US2015186657A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2015186657-A1 |
| Application number | US-201414507720-A |
| Country | US |
| Kind code | A1 |
| Filing date | Oct 6, 2014 |
| Priority date | Aug 5, 2013 |
| Publication date | Jul 2, 2015 |
| Grant date | — |
Official abstract text for this publication.
A cloud storage system includes an encryption server configured to encrypt a plurality of data by using encryption keys having a hierarchy, the hierarchy of encryption keys corresponding to a relationship among the plurality of encrypted data, and a cloud storage server configured to store the plurality of encrypted data.
Opening claim text (preview).
What is claimed is:

1. A cloud storage system, comprising: an encryption server configured to encrypt a plurality of data by using encryption keys having a hierarchy, the hierarchy of encryption keys corresponding to a relationship among the plurality of encrypted data; and a cloud storage server configured to store the plurality of encrypted data.

2. The cloud storage system according to claim 1, wherein the relationship among the plurality of encrypted data is determined according to an access policy for each data.

3. The cloud storage system according to claim 2, wherein, when at least two or more data have the same access policy, the two or more data are encrypted by using the same encryption key.

4. The cloud storage system according to claim 2, wherein, when at least two or more data are configured in a directory structure, all of data in each directory have the same access policy and are encrypted by using the same encryption key.

5. The cloud storage system according to claim 2, wherein the same data are encrypted by using the same encryption key regardless of a user who transmits the same data to be encrypted and stored in the cloud storage.

6. The cloud storage system according to claim 1, wherein the encryption keys are generated in a stateless manner based on a key derivation instruction received by the encryption server.

7. The cloud storage system according to claim 6, wherein the key derivation instruction provides key derivation information comprising at least one from among a root key, a key derivation function, and a key derivation policy, the root key being a key at a top of the hierarchy of the encryption keys.

8. The cloud storage system according to claim 7, wherein the key derivation information further comprises auxiliary information comprising at least one from among a directory path, a validity period of an encryption key, a name of a group of users having an access right, a policy identification (ID), and a uniform resource identifier (URI) for locating the policy ID.

9. The cloud storage system according to claim 8, wherein the validity period is stored at the cloud storage server, and prior to or upon expiry of the encryption key, the cloud storage performs at least one from among an alert, an action to renew the encryption key, and an action to re-encrypt data with the renewed encryption key.

10. The cloud storage system according to claim 6, wherein a representational state transfer (REST) instruction containing data to be encrypted is received by the encryption server, the REST instruction comprising a URI location of a resource at which the key derivation instruction is stored.

11. A cloud storage system in which data encrypted by an encryption key are stored, the cloud storage system comprising: an authentication server configured to authenticate a user based on an identification (ID) and a password of the user; a license server configured to provide a license to access the encrypted data to the user based on a result of the authentication, the license comprising a key encryption key obtained by encrypting the encryption key; and a private-key generator configured to generate a private key for decrypting the encrypted data based on the license.

12. The cloud storage system according to claim 11, wherein the key encryption key comprises at least one from among a Rivest-Shamir-Adleman (RSA) public key, an identification (ID)-based cryptography (IBC) public key, and a symmetric key, and the key encryption key is delivered to the user through a secure channel.

13. The cloud storage system according to claim 11, wherein, when the user is authenticated by the authentication server, the authentication server generates an authentication token to be used by at least one of the user, the license server and the private key generator.

14. The cloud storage system according to claim 13, wherein the license comprises a license server ticket generated based on the authentication token, and the private key generator authenticates, prior to generating the private key, the user based on the license server ticket.

15. The cloud storage system according to claim 14, wherein the license server ticket comprises at least one from among the password and a function of the password of the user.

16. The cloud storage system according to claim 13, wherein, when the user is authenticated by the authentication server, the authentication server generates authentication tokens for the license server and the private key generator, respectively.

17. An encryption method in a cloud storage system, the encryption method comprising: receiving a plurality of data from a user; and encrypting, at an encryption server separate from the cloud storage system, a plurality of data by using encryption keys having a hierarchy, the hierarchy of encryption keys corresponding to a relationship among the plurality of encrypted data, wherein the plurality of encrypted data are stored in the cloud storage system.

18. An encryption method according to claim 17, wherein the relationship among the plurality of encrypted data is determined according to at least one from among an access policy for each data and a directory structure of the plurality of data.

19. An encryption method according to claim 18, wherein, when at least two or more data have the same access policy, the two or more data are encrypted by using the same encryption key.

20. The encryption method according to claim 2, wherein the encryption keys are generated at the encryption server in a stateless manner based on a key derivation instruction received by the encryption server.
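The stateless, hierarchical key derivation of claims 6 to 8 can be illustrated with the sketch below, which is an added example and not code from the patent. The claims do not fix a key derivation function, so chaining HMAC-SHA-256 over the directory path is an assumption, as are the instruction field names, the sample root key and all function names.

```python
import hashlib
import hmac

def _step(parent_key: bytes, label: str) -> bytes:
    """One level of the hierarchy: child = HMAC-SHA256(parent, label)."""
    return hmac.new(parent_key, label.encode("utf-8"), hashlib.sha256).digest()

def _components(path: str) -> list:
    parts = [p for p in path.split("/") if p]
    # Refuse un-normalised paths so two spellings of one directory
    # can never silently map to two different keys.
    if any(p in (".", "..") for p in parts):
        raise ValueError("path must be normalised before key derivation")
    return parts

def derive_directory_key(parent_key: bytes, path: str) -> bytes:
    """Walk the path from a parent key; each component is one derivation step.
    Holding a directory's key is enough to derive keys for everything below it."""
    key = parent_key
    for part in _components(path):
        key = _step(key, "dir:" + part)   # "dir:" separates this use from the steps below
    return key

def derive_data_key(dir_key: bytes, policy_id: str, validity: str) -> bytes:
    """Bind the final encryption key to the policy ID and validity period
    (auxiliary information in the sense of claim 8)."""
    return _step(_step(dir_key, "policy:" + policy_id), "valid:" + validity)

def derive_from_instruction(instr: dict) -> bytes:
    """Stateless: the key is recomputed from the instruction on every call,
    so the encryption server stores no per-file or per-directory keys."""
    dir_key = derive_directory_key(instr["root_key"], instr["directory_path"])
    return derive_data_key(dir_key, instr["policy_id"], instr["validity"])

# Constructed sample instruction; field names and values are hypothetical.
SAMPLE_ROOT_KEY = bytes(range(32))
SAMPLE_INSTRUCTION = {
    "root_key": SAMPLE_ROOT_KEY,
    "directory_path": "/finance/2024",
    "policy_id": "policy-17",
    "validity": "2024-01-01/2024-12-31",
}

if __name__ == "__main__":
    print(derive_from_instruction(SAMPLE_INSTRUCTION).hex())
```

Because every file in a directory with the same policy and validity period receives the same key, renewing a key on expiry (claim 9) means changing the validity string and re-encrypting the affected data.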
Arrangements for software license management or administration, e.g. for managing licenses at corporate level · CPC title
using passwords (cryptographic mechanisms or cryptographic arrangements for entity authentication using a predetermined code H04L9/3226) · CPC title
Generation of secret information including derivation or calculation of cryptographic keys or passwords · CPC title
for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS] · CPC title
Providing cryptographic facilities or services · CPC title