Is GPG my best method of signing files?
I'm working on large testing/simulation system that, amongst other responsibilities, must capture live data for later playback. We are looking at security for this system as a secondary measure (we don't think anyone will try to break it, a cracker can't do much harm if he does break it, but we want it secure anyways...so long as it doesn't cost too much time/money).
Due to the complexity of the capture file attempting to screen all the data contained within for data injection, buffer overflow etc would be difficult, so instead I'm proposing we sign capture files which we generate, then check the signature when playing captures back. If a capture file came from one of our system(s) we will assume it contains only valid data. We would only sign files, not encrypt, were relying on anonymization to protect secure data from the capture.
..now that I described my situation I have a few questions which I believe should be quick answers for security experts out there.
1) Is GPG the best system for this? I don't need anything too complicated; we don't even have network access so I don't care about a 'web of trust'. (we would probably leave it up to the sys-admin to install new keys when necessary, it’s not fancy but I only expect a grand total of two private keys, one for each of 2 systems, to every exist)
2) Are there any .SO out there for compiling GPG directly into a C/C++ application?
3) Can anyone give me an idea of the time frame it takes to encrypt/decrypt a large file with GPG?
4) Am I correct when I assume that checking a file signature would also check for file corruption in much the same way that using a MD5 checksum would?
5) Have I made any “god this man is an idiot” mistakes that would mean my purposed solution won’t even work ;)
All answers are appreciated. Thank you.