenSSL FIPS Provider DigSigSigGen KAS-ECCSSC Sp80056Ar3: Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 32

Veeam Cryptographic Module based on the OpenSSL FIPS Provider KAS-FFCSSC Sp80056Ar3: 6.1: () 6.3: () Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 33
Service
NameDescriptionApproved Functions
256 bits of decryption strength256 bits of decryption strength(A3548) AES-CFB8: (A3548) AES-CTR: (A3548) AES-ECB: (A3548) AES-OFB: (A3548) AES-CBC- CS1: (A3548) AES-CBC- CS2: (A3548) AES-CBC- CS3: (A3548)

Veeam Cryptographic Module based on the OpenSSL FIPS Provider Table 9: Security Function Implementations Equivalent strength in bits is given for each key or algorithm type (as some algorithms do not use or produce keys). The term s is used throughout to indicate security strength, following the notation used in the majority of the sources. Note 1: Preimage resistance strength applies to hash algorithms used in DRBG, KDFs. Described also in [SP80057P1r5] Table

  1. Note 2: Elliptic curve strengths are annotated as approximate (i.e., s ~=) since [SP800-186] Table 1 provides approximate security strengths. Note 3: [SP800-186] (cited in [SP800-140Cr2]) and [FIPS140-3_IG] C.K indicate that the Binary (B-) and Koblitz (K-) curves are deprecated. Note 4: Approved elliptic curves for ECC key agreement are given in [SP800-56Ar3] Table
  2. Note 5: In Digital Signature applications, security strength is primarily associated with the asymmetric key pair specification. The hash function used must have equivalent strength equal to or greater than the security strength of the associated key pair. Note 6: Approved key types for FFC key agreement are given in [SP800-56Ar3] Tables 25,
  3. The group notation of Table 26 is used for consistency with CAVP algorithm listings and ACVP capability registration. Note 7: Approved key types for IFC key agreement are given in [SP800-56Br2] Table
  4. IFC key types approved for Digital Signature Generation and Verification are given also in [SP800-57P1r5] Table
  5. Equivalent strengths are annotated as approximate (i.e., s ~=) since [SP800-56Br2] Table 4 provides approximate security strengths. Note 8: Security strengths for KDA One Step are given in [SP800-56Cr2] Table 1 (hash), Table 2 (HMAC) and Table 3 (KMAC). Note 9: Security strength for L=2048/N=256 is determined in accordance with [FIPS140-3_IG] D.B Strength of SSP Establishment Methods as y = min(x, N/2), where x is 112 and therefore y = min(112, 128) = 112. Other reference sources for the strengths are as follows: • AES (AES-128, AES-192, AES-256): [SP800-57P1r5] Table 2. • ECC (B-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256, P-384, P-521): [SP800-186] Table 1. • FFC (L=1024/N=160, L=2048/N=224, L=2048/N=256, L=3072/N=256): [SP800-57P1r5] Table 2. • FFC (ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP6144, MODP-8192): [SP800-56Ar3] Tables 25 and 26. • IFC (k=1024, k=2048, k=3072, k=4096, k=6144, k=8192): [SP800-56Br2] Table 4. • KMAC (KMAC128, KMAC256): [SP800-56Cr2] Table
  6. Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Page 34

Veeam Cryptographic Module based on the OpenSSL FIPS Provider

2.7 Algorithm Specific Information

a. AES-GCM Usage AES GCM IV generation must be compliant to [FIPS140-3_IG] C.H Key/IV Pair Uniqueness Requirements from SP 800-38D Scenario 1(a), tested per option (ii) under C.H TLS/DTLS 1.2 protocol IV generation per RFC7627, Scenario 1(d) SSHv2 per RFC4252, RFC4253 and RFC5647 and Scenario 5 TLS 1.3 per RFC8446. IV constructed in compliance with a protocol shall only be used in the context of the AES-GCM mode encryptions within the protocol. The Module does not implement the TLS and SSH protocols itself, however, it provides the cryptographic functions required for implementing the protocols. AES GCM encryption is used in the context of the SSH and TLS protocol versions 1.2 and 1.3. The module provides the primitives to support the AES GCM ciphersuites from [SP800-52r1] Section 3.3.1. The module’s implementation of AES-GCM is used together with an application that runs outside the module’s cryptographic boundary. The application negotiates the protocol session’s keys and the 32-bit nonce value of the IV. When the IV exhausts the maximum number of possible values for a given session key (2^64 - 1), this results in a failure in encryption and a handshake to establish a new encryption key will be required. It is the responsibility of the user of the module, i.e., the first party, client or server, to encounter this condition, to trigger this handshake in accordance with the TLS/SSH protocol. The Module also supports internal IV generation using the module’s approved DRBG. The IV is at least 96 bits in length per [SP800-38D] Section 8.2.2. Per [FIPS140-3_IG] C.H Scenario 2 and [SP800-38D], the approved DRBG generates outputs such that the (key, IV) pair collision probability is less than 2^-32. In each case, in the event that the Module power is lost and restored the user must ensure that the AES GCM encryption/decryption keys are re-distributed in accordance with IG C.H Scenario 3. The module does not support persistent storage of SSPs. The Module also supports importing of GCM IVs when an IV is not generated within the Module. In the approved mode, an IV must not be imported for encryption from outside the cryptographic boundary of the Module as this will result in a non-conformance. This is in accordance with IG 2.4.A: If the module operator (e.g., calling application) can do things outside of the module’s control/visibility that can take an otherwise approved algorithm and use it in a non-approved way (e.g., use PBKDF and/or AES XTS outside of storage applications), the corresponding module service may still be considered approved (and if so, shall have an approved indicator per AS02.24) and the Security Policy shall clarify how to use the service in an approved manner (per ISO 19790 B.2.2 on Overall security design and the rules of operation). b. PBKDF Usage The lower limit on the supported length of a password/passphrase used in key derivation is 1-character. The ASCII system comprises of 94 printable characters (letters, digits, punctuation, and symbols). For a 1character password/passphrase chosen from 94 printable ASCII characters, the total combinations are: 94^1. Thus, the probability of guessing the correct password/passphrase on a random attempt is: 1/94^1 ~0.010. The module being a software module, does not restrict the usage of a password/string used as the password and input to the PBKDF. The onus is on the calling application to provide a password of an appropriate length based on the intended security strength (and size) of the key to be derived. Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 35

Veeam Cryptographic Module based on the OpenSSL FIPS Provider In accordance with NIST SP 800-132, passwords shorter than 10 characters are usually considered to be weak. There are many other properties that may render a password weak. For example, it is not advisable to use sequences of numbers or sequences of letters as passwords. Easily accessed personal information, such as the user’s name, phone number, and date of birth, should not be used directly as a password. Passphrases frequently consist solely of letters, but they make up for their lack of entropy by being much longer than passwords, typically 20 to 30 characters. Passphrases shorter than 20 characters are usually considered weak. The module complies with NIST SP 800-132 Section 5.4 Option 1 a and IG D.N. The iteration count values used range from 1 to 10000 per NIST SP 800-132 Section 5.2 whereby the iteration count shall be selected as large as possible, as long as the time required to generate the key using the entered password is acceptable for the users. Keys derived from passwords, as shown in SP 800-132, may only be used in storage applications. The security strength of the derived key is at least 112 bits. The module implements CKG per NIST SP 800-133r2 Section 6.2.2. c. AES-XTS Usage Usage In accordance with [SP800-38E], the XTS-AES algorithm shall only be used for confidentiality on storage devices. The Module complies with [FIPS140-3_IG] C.I by explicitly checking that Key_1 ≠ Key_2 before using the keys in the XTS-AES algorithm to process data with them. The module implements CKG per NIST SP 800-133r2 Section 6.3. d. Legacy Usage The module supports the following implementations for legacy use/support per NIST SP 800-131Ar2: e.

Page 36

Veeam Cryptographic Module based on the OpenSSL FIPS Provider

2.8 RBG and Entropy

The Module relies on the use of a [SP800-90B] compliant entropy source outside the Module boundary. The calling application is responsible for use of an [SP800-90B] compliant entropy source with sufficient entropy based on the required security strength. Entropy is supplied to the Module via callback functions (see Section 2.4 2. c). Minimum Number of Bits of Entropy, depending on the target security strength of generated SSPs are 128, 192 or 256 bits. When using the Counter DRBG implementation without the derivation function enabled, full entropy from the entropy source is required. The following caveat applies to the module: No assurance of the minimum strength of generated SSPs (e.g., keys). N/A for this module. N/A for this module. Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 37

Veeam Cryptographic Module based on the OpenSSL FIPS Provider

2.9 Key Generation

The module implements NIST SP 800-90Ar1 DRBGs and supports the following sections per NIST SP 800-133r2 (CKG): Sections 4, 5.1, 5.2, 6.1, 6.2 and 6.3.

