Just to blatantly steal Lucas's basic premise, which is excellent, and build a full narrative around it:
Symmetric cryptography is like a lockbox, such as a small fireproof safe. A key is required both to lock and to unlock the box, and the same key does both things. If you and I both had the key to one of these lockboxes, we could exchange secret messages or other valuable objects with each other, without anyone else being able to access whatever's in the box. We could even mail the box back and forth to each other, and nobody who handles the package in transit would be able to see what we're sending inside it.
However, what if you went out and bought a new lockbox, with two keys, and you needed to give me one of the keys to set up this method of exchanging messages? Well, one option is for us to meet in person and for you to physically hand me one of the keys. In computer parlance, that's an "offline key exchange", and it does happen in certain circumstances.
But what if I were on the other side of the world? It would be expensive, and impractical, for you to fly out to me, or vice versa, to physically exchange keys. Your only option is to mail me the key. But mailing me something in an ordinary envelope or box isn't secure; theoretically, someone could open the envelope or the box, get the key out, make a copy of it, then re-package the key and send it back on its way. Once that's been done, we're not the only two people that can see the contents of the lockbox that we'll be exchanging things in later, and so the keys, and the lockbox, aren't secure. And you can't send me the key in a lockbox, because then we're back to square one; I don't have the key to the lockbox that you'd use to send me the key to the lockbox.
So instead, I send you a padlock. The package containing the lock has my return address and a postmark from my local post office, and the padlock's engraved with my name, so you know it's from me. The padlock also has a serial number on it that was engraved by the store that sold me the lock, so if you had any doubts, you could call the store and they could verify that the padlock you got was given to me by them.
The padlock is open, and I'm the only one that has a key (or combination) for this padlock. You take your key to the lockbox, put it in a strong box with a latch and hasp, and then put my padlock on the latch to the box and close the lock. Once you have done this, I'm the only person that can open that lock, and the box you put it on, ever again. You mail me the box with the padlock on it, I get it, open the padlock with my key, and now I have the key to your lockbox, and I can still be confident that nobody else has a copy, because anyone who could intercept the package in transit would have to have the key to my padlock which I jealously guard. Even if they saw, and could examine, the padlock itself as it was being sent to you and then closed on the box, they wouldn't gain any information that would help them forge a key or guess the combination for it. Now that I have your lockbox key, we can use your lockbox to exchange further messages securely.
Now, we've conveniently ignored a few facts that would make these real-world analogies break down if applied one-for-one. Possibly the simplest is that the average $10 padlock is trivial for a skilled locksmith (or burglar) to pick, and also trivial for anyone to open with a pair of bolt cutters. Even $1000 safes won't resist being opened by a combination of these techniques for more than about 15 minutes. Locks and boxes that are secure and strong enough to resist these methods are too heavy to send back and forth in the mail.
In the digital world, making a cipher resistant to brute force (bolt cutters/drills) and cryptanalysis (lockpicking) is a concern, and algorithms are inspected in theoretical form and tested by professional cryptographers (and in the real world by hackers) constantly, but the equivalents of the locks and safes, the cipher algorithms, can be made extremely strong (brute forcing and lockpicking are so time-consuming as to be impractical), but very light (the data in encrypted form is not much larger than the original message), and very easy to close and open if you have the right key (fast execution of the algorithm), making them easy for the legitimate parties to the conversation to use. Ciphers are rated based on the time and/or space complexity of the best-known attack against them, which for most current ciphers is such a large power of two that without a shortcut, the cipher could not be cracked by at least the great-grandchildren of the attacker.
Another concern is that the safecracker might gain information we don't want him to know about the contents of the locked box, simply by picking it up and shaking it like a Christmas present. Or, the material the box is made from may not be completely opaque, allowing someone to get a general idea of what's in the box even if they can't see it clearly. There are equivalents in the digital world, usually considered weaknesses in the basic ciphering mechanism, that can be mitigated by using proper "padding". Much like a Christmas present, something properly padded inside its box will make little or no distinctive rattling when shaken. If the padding is thick and opaque enough and fills the entire box, the box could be made of Lexan and there would still be no useful clue about its actual contents. The digital equivalent of both of these is that with a properly padded encrypted message, close inspection of the encrypted data will be indistinguishable from random noise, with no pattern based on the underlying message data becoming apparent, or any repeating blocks of information giving the attacker any information about the true contents of the ciphertext.
Lastly, me sending you a padlock in the real world is susceptible to someone intercepting that padlock and then sending you their own padlock, making it look like it came from me, then intercepting the locked box on its return trip, unlocking it, copying the key, and relocking the box with the padlock I tried to send you in the first place, before sending it back on its way to me.
This, in digital form, is called a "man in the middle" attack and it is a genuine concern. It is generally mitigated or eliminated by the equivalent of including information about me and about the lock in a "certificate of authenticity", that is packaged along with the lock by the vendor that sold it to me, in an envelope with a unique wax seal that only that lock vendor has. You can read the certificate and be confident that the lock in your hands came directly from me. If you don't trust the lock vendor completely, their certificate also has information packaged in much the same way by the lock manufacturer, which you should be able to trust completely if you are to trust anything about this padlock system. In digital form, these "certificates of authenticity" are exactly that, and include a hash digest of the information in the certificate, which has been encrypted asymmetrically by the entity that gave me the certificate. Even I couldn't have encrypted that digest, because I don't know the private key the entity used to do so. You, however, can obtain a key to decrypt that digest, proving it was issued by the entity listed on the certificate, and then you can compute the hash of the certificate and verify it matches the one that had been encrypted, proving that the certificate wasn't tampered with.
