[Cryptography] How should we encrypt external mail attachments

[John Levine]

It appears that Michael Kjörling <michael at kjorling.se> said:
>> My question is what algorithms to use? The file can be anything up to
>> several gigabytes so they should be reasonably fast. It's OK if the hash
>> and key are fairly large, since a few hundred or even a few thousand
>> bytes in a mail message is not a big deal these days.
>
>Considering that e-mail itself is unauthenticated to begin with,

These days most mail has DKIM signatures, which are sufficient to
detect tampering between sender and recipient. Again, no reason to
reinvent it. If you really want to make it more strongly authenticated
we all know where to find PGP and S/MIME.

>body, is there any particular reason not to go with the simple
>solution of just about any cryptographic hash?

Like I eaid, I wanted to see if I was missing somehing.  Sounds like SHA-256 would be fine.
For encryption, I guess AES CBC, so what IV should I use?

Again, it makes sense to allow for algorithm rotation but since every 
recipient has to be prepared to handle every algorithm, there can't be
very many of them.

Re discussions of streaming and merkle trees and such, I would prefer to avoid mission
creep.  Nobody downloads parts of mail attachments now, so I am not inclined to try
and guess how they might perhaps want to do so at some future time.

R's,
John