A system for providing rights controlled access to digital media comprises
a server data processor and a client data processor connected by a
communications network. The user data processor provides access to a data
object in accordance with rules associated with the data object by the
server data processor. The client data processor comprises a machine key
device and a user key device. The machine key device is preferably an
installed component of the client data processor that provides
encryption, decryption, and authentication functionality for the client
data processor. The user key device is preferably a removable, portable
device that connects to the client data processor and provides
encryption, decryption, and authentication functionality for the user. A
method restricts the use of a data object to a particular user and a
particular data processor through the use of additional layers of
encryption. The method preferably comprises encrypting a data object such
that it can be decrypted by the machine key device, and further
encrypting the data object such that it can be decrypted by the user key
device. A method restricts the use of a data object to a particular user
and a particular data processor through the use of rules that require
authentication of the machine key device and the user key device.
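
The layered encryption method described above, sketched as an added example that is not taken from the original document. It assumes symmetric keys shared between the server and each key device, and uses an HMAC-SHA256 encrypt-then-MAC construction from the Python standard library as a stand-in for whatever ciphers the devices actually implement; KeyDevice, seal, server_package and client_open are hypothetical names.

```python
import hashlib, hmac, os

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as a keystream (stdlib stand-in for a real AEAD)
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC one layer: nonce || ciphertext || tag."""
    enc_k = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_k = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(enc_k, nonce, len(data))))
    return nonce + ct + hmac.new(mac_k, nonce + ct, hashlib.sha256).digest()

class KeyDevice:
    """Hypothetical model of a machine or user key device; the key stays inside."""
    def __init__(self, key: bytes):
        self._key = key

    def decrypt(self, blob: bytes) -> bytes:
        if len(blob) < 48:
            raise ValueError("layer too short")
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        enc_k = hmac.new(self._key, b"enc", hashlib.sha256).digest()
        mac_k = hmac.new(self._key, b"mac", hashlib.sha256).digest()
        want = hmac.new(mac_k, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, want):
            raise ValueError("layer not encrypted for this key device")
        return bytes(a ^ b for a, b in zip(ct, _stream(enc_k, nonce, len(ct))))

def server_package(obj: bytes, machine_key: bytes, user_key: bytes) -> bytes:
    inner = seal(machine_key, obj)   # layer the machine key device can decrypt
    return seal(user_key, inner)     # further layer the user key device can decrypt

def client_open(package: bytes, user_dev: KeyDevice, machine_dev: KeyDevice) -> bytes:
    # Both devices must take part: user layer first, then machine layer
    return machine_dev.decrypt(user_dev.decrypt(package))

# Constructed sample keys and data object
MACHINE_KEY, USER_KEY, OTHER_KEY = (os.urandom(32) for _ in range(3))
PACKAGE = server_package(b"sample media bytes", MACHINE_KEY, USER_KEY)
```

Opening PACKAGE with a different user key device or on a different machine fails the tag check of the corresponding layer, so the data object is bound to one user and one data processor at once.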