Identification and Authentication I.- Flexible and Transparent User Authentication for Mobile Devices.- Combining Authentication, Reputation and Classification to Make Phishing Unprofitable.- Audio CAPTCHA for SIP-Based VoIP.- Threats and Attacks.- Roving Bugnet: Distributed Surveillance Threat and Mitigation.- On Robust Covert Channels Inside DNS.- Discovering Application-Level Insider Attacks Using Symbolic Execution.- Identification and Authentication II.- Custom JPEG Quantization for Improved Iris Recognition Accuracy.- On the IPP Properties of Reed-Solomon Codes.- A Generic Authentication LoA Derivation Model.- Applications of Cryptography and Information Hiding.- Media-Break Resistant eSignatures in eGovernment: An Austrian Experience.- How to Bootstrap Security for Ad-Hoc Network: Revisited.- Steganalysis of Hydan.- Trusted Computing.- On the Impossibility of Detecting Virtual Machine Monitors.- Implementation of a Trusted Ticket System.- Security Policies.- A Policy Based Approach for the Management of Web Browser Resources to Prevent Anonymity Attacks in Tor.- A Policy Language for Modelling Recommendations.- Validation, Verification, Evaluation.- On the Security Validation of Integrated Security Solutions.- Verification of Security Policy Enforcement in Enterprise Systems.- Optimization of the Controlled Evaluation of Closed Relational Queries.- Privacy Protection - Security Assessment.- Collaborative Privacy - A Community-Based Privacy Infrastructure.- Security and Privacy Improvements for the Belgian eID Technology.- A Structured Security Assessment Methodology for Manufacturers of Critical Infrastructure Components.- Role Mining and Content Protection.- Mining Stable Roles in RBAC.- Privacy-Preserving Content-Based Publish/Subscribe Networks.- BroadcastEncryption for Differently Privileged.- Ontology-Based Secure XML Content Distribution.- Security Protocols.- NGBPA Next Generation BotNet Protocol Analysis.- Non-repudiation Analysis with LySa.- A Provably Secure Secret Handshake with Dynamic Controlled Matching.- Towards a Theory of White-Box Security.- Access Control.- On a Taxonomy of Delegation.- Efficient Key Management for Enforcing Access Control in Outsourced Scenarios.- A Probabilistic Bound on the Basic Role Mining Problem and Its Applications.- Automating Access Control Logics in Simple Type Theory with LEO-II.- Internet and Web Applications Security.- In Law We Trust? Trusted Computing and Legal Responsibility for Internet Security.- Persona: Network Layer Anonymity and Accountability for Next Generation Internet.- Jason: A Scalable Reputation System for the Semantic Web.- Which Web Browsers Process SSL Certificates in a Standardized Way?.

It was an honor and a privilege to chair the 24th IFIP International Information Se- rity Conference (SEC 2009), a 24-year-old event that has become a tradition for - formation security professionals around the world. SEC 2009 was organized by the Technical Committee 11 (TC-11) of IFIP, and took place in Pafos, Cyprus, during May 18-20, 2009. It is an indication of good fortune for a Chair to serve a conference that takes place in a country with the natural beauty of Cyprus, an island where the hospitality and frie- liness of the people have been going together, hand-in-hand, with its long history. This volume contains the papers selected for presentation at SEC 2009. In response to the call for papers, 176 papers were submitted to the conference. All of them were evaluated on the basis of their novelty and technical quality, and reviewed by at least two members of the conference Program Committee. Of the papers submitted, 39 were selected for presentation at the conference; the acceptance rate was as low as 22%, thus making the conference a highly competitive forum. It is the commitment of several people that makes international conferences pos- ble. That also holds true for SEC 2009. The list of people who volunteered their time and energy to help is really long.