How do sensitive industries like commercial airlines, healthcare, or transport talk to each other and share data? How do they transfer structured B2B data securely and reliably over risky networks like the Internet? The answer is the AS2 protocol.
In this guide to AS2 protocol, we’ll learn everything about this popular transfer mechanism, from its background, its benefits, its functionality, how it works, and a comparison with SFTP.
What is AS2
The Applicability Statement 2 (AS2) is a type of file transfer mechanism based on HTTPS (Hypertext Transport Protocol Secure) and S/MIME. AS2 can be used for transferring any file, but it is commonly used for EDI (Electronic Data Interchange) documents within B2B environments.
As a protocol, AS2 defines a safe procedure to establish a point-to-point connection between an AS2 client and an AS2 server in any type of network, including public networks like the Internet. AS2 uses digital certificates and encryption to provide security for transferring sensitive information like EDI documents across risky networks.
AS2 was created by the Internet Engineering Task Force (IETF) in 2002 and is specified in the RFC 4130. AS2 is a second-generation protocol aimed to replace the Applicability Statement 1 (AS1), built in the 1990s and was based on email protocols. AS2 was designed based on AS1, with the same encryption and some Message Disposition Notification (MDN) conventions.
Walmart, the US-based retail giant, was one of the first to adopt AS2 for their EDI communications. It required all of its suppliers and vendors to also use the same protocol for exchanging information related to consumer goods. After Walmart adopted AS2, other giants such as Target, Amazon, Lowe’s, and many more also followed.
Today more industries are starting to use the AS2 protocol, especially for their EDI transactions. AS2 is widespread within the healthcare industry, as it is compliant with HIPAA.
The Benefits of using AS2
AS2 can be a fantastic solution for safe, fast, and large-size data transfers. Due to its security and non-repudiation mechanisms, the AS2 protocol can even require some B2B EDI document transfers.
Some of its benefits
- Use as an alternative to expensive VANs AS2 is being used as an alternative option for expensive Value Added Networks (VAN). When exchanging EDI documents, third-party VANs require a service subscription that is generally priced based on data volume. The AS2, on the other hand, only requires AS2-based software and the Internet.
- Have a wider reach Since big US-based retail companies like Walmart and Lowe’s started to use AS2 to share EDI documents, the protocol is becoming almost a de facto standard across a wide range of suppliers and partners. Being able to use EDI with the Internet and lower costs allow more organizations to interconnect. AS2 works as long as organizations agree and use AS2 to transfer data using the Internet.
- Interoperable AS2 is payload-agnostic. It can be used to transfer any file or document, including standardized formats such as EDIFACT, X12, and XML. Both the AS2 sender and the AS2 receiver need to operate AS2. But fortunately, the list of transaction partners supporting AS2 is growing exponentially, especially within retail.
- Support for SSL and S/MIME AS2 sends data across the Internet using the HTTPS (HTTP over SSL) protocol. HTTPS adds a layer of SSL encryption to protect the traffic. In this way, the AS2 messages are sent via an SSL encrypted tunnel across the Internet. AS2 also protects EDI data at the payload layer, using the S/MIME (Secure/Multipurpose Internet Mail Extensions) based on asymmetric cryptography. The standardized S/MIME message wraps the EDI data inside a secure envelope to ensure safe file transmission.
- Data Integrity AS2 also ensures the integrity of the data and identity of the sender using digital certificates. The receiving end sends a receipt back to the sender to ensure the message was delivered correctly. These receipts are signed using the digital certificate and sent back along with a checksum value using Message Integrity Check (MIC).
- Non-repudiation AS2 uses a return receipt notification service known as Message Disposition Notification (MDN). The AS2 message sender may request the receiver an MDN receipt informing on the successful delivery of the message. An MDN receipt tells whether the AS2 transfer was completed successfully, and the message arrived without change. AS2 has several options, including:
- MDN can be synchronous if the receipts are sent back immediately.
- MDN can be asynchronous if the receipts are sent back at a later time. MDN async mode can be sent back via email.
- May put for no MDN return. The recipient can choose not to send an MDN.
- Filename preservation feature. MDN may contain the filename of the trading partner.
How Does AS2 work
As said before, AS2 works using the client/server model. Both sides (sender and receiver) need to support AS2. The AS2 specifies the procedure, including compression, signature, and encryption.
The content of the files transferred by AS2 (or payload) is not specified by AS2 but by a standardized format such as EDIFACT, X12, or XML. If AS2 is used for EDI, before sending documents over AS2, they need to be prepared in the EDI format (mapped or translated).
- AS2 creates an encoded envelope of the EDI document using the S/MIME protocol.
- The EDI envelope (S/MIME data) gets compressed and signed by the AS2 sender platform. Singing is the action of encrypting a hash using a private key. This results in a digitally signed data (certificate) that attaches to the original data. This signed data helps the recipient confirm the sender’s authenticity (and vice versa).
- To ensure integrity, the AS2 message sender also calculates a checksum of the message using the Message Integrity Check (MIC), with either MD5, SHA-1, or SHA-2 hashing algorithms. It places the MIC value into the message (again, using the private key).
- A request for receipt (MDN) is attached to the message.
- Encrypted. The message gets SSL-encrypted and transmitted through the Internet.
- The message arrives at the destined AS2 platform. The message gets SSL-decrypted, decompressed, and the sender’s digital signature gets verified by the recipient using the public key. The MIC value is also demonstrated.
