I'm using an Arduino Uno and an nRF8001 board from Adafruit to connect to an Android phone over Bluetooth. I will be using it to lock and unlock a lock and I need to make sure only verified devices are able to initiate the locking and unlocking. I've searched around a bunch and I'm having trouble finding a clear example of what I should do to verify the connecting device. Currently I have the Arduino hooked up to the lock and whenever the Android phone connects, it is allowed to lock and unlock.
I'm pretty new to cryptography and some guidance would be helpful. From what I've read, it sounds like MD5 hashing is both broken and not the correct solution for my problem. I've found SipHash and that seems to be the closest thing that I might need. The process I had in mind is as follows.
- Android tries to connect to the Arduino
- Arduino sees the request and sends a random string to the Android device
- The Android encrypts the string with a shared secret key and sends it back to the Arduino
- The Arduino decrypts the encrypted string and verifies it matches the original it sent. If it does, it goes ahead and connects/continues with locking or unlocking.
Am I on the right track with SipHash and the process above? Is there a better, more common way to do this? After searching around here I found some info here. It looks like I should worry about man-in-the-middle attacks and MAC spoofing. I would just check the MAC address as verification, but from what I remember, it is very easy to spoof MAC addresses. Any help would be appreciated.
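
The challenge-response steps listed in the question, sketched in C as an added example that is not part of the original post. It uses SipHash-2-4 as a keyed tag that both sides compute over the challenge, in place of the encrypt/decrypt wording in steps 3 and 4; `lock_t`, `lock_issue`, `phone_respond` and `lock_verify` are hypothetical names, and the caller is assumed to supply 8 unpredictable bytes for each challenge.

```c
#include <stddef.h>
#include <stdint.h>

#define ROTL(x, b) (((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND do { \
    v0 += v1; v1 = ROTL(v1, 13); v1 ^= v0; v0 = ROTL(v0, 32); \
    v2 += v3; v3 = ROTL(v3, 16); v3 ^= v2; \
    v0 += v3; v3 = ROTL(v3, 21); v3 ^= v0; \
    v2 += v1; v1 = ROTL(v1, 17); v1 ^= v2; v2 = ROTL(v2, 32); } while (0)

/* SipHash-2-4: 64-bit tag of msg under the 128-bit key (k0, k1). */
uint64_t siphash24(uint64_t k0, uint64_t k1, const uint8_t *msg, size_t len) {
    uint64_t v0 = 0x736f6d6570736575ULL ^ k0, v1 = 0x646f72616e646f6dULL ^ k1;
    uint64_t v2 = 0x6c7967656e657261ULL ^ k0, v3 = 0x7465646279746573ULL ^ k1;
    uint64_t m, b = (uint64_t)len << 56;
    size_t i, j;
    for (i = 0; i + 8 <= len; i += 8) {          /* full little-endian words */
        for (m = 0, j = 0; j < 8; j++) m |= (uint64_t)msg[i + j] << (8 * j);
        v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
    }
    for (j = 0; i + j < len; j++) b |= (uint64_t)msg[i + j] << (8 * j);
    v3 ^= b; SIPROUND; SIPROUND; v0 ^= b;         /* tail bytes plus length */
    v2 ^= 0xff; SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}

/* Lock state: shared key, outstanding challenge, single-use flag. */
typedef struct { uint64_t k0, k1; uint8_t chal[8]; int pending; } lock_t;

/* Step 2 (lock): store a fresh challenge; rnd must come from a real RNG. */
void lock_issue(lock_t *l, const uint8_t rnd[8]) {
    for (int i = 0; i < 8; i++) l->chal[i] = rnd[i];
    l->pending = 1;
}

/* Step 3 (phone): answer with a keyed tag over the challenge. */
uint64_t phone_respond(uint64_t k0, uint64_t k1, const uint8_t chal[8]) {
    return siphash24(k0, k1, chal, 8);
}

/* Step 4 (lock): recompute and compare; each challenge is accepted once. */
int lock_verify(lock_t *l, uint64_t tag) {
    if (!l->pending) return 0;
    l->pending = 0;                               /* consume: blocks replay */
    return (siphash24(l->k0, l->k1, l->chal, 8) ^ tag) == 0;
}
```

This proves possession of the key once, at connect time; it does not by itself protect the lock and unlock commands sent afterwards, which is the man-in-the-middle concern raised in the question.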