2.10 Key Establishment

Key Agreement Per IG D.F: The module supports Key Agreement Schemes per NIST SP800-56Ar3 and [FIPS140-3_IG] D.F Scenario 2 (path 1) and NIST SP 800-56Br2 and [FIPS140-3_IG] D.F Scenario 1 (path 1). The KAS-1, KAS-2, KAS-3 in the SFI Table 9 have been documented accordingly. The Approved Algorithm list includes the tested components (KAS-ECC-SSC, KASFFC-SSC and KAS-IFC-SSC) as individual entries. The Module obtains the [FIPS140-3_IG] D.F required key agreement assurances: [SP800-56Ar3] in accordance with Section 5.6.2. [SP800-56Br2] in accordance with Section 6.4. Per IG C.F Additional Comment 1.e: The elliptic curve used in the key agreement scheme and the associated domain parameters provide more than

112 bits of security as seen in the KAS-1 entry per Table 9.

Per IG C.F Additional Comment 2: The KAS-ECC-SSC and KAS-FFC-SSC implementations each support a scheme of the Diffie-Helllman variety. Per IG D.G: The module supports the Key Transport per NIST SP 800-56Br2 (RSA-OAEP) denoted by KTS-4 in the SFI Table 9. The RSA modulus sizes and key generation method have been documented in the table as well. The module can also optionally be used in the context of IETF protocols and provide key transport using any approved AES mode(s) and an approved MAC. The corresponding entries KTS-1, KTS-2, KTS-3 and KTS-5 in the SFI Table 9 have been documented accordingly. All KTS entries have been documented in accordance with Additional Comment 4 in the IG. The module also supports the following untested approved moduli for KTS-4: 6144 < nlen <=16384, where nlen denotes the modulus. Per IG D.A and IG D.B: The strengths of the established key have been documented in accordance with IG D.A Additional Comment 4. and per the Resolution in IG D.B.

2.11 Industry Protocols

The Module conforms to Resolution 3 per [FIPS140-3_IG] D.C References to the Support of Industry Protocols: while it provides [SP800-56Ar3] conformant schemes and API entry points oriented to SSH and TLS usage, the Module does not contain the full implementation of SSH or TLS. The following caveat is required: No parts of the SSH and TLS protocols, other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP. Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 38

Veeam Cryptographic Module based on the OpenSSL FIPS Provider Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 39
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
N/AN/AControl InputAPI entry point: stack frame including non-sensitive parameters
N/AN/AData InputAPI call parameters passed by reference or value for cryptographic service input
N/AN/AStatus OutputAPI return value: enumerated status resulting from call execution
N/AN/AData OutputAPI call parameters passed by reference for cryptographic service output

Veeam Cryptographic Module based on the OpenSSL FIPS Provider

3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

N/A N/A N/A N/A Table 10: Ports and Interfaces Table 10 defines the Module’s [FIPS140-3] logical interfaces; the Module does not interact with physical ports. The Control Output logical interface is not applicable to the Module and is intentionally omitted from Table 10. Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 40
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutput
Crypto OfficerCrypto OfficerRoleNone
InitializeModule initializationCrypto Officer - DRBG_E I: G,W,E,Z - DRBG_S tate: G - Software Integrity key: ERandom Number Generatio nFIPS_O KCore handle, dispatch in and out, provider contextInitializatio n status (1 = pass, 0 = fail)
Core (all except Teardown) (Show Status, Show Version)Show status; Core operations dispatched by FIPS provider: Metadata (Gettable parameters; Get parameters; Get capabilities); Query; Self- testCrypto OfficerNoneFIPS_O KProvider context, paramete rs types (array), capability , callback pointer and argument s, operation IDParameter types (array) with: Name, Version, BuildInfo, Status, SecurityCh ecks; Status return, TLS group capabilities , Null or array of
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutput
Crypto OfficerCrypto OfficerRoleNone
InitializeModule initializationCrypto Officer - DRBG_E I: G,W,E,Z - DRBG_S tate: G - Software Integrity key: ERandom Number Generatio nFIPS_O KCore handle, dispatch in and out, provider contextInitializatio n status (1 = pass, 0 = fail)
Core (all except Teardown) (Show Status, Show Version)Show status; Core operations dispatched by FIPS provider: Metadata (Gettable parameters; Get parameters; Get capabilities); Query; Self- testCrypto OfficerNoneFIPS_O KProvider context, paramete rs types (array), capability , callback pointer and argument s, operation IDParameter types (array) with: Name, Version, BuildInfo, Status, SecurityCh ecks; Status return, TLS group capabilities , Null or array of
Core: Perform self-testsRun the self- test sequenceCrypto OfficerPerform self-tests (All) Software Integrity TestFIPS_O KProvider contextStatus (1 = pass, 0 = fail)
Core: Teardown (Perform zeroisation)Uninstantiate the module; includes ZeroiseCrypto Officer - DS_SGK : Z - DS_SVK: Z - GKP_Pri vate: Z - GKP_Pu blic: Z - KAS_Pri vate: Z - KAS_Pu blic: Z - KAS_SS: Z - KD_DKM : Z - KH_Key: Z - KTS_KD K: Z - KTS_KE K: Z - KTS_SS: Z - DRBG_ENoneFIPS_O KProvider contextNone
Asymmetric cipher (Key Transport) (Perform approved security functions)Encapsulate or decapsulate key material on behalf of the calling process (does not establish keys into the module)Crypto Officer - KTS_KD K: E - KTS_KE K: E - KTS_SS: RKTS-4[KTS- IFC: RSA, 4, (2048, 3072, 4096, 6144, 8192)]Encapsul ate: Key struct (KTS_KD K); Decapsul ate (KTS_KE K)Status return; KTS_SS
Cipher (Encryption/Dec ryption and Key Wrapping) (Perform approved security functions)Encrypt or decrypt data, including AEAD modes (CCM, GCM) and key wrap (KW, KWP) (CSPs are passed in by the calling process or generated within the module)Crypto Officer - SC_EDK : E - KH_Key: ESymmetri c Encryptio n and Decryptio n Keyed Hash KTS-1 KTS-2 KTS-3 Cryptogra phic Key Generatio n (CKG) Cryptogra phic Key Generatio n (CKG) - AES XTS KTS-5[AES- ECB: AES- 128- ECB, AES- 192- ECB, AES- 256- ECB]; [AES- CBC: AES- 128- CBC, AES- 192- CBC, AES- 256- CBC]; [AES-SC_EDK and KH_Key (for key wrapping ); flagsStatus return. Plaintext or ciphertext data, or wrapped key

Veeam Cryptographic Module based on the OpenSSL FIPS Provider

4 Roles, Services, and Authentication

The Module does not provide an authentication or identification method of its own. The CO role is assumed by meeting the conditions of Section 11 of this document. N/A for this module.

4.2 Roles

Table 11: Roles The Module supports the mandatory Cryptographic Officer (CO) operational role only (implicitly identified) and does not support a maintenance role or a bypass capability.

