Is RSA-1024 Quantum Safe?
No. RSA-1024 is not quantum safe — and it is already considered insecure against classical attacks. It should be replaced immediately regardless of quantum threats.
Key Takeaway: RSA-1024 is NOT quantum safe. Urgent: replace immediately with at minimum RSA-2048 for classical security, then plan PQC migration to ML-KEM/ML-DSA.
Technical Analysis
RSA-1024 is NOT quantum safe and is already classically broken.

**How RSA-1024 Works:**

RSA-1024 uses the same RSA algorithm as RSA-2048 and RSA-4096 but with a 1024-bit modulus. This was the standard RSA key size in the 1990s and early 2000s, widely deployed in SSL/TLS certificates, email encryption (PGP, S/MIME), and VPN authentication. The smaller key size made RSA-1024 attractive when computational resources were limited — key generation and encryption operations are significantly faster than RSA-2048.

However, cryptanalytic advances and Moore's Law have rendered RSA-1024 insecure against well-resourced classical attackers. In 2010, researchers estimated that a coordinated effort with specialized hardware could factor a 1024-bit RSA key in approximately one year with a budget of several hundred million dollars. Nation-state adversaries and well-funded criminal organizations are presumed to have this capability.

**Quantum Vulnerability Explained:**

RSA-1024 is vulnerable to both classical and quantum attacks. Classically, the General Number Field Sieve (GNFS) can factor 1024-bit numbers with approximately 2^80 operations — still large, but within reach of determined attackers with specialized hardware (ASIC-based factoring engines or distributed computing clusters).

Quantum computers running Shor's algorithm could break RSA-1024 with approximately 2,000-5,000 logical qubits — roughly half the resources needed for RSA-2048. Some estimates suggest that near-term quantum computers (2025-2030 timeframe) might achieve sufficient qubit counts to threaten RSA-1024 before achieving RSA-2048 capability. This makes RSA-1024 the "first casualty" of quantum computing.

The dual vulnerability creates an urgent replacement mandate: RSA-1024 must be replaced not just for quantum threats, but for immediate classical security. Any system still using RSA-1024 in 2024-2025 is critically vulnerable.

**Migration Path:**

RSA-1024 requires immediate emergency replacement:

- **Short-term classical upgrade**: If PQC migration cannot be completed immediately, upgrade to RSA-2048 as an interim measure. While RSA-2048 is also quantum-vulnerable, it provides adequate classical security while PQC migration is planned.
- **Long-term PQC migration**: Replace RSA-1024 with ML-KEM (FIPS 203) for key exchange and ML-DSA (FIPS 204) for signatures. Do not stop at RSA-2048 — continue to full PQC migration.
- **Certificate replacement**: Revoke and reissue any X.509 certificates using RSA-1024 keys. Certificate authorities stopped issuing RSA-1024 certificates around 2013, but legacy certificates may still exist in internal PKI systems.
- **Legacy system remediation**: Embedded devices, industrial control systems (ICS/SCADA), and legacy network appliances may have hardcoded RSA-1024 keys. These systems require firmware updates or hardware replacement.

**Industries at Risk:**

Industrial control systems and critical infrastructure face significant RSA-1024 exposure because embedded controllers and SCADA systems deployed in the 2000s-2010s often use RSA-1024 for authentication. Power grids, water treatment facilities, and manufacturing plants may have equipment with 20-30 year operational lifetimes, creating long-tail RSA-1024 exposure. ICS-CERT advisories have warned about this for years.

Legacy financial systems including ATMs, point-of-sale terminals, and payment HSMs deployed before 2013 may still use RSA-1024. PCI-DSS banned RSA-1024 in 2013, but compliance audits occasionally find legacy deployments in production. A successful RSA-1024 break could enable transaction forgery, PIN extraction, and payment fraud.

Government and military systems with long upgrade cycles may retain RSA-1024 in classified networks, secure communications equipment, and cryptographic modules. The NSA deprecated RSA-1024 over a decade ago, but interoperability requirements with allied nations or legacy compatibility may have preserved some usage.

Embedded devices and IoT equipment (routers, network cameras, smart building systems) manufactured before 2015 frequently embed RSA-1024 keys in firmware. These devices often lack secure update mechanisms, creating permanent vulnerabilities.

**Timeline to Obsolescence:**

- **2010**: RSA-1024 considered weak against well-funded classical adversaries.
- **2013**: NIST formally deprecated RSA-1024 for federal use (NIST SP 800-131A). PCI-DSS banned RSA-1024 for payment systems.
- **2024-2025**: RSA-1024 is cryptographically broken. Immediate replacement required regardless of quantum threats.
- **Quantum timeline**: RSA-1024 will likely be the first RSA key size broken by quantum computers, potentially years before RSA-2048 becomes vulnerable.

Any system still using RSA-1024 should be treated as having no cryptographic protection. Immediate emergency remediation is required.

| Property | Value |
|---|---|
| Full Name | RSA with 1024-bit keys |
| Category | encryption |
| Key Size | 1024 bits |
| Quantum Vulnerability | Vulnerable to both classical factoring advances and Shor's algorithm. Already deprecated by NIST. |
| NIST Status | Already disallowed by NIST since 2013. Immediate replacement required. |
| Deprecation Timeline | Already disallowed (since 2013) |
| Replaced By | ML-KEM (FIPS 203) for key exchange, ML-DSA (FIPS 204) for signatures |

Migration Guidance
Urgent: replace immediately with at minimum RSA-2048 for classical security, then plan PQC migration to ML-KEM/ML-DSA.
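
Replacing legacy keys starts with finding the ones below the 2048-bit floor. The following is an added example, not code from the original page or from Qryptonic: a standard-library Python check that reads the RSA modulus size out of a PEM `PUBLIC KEY` block and maps it to the migration tiers described above. The function names, tier labels and the `sample_pem` generator (which builds structurally valid keys whose moduli are constructed, not real RSA moduli) are assumptions made for illustration.

```python
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki_der):
    """Modulus size of a SubjectPublicKeyInfo, or None when the key is not RSA."""
    _, spki, _ = read_tlv(spki_der)        # SEQUENCE SubjectPublicKeyInfo
    _, alg, pos = read_tlv(spki)           # SEQUENCE AlgorithmIdentifier
    if read_tlv(alg)[1] != RSA_OID:
        return None
    _, bitstr, _ = read_tlv(spki, pos)     # BIT STRING; first byte = unused bits
    _, rsa_key, _ = read_tlv(bitstr[1:])   # SEQUENCE RSAPublicKey
    return int.from_bytes(read_tlv(rsa_key)[1], "big").bit_length()  # INTEGER n

def classify(pem_text):
    """Map one 'PUBLIC KEY' PEM block to a migration tier (labels are illustrative)."""
    b64 = "".join(ln for ln in pem_text.splitlines() if not ln.startswith("-----"))
    bits = rsa_modulus_bits(base64.b64decode(b64))
    if bits is None:
        return "not-rsa"
    return "replace-now" if bits < 2048 else "interim-plan-pqc"

# Constructed sample input: valid DER structure, modulus is NOT a real RSA modulus.
def der_tlv(tag, body):
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_pem(bits):
    integer = lambda v: der_tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    key = der_tlv(0x30, integer((1 << (bits - 1)) | 1) + integer(65537))
    alg = der_tlv(0x30, der_tlv(0x06, RSA_OID) + der_tlv(0x05, b""))
    spki = der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + key))
    b64 = base64.encodebytes(spki).decode()
    return "-----BEGIN PUBLIC KEY-----\n" + b64 + "-----END PUBLIC KEY-----\n"

if __name__ == "__main__":
    print({s: classify(sample_pem(s)) for s in (1024, 2048)})
```

X.509 certificates carry the same SubjectPublicKeyInfo structure inside `tbsCertificate`, so the same modulus check applies once that field has been extracted.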
How Qryptonic Can Help
Don’t Know Where RSA-1024 Lives in Your Stack?
Qscout26 discovers every instance of RSA-1024 across your infrastructure in 7 days — with zero operational disruption. 72-hour time to first findings.