The Internet of Things (IoT) is responsible for the secure transmission and storage of a large amount of sensitive information. Because IoT devices are resource-constrained, security primitives such as public-key algorithms and digital signatures, which incur expensive communication, execute slowly and need to store sensitive information, are not suitable for the authentication of lightweight IoT devices. This paper proposes a lightweight anonymous key-sharing security authentication protocol for IoT devices, which generates a shared key with a Physical Unclonable Function (PUF) and uses security primitives such as the MASK algorithm and a hash function. The security analysis and verification are carried out with BAN logic and ProVerif to prove that the protocol ensures security attributes such as anonymity, non-repudiation, and forward/backward confidentiality. Compared with other protocols, this protocol has low computing cost, small communication overhead and storage requirements, and high security performance, which makes it suitable for secure communication by resource-constrained devices.