4.3 Approved Services

r K Query; Selftest K s, s n I: G,W,E,Z Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 41

Veeam Cryptographic Module based on the OpenSSL FIPS Provider r K K s :Z Z Z :Z Z K: Z K: Z Z Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 42

Veeam Cryptographic Module based on the OpenSSL FIPS Provider r s [KTSIFC: K); K) [AESECB: AES128ECB, AES192ECB, AES256ECB]; [AESCBC: AES128CBC, AES192CBC, AES256CBC]; c n I: Z :Z K: E K: E R :E E Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 43

Veeam Cryptographic Module based on the OpenSSL FIPS Provider r s CBCCS: AES128CBCCTS, AES192CBCCTS, AES256CBCCTS]; [AESOFB: AES128OFB, AES192OFB, AES256OFB]; [AESCFB1: AES128CFB1, AES192CFB1, AES256CFB1]; [AESCFB8: AES128CFB8, AES192CFB8, AES256CFB8]; [AESVeeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 44

Veeam Cryptographic Module based on the OpenSSL FIPS Provider r s AES128CFB, AES192CFB, AES256CFB]; [AESCTR: AES128CTR, AES192CTR, AES256CTR]; [AESCCM: AES128CCM, AES192CCM, AES256CCM]; [AESGCM: AES128GCM, AES192GCM, AES256GCM]; [AESXTS: AES128XTS, Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 45
Service
NameDescriptionCsps AccessedApproved FunctionsIndicatorInputOutput
Key derivation (Perform approved security functions)Derive keying materialCrypto Officer - KAS_SS: W,E - KD_DKM : G,R - KTS_SS: W,E - PBKDF Passwor d: W,E,ZKey Derivatio n[PBKDF: PBKDF2 , (SHA- 1, SHA2- 224, SHA2- 256, SHA2- 384, SHA2- 512, SHA2- 512/224, SHA2- 512/256, SHA3- 224, SHA3- 256, SHA3- 384, SHA3- 512)]; [TLS1- PRF, (SHA2- 256, SHA2- 384, SHA2- 512)]; [TLS13- KDF, (SHA2- 256,KAS_SS; flagsStatus return; KD_DKM

Veeam Cryptographic Module based on the OpenSSL FIPS Provider r AES256XTS]; [AESKW, AES128WRAP, AES256WRAP] , (SHA1, SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256, SHA3224, SHA3256, SHA3384, SHA3512)]; [TLS1PRF, (SHA2256, SHA2384, SHA2512)]; [TLS13KDF, (SHA2256, s n W,E : G,R W,E d: W,E,Z Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 46

Veeam Cryptographic Module based on the OpenSSL FIPS Provider r s SHA2384)]; [X963KDF, (SHA2224, SHA2256, SHA2384, SHA2512)]; SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256, SHA3224, SHA3256, SHA3384, SHA3512)]; SP 800108r1 (KMAC128, KMAC256)]; SP 800108r1 Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 47

Veeam Cryptographic Module based on the OpenSSL FIPS Provider r s AES128CBC, AES192CBC, AES256CBC, HMACSHA1, HMACSHA2224, HMACSHA2256, HMACSHA2384, HMACSHA2256, HMACSHA2384, HMACSHA2512, HMACSHA2512/224, HMACSHA2512/256, HMACSHA3224, HMACSHA3256, HMACVeeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 48

Veeam Cryptographic Module based on the OpenSSL FIPS Provider r s SHA3384, HMACSHA3512]; F, SHA2224, SHA2256, SHA2384, SHA2512)]; SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256, SHA3224, SHA3256, SHA3384, SHA3512, HMACSHA1, HMACSHA2224, HMACVeeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 49

Veeam Cryptographic Module based on the OpenSSL FIPS Provider r s SHA2256, HMACSHA2384, HMACSHA2512, HMACSHA2512/224, HMACSHA2512/256, SHA3224, SHA3256, SHA3384, SHA3512, KMAC128, KMAC256)]; SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256, SHA3224, SHA3256, Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 50
Service
NameDescriptionCsps AccessedApproved FunctionsIndicatorInputOutput
Key exchange (Perform approved security functions)Perform key agreement primitives on behalf of the calling process (does not establish keys into the module)Crypto Officer - KAS_Pri vate: E - KAS_Pu blic: E - KAS_SS: GKAS-1 KAS-2 KAS-3 KAS ECC CDH Compone nt[KAS- FFC- SSC: DHX]; [KAS- ECC- SSC: EC]Key structs (KAS_Pri vate and KAS_Pu blic); flagsStatus return; KAS_SS
Key management (Perform approved security functions)Generate asymmetric key pairsCrypto Officer - GKP_Pri vate: G - GKP_Pu blic: GAsymmet ric Key Pair Generatio n[SafePri mes: DHX]; [RSA KeyGen: RSA, (2048, 3072,ECDSA: curve identifier. DSA/RS A: modulus sizeStatus return; Key struct (GKP_Priv ate, GKP_Publi c)
Message authentication (Perform approved security functions)Generate or verify data integrity. (CSPs are passed in by the calling process or generated within the module)Crypto Officer - KH_Key: EKeyed Hash Cryptogra phic Key Generatio n (CKG)[HMAC: HMAC- SHA1, HMAC- SHA2- 224, HMAC- SHA2- 256, HMAC- SHA2- 384, HMAC- SHA2- 512, HMAC- SHA2- 512/224, HMAC- SHA2- 512/256, HMAC- SHA3- 224, HMAC- SHA3- 256, HMAC- SHA3- 384, HMAC- SHA3- 512]; [CMAC]; [KMAC: KMAC-KH_KeyStatus return; Tag value
Message digest (Perform approved security functions)Generate a message digestCrypto OfficerMessage Digest[SHA-1, SHA2- 224, SHA2- 256, SHA2- 384, SHA2- 512, SHA2- 512/224, SHA2- 512/256, SHA3- 224, SHA3- 256, SHA3- 384, SHA3- 512, SHAKE- 128, SHAKE- 256]Message ; flagsStatus return; Hash value
Random (Perform approved security functions)Generate random bits using the DRBGCrypto Officer - DRBG_E I: E - DRBG_S eed: E -Random Number Generatio n[Hash DRBG: HASH- DRBG, (SHA1, SHA2- 256, SHA2- 512)]; [HMAC-DRBG struct (RBG State); DRBG_E IStatus return; Random value
DRBG, (SHA1, SHA2- 256, SHA2- 512)]; [CTR- DRBG, (AES- 128- CTR, AES- 192- CTR, AES- 256- CTR)]DRBG_S tate: EDRBG, (SHA1, SHA2- 256, SHA2- 512)]; [CTR- DRBG, (AES- 128- CTR, AES- 192- CTR, AES- 256- CTR)]
Signature (Perform approved security functions)Generate or verify digital signatures (SSPs are passed in by the calling process)Crypto Officer - DS_SGK : E - DS_SVK: ERSA Digital Signature Generatio n and Verificatio n ECDSA Signature Generatio n and Signature Verificatio n DSA Digital Signature Generatio n and Verificatio n RSA Signature Primitive[RSA SigGen: RSA, (2048, 3072, 4096), (SHA2- 224, SHA2- 256, SHA2- 384, SHA2- 512, SHA2- 512/224, SHA2- 512/256) ]; [RSA SigVer: RSA, (1024, 2048, 3072, 4096), (SHA1, SHA2- 224, SHA2- 256, SHA2-Sign: Key struct (DS_SG K); message ; Verify: signature value; Key struct (DS_SV K); flags; sizesStatus return; Signature value

Veeam Cryptographic Module based on the OpenSSL FIPS Provider r SHA3384, SHA3512]; SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256, SHA3224, SHA3256, SHA3384, SHA3512]; [KASFFCSSC: [KASECCSSC: s A: c) G n Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 51

Veeam Cryptographic Module based on the OpenSSL FIPS Provider r HMACSHA1, HMACSHA2224, HMACSHA2256, HMACSHA2384, HMACSHA2512, HMACSHA2512/224, HMACSHA2512/256, HMACSHA3224, HMACSHA3256, HMACSHA3384, HMACSHA3512]; s E Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 52

Veeam Cryptographic Module based on the OpenSSL FIPS Provider r KMAC256]; AES128GCM, AES192GCM, AES256GCM] SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256, SHA3224, SHA3256, SHA3384, SHA3512, SHAKE128, SHAKE256] HASHDRBG, SHA2256, SHA2512)]; s I n I: E Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 53

Veeam Cryptographic Module based on the OpenSSL FIPS Provider r SHA2256, SHA2512)]; [CTRDRBG, (AES128CTR, AES192CTR, AES256CTR)] (SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256) SHA2224, SHA2256, s K); n n n :E E Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 54

Veeam Cryptographic Module based on the OpenSSL FIPS Provider r s SHA2512, SHA2512/224, SHA2512/256) e m: (SHA2224, SHA2256, SHA2384, SHA2512, SHA3224, SHA3256, SHA3384, SHA3512)]; SHA2224, SHA2256, SHA2384, SHA2512, Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 55

Veeam Cryptographic Module based on the OpenSSL FIPS Provider r s SHA2512/224, SHA2512/256) ]; (L= SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256) , =SHA2256, SHA2384, SHA2512, SHA2512/256) Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 56

