What Is AS2 And SFTP? Benefits And Use Cases Of EDI Protocols

Written by Brian McHugh. Last Updated:
The AS2 protocol provides secure file transfers with end-to-end encryption and MDN receipts

What is AS2?

AS2 is a specification for securely exchanging structured business electronic data interchange (EDI) should occur over the internet using HTTP/S and S/MIME encryption. AS2 uses HTTPS and S/MIME and is commonly used for B2B data transfers and can handle various file types beyond EDI, such as XML, EDIFACT, and others.

AS2 is an evolution of AS1, which was developed in the 1990s by the Internet Engineering Task Force (IETF), with the goal of making web-based messaging easier and more secure. AS2 was released in 2002. Whereas AS1 was based on SMTP and S/MIME, AS2 is based on HTTP/S and S/MIME.

Because AS2 uses HTTP/S, businesses need to make sure they are always connected to the internet in order to “listen” for transfers. A common analogy for AS2 is the telephone — if you aren’t there to hear the phone ring, you’re going to miss the phone call (the file transfer).

AS2 is somewhat similar to other protocols (FTPS) because it is based on HTTP/S and so uses TLS to provide encryption at the transport layer. Like AS1, AS2 uses S/MIME at the payload layer, placing information in a secure “envelope” as it moves over the internet.

AS2 differs because it is the only common protocol that uses Message Disposition Notifications to provide non-repudiation.

What is SFTP?

SFTP stands for Secure File Transfer Protocol and is built on File Transfer Protocol (FTP). It is a file protocol used to transfer files and uses Secure Shell (SSH) to protect data that is being sent and received. It uses both AES and other algorithms to secure data between two servers. It is often used by organizations that need to meet HIPAA, GDPR and other compliance requirements. 

To send data via SFTP, a SFTP client must connect to a SFTP server. It protects against a variety of cyber threats, including man in the middle attacks and password sniffing. It is considered to be more secure than other file protocols, including FTPS. 

What Is Non-Repudiation?

Non-repudiation methods make it unnecessary for the recipient of a file transfer to dispute the authenticity or accuracy of the information received. With AS2, validation is proven through Message Disposition Notification (MDN).

MDN is a special receipt that a transfer recipient can send back to the sender. The MDN lets the receiver know that the information has not been tampered with while crossing the network. Following decryption, the recipient’s unique digital signature is added to the MDN, which is then sent to the originator. This allows both the sender and the receiver to know that the information has been received in full and without being tampered with. If any information goes missing or is changed while in-transit, this will be automatically reflected in the MDN.

AS2 vs SFTP

As mentioned above, AS2 uses TLS/SSL to encrypt the communication channel and S/MIME to encrypt the actual information. SFTP uses Secure Shell protocol (SSH) instead of TLS to open and maintain secure connections between the client and server. (It’s worth noting that SFTP is an extension of SSH, as opposed to being an extension of FTP.)

While AS2 requires trading partners to share digital certificates before opening connections, SFTP does not, relying on public/private keys to provide authentication instead.

Technically, AS2 is a specification while SFTP is a protocol, but at a high level it still makes sense to compare both, as your trading partner is going to require you to use either AS2 or SFTP (or another secure file transfer protocol).

What Is AS2 Used For?

AS2 became very popular with retailers during the 2000s, with recognizable brands such as Walmart and Bed Bath & Beyond moving to AS2 to handle EDI transactions with suppliers, instead of relying on dial-up modems or value-added networks (VANs). Much of the retail world followed suit, spreading AS2 across consumer supply chains.

Additionally, AS2 is common in healthcare as AS2 meets HIPAA security standards.


Handle Any Protocol, Any Platform With A Unified MFT Solution

Take control of your file transfers with additional layers of security, workflow automation and unlimited trading partners.


Benefits Of AS2 EDI

AS2 has three main benefits that help differentiate AS2 from other common protocols such as FTPS, SFTP or OFTP2. Those three benefits are security, flexibility and cost. . Additionally, stress the cost savings achieved by bypassing Value Added Networks (VANs) and leveraging existing internet infrastructure.

Security

AS2 provide end-to-end encryption to ensure secure transmissions. End-to-end encryption means that information is encrypted before it leaves the sender’s machine, and is not decrypted until it arrives at the recipient’s machine. This makes it infeasible for hackers to attack servers in hopes of finding unencrypted data.

