@joncamfield
Last active March 23, 2023 12:48
A way to explain PGP (and/or public key crypto more broadly) using a hotel/apartment metaphor.

This is a draft!

Please give feedback, especially where the description is confusing or breaks the mental model of a hotel/apartment setup. As written, this is meant for fellow digisec trainers to leverage in their explanations, and is not (yet) a document to help people learning PGP by themselves.

There are a ton of ways people have described PGP specifically and public key cryptography more generally - from mixing paint (http://gizmodo.com/5888567/how-to-understand-encryption-using-paint-and-clocks, http://maths.straylight.co.uk/archives/108) to magic lock-boxes and Romeo and Juliet (https://www.level-up.cc/leading-trainings/training-curriculum/activity/love-story). I present another, which uses the experience of a hotel (or, alternatively, apartment buildings with front desk staff) as an analogy which can stretch to cover not just cryptography, but also digital signatures. This is written to explain PGP, but could be adapted for S/MIME and other public key crypto approaches.

The PGP Hotel

You and your friend are attending an event and staying at different hotels - you're at the Hilliot and she's at the Marilton. You're trying to deliver a message, so let's review how you might do this.

Call Your hotel's Front Desk (Normal Email)

Without knowing much other than your friend's name (Alice) and the hotel she's staying at, you could call the front desk of your hotel (the Hilliot), and ask them to call Alice's hotel (the Marilton) and pass along the message. This is (almost exactly) how email works today. Of course, now the front desks at both the Hilliot and the Marilton know your message, and it's possible they used a courier to send it over, who also knows it. If your message is totally innocent, this may be acceptable to you - it's certainly very easy.

Directly call their hotel's Front Desk (Internal or "TLS" protected email e.g. gmail-to-gmail, internal emails)

If you happen to be staying in the same hotel, you could simplify this a lot - only the front desk would know, with no risk of a random courier or other hotel staff also knowing the message. This is more akin to emailing within your own company, or from one gmail account to another.

Delivering the message securely (PGP or S/MIME)

Of course, if the message is more sensitive, you want to have even more control over who has access to it... If you know the room number of whoever you want to send a message to, you can physically go to that room and slide the message under the door. In this case, you have to know not only Alice@Marilton, but also another piece of information - her room number.

Room Numbers and Keys (Encrypting the message)

Now, Alice can give this room number out to anyone; it's not sensitive in any way. Knowing that number doesn't give anyone access to her room - only Alice has the key to open the door itself and get in the room.

In PGP-land, the room number is akin to your public key - you can share it widely. The key to the door itself is your "private key" - it's important to keep this secure, and have an equally secure backup, but you should never share it.

By knowing this room number and slipping your message under the door, you have securely delivered a message to Alice.

Messages from under the door (Message Signing)

It's important to note that as of now, Alice has received a very secure message - she sees the message at her door and knows that only she has the key to get inside the door. While you may have put your name on the message, Alice doesn't know for sure who sent it.

The specific physics gets a bit unwieldy here, but let's consider what happens if you're standing outside Alice's room and you see a message pushed out from under the door. The message is just sitting there in the open hallway, so anyone could read it, but you'd know that only the person who has the key to that room could have pushed that message out.

In PGP-land, this is message signing - to make sense of it, you have to know both the sender's identity (Alice@Marilton) and their room number (their public key) to know that it came from them.

You can sign a message to guarantee its authenticity without encrypting it, and you can encrypt it without signing it. You can also of course encrypt and sign.

Quick review

  • What do you need to send an encrypted message to Alice? (Alice's Name, Hotel, Room number == email address, public key) Discuss: What /don't/ you need? (You don't need Alice's key, you don't even need your own hotel room/number/key!!)
  • What does Alice need to send you an encrypted message? (same)
  • How can Alice prove the message came from you? What information would she need? (Your Name, Hotel, Room number == email address, public key) Discuss: What /doesn't/ Alice need? She does not need a hotel room/number/key herself!
  • How can you prove the message came from Alice? What information would you need? (Alice's Name, Hotel, Room number == email address, public key)
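
The review answers above, worked through as an added example (not part of the original gist): textbook RSA on small constructed primes stands in for PGP's real machinery, to show which key each operation needs. The function names and the "stranger" key are hypothetical, and the scheme is unpadded and far too weak for real use.

```python
# Toy model: textbook RSA on constructed Mersenne primes, no padding.
# It mirrors the metaphor only; never use it to protect real messages.
import hashlib

E = 65537  # public exponent used by both toy keys

def make_keypair(p, q):
    """Return (public, private): the room number and the room key."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def encrypt(message, recipient_public):
    """Slide a note under the door: needs only the recipient's public key."""
    n, e = recipient_public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)

def decrypt(ciphertext, private):
    """Open the door: needs the private key."""
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private):
    """Push a note out from under the door: needs the private key."""
    n, d = private
    return pow(digest(message, n), d, n)

def verify(message, signature, signer_public):
    """Check which door the note came from: needs only the public key."""
    n, e = signer_public
    return pow(signature, e, n) == digest(message, n)

# Constructed sample keys (hypothetical parties).
ALICE_PUB, ALICE_PRIV = make_keypair(2**89 - 1, 2**107 - 1)
STRANGER_PUB, STRANGER_PRIV = make_keypair(2**61 - 1, 2**127 - 1)

note = b"Meet at 7pm"
sealed = encrypt(note, ALICE_PUB)      # the sender used no key of their own
reply = b"See you then"
alice_sig = sign(reply, ALICE_PRIV)    # anyone can check it with ALICE_PUB

if __name__ == "__main__":
    print(decrypt(sealed, ALICE_PRIV), verify(reply, alice_sig, ALICE_PUB))
```

Note that `sealed` carries no proof of who wrote it, which is the gap the signing section describes; real PGP also encrypts the message with a one-time session key and uses the public key only to protect that session key.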

Unsolved challenges

Endpoint Security

Anyone who can break into the room has a chance at accessing the message -- don't share your room key or open the door to strangers.

PGP-encrypted emails by default are stored encrypted even on your laptop, but if someone has ongoing access, they can capture your PGP password and use that to decrypt the message! The best way to defend against this is to make sure you keep your system up to date, keep an anti-virus system running and updated, and most importantly don't click on weird links or download unexpected attachments!

Meta-data

None of this prevents the hotels and even people on the street from tracking you coming in and out of the hotel. Who you're communicating with, and how often you're doing so, are not protected by this. Importantly, PGP specifically does not hide the subject of your email, so it's important to choose something that does not reveal any risky or sensitive content.

Advanced PGP topics using the same metaphor collection

Key Exchange

If you think of the hotel more like an apartment building, it could even be listed on a public directory. In PGP-land, these are key servers. Now, anyone could go and post a fake listing on the directory, so it's best to not just refer to that listing, but to also confirm it directly with the person.

Web of Trust

If you really want to get crazy, you can apply the same concepts of "message signing" to the public directory. You can "sign" other people's keys and post your signature publicly, to help others choose the correct information on a public directory.

@seamustuohy

My thoughts are almost entirely about how the narrative could be tweaked to make the metaphor a bit smoother. But, as it is, everything in your metaphor works.

First thought is that you should add some narrative elements to make it a more interesting storytelling experience for the listener and avoid the possibility of falling prey to participant heckling about "why you should have just planned ahead" or other jokes that can derail the lesson for other listeners.

I would change the context from attending an event to a child moving into a new neighborhood that has apartment buildings and meeting a new friend on the playground. All the same properties apply if you give them doormen and it makes the key-exchange note in advanced PGP topics work because the child can find the apartment number by looking at the last names on the mailboxes, but be unable to get into the building because it requires some sort of key/card to get in the elevator.

If you want to continue with the hotel narrative, I would add a foil to the opening narrative that provides a reason why you don't know the room number. e.g. Traveling separately, accidentally booked the wrong hotel, whatever.

I would add an initial caveat that lets the audience know that we are not to think about technical surveillance during this presentation. Because PGP is a communications security tool the participants who are primed for the training might start to question the security of the phone call as well. This opens the lesson up to people making the metaphor more complex than it is. I don't have a good solution, but some thoughts are that it could either be done in the narrative (They have direct lines to each other's hotel), through a spherical cow (let's assume perfect security on all technology for the moment), or by including an adversary that has limited capabilities (Your third friend you are trying to plan around who may sit by the desk waiting to overhear phone conversations, or may try to look over the shoulder of the courier, or bribe someone at your hotel to give them the message, to send false messages to exclude one of you, etc.) The use of children makes the capabilities of the adversary limited by default (a neighborhood bully, an annoying little brother, etc.)

I would introduce the "Alice@Marilton" at the very beginning. If we were doing this in a training I would white-board it out alongside the intro to make the connection between hotel and service provider very clear.

I think Alice should affix a sign to the inside of her window facing outward to avoid the physics problem. This way it is a public message, but it has the same properties as the note slid from under her door. If you do the kids & apartment one this also makes a lot of sense because they would not be able to get to the actual apartment number, but they might be able to see each other's windows from across the apartment complex. It also offers a possible cute element to the eventual animated version where you get close-up shots of each child counting up and over the windows to find their friend's apartment across the way.

@src-ry

src-ry commented Mar 23, 2023

Nice explanation! 👍