One of the shortcomings of S0 security is its inclusion process: the network key is transmitted in-band, protected only by a well-known default temporary key, during a narrow window of inclusion. Anyone sniffing the air at that moment can recover the network key.
How does S2 security handle key exchange?
In S2 the key exchange itself is encrypted with a temporary key that is established using Elliptic Curve Diffie-Hellman (Curve25519). Each node contributes a fresh key pair for the inclusion, so the resulting temporary key is known only to the two nodes taking part and is unique to that inclusion.
Because this temporary key is not one of the network keys, it is not among the keys that can be exported from the PC Controller, and the Zniffer therefore has no way to decrypt the frames of the secure inclusion that are protected by it.
The exception is the "Network Key Verify" frame, which is encrypted with the network key it is meant to verify rather than with the temporary key. Since that is a network key, this one frame can be decrypted by the Zniffer.
While key exchange and cryptography in general rely on sophisticated mathematics, the principle behind Diffie-Hellman key exchange is straightforward: it is easy to compute a modular exponentiation (g^a mod p), or its elliptic-curve equivalent, a scalar multiplication, but it is very hard to reverse that computation and recover the secret exponent from the result (the discrete logarithm problem). Each node transmits only its public value; both nodes can then compute the same shared secret, but an eavesdropper who sees only the two public values cannot.
It is recommended to watch the following video for more information on Diffie-Hellman key exchange.
Video: Diffie-Hellman key exchange
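The exchange described above, as an added example that is not part of the original page or of any Z-Wave stack: both nodes' messages in a Curve25519 Diffie-Hellman exchange (X25519 as specified in RFC 7748), implemented in pure Python, followed by derivation of a 16-byte temporary key. The function names (`run_exchange`, `derive_temporary_key`) and the HKDF-SHA256 derivation are assumptions made for this demo; the S2 specification defines its own key derivation, which is not reproduced here. The known-answer values in `rfc7748_known_answer` are the Alice test vector from RFC 7748 section 6.1.

```python
"""Added example (not Silicon Labs / Z-Wave code): an ECDH exchange of the kind
S2 uses to agree a temporary key, in pure Python after RFC 7748 (X25519)."""
import hashlib
import hmac
import secrets

P = 2**255 - 19                          # field prime of Curve25519
A24 = 121665                             # (A - 2) / 4 for the curve constant A = 486662
BASEPOINT = (9).to_bytes(32, "little")   # standard X25519 generator, u = 9


def clamp_scalar(k: bytes) -> int:
    """RFC 7748 clamping: clear the low 3 bits, clear bit 255, set bit 254."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def _cswap(swap: int, a: int, b: int):
    # Branch-free conditional swap. Python big ints are not constant-time, so a
    # production implementation must use a hardened library instead of this demo.
    dummy = (-swap) & (a ^ b)
    return a ^ dummy, b ^ dummy


def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication k*u on Curve25519 with the Montgomery ladder (RFC 7748 s.5)."""
    k_int = clamp_scalar(k)
    x_1 = int.from_bytes(u, "little") & ((1 << 255) - 1)   # mask the unused top bit
    x_2, z_2, x_3, z_3 = 1, 0, x_1, 1
    swap = 0
    for t in range(254, -1, -1):
        k_t = (k_int >> t) & 1
        swap ^= k_t
        x_2, x_3 = _cswap(swap, x_2, x_3)
        z_2, z_3 = _cswap(swap, z_2, z_3)
        swap = k_t
        a = (x_2 + z_2) % P
        aa = a * a % P
        b = (x_2 - z_2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x_3 + z_3) % P
        d = (x_3 - z_3) % P
        da = d * a % P
        cb = c * b % P
        x_3 = pow(da + cb, 2, P)
        z_3 = x_1 * pow(da - cb, 2, P) % P
        x_2 = aa * bb % P
        z_2 = e * (aa + A24 * e) % P
    x_2, x_3 = _cswap(swap, x_2, x_3)
    z_2, z_3 = _cswap(swap, z_2, z_3)
    return (x_2 * pow(z_2, P - 2, P) % P).to_bytes(32, "little")


def rfc7748_known_answer() -> bool:
    """Self-check against the Alice vector of RFC 7748 section 6.1."""
    priv = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    pub = "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
    return x25519(priv, BASEPOINT).hex() == pub


def derive_temporary_key(shared_secret: bytes, pub_a: bytes, pub_b: bytes) -> bytes:
    """Illustrative KDF (one-block HKDF-SHA256) turning the ECDH output into a
    16-byte AES key. Assumption for this demo, not the S2 specification's KDF.
    Binding both public values into the salt ties the key to this exchange."""
    prk = hmac.new(pub_a + pub_b, shared_secret, hashlib.sha256).digest()
    okm = hmac.new(prk, b"S2 temporary key (demo)" + b"\x01", hashlib.sha256).digest()
    return okm[:16]


def run_exchange(including_priv: bytes = None, joining_priv: bytes = None) -> dict:
    """Both sides of one inclusion. Only the two public values go over the air."""
    priv_a = including_priv or secrets.token_bytes(32)    # including controller
    priv_b = joining_priv or secrets.token_bytes(32)      # joining node
    pub_a = x25519(priv_a, BASEPOINT)    # controller -> node
    pub_b = x25519(priv_b, BASEPOINT)    # node -> controller
    secret_a = x25519(priv_a, pub_b)     # each side combines its secret with the peer's public value
    secret_b = x25519(priv_b, pub_a)
    if secret_a == bytes(32) or secret_b == bytes(32):
        raise ValueError("low-order public value: abort the exchange")   # RFC 7748 s.6.1 check
    return {
        "over_the_air": (pub_a, pub_b),  # all a Zniffer gets to see
        "key_including": derive_temporary_key(secret_a, pub_a, pub_b),
        "key_joining": derive_temporary_key(secret_b, pub_a, pub_b),
    }


if __name__ == "__main__":
    print("RFC 7748 known answer:", rfc7748_known_answer())
    result = run_exchange()
    print("temporary key agreed:", result["key_including"] == result["key_joining"])
    print("temporary key:", result["key_including"].hex())
```

Running the block twice gives two different temporary keys from two different ephemeral key pairs, which is the property that keeps a captured inclusion from being decrypted later: the sniffer holds only the two public values, and turning those into the shared secret is exactly the discrete-logarithm problem the scheme relies on. Note that plain ECDH does not authenticate the peer; S2 adds its own authentication of the exchange on top, which this example does not model.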