Webserver Security

Hello,

I am trying to create a web server to open an electronic lock. The electronics part and the web server part are already finished; however, I am looking for the best way to secure this. I would like to do a MAC address check on the users that connect to the Arduino so my users (not many) won't have to type in a username and password for convenience, as I am anticipating this page to be loaded on cell phones mostly. Yes, I am aware that a MAC address can easily be spoofed, but that is not something most users need to worry about, and this is already on a secure wireless connection on a private network. Is it possible to determine the client's MAC address through the Ethernet library?

I am currently using an Arduino Uno with the Ethernet shield attached. I am planning on eventually switching it for the WiFi shield, however I do not have one at my disposal currently to test with.

If it is not possible to determine the connected client's MAC address, does anyone else have any suggestions of an easy way to secure this?

Unless you know your client is in the same collision domain, I don't think you'll be able to identify it using the MAC. Since you say your clients are cell phones, they're pretty obviously not going to be in the same network. In any case that approach is not secure and would not be a good idea for anything remotely important.

A safer way to do it would be to incorporate a challenge/response handshake using a public/private key pair. However, I don't know of any implementations that would be light enough to run on an Arduino.

If all you want is to discourage casual attempts from unauthorised users then you could require a password to be entered and then store that as a cookie. It's horribly insecure and would easily be defeated by anyone who can snoop your network traffic, but to protect against that you need proper authentication and encryption and Arduino is really not a suitable platform for that sort of thing. An RPi would be much better placed to do it - you could use proper SSL/TLS then and lock the whole thing down securely.
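Added example, not part of the thread and not Arduino code: a Python sketch of the challenge/response handshake mentioned in the reply above, with a shared-secret HMAC swapped in for the public/private key pair. The class, function names, key and timeout are assumptions; it shows only that a sniffed response cannot be replayed, and it does not encrypt traffic.

```python
import hashlib
import hmac
import secrets
import time

NONCE_TTL = 30  # seconds a challenge stays valid (assumed value)

class LockServer:
    """Server side: issues one-time challenges and checks responses."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._pending = {}  # nonce -> expiry time

    def new_challenge(self, now=None) -> bytes:
        now = time.time() if now is None else now
        nonce = secrets.token_bytes(16)  # unpredictable, never reused
        self._pending[nonce] = now + NONCE_TTL
        return nonce

    def verify(self, nonce: bytes, response: bytes, now=None) -> bool:
        now = time.time() if now is None else now
        # pop() makes each challenge single-use, so a captured
        # (nonce, response) pair is worthless after the first attempt.
        expiry = self._pending.pop(nonce, None)
        if expiry is None or now > expiry:
            return False
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)

def client_response(shared_key: bytes, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the key without sending it."""
    return hmac.new(shared_key, nonce, hashlib.sha256).digest()

def demo() -> dict:
    key = b"constructed-demo-key"  # constructed sample secret
    server = LockServer(key)
    n1 = server.new_challenge(now=0)
    r1 = client_response(key, n1)
    n2, n3 = server.new_challenge(now=0), server.new_challenge(now=0)
    return {
        "valid": server.verify(n1, r1, now=1),
        "replayed": server.verify(n1, r1, now=2),
        "wrong_key": server.verify(n2, client_response(b"guess", n2), now=1),
        "expired": server.verify(n3, client_response(key, n3), now=NONCE_TTL + 1),
    }
```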

The cell phones would actually be on the same network, as these users always keep their WiFi on 24/7. The WiFi network that they use is secured with a WPA2 pre-shared key. I'm not too concerned about WiFi sniffers. I'm considering the cookie idea, but I'm not crazy about it. Since they would be on the same collision domain, would it be possible to use MAC address? I'm also considering using a Base 64 encoded user/pass handshake, however I feel that is about as secure as the cookie idea.

Even on a local network, it will be tricky to get the MAC address once the packet's been routed through the router (and replaced with the MAC address of the network router).

username/password...

Well, authentication is the only way, I guess...