- The AS2 non-repudiation phase starts. If requested, an MDN receipt along with a digital signature is sent back to the original sender.
- The sender receives the MDN and verifies the receipt’s digital signature. When received, the sender can verify the MDN signature to ensure that the recipient got the message.
- The AS2 sender processes the MDN. The sender validates the receipt MDN signature. A failed MDN is sent back from the recipient if there was a problem while receiving the AS2 message. In addition, if the sender requested and did not receive an MDN, the sender may treat this as a failure. The sender also compares the returned MIC with the original.
AS2 vs. SFTP
Although AS2 and SFTP can transfer EDI documents, they are two quite distinct file transfer protocols.
Now that you know what AS2 is and how it works, let's define what SFTP is.
SFTP (FTP over SSH) is a secure FTP alternative to the traditional and insecure FTP (File Transfer Protocol). It uses a client/server model to establish a Secure Shell (SSH) connection and share data across the Internet or any other network. This protocol was designed as an extension of SSH ver 2.0 to provide file transfers. SFTP goes beyond the standard, secure file transfer, as it also allows a range of additional operations, including remote file access and management and file transfer pause/resume.
AS2 and the differences to SFTP
- AS2: uses digital certificates, encryption, and hashing algorithms. The messages that are sent over with AS2 are encrypted, compressed, and signed. AS2 can also encrypt the payload itself, using the S/MIME cryptographic technology. And AS2 uses hashing processes to ensure file integrity.
- SFTP: All the file transfers in SFTP are run over an SSH secure channel. In other words, SFTP inherits all security features from SSH, a protocol that supports symmetric encryption mechanisms like AES or the deprecated 3DES.
- AS2: AS2 can authenticate using digital certificates. An AS2 server has a digital certificate with a public key that belongs to the client’s private key. AS2 can also authenticate transactions using a username and password.
- SFTP: Access to files via SFTP can be protected with a username and password or an SSH key. SFTP can be used with dual-factor authentication to enhance security—or a combination of password and SSH key. An SSH server uses public-key cryptography to authenticate clients holding a private key.
Non-repudiation of receipt
- AS2: uses MDN of receipt to ensure that the transferred message has been sent and received by the right parties. Users can request an MDN of receipt, which is signed (with a certificate) and returned when the other party has received the message.
- SFTP: SFTP does not have non-repudiation mechanisms.
Interoperability and ease of use
- AS2: It requires a higher maintenance overhead, special software, and technical expertise. All these requirements end up increasing the cost for implementation.
- SFTP: It is easier to implement, operate, and it is cheaper. SFTP is based on port 22 (but can be assigned others) for establishing a connection, authentication request, tunneling, issuing commands, and exchanging data. SFTP is supported by a wide range of software and platforms, and it is easily implemented on any firewall.
The Best Applicability Statement 2 (AS2) Tools
Serv-U MFT is a multi-protocol remote file sharing solution that improves the control and security of internal and external file transfers. It supports file transfers from protocols like FTP, HTTP, FTPS, SFTP, and HTTPS.
- Peer-to-peer transfers using web browsers or mobile devices
- Request and send files on an ad-hoc basis
- Ensure data-in-transit compliance with PCI DSS, HIPAA, FISMA, SOX, and others
- Transfer large-size files and synchronize them anytime
- Authentication through Active Directory or database
Serv-U MFT is designed for businesses of all sizes that need secure data transfers. An alternative for smaller companies is Serv-U FTP that allows transfers over SFTP.
SolarWinds Serv-U Managed File Transfer (MFT) is available to test out for a fully functional 30-day free trial.
Files.com is a cloud-based file management solution. It allows users to transfer and share files using a cloud server while encrypting files in transit (and at rest). Files.com is popular because it will enable third-party integration of popular file-sharing mechanisms, including SFTP, WebDAV, HTTPS, cloud storage (AWS, Azure, etc.), and allows you to manage them from a single dashboard.
- Share files via share links or file inboxes
- 2FA and encryption at rest
- Supports files up to 5TB in size
Files.com is a subscription-based service, offered on full 30-day free trial.
ArcESB is a popular platform used for EDI communications and Managed File Transfer (MFT). It supports the most critical B2B messaging protocols, such as AS2, OFTP, X12, EDIFACT, XML, and more. In addition to managed file transfers, ArcESB allows the preparation and management of EDI documents, including mapping and translation.
- Drummond Certified solution for AS2 file transfer and messaging
- End-to-end integration with applications, including ERPs, CRMs, and more
- B2B automation
4. GoAnywhere MFT
GoAnywhere MFT from HelpSystems is a secure file transfer solution for multiple protocols, including SFTP, FTPS, HTTPS, and AS2. GoAnywhere supports various encryption protocols and offers a NIST-certified FIPS 140-2 Validation encryption module.
- Drummond Certified for AS2
- Supports SHA2 algorithms
- Integrated clustering support
- A Key and Certificate Management System (KMS)
AS2’s end-to-end encryption, along with its use of digital certificates, are valid reasons why AS2 is becoming popular and sometimes even required. Additionally, AS2 also provides the non-repudiation functionalities to validate the file integrity with transfer receipts— something not familiar with standard file transfer protocols.
If your organization is in the retail or e-commerce industry, then AS2 is probably a good idea. This protocol will help you meet the compliance and the requirements of many trading partners. Still, the AS2 protocol is not easy to implement and requires special software; this is why most businesses use safe file transfer mechanisms like SFTP. This protocol is easier to implement and provides strong authentication (including keys and passwords).