Veeam Software Corporation FIPS 140-2 Security Policy Veeam Cryptographic Module Version: 3.0.9 Date: July11, 2024 Version 1.1 Public Material – May be reproduced only in its original entirety (without revision). Veeam Software Corporation Page 2 of 41 Copyright © 2024 Veeam Software Corporation Copyright Notice This document may be freely reproduced and distributed whole and intact including this copyright notice. Version 1.1 Public Material – May be reproduced only in its original entirety (without revision). Veeam Software Corporation Page 3 of 41 Modification History Version Description Release Date 1.0 Initial Draft March 20, 2024 1.1 Added updates made to OpenSSL on July 10, 2024 July 11, 2024 Version 1.1 Public Material – May be reproduced only in its original entirety (without revision). Veeam Software Corporation Page 4 of 41 Table of Contents Contents This document may be freely reproduced and distributed whole and intact including this copyright notice............................ 2 FIPS 140-2 Overview ............................................................................................................................................................ 6 1. Introduction................................................................................................................................................................. 7 1.1 Scope................................................................................................................................................................... 7 1.2 Module Overview................................................................................................................................................. 7 1.3 Module Boundary ................................................................................................................................................ 8 2. Security Level ............................................................................................................................................................... 9 3. TestedConfigurations................................................................................................................................................ 10 4. Portsand Interfaces................................................................................................................................................... 11 5. Roles,Services and Authentication............................................................................................................................. 12 5.1 Roles.................................................................................................................................................................. 12 5.2 Services.............................................................................................................................................................. 12 6. Physical Security......................................................................................................................................................... 15 7. Operational Environment........................................................................................................................................... 16 8. Cryptographic Algorithms and Key Management........................................................................................................ 17 8.1 Cryptographic Algorithms .................................................................................................................................. 17 8.2 Critical Security Parameters (CSP’s) and Public Keys........................................................................................... 26 8.3 Key Generation and Entropy .............................................................................................................................. 27 9. ElectromagneticInterference/ElectromagneticCompatibility (EMI/EMC)................................................................. 29 10. Self-tests .................................................................................................................................................................... 30 10.1 Power-On Self-Tests........................................................................................................................................... 30 10.2 Conditional Self-Tests......................................................................................................................................... 31 10.3 Assurances......................................................................................................................................................... 31 10.4 Critical Function Tests ........................................................................................................................................ 31 11. Mitigation of Other Attacks ........................................................................................................................................ 32 12. CryptoOfficerand UserGuidance .............................................................................................................................. 33 12.1 AES-GCM Usage ................................................................................................................................................. 33 12.2 Triple-DES Usage................................................................................................................................................ 33 12.3 Miscellaneous.................................................................................................................................................... 33 Appendix A: Installation and Usage Guidance..................................................................................................................... 