The invention provides a software asset protection mechanism which is based on the separation of the software to be protected from the right to execute that software. Protected software can only be executed on composite computing systems in which a physically and logically secure coprocessor is associated with a host computer. The software to be protected is broken down into a protected (encrypted) portion and an (optional) unprotected or plain text portion. The software is distributed by any conventional software distribution mechanism (for example a floppy disk) including the files already identified along with an encrypted software decryption key. The coprocessor is capable of decrypting the software decryption key so it can thereafter decrypt the software, for execution purposes. However, the coprocessor will not perform these functions unless and until the user's right to execute is evidenced by presentation of a physically secure token. The physically secure token provides to the coprocessor token data in plain text form (the physical security of the plain text token data is provided by the cartridge within which token data is stored). The physical properties of that cartridge taken together with the correspondence between the token data provided by the cartridge and the encrypted token data evidence the user's right to execute. While the coprocessor can, thereafter, decrypt and execute the protected portion of the software, access to that software is denied the user by the physical and logical features of the coprocessor. Other properties of the cartridge (specifically a destructive read property) ensure that the act of transferring token data to the coprocessor obliterates that data from the cartridge so it cannot be revised. Further, the protocol for the coprocessor/cartridge exchange is arranged so that observation of even the entire exchange provides inadequate information with which to simulate or spoof the effect of an authentic, unused cartridge.