You don't just need to use cryptography, you need a cryptographic protocol that is secure. For instance you probably want to be secure against a "replay attack" where the attacker eavesdrops one of your sessions and then just replays the server-side responses - if you haven't made provision to prevent this it won't matter if you use encryption or not. (And the attacker doesn't have to know anything about your system, just try the replayed session).
First though you need to make a realistic assessment of your "threat model" - what kind of attacker is there likely to be and what might they be able to do - they make sure you've provided for those attack modes.
You are likely to want authentication rather than secrecy, note.
If you need AES I've got a library to do this, see: http://arduino.cc/forum/index.php/topic,88890.0.html
But remember if your authentication test is vulnerable to replay it might not be enough - and its hard to generate random numbers or test timestamps on a small microcontroller.