diff --git a/model/group.go b/model/group.go
index d901b87..dd64182 100644
--- a/model/group.go
+++ b/model/group.go
@@ -83,10 +83,15 @@ func NewGroup(server string) (*Group, error) {
 	return group, nil
 }
 
+// CheckGroup returns true only if the ID of the group is cryptographically valid.
+func (g *Group) CheckGroup() bool {
+	return g.GroupID == deriveGroupID(g.GroupKey[:], g.GroupServer)
+}
+
 func deriveGroupID(groupKey []byte, serverHostname string) string {
 	data, _ := base32.StdEncoding.DecodeString(strings.ToUpper(serverHostname))
 	pubkey := data[0:ed25519.PublicKeySize]
-	return hex.EncodeToString(pbkdf2.Key(groupKey, pubkey, 4, 16, sha512.New))
+	return hex.EncodeToString(pbkdf2.Key(groupKey, pubkey, 4096, 16, sha512.New))
 }
 
 // Compromised should be called if we detect a a groupkey leak