4 files changed, 5 insertions, 3 deletions

diff --git a/doc/log.txt b/doc/log.txt
index df1274993..fce6ad0d1 100644
--- a/doc/log.txt
+++ b/doc/log.txt
@@ -1,5 +1,7 @@
 
 * 1.8.10-dev, ????-??-??
+ - Switch default PKCS #8 encryption algorithm from 3DES to AES-256
+ - Increase default hash iterations from 2048 to 10000 in PBES1 and PBES2
  - Enable the /proc-walking entropy source on NetBSD
  - Fix the doxygen makefile target
 
diff --git a/src/pbe/pbes1/pbes1.cpp b/src/pbe/pbes1/pbes1.cpp
index 21bd330ff..247df88d7 100644
--- a/src/pbe/pbes1/pbes1.cpp
+++ b/src/pbe/pbes1/pbes1.cpp
@@ -93,7 +93,7 @@ void PBE_PKCS5v15::set_key(const std::string& passphrase)
 */
 void PBE_PKCS5v15::new_params(RandomNumberGenerator& rng)
    {
-   iterations = 2048;
+   iterations = 10000;
    salt.create(8);
    rng.randomize(salt, salt.size());
    }
diff --git a/src/pbe/pbes2/pbes2.cpp b/src/pbe/pbes2/pbes2.cpp
index b7e2589d0..755f8a393 100644
--- a/src/pbe/pbes2/pbes2.cpp
+++ b/src/pbe/pbes2/pbes2.cpp
@@ -97,7 +97,7 @@ void PBE_PKCS5v20::set_key(const std::string& passphrase)
 */
 void PBE_PKCS5v20::new_params(RandomNumberGenerator& rng)
    {
-   iterations = 2048;
+   iterations = 10000;
    key_length = block_cipher->MAXIMUM_KEYLENGTH;
 
    salt.create(8);
diff --git a/src/pubkey/pk_codecs/pkcs8.cpp b/src/pubkey/pk_codecs/pkcs8.cpp
index 9ac890328..f4215b9a7 100644
--- a/src/pubkey/pk_codecs/pkcs8.cpp
+++ b/src/pubkey/pk_codecs/pkcs8.cpp
@@ -170,7 +170,7 @@ SecureVector<byte> BER_encode(const Private_Key& key,
                               const std::string& pass,
                               const std::string& pbe_algo)
    {
-   const std::string DEFAULT_PBE = "PBE-PKCS5v20(SHA-1,TripleDES/CBC)";
+   const std::string DEFAULT_PBE = "PBE-PKCS5v20(SHA-1,AES-256/CBC)";
 
    std::auto_ptr<PBE> pbe(get_pbe(((pbe_algo != "") ? pbe_algo : DEFAULT_PBE)));