For those who want to know “What is AS2?”, AS2 is an abbreviation for Applicability Statement 2 - a secure B2B transfer protocol that allows businesses to exchange Electronic Data Interchange (EDI) documents or other data, such as XML, CSV, or plain text documents with their trading partners. AS2 defines a reliable and secure mechanism to transfer structured business data via the Internet using HTTP/S (hypertext transport protocol secure), the same protocol nearly every website uses. In simple terms, AS2 is an “envelope” for sensitive business data, allowing it to be sent securely through a point to point client-server connection.
AS2 is a second-generation EDI specifications, published by the Internet Engineering Task Force (IETF) in 2002 as a replacement for their AS1 protocol introduced in the late 1990s. AS1 was a first-generation EDI specification that used email protocol for secure data transfers.
There are some other protocols available for B2B communication such as FTP, SFTP, and FTPS. But in contrast to those traditional B2B protocols, AS2 offers a secure, efficient and simple-to-use trading environment without a need for proprietary devices, software, value-added networks, or expensive private networks.
AS2 protocol defines that a message can be encrypted, digitally signed, and compressed before sending it to the recipient over an SSL tunnel (optionally) making the file transfers very secure. The recipient can send a Message Disposition Notification (MDN) to the sender, ensuring the message was delivered successfully. MDN can be digitally signed and will contain a checksum value that the sender will use to verify that the message received was identical to what was sent.
Encryption - AS2 uses Asymmetric Cryptography, also known as public-key cryptography, for message encryption. Sender encrypts message content with the recipient’s public key certificate to keep the data secure. Encrypted content can only be decrypted by using the corresponding private key - held only by the recipient - ensuring only the intended recipient will be able to interpret the content.
Digital Signatures- A digital signature is used to verify the identity of the message sender. The sender should sign a message using his private key which then allows the recipient to verify the authenticity of the sender. The recipient verifies the signature by using the sender’s public key certificate. The recipient can also sign his MDN to ensure the identity of the recipient's system. These digital signatures are used for message integrity and non-repudiation of origin.
Compression - Compression can be added to decrease the overall size of the message in order to improve transmission time.
Message Disposition Notification (MDN) - MDN, which is commonly referred to as a receipt, will make sure that the recipient received the message; and if digitally signed, it also verifies the identity of the recipient. The receiver can send back the receipt immediately over the same connection as a synchronous MDN - or he can send back the receipt later on a new connection, perhaps after the message has been processed - known as asynchronous mode.
Message Integrity Check(MIC) - After a message has been received, the recipient will calculate a checksum of the message using a hashing algorithm like MD5, SHA1, or SHA256. This calculated value is referred to as the MIC, and it will be sent back to the sender with the MDN. The sender will calculate a checksum using the same algorithm to make sure that the message sent is identical to the message that was received by the recipient. Non-repudiation of Receipt - The use of signatures on the message and receipt creates a Non-Repudiation of Receipt (NRR) event, which is considered legal proof of delivery.
The basic structure of an AS2 message consists of a MIME format inside an HTTP message, with a few additional AS2-specific HTTP headers.
An AS2 message conforms to the following structure:
AS2 follows a fairly straightforward process. Fist of all you need to have an AS2 software that acts as both a client (for message sending) and a server (for message receiving). There are some open-source AS2 implementation such as OpenAS2 and Mendelson AS2 for this purpose, Also, you can always go with an enterprise-grade SaaS AS2 application like AdroitLogic AS2 Gateway which provides a B2B trading platform for organizations - with the ability to configure AS2 stations and trading partners with a nice, simplified and intuitive interface concealing the underlying complexities.
EDI document preparation - Message content could be prepared in a standard EDI format to send over AS2. This is an optional step as AS2 can send documents in any format.
AS2 packaging - Content to be sent via AS2 can undergo three types of transformation:
Message Delivery - The message is securely transmitted over HTTP/S using file transmission software or services.
AS2 Unpacking - The receiver will unpack the message to retrieve the EDI document. If the data was encrypted, the document will be decrypted using the receiver's private key. If signed, the signature on the document is verified using the sender's public key. If the document was compressed, it will be decompressed.
EDI Processing - The AS2 receiver passes the unpacked EDI document to any back-end process that handles the data to perform any additional business logic.
MDN Reply - The receiver uses AS2 or EDI software to send a message confirmation receipt to the sender. The receiver will calculate the MIC as described before, and will send it along with the MDN.
MDN Processing - The sender validates the receipt signature and compares the returned MIC against the one originally calculated to make sure the content was delivered without any corruption or tampering.
AS2 is a universal method for B2B data transmission, used by millions of businesses worldwide, including most major retailers, such as Amazon and Walmart. When properly implemented, AS2 is a system for reliably and securely transferring files between trading partners. If you are interested in AS2, this will be a good starting point for your AS2 journey. Also, If you are interested in the AS2 technical background feel free to go through RFC 4130.