I have a mobile application where I would like to store private keys securely. The security requirement implies that it should be very hard for attackers to be able to obtain the private key even if they had unlimited access to the mobile device. In order to achieve this level of security, the application employs symmetric cryptography with a key derived from a passphrase specified by the user and a salt specific to the device.
Ideally, this should be secure enough against a brute-force attack; however, there are two limiting factors:
Since the private key must conform to a certain format, the decryption process can test the result of the process to see if it is valid or not. For example, if the private key was to be an RSA private key, the attacker would try various combinations of the passphrase and test to see if he can use the resulting plaintext as a valid RSA private key. Since the RSA private key must encode certain information in a certain way, if the decryption failed, the RSA engine would signal that the key is not valid. This gives the attacker a totally offline way of verifying his attacks. Preferably, the attacker should not be able to tell, without communicating with a server, if his decryption attempt was successful or not.
Since the application runs on a mobile device, the increased complexity of the Key Derivation Function does not help with Key Strengthening since an offline attack that has full access to the mobile device would presumably be undertaken on a more capable device with richer resources. In short, any increase in the number of rounds of calculation of the key derivation function would slow down the user experience (which is acceptable to a certain limit) but would be immediately thwarted if the attack were to be performed on a desktop computer.
Could anybody offer me a solution to these problems? Specifically, does anybody know an asymmetric cryptography algorithm where the private key can be any random byte sequence (it could be a fixed-length sequence, that doesn't matter), and the algorithm would still be able to produce ciphertext?
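To make the first limiting factor concrete, here is an added Go example (not code from the question's author): it encrypts an RSA private key and a 32-byte X25519 private key under a passphrase-derived AES-CTR key, then decrypts both with a wrong passphrase. Parsing the RSA result as PKCS#1 DER fails, which is exactly the offline confirmation the post describes, whereas X25519 accepts any 32-byte string as a private key, so a wrong guess yields a key that looks as valid as the right one. The passphrases, salt, the SHA-256 stand-in for a real KDF and the X25519 key bytes are constructed for this demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// CTR runs AES-256-CTR; the same call encrypts and decrypts. CTR adds neither padding
// nor an authentication tag, so a wrong key silently yields different bytes, not an error.
func CTR(key, iv, in []byte) []byte {
	block, _ := aes.NewCipher(key) // keys here are always 32 bytes, so this cannot fail
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// RSAKeyParses is the offline check the question describes: PKCS#1 DER structure tells the attacker whether a guess was right.
func RSAKeyParses(b []byte) bool { _, err := x509.ParsePKCS1PrivateKey(b); return err == nil }

// X25519KeyParses accepts any 32-byte string, so this check can reject no candidate passphrase.
func X25519KeyParses(b []byte) bool { _, err := ecdh.X25519().NewPrivateKey(b); return err == nil }

// Oracle encrypts an RSA key and an X25519 key, decrypts with the right and a wrong
// passphrase, and reports whether each result passes its format check.
func Oracle() (rsaRight, rsaWrong, xRight, xWrong bool, err error) {
	// Plain SHA-256 of passphrase|salt stands in for a real KDF (PBKDF2, scrypt, Argon2); constructed values.
	r, w := sha256.Sum256([]byte("correct passphrase|device-salt")), sha256.Sum256([]byte("wrong guess|device-salt"))
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	xPriv := sha256.Sum256([]byte("constructed X25519 private key")) // any 32 bytes is a valid X25519 private key
	plain := append(x509.MarshalPKCS1PrivateKey(rsaKey), xPriv[:]...)
	iv := make([]byte, aes.BlockSize) // zero IV is acceptable only because this key encrypts exactly one message
	ct := CTR(r[:], iv, plain)
	good, bad, n := CTR(r[:], iv, ct), CTR(w[:], iv, ct), len(plain)-32
	return RSAKeyParses(good[:n]), RSAKeyParses(bad[:n]), X25519KeyParses(good[n:]), X25519KeyParses(bad[n:]), nil
}

func main() {
	fmt.Println(Oracle()) // true false true true <nil>
}
```

Note that the example deliberately uses CTR: an authenticated mode such as AES-GCM, or a MAC over the ciphertext, would hand the attacker the same offline check through its tag, and block-cipher padding would do so through padding errors.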