In this dissertation, we focus on cryptographic hierarchical access control (CHAC) prob- lem in cloud computing. We propose a practical and provably-secure CloudCHAC sys- tem for controlling access to encrypted data while considering the characteristics of cloud services. The characteristics include a great quantity of outsourced data, a large number of users with frequently changed membership, flexible access control policies, and data accessing from resourced-constrained users. The data owner takes advantage of abundant storage space and computation resources for economy of data access con- trol while keeping data confidential against cloud server. More precisely, the proposed CloudCHAC system possesses almost all advantages of the existing approaches such as optimal user storage size, supporting dynamic user set and access policy, and provable security against collusive attacks. In particular, CloudCHAC lets the data owner enjoy less cost in revoking a user from data access- ing. In user revocation, the data owner needs to renew all decryptable data ciphers of the revoked user and re-distribute the new decryption keys to other non-revoked users only. It is a large burden for the data owner when facing large and highly dynamic set of users in cloud services. Our CloudCHAC system leverages the proxy re-encryption (PRE) technology [14] into data encryption to tackle the efficiency issue. The cipher updating process can be performed on the CS side and the workload of the data owner is lessen. On the other hand, we design two provably-secure key management schemes, KeyDer-GKM and ReEnc-GKM, to distribute decryption keys for users in cloud en- vironment. They have nice semi-stateful property that the data owner and users can update the decryption keys in a non-synchronized way; that is, they do not need to be online at the same time for updating key. Both of the proposed schemes achieve the best performance factors while compared with the best-known approaches. Additionally, in our CloudCHAC system, most of the computation in key derivation can be offloaded to the cloud server as well. It is desirable for the users with some resource-constrained devices in cloud environment.