Abstract: For the access control of a tag’s privacy information and the privacy protection of a user’s identity in Mobile RFID systems in the internet of things, a security model called IB-AB-eCK is introduced, and an identity-based and attribute-based authenticated key exchange (IB-AB-AKE) protocol is proposed in this paper. Based on IB-AB-AKE protocol, an authenticated key exchange scheme is then established between mobile RFID phones and information servers of mobile RFID systems in the internet of things. The scheme not only preserves the identity privacy of the user of mobile RFID phone, but also completes the authentication and agrees upon a session key for the access to the tag’s information according to the owner’s access control policy. The analyses show that IB-AB-AKE protocol is secure in IB-AB-eCK model and it has advantages for communication round, communication traffic and computing complexity.