To solve the security problems between the reader and the server of mobile Radio Frequency IDentification (RFID) caused by wireless transmission, a two-way authentication protocol based on pseudo-random function was provided. It satisfied the EPC Class-1 Generation-2 industry standards, and mutual certifications between tags, readers and servers were achieved. The security of this protocol was also proved by using GNY logic. It can effectively resist track, replay and synchronization attack etc.; simultaneously, its main calculations are transferred to the server, thereby reducing the calculations and cost of the tag.