Message authentication
The fact that you don’t need to meet with your contacts to send secret stego messages is both a strength and a weakness. If an adversary were to discover your steg file, they could replace it with one of their own containing false information in a bid to trap you or your contacts.
For this reason, consider using the command line utility gpg to digitally sign any messages you send. This utility is traditionally used for encrypting data – files are encoded with a “public” key which you make available to everyone and decoded by a separate “private” key which never leaves your computer.
The process, however, can work in reverse, whereby you encode a file with your private key. This offers no security in terms of reading the data, as anyone in possession of your public key can read the file, but it does allow them to be sure it was you who sent a message.
Full instructions for using gpg, which comes preinstalled in Linux, can be found at www.gnupg.org/documentation/manpage.html. Any attempt to alter the contents of the file will result in a ‘bad’ signature.
Whenever you tell gpg to sign a file it will create a new file with the extension .asc, which you can then hide inside a container file using Outguess. This works for all kinds of files. When your contact receives the signed .asc file, ask them to run the command:
    gpg --output filename.jpg --decrypt filename.jpg.asc
where filename.jpg.asc is the extracted file.
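The sign-and-verify round trip described above, as an added example that is not part of the original article and assumes GnuPG 2.1 or later. It goes one step further than the text: gpg reports a good signature for any key in the recipient's keyring, so the check pins the sender's fingerprint. The identities alice, bob and mallory, the file names and the messages are constructed for the demo.

```sh
#!/bin/sh
# Added example; every name, file and message below is constructed for the demo.
new_identity() {  # $1 = keyring dir, $2 = user ID: unprotected throwaway signing key
  mkdir -p "$1" && chmod 700 "$1" &&
  gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$2" ed25519 sign never >/dev/null
}
fingerprint() {   # $1 = keyring dir: print the fingerprint of its first key
  gpg --homedir "$1" --batch --with-colons --list-keys |
    awk -F: '$1 == "fpr" { print $10; exit }'
}
share_pubkey() {  # $1 = source keyring, $2 = destination keyring
  gpg --homedir "$1" --batch --armor --export |
    gpg --homedir "$2" --batch --quiet --import
}
sign_file() {     # $1 = keyring dir, $2 = file: writes the armored, signed $2.asc
  gpg --homedir "$1" --batch --yes --quiet --armor --sign "$2"
}

verify_from() {   # $1 = keyring, $2 = expected fingerprint, $3 = .asc, $4 = output
  status=$(gpg --homedir "$1" --batch --yes --status-fd 1 \
               --output "$4" --decrypt "$3" 2>/dev/null) || true
  case "$status" in *"[GNUPG:] VALIDSIG $2 "*) return 0 ;; esac
  rm -f "$4"      # discard output that the expected key did not sign
  return 1
}

demo() {          # prints "genuine=<result> forged=<result>"
  d=$(mktemp -d) || return 1
  new_identity "$d/alice" "Alice <alice@example.invalid>" || return 1
  new_identity "$d/mallory" "Mallory <mallory@example.invalid>" || return 1
  mkdir -m 700 "$d/bob"
  # bob's keyring holds both public keys, so gpg alone would accept either signer
  for k in alice mallory; do share_pubkey "$d/$k" "$d/bob" 2>/dev/null; done
  fpr=$(fingerprint "$d/alice" 2>/dev/null)  # bob learns this from alice out of band
  echo "meet at noon" > "$d/real.txt"; sign_file "$d/alice" "$d/real.txt"
  echo "meet at dawn" > "$d/fake.txt"; sign_file "$d/mallory" "$d/fake.txt"
  g=rejected; f=rejected
  verify_from "$d/bob" "$fpr" "$d/real.txt.asc" "$d/out1" && g=accepted
  verify_from "$d/bob" "$fpr" "$d/fake.txt.asc" "$d/out2" && f=accepted
  for h in alice mallory bob; do gpgconf --homedir "$d/$h" --kill all 2>/dev/null || true; done
  rm -rf "$d"
  echo "genuine=$g forged=$f"
}

demo
```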