Patent attributes
The public key of an RSA (asymmetric) software key pair is maintained confidentially on an authentication server, while the corresponding private key is maintained in encrypted, unstructured form on a mobile communication device (e.g. smartphone). The mobile device cannot verify locally whether a decrypted private key is correct, and a brute-force, dictionary, or other attack that yields the correct private key among many decrypted keys does not allow determining which private key is correct without access to the authentication server. A relatively long (128+ bit, e.g. 512-bit) public key exponent is used to make brute-force local verification of the private key impractical. The unstructured private key can secure other resources such as RSA keys used for digital signing. The enhanced security provided for the private key adds computational and logistical cost, but is of particular use if the mobile device controls access to external resources such as secure websites.
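A toy sketch of the scheme described above, added here as an illustration and not taken from the patent: the private exponent is stored as raw PIN-masked bytes, so every PIN decrypts to an equally plausible key, and only the server, which holds the 128-bit public exponent, can tell which one is right. The primes, the PBKDF2/XOR masking, the PINs, the assumption that the device holds the modulus, and all function names are constructed for this example; the parameters are far too small for real use.

```python
import hashlib
import secrets

# Constructed toy primes (Mersenne primes M61 and M89): far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, PHI = P * Q, (P - 1) * (Q - 1)
KEY_BITS = N.bit_length()            # 150
KEY_BYTES = (KEY_BITS + 7) // 8      # 19

def make_exponents():
    """Return (e, d): a random 128-bit public exponent and its private inverse."""
    while True:
        e = secrets.randbits(128) | (1 << 127) | 1
        try:
            return e, pow(e, -1, PHI)
        except ValueError:           # e shares a factor with PHI, draw again
            continue

def pin_mask(pin, salt):
    """PIN-derived mask (assumed scheme), truncated to the bit length of N."""
    stream = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 10_000, KEY_BYTES)
    return int.from_bytes(stream, "big") >> (8 * KEY_BYTES - KEY_BITS)

def wrap(d, pin, salt):
    """Store d as raw masked bytes: no header, padding, checksum or CRT values."""
    return (d ^ pin_mask(pin, salt)).to_bytes(KEY_BYTES, "big")

def unwrap(blob, pin, salt):
    """Every PIN yields some KEY_BITS-bit integer; nothing local marks the right one."""
    return int.from_bytes(blob, "big") ^ pin_mask(pin, salt)

def device_sign(challenge, d_candidate):
    """Assumption: the device holds N but not e, so it cannot check its own output."""
    return pow(challenge, d_candidate, N)

def server_verify(challenge, signature, e):
    """Only the server holds e, so only it can accept or reject a candidate key."""
    return pow(signature, e, N) == challenge

if __name__ == "__main__":
    e, d = make_exponents()
    salt = secrets.token_bytes(16)
    blob = wrap(d, "4921", salt)                     # constructed PIN
    for pin in ("4921", "0000", "1234"):
        sig = device_sign(0xC0FFEE, unwrap(blob, pin, salt))
        print(pin, "accepted" if server_verify(0xC0FFEE, sig, e) else "rejected")
```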