Veeam Cryptographic Module based on the OpenSSL FIPS Provider r s (L= (SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256) SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256) ] Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 57
Service
NameDescriptionCsps AccessedApproved FunctionsIndicatorInputOutput
Zeroise (Perform zeroisation)*The core Teardown operation zeroizes all Module scope SSPs *Call stack cleanup is the duty of the application *Restarting the general- purpose computer clears all SSPs in RAM *OPENSSL_cl eanse provides zeroisation of SSPs managed by the caller; See the notes below this table for additional explanationCrypto Officer - DS_SGK : Z - DS_SVK: Z - GKP_Pri vate: Z - GKP_Pu blic: Z - KAS_Pri vate: Z - KAS_Pu blic: Z - KAS_SS: Z - KD_DKM : Z - KH_Key: Z - KTS_KD K: Z - KTS_KE K: Z - KTS_SS: Z - DRBG_E I: Z - DRBG_S eed: Z - DRBG_S tate: Z -NoneZERO_ OKMemory pointerVoid

Veeam Cryptographic Module based on the OpenSSL FIPS Provider r the generalpurpose s :Z Z Z :Z Z K: Z K: Z Z I: Z Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 58

Veeam Cryptographic Module based on the OpenSSL FIPS Provider r s :Z Table 12: Approved Services Note: The Indicators in Table 12 above follow the format: [Algorithm name: Indicator 1, Indicator 2, etc.] where Indicator 1 is an algorithm identifier and Indicators 2, 3 etc. depending on the algorithm are the specifics i.e. modes/supported curves/SafePrime groups/PRFs, etc.) per algorithm. Each combination of the Indicator 1 along with Indicators 2, 3, etc. in the comma separated list can be observed when the corresponding modes/curves/SafePrimes, PRFs etc. are invoked for a given algorithm in the context of a given service. The service indicators must be requested by the calling applications as by calling the following EVP APIs of the module in the context of each service:

Page 59

Veeam Cryptographic Module based on the OpenSSL FIPS Provider

Page 60
Service
NameDescriptionRolesApproved Functions
SignatureGenerate or verify digital signatures (SSPs are passed in by the calling process)Crypto OfficerEd448 Ed25519 FIPS 186-2 RSA SigGen/SigVer
Key ExchangePerform key agreement primitives on behalf of the calling process (does not establish keys into the module)Crypto OfficerX448 X25519
Cipher (Encryption/Decryption)Encrypt or decrypt data (CSPs are passed in by the calling process)Crypto OfficerTriple-DES
ECDSA SigVer ComponentVerify ECDSA digital signatures (SSPs are passed in by the calling process)Crypto OfficerECDSA SigVer Component
Key DerivationDerive keys (key derivation key passed in by the calling process)Crypto OfficerX942KDF- CONCAT X963KDF HKDF OneStep KDF
Keyed HashGenerate HMAC using key length less than 112 bitsCrypto OfficerHMAC
RandomGenerate random bits using the non-approved Hash and HMAC DRBGs with PRFs SHA2-224, SHA2-384, SHA2-512/224 and SHA2-512/256Crypto OfficerHash and HMAC DRBG

Veeam Cryptographic Module based on the OpenSSL FIPS Provider X942KDFCONCAT Table 13: Non-Approved Services

4.5 External Software/Firmware Loaded

The module does not support loading of any additional software.

4.6 Bypass Actions and Status
4.7 Cryptographic Output Actions and Status

The module does not support self-initiated cryptographic output. Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 61

Veeam Cryptographic Module based on the OpenSSL FIPS Provider

5 Software/Firmware Security
5.1 Integrity Techniques

The Module uses HMAC-SHA2-256 as the approved integrity technique; the file fipsmodule.cnf contains the integrity reference value. The HMAC key used for the integrity test is considered a non-SSP. The HMAC-SHA2-256 CAST is performed prior to the software integrity test. The Module is provided in an executable form (as fips.so shared object for use in Linux environments, fips.dylib for use in Mac environments and fips.dll for use in Windows environments). The module does not support loading of any additional software.

5.2 Initiate on Demand

The operator can initiate the integrity test on demand by calling fips_self_test (invoked using OSSL_PROVIDER_self_test called with the Module’s global handle) or reloading the Module.

5.3 Open-Source Parameters

In accordance with [ISO19790] Annex B, as the Module is open source, the tools used to build the Module as tested are:

Page 62

Veeam Cryptographic Module based on the OpenSSL FIPS Provider

6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Modifiable How Requirements are Satisfied: The operational environment for the Module is modifiable as it runs in General Purpose Computers (GPC). The Module conforms to [FIPS140-3_IG] 2.3.C Processor Algorithm Accelerators (PAA) and Processor Algorithm Implementation (PAI). The AES-NI functions are identified by [FIPS140-3_IG] 2.3.C as a known PAA.

6.2 Configuration Settings and Restrictions

Table 3 lists the operational environments on which the Module was tested; no operational environment restrictions are required for operation in the approved mode. All conditions for operation of the Module in the approved mode are given in Section 2. Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 63

Veeam Cryptographic Module based on the OpenSSL FIPS Provider

7 Physical Security

Physical Security requirements are not applicable for this software Module. N/A for this module. Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 64

Veeam Cryptographic Module based on the OpenSSL FIPS Provider

8 Non-Invasive Security

In accordance with current CMVP policy, Non-Invasive Security is not applicable. Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 65
Sensitive security parameter
NameTypeDescription
RAMDynamicTemporary, plaintext storage
Stored in the module's configuration fileStaticPersistent, plaintext storage
Service
NameApproved FunctionsTypeFromToDistributio n Type
CALL STACK (API) INPUT PARAMETER SElectroni cPlaintex tCalling applicationModuleManual
CALL STACK (API) OUTPUT PARAMETER SElectroni cPlaintex tModuleCalling applicationManual
Stored at manufactureN/APlaintex tManufacture rStored in the module's configuratio n fileN/A
Zeroization MethodDescriptionRationaleOperator
Initiation
OPENSSL_cleanseZeroisation of SSPs managed by the callerThe OPENSSL_cleanse provides zeroisation of SSPs managed by the callerModule initiated
cleared after useTemporary copies of CSPs are zeroised within the relevant function for the scope within which they are usedCSPs with a lifetime associated with an OpenSSL object will be zeroized when reinitializedModule initiated
TeardownThis operation triggers Module uninstantiationCSPs with a lifetime associated with the Module are zeroised on Module uninstantiationOperator initiated

Veeam Cryptographic Module based on the OpenSSL FIPS Provider

9 Sensitive Security Parameters Management
9.1 Storage Areas
9.2 SSP Input-Output Methods

S S t c t c r t N/A N/A m Table 15: SSP Input-Output Methods The module is complaint with FIPS 140-3 IG 9.5.A MD/EE (CM Software to/from App via TOEPP Path).

