SHA-2 and TLS Security for AS2 Transfers
It’s crucial for organizations to take the time to upgrade the security used to protect their AS2 data transfers. In order to be compliant with the latest security standards, you need to be using a modern AS2 solution.
Related Reading: AS2 Protocol Software for Client & Server Transfers
The Story of SHA-1
SHA-1 (Secure Hash Algorithm) is a cryptographic hash algorithm created by the NSA and published in 1995. SHA-1 takes a message of any length and produces a 160-bit message digest. The message digest verifies the integrity of the message by comparing the hash that was calculated before and after message transmission.
For example, the hash of a transmitted file is compared against the hash of the file before it was sent. If the hash values are the same, the file was not tampered with. If the hash values are different, the file was altered during transmission.
Over the years, attacks demonstrated that the security in SHA-1 is weaker than originally intended, thus a more secure SHA-2 standard was created.
What’s Up with SHA-2
SHA-2 is a family of hash functions with hash values of 224, 256, 384, or 512 bits. It was first published by the National Institute of Standards and Technology (NIST) as a U.S. federal standard (FIPS).
Due to the stronger hash algorithms in SHA-2, Federal agencies utilize it after being directed to stop using SHA-1. In fact, as of 2016, vendors widespread completed their migration to SHA-2 and many major organizations, like UPS, require their AS2 trading partners to use SHA-2.
Transport Layer Security (TLS) is a protocol that encrypts communications between client applications and servers. TLS is the successor to the Secure Sockets Layer (SSL) protocol version 3.0. It uses more advanced methods for message authentication, better alerting for problem certificates, and more robust cipher suites.
After the POODLE vulnerability was discovered in late 2014, companies that are still using SSL instead of TLS are leaving themselves open to man-in-the-middle exploits. The most recent version of SSL (3.0) has not been updated since 1996 and many modern web browsers no longer support it. Additionally, trading partners are demanding companies support TLS for AS2 transfers.
Related Reading: What is SSL, TLS, and HTTPS?
Achieve SHA-2 and TLS Security for AS2 Transfers with GoAnywhere MFT
Using a Drummond Certified solution, and requiring your trading partners do as well, alleviates the challenges of AS2 and ensures your transfers fully meet the latest security standards. For more information on AS2 support in GoAnywhere MFT, visit our AS2 Client and AS2 Server resources.