34 Appendix B: Compilers....................................................................................................................................................... 36 Appendix C: Glossary.......................................................................................................................................................... 37 Appendix D: Table of References........................................................................................................................................ 39 Appendix E: Trademarks .................................................................................................................................................... 41 Version 1.1 Public Material – May be reproduced only in its original entirety (without revision). Veeam Software Corporation Page 5 of 41 List of Tables Table 1 – Security Levels for each FIPS 140-2 Area ...................................................................................................................9 Table 2 – Tested Configurations.............................................................................................................................................10 Table 3 – Physical Port and Logical Interface Mapping ..........................................................................................................11 Table 4 – Approved Services and Role Allocation ...................................................................................................................14 Table 5 – Non-Approved Services and Role Allocation............................................................................................................14 Table 6 – FIPS Approved Algorithms.......................................................................................................................................24 Table 7 – Allowed Algorithms ................................................................................................................................................25 Table 8 – Non-Approved Algorithms......................................................................................................................................25 Table 9 – Critical Security Parameters....................................................................................................................................26 Table 10 – Public Keys............................................................................................................................................................27 Table 11 – Power On Self-Tests ..............................................................................................................................................31 Table 12 – Conditional Tests...................................................................................................................................................31 Table 13 – Assurances............................................................................................................................................................31 Table 14 – Compilers Used for Each Operational Environment...............................................................................................36 Table 15 – Glossary of Terms .................................................................................................................................................38 Table 16 – Standards and Publications Referenced within this Security Policy........................................................................40 Table 17 – Trademarks Referenced within this Security Policy ...............................................................................................41 List of Figures Figure 1 – Module Block Diagram............................................................................................................................................8 Version 1.1 Public Material – May be reproduced only in its original entirety (without revision). Veeam Software Corporation Page 6 of 41 FIPS 140-2 Overview Federal Information Processing Standards Publication 140-2 — Security Requirements for Cryptographic Modules specifies requirements for cryptographic modules to be deployed in a Sensitive but Unclassified environment. The National Institute of Standards and Technology (NIST) and Canadian Centre for Cyber Security (CCCS) Cryptographic Module Validation Program (CMVP) run the FIPS 140 program. NVLAP accredits independent testing labs to perform FIPS 140-2 testing; the CMVP validates modules meeting FIPS 140-2 validation. Validated is the term given to a module that is documented and tested against the FIPS 140-2 criteria. More information is available onthe CMVP website at: http://csrc.nist.gov/groups/STM/cmvp/index.html About this Document This non-proprietary Cryptographic Module Security Policy for the Veeam Cryptographic Module from Veeam Software Corporation provides an overview and a high-level description of how it meets the overall Level 1 security requirements of FIPS 140-2. Version 1.1 Public Material – May be reproduced only in its original entirety (without revision). Veeam Software Corporation Page 7 of 41 1. Introduction 1.1 Scope This document describes the non-proprietary cryptographic module security policy for the Veeam Cryptographic Module, hereafter referred to as “the Module.” It contains specification of the security rules, under which the cryptographic module operates, including the security rules derived from the requirements of the FIPS 140-2 standard. 