AS2 vs SFTP—What’s the difference?

AS2, used for direct B2B exchanges such as EDI over HTTP/S, emphasizes certificate-based authentication, encryption, and non-repudiation through signed MDN receipts. SFTP, which runs over SSH, is a general-purpose secure file transfer method that provides encryption, integrity checking, and password or public-key authentication (the two can be required together), but it has no built-in proof of receipt. Choose AS2 when a trading partner or an EDI workflow requires it, and SFTP for versatile, secure file sharing.

What is AS2 protocol?

AS2 or Applicability Statement 2 is a file transfer protocol that’s commonly used in business-to-business (B2B) data transfers. It’s based on the S/MIME and HTTP/S protocols. While you can theoretically use AS2 to transfer almost any type of file, it’s normally associated with electronic data interchange (EDI).

The AS2-EDI connection

EDI is a way of exchanging standardized business documents. These documents contain business data structured in certain formats, such as XML, X12, or EDIFACT. By agreeing on a common standard when exchanging business documents, which are then known as EDI documents, trading partners can ensure interoperability.

In the past, two trading partners would normally exchange EDI documents through a third party known as a Value-Added Network (VAN). Increased adoption of the Web and HTTP/S, however, paved the way for AS2. The AS2 protocol, which runs on HTTP/S, allows two trading partners to exchange EDI data directly, thereby eliminating the need for a VAN.

The AS2 protocol already comes with a robust selection of security features that protect EDI payloads, making it suitable for B2B exchanges. These features include authentication, data-in-transit encryption, data integrity checking, and non-repudiation. We’ll discuss these features in more detail later.

AS2 sample use cases

Order processing in the retail industry

AS2 is highly popular in the retail industry, where it is often used for various EDI transactions. For example, retailers can use it to exchange EDI data such as purchase orders, invoices, and advanced shipping notices (ASNs) with suppliers, distributors, and logistics partners.

Claims processing in the healthcare industry

AS2 is also popular in the US healthcare industry, where it is used to facilitate healthcare-related EDI data exchanges. For example, a hospital can use AS2 to send EDI 837 files, which contain healthcare claims and billing payment information, to a healthcare payer.

See how our AS2 solutions streamline healthcare data exchanges and enhance compliance. Schedule your free demo today.

What is SFTP protocol?

SFTP stands for SSH File Transfer Protocol (it is also commonly expanded as Secure File Transfer Protocol). It's a secure, general-purpose file transfer protocol that runs on top of SSH (Secure Shell), a cryptographic network protocol. SFTP is an SSH subsystem that lets you transfer files between a client and a server, or between two servers.

A more secure alternative to FTP

Although some people refer to SFTP as ‘Secure FTP’, SFTP shouldn’t be confused with FTPS. FTPS is the original File Transfer Protocol (FTP) extended with SSL/TLS, which wraps FTP’s control and data channels in TLS. SFTP is a different protocol altogether that relies on SSH’s built-in security functions. That said, both SFTP and FTPS are secure alternatives to plain FTP.

For a simplified discussion on the differences between SSL/TLS and SSH in the context of secure file transfers, read the blog post “SSL vs SSH - A Not-So-Technical Comparison”.

Although SFTP possesses the same file transfer capabilities as FTP, it’s significantly more secure. SFTP offers data-in-motion encryption, data integrity checking, and more than one authentication method (password and public key), which can be required together for two-factor authentication. FTPS also supports these security features, but plain FTP doesn’t: it sends credentials and file contents in clear text.

You can protect FTP file transfers by running them through a virtual private network or VPN, but that would be a more complicated setup. In addition to your FTP server, you’ll need to install, configure and deploy a VPN solution. Then, you need to have your FTP connections go through the VPN tunnel. With SFTP, you only need to set up one solution for file transfers and for securing those transfers.

SFTP sample use cases

Intra-organizational file sharing

While AS2 is exclusively used for server-to-server file transfers, SFTP can also be used for person-to-person file transfers. For example, you can set up an SFTP server for your organization and then allow your users to share files through it. Your users can upload and download files to/from shared folders on that server using SFTP clients.

Supply chain server-to-server file transfers

SFTP can also be used for server-to-server file transfers. Consider a supply chain scenario where you have a manufacturer and a distributor. The manufacturer and distributor can exchange business documents by setting up two SFTP servers. One SFTP server would be on the manufacturer’s side, while the other server would be on the distributor’s side. You can then automate file transfers between the two servers by writing scripts that execute based on certain events.

AS2 vs. SFTP - Key security distinctions

AS2 and SFTP are both highly secure. However, their approaches to specific data security functions differ. In this section, we’ll distinguish the approaches AS2 and SFTP take to implement major security functions such as authentication, encryption, data integrity, and non-repudiation.

Moreover, since your AS2 and SFTP data transfers will likely have to go through your firewall—yet another network security solution—we’ll also talk about firewall considerations.

Authentication

Before you execute any file transfer with another party, it’s important to verify that party’s identity. You don’t want to send any sensitive data to a malicious host or receive data from a malicious sender. You need to use an authentication method to verify the other party’s identity.

AS2 authentication

While most file transfer solutions use usernames and passwords for authentication, most AS2 deployments use digital certificates for this purpose. A digital certificate contains an AS2 trading partner’s public key. If two trading partners wish to exchange data through AS2, they each have to send a copy of their digital certificate (and its accompanying public key) to the other party first. This is done once during the initial setup, and again whenever a certificate expires or is rotated; an expired or un-exchanged certificate is one of the most common causes of AS2 failures.

Once both organizations have imported their trading partner’s certificate, all subsequent AS2 transfers use those certificates. AS2 authenticates at the message level rather than at connection setup: the sender signs the S/MIME message with its own private key, and the recipient verifies that signature with the public key from the sender’s certificate. A signature that verifies proves the message came from the holder of the matching private key, so the sender is considered authenticated, and as a side effect the message is known to be unmodified. If verification fails, the message should be rejected and no receipt issued.

Note that, while AS2 has built-in security features for certificate-based authentication, encryption and data integrity, you can also augment those features with those included in SSL/TLS. To do that, you must enable HTTPS on your AS2 solution.

SFTP authentication

Since SFTP supports person-to-server file transfers, many SFTP deployments use password-based authentication. This is sometimes combined with public key authentication to achieve two-factor authentication. In public key authentication, the connecting party proves it holds the private half of an SSH key pair (the server checks a signature against the registered public key) instead of presenting a password, so no reusable secret crosses the wire.

Public key authentication, which like certificate-based authentication relies on a private/public key pair, can also be used on its own, without password authentication. This is the usual setup for automated SFTP transfers, where no human is present to type a password. For such accounts, disable password authentication entirely so that a leaked or guessed password cannot be used against them.
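Here is how those two authentication policies look in OpenSSH’s sshd_config, as an added example that is not from the original post. The group name sftp-users, the account edi-batch, and the chroot paths are assumptions; the directives themselves are standard OpenSSH configuration.

```sshd_config
# Added example (not from the original post). Group, user and path names are assumptions.

# Serve SFTP in-process; no separate sftp-server binary is needed inside a chroot.
Subsystem sftp internal-sftp

# Secure defaults for everyone: keys only, no password logins.
PubkeyAuthentication yes
PasswordAuthentication no

# Interactive users: BOTH a key and a password are required (two factors).
Match Group sftp-users
    AuthenticationMethods publickey,password
    PasswordAuthentication yes
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no

# Automated partner transfers: key only, so a leaked password is useless here.
Match User edi-batch
    AuthenticationMethods publickey
    PasswordAuthentication no
    ChrootDirectory /srv/sftp/edi-batch
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
```

Run `sshd -t` after editing to check the syntax. Note that every ChrootDirectory path must be owned by root and not writable by group or others, otherwise sshd refuses the login; give users a writable subdirectory inside it for uploads.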

Encryption

During a file transfer, you want to preserve the confidentiality of your transmitted data. To stop threat actors from eavesdropping on your connections or inserting themselves as a man-in-the-middle to read your data, you need to employ data-in-motion encryption. When you use strong cryptographic algorithms, such as AES-256, an attacker who captures the traffic cannot recover the plaintext from it.

AS2 encryption

AS2 provides confidentiality in two ways. The first is the protocol’s own S/MIME encryption of the payload. The second is HTTPS. If you use AS2’s built-in encryption, you can send AS2 messages over plain HTTP and the EDI payload itself stays unreadable to anyone intercepting the connection. What plain HTTP does expose is everything outside the S/MIME envelope: the HTTP headers, including the AS2-From and AS2-To identifiers and Message-ID, and any HTTP Basic credentials your partner requires. For that reason, and for defense in depth, you should layer the built-in encryption with TLS by sending your AS2 transfers over HTTPS.

Both methods—built-in AS2 encryption and HTTPS-based encryption—use digital certificates and their corresponding public-private key pairs.

SFTP encryption

SFTP derives its encryption from the underlying SSH protocol. Like AS2 it relies on public keys, but in a different role: SSH uses the server’s host key to authenticate the server and a Diffie-Hellman (or elliptic-curve) key exchange to agree on fresh symmetric session keys for every connection, and the file contents are then protected by a symmetric cipher such as AES. The main practical difference from AS2 is that SFTP encryption is always on: every SFTP session is encrypted, because the SFTP subsystem only exists inside an established SSH connection. In AS2, encryption is optional. You may or may not enable it when you configure a trading partner, so an unencrypted-over-HTTP AS2 setup is possible and is worth catching in configuration review.

Data integrity

Upon receiving a file at the end of a file transfer, you want to verify that it is intact and wasn’t tampered with along the way. This is achieved through data integrity checks.

AS2 data integrity

AS2 ensures data integrity with hash functions such as SHA-1 and the SHA-2 family (MD5 and SHA-1 are still accepted by many implementations for compatibility, but both are broken for collision resistance, so configure SHA-256 or stronger). Before sending a message, the sender hashes the content and signs that hash with its private key, which is the S/MIME signature described above. The recipient hashes the received content with the same algorithm and verifies the signature over it. If the hash the recipient computes matches the signed hash, the message is considered intact. A bare hash sent alongside the data would not be enough, since an attacker who alters the data could simply recompute it; that is why the hash must be signed.

The actual process is more complicated than that. For a more detailed discussion, you may read the blog post “Understanding Hashing.”

SFTP data integrity

Like AS2, SFTP also relies on hash-based integrity checks, which it inherits from the underlying SSH protocol. SSH attaches a message authentication code (for example HMAC-SHA2-256) to every packet, or uses an authenticated cipher that does the same job. Any packet modified in transit fails the check and the connection is torn down, so a tampered file can never arrive looking intact.

Non-repudiation

Unlike authentication, encryption, and data integrity, non-repudiation is a security function built into AS2 but absent from SFTP. What AS2 provides is specifically non-repudiation of receipt: it prevents the receiving party from falsely denying that it received a particular AS2 message in its entirety and unaltered. An SFTP server can log a completed upload, but that log is under the receiver’s control and carries no cryptographic proof the sender can verify independently.

To clarify, non-repudiation is different from data integrity checking. While data integrity checks are beneficial to the recipient, non-repudiation is beneficial to the sender. If you send a contract, an invoice, a file containing healthcare records or patient consent forms, intellectual property, a regulatory filing or any other important document, you’ll want to know with utmost certainty whether the intended recipient received that document.

AS2 provides non-repudiation of receipt through Message Disposition Notification (MDN) receipts. An MDN is an electronic receipt: when MDNs are enabled, the receiving partner automatically returns one to the sender, either synchronously on the same HTTP connection or asynchronously to a URL the sender supplies. To be useful as evidence, request a signed MDN: the receiver includes the Message Integrity Check (MIC) it computed over what it received and signs the MDN with its own private key. The sender verifies that signature and compares the returned MIC with the one it computed before sending. Only when both checks pass can the sender prove that this partner received exactly this content. If the signature is missing or the MIC differs, treat the transfer as failed and retry or escalate, and archive matching MDNs alongside the sent messages, since the receipts are your audit trail.
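The three checks described in this article (signature-based authentication in the Authentication section, the signed hash in the Data integrity section, and the signed MDN here) fit into one round trip. The following Go program, an added example that is not part of the original post and not code from any AS2 product, models that round trip with both partners’ steps. It assumes RSA-PSS signatures over a SHA-256 digest in place of the S/MIME (CMS) signature AS2 actually uses and represents the MDN as a struct rather than a MIME report; the names Partner, Message, MDN, Send, Receive and CheckMDN are this example’s own, and the X12 fragment is constructed sample data.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Partner holds one trading partner's key pair (the public half is what a real
// deployment exchanges as an X.509 certificate at onboarding).
type Partner struct {
	Name string
	Key  *rsa.PrivateKey
}

// NewPartner generates a key pair; assumed helper for this example only.
func NewPartner(name string) (*Partner, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Partner{Name: name, Key: k}, nil
}

// Message models a signed AS2 message: payload plus the sender's signature over
// its SHA-256 digest (real AS2 carries an S/MIME signature instead).
type Message struct {
	From               string
	Payload, Signature []byte
}

// MDN models a signed receipt: the MIC the receiver computed over what it
// actually got, signed with the receiver's key (cf. Received-content-MIC).
type MDN struct {
	ReceivedMIC string
	Signature   []byte
}

// mic is the Message Integrity Check: base64 of the SHA-256 digest over the
// content (real AS2 digests the MIME entity that was signed).
func mic(payload []byte) string {
	sum := sha256.Sum256(payload)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// sign and verify stand in for the S/MIME operations (RSA-PSS over SHA-256).
func sign(p *Partner, data []byte) ([]byte, error) {
	d := sha256.Sum256(data)
	return rsa.SignPSS(rand.Reader, p.Key, crypto.SHA256, d[:], nil)
}
func verify(pub *rsa.PublicKey, data, sig []byte) error {
	d := sha256.Sum256(data)
	return rsa.VerifyPSS(pub, crypto.SHA256, d[:], sig, nil)
}

// Send signs the payload and returns the MIC the sender must keep until the receipt arrives.
func Send(sender *Partner, payload []byte) (*Message, string, error) {
	sig, err := sign(sender, payload)
	if err != nil {
		return nil, "", err
	}
	return &Message{From: sender.Name, Payload: payload, Signature: sig}, mic(payload), nil
}

// Receive authenticates the sender and checks integrity in one step (the signature
// verifies only if the payload is unmodified), then issues a signed MDN.
// A message whose signature fails gets no receipt at all.
func Receive(receiver *Partner, senderPub *rsa.PublicKey, m *Message) (*MDN, error) {
	if err := verify(senderPub, m.Payload, m.Signature); err != nil {
		return nil, fmt.Errorf("rejecting message from %s: %w", m.From, err)
	}
	r := &MDN{ReceivedMIC: mic(m.Payload)}
	sig, err := sign(receiver, []byte(r.ReceivedMIC))
	if err != nil {
		return nil, err
	}
	r.Signature = sig
	return r, nil
}

// CheckMDN is the sender's proof of delivery: the receipt must carry the receiver's
// valid signature AND report the MIC the sender computed. Either failure means
// delivery is unproven and the transfer must be retried.
func CheckMDN(receiverPub *rsa.PublicKey, sentMIC string, r *MDN) error {
	if err := verify(receiverPub, []byte(r.ReceivedMIC), r.Signature); err != nil {
		return fmt.Errorf("MDN signature invalid: %w", err)
	}
	if r.ReceivedMIC != sentMIC {
		return fmt.Errorf("MIC mismatch: receiver reports %s, sender computed %s", r.ReceivedMIC, sentMIC)
	}
	return nil
}

func main() {
	sender, _ := NewPartner("MANUFACTURER")
	receiver, _ := NewPartner("DISTRIBUTOR")
	// Constructed sample payload: the opening segment of an X12 interchange.
	msg, sentMIC, _ := Send(sender, []byte("ISA*00*          *00*          *ZZ*MANUFACTURER   *ZZ*DISTRIBUTOR    *~"))
	mdn, err := Receive(receiver, &sender.Key.PublicKey, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("delivery proven:", CheckMDN(&receiver.Key.PublicKey, sentMIC, mdn) == nil)
}
```

The order of checks is the point: Receive verifies the sender’s signature before it computes the MIC, so a message altered in transit never gets a receipt, and CheckMDN verifies the receiver’s signature before comparing MICs, so a forged or misdirected receipt is rejected before its contents are trusted. In a real deployment, the generated keys are replaced by the partner certificates exchanged at onboarding, and the sent MIC is stored with the outbound message until the MDN arrives.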

Firewall considerations

The network firewall is one of the most fundamental cybersecurity controls, and almost every business has one at its network perimeter, so file transfer connections will normally cross at least one firewall. For this reason, it’s important to know the firewall requirements of your file transfer protocol: which ports to open, in which direction, and from which sources, so that you avoid both connectivity problems and an unnecessarily exposed service.

AS2 firewall considerations

AS2 runs over HTTP or HTTPS, whose standard ports are 80 and 443 respectively. Open whichever one you use (or the custom port your AS2 endpoint is configured for). Pay attention to direction: most firewalls allow outbound 80 and 443 by default so that users can reach websites, but receiving AS2 messages requires an inbound rule that exposes your AS2 endpoint to your partners. Restrict that inbound rule to your trading partners’ source addresses where possible, and prefer 443 so that headers and credentials are not sent in the clear.

SFTP firewall considerations

SFTP’s standard port number is 22, so if you run SFTP on that port you need to allow inbound TCP 22 on your firewall. Unlike FTP and FTPS, which need a separate range of data-channel ports, SFTP does everything over that single connection, which keeps the rule simple. As with AS2, limit the inbound rule to the partner addresses you expect, since port 22 is a constant target for brute-force login attempts.

When should you use AS2?

In many cases, your decision to use AS2 will not be a matter of choice but of necessity. Many large enterprises, such as Walmart, Unilever, and General Motors, either require or recommend the use of AS2. If you wish to transact with them, you’ll need to adopt AS2.

Some industries indirectly require AS2 as well. For instance, in the United States, the Health Insurance Portability and Accountability Act (HIPAA) requires covered healthcare organizations that conduct certain transactions (claims, eligibility checks, remittance advice and so on) electronically to use standardized EDI formats. Since AS2 is a natural fit for exchanging EDI data, it would be logical to use that file transfer protocol.

In choosing an AS2 solution, make sure it is Drummond-certified. A Drummond Group certification means the product was rigorously tested and validated for reliability and interoperability.

When should you use SFTP?

Since SFTP is more of a general-purpose file transfer protocol, you can use it for any other file transfer use case. You can use it to transfer large files, facilitate file sharing, send backups to a remote backup service, transfer files of any type, etc. You can even use it for EDI exchanges if that’s the only protocol your trading partner supports.

Use MFT if you need both AS2 and SFTP

Some trading partners require a specific file transfer protocol for exchanging data. For example, some might prefer FTPS. Others will want to transfer files via SFTP. Others may still want to exchange EDI documents using AS2 or OFTP.

In cases wherein you have to exchange data with multiple trading partners, it would make more sense to use a managed file transfer (MFT) solution. An enterprise-class MFT solution like JSCAPE MFT Server or JSCAPE MFTaaS will readily support AS2 and SFTP, along with other file transfer protocols such as FTP/S, HTTP/S, OFTP, etc. Thus, an MFT solution will enable you to easily meet any interoperability requirement.

That’s not the only reason to use an MFT solution. A leading MFT solution like JSCAPE MFT Server is usually equipped with an array of security features that augment the built-in security functionality of secure file transfer protocols like AS2 and SFTP.

For instance, JSCAPE MFT Server also comes with strong authentication, data-at-rest encryption, data loss prevention (DLP), malware protection, high availability, and many more. A file transfer solution with extensive security capabilities will make it easier for you to meet stringent security policies and regulatory compliance requirements.

Lastly, a reputable MFT solution like JSCAPE will always include automation and integration functionality. These capabilities will enable you to streamline business processes through automated workflows that transfer data in response to certain conditions in real time. Unlike in the SFTP sample use case above, automation isn’t implemented through scripts but rather through an easy-to-use graphical user interface. Learn more by booking a free demo here.