Radio frequency identification (RFID) is a technique using radio frequency for object identification. It is regarded as one of the ten most important technologies of this century due to its celerity, real-time, veracity in collecting and processing information through unique identification. RFID can be widely used in manufacture, retail, logistics, transportation, medical treatment, national defence, etc. However, wireless transmission, broadcast of signals, resource-constraint, etc. bring some potential risks, which disturb the reliability of RFID system and block the deployment progress of RFID techniques. To prevent the security threats, based on the analysis of the security problem, two concepts of operation mode, the single session mode and the successive session mode, are proposed; and a Hash-based Security Authentication Protocol (HSAP) between tags and the back-end server for low-cost RFID system is designed. This protocol can prevent many security problems including spoofing attack, replay attack, tracking, as well as the problem of desynchronization. The formal proof of correctness of the proposed authentication protocol is given based on GNY logic. As only hash function and bitwise OR operation are required to be computed by tags, so the proposed strategy is very suitable for low-cost RFID system compared with previous works.