Are there any security measures that are resistant to a brute force attack?

Question

I'm not talking in particular about encryption, but security as a whole. Are there any security measures that can be put in place to protect data and/or a system that can withstand even a hypothetical amount of resources being pitted against it over a hypothetical amount of time?

I think the answer is no, but I thought I'd double check before saying this out loud to people because I'm no security expert.

UPDATE: I should point out, I'm not asking this because I need to implement something. It's idle curiosity. I should also mention that I'm ok dealing with hypotheticals here. Feel free to bring things like quantum computing into the equation if there's any relevance.

Answer 1

The One-time pad is such an encryption technique: it's fundamentally secure against brute force, in other words, information-theoretically secure. If you don't have the key, it cannot be "broken" regardless of what computation power you throw at it. The trick is that it's impossible to distinguish the correct answer from all other possible answers, because every answer is equally likely.

Read more on Wikipedia

Unfortunately the one-time pad is almost useless in practice, because the key must be as long as your plaintext, the key may never be re-used, and it has to be random. All of this means that you can't derive the key from a memorable password, so you need a secure storage method for the key itself. But if you can already secure a massive key, you might as well put your plaintext there without encryption.

Answer 2

The first thing that comes to mind is shutting down access (at least for some time) after a number of failed attempts. Such as a bank card becoming invalid after the wrong PIN has been used a couple of times, or a phone that deletes its own data after you fail to unlock it repeatedly.

Of course, this will not work with files, that the attacker can make copies of on his own machine.

Answer 3

First of all, you'd be better off trying this on ITsec.SE.

Now, to answer your question:
Yes, of course there are.

Brute force attacks can accomplish two things: "guessing" some sort of secret (e.g. password, encryption key, etc), and overwhelming resources (i.e. flooding, or Denial of service - DoS).

Any countermeasures aimed at preventing any other form of attack, would be irrelevant to bruteforce.

For example, take the standard reccomendations to protect against SQL Injection: input validation, stored procedures (or parameterized queries), command/parameter objects, and the like.
What would you try to bruteforce here? If code was written correctly, there is no "secret" to guess.

Now, if you're asking, "How to prevent brute force attacks?", well the answer would depend on what the attacker is trying to brute force.
Assuming that we're talking about bruteforcing a password / login screen, there several options: strong password policy (to make it harder), account lockout (to limit rate of bruteforce attempts), throttling (again limits the attempt rate), and more.

Answer 4

ideally no , but typically in a solution you provide , an additional step can be introduced, the data that can be subjected to direct brute force can be obfuscated to make it tough to or meaningless

for ex: a password that is encrypted and being sent over wire can be subjected brute force but if its obfuscated by transforming it into some form and then sent over wire then even brute force may not help unless the attacker knows the transforming functions too

Answer 5

You can always try to look for repeated / large volume attempts (to log in for example) and ban the source (IP) temporarily or even permanently.

Talking about a distributed attack it's much more difficult of course, but you can still issue mass temporary bans and scale services down for unknown users.

I'm not sure if there's any silver bullet, just be creative :) Having a home brewn solution will probably make your chances better as there are no known exploits.