AS2 (Applicability Statement 2) is used to exchange structured business data securely using the HTTP (Hypertext Transfer Protocol; an application protocol that runs on top of the TCP/IP suite of protocols used for Internet/intranet communications, typically over port 80) or HTTP/S (secure HTTP connection; HTTP is used, but over TCP port 443 with an additional encryption/authentication layer between HTTP and TCP) protocol. Any type of data can be exchanged using AS2, including traditional EDI (Electronic Data Interchange; transfer of data between companies using VANs or the Internet) messages, XML (Extensible Markup Language; a general-purpose markup language used to store any amount of text/data enclosed by user-defined start and end tags), flat files, spreadsheets, and CAD/CAM data. AS2 is not concerned with the content or validity of the data being sent, but only with the connection and the secure, reliable exchange of data. Data security is achieved using S/MIME (Secure/Multipurpose Internet Mail Extensions; a format and protocol for adding cryptographic signature and/or encryption services to Internet MIME messages) through signing and/or encryption.
AS2 offers distinct advantages over plain HTTP, including stronger verification and security achieved with receipts and digital signatures. Its transactions and acknowledgements occur in real time, increasing the efficiency of document exchanges. AS2 is also referred to as EDIINT AS2 (EDI over the Internet AS2). Many organizations are migrating to this protocol to reduce costs and are requiring their trading partners to switch to it as well. Sending encrypted payloads over HTTPS ensures that only the sender and receiver can view the data exchanged. The use of a hash algorithm ensures data integrity by detecting whether the document was altered during transmission.
HTTP is used to send data to an AS2-ready server. Using extended header information in the HTTP request, the client specifies how the data should be handled and whether the server should respond with a signed or an unsigned receipt. (A receipt is an acknowledgement of an interchange that is NOT signed; a signed receipt is an acknowledgement of an interchange that IS signed.)
The server validates the integrity of the data once received and then returns the requested acknowledgement, or message disposition notification (MDN; the Internet messaging format used to convey a receipt. The term is used interchangeably with receipt: an MDN is a receipt), to the client. Further validation is achieved by the client checking the receipt returned from the server. For technical details of AS2, refer to RFC 4130.
The basic structure of an AS2 message can be compared to an envelope: a MIME (Multipurpose Internet Mail Extensions; a specification for formatting non-ASCII messages so that they can be sent over the Internet; S/MIME adds support for encrypted messages)-formatted message carried inside an HTTP message with AS2 headers. The MDN is returned either in the body of the HTTP response or, asynchronously, in a new HTTP message sent to a URL (Uniform Resource Locator; an Internet address) supplied by the original sender. This request/reply transactional interchange provides secure, reliable, and authenticated transport for data using HTTP as the transfer protocol. The security protocols and structures used also support auditable records of these document transmissions, acknowledgements, and authentications. In a secure message exchange, one organization sends a signed and encrypted message to another organization and requests a signed receipt; the receiving organization then returns the signed receipt to the sending organization.
Non-repudiation of receipt (NRR) is a legal event that occurs only when the original sender has verified the signed receipt returned by the recipient of the message and has confirmed that the message integrity check (MIC; also called the message digest, the MIC is the output of the hash algorithm used by the digital signature, and the digital signature is computed over the MIC) carried inside the MDN matches the value recorded for the original message before it was sent. In other words, the sender obtains undeniable proof that the recipient received the message and that it was not altered in transit. NRR is established when both the original message and the receipt are digitally signed.
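The following Python example is added here to make the exchange above concrete; it is not code from the original page or from any AS2 product. It builds the AS2 request headers that ask for a signed MDN (including the optional Receipt-Delivery-Option header for an asynchronous receipt), computes the MIC the sender records before transmitting, constructs the receiver's disposition-notification fields, and runs the sender-side checks that establish NRR: the receipt must refer to the right message, report "processed" without an error modifier, and carry a Received-Content-MIC equal to the recorded value. Assumptions, all labelled in the code: the payload is sent unsigned and unencrypted so the MIC is taken over the content bytes exactly as sent; sha256 is the MIC algorithm agreed with the partner; the partner IDs, message IDs, mailbox, URL and the X12 payload are constructed sample values; and verification of the MDN's own S/MIME signature happens before these checks and is outside the example.

```python
# Added example, not code from the original page or from any AS2 product.
# Assumptions (labelled): unsigned, unencrypted payload, so the MIC covers the
# content bytes exactly as transmitted; sha256 agreed as MIC algorithm; partner
# IDs, message IDs, mailbox, URL and EDI payload are constructed sample values.
import base64
import hashlib
from email.parser import HeaderParser
from typing import Dict, Optional, Tuple

MICALG = "sha256"  # assumption: digest algorithm agreed with the trading partner


def compute_mic(content: bytes, micalg: str = MICALG) -> str:
    """Return the MIC in the form carried by Received-Content-MIC:
    '<base64 digest>, <micalg>'."""
    digest = hashlib.new(micalg, content).digest()
    return f"{base64.b64encode(digest).decode('ascii')}, {micalg}"


def build_as2_headers(sender: str, receiver: str, message_id: str,
                      content_type: str, mdn_url: Optional[str] = None) -> Dict[str, str]:
    """HTTP headers for the AS2 POST, asking the receiver for a signed MDN.
    Receipt-Delivery-Option, when given, requests an asynchronous MDN sent to
    that URL instead of one returned in the HTTP response body."""
    headers = {
        "AS2-Version": "1.0",
        "AS2-From": sender,
        "AS2-To": receiver,
        "Message-ID": message_id,
        "Content-Type": content_type,
        # Presence of this header requests the MDN; the mailbox is a constructed value.
        "Disposition-Notification-To": "as2-receipts@sender.example",
        # Ask for a signed receipt (PKCS#7 signature) computed with our MIC algorithm.
        "Disposition-Notification-Options":
            "signed-receipt-protocol=optional, pkcs7-signature; "
            f"signed-receipt-micalg=optional, {MICALG}",
    }
    if mdn_url:
        headers["Receipt-Delivery-Option"] = mdn_url
    return headers


def make_mdn_fields(original_message_id: str, recipient: str, result: str,
                    received_mic: str) -> str:
    """Receiver side: the message/disposition-notification part of the MDN.
    The MIC is computed over the content the receiver actually got, which is
    what lets the sender detect alteration in transit."""
    return (
        "Reporting-UA: receiver.example; constructed AS2 gateway\r\n"
        f"Original-Recipient: rfc822; {recipient}\r\n"
        f"Final-Recipient: rfc822; {recipient}\r\n"
        f"Original-Message-ID: {original_message_id}\r\n"
        f"Disposition: automatic-action/MDN-sent-automatically; {result}\r\n"
        f"Received-Content-MIC: {received_mic}\r\n"
    )


def _normalize_mic(mic: str) -> str:
    # Tolerate whitespace differences around the comma between digest and algorithm.
    return ",".join(part.strip() for part in mic.split(","))


def verify_receipt(recorded_mic: str, original_message_id: str,
                   mdn_fields: str) -> Tuple[bool, str]:
    """Sender side: the checks that establish NRR, run after the MDN's own
    signature has been verified (signature verification is outside this example)."""
    fields = HeaderParser().parsestr(mdn_fields)  # header lookups are case-insensitive
    if fields.get("Original-Message-ID", "").strip() != original_message_id:
        return False, "receipt refers to a different message"
    disposition = fields.get("Disposition", "").lower()
    # e.g. "automatic-action/mdn-sent-automatically; processed/error: decryption-failed"
    _, _, result = disposition.partition(";")
    if result.strip().split("/")[0] != "processed" or "error" in result:
        return False, f"receipt reports failure: {disposition}"
    if _normalize_mic(fields.get("Received-Content-MIC", "")) != _normalize_mic(recorded_mic):
        return False, "MIC mismatch: content altered in transit or MIC computed differently"
    return True, "NRR established: receipt matches the recorded MIC"


def demo() -> Dict[str, object]:
    """One exchange with a genuine receipt, one where the content was altered
    before the receiver computed its MIC, and one receipt reporting an error."""
    # Constructed X12 interchange envelope; not real trading-partner data.
    payload = (b"ISA*00*          *00*          *ZZ*SENDERID       *ZZ*RECEIVERID     "
               b"*240101*1200*U*00401*000000001*0*P*>~")
    message_id = "<20240101-000001@sender.example>"
    headers = build_as2_headers("SENDERID", "RECEIVERID", message_id, "application/edi-x12")
    recorded_mic = compute_mic(payload)  # the sender records this before transmitting

    genuine_mdn = make_mdn_fields(message_id, "RECEIVERID", "processed", compute_mic(payload))
    altered = payload.replace(b"*P*", b"*T*")  # simulated modification in transit
    altered_mdn = make_mdn_fields(message_id, "RECEIVERID", "processed", compute_mic(altered))
    failed_mdn = make_mdn_fields(message_id, "RECEIVERID",
                                 "processed/error: decompression-failed", compute_mic(payload))
    return {
        "headers": headers,
        "genuine": verify_receipt(recorded_mic, message_id, genuine_mdn),
        "altered": verify_receipt(recorded_mic, message_id, altered_mdn),
        "failed": verify_receipt(recorded_mic, message_id, failed_mdn),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Running the script prints the three outcomes: the genuine receipt passes, the receipt computed over altered content fails on the MIC comparison, and the receipt with an error modifier fails before the MIC is even compared. The design choice worth noting is that the sender stores the MIC before transmission and compares against the partner's reported value, rather than recomputing it from its own copy at verification time, so the stored value itself becomes part of the audit record described above.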