9.3 SSP Zeroization Methods

Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 66
Sensitive security parameter
NameTypeDescriptionStrengthGenerationEstablishmentStorageZeroizationUseInputRelated SSPs
DS_SGKPrivate key - CSPPrivate key for signature generationRSA: 2048, 3072 and 4096 bits DSA: 2048 and 3072 bits ECDSA: B- 233, K-233, P-224; B- 283, K-283, P-256; B- 409, K-409, P-384; B- 571, K-571, P-521 - RSA: 112, 128 or 152 DSA: 112 or 128 ECDSA: 112, 128, 192, 521RSA Digital Signature Generatio n and Verificatio n ECDSA Signature Generatio n and Signature Verificatio n DSA Digital Signature Generatio n and Verificatio n RSA Signature Primitive
DS_SVKPublic key - PSPPublic key for signature verificationRSA: 1024, 2048, 3072 and 4096 bits DSA: 1024, 2048 and 3072 bits ECDSA: ECDSA: B- 233, K-233, P-224; B- 283, K-283, P-256; B- 409, K-409, P-384; B-RSA Digital Signature Generatio n and Verificatio n ECDSA Signature Generatio n and Signature Verificatio n
571, K-571, P-521 - RSA: 80, 112, 128 or 152 DSA: 80, 112 or 128 ECDSA: 112, 128, 192, 256571, K-571, P-521 - RSA: 80, 112, 128 or 152 DSA: 80, 112 or 128 ECDSA: 112, 128, 192, 256DSA Digital Signature Generatio n and Verificatio n
GKP_Priva tePrivate key - CSPKey pair (Private: DS_SGK, Public: DS_SVK) generated per caller request; the keypair purpose is unspecifiedRSA: 2048, 3072, 4096 bits DSA: 2048 and 3072 bits ECDSA: ECDSA: B- 233, K-233, P-224; B- 283, K-283, P-256; B- 409, K-409, P-384; B- 571, K-571, P-521 - RSA: 112, 128 or 152 DSA: 112 or 128 ECDSA: 112, 128, 192, 256Asymmetric Key Pair Generation Random Number Generation
GKP_Publi cPublic key - PSPKey pair (Private: GPK_Privat e, Public: GPK_Publi c) generated per caller request; the keypair purpose is unspecifiedRSA: 2048, 3072, 4096 bits DSA: 2048 and 3072 bits ECDSA: ECDSA: B- 233, K-233, P-224; B- 283, K-283, P-256; B- 409, K-409, P-384; B- 571, K-571, P-521 - RSA: 112, 128 or 152 DSA: 112 orAsymmetric Key Pair Generation Random Number Generation
KAS_Privat ePrivate key - CSPKey pair component provided by the local participant, used for Diffie- Hellman shared secret generationFFC: FB, FC, MODP2048, ffdhe2048, MODP3072, ffdhe3072, MODP4096, ffdhe4096, MODP6144, ffdhe6144, MODP8192, ffdhe 8192 ECC: B-233, K-233, P- 224, B-283, K-283, P- 256, B-409, K-409, P- 384, B-571, K-571, P- 521, IFC: k=2048, 3072, 4096, 6144, 8192 bits - FFC: between 112 and 200 ECC: 112, 128, 192, 256 IFC [SP800- 56Br2]: 112, 128Asymmetric Key Pair Generation Random Number GenerationKAS-1 KAS-2 KAS-3
KAS_Publi cPublic key - PSPKey pair component provided by the local participant, used for Diffie- Hellman shared secret generationFFC: FB, FC, MODP2048, ffdhe2048, MODP3072, ffdhe3072, MODP4096, ffdhe4096, MODP6144, ffdhe6144, MODP8192, ffdhe 8192 ECC: B-233, K-233, P-Asymmetric Key Pair Generation Random Number GenerationKAS-1 KAS-2 KAS-3
KAS_SSShared secret - CSPShared secret calculation; z output value is expected to be used by a KDFFFC: FB, FC, MODP2048, ffdhe2048, MODP3072, ffdhe3072, MODP4096, ffdhe4096, MODP6144, ffdhe6144, MODP8192, ffdhe 8192 ECC: B-233, K-233, P- 224, B-283, K-283, P- 256, B-409, K-409, P- 384, B-571, K-571, P- 521, IFC: k=2048, 3072, 4096, 6144, 8192 bits - FFC: between 112 and 200 ECC: 112, 128, 192,KAS-1 KAS-2 KAS-3
KD_DKMDerived Keying Material - CSPKey Derivation derived keying materialHMAC PRF: 160, 224, 256, 384, 512 - HMAC PRF: 160, 224, 256, 384, 512Key Derivation
KH_KeySymmetr ic key - CSPKeyed Hash keyCMAC: 128, 192, 256 GMAC: 128, 192, 256 HMAC: 160, 256, 512. KMAC: 128, 256 - CMAC: 128, 192, 256 GMAC: 128, 192, 256 HMAC: 160, 256, 512. KMAC: 128, 256Random Number Generation Cryptograph ic Key Generation (CKG)Keyed Hash KTS-2
KTS_KDKPrivate key - CSPPrivate (KDK) component of an RSA key pair used for [SP800- 56Br2] RSA key transport2048, 3072, 4096 and 6144 bits - 112, 128, 152, 176KTS-4
KTS_KEKPublic key - PSPPublic (KEK) component of an RSA key pair used for [SP800- 56Br2] RSA key transport2048, 3072, 4096 and 6144 bits - 112, 128, 152, 176KTS-4
KTS_SSShared secret - CSPThe RSA key transport2048, 3072, 4096 and 6144 bits -KTS-4
shared secretshared secret112, 128, 152, 176
DRBG_EIEntropy input - CSPEntropy input from an external source used for DRBG seeding128 - 256 bits - 128 - 256 bitsRandom Number Generatio n
DRBG_Se edDRBG seed - CSPSeed generated from the entropy input for the DRBG128 - 256 bits - 128 - 256 bitsRandom Number Generatio n
DRBG_Sta teDRBG state - CSPHash DRBG: V and C. HMAC DRBG: V and Key CTR DRBG: V and KeyHash DRBG: 160, 224, 256, 384, 512 HMAC DRBG: 160, 224, 256, 384, 512. CTR DRBG: 128, 192, 256 - Hash DRBG: 160, 224, 256, 384, 512 HMAC DRBG: 160, 224, 256, 384, 512. CTR DRBG: 128, 192, 256Random Number GenerationRandom Number Generatio n
SC_EDKSymmetr ic key - CSPAES key used for symmetric encryption and decryption (including use in key wrapping)AES: 128, 192, 256 AES CCM: 128, 192, 256 AES GCM: 128, 192, 256 AES XTS: 128, 256. - AES: 128, 192, 256 AES CCM:Random Number Generation Cryptograph ic Key Generation (CKG) Cryptograph ic Key Generation (CKG) - AES XTSSymmetri c Encryptio n and Decryptio n KTS-1 KTS-2 KTS-3 KTS-5
PBKDF PasswordSymmetr ic key - CSPInput provided to the PBKDFRecommend ed size is greater than 10 characters for passwords and greater than 20 characters for passphrases - 112 bits or greaterKey Derivatio n
Software Integrity key256 bits - NeitherHMAC- SHA2-256 key used to perform the Software Integrity Test256 bits - 256 bitsSoftware Integrity Test
DS_SGKRAM:Plaint extOPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computerCALL STACK (API) INPUT PARAMETE RScleared after useDS_SVK:Paired With
DS_SVKRAM:Plaint extOPENSSL_clea nse cleared after use Teardown Restarting theCALL STACK (API) INPUT PARAMETE RScleared after useDS_SGK:Paired With
Zeroization MethodDescriptionRationaleOperator Initiation
Restarting the general-purpose computerRAM (memory) is used for temporary storage of SSPsRestarting the general- purpose computer clears all SSPs in RAMOperator initiated

Veeam Cryptographic Module based on the OpenSSL FIPS Provider Table 16: SSP Zeroization Methods n y n n n n n Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 67

Veeam Cryptographic Module based on the OpenSSL FIPS Provider n c c) y n Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 68

Veeam Cryptographic Module based on the OpenSSL FIPS Provider n e DiffieHellman c DiffieHellman [SP80056Br2]: 112, y Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 69

Veeam Cryptographic Module based on the OpenSSL FIPS Provider n [SP80056Br2]: 112, y Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 70

Veeam Cryptographic Module based on the OpenSSL FIPS Provider n [SP80056Br2] RSA [SP80056Br2] RSA y Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 71

