diff --git a/attest/activation.go b/attest/activation.go
index d1835a4..b7481f3 100644
--- a/attest/activation.go
+++ b/attest/activation.go
@@ -225,7 +225,7 @@ func (p *ActivationParameters) Generate() (secret []byte, ec *EncryptedCredentia
 switch p.TPMVersion {
 case TPMVersion12:
- ec, err = p.generateChallengeTPM12(secret)
+ ec, err = p.generateChallengeTPM12(rnd, secret)
 case TPMVersion20:
 ec, err = p.generateChallengeTPM20(secret)
 default:
@@ -254,7 +254,7 @@ func (p *ActivationParameters) generateChallengeTPM20(secret []byte) (*Encrypted
 }, nil
 }
-func (p *ActivationParameters) generateChallengeTPM12(secret []byte) (*EncryptedCredential, error) {
+func (p *ActivationParameters) generateChallengeTPM12(rand io.Reader, secret []byte) (*EncryptedCredential, error) {
 pk, ok := p.EK.(*rsa.PublicKey)
 if !ok {
 return nil, fmt.Errorf("got EK of type %T, want an RSA key", p.EK)
@@ -267,7 +267,7 @@ func (p *ActivationParameters) generateChallengeTPM12(secret []byte) (*Encrypted
 if p.AIK.UseTCSDActivationFormat {
 cred, encSecret, err = verification.GenerateChallengeEx(pk, p.AIK.Public, secret)
 } else {
- cred, encSecret, err = generateChallenge12(pk, p.AIK.Public, secret)
+ cred, encSecret, err = generateChallenge12(rand, pk, p.AIK.Public, secret)
 }
 if err != nil {
diff --git a/attest/challenge.go b/attest/challenge.go
index 171cd51..990f473 100644
--- a/attest/challenge.go
+++ b/attest/challenge.go
@@ -4,11 +4,11 @@ import (
 "bytes"
 "crypto/aes"
 "crypto/cipher"
- "crypto/rand"
 "crypto/rsa"
 "crypto/sha1"
 "encoding/binary"
 "fmt"
+ "io"
 )
 const (
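Review bot: Only the TPM 1.2 case of the switch receives `rnd`; the next case still calls `p.generateChallengeTPM20(secret)` without it, and in the `@@ -267` hunk the `verification.GenerateChallengeEx(pk, p.AIK.Public, secret)` branch likewise takes no reader. If either of those paths draws randomness internally (not visible here), a caller-supplied source is honoured on one code path and silently ignored on the others, which makes deterministic tests and any audit of the entropy source inconsistent. Either thread the reader through those calls as well, or state wherever `rnd` is configured that it applies only to the non-TCSD TPM 1.2 format. `rnd` is set in the part of Generate above this hunk, so how it defaults when unset cannot be checked from here.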
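Review bot: The new parameter of generateChallengeTPM12 is named `rand`, which hides the `crypto/rand` package inside the function if activation.go imports it (the import block is outside this hunk), while the caller in Generate names the same value `rnd`. I would keep one name throughout, `func (p *ActivationParameters) generateChallengeTPM12(rnd io.Reader, secret []byte) (*EncryptedCredential, error) {`, so that a later edit cannot confuse the injected reader with the package. generateChallenge12 in challenge.go uses the same parameter name and would change with it. The function body runs on past the end of this hunk.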
@@ -102,13 +102,13 @@ func pad(plaintext []byte, bsize int) []byte {
 // the secret encrypted with the session key credential contained in asymenc.
 // To use this, pass asymenc as the input to the TPM_ActivateIdentity command.
 // Use the returned credential as the aes key to decode the secret in symenc.
-func generateChallenge12(pubkey *rsa.PublicKey, aikpub, secret []byte) (asymenc []byte, symenc []byte, err error) {
+func generateChallenge12(rand io.Reader, pubkey *rsa.PublicKey, aikpub, secret []byte) (asymenc []byte, symenc []byte, err error) {
 aeskey := make([]byte, 16)
 iv := make([]byte, 16)
- if _, err = rand.Read(aeskey); err != nil {
+ if _, err = io.ReadFull(rand, aeskey); err != nil {
 return nil, nil, err
 }
- if _, err = rand.Read(iv); err != nil {
+ if _, err = io.ReadFull(rand, iv); err != nil {
 return nil, nil, err
 }
@@ -117,7 +117,7 @@ func generateChallenge12(pubkey *rsa.PublicKey, aikpub, secret []byte) (asymenc
 return nil, nil, err
 }
 label := []byte{'T', 'C', 'P', 'A'}
- asymenc, err = rsa.EncryptOAEP(sha1.New(), rand.Reader, pubkey, makeEkBlob(activationBlob), label)
+ asymenc, err = rsa.EncryptOAEP(sha1.New(), rand, pubkey, makeEkBlob(activationBlob), label)
 if err != nil {
 return nil, nil, fmt.Errorf("EncryptOAEP() failed: %v", err)
 }
diff --git a/attest/challenge_test.go b/attest/challenge_test.go
index f0277de..47e41a9 100644
--- a/attest/challenge_test.go
+++ b/attest/challenge_test.go
@@ -2,6 +2,7 @@ package attest
 import (
 "bytes"
+ "crypto/rand"
 "crypto/rsa"
 "crypto/x509"
 "testing"
@@ -51,7 +52,7 @@ func TestGenerateChallengeSymHeader(t *testing.T) {
 t.Fatal(err)
 }
- _, sym, err := generateChallenge12(cert.PublicKey.(*rsa.PublicKey), []byte("pubkey yo"), []byte("secretz"))
+ _, sym, err := generateChallenge12(rand.Reader, cert.PublicKey.(*rsa.PublicKey), []byte("pubkey yo"), []byte("secretz"))
 if err != nil {
 t.Fatal(err)
 }
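Review bot: The doc comment above generateChallenge12 is not updated for the new `rand` parameter, although that reader now supplies the AES key, the IV and, in the `@@ -117` hunk, the randomness for `rsa.EncryptOAEP`, so the confidentiality of the wrapped secret rests entirely on it. I would add `// rand must be a cryptographically secure source such as crypto/rand.Reader and must not be nil.` to the comment block. A nil reader reaches `io.ReadFull` and panics; if any caller other than Generate can pass one, a guard like `if rand == nil { return nil, nil, fmt.Errorf("generateChallenge12: nil random source") }` at the top turns that into an error. The function body continues outside this hunk.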
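Review bot: The updated call still passes `rand.Reader`, so the injection seam this change introduces is not exercised by the test. A second case with a fixed-content reader, for example `bytes.NewReader` over a constructed buffer, would make the symmetric output checked here reproducible. A reader holding fewer than the 32 bytes needed for key and IV would confirm that the `io.ReadFull` calls return an error rather than continuing with a partly filled key. TestGenerateChallengeSymHeader starts and ends outside this hunk.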