I know that WEP traffic can be "sniffed" by any user of the WIFI.
I know that WPA/WPA2 traffic is encrypted using a different link key for each user, so they can't sniff traffic... unless they capture the initial handshake. If you are using a PSK (pre-shared key) scheme, then you recover the link key trivially from this initial handshake.
If you don't know the PSK, you can capture the handshake and try to crack the PSK by brute force offline.
Is my understanding correct so far?
I know that WPA2 has an AES mode and can use "secure" tokens like X.509 certificates and such, and it is said to be secure against sniffing because capturing the handshake doesn't help you.
So, is WPA2+AES secure (so far) against sniffing, and how does it actually work? That is, how is the (random) link key negotiated, when using X.509 certificates or a (private and personal) passphrase?
Do WPA/WPA2 have other sniffer-secure modes beside WPA2+AES?
How is broadcast traffic managed so that it is received by all the WIFI users, if each has a different link key?
Thanks in advance! :)