In SRP, why must the client send the A number before the server sends the B number?

Çağlar Arlı

In SRP, an authentication exchange starts with the client and server generating nonces a and b, and sending their public variants (A = g^a % N and B = (v + g^b) % N) to the other party. However, reading RFC 2945, it is quite adamant that:

The host MUST send B after receiving A from the client, never before.

I'm struggling to understand why this is, and as far as I can tell, the RFC doesn't explain the requirement further.

Since a and A are effectively just random numbers, sending A before receiving the B number doesn't impose any onerous requirement on the client. If, as a malicious client, I wanted to get a thousand B numbers from the server, I'd just send a thousand A numbers and it wouldn't cost me anything of note. And even if I did, I can't see what I would gain from it.

Is there an explanation for this requirement?
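
The message order the question describes, with a host that refuses to release B until A has arrived, as an added example that is not part of the original post. The modulus, generator, class and function names and the sample credentials are assumptions chosen for the demo; the A == 0 (mod N) check is a standard SRP safeguard rather than something stated in the question.

```python
import hashlib
import secrets

# Demo parameters (assumption): 2**127 - 1 is prime but far too small and not a
# safe prime; real deployments use a large standardized safe-prime group.
N = 2**127 - 1
g = 3

def H(*parts: bytes) -> bytes:
    return hashlib.sha1(b"".join(parts)).digest()  # RFC 2945 uses SHA-1

def to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")

def private_x(salt: bytes, user: bytes, password: bytes) -> int:
    # x = SHA(salt | SHA(user ":" password))
    return int.from_bytes(H(salt, H(user + b":" + password)), "big")

def scrambler(B: int) -> int:
    # u = first 32 bits of SHA(B), most significant byte first
    return int.from_bytes(H(to_bytes(B))[:4], "big")

class Host:
    """Server side of the exchange; hands out B only after A has arrived."""
    def __init__(self, v: int):
        self.v, self.A, self.B = v, None, None
        self.b = secrets.randbelow(N - 2) + 1      # private nonce b

    def receive_A(self, A: int) -> None:
        if A % N == 0:
            raise ValueError("A == 0 (mod N): abort the handshake")
        self.A = A

    def send_B(self) -> int:
        if self.A is None:                         # enforce "never before"
            raise RuntimeError("B requested before A was received")
        self.B = (self.v + pow(g, self.b, N)) % N  # B = (v + g^b) % N
        return self.B

    def session_secret(self) -> int:               # S = (A * v^u)^b % N
        return pow(self.A * pow(self.v, scrambler(self.B), N), self.b, N)

def client_secret(a: int, B: int, x: int) -> int:  # S = (B - g^x)^(a + u*x) % N
    return pow((B - pow(g, x, N)) % N, a + scrambler(B) * x, N)

def run_exchange(salt=b"constructed-salt", user=b"alice", password=b"pw"):
    x = private_x(salt, user, password)
    host = Host(v=pow(g, x, N))                    # verifier stored at enrollment
    a = secrets.randbelow(N - 2) + 1               # private nonce a
    host.receive_A(pow(g, a, N))                   # message 1: client -> host, A
    B = host.send_B()                              # message 2: host -> client, B
    return client_secret(a, B, x), host.session_secret()
```

Both sides arrive at the same S only when the client knows the password behind v; calling `send_B()` on a fresh `Host` raises instead of revealing B.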