Digital Rights Management (DRM) is used to control access to digitized intellectual property and sometimes to control how that property is used. In the media context, this often involves a player together with a (possibly incorporated) "set-top box". Historically, DRM schemes have been too fragile to protect high-value digital content. In this thesis, we remedy that problem. Through registration, a user's identity is bound to a tamper-proof set-top box storing shared secrets and running a hard-wired program. Encrypted content of interest is obtained by arbitrary means. The user activates the box to engage in a protocol with a remote server operated on behalf of the content owner. The server securely delivers the capability to display this content precisely once and records this fact. Keying information is hidden from the user in such a way that key distribution and authentication are radically simplified, resulting in an extremely robust security architecture.
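The delivery step described above can be sketched as follows; this is an added example, not code or protocol detail from the thesis, showing a server that releases a content key once per box and records the grant, and a box that accepts only a grant bound to its own fresh nonce. Assumptions: the message layout, the `prf`, `Server` and `Box` names, and the HMAC-SHA256 wrap-and-tag construction (standing in for whatever authenticated key wrap the real design uses) are all hypothetical.

```python
import hashlib
import hmac
import secrets

def prf(secret: bytes, label: bytes, *parts: bytes) -> bytes:
    # Length-prefix every field so distinct inputs never collide.
    msg = label + b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(secret, msg, hashlib.sha256).digest()

class Server:
    """Content owner's server: knows each box's secret and the content keys."""
    def __init__(self, box_secrets, content_keys):
        self.box_secrets, self.content_keys = box_secrets, content_keys
        self.ledger = set()  # (box_id, content_id) pairs already granted

    def grant(self, box_id, content_id, nonce):
        if (box_id, content_id) in self.ledger:
            return None  # capability was already delivered once
        secret = self.box_secrets[box_id]
        pad = prf(secret, b"wrap", nonce, content_id)
        wrapped = bytes(a ^ b for a, b in zip(self.content_keys[content_id], pad))
        tag = prf(secret, b"auth", nonce, content_id, wrapped)
        self.ledger.add((box_id, content_id))  # record the fact
        return wrapped, tag

class Box:
    """Set-top box: holds the shared secret; the user sees only wire messages."""
    def __init__(self, box_id, secret):
        self.box_id, self._secret, self._pending = box_id, secret, {}

    def request(self, content_id):
        nonce = secrets.token_bytes(16)
        self._pending[content_id] = nonce
        return self.box_id, content_id, nonce

    def unwrap(self, content_id, grant):
        nonce = self._pending.pop(content_id, None)  # each nonce is single-use
        if nonce is None or grant is None:
            return None
        wrapped, tag = grant
        expected = prf(self._secret, b"auth", nonce, content_id, wrapped)
        if not hmac.compare_digest(tag, expected):
            return None  # forged grant, or one replayed from an earlier session
        pad = prf(self._secret, b"wrap", nonce, content_id)
        return bytes(a ^ b for a, b in zip(wrapped, pad))
```

A grant recorded off the wire is useless later: the box checks the tag against the nonce of its current request, and the server's ledger refuses to issue a second grant for the same box and content.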