How do sensitive sectors such as commercial aviation, healthcare or transport communicate and share data? How do you transfer structured B2B data safely and reliably over an untrusted network like the Internet? One widely used answer is the AS2 protocol.
What is AS2?
Applicability Statement 2 (AS2) is a file transfer mechanism built on HTTP(S) (Hypertext Transfer Protocol, normally with TLS) and S/MIME. AS2 can carry any file, but it is mostly used for EDI (Electronic Data Interchange) documents in B2B environments.
As a protocol, AS2 defines a secure procedure for establishing a point-to-point connection between an AS2 client and an AS2 server over any kind of network, including public networks such as the Internet. AS2 uses digital certificates and encryption to protect sensitive information, such as EDI documents, while it crosses untrusted networks.
Background
AS2 was standardized by the Internet Engineering Task Force (IETF) in RFC 4130, published in 2005 after several years of drafts. It is a second-generation protocol intended to replace Applicability Statement 1 (AS1, RFC 3335), created in the late 1990s and based on e-mail protocols (SMTP). AS2 was designed on the basis of AS1, reusing the same S/MIME signing and encryption and the same message disposition notification (MDN) conventions.
Walmart, the American retail giant, was one of the first large adopters of AS2 for its EDI communications. It required all its suppliers and vendors to use the same protocol to exchange information about consumer goods. After Walmart adopted AS2, other giants such as Target, Amazon, Lowe's and many more followed.
Today more industries are adopting AS2, especially for their EDI transactions. AS2 is widespread in the healthcare sector, where its encryption, certificate-based authentication and signed receipts help organizations meet HIPAA requirements for protecting health information in transit (the protocol itself does not make a deployment compliant; configuration and key management still matter).
The advantages of using AS2
AS2 is a good fit for large, fast, secure data transfers. Thanks to its security and non-repudiation mechanisms, some trading partners even require AS2 for the exchange of EDI B2B documents.
Some of its benefits
- Alternative to expensive VANs. AS2 is used as an alternative to value-added networks (VANs). Exchanging EDI documents through a third-party VAN requires a service subscription that is usually priced by data volume. AS2 only requires AS2-capable software and an Internet connection.
- Wider reach. Since large US retailers such as Walmart and Lowe's began using AS2 for EDI documents, the protocol has become close to a de facto standard among a wide range of suppliers and partners. Running EDI over the Internet at lower cost lets more organizations interconnect; AS2 works as long as both organizations agree to use it for their transfers.
- Interoperable. AS2 is payload-agnostic: it can carry any file or document, including standardized formats such as EDIFACT, X12 and XML. Both the sender and the receiver must support AS2, but the list of trading partners that do is growing quickly, especially in retail.
- TLS and S/MIME. AS2 normally sends data over HTTPS (HTTP over TLS; older texts say SSL). TLS encrypts the transport channel between the two endpoints. Independently of that, AS2 protects the EDI data at the payload layer using S/MIME (Secure/Multipurpose Internet Mail Extensions), which is based on public-key cryptography: the S/MIME envelope wraps the EDI data so that it stays encrypted and signed end to end, even when a message is stored or relayed after the TLS connection ends. RFC 4130 also allows AS2 over plain HTTP, relying on S/MIME alone; HTTPS should still be used so that headers and metadata are not exposed on the wire.
- Data integrity. AS2 ensures the integrity of the data and the identity of the sender with digital signatures tied to certificates. The receiver returns a receipt confirming that the message arrived correctly; the receipt is signed with the receiver's certificate and carries the message integrity check (MIC), a hash of the received content, so the sender can compare it with the value it computed before sending.
- Non-repudiation. AS2 uses an acknowledgment service known as Message Disposition Notification (MDN). The sender of an AS2 message may request an MDN from the recipient to report delivery. A signed MDN indicates whether the transfer completed and whether the message arrived unchanged. AS2 offers several options:
- Synchronous MDN: the receipt is returned immediately, in the HTTP response to the message.
- Asynchronous MDN: the receipt is delivered later over a separate connection, to the URL given in the message's Receipt-Delivery-Option header, or by e-mail.
- No MDN: the sender does not request a receipt, so the recipient returns none.
- File name preservation: the original file name can be carried with the message, so the trading partner receives it unchanged.
How AS2 works
As already mentioned, AS2 follows a client/server model, and both parties (sender and receiver) must support AS2. AS2 specifies the processing steps, including compression, signing and encryption.
The content of the transferred files (the payload) is not defined by AS2 but by a standardized format such as EDIFACT, X12 or XML. If AS2 is used for EDI, the documents must first be prepared in EDI format (mapped or translated) before they are sent.
Message flow
- The sender's AS2 platform wraps the EDI document as a MIME entity, the content that S/MIME will protect.
- The MIME entity is optionally compressed and then signed by the sender's AS2 platform. Signing means hashing the content and applying the sender's private key to that hash; the resulting signature is attached to the data, and the recipient uses the sender's certificate to confirm who sent it.
- For integrity, the sender also computes a message integrity check (MIC), a hash over the signed content. RFC 4130 originally listed MD5 and SHA-1; both are considered broken today, and current implementations use SHA-2 (for example SHA-256). The sender keeps its MIC value to compare with the one returned in the receipt.
- A request for a receipt (MDN) is added in the message headers (Disposition-Notification-To, plus Disposition-Notification-Options, which states whether the receipt must be signed and which MIC algorithm to use).
- Encryption. The signed data is encrypted with S/MIME using the recipient's public certificate, so only the recipient's private key can open it. The message is then sent as an HTTP POST, normally over TLS (HTTPS) as an additional transport-level layer.
- The message reaches the destination AS2 platform. It is decrypted with the recipient's private key, the sender's signature is verified with the sender's certificate, the content is decompressed, and the recipient computes its own MIC over the received content.
- The non-repudiation phase begins. If a receipt was requested, the recipient returns an MDN carrying the disposition (processed, or an error) and the MIC it computed, signed with the recipient's certificate.
- The sender receives the MDN, verifies the receipt signature, checks that the MDN refers to the original Message-ID and compares the returned MIC with the one it kept. A MIC mismatch, an error disposition, or a missing MDN for a requested receipt is treated as a failed transfer and the message is resent.
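The exchange described above, together with the MDN options listed under the benefits, as an added example that is not part of the original article or of any AS2 product. It uses only the Python standard library and models the receipt side of the protocol: the sender's receipt-request headers, the receiver's MIC over the bytes that actually arrived, the multipart/report MDN, and the sender's checks. S/MIME signing and encryption of the envelope are assumed to be handled by an S/MIME library and are left out, so the part built here stands in for the signed MIME part; the trading-partner IDs, Message-ID, boundary string and the X12 envelope are constructed sample data.

```python
import base64
import hashlib
import hmac

# RFC 4130 originally named md5/sha1 for the MIC; only SHA-2 is accepted here.
MIC_ALGORITHMS = {"sha-256": "sha256", "sha-384": "sha384", "sha-512": "sha512"}
BOUNDARY = "as2-mdn-boundary"  # constructed boundary for the multipart/report MDN


def build_payload_part(payload: bytes, filename: str) -> bytes:
    """MIME part the S/MIME layer would sign; the MIC covers exactly these bytes (CRLF canonical form)."""
    body = payload.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    headers = (b"Content-Type: application/edi-x12\r\n"
               b"Content-Disposition: attachment; filename=\"" + filename.encode() + b"\"\r\n\r\n")
    return headers + body


def compute_mic(signed_bytes: bytes, micalg: str) -> str:
    """Base64 digest as carried in the MDN's Received-Content-MIC field."""
    return base64.b64encode(hashlib.new(MIC_ALGORITHMS[micalg], signed_bytes).digest()).decode()


def build_request(as2_from, as2_to, message_id, part, micalg="sha-256", async_url=None):
    """HTTP headers of an AS2 POST that requests a signed receipt. The body is the part to be
    signed; a real client wraps it in the S/MIME signed and encrypted envelope before sending."""
    headers = {
        "AS2-Version": "1.2", "AS2-From": as2_from, "AS2-To": as2_to, "Message-ID": message_id,
        "Disposition-Notification-To": as2_from,  # presence of this header asks for an MDN
        "Disposition-Notification-Options":
            f"signed-receipt-protocol=optional, pkcs7-signature; signed-receipt-micalg=optional, {micalg}",
    }
    if async_url:  # asynchronous MDN: receiver delivers the receipt here instead of in the HTTP response
        headers["Receipt-Delivery-Option"] = async_url
    return headers, part


def requested_micalg(headers):
    """Algorithm the sender asked for in 'signed-receipt-micalg=optional, <alg>'."""
    for param in headers.get("Disposition-Notification-Options", "").split(";"):
        name, _, value = param.partition("=")
        if name.strip() == "signed-receipt-micalg":
            return value.rsplit(",", 1)[-1].strip()
    return None


def receive(headers, body, our_as2_id):
    """Receiver: check addressing, hash the bytes that actually arrived, answer with an MDN (or none)."""
    if "Disposition-Notification-To" not in headers:
        return None  # no receipt requested, none sent
    micalg = requested_micalg(headers)
    if headers.get("AS2-To") != our_as2_id or micalg not in MIC_ALGORITHMS:
        disposition = "automatic-action/MDN-sent-automatically; processed/error: unexpected-processing-error"
        mic_line = None
    else:  # a real receiver decrypts, verifies the signature and decompresses first, then hashes the signed part
        disposition = "automatic-action/MDN-sent-automatically; processed"
        mic_line = f"{compute_mic(body, micalg)}, {micalg}"
    fields = [f"Original-Recipient: rfc822; {our_as2_id}", f"Final-Recipient: rfc822; {our_as2_id}",
              f"Original-Message-ID: {headers['Message-ID']}", f"Disposition: {disposition}"]
    if mic_line:
        fields.append(f"Received-Content-MIC: {mic_line}")
    # multipart/report MDN; the receiver signs this with its own certificate (signing not shown)
    return (f"--{BOUNDARY}\r\nContent-Type: text/plain\r\n\r\nReceipt: {disposition}\r\n"
            f"--{BOUNDARY}\r\nContent-Type: message/disposition-notification\r\n\r\n"
            + "\r\n".join(fields) + f"\r\n--{BOUNDARY}--\r\n").encode()


def parse_mdn(mdn: bytes) -> dict:
    """Machine-readable fields of the message/disposition-notification part, keys lower-cased."""
    for part in mdn.split(f"--{BOUNDARY}".encode()):
        head, _, body = part.partition(b"\r\n\r\n")
        if b"message/disposition-notification" in head:
            pairs = (line.split(":", 1) for line in body.decode().split("\r\n") if ":" in line)
            return {k.strip().lower(): v.strip() for k, v in pairs}
    raise ValueError("MDN has no disposition-notification part")


def verify_mdn(mdn, expected_mic, micalg, message_id):
    """Sender: returns (ok, reason). A missing receipt is a failure, never a silent success."""
    if mdn is None:
        return False, "requested MDN never arrived"
    fields = parse_mdn(mdn)
    if fields.get("original-message-id") != message_id:
        return False, "MDN refers to a different message"
    disposition = fields.get("disposition", "")
    if "processed" not in disposition or "error" in disposition or "failure" in disposition:
        return False, f"receiver reported: {disposition}"
    mic_value, _, mic_alg = fields.get("received-content-mic", "").rpartition(",")
    if mic_alg.strip() != micalg or not hmac.compare_digest(mic_value.strip(), expected_mic):
        return False, "MIC mismatch: content altered in transit or wrong algorithm"
    return True, "receipt verified"


def demo():
    """Clean delivery, tampered content, misrouted message and missing MDN; returns each outcome."""
    payload = (b"ISA*00*          *00*          *ZZ*ACMESENDER     *ZZ*BIGRETAIL      "
               b"*240101*1200*U*00401*000000001*0*P*>~\nIEA*1*000000001~\n")  # constructed X12 envelope
    message_id = "<20240101120000.1@acme.example>"  # constructed
    headers, body = build_request("ACME-SENDER", "BIG-RETAIL", message_id, build_payload_part(payload, "po.edi"))
    sent_mic = compute_mic(body, "sha-256")  # the sender keeps this to compare with the receipt

    def check(mdn):
        return verify_mdn(mdn, sent_mic, "sha-256", message_id)

    return {
        "clean": check(receive(headers, body, "BIG-RETAIL")),
        "tampered": check(receive(headers, body.replace(b"000000001", b"000000002"), "BIG-RETAIL")),
        "misrouted": check(receive(headers, body, "OTHER-PARTY")),
        "no_mdn": check(None),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:10s} {'OK  ' if ok else 'FAIL'} {reason}")
```

Running it prints one line per case: the clean delivery verifies, the tampered body produces a MIC mismatch, the misrouted message comes back with an error disposition, and the missing receipt is reported as a failure instead of being assumed delivered. In a real deployment the sender must also verify the PKCS#7 signature on the MDN before trusting any of these fields, otherwise anyone on the path could forge a "processed" receipt.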
AS2 vs. SFTP
Although AS2 and SFTP can transfer EDI documents, they are two quite different file transfer protocols.
Now that you know what AS2 is and how it works, let’s define what SFTP is.
SFTP (SSH File Transfer Protocol) is a secure alternative to traditional, insecure FTP (File Transfer Protocol). Despite the name it is not FTP tunneled over SSH but a separate protocol that runs as a subsystem of a Secure Shell (SSH) connection, using a client/server model to share data over the Internet or any other network. It was designed as an extension of SSH version 2.0 to provide file transfer. SFTP goes beyond plain secure file transfer: it also supports remote file access and management operations and pausing/resuming transfers.
AS2 and differences with SFTP
Encryption
- AS2: uses digital certificates, encryption and hash algorithms. AS2 messages are compressed, signed and encrypted at the message level with S/MIME, independently of the transport, and hashes (the MIC) guarantee the integrity of the files.
- SFTP: all file transfers run through an encrypted SSH channel, so SFTP inherits the security properties of SSH, which negotiates symmetric ciphers such as AES (or the outdated 3DES, which should be disabled on the server). The file itself is not protected once it leaves the channel.
Authentication
- AS2: authentication is based on digital certificates. Each party holds the other's certificate, whose public key corresponds to that partner's private key, so a valid signature proves the sender's identity and only the intended recipient can decrypt the message. AS2 endpoints can additionally require an HTTP username and password on the connection.
- SFTP: access can be protected with a username and password or an SSH key, and the server can require both (key plus password) as a form of two-factor authentication. The SSH server authenticates clients with public-key cryptography: the client proves possession of the private key matching a public key the server already knows.
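An OpenSSH sshd_config fragment, added here as an example and not taken from the article, showing the hardening the SFTP side of this comparison relies on: the legacy ciphers and password-only logins as the weak setting, and below them a modern cipher list, key-plus-password authentication and an SFTP-only chroot. The group name `sftpusers` and the path `/srv/sftp` are assumed; every directive is a standard OpenSSH option.

```text
# Weak (commented out): legacy CBC/3DES ciphers and password-only logins
# Ciphers 3des-cbc,aes128-cbc,aes256-cbc
# PasswordAuthentication yes

# Hardened: only AEAD ciphers, SHA-2 MACs and modern key exchange
Port 22
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
PubkeyAuthentication yes
PasswordAuthentication no

# SFTP served by sshd itself; no external sftp-server binary in the chroot
Subsystem sftp internal-sftp

# Transfer-only accounts: no shell, no forwarding, confined to their own directory.
# The chroot directory (and every parent) must be owned by root and not group/world writable.
Match Group sftpusers
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
    # require the key AND a password for this group (the two-factor combination mentioned above)
    AuthenticationMethods publickey,password
    PasswordAuthentication yes
```

Check the result with `sshd -T -C user=alice,host=,addr=` (assumed user name) to see the effective options for a member of the group, and confirm with `ssh alice@host` that a login without a key, or with a key but without the password, is rejected.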
Non-repudiation of receipt
- AS2: uses the signed MDN to prove that the message was sent and received by the correct parties. The sender requests an MDN, which the recipient signs with its certificate and returns once it has received and processed the message.
- SFTP: the protocol has no non-repudiation mechanism; proof of delivery has to come from server logs or application-level checks.
Interoperability and ease of use
- AS2: requires specialized software, certificate exchange and management with every trading partner, and technical knowledge, all of which raise implementation and maintenance costs.
- SFTP: easier and cheaper to implement and operate. SFTP uses a single port (22 by default, although another can be assigned) for the connection, authentication, the encrypted channel, commands and data, which makes it easy to allow through any firewall. It is supported by a wide range of software and platforms.
Conclusion
AS2's end-to-end encryption and its use of digital certificates are solid reasons why it is becoming popular and, in some sectors, required. In addition, AS2 provides non-repudiation through signed transfer receipts that validate file integrity, something standard file transfer protocols lack.
If your organization is in the retail or e-commerce sector, AS2 is probably a good choice: it will help you meet the requirements of many business partners. Still, AS2 is not easy to implement and needs dedicated software, which is why many companies use other secure file transfer mechanisms like SFTP, which is easier to deploy and provides strong authentication (keys and passwords).