Ok, so for fun I am coding a messenger program in Java. Fun right? 🙂
I wanted to create a messenger that worked between two PCs that didn’t have to consult anyone else and you just input the IP you wish to chat with. Later I would implement a user name system where you contact the server to find out their IP.
I got the AES and RSA working perfectly and then I realized that a man-in-the-middle attack is possible when you do the public private key exchange. This kinda makes me angry…
Is there any solution to a man in the middle attack other than using a CA or having a server exchange user names and/or public private key info?
Are there any programs already made like this that I can look to?
Thanks guys!
Please note: Goal is to have secure peer to peer communication without a server. Also no vulnerabilities like man in the middle.
Basically you are asking for too much. Public keys are secure if you use them correctly. If you do a “public private key exchange” that sounds insecure. Private keys never leave the host they are generated at.
Public keys are public and just bytes. It’s a pair of numbers!! No other information. So here you need to choose:
You might want to learn how PGP and Web of Trust work. With WOT you can make a pretty good secure P2P chat in a social network fashion. Basically, you can still never join a P2P chat for the first time by typing an IP address, but after you do some initial work you can get a good result.
First, obtain someone’s public key: meet him/her. By then, you can authenticate that party and he can authenticate you without possibility of attacks.
Phase 2 consists of building a trust chain. I’ll explain that in social networking terms. You are party A, you met party B. You know each other. B knows C, D, E and later you meet F who is not known by B.
Ask B who his friends are (and get their public keys), you get to know C, D and E and you can contact them by then. Tell B you know F and he can contact them.
You might want to tell F about C, D and E that you know via A. This is very sensitive, because if the process is repeated indiscriminately a bad guy can easily enter the network. If you limit your trust to the “friends of friends” or up to a certain degree of indirect knowledge you can balance security.
I proposed this approach to you because you said you are doing this for fun and you are not in a business scenario!!
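The friend-of-friend limit described in the answer above, as an added Java sketch that is not code from either poster. It assumes an introduction is an RSA signature over the friend's encoded public key; the class name, method names and `MAX_HOPS` value are hypothetical.

```java
import java.security.*;
import java.util.*;

public class TrustStore {
    static final int MAX_HOPS = 1;  // assumption: 0 = met in person, 1 = friend of a friend
    private final Map<String, Integer> hops = new HashMap<>();  // key id -> distance from us

    static String id(PublicKey k) {
        return Base64.getEncoder().encodeToString(k.getEncoded());
    }

    // A key checked face to face is the root of the chain (distance 0).
    void addMetInPerson(PublicKey k) { hops.put(id(k), 0); }

    // An introducer vouches for a friend by signing the friend's encoded public key.
    static byte[] vouch(PrivateKey introducer, PublicKey friend) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(introducer);
        s.update(friend.getEncoded());
        return s.sign();
    }

    // Accept only if the introducer is already trusted, the hop limit holds,
    // and the signature really covers this exact key.
    boolean accept(PublicKey introducer, PublicKey friend, byte[] sig) throws GeneralSecurityException {
        Integer d = hops.get(id(introducer));
        if (d == null || d + 1 > MAX_HOPS) return false;
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(introducer);
        s.update(friend.getEncoded());
        if (!s.verify(sig)) return false;
        hops.merge(id(friend), d + 1, Integer::min);
        return true;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair b = g.generateKeyPair(), c = g.generateKeyPair(),
                far = g.generateKeyPair(), m = g.generateKeyPair();  // constructed demo keys
        TrustStore a = new TrustStore();      // we are party A
        a.addMetInPerson(b.getPublic());      // A met B and checked B's key directly
        byte[] bForC = vouch(b.getPrivate(), c.getPublic());
        System.out.println("B introduces C: " + a.accept(b.getPublic(), c.getPublic(), bForC));
        System.out.println("B's signature reused for another key: " + a.accept(b.getPublic(), m.getPublic(), bForC));
        System.out.println("Unknown party vouches for itself: "
                + a.accept(m.getPublic(), m.getPublic(), vouch(m.getPrivate(), m.getPublic())));
        System.out.println("C introduces someone beyond the limit: "
                + a.accept(c.getPublic(), far.getPublic(), vouch(c.getPrivate(), far.getPublic())));
    }
}
```

Raising `MAX_HOPS` widens the network a single careless introducer can pull in, which is the trade-off the answer points to.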