In traditional transportation, each driver usually relies on their experience to determine an appropriate route, which may shorten the driving time and transport cost. However, this may also lead to a waste of time in traffic jams or due to other problems. In recent years, by introducing Internet of Things technology into the transportation system, traffic condition data can be collected and analyzed in real-time, which makes it easier for drivers to choose appropriate routes. However, the transmitted data may be intercepted or falsified, especially in untrusted public communication channels. Some schemes have been proposed to protect personal data, while they are vulnerable to some known attacks. Therefore, we propose a mutual authentication scheme for session key agreement and information encryption before transmitting personal data. This scheme can correctly identify vehicles and information. The Burrows–Abadi–Needham logic proof and our security discussion demonstrate that this authentication scheme can resist the various known attacks, including de-synchronization, the replay attack and the reader lost attack, which is solved for the first time in this field. Compared with some typical schemes, the performance analysis shows that this new scheme realizes a balance between security and computing costs.