AS2 also provides MDN capabilities, allowing senders to require MDN receipts, as we covered above. MDN capabilities provide non-repudiation by enabling recipients to send receipts confirming the integrity of transferred data, while its payload agnosticism allows it to handle various file types beyond Electronic Data Interchange (EDI), ensuring flexibility in data exchange. This receipt capability is an additional security measure that is important for businesses.

Additionally, AS2 is backed by the Drummond Group. Drummond-certified vendors test their AS2 software across a range of security fields to maintain interoperability, reliability and security.

Flexibility

AS2 is most commonly associated with Electronic Data Interchange (EDI), which has its own set of technical standards. However, AS2 is payload agnostic and can handle almost any file type (EDI X12, EDIFACT, XML, etc.) so long as the file type is agreed to between trading partners.

Additionally, because AS2 transports information over the internet, there aren’t any limitations on large files. Transferring files over the internet also means most organizations have the infrastructure needed to use AS2, and because AS2 is already so common in retail, e-commerce and healthcare, most IT teams are already familiar and comfortable with AS2.

Costs

AS2 is a specification that simplifies point-to-point EDI. This is important because the alternative to point-to-point is to use a Value Added Network (VAN). VANs are expensive. Instead of contracting with a third-party provider, businesses can use AS2 to share information directly with their trading partners and customers.

Moreover, because your business is already connected to the internet, there isn’t a need to build new infrastructure in order to support AS2, which relies on HTTP/S.

Best Practices For Managing AS2

The main requirement for AS2 is to make sure your AS2 server is always connected to the internet. So long as there is stable internet connectivity, your AS2 server will always be able to receive transfers. Because AS2 runs over HTTP/S, it’s best to use ports 80/433 in order to simplify firewall configurations on the other end.

As for MDN, it’s optional — the sender can choose to require an MDN and can choose what type of MDN the receiver must return. In order to ensure the highest level of security and reliability, senders should require MDNs that contain digital signatures and which are sent regardless of whether or not the transfer was a success.

MDNs can also be synchronous or asynchronous. Asynchronous MDNs send receipts at a later time over a separate HTTPS connection, while synchronous MDNs use the same connection. This makes synchronous MDNs the faster option, but can cause problems handling large files in low bandwidth. Because AS2 operates on HTTPS, synchronous MDNs enable near real-time file transfers.

Also, because not all AS2 vendors are Drummond-certified, it is best to inquire about certifications before selecting an AS2 vendor.

As we’ve mentioned, AS2 provides direct connections which help reduce costs as compared to VANs. The drawback is that VANs support multiple protocols without requiring you to add more servers and infrastructure.

An AS2 server however is only going to support AS2. For most businesses this means having multiple servers for multiple protocols, as most businesses have trading partners that require different protocols. This makes management difficult.

Using an MFT server instead of an AS2 server can enable you to manage multiple protocols from a single server. Managed file transfer software also provide additional layers of security and functionality, making it easier to secure, automate and maintain your file transfers and file transfer environment.

Frequently Asked Questions

What is the difference between AS2 and SFTP?

AS2 specifies how structured business data is transported in a secure manner over the web. Trading partners using AS2 use digital certificates and encryption before opening connections as a way to protect the data and ensure it is transferred safely. 

SFTP is a secure file transfer protocol that uses Secure Shell (SSH) to protect data that is being sent and received. It uses both AES and other algorithms to secure data between two servers. Unlike AS2, it uses public/private keys to protect the business data it is transferring.

What is the AS2 protocol?

AS2, which uses HTTPS and S/MIME, is a specification that describes how EDI data should be transported between endpoints. It is commonly used by trading partners to transfer data between businesses.

Which is better – AS2 or SFTP?

Determining which protocol to  use – either AS2 or SFTP – depends on the use case and the requirements of the parties transferring data. AS2 is the preferred protocol of many trading partners who need to send EDI data between two endpoints (or businesses). 

SFTP is commonly used for large file transfers and bulk transfers of multiple files, documents and forms. It can be used as a more secure replacement for FTP files transfers because it protects from cyber threats like man-in-the-middle attacks.


Ready To See How We Make Managed File Transfers Easy?

Schedule a demo to watch our experts run jobs that match your use cases in ActiveMFT. Get your questions answered and learn how easy it is to automate and manage all of your file transfers in ActiveMFT.