Question:
silver
2011-05-11 21:07:41 UTC
How can public-key encryption be used to overcome the key distribution problem for a symmetric encryption algorithm?
Three answers:
Blackcompe
2011-05-11 21:42:47 UTC
A symmetric encryption algorithm (AES, DES) requires that a key be sent with the encrypted message. In a man-in-the-middle attack (e.g. someone on your wireless network uses a packet sniffer or your ISP copies your data en route from the sender), the encryption is useless if the key isn't encrypted. An attacker would simply run the publicly-known decryption algorithm with the key and message, and he has stolen your data.



The shared key must be kept private, but that's not going to suffice. And, we can't encrypt the shared key with a symmetric algorithm or else we'd keep recursing on ourselves. So it's encrypted with a public-key algorithm (RSA).



The sender encrypts the message using AES and generates the shared key. Then the sender will get the receiver's digital certificate (which can be retrieved from a certificate authority, such as VeriSign) and look up the receiver's public key. The sender will use the public key to encrypt the shared key and then send everything. The receiver has a private key which is used to decrypt the shared key. No one else has this shared key.



The sender can also hash everything and send the hash as a digital signature. The receiver will then re-hash (with the same algorithm - MD5, SHA) everything upon retrieval to tell if the data has been tampered with.



As long as the RSA algorithm uses big enough prime numbers in its algorithm, the encryption won't be broken, as there are no polynomial time algorithms to factor prime numbers, at least for non-quantum computers. You have to find the prime factors of a large ( > 100 digits) prime number to break the encryption. That large prime number is sent as a decryption parameter to the receiver.



All a man-in-the-middle attacker would have to do is sniff the packets, and try a brute-force integer factorization, but it would take centuries.
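
The scheme the answer above describes (a fresh symmetric key encrypts the message, the receiver's public key encrypts that key), as an added example that is not part of the original answers. It assumes only Python's standard library, so the RSA key is a toy built from two fixed Mersenne primes with no padding, a SHA-256 keystream stands in for AES, and an HMAC replaces the bare hash; `send` and `receive` are illustrative names.

```python
import hashlib, hmac, secrets

# Toy RSA key pair from two known Mersenne primes (assumption, so the example
# runs offline). Not secure: real keys use large random primes.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # receiver's public key: safe to publish
D = pow(E, -1, (P - 1) * (Q - 1))      # receiver's private exponent: never sent

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES-CTR: XOR data with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def _subkeys(session_key: bytes):
    """Derive separate encryption and MAC keys from the session key."""
    return (hashlib.sha256(b"enc" + session_key).digest(),
            hashlib.sha256(b"mac" + session_key).digest())

def send(plaintext: bytes, pub=(N, E)) -> dict:
    """Sender: encrypt with a fresh session key, wrap that key with RSA."""
    n, e = pub
    session_key = secrets.token_bytes(32)
    enc_key, mac_key = _subkeys(session_key)
    nonce = secrets.token_bytes(16)
    body = _keystream_xor(enc_key, nonce, plaintext)
    # Unpadded RSA for brevity; real systems wrap the key with RSA-OAEP.
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return {"wrapped_key": wrapped, "nonce": nonce, "body": body, "tag": tag}

def receive(msg: dict, priv=(N, D)) -> bytes:
    """Receiver: unwrap the session key, verify the tag, then decrypt."""
    n, d = priv
    k = pow(msg["wrapped_key"], d, n)
    if k >> 256:                       # not a 32-byte key: wrong key or tampering
        raise ValueError("could not unwrap session key")
    enc_key, mac_key = _subkeys(k.to_bytes(32, "big"))
    expected = hmac.new(mac_key, msg["nonce"] + msg["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, msg["tag"]):
        raise ValueError("message was modified in transit")
    return _keystream_xor(enc_key, msg["nonce"], msg["body"])
```

Only `wrapped_key`, `nonce`, `body` and `tag` cross the network; the session key itself never does.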
Light Cloud
2011-05-12 04:13:08 UTC
You can freely distribute your public key, and still be able to set up a secure communication channel.



Unlike symmetric encryption, which suffers from key distribution problems (you can't securely communicate unless both sides have a mutual secret key, but you can't give the other side a secret key because you don't have a secure communication channel), public-key encryption has a public-key used to encrypt the message, and a private key used to decrypt the message.



Thus, you can freely publicize the public key, and anyone can use it to encrypt the message. Once the message is encrypted, even the person that encrypted it cannot decrypt it. Only you, with the private key, can decrypt the message.



Currently, the most well-known public-key encryption method is RSA, which relies on modular arithmetic and the fact that it is believed to be very difficult to factor numbers into their prime factors.
2011-05-13 00:39:39 UTC
You publish your public key and keep your private key, no need to distribute it.

This way you don't have a distribution problem. You can post your public key on a website or email signature.

The best encryption tools for email are free, like PGP. Also email clients, like Thunderbird, are free, open-source and platform independent.

Installation and configuration are explained on howto sites like http://pgp.insidertopics.com/.



I hope that helps.


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.