Veeam Cryptographic Module based on the OpenSSL FIPS Provider n n n n c n y Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 72
Sensitive security parameter
NameTypeDescriptionStrengthStorageZeroizationUseInputRelated SSPs
PBKDF PasswordSymmetr ic key - CSPInput provided to the PBKDFRecommend ed size is greater than 10 characters for passwords and greater than 20 characters for passphrases - 112 bits or greaterKey Derivatio n
Software Integrity key256 bits - NeitherHMAC- SHA2-256 key used to perform the Software Integrity Test256 bits - 256 bitsSoftware Integrity Test
DS_SGKRAM:Plaint extOPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computerCALL STACK (API) INPUT PARAMETE RScleared after useDS_SVK:Paired With
DS_SVKRAM:Plaint extOPENSSL_clea nse cleared after use Teardown Restarting theCALL STACK (API) INPUT PARAMETE RScleared after useDS_SGK:Paired With
GKP_Priv ateRAM:Plaint extOPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computerCALL STACK (API) OUTPUT PARAMETE RScleared after useGKP_Public:Paired With
GKP_Publ icRAM:Plaint extOPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computerCALL STACK (API) OUTPUT PARAMETE RScleared after useGKP_Private:Paired With
KAS_Priva teRAM:Plaint extOPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computerCALL STACK (API) INPUT PARAMETE RScleared after useKAS_Public:Paired With
KAS_Publi cRAM:Plaint extOPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computerCALL STACK (API) INPUT PARAMETE RScleared after useKAS_Private:Paired With
KAS_SSRAM:Plaint extOPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computercleared after useKAS_Private:Establi shed using KAS_Public:Establis hed using
KD_DKMRAM:Plaint extOPENSSL_clea nse cleared after use TeardownCALL STACK (API) OUTPUTcleared after use
PARAMETE RSRestarting the general-purpose computerPARAMETE RS
KH_KeyRAM:Plaint extOPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computerCALL STACK (API) INPUT PARAMETE RScleared after use
KTS_KDKRAM:Plaint extOPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computerCALL STACK (API) INPUT PARAMETE RScleared after useKTS_KEK:Paired With
KTS_KEKRAM:Plaint extOPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computerCALL STACK (API) INPUT PARAMETE RScleared after useKTS_KDK:Paired With
KTS_SSRAM:Plaint extOPENSSL_clea nse Teardown Restarting the general-purpose computerCALL STACK (API) INPUT PARAMETE RS CALL STACK (API) OUTPUT PARAMETE RScleared after use
DRBG_EIRAM:Plaint extOPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computerCALL STACK (API) INPUT PARAMETE RScleared after useDRBG_Seed:Used to derive
DRBG_Se edRAM:Plaint extOPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computercleared after useDRBG_EI:Derived From
DRBG_St ateRAM:Plaint extTeardown Restarting the general-purpose computerUntil power- cycling of the underlyi ng host platformDRBG_Seed:Derive d From
SC_EDKRAM:Plaint extOPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computerCALL STACK (API) INPUT PARAMETE RS CALL STACK (API) OUTPUT PARAMETE RScleared after use
PBKDF PasswordRAM:Plaint extOPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computerCALL STACK (API) INPUT PARAMETE RScleared after use
Software Integrity keyStored in the module's configuratio n file :PlaintextTeardownStored at manufactureUntil teardow n operatio n is perform ed

Veeam Cryptographic Module based on the OpenSSL FIPS Provider n HMACSHA2-256 y n Table 17: SSP Table 1 n Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 73

Veeam Cryptographic Module based on the OpenSSL FIPS Provider n c Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 74

Veeam Cryptographic Module based on the OpenSSL FIPS Provider n Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 75

Veeam Cryptographic Module based on the OpenSSL FIPS Provider n powercycling n Table 18: SSP Table 2 All SSPs used by the Module are described in this section, arranged for consistency with Table 12; ‘--’ indicates the cell is intentionally empty, not applicable, or not relevant. Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 76

Veeam Cryptographic Module based on the OpenSSL FIPS Provider Keys used for CASTs and the temporary value used in the integrity test are not SSPs; however, the latter is deleted after use as required by AS05.10. Equivalent strength is given for each key or algorithm type (as some algorithms do not use or produce keys). The Module maintains only the DRBG CSPs used for key generation as persistent CSPs; these are used exclusively for approved services. DRBG outputs are used internally to the Module for asymmetric key pair generation and used by calling applications to generate a random value (potentially for use as a symmetric key). The Module:

Page 77
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsIndicatorConditions
HMAC-SHA2- 256 (A3548)HMAC-SHA2- 256 (A3548)KATSW/FW IntegrityMAC (HMAC- SHA2-256, A3548)Key Length: 256 bitsSuccess: All self- tests passed (as expected)
AES-ECB (A3548)AES-ECB (A3548)KATCASTDecryptKey Length: 128 bitsFIPS_OKOn reloading the module
AES-GCM (A3548)AES-GCM (A3548)KATCASTEncryptKey Length: 256 bitsFIPS_OKOn reloading the module
AES-GCM (A3548)AES-GCM (A3548)KATCASTDecryptKey Length: 256 bitsFIPS_OKOn reloading the module
Counter DRBG (A3548)Counter DRBG (A3548)KATCASTGenerate, Reseed, Instantiate functionsAES CTR (128 bits) with derivation functionFIPS_OKOn reloading the module
DSA SigGen (FIPS186- 4) (A3548)DSA SigGen (FIPS186- 4) (A3548)KATCASTSignModulus: 2048 bits; Hash: SHA2-384FIPS_OKOn reloading the module
DSA SigVer (FIPS186- 4) (A3548)DSA SigVer (FIPS186- 4) (A3548)KATCASTVerifyModulus: 2048 bits; Hash: SHA2-384FIPS_OKOn reloading the module
ECDSA SigGen (FIPS186- 4) (A3548)ECDSA SigGen (FIPS186- 4) (A3548)KATCASTSignCurve: P- 224; Hash: SHA2-512FIPS_OKOn reloading the module
ECDSA SigVer (FIPS186- 4) (A3548)ECDSA SigVer (FIPS186- 4) (A3548)KATCASTVerifyCurve: P- 224; Hash: SHA2-512FIPS_OKOn reloading the module
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic MethodDetailsIndicatorConditions
HMAC-SHA2- 256 (A3548)HMAC-SHA2- 256 (A3548)KATSW/FW IntegrityMAC (HMAC- SHA2-256, A3548)Key Length: 256 bitsSuccess: All self- tests passed (as expected)
AES-ECB (A3548)AES-ECB (A3548)KATCASTDecryptKey Length: 128 bitsFIPS_OKOn reloading the module
AES-GCM (A3548)AES-GCM (A3548)KATCASTEncryptKey Length: 256 bitsFIPS_OKOn reloading the module
AES-GCM (A3548)AES-GCM (A3548)KATCASTDecryptKey Length: 256 bitsFIPS_OKOn reloading the module
Counter DRBG (A3548)Counter DRBG (A3548)KATCASTGenerate, Reseed, Instantiate functionsAES CTR (128 bits) with derivation functionFIPS_OKOn reloading the module
DSA SigGen (FIPS186- 4) (A3548)DSA SigGen (FIPS186- 4) (A3548)KATCASTSignModulus: 2048 bits; Hash: SHA2-384FIPS_OKOn reloading the module
DSA SigVer (FIPS186- 4) (A3548)DSA SigVer (FIPS186- 4) (A3548)KATCASTVerifyModulus: 2048 bits; Hash: SHA2-384FIPS_OKOn reloading the module
ECDSA SigGen (FIPS186- 4) (A3548)ECDSA SigGen (FIPS186- 4) (A3548)KATCASTSignCurve: P- 224; Hash: SHA2-512FIPS_OKOn reloading the module
ECDSA SigVer (FIPS186- 4) (A3548)ECDSA SigVer (FIPS186- 4) (A3548)KATCASTVerifyCurve: P- 224; Hash: SHA2-512FIPS_OKOn reloading the module
Hash DRBG (A3548)Hash DRBG (A3548)KATCASTGenerate, Reseed, Instantiate functionsPRF: SHA2-256FIPS_OKOn reloading the module
HMAC DRBG (A3548)HMAC DRBG (A3548)KATCASTGenerate, Reseed, Instantiate functionsPRF: HMAC- SHA-1FIPS_OKOn reloading the module
HMAC- SHA2-256 (A3548)HMAC- SHA2-256 (A3548)KATCASTHMAC tag GenerationPRF: SHA2-256FIPS_OKPerformed prior to the software integrity test
KAS- ECC-SSC Sp800- 56Ar3 (A3548)KAS- ECC-SSC Sp800- 56Ar3 (A3548)KATCASTKey Agreement - Shared Secret ComputationScheme: Ephemeral Unified, Curve: P- 256FIPS_OKOn reloading the module
KAS-FFC- SSC Sp800- 56Ar3 (A3548)KAS-FFC- SSC Sp800- 56Ar3 (A3548)KATCASTKey Agreement - Shared Secret ComputationScheme: dhEphem; Modulus: L = 2048 bits, N = 256 bitFIPS_OKOn reloading the module
KAS-IFC- SSC (A3548)KAS-IFC- SSC (A3548)KATCASTKey Agreement - Shared Secret ComputationSchemes: Basic, CRT, Modulus: L = 2048 bitsFIPS_OKOn reloading the module
KDF SP800- 108 (A3548)KDF SP800- 108 (A3548)KATCASTCounter Mode (HMAC- SHA2-256).Mode: Counter, PRF: HMAC- SHA2-256FIPS_OKOn reloading the module
KDA OneStep SP800- 56Cr2 (A3548)KDA OneStep SP800- 56Cr2 (A3548)KATCASTKey DerivationAuxiliary Function, H = SHA2- 224FIPS_OKOn reloading the module
KDA TwoStep SP800- 56Cr2 (A3548)KDA TwoStep SP800- 56Cr2 (A3548)KATCASTKey DerivationAuxiliary Function, H = HMAC- SHA2-256FIPS_OKOn reloading the module
KTS-IFC (A3548)KTS-IFC (A3548)KATCASTEncryptSchemes: Basic Modulus: L = 2048 bitsFIPS_OKOn reloading the module
KTS-IFC (A3548)KTS-IFC (A3548)KATCASTDecryptSchemes: Basic,FIPS_OKOn reloading the module
PBKDF (A3548)PBKDF (A3548)KATCASTKey DerivationDerivation of the Master Key (MK), PRF: SHA2-256FIPS_OKOn reloading the module
RSA SigGen (FIPS186- 4) (A3548)RSA SigGen (FIPS186- 4) (A3548)KATCASTSignScheme: PKCS#1, Modulus: L = 2048, Hash: SHA2-256FIPS_OKOn reloading the module
RSA SigVer (FIPS186- 4) (A3548)RSA SigVer (FIPS186- 4) (A3548)KATCASTVerifyScheme: PKCS#1, Modulus: L = 2048, Hash: SHA2-256FIPS_OKOn reloading the module
SHA-1 (A3548)SHA-1 (A3548)KATCASTHashSHA-1FIPS_OKOn reloading the module
SHA2-512 (A3548)SHA2-512 (A3548)KATCASTHashSHA2-512FIPS_OKOn reloading the module
SHA3-256 (A3548)SHA3-256 (A3548)KATCASTHashSHA3-256FIPS_OKOn reloading the module
KDF ANS 9.42 (A3548)KDF ANS 9.42 (A3548)KATCASTKey DerivationPRFs: AES KW (128 bits), SHA-1FIPS_OKOn reloading the module
KDF ANS 9.63 (A3548)KDF ANS 9.63 (A3548)KATCASTKey DerivationPRF: SHA2-256FIPS_OKOn reloading the module
KDF SSH (A3548)KDF SSH (A3548)KATCASTKey DerivationPRF: SHA- 1FIPS_OKOn reloading the module
TLS v1.2 KDF RFC7627 (A3548)TLS v1.2 KDF RFC7627 (A3548)KATCASTKey DerivationPRF: SHA2-256FIPS_OKOn reloading the module
TLS v1.3 KDF (A3548)TLS v1.3 KDF (A3548)KATCASTKey DerivationPRF: SHA2-256FIPS_OKOn reloading the module
RSA KeyGen (FIPS186- 4) (A3548)RSA KeyGen (FIPS186- 4) (A3548)PCTPCTKey GenerationPerformed post key generationFIPS_OKOn generating keys for Key Transport (KTS IFC)/Key Agreement (KAS IFC)/Signature
ECDSA KeyGen (FIPS186- 4) (A3548)ECDSA KeyGen (FIPS186- 4) (A3548)PCTPCTKey GenerationPerformed post key generationFIPS_OKOn generating keys for Key Agreement (KAS ECC)/Signature Generation/Signature Verification
DSA KeyGen (FIPS186- 4) (A3548)DSA KeyGen (FIPS186- 4) (A3548)PCTPCTKey GenerationPerformed post key generationFIPS_OKOn generating keys for Key Agreement (KAS FFC)/Signature Generation/Signature Verification
ECDSA SigGen (FIPS186- 4) (A3548)ECDSA SigGen (FIPS186- 4) (A3548)KATCASTSignCurve: K- 233; Hash: SHA2-512FIPS_OKOn reloading the module
ECDSA SigVer (FIPS186- 4) (A3548)ECDSA SigVer (FIPS186- 4) (A3548)KATCASTVerifyCurve: K- 233; Hash: SHA2-512FIPS_OKOn reloading the module
HMAC-SHA2- 256 (A3548)HMAC-SHA2- 256 (A3548)KATSW/FW IntegrityOn DemandManually by reloading the module or calling the fips_self_test function
AES-ECB (A3548)AES-ECB (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
AES-GCM (A3548)AES-GCM (A3548)KATCASTOn DemandManually by reloading the