1.2 Module Overview The Module is a software library providing a C-language application program interface (API) for use by applications that require cryptographic functionality. The Module is classified under FIPS 140-2 as a software module, with a multi-chip standalone module embodiment. The physical cryptographic boundary is the general-purpose computer on which the module is installed. The logical cryptographic boundary of the Module is the Veeam Cryptographic Module, a dynamically loadable library. The Module performs no communication other than with the calling application via APIs that invoke the Module. The module implements both an Approved and non-Approved mode of operation. Use of the Approved algorithms listed in table 6 and allowed algorithms listed in table 7 will place the module in the Approved mode of operation. Use of the non-Approved algorithms listed in table 8 will place the module in the non-Approved mode of operation. Version 1.1 Public Material – May be reproduced only in its original entirety (without revision). Veeam Software Corporation Page 8 of 41 1.3 Module Boundary The following block diagram details the Module’s physical and logical boundaries. Figure 1 – Module Block Diagram Version 1.1 Public Material – May be reproduced only in its original entirety (without revision). Veeam Software Corporation Page 9 of 41 2. Security Level The following table lists the level of validation for each area in FIPS 140-2: FIPS 140-2 Security Requirement Areas Security Level Cryptographic Module Specification 1 Cryptographic Module Ports and Interfaces 1 Roles, Services, and Authentication 1 Finite State Model 1 Physical Security N/A Operational Environment 1 Cryptographic Key Management 1 EMI/EMC 1 Self-Tests 1 Design Assurance 3 Mitigation of Other Attacks 1 Overall Level 1 Table 1 – Security Levels for each FIPS 140-2 Area The Module meets the overall security level requirements of Level 1. The Module’s software version for this validation is 3.0.9. Please note that this corresponds to version 3.0.9 of the OpenSSL FIPS Provider of which this Module is a rebrand. Version 1.1 Public Material – May be reproduced only in its original entirety (without revision). Veeam Software Corporation Page 10 of 41 3. Tested Configurations The Module has been tested on the platforms listed below in Table 2. # Operating System/Hypervisor Hardware Platform Processor Optimizations (Target) Module Version 1 Ubuntu Linux 22.04.1 LTS Dell Inspiron 7591 Intel i7 (x64) None 3.0.9 2 Ubuntu Linux 22.04.1 LTS Dell Inspiron 7591 Intel i7 (x64) PAA (AES-NI) 3.0.9 3 Debian 11.5 Dell Inspiron 7591 Intel i7 (x64) None 3.0.9 4 Debian 11.5 Dell Inspiron 7591 Intel i7 (x64) PAA (AES-NI) 3.0.9 5 FreeBSD 13.1 Dell Inspiron 7591 Intel i7 (x64) None 3.0.9 6 FreeBSD 13.1 Dell Inspiron 7591 Intel i7(x64) PAA (AES-NI) 3.0.9 7 Windows 10 Dell Inspiron 7591 Intel i7(x64) None 3.0.9 8 Windows 10 Dell Inspiron 7591 Intel i7(x64) PAA (AES-NI) 3.0.9 9 macOS 11.5.2 AppleM1 Mac Mini M1 None 3.0.9 10 macOS 11.5.2 AppleM1 Mac Mini M1 PAA (AES-NI) 3.0.9 11 macOS 11.5.2 Applei7Mac Mini Intel i7 (x64) None 3.0.9 12 macOS 11.5.2 Applei7Mac Mini Intel i7 (x64) PAA (AES-NI) 3.0.9 Table 2 – Tested Configurations See Appendix Afor additional information oninstallation. See Appendix B for a listof the specific compilers used to generate the Module for the respective operational environments. Version 1.1 Public Material – May be reproduced only in its original entirety (without revision). Veeam Software Corporation Page 11 of 41 4. Ports and Interfaces The physical ports of the Module are the same as the computer system on which it is executing. The logical interface is a C-language application program interface (API), the mapping of which is described in the following table: Logical Interface Type Description Data Input API entry point data input stack parameters Data Output API entry point data output stack parameters Control Input API entry point and corresponding stack parameters Status Output API entry point return values and status stack parameters Table 3 – Physical Port and Logical Interface Mapping As a software module, control of the physical ports is outside module scope. However, when the module is performing self-tests, or is in an error state, all output on the logical data output interface is inhibited. In error scenarios, the module returns only an error value (no data output is returned). Version 1.1 Public Material – May be reproduced only in its original entirety (without revision). Veeam Software Corporation Page 12 of 41 5. Roles, Services and Authentication 5.1 Roles The Module implements both a User Role (User) as well as the Crypto Officer (CO) role. The Module does not support authentication and does not allow concurrent operators. The User and Crypto Officer roles are implicitly assumed by the application accessing services implemented by the Module. 5.2 Services All the services provided by the module can be accessed by both the User and the Crypto Officer roles. The User Role (User) can load the Module and call any of the API functions. The Crypto Officer Role (CO) is responsible for installation of the Module on the host computer system and calling of any API functions. The module provides the following Approved services which utilize algorithms listed in Table 6 and 7: Service Roles (User/CO) Description Initialize X Module initialization. Does not access CSPs. Self-Test X Perform POST self-tests (SELF_TEST_post( )) on demand. Does not access CSPs. Show Status X The Module’s status can be verified by querying the “status” parameter. Does not access CSPs. CSP/Key Zeroization X All services automatically overwrite CSPs stored in allocated memory. Stack cleanup is the responsibility of the calling application. RandomNumber Generation X Used for random number and symmetric key generation. • Seed or reseed a DRBG instance. • Determine security strength of a DRBG instance. • Obtain random data. Uses and updates Hash_DRBG