Background
I am building a home automation system using an RF 315/433 MHz transmitter-receiver module, an Ethernet shield and an ATmega AVR microcontroller (ATMega328 PPU) that works as follows.
A set of REST APIs is integrated with a back-end database. A web application and a mobile application interface with this DB to change settings. The ATmega MC interfaces with the Ethernet shield, which connects to my home ADSL router.
The ATmega MC reads (HTTPS) API values via the Ethernet shield and tries to control devices (my roller door, light switches, heating, etc.) using an RF 315/433 MHz transmitter-receiver module. The end point features the RF receiver, and the ATmega MC sends control messages using the RF transmitter.
Problem
I have the following security problems in this setup.
What is the most efficient way that I can encrypt my messages from the RF transmitter to the receiver? Right now I do a simple XOR operation on the control messages at both ends, so the XOR value simply acts as a shared key. I know this is not secure at all! I cannot implement a resource-consuming algorithm in my end point (receiver end) because it uses the ATtiny85 MC.
Even if I encrypt the message from RF TX to RX, someone can intercept the outgoing message (using a tool like HackRF) and replay it later. So they can perform a replay attack easily and open my gate at any time later.
Questions
What are the best security precautions that I can use to secure my RF transmission? Please remember that I am working with IoT devices that do not have extensive computing power.
How can I prevent this replay attack?
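An added example, not part of the original post, of the approach a practitioner would reach for in this setup: drop the XOR entirely, send each command together with a strictly increasing 32-bit counter, and append a keyed tag computed over command and counter. The tag below is SipHash-2-4, chosen because it needs only 64-bit adds, XORs and rotates and no tables, so it fits an ATtiny85. The receiver recomputes the tag, rejects any frame whose counter is not above the last accepted one, and only then stores the new counter. A frame captured with a HackRF and replayed fails the counter check; a frame with a modified command or counter fails the tag check. The frame layout, the 16-frame resynchronisation window, the key bytes, the command codes and the EEPROM remarks are assumptions made for this example.

```c
/* Added example, not the asker's code: authenticated, replay-resistant RF frames from a
 * per-message counter and a SipHash-2-4 tag.  Layout, key, window and EEPROM remarks are assumptions. */
#include <stdint.h>
#include <stddef.h>

#define ROTL64(x, b) (uint64_t)(((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND(v0, v1, v2, v3) do {                               \
    v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32);  \
    v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2;                       \
    v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0;                       \
    v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32);  \
} while (0)
static uint64_t load64_le(const uint8_t *p) {
    uint64_t x = 0;
    for (int i = 7; i >= 0; i--) x = (x << 8) | p[i];
    return x;
}

/* SipHash-2-4 (Aumasson/Bernstein): 128-bit key, 64-bit keyed tag.  Only 64-bit adds, XORs
 * and rotates, no tables, so it fits an ATtiny85; the message tagged here is just 5 bytes. */
uint64_t siphash24(const uint8_t key[16], const uint8_t *in, size_t len) {
    uint64_t k0 = load64_le(key), k1 = load64_le(key + 8);
    uint64_t v0 = 0x736f6d6570736575ULL ^ k0, v1 = 0x646f72616e646f6dULL ^ k1;
    uint64_t v2 = 0x6c7967656e657261ULL ^ k0, v3 = 0x7465646279746573ULL ^ k1;
    uint64_t b = (uint64_t)len << 56;               /* message length in the top byte */
    size_t i = 0;
    for (; i + 8 <= len; i += 8) {                  /* full 8-byte blocks, 2 c-rounds each */
        uint64_t m = load64_le(in + i);
        v3 ^= m; SIPROUND(v0, v1, v2, v3); SIPROUND(v0, v1, v2, v3); v0 ^= m;
    }
    for (size_t j = 0; i + j < len; j++)            /* remaining 0..7 bytes, little-endian */
        b |= (uint64_t)in[i + j] << (8 * j);
    v3 ^= b; SIPROUND(v0, v1, v2, v3); SIPROUND(v0, v1, v2, v3); v0 ^= b;
    v2 ^= 0xff; SIPROUND(v0, v1, v2, v3); SIPROUND(v0, v1, v2, v3);   /* finalization: 4 d-rounds */
    SIPROUND(v0, v1, v2, v3); SIPROUND(v0, v1, v2, v3);
    return v0 ^ v1 ^ v2 ^ v3;
}

/* On-air frame: cmd(1) | counter(4, LE) | tag(8, LE) = 13 bytes.  The tag covers cmd AND the
 * counter, so an attacker cannot simply bump the counter on a captured frame. */
#define FRAME_LEN 13
#define REPLAY_WINDOW 16u   /* assumed: how many lost frames the receiver tolerates */
typedef struct { uint8_t key[16]; uint32_t counter; } tx_state_t;       /* ATmega side */
typedef struct { uint8_t key[16]; uint32_t last_counter; } rx_state_t;  /* ATtiny85 side */

/* Transmitter: increment the counter, then tag cmd||counter.  On real hardware the new counter
 * is written to EEPROM *before* transmitting, so a power loss can never reuse a value. */
void tx_build_frame(tx_state_t *tx, uint8_t cmd, uint8_t out[FRAME_LEN]) {
    tx->counter++;
    out[0] = cmd;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)(tx->counter >> (8 * i));
    uint64_t tag = siphash24(tx->key, out, 5);
    for (int i = 0; i < 8; i++) out[5 + i] = (uint8_t)(tag >> (8 * i));
}

static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t d = 0;                                  /* constant-time compare: no early exit */
    for (size_t i = 0; i < n; i++) d |= a[i] ^ b[i];
    return d == 0;
}

/* Receiver: returns 1 and sets *cmd if the frame is authentic and fresh, 0 to drop it. */
int rx_accept_frame(rx_state_t *rx, const uint8_t in[FRAME_LEN], uint8_t *cmd) {
    uint8_t expect[8];
    uint64_t tag = siphash24(rx->key, in, 5);
    for (int i = 0; i < 8; i++) expect[i] = (uint8_t)(tag >> (8 * i));
    if (!ct_equal(expect, in + 5, 8)) return 0;              /* forged, tampered or wrong key */
    uint32_t ctr = (uint32_t)in[1] | ((uint32_t)in[2] << 8) | ((uint32_t)in[3] << 16) | ((uint32_t)in[4] << 24);
    if (ctr <= rx->last_counter) return 0;                    /* replay of an old frame */
    if (ctr - rx->last_counter > REPLAY_WINDOW) return 0;     /* too far ahead: resync needed */
    rx->last_counter = ctr;                                   /* persist to EEPROM on real hw */
    *cmd = in[0];
    return 1;
}

/* SipHash paper test vector: key 00..0f, message 00..0e -> 0xa129ca6149be45e5. */
int selftest_vector(void) {
    uint8_t key[16], msg[15];
    for (int i = 0; i < 16; i++) key[i] = (uint8_t)i;
    for (int i = 0; i < 15; i++) msg[i] = (uint8_t)i;
    return siphash24(key, msg, 15) == 0xa129ca6149be45e5ULL;
}

/* The exchange end to end: genuine frame accepted; the same bytes replayed rejected; a tampered
 * frame rejected; a later genuine frame still accepted after one was lost.  1 = all hold. */
int selftest_protocol(void) {
    tx_state_t tx = {{0}, 0}; rx_state_t rx = {{0}, 0};
    for (int i = 0; i < 16; i++) tx.key[i] = rx.key[i] = (uint8_t)(0xa0 + i); /* constructed key */
    uint8_t f[FRAME_LEN], cmd = 0;
    tx_build_frame(&tx, 0x11, f);                             /* 0x11 = "open gate" (assumed) */
    if (!rx_accept_frame(&rx, f, &cmd) || cmd != 0x11) return 0;
    if (rx_accept_frame(&rx, f, &cmd)) return 0;              /* HackRF replay: identical bytes */
    f[0] ^= 0x01;
    if (rx_accept_frame(&rx, f, &cmd)) return 0;              /* flipped cmd bit: tag check fails */
    tx_build_frame(&tx, 0x12, f); tx_build_frame(&tx, 0x12, f); /* first of these is lost */
    return rx_accept_frame(&rx, f, &cmd) && cmd == 0x12 && rx.last_counter == 3;
}
int main(void) { return (selftest_vector() && selftest_protocol()) ? 0 : 1; } /* exit 0 = pass */
```

Points worth noting when moving this to real hardware: both counters have to live in EEPROM (the ATtiny85 has 512 bytes), and the transmitter must commit its new counter before the frame leaves, otherwise a reset can reuse a value the receiver has already seen. The window only absorbs presses the receiver missed; if the two sides drift further apart than the window, some resync step (a physical button on the receiver, for instance) is needed. The tag could be truncated to 32 bits to cut air time, which still leaves an on-air forgery far beyond a practical attack on a garage door. The scheme provides authenticity and freshness, not confidentiality: the command byte goes over the air in clear, which for a gate or light switch is usually acceptable since the attacker can see the door move anyway. The key must be 16 random bytes, not a constant like the current XOR value.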