Veeam Cryptographic Module based on the OpenSSL FIPS Provider

10.1 Pre-Operational Self-Tests

Table 19: Pre-Operational Self-Tests The module is complaint with FIPS 140-3 IG 10.2.A in that it performs a self-test, a Known Answer Test (KAT) for the

10.2 Conditional Self-Tests

(FIPS1864) (A3548) (FIPS1864) (A3548) (FIPS1864) (A3548) (FIPS1864) (A3548) Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 78

Veeam Cryptographic Module based on the OpenSSL FIPS Provider HMACSHA-1 HMACSHA2-256 KASECC-SSC Sp80056Ar3 KAS-FFCSSC Sp80056Ar3 KAS-IFCSSC SP800108 SP80056Cr2 SP80056Cr2 Curve: P256 HMACSHA2-256 H = SHA2224 H= HMACSHA2-256 (HMACSHA2-256). Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 79

Veeam Cryptographic Module based on the OpenSSL FIPS Provider (FIPS1864) (A3548) (FIPS1864) (A3548) (FIPS1864) (A3548) PRF: SHA1 Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 80
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic MethodDetailsIndicatorConditions
ECDSA KeyGen (FIPS186- 4) (A3548)ECDSA KeyGen (FIPS186- 4) (A3548)PCTPCTKey GenerationPerformed post key generationFIPS_OKOn generating keys for Key Agreement (KAS ECC)/Signature Generation/Signature Verification
DSA KeyGen (FIPS186- 4) (A3548)DSA KeyGen (FIPS186- 4) (A3548)PCTPCTKey GenerationPerformed post key generationFIPS_OKOn generating keys for Key Agreement (KAS FFC)/Signature Generation/Signature Verification
ECDSA SigGen (FIPS186- 4) (A3548)ECDSA SigGen (FIPS186- 4) (A3548)KATCASTSignCurve: K- 233; Hash: SHA2-512FIPS_OKOn reloading the module
ECDSA SigVer (FIPS186- 4) (A3548)ECDSA SigVer (FIPS186- 4) (A3548)KATCASTVerifyCurve: K- 233; Hash: SHA2-512FIPS_OKOn reloading the module
HMAC-SHA2- 256 (A3548)HMAC-SHA2- 256 (A3548)KATSW/FW IntegrityOn DemandManually by reloading the module or calling the fips_self_test function
AES-ECB (A3548)AES-ECB (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
AES-GCM (A3548)AES-GCM (A3548)KATCASTOn DemandManually by reloading the
AES-GCM (A3548)AES-GCM (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
Counter DRBG (A3548)Counter DRBG (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
DSA SigGen (FIPS186-4) (A3548)DSA SigGen (FIPS186-4) (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
DSA SigVer (FIPS186-4) (A3548)DSA SigVer (FIPS186-4) (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
ECDSA SigGen (FIPS186-4) (A3548)ECDSA SigGen (FIPS186-4) (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
ECDSA SigVer (FIPS186-4) (A3548)ECDSA SigVer (FIPS186-4) (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
Hash DRBG (A3548)Hash DRBG (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
HMAC DRBG (A3548)HMAC DRBG (A3548)KATCASTOn DemandManually by reloading the
HMAC-SHA2- 256 (A3548)HMAC-SHA2- 256 (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
KAS-ECC-SSC Sp800-56Ar3 (A3548)KAS-ECC-SSC Sp800-56Ar3 (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
KAS-FFC-SSC Sp800-56Ar3 (A3548)KAS-FFC-SSC Sp800-56Ar3 (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
KAS-IFC-SSC (A3548)KAS-IFC-SSC (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
KDF SP800-108 (A3548)KDF SP800-108 (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
KDA OneStep SP800-56Cr2 (A3548)KDA OneStep SP800-56Cr2 (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
KDA TwoStep SP800-56Cr2 (A3548)KDA TwoStep SP800-56Cr2 (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
KTS-IFC (A3548)KTS-IFC (A3548)KATCASTOn DemandManually by reloading the
KTS-IFC (A3548)KTS-IFC (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
PBKDF (A3548)PBKDF (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
RSA SigGen (FIPS186-4) (A3548)RSA SigGen (FIPS186-4) (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
RSA SigVer (FIPS186-4) (A3548)RSA SigVer (FIPS186-4) (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
SHA-1 (A3548)SHA-1 (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
SHA2-512 (A3548)SHA2-512 (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
SHA3-256 (A3548)SHA3-256 (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
KDF ANS 9.42 (A3548)KDF ANS 9.42 (A3548)KATCASTOn DemandManually by reloading the
KDF ANS 9.63 (A3548)KDF ANS 9.63 (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
KDF SSH (A3548)KDF SSH (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
TLS v1.2 KDF RFC7627 (A3548)TLS v1.2 KDF RFC7627 (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
TLS v1.3 KDF (A3548)TLS v1.3 KDF (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
RSA KeyGen (FIPS186-4) (A3548)RSA KeyGen (FIPS186-4) (A3548)PCTPCTOn DemandOn generation of keys
ECDSA KeyGen (FIPS186-4) (A3548)ECDSA KeyGen (FIPS186-4) (A3548)PCTPCTOn DemandOn generation of keys
DSA KeyGen (FIPS186-4) (A3548)DSA KeyGen (FIPS186-4) (A3548)PCTPCTOn DemandOn generation of keys
ECDSA SigGen (FIPS186-4) (A3548)ECDSA SigGen (FIPS186-4) (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
ECDSA SigVer (FIPS186-4) (A3548)ECDSA SigVer (FIPS186-4) (A3548)KATCASTOn DemandManually by reloading the module or calling the

