Internet of Things is evolving from the theory into reality. It is increasingly embedded into our daily lives to provide critical services such as pervasive healthcare and intelligent transportation systems, for which our privacy and security highly rely on the proper functioning of the products. This paper proposes a lightweight session-key establishment protocol that provides fundamental protection for the sensitive information flow in the Internet of Things. The new session-key establishment scheme utilizes the fact that time synchronization is a standard service in most of the Internet of Things products, and relies on loose time synchronization information to achieve secure and fast key agreement. Compared to traditional session-key establishment methods such as the one used by Wi-Fi, the new scheme is more lightweight and also allows a faster session establishment which can be critical for real-time services.