Wednesday, April 25, 2012

AS2 Protocol

AS2 (Applicability Statement 2, specified in RFC 4130) is a protocol that describes how to exchange structured business data securely over HTTP.
The structured business data exchanged using AS2 can be:
  • Electronic Data Interchange (EDI) in either the
    • UN Electronic Data Interchange for Administration, Commerce, and Transport (UN/EDIFACT) format or
    • the ANSI ASC X12 format
  • XML or any other structured data format.

The major application of AS2 is exchanging data in EDI formats.

Security is achieved using X.509 digital certificates with S/MIME signing and encryption. Exchanged messages can be signed to provide authenticity, integrity and non-repudiation of origin. They can also be encrypted to provide confidentiality. Both are optional according to the AS2 specification: an AS2 message can carry its content in plain text and without a digital signature, so what a given exchange actually protects depends on what the two trading partners have configured, not on the protocol itself.

S/MIME is a format and protocol for adding cryptographic signatures and/or encryption to Internet MIME messages. In AS2, the file to be exchanged is carried as the body of an S/MIME message; this is what we call an AS2 message. Those messages are sent over HTTP or HTTPS as an HTTP POST.


Content Types and AS2

There can be several content types for AS2 messages (application/EDIxxxx stands for application/EDI-X12, application/EDIFACT or application/edi-consent):
  • When there is no encryption and no signature
    • application/EDIxxxx or application/xml
  • When there is no encryption, but a signature is present
    • multipart/signed – the message contains two MIME parts
      • application/EDIxxxx or application/xml
      • application/pkcs7-signature
  • When there is encryption, but no signature
    • application/pkcs7-mime
      • application/EDIxxxx or application/xml (in the decrypted message)
  • When there is both encryption and signature
    • application/pkcs7-mime
      • multipart/signed – the decrypted message contains two parts
        • application/EDIxxxx or application/xml
        • application/pkcs7-signature

Note that from the outside an encrypted message looks the same whether or not it was also signed; the receiver only sees the multipart/signed structure, or its absence, after decryption.

AS2 endpoints are usually called "trading partners". When sending a message, the sender can request an acknowledgement called an MDN (Message Disposition Notification).
There are three options for requesting an MDN: a synchronous MDN (returned in the HTTP response to the POST), an asynchronous MDN (delivered later by a separate HTTP POST to a URL the sender supplied) and no MDN. The MDN carries a MIC (Message Integrity Check), a digest of the received content, so the sender can verify that the receiver got exactly what was sent; an MDN can itself be signed, and a signed MDN is what gives the sender non-repudiation of receipt.

If there are problems receiving or interpreting the original AS2 message, a "failed" MDN (or one with a processed/error disposition) is sent back. According to the specification, both a failed MDN and not receiving an MDN at all when one was requested are to be treated as failures by the sender.
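The content-type table above and the MDN exchange, as an added example that is not code from this post, Mendelson or OpenAS2: a classifier for the message structures, the MIC computation that the receiver puts into the Received-Content-MIC field, and the sender-side check that turns a failed, foreign or mismatching MDN into a failure. Only the Python standard library is used. The trading-partner names, Message-IDs, addresses, the EDI fragment and the product name in Reporting-UA are constructed, and the pkcs7 bodies are placeholders rather than real CMS data, so signature verification and decryption are out of scope here.

```python
"""Added example; not code from the post, Mendelson or OpenAS2. Names, IDs and
the EDI fragment are constructed; pkcs7 bodies are placeholders, not real CMS."""
import base64
import hashlib
from email import message_from_bytes, policy

# Constructed X12 fragment; any of the structured formats works the same way.
EDI_PAYLOAD = (b"ISA*00*          *00*          *ZZ*SENDER         *ZZ*RECEIVER       "
               b"*120425*1200*U*00401*000000001*0*T*>~\r\nIEA*0*000000001~")
EDI_TYPES = {"application/edi-x12", "application/edifact",
             "application/edi-consent", "application/xml"}

# In real traffic these are HTTP headers of the POST; kept inline for the parser.
AS2_HEADERS = (b"AS2-Version: 1.2\r\nAS2-From: SENDER\r\nAS2-To: RECEIVER\r\n"
               b"Message-ID: <msg-1@sender.example>\r\n"
               b"Disposition-Notification-To: as2@sender.example\r\n")
PLAIN = AS2_HEADERS + b"Content-Type: application/EDI-X12\r\n\r\n" + EDI_PAYLOAD

# The signed part: its own MIME headers are covered by the signature and the MIC.
SIGNED_CONTENT_PART = b"Content-Type: application/EDI-X12\r\n\r\n" + EDI_PAYLOAD
PLACEHOLDER_P7 = base64.b64encode(b"not a real CMS blob")  # constructed stand-in
SIGNED = (AS2_HEADERS
          + b'Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
          + b' micalg=sha1; boundary="as2sig"\r\n\r\n'
          + b"--as2sig\r\n" + SIGNED_CONTENT_PART + b"\r\n"
          + b"--as2sig\r\nContent-Type: application/pkcs7-signature; name=smime.p7s\r\n"
          + b"Content-Transfer-Encoding: base64\r\n\r\n" + PLACEHOLDER_P7
          + b"\r\n--as2sig--\r\n")
ENCRYPTED = (AS2_HEADERS
             + b"Content-Type: application/pkcs7-mime; smime-type=enveloped-data\r\n"
             + b"Content-Transfer-Encoding: base64\r\n\r\n" + PLACEHOLDER_P7 + b"\r\n")


def classify_as2(raw):
    """Name the security structure from the outermost Content-Type."""
    msg = message_from_bytes(raw, policy=policy.default)
    ctype = msg.get_content_type()
    if ctype == "application/pkcs7-mime":
        # encrypted or signed-then-encrypted: a multipart/signed inside the
        # envelope only becomes visible after decryption
        return "encrypted"
    if ctype == "multipart/signed":
        content, signature = msg.get_payload()
        if (signature.get_content_type() != "application/pkcs7-signature"
                or content.get_content_type() not in EDI_TYPES):
            raise ValueError("malformed multipart/signed")
        return "signed"
    if ctype in EDI_TYPES:
        return "plain"
    raise ValueError("not an AS2 payload: " + ctype)


def mic_of_bytes(data, algorithm="sha1"):
    """Received-Content-MIC value: base64(digest), algorithm name. sha1 matches the
    sample's micalg; S/MIME names SHA-2 as 'sha-256', which hashlib does not."""
    return base64.b64encode(hashlib.new(algorithm, data).digest()).decode() + ", " + algorithm


def as2_mic(raw, algorithm="sha1"):
    """MIC input per RFC 4130 7.3.1: for multipart/signed the first body part
    including its MIME headers, in canonical CRLF form; for an unsigned,
    unencrypted message the content only, without any headers."""
    msg = message_from_bytes(raw, policy=policy.default)
    ctype = msg.get_content_type()
    if ctype == "application/pkcs7-mime":
        raise ValueError("decrypt first; the MIC is over the decrypted content")
    if ctype == "multipart/signed":
        boundary = b"--" + msg.get_boundary().encode()
        start = raw.index(boundary + b"\r\n") + len(boundary) + 2
        data = raw[start:raw.index(b"\r\n" + boundary, start)]  # exact signed bytes
    else:
        data = msg.get_payload(decode=True)
    return mic_of_bytes(data, algorithm)


def build_mdn(raw_received, disposition, text=b"The AS2 message was processed."):
    """Receiver side: an unsigned MDN (multipart/report) for raw_received.
    `disposition` follows 'automatic-action/MDN-sent-automatically; ', e.g.
    'processed' or 'processed/error: authentication-failed'."""
    msg = message_from_bytes(raw_received, policy=policy.default)
    to = str(msg["AS2-To"]).encode()
    fields = [b"Reporting-UA: example-as2/0.1",  # hypothetical product name
              b"Original-Recipient: rfc822; " + to,
              b"Final-Recipient: rfc822; " + to,
              b"Original-Message-ID: " + str(msg["Message-ID"]).encode(),
              b"Disposition: automatic-action/MDN-sent-automatically; " + disposition.encode(),
              b"Received-Content-MIC: " + as2_mic(raw_received).encode()]
    return (b'Content-Type: multipart/report; report-type=disposition-notification; '
            + b'boundary="mdn"\r\n\r\n--mdn\r\nContent-Type: text/plain\r\n\r\n' + text
            + b"\r\n--mdn\r\nContent-Type: message/disposition-notification\r\n\r\n"
            + b"\r\n".join(fields) + b"\r\n--mdn--\r\n")


def verify_mdn(mdn_bytes, sent_message_id, sent_mic):
    """Sender side: accept only a plain 'processed' disposition for our own
    Message-ID whose MIC equals the one computed at send time. A failed or
    processed/error disposition, a foreign Message-ID, a missing MIC or a MIC
    mismatch all return False; no MDN at all is the caller's timeout, same result."""
    report = message_from_bytes(mdn_bytes, policy=policy.default)
    if report.get_content_type() != "multipart/report":
        return False
    dn = [p for p in report.get_payload()
          if p.get_content_type() == "message/disposition-notification"]
    if len(dn) != 1:
        return False
    fields = dn[0].get_payload()[0]  # the MDN fields parse as a nested header block
    disposition = str(fields.get("Disposition", "")).split(";", 1)[-1].strip()
    mic = str(fields.get("Received-Content-MIC", "")).replace(" ", "")
    return (str(fields.get("Original-Message-ID", "")) == sent_message_id
            and disposition == "processed"
            and mic == sent_mic.replace(" ", ""))
```

Two things the block makes visible that the text alone does not: the sender has to store the MIC it computed when it sent each message, because an MDN cannot be checked against anything else, and for a signed message that MIC covers the inner part's MIME headers as well as the body, so a receiver that canonicalizes line endings differently will produce a mismatch that looks like tampering. In a real endpoint the S/MIME signature is verified against the partner's configured certificate before any of this is trusted, and the MDN itself is normally signed.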

Mendelson AS2 (GPL) and OpenAS2 (BSD) are open source Java implementations of AS2; both can be used to send and receive AS2 messages. Mendelson in particular has a user-friendly GUI.