Veeam Cryptographic Module based on the OpenSSL FIPS Provider (FIPS1864) (A3548) (FIPS1864) (A3548) (FIPS1864) (A3548) (FIPS1864) (A3548) Table 20: Conditional Self-Tests Each time the Module is powered up it tests that the cryptographic algorithms still operate correctly and that sensitive data has not been damaged. On instantiation, the Module performs the pre-operational self-tests and all CASTs listed above. All KATs must complete successfully prior to any other use of cryptography by the Module. Table 21: Pre-Operational Periodic Information Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 81

Veeam Cryptographic Module based on the OpenSSL FIPS Provider Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 82

Veeam Cryptographic Module based on the OpenSSL FIPS Provider Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 83

Veeam Cryptographic Module based on the OpenSSL FIPS Provider Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 84

Veeam Cryptographic Module based on the OpenSSL FIPS Provider Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 85
Self test
NameAlgorithm Or TestPeriodic Method
TestTestMethod
Service
NameDescriptionRole AccessIndicator
ERR OR STA TE*The error state is persistent and no services are available *All attempts to use the Module's services result in the return of a non-zero error code, PROV_R_FIPS_MODULE_IN_ ERROR_STATEIf one of the KATs or if the Softwar e Integrit y Test fails, the Module enters the self-test failure error statePROV_R_FIPS_MODULE_IN_ ERROR_STATETo recove r from an error state, reload the Modul e into memo ry

Veeam Cryptographic Module based on the OpenSSL FIPS Provider Table 22: Conditional Periodic Information

10.4 Error States
10.5 Operator Initiation of Self-Tests

also be called on demand, fulfilling AS05.11. Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 86

Veeam Cryptographic Module based on the OpenSSL FIPS Provider

11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

The Module is provided to vendors who integrate it into their product, typically in a manufacturing environment, and is not provided directly to US or Canadian Federal agencies. Adherence to the instructions in this document maintains security throughout the distribution, build, installation and configuration processes. An authorized Cryptographic Officer is required to perform these steps on each platform where it is intended to be used. The config file output contains information about the Module (such as the self-test status and the Module checksum) and must not be manually modified without using the openssl fipsinstall command. Crypto Officer Guidance a. Installation and Usage Guidance The Module is installed as part of the OpenSSL 3.1.2 library. The source distribution package is located at https://www.openssl.org/source/openssl-3.1.2.tar.gz. The Veeam Cryptographic Module based on the OpenSSL FIPS Provider can be installed on the Tested Configurations listed in Table 3 by performing the following steps:

  1. Build and install OpenSSL 3.1.2 to the default location: The Veeam Cryptographic Module based on the OpenSSL FIPS Provider (i.e., the Module) does not get built and installed automatically. To install the Module automatically during the normal OpenSSL 3.1.2 installation process it must be enabled by configuring OpenSSL using the ‘enable-fips’ option. Unix/Linux/macOS: $ ./Configure enable-fips $ make $ make install Windows: $ perl Configure enable-fips $ nmake $ nmake install The ‘install_fips’ make target can also be invoked explicitly to install the FIPS Provider independently, without installing the rest of OpenSSL: $ make install_fips Note: The instructions for building and installing OpenSSL 3.1.2 on other platforms can be found in the platformspecific guidance provided in INSTALL.md and README-FIPS.md in the OpenSSL 3.1.2 distribution package. Please see Appendix A for further information on porting the Module to platforms apart from the Tested Configurations in Table 3.
  2. Verify the version: Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Page 87

Veeam Cryptographic Module based on the OpenSSL FIPS Provider $ openssl version -v The Installation of the Veeam Cryptographic Module based on the OpenSSL FIPS Provider that occurs as a result of Step 1 above ensures that the shared library and the configuration file containing information about the Module (e.g., the Module checksum) is copied to its installed location. To install the configuration file to a non-default location, this can be achieved by running the ‘fipsinstall’ command line application manually: $ openssl fipsinstall -pedantic Please see fipsinstall.html /docs/man3.1/man1/openssl-fipsinstall.html for options supported for the ‘openssl fipsinstall’ command. Note: The software integrity check (per Section 5 of this document) is performed using HMAC-SHA2-256 on the Module file to validate that the Module has not been modified. The integrity value is compared to a value written to the config file during installation. b. CVEs The publication of a CVE does not require immediate re-validation or maintenance in the CMVP process. The module may be updated in the field as needed depending on the severity or consequences of the CVE. The Module will be kept up to date with re-validation and maintenance as required, generally bundling fixes for known CVEs in a next release. The OpenSSL organization maintains a Vulnerabilities page which describes known vulnerabilities and potential resolution. These are reported to the NVD, where they are independently assessed. The OpenSSL group publishes fixes for these vulnerabilities according to their triage process. c. Miscellaneous The module performs run-time checks related to enforcement of security parameters such as the minimumsecurity strength of keys, valid key sizes, and usage of approved curves. These checks shall not be disabled (by using OPENSSL_NO_FIPS_SECURITYCHECKS or any other method). Validation of domain parameters prior to generating keys using functions provided by the module is the responsibility of the Cryptographic Officer and not enforced by the module itself.

11.2 Administrator Guidance

No additional guidance applies for the operation of the module apart from that specified in Sections 2, 3 of this document and other subsections under this section.

11.3 Non-Administrator Guidance

No additional guidance applies for the operation of the module apart from that specified in Sections 2, 3 of this document and other subsections under this section. Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 88

Veeam Cryptographic Module based on the OpenSSL FIPS Provider

11.4 Design and Rules

No additional rules apply for the operation of the module apart from those specified in the remainder of this section and Section 2.4 of this document.

11.5 Maintenance Requirements

No maintenance requirements apply for operation of the module in the Approved/non-Approved modes as defined above.

11.6 End of Life

Module Sanitization and Destruction Sanitization is defined in [ISO19790] as “... the process of removing sensitive information (e.g. SSPs, user data, etc.) from the module, so that it may either be distributed to other operators or disposed.” The Module itself does not manage persistent SSPs, authentication data or any user data. The Module may be securely sanitized by deletion of the folder in which the Module was located. There are no additional procedures required for secure destruction of the Module. Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 89

Veeam Cryptographic Module based on the OpenSSL FIPS Provider

12 Mitigation of Other Attacks
12.1 Attack List

The Module implements mitigations for some types of attacks using the constant-time implementations and blinding. Constant-time implementations protect cryptographic implementations in the Module against timing analysis since such attacks exploit differences in execution time depending on the cryptographic operation, and constant-time implementations ensure that the variations in execution time cannot be traced back to the key, CSP or secret data. Numeric blinding protects the RSA, DSA and ECDSA algorithms from timing attacks. These algorithms are vulnerable to such attacks since attackers can measure the time of signature operations or RSA decryption. To mitigate this, the Module generates a random blinding factor which is provided as an input to the decryption/signature operation and is discarded once the operation has completed and resulted in an output. This makes it difficult for attackers to attempt timing attacks on such operations without the knowledge of the blinding factor, and therefore the execution time cannot be correlated to the RSA/DSA/ECDSA key. Veeam Software Corporation. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Referenced URLs