Cryptanalysis and improvement on anonymous three-factor authentication scheme for mobile networks

User authentication protocol is an important security mechanism for mobile networks. Recently, Wu et al. proposed a biometrics-based three-factor user authentication scheme using elliptic curve cryptography for mobile networks. However, in this paper, we find out that their scheme is vulnerable to the impersonation attack, because de/encryption key of the server and the user can be computed by an adversary. And then an improved three factor authentication scheme for mobile client-server networks is proposed to overcome the weakness. The proposed scheme uses a random nonce to decrypt and encrypt messages without using the server's public key for reducing computation cost and avoiding the key management problem, and it also achieves user's anonymity. In addition, we apply the pi calculus-based formal verification tool ProVerif for security evaluations, and compare our scheme with some related schemes to show that the proposed scheme is both secure and efficient. (C) 2016 Elsevier Ltd. All rights reserved.