CSPs, HMAC_DRBG CSPs, CTR_DRBG CSPs AsymmetricKey Generation X Used to generate DSA, ECDSA, RSA , DH, ECDH, X25519 and X448 keys: Version 1.1 Public Material – May be reproduced only in its original entirety (without revision). Veeam Software Corporation Page 13 of 41 Service Roles (User/CO) Description • RSA SGK, RSA SVK; DSA SGK, DSA SVK; ECDSA SGK, ECDSA SVK; DH Private, DH Public, ECDH Private, ECDH Public; X25519 Private, X25519 Public, X448 Private and X448 Public keys There is one supported entropy strength for each mechanism and algorithm type, the maximum specified in SP 800-90Ar1 Key Derivation X Used to derive keys using KBKDF, PBKDF2, HKDF, SP 800-56Cr2 One- Step KDF (KDA), SP 800-135 TLS 1.2, SSHv2, ANSI X9.6-2001, ANSI X9.42-2001 KDFs and TLS 1.3 KDF. Symmetric Encrypt/Decrypt X Used to encrypt or decrypt data. Executes using AES EDK, TDES EDK (passed in by the calling application). Symmetric Digest X Used to generate or verify data integrity with CMAC. Executes using AES CMAC Key (passed in by the calling application). Message Digest X Used to generate a SHA-1, SHA-2, or SHA-3 message digest. Does not access CSPs Keyed Hash X Used to generate or verify data integrity with HMAC or KMAC. Executes using HMAC or KMAC Key (passed in by the calling application) Key Transport X Used to encrypt or decrypt a key value on behalf of the calling application (does not establish keys into the module). Executes using RSA KDK, RSA KEK (passed in by the calling application). Key Wrapping X Used to encrypt a key value on behalf of the calling application Executes using AES Key Wrapping Key (passed in by the calling application). Key Agreement X Used to perform key agreement primitives on behalf of the calling application (does not establish keys into the module). Executes using DH Private, DH Public, EC DH Private, EC DH Public, X25519 Private, X25519 Public, X448 Private and X448 Public, RSA SGK, RSA SVK (passed in by the calling application). Version 1.1 Public Material – May be reproduced only in its original entirety (without revision). Veeam Software Corporation Page 14 of 41 Service Roles (User/CO) Description Digital Signature X Used to generate or verify RSA, DSA, or ECDSA digital signatures. Executes using RSA SGK, RSA SVK; DSA SGK, DSA SVK; ECDSA SGK, ECDSA SVK (passed in by the calling application). Utility X Miscellaneous helper functions. Does not access CSPs. Table 4 – Approved Services and Role Allocation The module provides the following non-Approved services which utilize algorithms listed in Table 5: Service Roles (User/CO) Description Digital Signature X Used to generate or verify Ed25519 or Ed448 digital signatures. Used to verify RSA digital signatures with 1024 < nlen < 2048 bits where nlen is the supported modulus. Table 5 – Non-Approved Services and Role Allocation Version 1.1 Public Material – May be reproduced only in its original entirety (without revision). Veeam Software Corporation Page 15 of 41 6. Physical Security The physical boundary of the Module is the general-purpose computer on which the module is installed. The Module meets all physical security requirements of a Security Level 1 software module under FIPS 140-2 requirements. Version 1.1 Public Material – May be reproduced only in its original entirety (without revision). Veeam Software Corporation Page 16 of 41 7. Operational Environment The tested operating systems, listed in Table 2, segregate applications into separate spaces. Each application space is logically separated from all other applications by the operating system software and hardware. The Module functions entirely within the operating system provided space for the calling application, and implicitly satisfies the FIPS 140-2 requirement for a single-user mode of operation. Version 1.1 Public Material – May be reproduced only in its original entirety (without revision). Veeam Software Corporation Page 17 of 41 8. Cryptographic Algorithms and Key Management 8.1 Cryptographic Algorithms The module implements the following Approved algorithms: CAVP Cert # Algorithm Standard Sizes/Curves Mode/Method Use A4086 AES [FIPS 197] SP 800-38A 128, 192, 256 bits ECB, CBC, CBC-CS1, CS2, CS3, OFB, CFB 1, CFB 8, CFB 128, CTR Encryption, Decryption and CMAC Generate/Verify SP 800-38B CMAC SP 800-38C CCM SP 800-38D GCM, GMAC SP 800-38F KW, KWP (cipher, inverse) SP 800-38E 128, 256 bits XTS A4086 Triple-DES SP800-67r2 3-Key TDES ECB, CBC Encryption, Decryption A4086 DSA FIPS 186-4 L = 2048, N = 224 L = 2048, N = 256 L = 3072, N = 256 Key Pair Gen Digital Signature and Asymmetric Key Generation L = 2048, N = 224 L = 2048, N = 256 L = 3072, N = 256 with all applicable SHA-2 sizes per N PQG Gen Sig Gen L = 1024, N = 160 L = 2048, N = 224 L = 2048, N = 256 L = 3072, N = 256 with all applicable SHA sizes per N PQG Ver Sig Ver Version 1.1 Public Material – May be reproduced only in its original entirety (without revision). Veeam Software Corporation Page 18 of 41 CAVP Cert # Algorithm Standard Sizes/Curves Mode/Method Use A4086 ECDSA FIPS 186-4 P-224, 256, 384, 521 K-233, 283, 409, 571 B-233, 283, 409, 571 Testing Candidates Key Gen Digital Signature and Asymmetric Key Generation P-192, P-224, 256, 384, 521 K-163, 233, 283, 409, 571 B-163, 233, 283, 409, 571 PKV P-224, 256, 384, 521 SHA2-224, 256, 384, 512, 512/224, 512/256 SigGen K-233, 283, 409, 571 B-233, 283, 409, 571 P-192, 224, 256, 384, 521 SHA-1, SHA2-224, 256, 384, 512, 512/224, 512/256 5 1 2 / 2 5 6 SigVer K-163, 233, 283, 409, 571 B-163, 233, 283, 409, 571 A4086 CVL FIPS 186-4 ECDSA SigGen Component SHA2-224, 256, 384, 512, 512/224, 512/256 with P-224, 256, 384, 521, K-233, 283, 409, 571, B-233, 283, 409, 571 Digital Signature Generation A4086 RSA FIPS 186-4 2048, 3072, 4096 The module also generates the following untested approved moduli: 4096