In pervasive computing environments,users can get services anytime and anywhere,but the ubiquity and mobility of the environments bring new security challenges.The user and the service provider do not know each other in advance,they should mutually authenticate each other.The service provider prefers to authenticate the user based on his identity while the user tends to stay anonymous.Privacy and security are two important but seemingly contradictory objectives.As a result,a user prefers not to expose any sensitive information to the service provider such as his physical location,ID and so on when being authenticated.In this paper,a highly flexible mutual authentication and key establishment protocol scheme based on biometric encryption and Diffie-Hellman key exchange to secure interactions between a user and a service provider is proposed.Not only can a user’s anonymous authentication be achieved,but also the public key cryptography operations can be reduced by adopting this scheme.Different access control policies for different services are enabled by using biometric encryption technique.The correctness of the proposed authentication and key establishment protocol is formally verified based on SVO logic. In pervasive computing environments, users can get services anytime and anywhere, but the ubiquity and mobility of the environments bring new security challenges.The user and the service provider do not know each other in advance, they should mutually authenticate each other. The service provider prefers to authenticate the user based on his identity while the user tends to stay anonymous.Privacy and security are two important but seemingly contradictory objectives.As a result, a user prefers not to expose any sensitive information to the service provider such as his physical location , ID and so on when being being authenticated.In this paper, a highly flexible mutual authentication and key establishment protocol scheme based on biometric encryption and Diffie-Hellman key exchange to secure interactions between a user and a service provider is proposed. Not only can a user’s anonymous authentication be achieved, but also the public key cryptography operations can be reduced by adopting this scheme.Di fferent access control policies for different services are enabled by using biometric encryption technique. The correctness of the proposed authentication and key establishment protocol is formally verified based on SVO logic.