RFID technology has been applied to many business applications in the past few years. Its popularity lies in its support for automatic identification and its low cost. Most existing RFID security protocols use cryptography-based solutions that rely on hash functions and symmetric-key encryption, which incur high computational overhead and are thus unsuitable for passive RFID tags. In this paper, we present a lightweight secure reader-tag communication protocol that provides secure key lookup, key transportation, reader-tag mutual authentication, and data confidentiality without using traditional cryptography-based encryption or hash functions. Our approach is based on a lightweight exclusive-or (XOR) one-time pad and modulo addition on passive RFID tags and readers. Our security and performance analysis shows that the proposed solutions are suitable for low-power passive RFID tags.