Verify the integrity of Azure Confidential Ledger transactions with receipts and application claims

In today's digital landscape, the integrity and confidentiality of transactional data are paramount. Microsoft’s Azure Confidential Ledger offers a robust solution for maintaining the privacy and confidentiality of your data. The service utilizes cryptographic techniques to generate transaction receipts, which serve as immutable evidence of the ledger's state at a specific point in time. These receipts are crucial for businesses that require a high level of trust and transparency in their operations. 

 

Write receipts

The value proposition of Azure Confidential Ledger write receipts lies in their ability to provide a verifiable trail of all write transactions. Azure Confidential Ledger leverages the Confidential Consortium Framework (CCF), which ensures the integrity of transactions by using a Merkle tree data structure to store the hash of all transaction blocks that are added to the immutable ledger. 

How write transactions are recorded in the ledger using an internal Merkle Tree data structure in CCF. 

 

When a write transaction is completed, Azure Confidential Ledger users can obtain a cryptographic Merkle proof, or receipt, over the entry created in a Confidential Ledger to check that the write operation was recorded correctly. A write transaction receipt is evidence that the system has committed the corresponding transaction and can be used to confirm that the entry has been successfully appended to the ledger. This ensures that once a transaction has been committed to the ledger, it cannot be altered or deleted without detection. 

For more details on Azure Confidential Ledger write receipts, their structure, and how to get a receipt from an active ledger, please refer to this dedicated article. 

 

Application claims

Application claims take receipts a step further by allowing users to attach arbitrary metadata to a transaction, which are eventually reflected in write receipt response payloads. This metadata includes details specific to the transaction's context, such as the collection ID and the input content of a write operation. The application claims of a write transaction ensure that the claims digest is signed securely and stored together with the transaction itself, meaning that it cannot be tampered with once the transaction is committed.

 
Example of an application claim attached to a write receipt response payload. 

 

Later, the application claims in plain format are shown in the receipt payload for the same transaction where they were added. Using the claims in plain format, users can recalculate the same claims digest (available in the write receipt) that the ledger signed in place during the transaction to verify the claim authenticity. The claims digest can help verify the write transaction receipt, giving an offline way for users to check the authenticity of the recorded claims.

 

By leveraging application claims, organizations can tailor the ledger to their specific needs, enhancing the utility and relevance of the data stored within receipts. Application claims are currently supported in the Azure Confidential Ledger preview API version 2023-01-18-preview and their current format is documented in this article. 

 

Receipts and claims verification 

The process of verifying write transaction receipts and application claims is straightforward and secure. Utilizing cryptographic proofs, users can independently confirm the authenticity and integrity of each transaction offline, without having to connect to the ledger or trust any central authority.

The Azure Confidential Ledger client library for Python offers useful functions to validate receipts of write transactions and calculate the claims digest from a list of application claims in an easy and seamless manner. With this verification utility, any write receipt from a Confidential Ledger service can be verified with ease and any application claims associated with the transaction can be fully authenticated. 

 

from azure.identity import DefaultAzureCredential from azure.confidentialledger import ConfidentialLedgerClient from azure.confidentialledger.certificate import ( ConfidentialLedgerCertificateClient, ) from azure.confidentialledger.receipt import ( verify_receipt, ) LEDGER_ID = "acl-test-ledger" # Replace with the ID of the ledger to get the receipt from. TRANSACTION_ID = "2.50" # Replace with the ID of the transaction to get the receipt for. API_VERSION = "2023-01-18-preview" # Use this API version for application claims support. # Build a ConfidentialLedgerClient object through AAD. ledger_client = ConfidentialLedgerClient( f"https://{LEDGER_ID}.confidential-ledger.azure.com", credential=DefaultAzureCredential(), ledger_certificate_path="service_cert.pem", api_version=API_VERSION, ) ### We assume that the target transaction has been committed to the ledger in a previous step. ### Please refer to the Azure Confidential Ledger Python SDK samples and documentation ### for details on how to create an entry and wait for it to be committed. # Get a receipt from the ledger for the input transaction. poller = ledger_client.begin_get_receipt(TRANSACTION_ID) get_receipt_response = poller.result() print(get_receipt_response) try: # Verify the contents of the receipt, with optional application claims (if any) verify_receipt( get_receipt_response["receipt"], ConfidentialLedgerCertificateClient().get_ledger_identity(LEDGER_ID).get("ledgerTlsCertificate"), application_claims=get_receipt_response.get("applicationClaims", None), ) print(f"Receipt for transaction id {TRANSACTION_ID} successfully verified") except ValueError: print(f"Receipt verification for transaction id {TRANSACTION_ID} failed") raise

 

How to verify receipts (with optional application claims) using the Azure Confidential Ledger Python SDK. 

 

The decentralized and offline approach to verification bolsters the security and reliability of the system, making Azure Confidential Ledger an ideal platform for applications that demand the highest levels of data integrity. To learn more about the Data Plane Python SDK and its receipt verification utilities, check out this section and the full sample code.  

 

Conclusion

In conclusion, Azure Confidential Ledger's receipts and application claims offer a compelling value proposition for organizations looking to secure their transactional data. With its strong focus on integrity, confidentiality, and verifiability, Azure Confidential Ledger stands out as a leading solution in the realm of confidential computing. Whether you are managing financial transactions, supply chain management, or any other data-sensitive operation, Azure Confidential Ledger provides the assurance that your data remains untampered and trustworthy through transaction receipts and application claims. 

 

Resources 

For getting started with Azure confidential ledger write receipts and application claims, please refer to our documentation: 

• Azure Confidential Ledger write transaction receipts | Microsoft Learn 

• Verify Azure Confidential Ledger write transaction receipts | Microsoft Learn